KR100351264B1 - Communication terminal apparatus embedded the function generating One Time Password based on the challenge/response - Google Patents

Abstract

PURPOSE: A communication terminal for embedding an OTP(One Time Password) generating function based on a challenge/response is provided to minimize the key input of a user by embodying an OTP function and a normal function of the communication terminal by one body and performing an authentication procedure based on the challenge/response. CONSTITUTION: An electronic telephone type keypad(510) inputs alphanumeric data. An OTP generating unit(520) receives a challenge value in a state in which an authentication token mode is set up for generating an OTP based on a challenge/response protocol, and generates a user-side response value corresponding to the challenge value using a unidirectional function. A communication module unit(530) receives the challenge value through a wired and wireless communication network and transmits the user-side response value generated in the OTP generating unit(520) through the wired and wireless communication network for performing a transmission and reception function for a normal voice communication in a normal communication mode, and providing an authentication service based on the challenge/response protocol in the authentication token mode. An authentication parameter memory(540) stores various authentication parameters including a PIN(Personal Identification Number) and an encryption key value.

Description

Communication terminal apparatus embedded the function generating One Time Password based on the challenge / response}

The present invention relates to a communication terminal device having a built-in challenge / response-based one-time password generation function for a remote authentication service. More particularly, the communication terminal device provides a remote authentication service based on a challenge / response protocol. By incorporating the One Time Password (OTP) function that generates a response value corresponding to the challenge value, the OTS function is integrated with the normal communication terminal device. A communication terminal apparatus embedded with a challenge / response-based one-time password generation function for convenience is provided.

Recently, remote banking services such as home trading, phone banking, and personal computer banking have existed in the time / space that exists between financial companies and customers to provide financial services. With the convenience of easily eliminating the restrictions, it is showing high preference among various financial services, and at the same time, the increase in the use population is accelerating.

Today, due to the development of various electronic technologies, the spread of tools that can access specific information that requires security through various paths is being changed. As development is announced by non-professionals, more advanced security technologies are expected to emerge to block and protect such information from unauthorized access, access, destruction, cloning, and theft.

In response to this technological trend, efforts are being made from various angles to secure security related to authentication of remote service systems, which occupy one of the mainstream areas of security systems. One Time Password (OTP) system is one.

The one-time password system is a security solution that frequently changes the password (password) when the user connects to the computer network and requests authentication from the host.The current timesync method and the challenge / challenge / response, host random number input method ”has been developed. One-time password (OTP) has the advantage that even if a password is leaked on the public network, the password can be misused because it is limited to one time. Therefore, this system is emerging as a success factor of virtual banking service and remote financial service promoted by domestic and foreign financial industry, and attracts attention as a new concept of security solution from large information system operators or service providers.

The present invention relates to an authentication system for a remote service, which will be described in more detail with respect to the authentication system for a remote financial service according to the prior art.

First, a representative method for accessing an authentication server that leads the authentication process of a remote financial service is introduced. One method is to use a telephone and a public communication network based on an answering system. There is a method of accessing an authentication server using a computer communication network which is rapidly becoming popular.

When a connection with the authentication server is established by using such a communication system, an authentication process for verifying the authenticity of the user is performed by the authentication server. An authentication password (or, The most common method is to remember the unique password, password) in the head of each user and authenticate the authenticity of the user by entering it when authentication for financial services is required.

However, as is well known, this method has a high risk of exposing each person's authentication password to others, and detects a fingerprint or inputs an authentication password by using a fixed password. There is a possibility of easily leaking to others by the mobilization of a certain fraudulent method of recording, in particular, because it can be easily read by the employees of the financial institution, etc. There are a number of financial incidents involved, and much effort is required to understand where they are responsible.

A more advanced form of authentication that has emerged as an alternative to solve this problem is the authentication of a remote financial service system using a randomly generated random number (or random number plastic), often referred to as a "random check". There is a way.

In the above-described prior art, the latter is relatively more confidential than the former as a new session is read by reading the corresponding authentication password on a random number table including a plurality of authentication passwords, but the method using the random number is also Although the confidentiality is somewhat higher due to the authentication system operating within the scope of a certain rule, there is no countermeasure in case there is no countermeasure when the random number is copied and leaked or the employee of the relevant financial company uses an illegal method. In addition, questions are raised in terms of safety.

In order to solve such a problem, the inventor of the present invention, Republic of Korea Patent Application No. 97-56548, "Authentication system of remote financial services", Republic of Korea Patent Application No. 97-57621, "Authentication system of remote financial services using a computer communication network" Has been proposed.

In order to help the understanding of the present invention, the components of the gist of Korean Patent Application No. 97-56548, "Authentication System for Remote Financial Services" will be briefly described as follows.

