KR20210027965A - A gate controlling method based on a password broadcast using near-field broadcasting and system for the same - Google Patents

Abstract

Disclosed is an access security method, which includes the steps of: receiving, by an access security device, a name of a near field communication unit of a first mobile device from a service server; receiving a first mobile correspondence password from a service server; detecting a first M signal which broadcasted by the first mobile device using near field communication, on the basis of the name of the near field communication unit; and allowing access through the access security device when it is determined that a first mobile password included in the first M signal is the same as the first mobile correspondence password. According to the present invention, it is possible to strengthen the security of the access security device by using a one-time password.

Description

A gate controlling method based on a password broadcast using near-field broadcasting and system for the same}

The present invention relates to a door control system. In particular, it relates to a door control technology that enhances security by cooperative authentication of a user's mobile device, a service server, and an access security device.

The digital lock is installed at the entrance door, and the lock is released by inputting the correct authentication information (eg, password, biometric authentication information, NFC tagging, etc.) previously set in the digital lock. In general, the unlocking function of a digital lock is implemented without interlocking with other devices. When the authentication information is exposed, that is, when a third party obtains the authentication information or becomes available in an illegal way, the access door of a third party There is a problem that intrusion is possible. Although the password may be exposed due to the carelessness of a legitimate accessor, there is a problem that the password may be exposed by a malicious third party hacking only the digital lock.

In order to solve this problem, it is possible to prevent intrusion through the entrance door by hacking only the digital lock using another device interlocking with the digital lock. However, in a commercialized embodiment, a digital key that is to be tagged with a digital lock is employed as an example of the other device interlocking with a digital lock.

As described above, conventionally, a 1-factor authentication method in which a lock is released using only one authentication information, or a 2-factor authentication method further using additional authentication information can be used.

However, in order to use additional authentication information, for example, a legitimate accessor has to take out the digital key with his or her hand and contact the digital lock in a short distance, which is inconvenient in the existing 2-factor authentication method.

Accordingly, there is a need for a technology capable of unlocking the digital lock without taking the other device out of the pocket, but using another device interlocking with the digital lock.

In the present invention, a security factor is added by performing an automatic short-range communication-based password (OTP) authentication without any additional actions other than the existing access security action performed for access by a legitimate accessor. Compared to the 2-factor authentication, which required authentication and inconvenient additional actions, it is intended to provide access security based on 2-Facter authentication and accessor authentication function, which is easier, simpler, and improved in security.

An object of the present invention is to provide a technology capable of unlocking an access security device without taking out an interlocking device interlocking with a digital lock (hereinafter, an access security device) from a pocket or a bag.

In addition, in the present invention, it is intended to provide a technology for enhancing the security of an access security device using a One Time Password (OTP).

In addition, in the present invention, the input of existing basic authentication information (e.g., 1-Factor authentication information such as password, NFC tagging information, biometric information, etc.) By constructing a physical security element through the use of OTP, even if the basic authentication information is exposed, it provides a secure IoT device that does not allow access if the linked mobile does not exist in the near distance of the digital lock. We want to provide an access security system.

According to an aspect of the present invention, when requesting access security permission through basic authentication information (e.g., 1-Factor authentication information such as password, NFC tagging information, biometric information, etc.), access to the mobile device linked with the basic authentication information Additional security elements using short-range communication function and OTP between security devices can be provided.

In the access security method provided according to an aspect of the present invention, an access requester may request an access by providing basic authentication information to an access security device.

Then, the access security device may request the service server to confirm the access requester based on the security requestor information (information input through a password, NFC, RFID, and other actions) received through a communication function. To this end, the access security device may transmit the security requestor information to the service server together with an access security device identifier capable of identifying the access security device.

Then, the service server may request real-time location information of the mobile together with OTP information (mobile OTP1) for mobile authentication from the mobile device interlocked with the access security device. To this end, the service server is configured to provide one mobile device connected to the access security device 1:1 or one of a plurality of mobile devices connected 1:N to the access security device. It may have access to a DB containing information about it. In this case, the DB may include the 1:1 linkage information or the 1:N linkage information. The association information may be provided in the form of a table.

Then, the mobile device receiving the request for the OTP information (mobile OTP1) and the real-time location information for mobile authentication from the service server may transmit its own mobile OTP1 and real-time location information to the service server.

To this end, the mobile device may include a mobile OTP generator and one or more location information collection devices. The at least one location information collection device may include a geolocation information collection device. The mobile OTP generator may be included in an application program installed on the mobile device. The OTP output value of the server OTP generation unit having the same OTP generation rule as the OTP generation rule of the mobile OTP generation unit may be obtained by the service server. The server OTP generation unit may be included in the service server as an application program or may be included in a separate computing device accessible to the service server.

Then, the service server authenticates the mobile device using the mobile OTP1 received from the mobile device, and transfers the real-time location information received from the mobile device and the location information (eg, geolocation information) of the access security device to each other. By comparison, it is possible to check whether the distance between the real-time location of the mobile device and the location of the access security device (eg, the earth location) is within a predetermined error range. To this end, the service server may be configured to access a DB including information on a location where the access security device exists. The location information of the access security device may be registered in the DB when a person authorized to use the access security device subscribes to the service providing the access security method according to the present invention.

When the distance between the real-time location of the mobile device and the location of the access security device is within a predetermined error range, the service server may specify the mobile device as a service target mobile device.

Then, the service server may transmit OTP information (mobile-adaptive OTP) of the mobile device to be checked through short-range communication to the access security device. In addition, the service server may request the mobile device to activate a short-range communication function, and request the mobile device to broadcast OTP information (mobile OTP).

In this case, the service server and the mobile device may respectively generate the mobile OTP2-server and the mobile OTP according to a specific OTP generation rule. Accordingly, the mobile OTP2-server and the mobile OTP generated at the same time may have the same value.

The mobile-adaptive OTP generated by the service server may be transmitted by the service server to the access security device through wired/wireless network communication. In addition, the mobile OTP generated by the mobile device may be transmitted by the mobile device to the access security device using a short-range communication function.

Then, the access security device checks the mobile OTP transmitted by the mobile device through the short-range communication function, and uses the strength of the wireless signal including the information of the mobile OTP transmitted using the short-range communication function. , It is possible to check the distance from the access security device to the mobile device.

Then, when the access security device determines that the mobile-compatible OTP and the mobile OTP have the same value, and when it is determined that the distance from the access security device to the mobile device is less than a predetermined error range, the access Security devices can allow access. That is, the access security device may release a lock managed by the access security device.

In this case, the short-range communication that the mobile device can utilize may include all kinds of short-range communication methods such as cell, BLE, beacon, Bluetooth, NFC, RFID, and wifi. If it conforms to the spirit of the present invention, it will fall within the scope of the present invention by applying another type of short-range communication method newly emerging after the present application.

An access security method provided according to an aspect of the present invention includes the steps of, by an access security device, receiving, from the service server, the name of the short-range communication unit of the first mobile device provided by the first mobile device to the service server; Receiving, by the access security device, a first mobile correspondence password from the service server; Detecting, by the access security device, a first M signal broadcast by the first mobile device using short-range communication based on the received short-range communication unit name; And when the access security device determines that the first mobile password included in the first M signal is the same as the first mobile password, permitting access through the access security device. In this case, the name of the short-range communication unit of the first mobile device may be the same as the first mobile correspondence password.

At this time, the access security method, prior to the step of receiving the name of the short-range communication unit from the service server, the access security device, obtaining user identification information; And transmitting, by the access security device, the acquired user identification information to the service server. In this case, the service server accesses a database including a table in which the user identification information and the first mobile device are associated with each other to obtain information on the first mobile device associated with the user identification information. In addition, the service server may be configured to obtain the name of the short-range communication unit by requesting the first mobile device for a name of the short-range communication unit of the first mobile device.

In this case, the access security method may further include generating, by the access security device, information on a first distance between the access security device and the first mobile device based on the strength of the 1M signal. . In this case, only when the first distance is less than or equal to a predetermined value, access through the access security device may be permitted.

In this case, the first mobile password may be generated by the first mobile device, and the first mobile password may be generated by the service server.

In this case, the first mobile password may be generated by the first mobile device, and the first mobile password may be the first mobile password obtained by the service server from the first mobile device.

