KR100905315B1 - Authentication service method using public certification in mobile environment - Google Patents

Abstract

The present invention relates to a method for a certified certificate service in a mobile environment, and more specifically, to a delegation issue to a separate repository using a mobile terminal, and through online debit issued certificate transfer, goods purchase, fee The present invention relates to a method for performing user authentication of a mobile terminal user required for payment, customer consent, credit information inquiry, and the like.

Description

Certified certificate service method in mobile environment {AUTHENTICATION SERVICE METHOD USING PUBLIC CERTIFICATION IN MOBILE ENVIRONMENT}

The present invention relates to a method for a certified certificate service in a mobile environment, and more specifically, to a delegation issue to a separate repository using a mobile terminal, and through online debit issued certificate transfer, goods purchase, fee The present invention relates to a method for performing user authentication of a mobile terminal user required for payment, customer consent, credit information inquiry, and the like.

The Internet is a global computer network system. It is an open network that can be connected and used freely by applying a common protocol called TCP / IP to other computers that want to connect anywhere in the world. The development of data compression technology as well as the delivery of basic text information has made it possible to use various services such as large-capacity multimedia file transmission, e-mail, and the World Wide Web (WWW). As such, the use of the Internet is rapidly increasing as a strategic tool for improving efficiency and productivity in all parts of the existing industry as the use of the Internet is rapidly increasing in Korea and around the world. In addition, new business opportunities through the Internet are continuously being created, and the area is expanding. As a result, the number of Internet users is increasing.

Meanwhile, due to the development of wireless communication technology, a service provided by a mobile communication system using a CDMA (CDMA) scheme is not only a voice service but also a multi-channel that simultaneously transmits a large amount of data such as packet data and circuit data. It is developing into casting multimedia communication. As a large amount of data transmission is possible in a mobile communication system, various information such as financial services, language learning, games, and broadcasting services can be used anytime and anywhere using a mobile communication terminal. In addition, from the CDMA-2000 1x network, mobile communication can operate as an Internet Protocol (IP) terminal, and high-speed two-way data service is enabled. As information and communication technology advances, data transmission speed will increase further in next-generation mobile communication networks such as 1x EV-DO and IMT-2000.

The rapid construction of high-speed Internet networks and the proliferation of mobile communication terminals have made it easier for people to use various Internet services. However, social and economic damages caused by hacking and cyber crime are occurring in the internet environment where anonymity is guaranteed and information is easily obtained. Therefore, the electronic signature was introduced to verify the identity of the personal computer user or the mobile terminal user in the virtual Internet environment.

Electronic Signature is an electronic form of data that is logically coupled to the original data message, which is used to verify the identity of the signer and indicate the user's approval of the content of the original data message. Alternatively, it refers to information generated by a computer instead of a pen as an electronic substitute of a stamp. Currently, user authentication methods that standardize digital signatures based on public certificates are used around the world in both wired and wireless Internet environments.

Digital signature means a kind of digital signature using public key cryptography (asymmetric cryptosystem).

Typically, digital signature technology uses a public key infrastructure (PKI) encryption algorithm. The private key used in the public key infrastructure encryption algorithm is the digital signature generation key for generating the digital signature, and the public key is the digital signature verification key for verifying the digital signature. Therefore, the safe operation of the digital signature technology depends on the safe operation of the digital signature generation key (private key) and the digital signature verification key (public key).

Public Key Infrastructure (PKI) is secured by using a pair of public and private keys granted by a trusted organization for users of unsecured public networks such as the Internet. Exchange data secretly. In public key infrastructure (PKI) encryption, both public and private keys are generated simultaneously by the CA using the same algorithm. The private key is given only to the person who requested it, and the public key is published as part of the digital certificate in a public directory accessible to everyone. Private keys are never shared with others or transmitted over the Internet.

When sending an electronic document, the sender obtains the recipient's public key from the public directory, encrypts the electronic document, and sends it to the recipient. At this time, the sender encrypts the electronic certificate using its private key and sends the encrypted electronic document together with the encrypted electronic document so that the sender of the electronic document can be identified as the sender. The recipient decrypts the encrypted electronic document sent from the sender using his private key, and obtains the sender's public key from the public directory to decrypt the encrypted electronic certificate.

The core function of public key infrastructure (PKI) authentication is that confidentiality and e-commerce documents exchanged in the process of e-commerce are made, so that the contents of e-commerce can be known only to the trading parties and not to third parties. And e-commerce activities such as integrity to avoid tampering, identity to verify the identity of a trading party so that they can be held accountable for the conduct of the transaction, and contracts between parties. It is possible to guarantee non-repudiation that proves that the e-commerce activity is not denied due to harm.

The public key infrastructure (PKI) technology described above is a conventional technology that is known and implemented in various ways prior to this application, so a detailed description thereof will be omitted.

1 is a schematic diagram of a typical public key infrastructure (PKI) certificate issue system.

As shown in the figure, a conventional public key infrastructure (PKI) certificate issuance system includes a certification authority (CA) server 400, a registration authority (RA) server 300, and a directory. A server (Directory Server) 500 and a user computer 100 are included.

The certification authority (CA) server 400 is the most essential object constituting the public key infrastructure (PKI), and manages the management of the legitimacy of certificates when issuing, registering, and retrieving certificates. The CA server 400 has a hierarchy of Policy Approving Authority (PAA), Policy Certification Authority (PCA) and Certification Authority (CA) according to its role and function. Configuration, all of which are referred to as certificate authority servers.

