KR101468192B1 - Secure User Authentication Scheme Based on Facial Recognition for Smartwork Environment - Google Patents

Abstract

The present invention relates to a face recognition based user authentication technique in a smart work environment. When a device generates a verifier by calculating registration information comprising face data with a random value and transmits the same, a server generates each key value of a user and the device by using the verifier; performs the center setting and the size setting of the face data; transmits the key value to the device; and designates the feature point of the face data between the device and the server. When the server compares the face data transmitted from the device with previously stored face data and transmits an additional verifier to the device, the device compares the additional verifier; transmits login information comprising the feature point and the key value of the face data to the server; and confirms legitimacy by using the login information and the key value. Because the inherent face data of a lot of smart work users, images selected by a user, and the feature point are used, the present invention is provided to previously block users who does not perform an accurate user authentication process and to track malicious inner users for important information exposure, thereby improving security.

Description

[Technical Field] The present invention relates to a face recognition based user authentication method in a smart work environment,

The present invention relates to a face recognition based user authentication method in a smart work environment, and more particularly, to a face recognition based user authentication method in a smart work environment in which authentication is performed using face data of a user in a smart work environment will be.

Recently, as people's interest in improving work environment has increased, research on smart work that can handle work in various environments is proceeding rapidly. Smart Work is a flexible work type that can perform tasks without restriction of time and space by using various devices. It is a kind of eco-friendly system that is free from existing business methods such as budget reduction, And future-oriented work environment [1].

SmartWalk is promoting the introduction of smartworld both at home and abroad as a future-oriented work environment that provides users with quick work process and convenient working environment. The smart work environment is a client / server environment similar to the existing cloud computing environment. Therefore, SmartWalk requires a fair user authentication process because many users access the internal data of the enterprise from the outside based on the client / server environment.

If unsecured user authentication is not performed, unauthorized users may be able to access and obtain personal information of employees, damage such as distribution of malicious code to internal network, and so on. In addition, there is a possibility that important data related to work may be lost or leaked, and there may be problems such as spam mails, spam letters, and the spread of malicious codes in the enterprise through the leaked data [1], [2] ].

In order to solve this problem, existing network environment uses ID / password based authentication method and authentication medium based authentication method such as smart card. However, it is troublesome to have a separate authentication medium, password peeking attack, password guessing attack It is also vulnerable to simple attacks such as.

[1] S.K. Park, J.H. Lee, "Smarwork Technology and Standardization ", Telecommunications Technology Assocition Journal, Vol. 136, pp.79-84 [2] M.S. Jeong, D. Lee, J. Kwak, "Analysis of Smartwork Security Threats and Security Requirements ", Korea Institute of Information Security & Cryptology, Journal of Information Security, Vol. 21 no. 5, pp55-63, 2011.5 [3] K.H., Lee, "Facial Recognition Technology Trends" [4] L. Lamport, "Password Authentication with Insecure Communication", Communications of ACM 24, Vol. 24. no.11. pp. 770-772, Nov. 1981. [5] M.S. Hwang, L.H. Li, "A new remote user authentication scheme using smart cards ", IEEE Transactions on Consumer Electronics Vol. 46. No. 1 pp.28-.30. Feb. 2000. [6] M.K. Khan, S.K. Kim, "Cryptanalysis and security enhancement of a " more efficient & secure dynamic ID-based remote user authentication scheme ", Computer Communications, Vol. 34, pp. 305-309, 2011. [7] M. Scott, "Cryptanalysis of an ID-based Password Authentication Scheme using Smart Cards and Fingerprints", ACM SIGOPS Operating Systems Review, 2004. [8] I. E. Liao, C. C. Lee, M. S, Hwang, "A password authentication scheme over insecure networks", Journal of Computer and System Sciences, Vol. 72, pp. 727-740, 2006. [9] S. Lee, I. Ong, H. T. Lim, H. J. Lee, "Two Factor Authentication for Cloud Computing", International Journal of KIMICS, Vol. 8, No. 4, pp. 427-432, Aug. 2010.