As shown in FIG. 1, Korean Patent Application No. 97-56548 is a system for authenticating a remote financial service based on a challenge / response protocol to receive an input of a user who requires authentication for a remote financial service. Telephone 110; An answering machine 120 that forms a call path by dialing the phone 110 and receives a preset user identifier and provides a user interface for performing an authentication procedure of a remote financial service; Recognizes the user identifier input from the answering machine 120, generates a challenge value and passes it to the user through the answering machine 120, and then responds to its own response determined by the output value of the one-way function for the challenge value. Authentication composed of an authentication server 130 for authenticating the authenticity of the user by generating a value and determining whether it is equal to a user side response value corresponding to a challenge value applied through the telephone 110 and the answering machine 120. Decision system 100; And an authentication token card 200 which is externally displayed for the user to provide to the authentication determination system 100 by generating a user-side response value corresponding to the challenge value through a built-in one-way function in response to receiving the challenge value from the user. It is characterized by consisting of).

In addition, Korean Patent Application No. 97-56548, "Authentication System for Remote Financial Services," may be subject to eavesdropping by others without advanced technology, as it is supported by voice service of an automated answering system. In particular, this type of remote financial services to recognize the problem that it is more likely to become a financial services of the useless to the hearing impaired or people who are less able to hear than normal people, to solve this problem, Korean Patent Application No. 97-57621, "Computer communication network Authentication system of the remote financial service using "", as shown in Fig. 2, in the authentication system of the remote financial service based on the challenge / response protocol, which requires authentication for the remote financial service. A computer terminal 100 for providing input / output means to a user; The communication server 310 forms a communication connection by dialing the computer terminal 100 connected to the computer communication network 200 and receives a predetermined user identifier and provides bidirectional communication connectivity for performing an authentication procedure of a remote financial service. communication server and the user identifier input from the communication server 310, generate a challenge value, and transmit the challenge value to the user through the communication server 310, and then perform a unidirectional function on the challenge value. Generating a response value determined by an output value of the computer terminal 100; An authentication determination system 300 comprising an authentication server 320 for authenticating the authenticity of the user by determining whether the user response value corresponding to the challenge value applied through the communication server 310 is the same. ); And generating the user response value corresponding to the challenge value through the built-in one-way function in response to receiving the challenge value from the user so that the user determines the authentication determination system 300 through the computer terminal 100. It is characterized by consisting of the authentication token card 400 to be displayed to the outside to provide to).

Korean Patent Application No. 97-56548 and Korean Patent Application No. 97-57621 mentioned above both employ a portable authentication token card designed to generate a variable authentication password through communication with an authentication server. By fundamentally blocking the leakage of the authentication password, the security and reliability of the authentication of the user's authenticity is maximized.But basically, both parties receive a challenge value from the user as an authentication token card designed to be carried by an individual is input. The built-in one-way function generates a user-side response value corresponding to the challenge value and displays it externally so that the user can provide it to the authentication judgment system through a computer terminal or a telephone. Input and check the user reference value accordingly. There is inconvenience on the operation that a portion must be provided to the authentication system is determined by the communication terminal.

In addition, such manual operation may cause an inconvenience in operation and may frequently generate a key input error, and may cause a long time for authentication processing by a user's key input. However, the inconvenience that the user must know in detail how to operate the authentication token card has been a factor that inhibits the change of the remote service based on the challenge / response protocol.

In addition, in the conventional case, there has been the inconvenience of management and portability in which the communication terminal and the authentication token card have to be managed separately. In particular, in recent years, with the advance of mobile phone technology and mobile computing technology, cellular cellular phones are cellular. Wireless phones such as phones, PCS phones, TRS phones, Iridium phones, two-way text-to-speech pagers, two-way message terminals, personal digital assistant terminals, and more As communication terminal devices become widespread, the inconvenience of carrying separate pieces separately is actively raised, and technology that can integrate the functions by adding functions that can be integrated to the portable communication terminal device is expected. It is becoming.

Accordingly, the present invention has been made to solve such a problem, and in a communication terminal device supporting bidirectional communication, a response value corresponding to a challenge value is provided to provide a remote authentication service based on a challenge / response protocol. By incorporating OTP (One Time Password) function, OTP function and normal communication terminal function are integrated to perform challenge / response based authentication process to minimize user's key input to remote service. It is a challenge / response-based one-time password generation function that can improve the security and reliability of authentication for user's authenticity while being easy to carry by integrated management according to function integration. The purpose is to provide a built-in communication terminal device.

1 is a block diagram showing Korean Patent Application No. 97-56548, "Authentication System for Remote Financial Services",

2 is a block diagram showing Korean Patent Application No. 97-57621, "Authentication System for Remote Financial Service Using Computer Communication Network";

3 is a block diagram showing a preferred embodiment of a communication terminal device having a built-in challenge / response-based one-time password generation function according to the present invention;

Figure 4 is a block diagram showing another embodiment of a communication terminal device with a built-in one-time password generation function according to the present invention,

5 is a block diagram showing another embodiment of a communication terminal device with a built-in challenge / response-based one-time password function according to the present invention;

6 is a configuration diagram showing a first embodiment of an authentication system for remote service using the communication terminal device of the present invention;

7 is a configuration diagram showing a second embodiment of a system for authenticating a remote service using a communication terminal device of the present invention;

8 is a configuration diagram showing a third embodiment of an authentication system for remote service using the communication terminal device of the present invention;

9 is a configuration diagram showing a fourth embodiment of a system for authenticating a remote service using a communication terminal device of the present invention;

10 is a configuration diagram showing a fifth embodiment of an authentication system for remote service using a communication terminal device according to the present invention;

11 is a configuration diagram showing a sixth embodiment of the authentication system for remote service using the communication terminal device of the present invention;

12 is a configuration diagram showing a seventh embodiment of an authentication system for remote service using the communication terminal device of the present invention.