The Policy Approving Authority (PAA) establishes authentication policies used throughout the public key infrastructure (PKI), audits the compliance status and adequacy of certification policies of subordinate organizations, and internal and external the public key infrastructure (PKI). It establishes and approves the policy for mutual authentication in the company, authenticates the public key of subordinate organizations, and manages certificates and certificate revocation lists (CRLs).

The Policy Certification Authority (PCA) establishes and verifies policies to be followed by users and certification authorities (CAs) in its own domain under the PAA. ) Authenticates the public key and manages certificates, certificate revocation lists, etc.

The certification authority (CA) is a lower layer of the policy certification authority (PCA), and issues or revokes the public key certificate of the user, delivers its public key and the public key of the superior authority, and registers the user. In accordance with the request of the institution (RA) server 300, it issues a public certificate, cross-certificates, and manages the public certificate and its owner information.

The CA is an entity that generates or revokes a certificate according to the authentication policy. All CAs generate their own key pairs and optionally generate keys of users.

The certificate is generated by digitally signing with a CA's private key. The certificate is issued to a certification authority, a user, a server, etc., and is issued to a certification authority to prove the legitimacy of a higher certification authority. Is issued to prove the identity or legitimacy of the user or server.

The domain refers to a logical grouping of CAs that implement common security policies or issue certificates for users in closely related namespaces.

Cross-Certificate is a certificate issued by one CA to another CA.

The Registrar (RA) server 300 provides users between the CA server 400 and the user computers 100 for users who are physically remote from the CA server 400. Performs a function of verifying the identity of users according to a request for issuance of an accredited certificate from the user, and if the identity is confirmed, the digital signature of the registrar (RA) server 300 is performed, and then to the certification authority (CA) server 400. Request issuance of an accredited certificate. Then, the certification authority (CA) server 400 checks the digital signature of the registrar (RA) server 300 and issues an authorized certificate for the corresponding user to return to the registrar (RA) server 300 or the user. Publish directly to

The directory server 500 stores a certificate, user related information, a mutual certificate, a certificate revocation list (CRL), and the like, issued by the CA server 400, and stores for retrieval thereof. As a separate server is installed and operated or managed by the certification authority (CA) server 400 itself.

The user computer 100 stores a user's own certificate issued by the CA server 400, and includes a certificate management system that exists in the form of software to manage the user's own certificate.

Within the accredited certificate, a unique identification number for the corresponding accredited certificate, a signature identifier used to sign the accredited certificate, an issuer name signed and generated by the accredited certificate, The validity time (Validity Time) indicating the start time and the end time that the accredited certificate can be used, the Subject Name from which the accredited certificate is issued, the user's Subject Public Key Info, and the Certification Policy Include.

The above-mentioned Certification Policy includes the mechanism by which the CA server operates, the encryption algorithm and the digital signature algorithm used, the minimum key size, the maximum validity of the certificate, the maximum duration of certificate revocation list renewal, and the issue of the certificate. To check the user's identity.

The certificate management system generates a private key and public key pair of the user, requests a public key certificate from a certification authority to receive a certificate, verifies a digital signature, obtains a public certificate of another user, and confirms the status thereof. It performs functions such as providing its own certificate to other users.

The certificate management system obtains the public key of the electronic document receiver from the directory server 500 when sending the electronic document for the electronic commerce activity, encrypts the electronic document and transmits the electronic document to the receiver. At this time, the certificate management system encrypts the public certificate of the user using a private key issued to the user and sends the digital signature with the encrypted electronic document.

On the other hand, the certificate management system decrypts the encrypted electronic document transmitted from the trading party using its own private key during the e-commerce transaction, and the encrypted public certificate sent along with the encrypted electronic document Decrypt by using the public key of the transaction party that sent the transaction.

The public key of the transaction party is preferably obtained by the certificate management system from the directory server 500. Alternatively, the public key of the transaction party may be transmitted from the transaction party to the user together with the encrypted electronic document.

Therefore, through the electronic certificate (certificate) issued by a trusted certification authority sent along with the electronic document (transaction details), the identity of the transaction party and the contents of the transaction in the case of electronic commerce such as electronic payment, electronic contract, etc. It will be possible to secure the safety and reliability of electronic commerce, such as preventing repudiation of transaction facts.

However, few users have recently used only one computer, especially for web services that require user authentication, such as using a personal computer installed in a public place, such as Internet banking, filing and issuing electronic complaint documents, and purchasing goods at an Internet shopping mall. If you want to be provided with services such as card payment according to the required certificate is required. In this case, there is a problem in that the web service can be used only after installing a public certificate on a personal computer using a storage medium equipped with a public certificate and performing a digital signature through the installed personal computer to authenticate the user.

Although, recently, a method of performing a user authentication by storing a public certificate in an internal memory of a user's mobile terminal has been developed. However, the mobile terminal is always carried, but there is a high risk of loss and a short time for replacement. Managing has vulnerabilities that can threaten personal credit security.