SUMMARY OF THE INVENTION Accordingly, the present invention has been made to solve the above-mentioned problems occurring in the prior art, and it is an object of the present invention to provide a face recognition- And to provide authentication techniques.

According to another aspect of the present invention, there is provided a face recognition-based user authentication method in a smart work environment, wherein a device generates a verifier by calculating registration information including face data with a random value, The server generates a key value of a user and a device using the verifier, performs center setting and specification of the face data, and transmits the key value to the device, A registration step of specifying a minutiae of the target person; And when the server compares the face data transmitted from the device with the face data stored in advance and transmits an additional verifier to the device, the device compares the additional verifier and transmits login information including the minutiae of the face data and the key value And a login and authentication step of confirming the legitimacy of the server using the login information and the key value.

Wherein the registering step comprises the steps of: the device generating user information and device information, a random value; Generating a password and a serial number verifier by computing the face data, the password and the serial number with the random number, and transmitting the user and the information to the server via the specific channel together with the information; The server generating a key value of a user and a device using the serial number verifier; The server performs center setting and specification of the face data, applies a grid to the face data, and transmits the face data together with each key value to the device; Storing a key value and a random value received by the device, selecting a desired image and feature point from the transmitted face data, and transmitting the selected image and feature point to the server; And storing the image and the minutiae received by the server.

Wherein the login and authentication step comprises: the device generating user information and device information and face data; Generating, by the device, respective verifiers, generating parameters necessary for verification, and transmitting the generated parameters to the server; Generating a key value from the data stored in the server and confirming an identifier; Comparing the facial data stored in advance by the server with the received facial data, and transmitting facial data to the device, the facial data including an additional verifier and a grid; The device generating the additional verifier using the parameter, and comparing the generated additional verifier with the transmitted additional verifier; The device selecting desired images and feature points from the face data to which the grid is applied, generating login information through the key value, and transmitting the login information to the server; And confirming the legitimacy of the login information using the login information and the key value transmitted from the server.

At this time, the grid is applied inside the circular rim of the face, divided into the set number, and coordinates are given to each of the divided images; The server randomly outputs selectable feature points and randomly generated false feature points to form a feature point candidate group and transmits the faceted data to the device so that the user can select a desired feature point from the feature point candidates.

As described above, according to the face recognition-based user authentication technique in the smart work environment according to the present invention, unique face data of a large number of smart work users and images and feature points selected by the user are used, Users can block beforehand.

Also, according to the present invention, malicious internal users can be traced to important information exposure, thereby improving security.

1 is a system configuration diagram for a face recognition based user authentication technique in a smart work environment of the present invention.
2 is a diagram illustrating a data center extraction process according to an embodiment of the present invention.
3 is a view illustrating a process of setting a face standard according to an embodiment of the present invention.
4 is a diagram illustrating an example of face data division according to an embodiment of the present invention.
5 is a diagram illustrating a process of deriving a candidate group according to an embodiment of the present invention.
6 is a registration phase protocol according to an embodiment of the present invention.
7 is a login and authentication step protocol according to an embodiment of the present invention.

Hereinafter, a face recognition based user authentication method in a smart work environment of the present invention will be described in detail with reference to the accompanying drawings.

First, we describe the user authentication method based on existing smart work, face recognition technology, client / server architecture, and describe user authentication methods such as Integrity, Confidentiality, Mutual Authentication, Impersonation Attack, After analyzing the existing problems, the differences of the present invention will be explained.

Smart Walk

SmartWalk is a future-oriented business type that can work efficiently anytime and anywhere by moving away from the way of performing work in the existing limited office. Working at home, working at home rather than company, moving to work on various sites using various devices, working at a Smart Work Center to work at a place separately established by the company . Due to flexibility of work style, it is expected to have the same effect as expanding employment opportunities for difficult-to-work people, such as seniors and pregnant women with excellent skills. In addition, , Rapid decision making and problem solving are possible [1], [2].

Face recognition technology

Face recognition technology is a technology that is used variously in the sale of applications such as identification inquiry, access control, unmanned surveillance, or criminal search. In most cases, images and still images were used at the beginning, but related researches have been actively developed and are continuously being developed.