In this case, the first mobile password is a first mobile OTP (One Time Password) generated by the first mobile device, and the first mobile password is a first mobile corresponding OTP generated by the service server, and The generation rule of 1 mobile OTP and the generation rule of the first mobile OTP may be identical to each other.

An access security method provided according to another aspect of the present invention includes the steps of: receiving, by a service server, user identification information from an access security device; Obtaining, by the service server, an identifier of the first mobile device associated with the user identification information by accessing a database including a table in which the user identification information and the first mobile device are associated with each other; Obtaining, by the service server, the name of the short-range communication unit from the first mobile device by requesting the name of the short-range communication unit of the first mobile device from the first mobile device using the identifier of the first mobile device; Transmitting, by the service server, the name of the short-range communication unit to the access security device; And transmitting, by the service server, a first mobile correspondence password to the access security device. In this case, the access security device is configured to detect the first M signal broadcast by the first mobile device using short-range communication based on the name of the short-range communication unit, and the first mobile password included in the first M signal When it is determined that is the same as the first mobile password, access through the access security device is permitted.

In this case, the first mobile password is a first mobile OTP (One Time Password) generated by the first mobile device, and the first mobile password is a first mobile corresponding OTP generated by the service server, and The generation rule of 1 mobile OTP and the generation rule of the first mobile OTP may be identical to each other.

In this case, the access security method comprises the steps of: requesting and obtaining, by the service server, information about the location of the first mobile device from the first mobile device; And acquiring, by the service server, accessing and acquiring, by the service server, a database including a table stored in association with an identifier of the access security device and a location where the access security device is installed, and the location where the access security device is installed; I can. In this case, the step of obtaining the name of the short-range communication unit may be executed only when the service server determines that the difference between the location of the first mobile device and the location where the access security device is installed is less than or equal to a predetermined value.

In this case, the access security method comprises the steps of: requesting and obtaining, by the service server, a mobile authentication password from the first mobile device; And generating, by the service server, a mobile correspondence authentication password. In this case, the step of acquiring the short-distance communication unit name may be executed only when the service server determines that the mobile authentication password and the mobile correspondence authentication password are identical to each other.

In this case, the process of allowing access through the access security device may include a process of releasing a lock controlled by the access security device.

An access security method provided according to another aspect of the present invention includes the steps of: transmitting, by a first mobile device, a name of a short-range communication unit of the first mobile device to the service server in response to a request from a service server; Generating, by the first mobile device, a first mobile password; And broadcasting, by the first mobile device, a first M signal including the first mobile password using short-range communication. In this case, the service server transmits the name of the short-range communication unit to the access security device, generates a first mobile password, and transmits the generated first mobile password to the access security device. In addition, the access security device is configured to detect the first M signal based on the name of the short-range communication unit, and when it is determined that the first mobile password included in the first M signal is the same as the first mobile correspondence password, It is to allow access through the access security device.

At this time, the access security method, prior to the step of transmitting the name of the short-range communication unit of the first mobile device to the service server, the first mobile device, in response to the request of the service server, the location of the first mobile device. It may further include the step of providing information on the service server. At this time, the service server may be configured to request the short-distance communication unit name from the first mobile device only when it is determined that the difference between the location where the access security device is installed and the location of the first mobile device is less than or equal to a predetermined value. have.

In this case, in the access security method, before the step of transmitting the name of the short-range communication unit of the first mobile device to the service server, the first mobile device generates a mobile authentication password in response to the request of the service server. It may further include the step of providing the generated mobile authentication password to the service server. In this case, the service server may be configured to request the name of the short-range communication unit from the first mobile device only when it is determined that the mobile authentication password generated by the service server and the mobile authentication password are identical to each other.

According to another aspect of the present invention, an access security device including a short-range communication unit, a data transmission/reception unit, and a processing unit may be provided. The processing unit, using the data transmission/reception unit, receiving, from the service server, the name of the short-range communication unit of the first mobile device provided by the first mobile device to the service server; Receiving a first mobile correspondence password from the service server by using the data transmission/reception unit; Detecting a first M signal broadcast by the first mobile device using short-range communication using the short-range communication unit based on the received short-range communication unit name; And when it is determined that the first mobile password included in the first M signal is the same as the first mobile password, permitting access through the access security device.

According to another aspect of the present invention, a service server including a data transmission/reception unit and a processing unit may be provided. The processing unit may include receiving user identification information from an access security device using the data transmission/reception unit; Acquiring an identifier of the first mobile device associated with the user identification information by accessing a database including a table in which the user identification information and the first mobile device are associated with each other; Obtaining the name of the short-range communication unit from the first mobile device by requesting the name of the short-range communication unit of the first mobile device from the first mobile device by using the data transmission/reception unit using the identifier of the first mobile device; Transmitting the name of the short-range communication unit to the access security device by using the data transmission/reception unit; And transmitting a first mobile correspondence password to the access security device by using the data transmission/reception unit. At this time, the access security device is configured to detect the first M signal broadcast by the first mobile device using short-range communication based on the name of the short-range communication unit, and the first mobile password included in the first M signal When it is determined that is the same as the first mobile password, access through the access security device is permitted.

According to another aspect of the present invention, a user device including a data transmission/reception unit, a short range communication unit, a signal detection unit, and a processing unit may be provided. The processing unit, using the data transmission/reception unit, transmitting the name of the short-range communication unit of the first mobile device to the service server in response to a request from the service server; Generating a first mobile password; And broadcasting the first M signal including the first mobile password using short-range communication using the short-range communication unit. The service server is configured to transmit the name of the short-range communication unit to the access security device, generate a first mobile password, and transmit the generated first mobile password to the access security device. In addition, the access security device is configured to detect the first M signal based on the name of the short-range communication unit, and when it is determined that the first mobile password included in the first M signal is the same as the first mobile correspondence password, It is to allow access through the access security device.

As described above, short-range communication that automatically operates without taking out a mobile device from a pocket or bag without any additional actions of the user in the use of a 1-Factor authentication access security device based on existing password input, biometric authentication, NFC tagging, etc. It is possible to provide an easy 2-factor authentication-based access security device and access security system by adding OTP authentication.

In addition, even if the mobile device is not taken out and held, the locked state of the access security device can be easily unlocked, and the time required for the unlocking can be reduced.

In addition, since it is not necessary to take out the mobile device, the procedure for unlocking the access security device is simplified.

In addition, according to an embodiment of the present invention, since a One Time Password (OTP) is used, security can be improved.

In addition, according to an embodiment of the present invention, when the mobile device receives a pre-regulated broadcasting signal from the access security device, the mobile device automatically changes the access security app from the standby state to the active state, and the mobile device When a short-range communication activation signal is received from the service server, the short-range communication mode of the mobile device is automatically changed to an ON state, so that unnecessary battery consumption of the mobile device can be prevented.

1 is a system diagram of a mobile access security system according to an embodiment of the present invention.
2 is a block diagram of a mobile device providing a mobile access security method according to an embodiment of the present invention.
3 is a block diagram of a service server providing a mobile access security method according to an embodiment of the present invention.
4 is a block diagram of an access security device providing a mobile access security method according to an embodiment of the present invention.
5A and 5B are flowcharts illustrating a mobile access security method according to the first embodiment of the present invention.
6 is a flow chart showing steps performed by an access security device for a mobile access security service provided according to the first embodiment of the present invention.
7 is a flowchart showing steps performed by a service server for a mobile access security service provided according to the first embodiment of the present invention.
8 is a flowchart showing steps performed by a mobile device for a mobile access security service provided according to the first embodiment of the present invention.
9A and 9B are flowcharts illustrating a mobile access security method according to a second embodiment of the present invention.
10 is a flowchart illustrating a mobile access security method according to a third embodiment modified from the second embodiment shown in FIGS. 9A and 9B.

Since the description of the present invention is merely an embodiment for structural or functional description, the scope of the present invention should not be construed as being limited by the embodiments described in the text. That is, since the embodiments can be variously changed and have various forms, the scope of the present invention should be understood to include equivalents capable of realizing the technical idea. In addition, since the object or effect presented in the present invention does not mean that a specific embodiment should include all or only such effects, the scope of the present invention should not be understood as being limited thereto.

Meanwhile, the meaning of terms described in the present application should be understood as follows.

Terms such as "first" and "second" are used to distinguish one component from other components, and the scope of rights is not limited by these terms. For example, a first component may be referred to as a second component, and similarly, a second component may be referred to as a first component.