The present invention has been made in order to solve the above problems, the user terminal requesting the issuance of the certificate of authorization to the Certificate Authority (CA) server; (b) The Certificate Authority (CA) server that receives the request for delegation issuance generates and issues a certificate for the user, sends the certificate certificate server to the designated certificate storage server, and issues the delegated certificate and related information. Storing in; (c) In response to a request for providing user authentication of the user terminal connected to the web server, the authentication server connected to the web server requests user authentication from the user terminal, and the user terminal targets the certificate storage server. Selecting a delegated authentication; (d) transmitting, by the authentication server, user terminal information that has requested the certificate delegation authentication to the selected certificate storage server; (e) Before the certificate storage server performs delegation authentication processing on behalf of the user terminal, a user terminal is generated by creating a proxy terminal proxy verification password to confirm whether the user terminal at the time of registering the certificate has requested delegation authentication. Transmitting to the target; And (f) the certificate storage server confirms whether or not the delegate authentication request of the user terminal is requested through the proxy terminal proxy verification password returned from the user terminal, and if the proxy verification for the delegate terminal succeeds, the user substitutes for the user terminal. Performing delegated authentication; Characterized in that it comprises a.

Preferably, in the step (e), the delegate terminal proxy verification password includes at least one of telephone number information of the user terminal, resident registration number information of the user terminal, and delegation authentication date and time information in an exclusive OR manner (exclusive OR). Characterized in that it is a one-time password generated by the calculation.

More preferably, after the step (b), the certificate storage server, which has been issued a delegation certificate of the user, requests the delegation user identification information from the user and receives the user's identity information from the user terminal. step; It characterized in that it further comprises.

More preferably, the step (e), before the certificate storage server performs the delegated authentication process on behalf of the user terminal, and requests the identity information to confirm whether the current delegated authentication requestor is a legitimate user, Receiving and verifying identification information from a user terminal; Further, and if the verification of the identity of the delegated user is successful, characterized in that for performing the user authentication on behalf of the user terminal.

More preferably, the identification information may include identification card information photographed and transmitted by the user terminal of the corresponding user.

More preferably, the ID information includes image information of an ID photographed by the corresponding user terminal, exchange image file format information (Exif) including terminal model information or photographing module model information of the corresponding user terminal, and the corresponding user terminal. And at least one of a photographed ID image photographing resolution and verification ID image photographing date and time information of the corresponding user terminal.

More preferably, the identity verification for the delegated user, the certificate storage server obtains the information text data and image image data from the identification card image and compares it with previously stored authentication target user information, the user who the current delegated authentication requestor is a legitimate user And a first verification process of verifying whether or not the recognition.

More preferably, the identity verification for the delegated user, the certificate storage server obtains the exchange image file format (Exif) included in the transmitted identification image file and the stored exchange image file format of the authentication target user In comparison, it characterized in that it comprises a second identity verification process for verifying whether the current delegated authentication requestor is a legitimate user.

More preferably, the ID verification for the delegated user is based on the current time using the photographing time and the storage time information in the exchange image file format (Exif) included in the transmitted ID image file. And a third identity verification process of determining whether the current delegated authentication requestor is a legitimate user by determining whether the photograph was taken within a time period.

Authorized certificate service method in the mobile environment shown in the present invention, delegation issuance to a separate repository using a mobile terminal, through the delegation issued issuance, online account transfer, purchase of goods, payment, customer agreement, User authentication of the mobile terminal user required for credit information inquiry is performed, so that the user carries it at all times according to the method by which the user stores the authorized certificate in the internal memory of the mobile terminal, but the risk of loss is high. By overcoming vulnerabilities that can threaten the security of the Internet, even if you do not have to store your own certificates in your own memory through the slow wireless Internet, you can take care of your own certificates through the certificate archiving server anytime, anywhere.

In addition, since the user must be verified that he is a legitimate authorized certificate delegator in various ways when using the certificate from the certificate storage server that manages his own certificate, it is possible to perform more secure authentication of the authorized certificate.

In particular, the certificate archiving server is able to accurately check whether the user terminal at the time of registration of the certificate is requested for delegation authentication through the delegation terminal proxy verification that verifies whether the legitimate user terminal has requested the delegation authentication before delegation authentication. have.

In addition, through the delegation user identity verification that verifies whether the certificate storage server is a legitimate user requesting delegation authentication before delegation authentication, it is possible to accurately check whether the user at the time of registering the certificate has requested delegation authentication. It also works.

Hereinafter, exemplary embodiments of the present invention will be described with reference to the accompanying drawings.

Hereinafter, the present invention, a mobile terminal user required for issuing an authorized certificate to a separate repository using a mobile terminal, and transferring online, purchasing goods, payment, customer consent, and credit information inquiry through an authorized certificate issued by a delegation. Although a method of performing user authentication of the present invention will be described as a preferred embodiment, the technical idea of the present invention is not limited thereto, but may be variously implemented by those skilled in the art.

2 is an exemplary view of an information communication system to which the present invention is applied.

As shown in FIG. 2, the information communication system to which the present invention is applied includes a registration authority (RA) server 300, a certification authority (CA) server 400, and a directory server (Drectory Server). 500, the certificate storage server 600, the web server 700, the authentication server 800, and the user terminal 200 are configured to include an information communication network connecting the above-described configuration.

The information communication network includes the user terminal 200, the registration authority (RA) server 300, the certification authority (CA) server 400, the directory server 500, the certificate storage server 600, the web server 700, and By means of connecting the communication environment between the authentication server 800 means a data communication network in which data communication is performed. That is, the information communication network includes a wired Internet environment and a wireless Internet environment (mobile communication system).