<Description of the symbols for the main parts of the drawings>

510: telephone keypad 520, 620: one-time password generation unit

530: communication module unit 540: authentication parameter memory

550: communication terminal control unit 560, 660: liquid crystal display unit

570, 670: voice generator 610: user input unit

630: data communication module unit 650: data communication terminal control unit

In order to achieve the above object, a communication terminal device having a built-in challenge / response-based one-time password generation function according to the present invention, in a communication terminal device supporting bidirectional communication, performs a unique device-specific communication function in a normal communication mode. Control the communication module to provide an access to the authentication token mode when the personal identification number keyed in through the keypad and the personal identification number in the authentication parameter memory match, and in the authentication token mode, the challenge value. While controlling to be provided to the one-time password generation unit from the keypad or the communication module unit, the user-side reference value generated by the one-time password generation unit is visually or audibly displayed on the outside or through the wired / wireless communication network or the data communication network through the communication module unit. Can send It is characterized by controlling the one-time password generation unit and the communication module unit.

Hereinafter, a configuration of a preferred embodiment of a communication terminal device having a challenge / response-based one-time password generation function according to the present invention will be described with reference to FIG. 3.

Prior to describing the present invention, a communication terminal device included in the name of the present invention will be briefly described. The communication terminal device includes a wired communication terminal device, a wireless communication terminal device, and a data communication network capable of voice communication through a public telephone communication network. Through the data communication terminal device capable of data communication through. For example, a wired communication terminal device may be a wired telephone for PSTN, a wired telephone for ISDN, an internet phone, etc., each capable of voice communication using a public telephone network, an integrated service digital network (ISDN), or the Internet. As a communication terminal device, a cellular phone, a PCS phone, a TRS phone, an Iridium phone, etc. are typical. In addition, the data communication terminal apparatus may include a wireless pager capable of two-way text service, a digital text transceiver such as a two-way message (TWM) terminal, a palm-top computer with a built-in communication function, and a mobile computer. A representative PDA (Personal Digital Assistant) is a representative computer.

3 is a block diagram showing a preferred embodiment 500 of a communication terminal device with a built-in challenge / response-based one-time password generation function according to the present invention.

As shown in FIG. 3, a preferred embodiment 500 of a communication terminal device having a built-in challenge / response-based one-time password generation function according to the present invention is a communication terminal device supporting two-way voice communication through a handset.

An electronic telephone keypad 510 for inputting alphanumeric data;

A one-time password generation unit for generating a user-side response value corresponding to the challenge value by using a one-way function in response to receiving a challenge value in a state where an authentication token mode for generating a one-time password based on the challenge / response protocol is set ( 520;

In the normal communication mode, the transmission and reception function for normal voice communication is performed, and in the authentication token mode, the challenge value is received through a wired / wireless communication network to provide an authentication service based on the challenge / response protocol, and the one-time password generation unit 520 A communication module unit (530) for transmitting the user-side response value generated by the &lt; RTI ID = 0.0 &gt;

An authentication parameter memory 540 for storing various authentication parameters including a Personal Identification Number (PIN) and an encryption key value and providing electrical erasing and programmability for the authentication parameters;

In the normal communication mode, the communication module unit 530 is controlled to provide normal voice communication through the handset, and the personal identification number and the authentication parameter memory 540 keyed through the telephone keypad 510 are controlled. If the personal identification numbers match, the access to the authentication token mode is allowed, and in the authentication token mode, the challenge value is the one-time password generation unit 520 from the telephone keypad 510 or the communication module unit 530. The one-time password generated by the one-time password generation unit 520 and the user-side reference value generated at the same time to the outside or transmitted through the wired / wireless communication network through the communication module unit 530. A communication terminal controller 550 controlling the unit 520 and the communication module 530; And

And a liquid crystal display 560 for displaying the operation state of the communication terminal controller 550 and displaying the challenge value and the user side response value.

The operation of the preferred embodiment 500 of the communication terminal device with the built-in challenge / response-based one-time password generation function according to the present invention configured as described above will be described in detail with reference to FIG. 3.

The core idea of the present invention is not only to perform normal voice call through the wired / wireless terminal device mentioned above, but also to provide convenience and high speed of authentication processing for a remote service by embedding a component capable of generating a one-time password. It is intended to increase the security and reliability of authentication for user's authenticity while being easy to carry by integrated management according to function integration.

First, in the normal communication mode, the communication module unit 530 and the handset provide sound line communication, which is a unique function of the communication terminal device. As described above, the communication at this time may be a wired communication or a wireless communication, and in some cases, may be a communication combining wired communication and wireless communication. In other words, the present invention is irrelevant to the communication format and can be applied to any communication format.