Singular expressions are to be understood as including plural expressions unless the context clearly implies otherwise, and terms such as "include" or "have" refer to implemented features, numbers, steps, actions, components, parts, or It is to be understood that it is intended to designate that a combination exists and does not preclude the presence or addition of one or more other features, numbers, steps, actions, components, parts, or combinations thereof. Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In each step, the identification code (for example, a, b, c, etc.) is used for convenience of explanation, and the identification code does not describe the order of each step, and each step is clearly in a specific order in the context. Unless otherwise stated, it may occur differently from the specified order. That is, each of the steps may occur in the same order as specified, may be performed substantially simultaneously, or may be performed in the reverse order.

The present invention can be implemented as computer-readable codes on a computer-readable recording medium, and the computer-readable recording medium includes all types of recording devices storing data that can be read by a computer system. . Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like, and are implemented in the form of a carrier wave (for example, transmission through the Internet). Includes things. Further, the computer-readable recording medium is distributed over a computer system connected through a network, so that computer-readable codes can be stored and executed in a distributed manner.

All terms used herein have the same meaning as commonly understood by one of ordinary skill in the field to which the present invention belongs, unless otherwise defined. Terms defined in commonly used dictionaries should be construed as having meanings in the context of related technologies, and cannot be construed as having an ideal or excessively formal meaning unless explicitly defined in the present application.

1 is a system diagram of a mobile access security system according to an embodiment of the present invention.

2 is a block diagram of a mobile device providing a mobile access security method according to an embodiment of the present invention.

3 is a block diagram of a service server providing a mobile access security method according to an embodiment of the present invention.

4 is a block diagram of an access security device providing a mobile access security method according to an embodiment of the present invention.

Referring to FIG. 1, a mobile access security system according to an embodiment of the present invention includes a short-range communication 100, a mobile device 200, a service server 300, and an access security device 400.

The short-range communication 100 refers to short-range communication that can be utilized to perform the mobile access security method according to an embodiment of the present invention. The short-range communication 100 may be one of Bluetooth communication, high frequency communication, RFID communication, beacon communication, NFC communication, Wi-Fi, acoustic communication using a microphone and a speaker, and a Cell-ID method (communication company cell-based communication method), It is not limited thereto.

Various prior art techniques, such as the technique of International Patent Publication No. WO 2008/083910, have been disclosed as techniques related to short-range communication of the Cell-ID method. In the case of a pico-cell and a femto-cell, a local communication function may be provided to an area corresponding to a short distance, and a short-range communication environment to which the present invention can be applied may be provided.

In an embodiment of the present invention, two or more short-range communication methods may be used. The first type of short-range communication may be a technology that transmits a signal detectable by the mobile device even when short-range communication technologies such as Bluetooth, NFC, and Wi-Fi of the mobile device are not activated. For example, the first type of short-range communication technology may be a communication technology using Cell-ID and a sound transmission technology using a speaker and a microphone. The second type of short-range communication technology may be a technology that causes power consumption of a mobile device, such as Bluetooth, NFC, and Wi-Fi. In addition, the second type of short-range communication technology may be a standard communication technology having a protocol for determining the strength of a received signal, such as Bluetooth, NFC, and Wi-Fi.

The short-range communication unit 270 of the mobile device 200 shown in FIG. 2 may be integrally included in the mobile device 200 described in detail below, or may be provided detachably.

The short-range communication unit 470 of the access security device 400 shown in FIG. 4 may be integrally included in the access security device 400 to be described in detail below, or may be provided detachably.

In one embodiment, the short-range communication unit 470 of the access security device 400 may include a cell-based communication device (such as a pico cell or a femto cell) connected to the access security device 400.

In one embodiment, the short-range communication unit 470 of the access security device 400 may be a speaker connected to the access security device 400. The speaker may be for transmitting ultrasonic waves, for example.

The mobile device 200 is carried by a user when using the mobile access security method according to an embodiment of the present invention, and has a short-range communication and communication function through a communication company to become an authentication means for controlling door opening and closing. Means. This may include smartphones, tablet PCs, mobile PCs, and various wearable devices.

Communication through the carrier may refer to wireless communication such as WiFi Internet, 3G, 4G, 5G, and LTE, and MAN communication using a wired network.

The mobile device 200 is equipped with a mobile access security application program in order to perform the mobile access security method according to an embodiment of the present invention, and the user can access the mobile access security application through the mobile device 200. You may have already registered as a member and logged in automatically to the access security service using the program. The mobile access security application program may hereinafter be simply referred to as an access security application or an access security application program.

The access security application program may be downloadable from a server distributing the program to the mobile device. The access security application program may be designed to perform a predetermined function in cooperation with a service server and an access security device. In the service server, a server access security application program corresponding to the access security application program may be installed and operated.

The service server 300 may execute a service program that provides an access security service according to an embodiment of the present invention that can be used through the access security application program. A user of the access security application program may be registered as a member of the access security service, and may be automatically logged into the service program through the access security application program.

A user who is a member of the access security service may be logged in to the access security application program running on the mobile device 200, and may be automatically logged in to the access security service through the access security application program. . In addition, the service server 300 may be connected to the mobile device 200 and the access security device 400 through wired or wireless communication.

The access security application program may operate in a standby mode or an activation mode. The standby mode may be a mode that reduces power consumption for execution of the access security application program, and the activation mode may be a mode set to smoothly perform a function provided by the access security application program.

Usually, the access security application program operates in the standby mode, thereby reducing power consumption of the mobile device 200. When the mobile device 200 is close to the access security device 400, the access security application program must be changed to an activation mode. A method of changing the access security application program from the standby mode to the activation mode will be described in more detail below. The access security application program generates a first mobile OTP in an activated state, generates a first M signal including the generated first mobile OTP, and broadcasts the first M signal through a short-range communication unit of the mobile device 200. Can be cast.

The access security application program is installed in the mobile device 200, and an access security application program for an access security device corresponding to the access security application program and the server access security application program is installed in the access security device 400 Can be.

The access security application program may generate and use OTP.

The OTP generated by the access security application program is transmitted to the service server 300, and the service server 300 may authenticate the mobile device 200 using the OTP transmitted from the mobile device 200. When the authentication is completed, the service server 300 may take steps to perform subsequent steps that the mobile device 200 must perform to unlock the access security device 400.

The OTP generated by the access security application program may be transmitted by the mobile device 200 using short-range communication technology. The access security device 400 may detect a signal transmitted from the mobile device 200 and recognize the OTP generated by the access security application program. Even if the short-range communication pairing between the access security device 400 and the mobile device 200 is not performed, the access security device 400 may recognize the OTP.

The OTP generated by the access security application program is transmitted to the service server 300, and the service server 300 may transmit the OTP received from the mobile device 200 to the access security device 400 again. Alternatively, the service server 300 may generate a mobile-adaptive OTP according to the same rules as the access security application program, and transmit the generated mobile-compatible OTP to the access security device 400.

The access security device 400 may check whether the OTP obtained by analyzing the signal transmitted by the mobile device 200 through short-range communication is the same as the OTP transmitted from the service server 300.

The access security device 400 has a short-range communication and communication function through a communication company, so that when a user inputs user identification information to unlock a door or gate, the user does not need to take out or manipulate the mobile device 200. It refers to a device that can be unlocked.

In one embodiment, the user identification information may be directly input to the access security device 400 by a passerby using the mobile device 200. In this case, the user identification information may be a secret ID that is identification information and authentication information of the user himself. The user identification information may be composed of numbers and/or letters that identify the mobile device 200, or may be an ID of a person having a legitimate right to use the mobile device 200 and the access security application program. The person's ID may be the person's name, nickname, or code. However, the specific format of the user identification number is not limited to the one described here. For example, when the mobile device 200 is a mobile phone, and when the user identification information is a mobile phone number, the passer-by may directly input the mobile phone number of the mobile device 200 into the access security device 400.

In another embodiment, the user identification information may be input through additional assistance of the access security device 400. After collecting user identification information of one or more nearby mobile devices by a predetermined method, the access security device 400 may display one or more user identification information through a user interface (eg, a monitor). A user interface capable of communicating user identification information identifying his or her mobile device 200 among the one or more user identification information displayed to the user interface of the access security device 400 or with the access security device 400 You can choose through. In addition, the passer-by may additionally input user authentication information (eg, password) through the user interface.

In another embodiment, the vehicle number recognition device may participate in the process of inputting the user identification information. To this end, the access security device 400 may be combined with a vehicle number recognition device.