The certification authority (CA) server 400 is a key element constituting the public key infrastructure (PKI), and manages the management of the legitimacy of the corresponding certificate when issuing, registering, and retrieving the certificate.

The certification authority (CA) server 400 is composed of a policy approving authority (PAA), a policy certification authority (PCA), and a certification authority (CA) according to its role and function. Configuration, all of which are referred to as certificate authority servers.

The Registrar (RA) server 300 may be configured to provide users between the CA server 400 and the user terminals 200 for users who are physically remote from the CA server 400. Performs a function to verify the identity of users in accordance with a request for issuance of an accredited certificate from, and if the identity is confirmed, after the electronic signature of the registrar (RA) server 300 is authorized to the certification authority (CA) server 400 Request issuance of a certificate. Then, the certification authority (CA) server 400 checks the digital signature of the registrar (RA) server 300 and issues an authorized certificate for the corresponding user to return to the registrar (RA) server 300 or the user. Publish directly to At this time, the issuance of the public certificate for the user is made by using the certificate storage server 600 as an issue target, which will be described in more detail later.

The directory server 500 stores a certificate, user related information, a mutual certificate, a certificate revocation list (CRL), and the like, issued by the CA server 400, and stores for retrieval thereof. As a separate server is installed and operated or managed by the certification authority (CA) server 400 itself.

The user terminal 200 includes a wireless application protocol (WAP), which is a wireless Internet access protocol, a Microsoft Internet Explorer (MIE: Microsoft Internet Explorer) based on HTML using an HTTP protocol, and a handheld device transport protocol ( HDTP: Handheld Device Transport Protocol), NTT DOKOMO's i-Mode or SK Telecom's 'NATE' to access the Internet via a mobile communication network.

The user terminal 200 accesses the registration authority (RA) server 300 or the certification authority (CA) server 200 and requests for issuance of a public certificate. At this time, the user terminal 200 is to designate a separate certificate storage server 600, rather than a personal PC or the corresponding mobile terminal (for example, a mobile phone) as a medium for issuing an accredited certificate. The public certificate of the user issued from) is stored and managed in the certificate storage server 600.

The certificate storage server 600 stores and manages the public certificate of the user issued from the registrar (RA) server 300 or the certificate authority (CA) server 200, and the public certificate of the user terminal 200. When a request for authentication occurs, the user's certificate is provided.

The web server 700 is a WEP / WAP server accessible in a mobile environment to which the user terminal 200 is connected through the information communication network. The web server 700 issues a credit card to a bank server of a bank in which a user's account is opened, and a user. It includes a card company server of a credit card company, a server of a mobile communication company to which a user's mobile phone is subscribed, and an operation server of a shopping mall that sells goods or contents to a user or provides an online service.

The authentication server 800 performs user authentication of the user terminal 200 attempting to access. When the user terminal 200 attempts to access the authentication server 800, an electronic signature message for the corresponding user is received from the certificate storage server 600 that manages the delegated certificate for the corresponding user terminal 200. The electronic signature message is validated through an electronic signature verification program mounted on the electronic signature verification unit 820. The validity of the digital signature is extracted from the public key, the digital signature is decrypted using the extracted public key, and compared with the hash value of the electronically signed original data. Hash function is a property of one-way function plus message compression. It is mainly used to compress a document to be digitally signed to have a constant output value.

The authentication server 800 performs login according to the verification result of the electronic signature. That is, if the verification of the electronic signature fails, the login processing unit 810 stops the connection with the user terminal 200 attempting to connect. On the contrary, if the verification of the electronic signature succeeds, the user terminal 200 attempting the connection is allowed.

Here, the delegation issuance of the public certificate is when an individual user wants to use a web service requiring user authentication by accessing a web server 700 that requires public authentication through his mobile user terminal 200. Remotely control their own certificates issued to a separate certificate storage server 600 without using their mobile terminal or their own PC, their removable storage media for the service required for authentication of the corresponding user terminal 200 This means that user authentication is done.

That is, an individual user selects a delegation issuance setting when issuing a public certificate, and issues a request for issuing the certificate. The CA (400), which receives the certificate, transmits the public certificate to the designated certificate storage server 600. .

In this case, when the user terminal 200 uses the corresponding certificate, the certificate storage server 600 performs the proxy verification for the delegate terminal necessary for the user terminal 200. This delegate terminal proxy verification process will be described in more detail below.

In addition, the certificate storage server 600 is requested by the user terminal 200 for the delegation user identity authentication necessary for the delegation of the user's public certificate received from the user terminal 200, the user terminal 200 is the corresponding certificate In the case of using the delegation user ID verification required for this will be performed with the user terminal 200. The delegated user ID verification may be used as an ID of the user photographed by the corresponding user terminal 200, and this delegated user ID verification process will be described in more detail below.

3 is a block diagram illustrating a certificate storage server 600 to which the present invention is applied.

Certificate storage server 600 to manage the authorized certificate issued to the individual is issued and managed as shown in Figure 3, the external interface 630 for data communication, the main control unit 610, data storage for the management of the official certificate Device 620, certificate detection unit for detecting a managed certificate certificate 640, electronic signature unit 650 for generating a public key and private key in a public key infrastructure environment, authentication for the proxy verification of the delegate terminal for the public certificate The delegation password management unit 660 and the identification information determination unit 670 for verifying the identity of the delegated user for the authorized certificate, a memory device including a RAM and a ROM, a separate operating system, and a display device not shown in the drawing.