Next, the authentication token mode will be described.

First, in order to enter the authentication token mode, a personal identification number (PIN) is required to improve security of user authenticity.

In other words, when a key input for entering the authentication token mode is authorized, the communication terminal controller 550 requests the personal identification number to be input through the liquid crystal display 540.

When a user inputs a user identification number using the telephone keypad 510, the communication terminal controller 550 may input the personal identification number keyed through the telephone keypad 510 and the individual in the authentication parameter memory 540. It is determined whether the identification numbers match.

As a result of the determination, if the user identification numbers do not match, the user is required to re-enter the correct user identification number over the predetermined number of error occurrences N allowed by the user, and finally the user inputs to such a request. If this fails, the opportunity to enter the authenticated talk mode is blocked.

On the other hand, when the personal identification number keyed in via the telephone keypad 510 and the personal identification number of the authentication parameter memory 540 match, the system allows access to the authentication token mode.

Here, an example of the electronic telephone keypad 510 for inputting alphanumeric data is 4 5 key matrices (4 It is common to use a keypad consisting of a 5 key matrix, and an expanded keyboard may be used.

Subsequently, when a challenge value is input in a state where an authentication token mode for generating a one-time password based on the challenge / response protocol is set, the one-time password generator 520 uses a one-way function to respond to the user side response corresponding to the challenge value. Generate a funnel value.

In this case, the communication module unit 530 receives the challenge value through a wired / wireless communication network to provide an authentication service based on the challenge / response protocol and receives the user-side response value generated by the one-time password generation unit 520. Transmit via wired or wireless network.

As the operation mode is selected as the normal communication mode or the authentication token mode, the communication terminal controller 550 controls the communication terminal device of the present invention as a whole. In the normal communication mode, the communication is performed to provide normal voice communication through the handset. The module unit 530 is controlled, and access to the authentication token mode is allowed when the personal identification number keyed in through the telephone keypad 510 and the personal identification number of the authentication parameter memory 540 match. In the authentication token mode, the challenge value is controlled to be provided from the telephone keypad 510 or the communication module unit 530 to the one time password generation unit 520, and the one time password generation unit 520 is The generated user-side reference value is displayed on the outside or through the wired / wireless communication network through the communication module unit 530. To be transmitted and controls the one-time password generation unit 520 and the communication module 530.

Accordingly, the liquid crystal display 560 not only displays a user input applied through the telephone keypad 510, but also displays an operation state of the communication terminal controller 550 and simultaneously displays the generated user response value. Do it. Obviously, the liquid crystal display 560 provides various display functions for supporting normal voice communication.

Here, the operation state of the communication terminal control unit 550 refers to what input the communication terminal control unit 550 requires or outputs a value having in a current state, and what processing is currently being performed. Informing the user of such operation status information may provide a user-friendly environment. For example, by encrypting, changing, confirming, selecting, querying, answering, etc. on the liquid crystal display 560 according to an operation situation at the present time, the user may be provided with improved convenience.

In addition, the preferred embodiment of the present invention is displayed on the liquid crystal display 560 to notify the user of the response value of the user, but in another embodiment of the present invention, the voice for notifying the user of the response value through the voice The generating unit may further optionally be included. In other words, the user-side response value may be notified to the user through both visual means (i.e., liquid crystal display) and audio means (i.e., voice generator), and notified by the user either by audible means or visual means alone. It means you can.

In a preferred embodiment of the present invention, the communication module unit 530 directly receives a challenge value from the device itself through a wired or wireless communication network and receives the user-side response value generated by the one-time password generation unit 520. It is transmitted through a wired / wireless communication network, but depending on the method of configuring an authentication system for a remote service, a challenge value may be received through another wired or wireless terminal device, and a response value of a user side may be transmitted through another wired or wireless terminal device. It is true. In this case, the communication terminal device 500 of the present invention is used like the authentication token card 200 of Korean Patent Application No. 97-56548, "Authentication System of Remote Financial Service" shown in FIG.

Therefore, the communication module 530 of the preferred embodiment of the present invention may exclude the function of transmitting and receiving the challenge value and the user-side response value.

Hereinafter, another embodiment of the present invention based on the above facts will be described with reference to FIG. 4.

Figure 4 is a block diagram showing another embodiment of a communication terminal device with a built-in one-time password generation function according to the present invention, the same reference numerals are assigned to components that perform functions similar to the preferred embodiment of the present invention shown in FIG. The present invention is intended to facilitate the understanding of another embodiment of the present invention.