In one embodiment, for example, when a passerby boards a vehicle and uses a store (eg, a gas station) having a plurality of vehicle entry lanes, the access security device 400 includes the vehicle number of one or more vehicles nearby. After collecting the at least one vehicle number, information related to the one or more vehicle numbers may be displayed through a user interface such as a monitor. In this case, each of the one or more vehicle numbers may be linked 1:1 with mobile device identification information for identifying a specific mobile device. And/or each of the one or more vehicle numbers may be associated with one or more user identification information identifying a user of the mobile device in 1:N (N is a natural number). The access security device 40 may display the collected number of one or more vehicles, one or more of the mobile device identification information, and/or the one or more user identification information through a user interface such as a monitor. The passer-by can select any one of the displayed information. In one scenario, a passerby may first select any one of a plurality of vehicle numbers or a plurality of mobile devices, and then select and input user identification information. In another scenario, the passer-by may skip the process of selecting a vehicle number or mobile device, and immediately select and enter user identification information. A passerby who has entered user identification information can additionally input user authentication information such as a password.

In another embodiment, for example, when using a drive-through store in which a passerby boards a vehicle and enters the store sequentially through one lane, the access security device 400 is the closest to the vehicle number recognition device. After collecting the vehicle number of one vehicle, the mobile device and user identification information linked to the collected vehicle number can be automatically specified, and the access security service is provided using the specified user identification information. can do. If a user who uses a mobile device linked to the one vehicle number has set a plurality of user identification information, the access security device 400 displays the plurality of user identification information on the screen and selects one of the user identification information. The user may be induced to select and input, and the access security service may be provided using the selected and input user identification information. The input user identification information is legitimate, and the access security device 400 may open a vehicle blocker controlled by itself.

Various information related to the vehicle number may be stored in a storage device that can be accessed by the service server 300 and a storage device that can be accessed by the access security application program installed in the mobile device 200. The access security device 400 may obtain mobile device identification information and/or user identification information associated with the selected vehicle number with the help of the service server 300. To this end, the mobile device 200 or the user of the access security application program may need to provide information to link the vehicle number and the user identification information to the access security system.

The access security device 400 may correspond to all devices that control a gate through which a person passes, a locking device installed on a door, and a locking device installed in a gate through which a vehicle passes.

In the access security device 400, an access security application program for an access security device is installed in order to perform a mobile access security method according to an embodiment of the present invention, and the access security device 400 is The security application program and/or the access security service may already be registered as a member and logged in automatically.

2 is a block diagram of a mobile device 200 providing a mobile access security method according to an embodiment of the present invention.

2, a mobile device 200 according to an embodiment of the present invention includes a data transmission/reception unit 210 for transmitting and receiving data to and from the service server 300, a first mobile OTP generation unit 230, and a short-range communication unit ( 270).

The mobile device 200 may generate the first mobile OTP in the first mobile OTP generation unit 230 using an access security application program. The first mobile OTP is generated in synchronization with the first mobile-adaptive OTP generation unit 3311 of the service server 300. Therefore, when the mobile device 200 transmits the generated first mobile OTP to the service server 300, the service server 300 can check the validity of the mobile device 200 using the first mobile OTP. have.

The first mobile OTP generation unit 230 managed by the access security application program may be configured to generate the same password at the same time as the first mobile-adaptive OTP generation unit 3311 of the service server 300. .

The access security application programs installed in different mobile devices 200 or different mobile devices 200 may have different mobile OTP generators that output different passwords at the same time.

The service server 300 may include different mobile-adaptive OTP generation units corresponding to the plurality of different mobile OTP generation units.

The short-range communication unit 270 may broadcast the name of the short-range communication unit of the mobile device 200. Broadcasting the name of the short-range communication unit of the mobile device 200 may be performed at the request of the service server.

3 is a block diagram of a service server 300 providing a mobile access security method according to an embodiment of the present invention.

Referring to FIG. 3, the service server 300 according to the embodiment of the present invention may include a data transmission/reception unit 310, an OTP function module 330, a validity check unit 350, and a command unit 370. have.

The OTP function module 310 includes subscription information of the access security application program using the user's OTP, user identification information, payment log, identification information of the mobile device 200 matched for each user, or identification information of the access security device 400 , OTP generation unit 331 and OTP determination unit 333 for generating OTP in synchronization with OTP generated for each mobile device may be included.

The OTP generation unit 331 may include a plurality of mobile-adaptive OTP generation units that independently operate in response to each of the plurality of mobile devices. 3 shows a first mobile-adaptive OTP generation unit 3311. The first mobile-adaptive OTP generation unit 3311 may generate a first mobile-adaptive OTP.

User identification information is set when the user subscribes to the access security application program through the mobile device 200 or before execution of the mobile access security method according to the embodiment of the present invention, and means all information that can identify the user. I can.

For example, it may be a character created by combining some or all of numbers, letters, and special symbols, or biometric information of the user such as a user's fingerprint, voice, or iris, or a vehicle registration number.

The user identification information may be matched 1:1 with the user's mobile device, and a single mobile device or a single access security application program installed on a single mobile device may include a plurality of user identification information.

The OTP generation unit 331 is synchronized with the OTP generation unit of the mobile device on which the access security application program is installed to generate the OTP in the same manner. The OTP determination unit 333 determines whether the OTP received from the mobile device and the OTP generated by the OTP generation unit 331 are the same.

The validity checker 350 may check the validity of the mobile device by comparing the OTP generated by the OTP function module 331 according to the OTP generation method of the mobile device and the OTP generated by the mobile device.

The command unit 370 transmits the name of the short-range communication unit of the mobile device to the short-range communication device activation command unit 371, which gives an activation command of the short-range communication unit to the mobile device, and to the access security device. It may include a broadcasting command unit 373 that issues a broadcasting command.

4 is a block diagram of an access security device 400 providing an OTP-based mobile access security method according to an embodiment of the present invention.

4, the access security device 400 according to an embodiment of the present invention includes an input unit 405, a data transmission/reception unit 410, a distance calculation unit 450, and a short-range communication unit 470 into which user identification information is input. It may include.

The user may input user identification information through the input unit 405. The input unit 405 may be embedded in the access security device 400 or may be attached separately.

The distance calculating unit 450 may measure a second distance from the access security device 400 to the mobile device 200 by short-range communication.

The short-range communication unit 470 may detect a short-range communication signal transmitted from the mobile device and detect the name of the short-range communication unit of the mobile device. The access security device 400 may receive and store the name of the short-range communication unit of the mobile device 200 in advance from the service server 300.

<First Example>

5A to 5B are flowcharts illustrating a mobile access security method according to the first embodiment of the present invention.

In FIGS. 5A to 5B, a message exchanged between the devices 21, 22, 30, and 40 may include identification information of each device.

In the example shown in FIG. 5A, the first mobile device 21 is possessed by a person (passenger) who intends to pass through the first access security device 40 using the mobile access security method according to the embodiment of the present invention. It may be a mobile device.

The first mobile device 21 may be executing an access security application program provided to execute the mobile access security method according to an embodiment of the present invention in a standby mode in step S210. The device identifier of the first mobile device 21 may be ID-M1.

The first access security device 40 may be executing an access security application program for an access security device provided to execute the mobile access security method according to an embodiment of the present invention. The device identifier of the first access security device 40 may be ID-P1.

The first access security device 40 may broadcast a first signal including identification information for identifying the first access security device 40 in step S420 using short-range communication.

Broadcasting of the first signal may be performed by short-range communication technology.

The first mobile device 21 may detect the first signal in step S220.

In one embodiment of the present invention, the detection of the first signal is performed even when a specific type of short-range communication unit of the first mobile device 21 (for example, a short-range communication unit for short-range communication of the second type described above) is not activated. I can.

As an example, if the cell-based communication function provided in the first mobile device 21 is activated, and the first signal is connected to the access security device 40, a cell-based communication device (picocell or femtocell, etc.) If transmitted via Bluetooth, NFC, Wi-Fi, and even when the short-range communication function using sound (high frequency) is not activated in the first mobile device 21, the first mobile device 21 is a specific Cell-ID When detected, the access security application program for the access security service may be activated.