Here, although only the certificate storage server 600 is described and illustrated in the above description and corresponding FIGS. 2 and 3, between the user terminal 200 of the user and the certificate storage server 600 when the authorized certificate is issued and used. An SMS / MMS server (not shown) may be linked as one of communication paths for proxy verification of a delegated terminal and identity verification of a delegated user.

The external interface 630 is a user terminal 200, a registration authority (RA) server 300, a certification authority (CA) server 400, a directory server 500, a web server in a wired or wireless environment through the information communication network. An access path is provided to transmit and receive data with the 700 and the authentication server 800.

The main control unit 610 should be able to execute a large number of mathematical calculations and examine a database when exchanging a large amount of business processing and mutual information. It is preferably a central processing unit of at least -1 series and is operated by a separate operating system.

The data storage device 620 includes a certificate DB, an authentication management DB, and an identity information DB, and are generally used to create and manage the DBs by database management software such as data software manufactured by Oracle Corporation.

The certificate DB stores and manages a public certificate of a user issued from the registrar (RA) server 300 or the certificate authority (CA) server 200.

In this way, the certificate archiving server 600 is delegated to and managed in the certificate DB in the certificate is a unique identification number (Serial Number), the algorithm identifier (Signature Algorithm ID) used to sign the certificate, the certificate Issuer Name signed and generated, Validity Time indicating the start and end times for which the Certificate is available, Subject Name for issuing the Certificate, and Delegation of the Certificate The issued certificate archiving server name (Mandator Name), the user's public key information (Subject Public Key Info), the authentication policy (Certification Policy) is included.

The authentication management DB stores management information including personal information of a delegated user, certificate delegation period information, certificate delegation contract information, and private key information of a delegated user for a user's public certificate managed by the certificate DB. do.

The identification information DB stores identification information for verifying the user's identity to the user authentication certificate managed in the certificate DB.

The identification information is preferably identification information transmitted from the user terminal 200 of the user.

More preferably, the identification card information includes image information of an ID card photographed by the user terminal 200 and exchange image file format information (Exif) including terminal model information or photographing module model information of the user terminal 200. : an exchangeable image file format), an ID image photographing resolution photographed by the corresponding user terminal 200, and ID image capturing date and time information for verification of the user terminal 200.

The certificate detector 640 detects an individual authorized certificate stored in the certificate DB. At this time, each public certificate is stored as a search key value of the mobile phone number of the user to be delegated management of the corresponding public certificate.

When the certificate detection unit 640 receives the telephone number of the user terminal for detecting the certificate from the user terminal 200 or the web server 700 requiring user authentication, the certificate DB is first searched for the certificate DB using the telephone number as a search key value. It checks whether the official certificate matching the phone number is properly managed and whether it is valid by checking the expiration date.

The electronic signature unit 650 generates a public key and a private key in a public key infrastructure.

That is, the electronic signature verification unit 820 of the authentication server 800 is connected to the CA server 400, and the login processing unit 810 is connected to the web server 700. When the 200 accesses the web server 700 and accesses a web service requiring online user authentication (account transfer online, purchase of goods, payment, customer agreement, credit information inquiry, etc.), the authentication server 800 is connected to the corresponding user terminal. On behalf of the (200) to process the user authentication process for the certificate storage server 600 and the corresponding user and if the user authentication is successful in the internal login processing unit 810 from the web server 700 for the corresponding user terminal 200 Allow web services that require user authentication to occur.

In this case, the electronic signature unit 650 generates an electronic signature message for the user who has undergone the above-mentioned delegated terminal proxy verification process and delegated user identity verification process and transmits it to the authentication server 800.

Therefore, the user terminal 200 can process the necessary authentication certificate for its own through the certificate storage server 600 anytime, anywhere, even if it does not store its own certificate in its memory through the slow wireless Internet. .

This simplicity is ensured by the following process. That is, with respect to the delegation authentication request of the user terminal 200, the certificate storage server 600 is currently used by the user terminal 200, and the user himself and the terminal is used in the normal situation It is necessary to make sure that this delegated authentication is handled properly.

This is ensured by the authentication delegate password management unit 660 and identification information determination unit 670.

The authentication delegate password management unit 660 generates a proxy for the delegate terminal proxy verification for the user terminal 200 to perform the delegated authentication process on behalf of the user terminal 200. The generated delegate terminal proxy verification password is a one-time password, the user terminal 200 is currently delegated authentication through the password returned to the user terminal 200 is sent to the user terminal 200 as a short message through SMS The request is verified.

4 shows a process of generating such a proxy for proxy verification terminal.

First, in step 1, the authentication delegate password management unit 660 converts the telephone number (010-9800-9787: 01098009787) of the user terminal 200 to a 13-digit value (0109800978700), and the social security number (650915) of the user. -1394816: 6509151394816) is calculated by Exclusive OR by mutual digits to obtain a one-step result value (6608951262516).

Then, as a second step, the date and time (November 23, 2007 15: 30: 200711231530) is a 13-digit value (2007112315300) and the result of the first step (6608951262516) by mutual digits in an exclusive OR method (Exclusive OR). Operation to obtain a two-step result value (8605063577816).