Face recognition does not require any special action or action by the user, and it performs authentication without touching the user and the recognition device. Therefore, there is an advantage that the user does not have a sense of rejection, and each user has high safety Can be done [3].

Client / server architecture based user authentication scheme

The smart work environment is an environment similar to the client-server architecture in which the existing cloud computing environment has evolved, and many users can receive services or services based on the same infrastructure. In addition, because it is based on virtualization technology similar to cloud computing environment, cloud computing related technology will be applicable to most of smart work environment. Therefore, in the present invention, problems are analyzed through analyzing user authentication techniques based on existing client / server architecture.

The client - server architecture based authentication method was first proposed by Lamport [4] in 1981, and research on the efficiency and safety of the authentication technology has begun. The authentication scheme proposed by Lamport is a method of verifying the validity of a user by using a password table. However, when the password table is damaged, stolen, or modified by another person, the system may not recognize the user. Hwang et al. [5] and Khan [6] proposed a new password-based authentication scheme using smart cards. Hwang et al. And Khan et al. Proposed a new authentication scheme with improved security and efficiency [5] [6]. Since then, the ID-based password authentication method using smart cards and fingerprints proposed by Kim et al. Has been problematic in that log-on is possible without using smart card, fingerprint, and ID / password by eavesdropping [7]. In addition, many of the proposed authentication schemes have been analyzed as vulnerable [7, 8]. After that, researches on user authentication method based on client - server architecture have been actively conducted, and as the cloud computing environment has spread widely, a large number of users have changed the existing client - server architecture using the same infrastructure, The server-to-server networking system required stronger authentication. Lee et al. [9] proposed a public key infrastructure and a mobile outband authentication scheme in a cloud computing environment. However, the authentication scheme proposed by Lee et al. Can be easily exposed to attacks such as eavesdropping by transmitting the ID and password, which are used for verifying the user, in plain text form without encrypting them, exist.

Integrity

In a network environment, integrity must be ensured not only for data transmission and reception, but also for existing data. The smart work environment uses a public network, such as the Internet, to access internal data from outside. In this case, malicious user access is possible rather than data transmission using a virtual private network (VPN) Various vulnerabilities can be exposed, and malicious users access the internal network, increasing the possibility of security incidents such as data corruption, alteration, and destruction. In the case of internal data used in the smart work environment, it is necessary to ensure the integrity of the data in order to prevent such problems by propagating erroneous information and disturbing the business due to data illegal or altered [2].

The authentication scheme proposed by Lee et al. Transmits the ID / password, which is a means used to verify the user, in a plain text form without encryption. If a user's ID / password is transmitted in plain text form, a malicious user can take the information and cause personal misappropriation, modification, falsification, and tampering, which can not guarantee data integrity.

Confidentiality

Since most users access external data from outside, if the confidentiality of the data is not secured, it will affect data security such as malicious user's unauthorized network access, intrusion of personal privacy or data leakage. I am crazy. Confidentiality is also essential because of the possibility of additional damage such as spam, spam, and phishing due to spilled data [2]. In Lee et al. 'S proposed method, as described above, the ID / password is transmitted in a plain text form which can be easily intercepted by a malicious user. Therefore, The data confidentiality can not be guaranteed.

Mutual Authentication

Security problems can arise if various users access the inside of a company from outside in real time to solve problems, or mutual authentication is not performed between a user and a server in a smart work environment in which various tasks are processed. When a user accesses a malicious phishing server and inputs user information, the server installer can easily obtain the user's information and access the inside by exploiting the acquired information. In addition, if a malicious user masquerades as a legitimate server, security incidents such as distribution of malicious code, personal information hijacking of employees, and leakage of confidential documents can occur [2]. Therefore, in order to prevent such damage, a mutual authentication process is required between the user and the server even when the user authentication process is performed. The authentication scheme proposed by Hwang et al. Does not perform a mutual authentication process between the user and the server. This makes it possible to steal information as a server or as a user.