As another example, even when a short-range communication function using Bluetooth, NFC, and Wi-Fi is not activated in the first mobile device 21, a microphone input installed in the first mobile device 21 may be activated. The microphone input may be regarded as a short-range communication function depending on the point of view, but it may not be. Therefore, even when the short-range communication function of the first mobile device 21 is not activated, if the first access security device 40 transmits the first signal using an acoustic signal, the transmitted first signal is 1 The mobile device 21 may recognize it, and if the first mobile device 21 detects a specific pattern from the first signal, the access security application program for the access security service may be activated.

The first mobile device 21 may convert the access security application program executed in the first mobile device 21 into an activation mode in step S221.

The first mobile device 21 transmits an activation notification (ID-M1) indicating that the first mobile device 21 has been activated in step S230, the name of the short-range communication unit of the first mobile device 21, and the first signal. The identification information (ID-P1) of the first access security device 40 that is the originating device may be transmitted to the service server 30.

In a modified embodiment, the transfer of the name of the short-range communication unit of the first mobile device 21 to the service server 30 may be performed at any time before the step (S341), which will be described later, is performed.

The service server 30 first generates first user identification information including one or more user identification information registered for a person who has logged in to the access security service through the first mobile device 21 in step S311. It can be provided to the access security device 40.

The first payment processing device 40 may display the first user identification information in step S430. The expression may be performed through, for example, a screen.

The first access security device 40 may receive a user input for selecting any one of the first user identification information in step S431. For example, in the case where the first mobile device 21 is a terminal intended to be used by six passengers for common use, the holder of the first mobile device 21 has six pieces of information displayed on the screen, that is, the first It is possible to provide a user input for selecting one of the user identification information of the passenger to the user identification information of the sixth passenger.

The user identification information input in step S431 may serve as secret information that others cannot know.

The first access security device 40 may transmit the user identification information selected and input in step S431 in step S433 to the service server 30.

The service server 30 may generate a first mobile correspondence password OTP-M1 using the first mobile correspondence OTP generation unit 3311 in step S340.

In a modified embodiment, the service server 30 may cause the first mobile device 21 to generate the first mobile password OTP-M1'. And, the service server 30 obtains the generated first mobile password (OTP-M1') from the first mobile device 21, and obtains the obtained first mobile password (OTP-M1') as a first It can be used as a mobile correspondence password (OTP-M1). That is, in this modified embodiment, the service server 30 may not directly generate the first mobile correspondence password OTP-M1.

The service server 30 may transmit the generated OTP-M1 and the name of the short-distance communication unit of the first mobile device 21 to the first access security device 40 in step S341.

In step S342, the service server 30 requests the first mobile device 21 to broadcast the first mobile password using short-range communication, and the first A command to activate the short-range communication unit of the mobile device 21 may be transmitted.

In this case, the first mobile password may be an OTP generated by the first mobile device 21 using the first mobile OTP generator. Alternatively, the first mobile password is one that the service server 30 generates an OTP using the first mobile OTP generation unit 3311, and then transmits the generated OTP to the first mobile device 21. I can.

The first mobile device 21 may activate its own short-range communication unit in step S240. On the other hand, if the short-range communication unit of the first mobile device 21 is already activated for another reason, the activated state may be forcibly maintained.

It will now be described with reference to FIG. 5B.

In step S250, the first mobile device 21 generates OTP-M1' (first mobile OTP) using the first mobile OTP generator, and generates a first M signal including the generated OTP-M1'. Broadcasting can be performed using the short-distance communication unit.

In step S441, the first access security device 40 detects the broadcasted 1M signal, and uses the strength of the detected 1M signal to provide the first access security device 40 and the first mobile device. The second distance, which is the distance between (21), can be calculated.

In step S442, the first access security device 40 may permit access when OTP-M1 is the same as OTP-M1′ and the second distance is less than or equal to a predetermined value. In contrast, the first access security device 40, in step (S442), if the OTP-M1 is not the same as OTP-M1', and/or the second distance is not less than a predetermined value, the access is not You can reject it.

Here, allowing access may mean that the lock of the door/gate managed or controlled by the first access security device 40 is released. In addition, refusing access may mean that the first access security device 40 maintains the locked state of the door/gate lock managed or controlled by the first access security device 40 without releasing the lock. The first access security device 40 may be installed in or near the door/gate.

In addition, the first access security device 40 may transmit information indicating that the access permission or access denial has been made to the service server 30 in step S443.

In step S350, the service server 30 may transmit the access permission or access denial status of the first access security device 40 to the previously registered device. The pre-registered device may include the first mobile device 21.

Also, the pre-registered device may include other devices. For example, the other device may be a device used by a parent, and the first mobile device 21 may be a device used by a child of the parent.

The first mobile device 21 may deactivate its own short-range communication unit in step S260.

The first mobile device 21 may deactivate the access security application program in step S261.

In one embodiment of the present invention, the first signal broadcast in step S420 may be that of using the first type of short-range communication technology. In addition, the broadcast signals transmitted in step S240 and step S250 may be those using the second type of short-range communication technology.

In contrast, in another embodiment of the present invention, the first mobile device 21 may be in a state in which the short-range communication unit for short-range communication of the second type has already been activated before step S420. In this case, the first mobile device 21 activates the short-range communication unit for short-range communication of the second type due to another cause, or if the first mobile device 21 is activated by the user's setting. I can. In this case, step S240 may be omitted. In addition, the first signal broadcast in step S420 may be that of using the second type of short-range communication technology.

6 is a flowchart showing steps performed by an access security device for an access security service provided according to an embodiment of the present invention.

In step (S10), the access security device may broadcast the first signal using short-range communication.

In step S11, the access security device may transmit user identification information to the service server.

In step (S12), the access security device, the name of the short-range communication unit of the first mobile device provided to the service server by the first mobile device that detected the first signal and the first mobile-adaptive OTP generated by the service server. Can be received from the service server.

In step S13, the access security device detects the first M signal broadcast by the first mobile device based on the name of the short-range communication unit of the first mobile device, and the access is based on the first M signal. It is possible to generate information about the first distance between the security device and the first mobile device.

In step S14, when the first mobile OTP included in the first M signal and the first mobile-adaptive OTP are the same, and the second distance is less than a predetermined value, the access security device permits access. If not, you can deny access.

7 is a flow chart showing steps performed by a service server for an access security service provided according to an embodiment of the present invention.

In step S20, the service server may receive user identification information from the access security device that broadcasts the first signal using short-range communication.

In step S21, the service server may transmit the name of the short-range communication unit of the first mobile device received from the first mobile device that has detected the first signal to the access security device.

In step S22, the service server may generate a first mobile-adaptive OTP and transmit it to the access security device.

In step S23, the service server may request the first mobile device to activate the short-range communication function, and request the first mobile device to generate and broadcast the first mobile OTP.

8 is a flowchart illustrating steps performed by a mobile device for an access security service provided according to an embodiment of the present invention.

In step S30, when the first mobile device detects the first signal, which is broadcast by the access security device using short-range communication, and includes identification information for identifying the access security device, the access security app is activated. I can.

In step S31, the first mobile device may transmit identification information identifying the access security device and the name of the short-range communication unit of the first mobile device to the service server.

In step S32, the first mobile device activates the short-range communication function in response to the request of the service server, generates the first mobile OTP, and uses the first M signal including the first mobile OTP through short-range communication. You can broadcast it.

<Second Example>

Hereinafter, an access security method provided according to another embodiment of the present invention will be described with reference to FIGS. 9A and 9B.

9A and 9B are flowcharts illustrating an access security method that may be provided according to an embodiment of the present invention.

In step S431, the access security device 40 may acquire user identification information.

At this time, for the user identification information, a passerby (entry requester) who wants to pass through the door/gate/door managed or controlled by the access security device 40 enters a password into the user interface provided by the access security device 40 Alternatively, it may be input through NFC technology, tagging technology such as RFID, or other actions using a short-range wireless communication interface provided by the access security device 40. The user identification information corresponds to the above-described basic authentication information.

In step S433, the access security device 40 may transmit the acquired user identification information to the service server 30.

The access security device 40 and the service server 30 can communicate with each other by a metropolitan area network (MAN) using a wireless communication network such as WiFi Internet, 3G, 4G, 5G, beyond 5G, and LTE, and a wired communication network. The communication behavior is not limited by a specific communication method.