Another embodiment of the present invention, as can be seen in Figure 4, a communication terminal device for supporting two-way voice communication through the handset, an electronic telephone keypad 510 for inputting alphanumeric data (alphanumeric data); A one-time password generation unit for generating a user-side response value corresponding to the challenge value by using a one-way function in response to receiving a challenge value in a state where an authentication token mode for generating a one-time password based on a challenge / response protocol is set ( 520; A communication module unit 530 performing a transmission / reception function for normal voice communication in a normal communication mode; An authentication parameter memory 540 for storing various authentication parameters including a Personal Identification Number (PIN) and an encryption key value and providing electrical erasing and programmability for the authentication parameters; In the normal communication mode, the communication module unit 530 is controlled to provide normal voice communication through the handset, and the personal identification number and the authentication parameter memory 540 keyed through the telephone keypad 510 are controlled. When the personal identification numbers match, the access is allowed to the authentication token mode, and in the authentication token mode, the challenge value is controlled to be provided from the telephone keypad 510 to the one-time password generation unit 520. A communication terminal controller 550 for controlling to display the user-side reference value generated by the one-time password generation unit 520 to the outside; A liquid crystal display unit 560 for displaying an operation state of the communication terminal controller 550 and displaying the challenge value and the user side response value; And a voice generator 570 for notifying the user of the response value of the user through voice.

Description of the operation of the other embodiment of the present invention configured as described above will be considered as fully mentioned while explaining the preferred embodiment of the present invention will be avoided overlapping description.

In another embodiment of the present invention, it is pointed out that the communication terminal device 500 is used as an authentication token card 200 of Korean Patent Application No. 97-56548, "Authentication System of Remote Financial Services" shown in FIG. This means that the communication terminal device 500 of the present invention does not necessarily communicate with the authentication server.

For example, if you have built-in challenge / response-based one-time password generation on wireless phones such as cellular phones, PCS phones, TRS phones, and IRIDIUM phones, By using the wireless telephone 500 to access the authentication server to obtain a challenge value and provide it to the one-time password generation unit 520, the response value generated according to the user's response is directly transmitted through the wireless telephone 500 itself. It is preferable to provide the authentication server to the authentication server. However, in some cases, a separate landline telephone is used to access the authentication server, and the telephone-based keypad 510 displays a challenge value acquired by the user through the landline telephone. When the key is input to the wireless telephone 500, the response value generated by the user is read from the wireless telephone 500, and indirectly read through the wired telephone. That means you can provide it to the server.

In addition, although the telephone keypad 510 is used as a user input means in a preferred embodiment of the present invention, in recent years, a voice recognition input and an electronic pen writer input are provided. There is a known technique for applying user input in various ways such as character recognition and graphical user interface input by a ball mouse, optical mouse, trackball, touch mouse, etc. The present invention is not dependent on the user input method. Even if it is used as a user input means, it is obvious that also depends on the claims of the present invention.

In the above-described preferred embodiment of the present invention and another embodiment, an embodiment based on a wired / wireless communication terminal device supporting two-way voice communication through a handset is described. However, a two-way text message wireless pager, a TWM terminal, a PDA The same effect can be achieved when the challenge / response-based one-time password generation function is embedded in a data communication terminal device such as a personal digital assistant terminal or a palm-top computer with a communication function. Self-explanatory

Accordingly, with reference to FIG. 5 attached to another embodiment of the present invention in which the challenge / response-based one-time password function according to the present invention is embedded in the data communication terminal device, it will be described below.

Another embodiment of the present invention is similar to the preferred embodiment of the present invention, but another embodiment of the present invention is based on a data communication terminal device among various communication terminal devices. Components that perform functions similar to other embodiments of the present invention will be given different reference numerals.

5 is a block diagram illustrating another embodiment 600 of a communication terminal device incorporating a challenge / response-based one-time password function according to the present invention.

Another embodiment 600 of the present invention, as can be seen in Figure 5, in the data communication terminal device that supports two-way data communication,

A user input unit 610 for inputting alphanumeric data;

A one-time password generation unit for generating a user-side response value corresponding to the challenge value by using a one-way function in response to receiving a challenge value in a state where an authentication token mode for generating a one-time password based on the challenge / response protocol is set ( 620;

In the normal communication mode, a transmission / reception function for unique data communication is supported, and in the authentication token mode, the challenge value is received through a data communication network to provide an authentication service based on the challenge / response protocol. A data communication module unit 630 for transmitting the user-side response value generated by 620 through the data communication network;

An authentication parameter memory 640 for storing various authentication parameters including a Personal Identification Number (PIN) and an encryption key value and providing electrical erasing and programmability for the authentication parameters;

In the normal communication mode, the data communication module 630 is controlled to provide a transmission / reception function for data communication, and a personal identification number keyed through the user input unit 610 and an individual of the authentication parameter memory 640. If the identification numbers match, the access is allowed to the authentication token mode, and in the authentication token mode, the challenge value is the one-time password generation unit 620 from the pad 610 or the data communication module unit 630. The one-time password generation so that the user-side reference value generated by the one-time password generation unit 620 can be displayed on the outside or transmitted through the data communication network through the data communication module unit 630. A data communication terminal control unit 650 controlling the unit 620 and the data communication module unit 630; And

And a liquid crystal display 660 for displaying the operation status of the data communication terminal controller 650 and displaying the challenge value and the user-side response value.

Also, optionally, another embodiment of the present invention may further include a voice generator 670 for notifying the user of the user-side response value through voice.