Impersonation Attack

In a smart work environment using a public network, if a user acquires illegal data and accesses it as a legitimate user, problems such as personal information of the employees and leakage of the enterprise key data may occur [2]. However, in Lee et al. 'S proposed scheme, the ID / password is transmitted in plaintext form without encryption and mutual authentication is not performed between the user and the server. In such a case, it is possible for a malicious user to easily steal an ID / password, to steal a legitimate user using a legitimate user's mobile phone through theft or theft, to access the server, and to receive a one- It is possible.

Wiretapping

In the user authentication method proposed by Lee et al., The user transmits the ID and password of the user transmitted to the web server in a plain text form without encryption process. Thus, it is possible for a malicious user to eavesdrop on a user's identity and password.

An attacker who has previously registered a malicious user as a legitimate user on the cloud server has eavesdropped between the user and the server to check the ID and password and transmits the user's ID and password to perform the user authentication process. It is possible for the code to lead to the infected site, or to conduct malicious actions such as spam mail and text transmission using the user's personal information.

[Table 1] analyzes security vulnerabilities of existing technologies.

O: Provided

X: Failed to provide

Accordingly, the present invention proposes a face recognition based user authentication method that can be used in a smart work environment. The proposed method is a face authentication method using a camera of a smart device, which is mainly used in a smart work environment in which a user can freely access the internal data in real time by using various devices, and can receive services. The authentication scheme proposed in the present invention is divided into a registration step and a login and authentication step. The registration step is performed only once for the first time for secure communication and the security of the user information, and the login and authentication steps are performed each time the server is accessed . The overall proposal technique is represented schematically as shown in FIG. 1 below.

1 is a system configuration diagram for a face recognition based user authentication technique in a smart work environment of the present invention.

Referring to FIG. 1, a client 1 includes a smart device 11 including a camera, and a server 2 includes a face data standard specification system 21.

When the user generates facial data using the camera of the smart device 11 and transmits the facial data to the server 2, the server 2 carries out the user authentication using the algorithm of the facial data standard specification system 21.

1. Data center extraction and specification

In the user authentication technique proposed in the present invention, the face data stored in the first database and the data of various sizes of the data input in the authentication process can be outputted in a predetermined size in order to use the face data, The process of extracting the center is performed.

1-1. Center extraction of face data

In the case of input face data, since the position and size are continuously changed, it is necessary to center the data as a reference for normalizing the size of the face data. Accordingly, in the present invention, the center point of the data on which face data has been normalized is selected. This is shown in FIG.

① The center point of the face is to set the x, y coordinate reference point around the nose.

② Set the X axis around the reference point, and set the Y axis around the set X axis.

③ When the X and Y axes are set, the position of eyes and mouth is determined based on the center of each axis, and the upper and lower sides are distinguished.

After the center of the face data is extracted, the horizontal alignment and specification of the input data are performed.

1-2. Set data specification

When the face data of the user is inputted through the device, the face data of the user inputted to perform the recognition process of the corresponding data is not inputted with a certain size. Therefore, in order to maintain the same size even after new face data is input in the authentication process, a specific criterion is set and the size of the data is constantly generated according to the criterion. The concept of setting face standards is shown in Fig.

In the step of setting the face standard, the face data inputted through the device is relaxed and then standardized to the size of the face data having the same size as the registration process.

2. Image segmentation

The server proceeds with the size specification process of the inputted face data and performs the image segmentation process for use in the authentication process. Image segmentation minimizes data with no feature by applying a grid inside the circular border around the user's face. In addition, the number of image divisions can be selected by the user. An example of the division of face data is shown in Fig.

2-1. Designating Coordinates and Deriving Feature Points

The coordinate designation and feature point derivation is a process of assigning coordinates to an image segmented inside a circular frame. The reference is given coordinates according to the row and column corresponding to the image segmented from the upper left part of the face.

In addition, the server randomly outputs user-selectable feature points and randomly generated false feature points to form candidate feature points, and outputs the selected feature points as shown in FIG. 5 to select desired feature points from the feature point candidates.