In step S310, the service server 30 accesses a database including a table in which the user identification information and the first mobile device 21 are associated with each other, and the first mobile device is associated with the user identification information. The identifier (ID-M1) of the device 21 may be obtained. In this case, the database may be included in the service server 30, or may be included in another device (not shown) that the service server 30 can access through wired or wireless communication. In addition, when the user subscribes to the access security service using the first mobile device 21, the table is registered as subscription information in the service server 30 or another server linked to the service server 30. It may have been created.

In step S312, the service server 30 may request information on the location of the first mobile device 21 from the first mobile device 21 specified by the acquired identifier ID-M1. .

The first mobile device 21 and the service server 30 are 4G. 5G. A wireless communication network such as LTE and a MAN using a wired communication network can communicate with each other, and the communication behavior is not limited by a specific communication method.

The first mobile device 21 may include a location information measurement module (eg, a GPS module) capable of measuring its own location information (eg, earth location information).

In step S225, the first mobile device 21 may transmit information about the location of the first mobile device 21 to the service server 30.

In step S314, the service server 30 associates the location where the access security device 40 is installed, the identifier (ID-P1) of the access security device 30 and the location where the access security device 30 is installed. It can be obtained by accessing the database including the stored table. In this case, the database may be included in the service server 30, or may be included in another device (not shown) that the service server 30 can access through wired or wireless communication. And the table is created through the process of registering as subscription information in the service server 30 or another server linked to the service server 30 when a subscriber subscribes to the access security service using the access security device 40. It may have been.

Step S314 may be executed at any time after step S433.

In step S315, the service server 30 may request a mobile authentication password from the first mobile device 21.

In step S226, the first mobile device 21 may generate the mobile authentication password in response to the request in step S315. The mobile authentication password may be a One Time Password (OTP).

In step S227, the first mobile device 21 may provide the generated mobile authentication password to the service server 30.

In step S316, the service server 30 may generate a mobile correspondence authentication password. The mobile correspondence authentication password may be OTP.

At this time, the rule for generating the mobile authentication password generated by the first mobile device 21 in step S226 and the rule for generating the mobile response authentication password generated by the service server 30 in step S316 are OTP It can follow the rules for generating and can be generated by the OTP generation rules paired with each other. That is, the mobile authentication password generated at the same time and the mobile correspondence authentication password may be identical to each other.

In an embodiment, the first mobile device 21 may use the first mobile OTP generator 230 to generate the mobile authentication password. In addition, the service server 30 may use the first mobile corresponding OTP generation unit 3311 to generate the mobile corresponding authentication password.

The service server 30 may further include a first mobile OTP generation unit 3311 corresponding to the first mobile device 21 as well as a second mobile OTP generation unit corresponding to the second mobile device. Ewha, the service server 30 knows that the mobile authentication password received in step S227 is generated by the first mobile device 21, so that the mobile authentication password corresponds to the first mobile device. It can be generated using the OTP generation unit 3311.

In step S317, the service server 30 may determine whether the difference between the location of the first mobile device 21 and the location where the access security device 40 is installed is equal to or less than a predetermined value.

In step S318, the service server 30 may determine whether the mobile authentication password and the mobile correspondence authentication password are the same.

In step S320, the service server 30 may request the first mobile device 21 for the name of the short-range communication unit of the first mobile device 21.

However, step S320 may be executed only when it is determined that the mobile authentication password and the mobile correspondence authentication password are the same as a result of the determination in step S318.

And optionally, step (S320), as a result of the determination in step (S317), is executed only when it is determined that the difference between the location of the first mobile device 21 and the location where the access security device 40 is installed is less than or equal to a predetermined value. You can do it.

In step S230, the first mobile device 21 may provide the name of the short-range communication unit of the first mobile device 21 to the service server 30.

In this case, the name of the short-range communication unit of the first mobile device 21 may be an OTP generated by the first mobile device 21 using the first mobile OTP generating unit 230. And if the first mobile OTP generation unit 3311 of the service server 30 and the first mobile OTP generation unit 230 of the first mobile device 21 generate OTPs according to the same rules, the service server 30 ) May generate the short-range communication unit name of the first mobile device 21 by using the first mobile-adaptive OTP generation unit 3311 of the service server 30. Therefore, in this case, even if steps S320 and S230 are not performed, the service server 30 can find out the name of the short-range communication unit of the first mobile device 21.

In step S340, the service server 30 may generate a first mobile correspondence password OTP-M1 using the first mobile correspondence OTP generation unit 3311.

In a modified embodiment, the service server 30 may cause the first mobile device 21 to generate the first mobile password OTP-M1'. And, the service server 30 obtains the generated first mobile password (OTP-M1') from the first mobile device 21, and obtains the obtained first mobile password (OTP-M1') as a first It can be used as a mobile correspondence password (OTP-M1). That is, in this modified embodiment, the service server 30 may not directly generate the first mobile correspondence password OTP-M1.

In step S341, the service server 30 may transmit the name of the short-range communication unit of the first mobile device 21 to the access security device 40. In addition, in step S341, the service server 30 may transmit the generated first mobile correspondence password OTP-M1 to the access security device 40.

In one embodiment, the name of the short-range communication unit of the first mobile device 21 may be an OTP generated by the first mobile device 21 using the first mobile OTP generator 230. If the first mobile OTP generation unit 3311 of the service server 30 and the first mobile OTP generation unit 230 of the first mobile device 21 generate OTPs according to the same rules, the first mobile device ( The short-range communication unit name of 21) may be the same as the first mobile correspondence password OTP-M1 generated by the first mobile correspondence OTP generation unit 3311 of the service server 30.

In step S342, the service server 30 requests to activate the short-range communication function of the first mobile device 21, and the first mobile device 21 refers to the first mobile password OTP-M1'. A request to broadcast may be transmitted to the first mobile device 21 using a communication technology.

In this case, in an embodiment, the first mobile password OTP-M1 ′ may be an OTP generated by the first mobile device 21 using the first mobile OTP generator 230. Alternatively, in another embodiment, the first mobile password is, after the service server 30 generates an OTP using the first mobile OTP generation unit 3311, the generated OTP is used in the first mobile device 21 May have been sent to.

In step S240, the first mobile device 21 may activate a short-range communication function of the first mobile device 21.

In step S250, the first mobile device 21 may generate the first mobile password OTP-M1'. In this case, the first mobile password OTP-M1 ′ may be an OTP generated using the first mobile OTP generation unit 230. In addition, in step (S250), the first mobile device 21, the first mobile password (OTP-M1') using short-range communication, a signal broadcast through the short-range communication unit of the first mobile device 21 It can be transmitted using the phosphorus 1M signal.

As described above, the name of the short-range communication unit 270 of the first mobile device 21 itself may be the same as the first mobile password OTP-M1'.

Since the access security device 40 has received the name of the short-range communication unit of the first mobile device 21 in step S441, the first mobile device 21 can detect a signal broadcast using short-range communication. .

Therefore, in step S441, the access security device 40 receives the first mobile device 21, which has received the first M signal broadcast by the first mobile device 21 using short-range communication in step S341. ) Can be detected based on the name of the short-range communication unit. In addition, in step S441, the access security device 40 may generate information on the distance between the access security device 40 and the first mobile device 21 based on the strength of the first M signal. .

In step S442, when the access security device 40 determines that the first mobile password OTP-M1' acquired through the first M signal is the same as the first mobile password OTP-M1 , The access security device 40 may permit access of a passerby who wants to pass through a gate/door, etc. managed or controlled. In addition, in step (S442), the access security device 40, the first mobile password (OTP-M1') acquired through the first M signal is not the same as the first mobile password (OTP-M1). If it is determined that the access security device 40 is not allowed, the access of a passerby who wants to pass through the gate/door, etc. managed or controlled by the access security device 40 may not be permitted, that is, the access may be denied.

And/or, in step S442, access through the access security device 40 may be permitted only when the calculated distance is less than or equal to a predetermined value.

In this case, the process of allowing access through the access security device 40 may include a process of releasing a lock controlled by the access security device 40.

In one embodiment, the above-described step (S312), step (S225), and step (S317) may be omitted. This is because, by steps S441 and S442, effects similar to those of steps S312, S225, and S317 can be obtained. That is, this is because the effect of allowing access can be obtained only when the distance between the first mobile device 21 and the access security device 40 is sufficiently close. However, there is a difference that steps S312, S225, and S317 are performed in advance than steps S441 and S442.

In step S443, the access security device 40 may provide the service server 30 with the facts regarding the permission of the access or the denial of access.