In step 3, the step 2 result value (8605063577816) is divided into odd number 8003786 and even number (6565710) according to the number of digits, and is calculated by using exclusive OR for each digit. Get

As a fourth step, the third step result value 4568496 is divided into an odd number 4646 and an even number 5590 based on the number of digits, and is calculated using an exclusive OR method for each digit. Get

The one-time delegated terminal proxy verification password generated in this way is delivered to the user terminal 200, the user who received the delegated terminal proxy verification password is stored in the certificate for the proxy terminal proxy verification through the user terminal 200 certificate Return to server 600. When the returned proxy for proxy verification is verified and verified by the authentication delegated password management unit 660, the above-mentioned certificate storage server 600 confirms that the authentication proxy of the delegated terminal is requested.

On the other hand, the identification information determiner 670 requests the identity information to the corresponding user terminal 200 to perform the delegated authentication process on behalf of the user terminal 200, the identity information of the user is transmitted to the internal identity information DB It is verified whether the user of the user terminal 200 is a legitimate user who requested the delegation authentication by comparing with the identity information of the corresponding user previously stored.

Here, the identification information is preferably identification information transmitted from the user terminal 200 of the user.

More preferably, the identification card information includes image information of an identification card photographed by the user terminal 200, exchange image file format information including terminal model information or photographing module model information of the user terminal 200, The ID card image resolution photographed by the user terminal 200 and the ID image image date and time information for verification of the user terminal 200 are included.

That is, the identification information determining unit 670 requests the user to transmit the identification information. Accordingly, the user photographs his or her identification card using his terminal 200 and sends it to the certificate storage server 600. Will be sent.

The identification information determining unit 670, which has received the ID card image, acquires the information text data and the image image data from the ID card image, and pre-stores the authentication target user information (ID card image information photographed by the user terminal when the certificate is delegated). The first identity verification is performed in comparison with.

In addition, the identification information determining unit 670 that receives the image of the identification card acquires an exchangeable image file format (Exif: exchangeable image file format) included in the transmitted identification image file and exchanges the previously stored authentication target user. A second identity verification is performed against the image file format. Through this, it is possible to check whether the ID card image currently being transmitted has been taken from the same terminal and the same module as the ID card image transmitted from the user when the previous certificate is delegated.

Here, the exchangeable image file format (Exif: exchangeable image file format) is an image file format stored in an image file of a digital camera. The camera manufacturer, camera model name, shooting time, Resolution information and the like.

In addition, the identification information determining unit 670 that receives the ID image photographing image capture time (the moment the shutter is pressed) and the storage time in the exchangeable image file format (Exif: exchangeable image file format) included in the transmitted ID image file The third identity verification is performed by determining whether the picture was taken within a predetermined time based on the current time using the information. Through this, it is possible to check whether the ID card image being transmitted is currently taken and transmitted from the user requesting the authorization.

Now, the overall flow of the present invention will be described with reference to FIG.

6 is an overall flowchart illustrating a method for authenticating a certificate in a mobile environment according to an embodiment of the present invention.

First, in order to issue the certificate to the certificate storage server 600 instead of the terminal 200 of the user, the user requests a certificate delegation issue to the registrar (RA) server 300 using his terminal 200. (S10).

In more detail, when a user requests a delegation issue of an authorized certificate targeting a certificate storage server 600 by accessing a registrar (RA) server 300 through an information communication network using his or her user terminal 200. In addition, the registrar (RA) server 300 provides a graphical user interface (GUI) for inputting user information (name and resident registration number in case of individual, corporation name and business registration number in case of corporation) to the corresponding user terminal 200. If the user inputs the user information and target information (certificate storage server name) that is the subject of delegation issuing through this, the delegation issuance request of the certificate from the user terminal 200 to the registrar (RA) server 300 is requested. The information is sent.

The registrar (RA) server 300 receiving the request for delegation of the authorized certificate from the user terminal 200 confirms the identity of the user (S12), and if the identity verification through the user information of the user is valid ( S14), the authentication authority (CA) server 400 according to the identity verification request for the authorized certificate delegation issuance for the user (S16).

In other words, when the registrar (RA) server 300 receives the delegation issuance request information of the public certificate from the user terminal 200, from the user information contained therein, the user can check whether the user is an individual or a legal person. To perform. In the case of identity inquiry, the registrar (RA) server 300 typically requests a real name verification system (not shown) to verify the identity of a corresponding user, and receives the identity verification result. If, as a result of identity verification, identity verification is authenticated, the registrar (RA) server 300 transmits the authentication certificate delegation issuance request information for the user to the certification authority (CA) server 400, and the identity verification is authenticated. If not, stop issuing the accredited certificate.

At this time, the data including the authentication certificate delegation issuance request information transmitted between the registrar (RA) server 300 and the certificate authority (CA) server 400 is encrypted using a public key infrastructure (PKI) method. It is desirable to decrypt the data transmitted and encrypted on the receiving side. Since encryption and decryption techniques using a public key infrastructure (PKI) are conventional techniques that have been widely known and implemented before this application, a detailed description thereof will be omitted.

The certification authority (CA) server 400 receiving the request for issuing the certificate of delegation for the user from the registrar (RA) server 300 generates a certificate for the user and generates the certificate of the certificate. Send to 300 to issue to a delegation target (certificate storage server) specified by the user, or directly sent to the delegation target (certificate storage server) designated by the user (S18).

In addition, the certification authority (CA) server 400 stores and stores the issued certificate and the delegation issuing information for the issued directory certificate (S20).