Hereinafter, the operation of another embodiment 600 of the communication terminal device with the built-in challenge / response-based one-time password generation function according to the present invention configured as described above will be described in detail with reference to FIG. 5. However, the description unnecessary overlapping with the contents described in the preferred embodiment of the present invention will be briefly described within the acceptable range of those skilled in the art.

First, when the operation mode of the communication terminal device 600 of the present invention is a normal communication mode, the data communication module 630 performs data communication, which is a unique function of the communication terminal device.

Meanwhile, the operation mode may be switched to the authentication token mode by a user input or an external input through the data communication module unit 630. First, in order to enter the authentication token mode, in order to improve security of user authenticity You will need a personal identification number (PIN).

For example, when a key input for entering the authentication token mode is authorized, the data communication terminal controller 650 requests the personal identification number to be input through the liquid crystal display 640. Subsequently, when a user inputs a user identification number using the user input unit 610, the data communication terminal controller 650 of the authentication parameter memory 640 and the personal identification number keyed in through the user input unit 610 are input. Determine whether the personal identification numbers match.

As a result of the determination, if the user identification numbers do not match, the user is required to re-enter the correct user identification number over the predetermined number of error occurrences N allowed by the user, and finally the user inputs to such a request. If this fails, the opportunity to enter the authenticated talk mode is blocked.

On the other hand, when the personal identification number keyed in through the user input unit 610 and the personal identification number of the authentication parameter memory 640 match, the system allows access to the authentication token mode.

Here, as examples of the user input unit 610 for inputting alphanumeric data, it is preferable to use any one of a keypad, an electric pen writer, and a voice recognition input device. Another embodiment is not dependent on user input means.

In other words, in recent years, user input can be applied in various ways such as voice recognition input, character recognition for electronic pen writer input, and graphical user interface input by a ball mouse, optical mouse, trackball, touch mouse, and the like. As is known in the art, like the preferred and other embodiments of the present invention, another embodiment of the present invention is not dependent on the user input method, and thus it is also used as a user input means. It is obvious that the claims are subject to the claims.

Subsequently, when the challenge value is input while the authentication token mode for generating the one-time password based on the challenge / response protocol is set, the one-time password generation unit 620 uses a one-way function to respond to the user side response corresponding to the challenge value. Generate a funnel value.

In this case, the data communication module unit 630 receives the challenge value through a data communication network to provide an authentication service based on the challenge / response protocol and receives the user-side response value generated by the one-time password generation unit 620. Transmit through the data communication network.

As the operation mode is selected as the normal communication mode or the authentication token mode, the data communication terminal control unit 650 controls the communication terminal device of the present invention as a whole. In the normal communication mode, the data communication module unit provides normal data communication. The controller 630 controls access to the authentication token mode when the personal identification number keyed in through the user input unit 610 and the personal identification number of the authentication parameter memory 640 match. In the token mode, the challenge value is controlled to be provided from the user input unit 610 or the data communication module unit 630 to the one time password generation unit 620, and the one time password generation unit 620 generates the one-time password. Display the user-side reference value to the outside or through the data communication module 630 through the data communication To be transmitted through the network and controls the one-time password generation unit 620 and the data communication module 630.

Accordingly, the liquid crystal display 660 not only displays the user input applied through the user input unit 610, but also displays the operation status of the data communication terminal control unit 650 and simultaneously displays the generated user response value. Do it. Obviously, the liquid crystal display 660 provides various display functions for supporting normal voice communication.

In addition, the preferred embodiment of the present invention is displayed on the liquid crystal display 660 to notify the user of the response value of the user, but in another embodiment of the present invention, the voice for notifying the user of the response value through the voice The generator 670 may be further included. In other words, the user-side response value may be notified to the user through both visual means (i.e., liquid crystal display) and audio means (i.e., voice generator), and notified by the user either by audible means or visual means alone. It means you can.

In a preferred embodiment of the present invention, the data communication module unit 630 directly receives a challenge value from the device itself through a data communication network and receives the user-side response value generated by the one-time password generation unit 620. Although transmitting through the data communication network, depending on the method of configuring the authentication system of the remote service, the challenge value may be received through another wired or wireless terminal device, and the user side response value may also be transmitted through the other wired or wireless terminal device. Is true. In this case, the communication terminal device 600 of the present invention is used like the authentication token card 200 of Korean Patent Application No. 97-56548, "Authentication System of Remote Financial Service" shown in FIG.

Therefore, the function of transmitting and receiving the challenge value and the user-side response value may be excluded from the data communication module 630 of another embodiment of the present invention.

As described above, various embodiments of the authentication system for remote service using the communication terminal device 500 of the present invention can be configured.

6 is a configuration diagram showing a first embodiment of an authentication system for remote service using the communication terminal device 500 of the present invention.

The first embodiment shown in FIG. 6 is illustrated based on an example in which a one-time password generation function is built into a wired communication terminal device 500 such as a wired telephone, and is publicly communicated through the wired communication terminal device 500 of the present invention. The configuration example of performing authentication processing by switching to the authentication token mode by itself while being connected to the answering machine 120 and the authentication server 130 via the telephone network 20 is shown.