In step S350, the service server 30 may transmit the access permission or access denial status of the access security device 40 to the previously registered device. The pre-registered device may include a first mobile device 21. In addition, the pre-registered device may further include other devices not shown.

In step S260, the first mobile device 21 may deactivate a function of the short-range communication unit that has been activated.

In step S261, the first mobile device 21 may deactivate the access security application program. That is, the access security application program can be put in a standby state.

In one embodiment, the first mobile password (OTP-M1') is generated by the first mobile device 21, and the first mobile password (OTP-M1) is generated by the service server 30. I can.

Unlike shown in FIG. 9B, in a modified embodiment, the first mobile password OTP-M1 ′ may be generated by the first mobile device 21. However, the first mobile password (OTP-M1) is not generated by the service server 30, but the first mobile password (OTP-M1') obtained by the service server 30 from the first mobile device 21. ) Can be.

At this time, the first mobile password (OTP-M1') is a first mobile OTP (One Time Password) generated by the first mobile device 21, and the first mobile password is generated by the service server 30. It is a first mobile-adaptive OTP, and the generation rule of the first mobile OTP and the generation rule of the first mobile-adaptive OTP may be the same.

As can be seen in FIGS. 9A and 9B, according to an embodiment of the present invention, the access security device 40 may determine permission of access or denial of access through the following process.

First, the access security device 40 must receive basic authentication information from a passerby (access requester) and transmit it to the service server 30.

Second, the access security device 40 must receive a first mobile correspondence password (OTP-M1), which is a kind of password, from the service server 30 in response to the transmission of the basic authentication information. In addition, the access security device 40 must receive information capable of specifying one mobile device from the service server 30, for example, the name of the short-range communication unit of the mobile device.

Third, the access security device 40 checks whether the first mobile device 21 having the received short-range communication unit name is within the short-range communication range, and a first mobile password (a type of password) from the first mobile device 21 OTP-M1') must be provided.

Fourth, the access security device 40 may allow access only when the first mobile password OTP-M1 and the first mobile password OTP-M1' are the same.

10 is a flowchart illustrating a mobile access security method according to a third embodiment modified from the second embodiment shown in FIGS. 9A and 9B.

The user identification information shown in FIGS. 9A, 9B, and 10 may be associated with only one mobile device or may be associated with a plurality of mobile devices.

In the second embodiment described with reference to FIGS. 9A and 9B, an example in which only one mobile device is associated with one user identification information is shown. For example, as an example of a case in which the user identification information is associated with only one mobile device, a case where a plurality of employee ID NFC tag cards prepared such as a company employee ID correspond 1:1 to one mobile device possessed by each employee Can be Here, the identification information provided by the NFC tag card may correspond to the user identification information, that is, the above-described basic authentication information.

In contrast, in the third embodiment described with reference to FIG. 10, not only the first mobile device but also the second mobile device are associated with the user identification information. That is, an example in which a plurality of mobile devices are associated with one user identification information is shown. For example, as an example of a case in which the user identification information is associated with a plurality of mobile devices, a case where a plurality of families use the same access password, or a case where a plurality of families use a plurality of duplicated NFC tag cards There may be. At this time, the access password or the identification information provided by the NFC tag card may correspond to the user identification information, that is, the above-described basic authentication information.

Step S1310 of FIG. 10 is a step that replaces step S310 of FIG. 9A.

Steps S312 and S225 of FIG. 10 are the same as steps S312 and S225 of FIG. 9A.

Steps S1312 and S1225 of FIG. 10 are additional steps added to the flowchart of FIG. 9A.

Step S1317 of FIG. 10 is a step that replaces step S317 of FIG. 9A.

Step S1328 of FIG. 10 is a step further added to the flowchart of FIG. 9A.

In addition, steps (S431), step (S433), step (S314), step (S315), step (S226), step (S227), step (S316), step (S318), and steps shown in FIGS. 9A and 9B (S340), step (S341), step (S342), step (S240), step (S250), step (S441), step (S442), step (S443), step (S350), step (S260), step (S261) and the like may be applied as it is to the third embodiment described with reference to FIG. 10. That is, FIG. 10 shows only differences between the third embodiment and the second embodiment for convenience of explanation.

FIG. 10 may be applied, for example, when a child with the first mobile device 21 and an adult with the second mobile device 22 are associated with the same user identification information, that is, the same basic authentication information. Here, the child and the adult may be members of one family.

In FIG. 10, a child with the first mobile device 21 tries to pass through the access security device 40, and an adult with the second mobile device 22 is far enough away from the access security device 40, For example, it can be applied when the distance is more than 4km.

In step S1310, the service server 30 receiving the user identification information from the access security device 40 may search for a mobile device related to the user identification information. In this case, a plurality of mobile devices including the first mobile device 21 and the second mobile device 22 may be associated with the user identification information.

In steps S312 and S1312, the service server 30 may request the location information of the mobile device from the first mobile device 21 and the second mobile device 22, respectively.

In steps S225 and S1225, the service server 30 may receive location information of a corresponding mobile device from the first mobile device 21 and the second mobile device 22, respectively.

In step S1317, the service server 30 determines whether the difference between the location of the first mobile device 21 and the location of the second mobile device 22 and the location of the access security device 40 is less than or equal to a predetermined value. can do.

In step S1328, the service server 30 selects one of the first mobile device 21 and the second mobile device 22, a mobile device that is sufficiently close to the access security device 40 to be less than or equal to the predetermined value. I can. For example, when both the first mobile device 21 and the second mobile device 22 are sufficiently close to the access security device 40 below the predetermined value, the first mobile device 21 and the second mobile device 22 ) Of the mobile device that is closer to the access security device 40 may be selected. Thereafter, the steps after step S1328 assume that the first mobile device 21 is selected from among the first mobile device 21 and the second mobile device 22.

Although not shown in FIG. 10, the service server 30 provides information on the selected first mobile device 21 among a plurality of user devices related to the user identification information and an event generated by the first mobile device 21. Can be provided to a preset device. For example, the preset device may be any one of the plurality of user devices, or may be provided to one computing device other than the plurality of user devices.

Meanwhile, some steps of the above-described access security method may be executed by the processing unit of the access security devices 400 and 40 including a short-range communication unit 470, a data transmission/reception unit 410, and a processing unit.

Some steps of the above-described access security method may be executed by the processing unit of the data transmission/reception unit 310 and the service servers 300 and 30 including the processing unit.

Some of the steps of the above-described access security method may be executed by the processing unit of the mobile devices 200 and 21 including a data transmission/reception unit 210, a short-range communication unit 270, a signal detection unit, and a processing unit.

The above-described mobile device, service server, and access security device may include processing units not shown in FIGS. 2, 3, and 4, respectively. The processing units included in the mobile device 200, the service server 300, and the access security device 40 are each executed by the mobile device 200, the service server 300, and the access security device 40. As a step, it may be adapted to perform any of the corresponding steps described above. Each of the above-described mobile device, service server, and access security device may include a nonvolatile storage device in which a program including instruction codes to be loaded and executed in order to execute the above-described steps is recorded, and the Non-volatile storage can be accessed by the processing unit.

Using the above-described embodiments of the present invention, those belonging to the technical field of the present invention will be able to easily implement various changes and modifications within the scope not departing from the essential characteristics of the present invention. The content of each claim in the claims may be combined with other claims that do not have a citation relationship within the range that can be understood through the present specification.