These certificates include the unique serial number for the certificate, the algorithm identifier used to sign the certificate, the issuer name that signed and created the certificate, and the certificate. Validity time indicating the start time and end time the certificate can be used, Subject Name to receive the public certificate, Certificate Archive server name to issue the public certificate, and public key information of the user (Subject Public Key Info), Certification Policy, and the like.

Through this process, the user's authorized certificate is delegated to the certificate storage server 600 designated by the user. Then, the user accesses the certificate storage server 600 through his user terminal 200 and The public certificate can be controlled.

At this time, the user must be verified that he is a valid authorized certificate delegator in various ways when using the public certificate from the certificate storage server 600 that manages his own certificate, hereinafter, including the delegate terminal proxy verification and delegated user identity verification It explains how to use the certificate.

When the user requests the use of the issued certificate, the certificate archiving server 600 that has been issued a delegated certificate of the user is required to verify whether the requesting user is the user who delegated the storage of the certificate. The user identity information is requested to the corresponding user terminal 200 (S22).

Accordingly, the user transmits identification information to verify the identity of the user using his terminal 200 to the certificate storage server 600.

In this case, the identification information is preferably identification information transmitted from the user terminal 200 of the user.

More preferably, the identification card information includes image information of an ID card photographed by the user terminal 200 and exchange image file format information (Exif) including terminal model information or photographing module model information of the user terminal 200. : an exchangeable image file format), an ID image photographing resolution photographed by the corresponding user terminal 200, and ID image capturing date and time information for verification of the user terminal 200.

Accordingly, the certificate storage server 600 ends the registration of the public certificate for the user by storing the public certificate of the user in the internal certificate DB and storing the delegation user ID verification information in the internal identity information DB (S26). ).

Thereafter, the user terminal 200 accesses the Internet through a wireless Internet environment using the WAP protocol, and requests a web service providing a user authentication to the web server 700 of the content provider (S28).

In this case, the web server 700 of the content provider is a WEP / WAP server that can be accessed under a mobile wireless environment that the user terminal 200 accesses through the information communication network. It includes a server of a card company of a credit card company that issued a credit card to a server, a server of a mobile communication company to which a user's mobile phone is subscribed, and an operation server of a shopping mall that sells goods or contents to a user or provides an online service.

As such, when the user terminal 200 requests a web service requiring user authentication, the authentication server 800 connected to the web server 700 requests user authentication from the user terminal 200 and the corresponding user terminal ( 200 selects the delegated authentication (S30).

Accordingly, the authentication server 800 transmits the user terminal information requesting the authorized certificate delegation authentication to the selected certificate storage server 600 (S32).

Receiving user terminal information, the authentication server 800 generates a password for the delegate terminal proxy verification for performing the delegated authentication process on behalf of the user terminal 200 through the authentication delegate password management unit 660, the corresponding user The terminal 200 transmits the target (S34).

The generation of the proxy for proxy verification for the terminal is a process for checking whether the user terminal 200 has requested delegation authentication at the certificate storage server 600 side.

The user who receives the proxy terminal proxy verification password returns the corresponding proxy terminal proxy verification password to the certificate storage server 600 through his terminal 200 (S38). When the returned proxy for proxy verification is verified and verified by the authentication delegated password management unit 660, the above-mentioned certificate storage server 600 confirms that the authentication proxy of the delegated terminal is requested.

Here, the certificate archiving server 600 may further go through the process of verifying the delegation user identity to verify whether the terminal is being used in the normal situation by the current user, in addition to the verification of the request for delegation authentication of the user terminal. .

That is, the certificate archiving server 600 confirmed through the password for the delegated terminal proxy verification that is returned whether the user authentication proxy request is made in the normal delegation terminal, the identity information for verifying the delegated user identity with respect to the user terminal 200 Request (S36).

The request for the identification information is a process of verifying whether the user of the user terminal 200 is a legitimate user who requested delegation authentication by comparing the identification information of the user to be transmitted with the identification information of the corresponding user previously stored in the internal identification information DB. to be.

The user receiving the request for identity information transmits his / her delegated user identity verification information to the certificate storage server 600 through his terminal 200 (S40).

In this case, the identification information is preferably identification information transmitted from the user terminal 200 of the user, and more preferably, the identification information includes image information of the identification card photographed by the user terminal 200, and Exchange image file format information (Exif: exchangeable image file format) including the terminal model information or the shooting module model information of the user terminal 200, the ID image recording resolution photographed by the corresponding user terminal 200, the corresponding user terminal ( And the verification ID image capturing date and time information.

The certificate storing server 600 receiving the identification information compares the identification information of the user, which is transmitted through the identification information determining unit 670, with the identification information of the user previously stored in the internal identification information DB, and the corresponding user terminal 200. ) Is verified as a valid user who requested delegated authentication.

In more detail, the identification information determining unit 670 requests the user to transmit the identification information. Accordingly, the user photographs his or her ID using his terminal 200 and stores it in the certificate storage server. To 600.

The identification information determining unit 670, which has received the ID card image, acquires the information text data and the image image data from the ID card image, and pre-stores the authentication target user information (ID card image information photographed by the user terminal when the certificate is delegated). The first identity verification is performed in comparison with.

In addition, the identification information determining unit 670 that receives the image of the identification card acquires an exchangeable image file format (Exif: exchangeable image file format) included in the transmitted identification image file and exchanges the previously stored authentication target user. A second identity verification is performed against the image file format. Through this, it is possible to check whether the ID card image currently being transmitted has been taken from the same terminal and the same module as the ID card image transmitted from the user when the previous certificate is delegated.