7 is a configuration diagram showing a second embodiment of a system for authenticating a remote service using the communication terminal device 500 of the present invention.

The second embodiment shown in FIG. 7 is shown based on an example in which a one-time password generation function is embedded in a wireless communication terminal device 500 such as a mobile phone. The wireless communication terminal device 500 of the present invention is wirelessly connected. The configuration example of performing authentication processing by switching to the authentication token mode by itself while being connected to the answering machine 120 and the authentication server 130 via the telephone network 20-1 is shown.

8 is a configuration diagram showing a third embodiment of the authentication system for remote service using the communication terminal device 500 of the present invention.

8 is based on an example in which a one-time password generation function is embedded in a wireless communication terminal device 500 such as a mobile phone, and the Republic of Korea Patent Application No. 97-56548 shown in FIG. Similar to the "authentication system of a remote financial service", an example of using a separate wireless or wired telephone 110 and using the wireless communication terminal device 500 of the present invention as if the token card 200 is used.

9 is a configuration diagram showing a fourth embodiment of an authentication system for remote service using the communication terminal device 500 of the present invention.

9 is similar to the Korean Patent Application No. 97-57621, "Authentication System for Remote Financial Services Using a Computer Communication Network," shown in FIG. An example of configuring a system for performing an authentication procedure for a remote service using the communication server 310 and the authentication server 320 after accessing the communication network 200 is shown.

10 is a configuration diagram showing a fifth embodiment of an authentication system for remote service using the communication terminal device 500 of the present invention.

The fifth embodiment shown in FIG. 10 is similar to Korean Patent Application No. 97-57621, "Authentication System for Remote Financial Services Using a Computer Communication Network," shown in FIG. An example of configuring a system for performing an authentication procedure for a remote service using the communication server 310 and the authentication server 320 after accessing the communication network 200 is shown.

11 is a configuration diagram showing a sixth embodiment of an authentication system for remote service using the communication terminal device 600 of the present invention.

The sixth embodiment shown in FIG. 11 is similar to Korean Patent Application No. 97-57621, "Authentication System for Remote Financial Services Using a Computer Communication Network" shown in FIG. An example of configuring a system for performing an authentication procedure for a remote service using the communication server 310 and the authentication server 320 after accessing the communication network 200-1 is shown.

12 is a configuration diagram showing a seventh embodiment of an authentication system for remote service using the communication terminal device 600 of the present invention.

The seventh embodiment shown in FIG. 12 is shown based on an example in which the one-time password generation function is built in the data communication terminal device 600. The Korean Patent Application No. 97-56548 shown in FIG. Similar to the "authentication system of" using a separate wireline telephone 110 and a public telephone network 20, or using a separate wireless telephone 110-1 and a wireless telephone 20-1 and the data communication terminal of the present invention An example of using the device 600 as a token card 200 is shown.

Meanwhile, in the above description, a device having a built-in challenge / response-based one-time password generation function focused on a portable wireless communication terminal device, a small wired terminal device, and a data communication terminal device has been described. However, the configuration of the present invention performs such a function. Elements may be handheld, such as notebook computers, lap-top computers, desktop computers, workstations, mainframes, or supercomputers. It is well known that it can be easily extended and applied to medium and large computers such as supercomputers. At this time, such computers are preferably connected to a communication network such as a wired or wireless telephone communication network or a computer communication network (ie, a data communication network).

In addition, the "remote service" referred to in the above description is a generic name including online services provided by an Internet service provider (ISP), electronic commerce, a service for connecting to a computer on a network, and the like, as described above. Concept.

The present invention relates to system passwords such as workstations, personal computers, passwords such as debit cards, credit cards, bank accounts, passwords of keys, home trading, phone banking ( Security for any application requiring authentication, such as passwords for remote banking services such as phone banking and personal computer banking, passwords for e-commerce, and passwords for subscriber verification from ISPs. It is well known that this excellent one-time password can be generated and applied.

Terminologies used herein are terms defined in consideration of functions in the present invention, which may vary according to the intention or customs of those skilled in the art, and the definitions should be made based on the contents throughout the present application. will be. Although specific embodiments of the invention have been described and illustrated, it will be apparent that the invention may be embodied in various modifications by those skilled in the art.

In addition, since the present invention has been described through the preferred embodiment of the present invention, in view of the technical difficulty aspects of the present invention, those having ordinary skill in the art can easily be different from another embodiment of the present invention. As modifications may be made, it is obvious that both the embodiments and modifications cited in the above description belong to the appended claims.

As described in detail above, in a communication terminal device supporting bidirectional communication, a one-time password (OTP) for generating a response value corresponding to a challenge value in order to provide a remote authentication service based on a challenge / response protocol; In accordance with the present invention, a challenge / response-based authentication procedure is performed by integrating an OTP function and a function of a normal communication terminal device by incorporating a Time Password) function, thereby minimizing a user's key input. Convenient convenience and high speed, and by the integrated management according to the functional integration is easy to carry, there is an advantage that can improve the security and reliability of the authenticity of the user.