3. Definitions

: 사용자 식별자-

: User identifier

: 사용자 패스워드-

: User password

: 사용자 디바이스 식별자-

: User device identifier

: 사용자 디바이스 시리얼넘버-

: User device serial number

: 랜덤넌스 값-

: Randomness value

: 사용자의 얼굴 데이터 -

: User's face data

: 격자가 적용된 얼굴 데이터-

: Face data with grid applied

: 서버의 비밀키-

: Server's secret key

: 사용자가 희망하는 이미지(

)-

: The image you want (

)

:

에서 희망하는 특징점(

)-

:

Desired feature points (

)

: 사용자 로그인 정보-

: User login information

,

: 해시연산, 연접연산-

,

: Hash operation, concatenation operation

: XOR 연산
-

: XOR operation

4. Steps to enroll

When a user transmits basic user information and face data through a secure channel for registration, the server generates a key value through the corresponding data and transmits the key value to the user. The user creates facial data in a department that performs user registration without using network resources to prevent attacks such as eavesdropping and hacking that may occur in the network environment and creates a secure channel by submitting information necessary for user registration .

The registration step is completed when a part of the received data is stored in the user's device and necessary information is transmitted to the server through face recognition. The detailed procedure of the registration step is shown in Fig.

[Step 1] Generate user information, device information, and randomness values for registration.

(1)

(One)

[Step 2] The user generates a password and a serial number verifier by calculating the face data, the password and the serial number of the user with the random number, and transmits the password and the serial number verifier together with the information to the server via the secure channel.

(2)

(2)

(3)

(3)

(4)

(4)

(5)

(5)

[Step 3] The server confirms and stores the user and device information. Then, the key value of the user and the device is generated using the verifier.

(6)

(6)

(7)

(7)

[Step 4] The server performs centralization and normalization of the received facial data, and transmits the facial data together with each key value by applying a lattice.

(8)

(8)

(9)

(9)

를 디바이스에 저장하고, 전송받은 얼굴 데이터에서 희망하는 이미지와 특징점을 선택하여 서버로 전송한다.[Step 5] The user inputs the received key value and the randomness value

To the device, selects the desired image and feature point from the transmitted face data, and transmits the selected image and feature point to the server.

(10)

(10)

(11)

(11)

[Step 6] The server stores the received image and the minutiae and finishes the registration process.

(12)

(12)

5. Login and Authentication Steps

The user creates his / her information, randomness value and facial data for login, and generates a verifier and transmits it to the server. The transmitted server generates an identifier check and a key value to confirm the legitimacy, and compares the face data. Also, facial data with a grid is generated and data is received from the user to confirm the legitimacy of the user. Details of the login and authentication steps are shown in FIG.

[Step 1] The user connects to the server and generates his / her information, device information, and facial data.

(1)

(One)

(2)

(2)

[Step 2] The user creates each verifier, generates parameters necessary for verification, and transmits the parameters to the server. (The parameters generated in [Step 2] are the data generated by XOR operation and hash operation.)

(3)

(3)

(4)

(4)

(5)

(5)

(6)

(6)

(7)

(7)

(8)

(8)

[Step 3] The server generates a key value to confirm the transmitted identifier, and confirms the transmitted identifier. [Step 3] is a step for confirming the transmitted identifier, which generates data using data previously stored in the server, and then confirms whether the identifier matches the transmitted identifier.

(9)

(9)

(10)

(10)

(11)

(11)

(12)

(12)

(13)

(13)

(14)

(14)

[Step 4] The server compares the stored face data with the received face data, and transmits the face data with the additional verifier and the grid to the user. If [Step 4] does not match the verification result, the session is terminated.

(15)

(15)

(16)

(16)

(17)

(17)

(18)

(18)

(19)

(19)

[Step 5] The user generates the additional verifier transmitted using the parameters and compares the values.

(20)

(20)

(21)

(21)

(22)

(22)

(23)

(23)

[Step 6] The desired image and minutiae are selected from the face data to which the grid is applied, and the login information is generated using the key value and transmitted to the server.