In addition, the identification information determining unit 670 that receives the ID image photographing image capture time (the moment the shutter is pressed) and the storage time in the exchangeable image file format (Exif: exchangeable image file format) included in the transmitted ID image file The third identity verification is performed by determining whether the picture was taken within a predetermined time based on the current time using the information. Through this, it is possible to check whether the ID card image being transmitted is currently taken and transmitted from the user requesting the authorization.

The certificate archiving server 600 that performed the delegation user verification before using the authorized certificate that is managed by delegation through the identification of the return of the proxy verification proxy for the delegate terminal and the identity of the delegation user identity verification as described above is performed by the delegation user. When the verification result is determined (S42), when the delegated terminal proxy verification is completed and the delegated user ID verification is passed, the corresponding certificate storage server 600 is connected with the authentication server 800 and the authentication server 800 is electronic signature verification. Performing user authentication for the certificate storage server 600 and the user through the unit 820 (S44), if the user authentication is successful, allows the connection of the web server 700 and the user terminal 200 ( S46). On the contrary, if the user authentication fails, the connection attempt of the web server 700 is stopped.

The present invention described above is capable of various substitutions, modifications, and changes without departing from the spirit of the present invention for those skilled in the art to which the present invention pertains. It is not limited to the drawing.

1 is a schematic diagram of a typical public key infrastructure (PKI) certificate issue system.

2 is an exemplary view of an information communication system to which the present invention is applied.

Figure 3 is a block diagram showing a certificate storage server to which the present invention is applied.

4 is a view for explaining a process of generating a proxy for proxy verification proxy terminal.

5 is a view for explaining the exchange image file format included in the image photographed by the terminal.

Figure 6 is a general flow diagram illustrating a method for a certificate service in a mobile environment according to an embodiment of the present invention.

Claims (9)

(a) requesting, by a user terminal, a delegation issue of an accredited certificate to a CA; (b) The Certificate Authority (CA) server that receives the request for delegation issuance generates and issues a certificate for the user, sends the certificate certificate server to the designated certificate storage server, and issues the delegated certificate and related information. Storing in; (c) In response to a request for providing user authentication of the user terminal connected to the web server, the authentication server connected to the web server requests user authentication from the user terminal, and the user terminal targets the certificate storage server. Selecting a delegated authentication; (d) transmitting, by the authentication server, user terminal information that has requested the certificate delegation authentication to the selected certificate storage server; (e) Before the certificate storage server performs delegation authentication processing on behalf of the user terminal, a user terminal is generated by creating a proxy terminal proxy verification password to confirm whether the user terminal at the time of registering the certificate has requested delegation authentication. Transmitting to the target; And (f) The certificate storage server checks whether the user terminal requests delegation authentication through the proxy terminal proxy verification password returned from the user terminal, and if the proxy verification succeeds for the delegate terminal, delegates the user on behalf of the user terminal. Performing authentication; Accredited certificate service method in a mobile environment comprising a. The method of claim 1, In the step (e), the proxy for proxy verification is generated by calculating at least one of telephone number information of the user terminal, resident registration number information of the user terminal, and temporary authentication information of the authorized user by other information and an exclusive OR method (Exclusive OR). Certified certificate service method in a mobile environment, characterized in that the one-time password. The method of claim 1, Between the steps (b) and (c), Receiving, by the certificate storage server, which has been issued a delegation certificate of a user, requesting the delegation user identification information from the corresponding user, and receiving the identification information of the user from the corresponding user terminal; Certified certificate service method in a mobile environment, characterized in that it further comprises a. The method of claim 3, wherein In step (e), Requesting identification information to confirm whether the current delegated authentication requestor is a legitimate user, and receiving and verifying identification information from the corresponding user terminal before the certificate storage server performs delegation authentication processing on behalf of the user terminal; Further comprising, if the verification of the identity of the delegated user is successful, the certificate service method for a mobile environment, characterized in that for performing the user authentication on behalf of the user terminal. The method according to claim 3 or 4, The identification information is an authentication certificate service method in a mobile environment, characterized in that the identification information transmitted by the user terminal of the user includes information. The method of claim 5, The ID information includes image information of an ID photographed by the corresponding user terminal, exchange image file format information (Exif) including terminal model information or photographing module model information of the corresponding user terminal, and ID image photographed by the corresponding user terminal. The at least one of the resolution, the identification ID image photographing date and time information for verification of the corresponding user terminal. The method of claim 6, Identity verification for the delegated user, The certificate storage server includes a first identity verification process of acquiring the information text data and the image image data from the identification card image and comparing it with previously stored authentication target user information to verify whether the current delegated authentication requestor is a legitimate user. Certified certificate service method in a mobile environment characterized in that. The method of claim 6, Identity verification for the delegated user, The certificate archiving server acquires the exchange image file format (Exif) included in the transmitted ID image file and compares it with the exchange image file format of the previously stored authentication target user to verify whether the current delegated authentication requestor is a legitimate user. Certified certificate service method in a mobile environment, characterized in that it comprises a second verification process. The method of claim 6, Identity verification for the delegated user, The certificate storage server determines whether the picture was taken within a predetermined time based on the current time by using the recording time and storage time information in the exchange image file format (Exif) included in the transmitted ID image file. And a third identity verification process for verifying whether or not the user is a legitimate user.

Images