Claims (13)

A communication terminal device supporting two-way voice communication through a handset, An electronic telephone keypad for inputting alphanumeric data; As a challenge value is input while an authentication token mode for generating a one-time password (OTP) based on the challenge / response protocol is set, a user-side response value corresponding to the challenge value is obtained by using a one-way function. Generating a one-time password generation unit; In the normal communication mode, a transmission / reception function is performed for normal voice communication, and in the authentication token mode, the challenge value is received through a wired / wireless communication network to provide an authentication service based on the challenge / response protocol, and the one-time password generator generates the one-time password. A communication module unit for transmitting the user-side response value through the wired or wireless communication network; And A challenge / response comprising an authentication parameter memory for storing various authentication parameters including a Personal Identification Number (PIN) and an encryption key value and providing electrical erasure and programmability to the authentication parameters Communication terminal device with built-in one-time password generation function. delete The method of claim 1, In the normal communication mode, the communication module is controlled to provide normal voice communication through the handset, and the authentication is performed when the personal identification number keyed through the telephone keypad and the personal identification number of the authentication parameter memory match. Allow access to the token mode, and in the authentication token mode, the challenge value is controlled to be provided from the telephone keypad or the communication module unit to the one-time password generation unit, and the user-side reference value generated by the one-time password generation unit. A communication terminal controller for controlling the one-time password generation unit and the communication module unit to display the outside or to transmit the wired / wireless communication network through the communication module unit; And And a liquid crystal display for displaying the challenge value and the response value of the user side while displaying an operation state of the communication terminal controller, and including a challenge / response-based one-time password generation function. . The method of claim 1, And a voice generation unit for notifying the user of the response value of the user through voice, wherein the communication terminal device includes a challenge / response-based one-time password generation function. A communication terminal device supporting two-way voice communication through a handset, An electronic telephone keypad for inputting alphanumeric data; A one-time password generation unit that generates a user-side response value corresponding to the challenge value by using a one-way function when the challenge value is input while the authentication token mode for generating a one-time password based on the challenge / response protocol is set; ; A communication module unit performing a transmission / reception function for normal voice communication in a normal communication mode; And A challenge / response comprising an authentication parameter memory for storing various authentication parameters including a Personal Identification Number (PIN) and an encryption key value and providing electrical erasure and programmability to the authentication parameters Communication terminal device with built-in one-time password generation function. delete The method of claim 5, In the normal communication mode, the communication module is controlled to provide normal voice communication through the handset, and the authentication is performed when the personal identification number keyed through the telephone keypad and the personal identification number of the authentication parameter memory match. Allow access to the token mode, and in the authentication token mode, the challenge value is controlled from the telephone keypad to be provided to the one-time password generator, and the user-side reference value generated by the one-time password generator is displayed externally. A communication terminal controller for controlling; And And a liquid crystal display for displaying the challenge value and the response value of the user side while displaying an operation state of the communication terminal controller, and including a challenge / response-based one-time password generation function. . The method of claim 5, And a voice generation unit for notifying the user of the response value of the user through voice, wherein the communication terminal device includes a challenge / response-based one-time password generation function. A data communication terminal device supporting two-way data communication, A user input unit for inputting alphanumeric data; A one-time password generation unit that generates a user-side response value corresponding to the challenge value by using a one-way function when the challenge value is input while the authentication token mode for generating a one-time password based on the challenge / response protocol is set; ; In the normal communication mode, a transmission / reception function for unique data communication is supported, and in the authentication token mode, the challenge value is received through a data communication network to provide an authentication service based on the challenge / response protocol, and the one-time password generation unit is generated. A data communication module unit configured to transmit the response value of the user side through the data communication network; And A challenge / response comprising an authentication parameter memory for storing various authentication parameters including a Personal Identification Number (PIN) and an encryption key value and providing electrical erasure and programmability to the authentication parameters Communication terminal device with built-in one-time password generation function. delete The method of claim 9, In the normal communication mode, the data communication module is controlled to provide a transmission / reception function for data communication, and when the personal identification number keyed in through the user input unit and the personal identification number of the authentication parameter memory coincide, Allow access to the mode, and in the authentication token mode, the challenge value is controlled to be provided from the cap pad or the data communication module unit to the one time password generation unit, and the user side reference value generated by the one time password generation unit A data communication terminal controller which controls the one-time password generation unit and the data communication module unit to be displayed externally or transmitted through the data communication network through the data communication module unit; And A communication terminal with a built-in challenge / response-based one-time password generation function, further comprising a liquid crystal display for displaying the challenge value and the user-side response value while displaying the operation status of the data communication terminal controller. Device. The method of claim 9, And a voice generation unit for notifying the user of the response value of the user through voice, wherein the communication terminal device includes a challenge / response-based one-time password generation function. The method of claim 9, wherein the user input unit, A communication terminal device with a built-in challenge / response-based one-time password generation function, characterized by using any one of a keypad, an electric pen writer, and a voice recognition input device.