21: first mobile device
30: service server
40: access security device
100: short-range communication
200: mobile device
210, 310, 410: data transmission/reception unit
230: OTP generation unit
450: distance calculation unit
270, 470: Ministry of Local Area Communication
300: service server
330: OTP function module
350: justification check
370: command
400: access security device
405: input

Claims (23)

Receiving, by the access security device, a name of a short-range communication unit of a first mobile device and a first mobile correspondence password (OTP-M1) from the service server (S341);
Detecting, by the access security device, the first M signal broadcast by the first mobile device using short-range communication based on the received short-range communication unit name (S441); And
When the access security device determines that the first mobile password (OTP-M1') acquired using the 1M signal is the same as the first mobile password, the access security device permits access through the access security device. Step (S442)
Containing,
Access security method. The method of claim 1,
Before the step of receiving the short-range communication unit name from the service server,
The step of obtaining, by the access security device, user identification information (S431); And
Transmitting, by the access security device, the acquired user identification information to the service server (S433);
It further includes,
The service server is configured to obtain information on the first mobile device associated with the user identification information by accessing a database including a table in which the user identification information and the first mobile device are associated with each other ( S310), and
The service server is configured to request (S320) the name of the short-range communication unit of the first mobile device from the first mobile device, and obtain the name of the short-range communication unit (S230),
Access security method. The method of claim 1,
The access security device further comprises a step (S441) of generating information about the distance between the access security device and the first mobile device based on the strength of the 1M signal, And
Characterized in that only when the distance is less than a predetermined value, access through the access security device is permitted (S442),
Access security method. The method of claim 1, wherein the first mobile password is generated by the first mobile device (S250), and the first mobile password is generated by the service server. The access according to claim 1, wherein the first mobile password is generated by the first mobile device, and the first mobile password is the first mobile password obtained by the service server from the first mobile device. Security method. The method of claim 1, wherein the first mobile password is a first mobile OTP (One Time Password) generated by the first mobile device, and the first mobile password is a first mobile-adaptive OTP generated by the service server. And, the first mobile OTP generation rule and the first mobile-adaptive OTP generation rule are identical to each other. The method of claim 1, wherein the name of the short-range communication unit of the first mobile device is the same as the first mobile correspondence password (OTP-M1). The method of claim 1, wherein the first mobile password is generated by the service server, and the first mobile password is the first mobile password obtained from the service server by the first mobile device. . The method of claim 1,
The first mobile password is obtained by the first mobile device from the service server with the password generated by the service server,
The first mobile correspondence password is obtained by the service server from the mobile device of the password generated by the first mobile device,
Access security method. Step of receiving, by the service server, user identification information from the access security device (S433);
Accessing, by the service server, a database including a table in which the user identification information and the first mobile device are associated with each other, and obtaining an identifier of the first mobile device associated with the user identification information (S310);
The service server obtains the short-range communication unit name from the first mobile device by requesting (S320) the name of the short-range communication unit of the first mobile device from the first mobile device using the identifier of the first mobile device (S230) ) To;
Transmitting, by the service server, the name of the short-range communication unit to the access security device (S341); And
Transmitting, by the service server, a first mobile correspondence password to the access security device (S341);
Including,
The access security device is configured to detect a first M signal S250 broadcast by the first mobile device using short-range communication based on the name of the short-range communication unit, and a first mobile device included in the first M signal When it is determined that the password is the same as the first mobile password, it is characterized in that the access through the access security device is permitted,
Access security method. The method of claim 10, wherein the first mobile password is a first mobile OTP (One Time Password) generated by the first mobile device, and the first mobile corresponding password is a first mobile corresponding OTP generated by the service server. And, the first mobile OTP generation rule and the first mobile-adaptive OTP generation rule are identical to each other. The method of claim 10,
The service server, by requesting information about the location of the first mobile device from the first mobile device (S312), and obtaining information about the location of the first mobile device from the first mobile device (S225) ; And
Accessing and obtaining (S314), by the service server, a location where the access security device is installed, by accessing a database including a table in which an identifier of the access security device and a location where the access security device is installed are linked to each other and stored;
It further includes,
The step of obtaining the short-distance communication unit name is performed only when the service server determines that the difference between the location of the first mobile device and the location where the access security device is installed is less than or equal to a predetermined value,
Access security method. The method of claim 10,
The service server requesting (S315) and obtaining (S227) a mobile authentication password from the first mobile device; And
Generating, by the service server, a mobile correspondence authentication password (S316);
It further includes,
The step of acquiring the short-distance communication unit name is executed only when the service server determines that the mobile authentication password and the mobile correspondence authentication password are identical to each other,
Access security method. The method of claim 10, wherein the process of allowing access through the access security device comprises a process of releasing a lock controlled by the access security device. The method of claim 10,
Receiving, by the service server, a fact of permission of access or denial of access from the access security device (S443); And
Transmitting, by the service server, an access permission or access denial status of the access security device to a pre-registered device (S350);
Further comprising,
Access security method. Transmitting, by the first mobile device, the name of the short-range communication unit of the first mobile device to the service server in response to the request of the service server (S320) (S230);
Generating, by the first mobile device, a first mobile password (S250); And
Broadcasting, by the first mobile device, a first M signal including the first mobile password using short-range communication (S250);
Including,
The service server is configured to transmit the name of the short-range communication unit to the access security device, and generate a first mobile correspondence password to transmit the generated first mobile correspondence password to the access security device, and
The access security device is configured to detect the first M signal based on the name of the short-range communication unit, and when it is determined that the first mobile password included in the first M signal is the same as the first mobile correspondence password, the Characterized in that to allow access through an access security device,
Access security method. The method of claim 16, wherein the first mobile password is a first mobile OTP (One Time Password) generated by the first mobile device, and the first mobile password is a first mobile corresponding OTP generated by the service server. And, the first mobile OTP generation rule and the first mobile-adaptive OTP generation rule are identical to each other. The method of claim 16,
Prior to the step of transmitting the name of the short-range communication unit of the first mobile device to the service server, the first mobile device transmits information on the location of the first mobile device in response to a request (S312) of the service server. Further comprising the step of providing (S225) to the service server,
The service server is configured to request (S320) the name of the short-range communication unit from the first mobile device only when it is determined that the difference between the location where the access security device is installed and the location of the first mobile device is less than or equal to a predetermined value. Characterized in that,
Access security method. The method of claim 16,
Before the step of transmitting the name of the short-range communication unit of the first mobile device to the service server, the first mobile device generates a mobile authentication password in response to the request (S315) of the service server (S226), and the generated Further comprising the step of providing a mobile authentication password to the service server (S227),
The service server is configured to request (S320) the name of the short-range communication unit from the first mobile device only when it is determined that the mobile authentication password generated by the service server and the mobile authentication password are identical to each other. ,
Access security method. The method of claim 16,
Before the step of broadcasting the first M signal,
Receiving, by the first mobile device, a request to activate a short-range communication function of the first mobile device, and a request for the first mobile device to broadcast a first mobile password from the service server (S342); And
Activating, by the first mobile device, a short-range communication function of the first mobile device (S240);
Further comprising,
Access security method. It includes a short-range communication unit, a data transmission and reception unit, and a processing unit,
The processing unit,
Receiving, from the service server, the name of the short-range communication unit of the first mobile device provided by the first mobile device to the service server by using the data transmission/reception unit;
Receiving a first mobile correspondence password from the service server by using the data transmission/reception unit;
Detecting a first M signal broadcast by the first mobile device using short-range communication using the short-range communication unit based on the received short-range communication unit name; And
When it is determined that the first mobile password included in the first M signal is the same as the first mobile password, allowing access through the access security device
Is supposed to run,
Access security device. It includes a data transmission and reception unit, and a processing unit,
The processing unit,
Receiving user identification information from an access security device using the data transmission/reception unit;
Acquiring an identifier of the first mobile device associated with the user identification information by accessing a database including a table in which the user identification information and the first mobile device are associated with each other;
Obtaining the name of the short-range communication unit from the first mobile device by requesting the name of the short-range communication unit of the first mobile device from the first mobile device by using the data transmission/reception unit using the identifier of the first mobile device;
Transmitting the name of the short-range communication unit to the access security device by using the data transmission/reception unit; And
Transmitting a first mobile correspondence password to the access security device by using the data transmission/reception unit;
Is supposed to run,
The access security device is configured to detect a first M signal broadcast by the first mobile device using short-range communication based on the name of the short-range communication unit, and the first mobile password included in the first M signal is When it is determined that it is the same as the first mobile correspondence password, it is characterized in that the access through the access security device is permitted,
Service server. It includes a data transmission/reception unit, a short range communication unit, a signal detection unit, and a processing unit,
The processing unit,
Transmitting the name of the short-range communication unit of the first mobile device to the service server in response to a request from the service server by using the data transmission/reception unit;
Generating a first mobile password; And
Broadcasting a first M signal including the first mobile password using short-range communication by using the short-range communication unit;
Is supposed to run,
The service server is configured to transmit the name of the short-range communication unit to the access security device, and generate a first mobile correspondence password to transmit the generated first mobile correspondence password to the access security device, and
The access security device is configured to detect the first M signal based on the name of the short-range communication unit, and when it is determined that the first mobile password included in the first M signal is the same as the first mobile correspondence password, the Characterized in that to allow access through an access security device,
Mobile devices.

Images