(24)

(24)

(25)

(25)

(26)

(26)

(27)

(27)

[Step 7] The server confirms the legitimacy of the login information and decides whether to provide the service using the received login information and the key value. Terminate the session according to the confirmation result and error range.

(28)

(28)

(29)

(29)

(30)

(30)

(31)

(31)

6. Safety and efficiency analysis

6-1. Safety analysis

The proposed method can be summarized as follows [Table 2]. The user authentication scheme proposed in the present invention performs a registration process on a secure channel. A secure channel is formed by directly generating user's face data directly from the department performing user registration in the enterprise and directly submitting user information.

o Integrity: Unlike the authentication method proposed by Lee et al., the user registration process is performed on a secure channel, and parameters required for authentication are stored in the smart card.

를 사용하며, 사용자가 임의로 선택한 랜덤넌스 값

를 기반으로

와 개인이 직접 소지하고 있는 디바이스의 시리얼 넘버

을 XOR연산 및 해시 연산하여 패스워드와 디바이스 검증자

를 인증을 위한 파라미터로 사용하기 때문에 무결성을 보장할 수 있으며, 추가적으로 사용자의 얼굴 데이터

와 사용자가 선택한 이미지

과 특징점

을 사용자인증 과정에서 이용하기 때문에 데이터의 무결성을 보장할 수 있다.
In the login and authentication phase, the user's personal identifier

Is used, and the randomness value arbitrarily selected by the user

Based on

And the serial number of the device that the person directly carries

To XOR operation and hash operation to obtain a password and a device verifier

Is used as a parameter for authentication, integrity can be guaranteed, and furthermore, the user's face data

And user-selected images

And feature points

Is used in the user authentication process, the integrity of the data can be guaranteed.

와 사용자가 선택한 이미지

와 특징점

를 로그인에 필요한 파라미터로 이용하기 때문에 사용자인증에 사용되는 정보들에 대한 기밀성을 보장할 수 있다.
o Confidentiality: All the information required for user authentication is processed in the secure channel in the registration phase. Then, in the login and authentication process, the necessary information is derived from the new values through calculation with other parameters and then the corresponding values are transmitted. Can be guaranteed. In addition, the user selected random value

And user-selected images

And feature points

Is used as a parameter necessary for login, it is possible to ensure the confidentiality of the information used for user authentication.

와

를 기반으로 생성한 검증자를 연산하여

를 생성하고 서버로 전송한다. 서버는 저장된 데이터와 생성된 값을 이용하여 파라미터를 생성하고, 생성한 파라미터와 전송받은 데이터들을 연산하여 인증에 필요한 파라미터를 도출하여 비교한다. 이를 통해 상호간에 전송된 데이터를 확인하고, 같은 사용자, 서버에서 전송된 데이터의 확인이 가능하다.
Mutual authentication: The user and the server send and receive parameters for mutual authentication to determine the legitimacy of the entity. The proposed authentication scheme

Wow

To generate a verifier

And transmits it to the server. The server generates parameters by using the stored data and the generated values, calculates the parameters and the transmitted data, and compares and compares parameters required for authentication. Through this, it is possible to confirm mutually transmitted data, and to confirm data transmitted from the same user and server.

, 사용자의 얼굴 데이터

, 희망하는 얼굴 이미지

, 특징점

는 등록 단계에서 사용자가 직접 등록한 데이터로써 추측하거나 임의로 선택하여 로그인 정보를 생성하는 것이 불가능하다. 또한 검증자와 다양한 파라미터를 이용하여 생성한 데이터들을 상호 인증에 이용하기 때문에 위장공격으로부터 안전하다.
o Camouflage Attack: In the enrollment phase, the user registers the user based on the secure channel, thus protecting the parameters and data from camouflage attacks safely. In addition, in the login and authentication steps, a random number value

, The user's face data

, Desired face image

, Feature points

It is impossible to guess or arbitrarily select as the data directly registered by the user in the registration step to generate login information. In addition, since the data generated by the verifier and various parameters are used for mutual authentication, it is safe from camouflage attacks.

o Eavesdropping: The registration phase of the proposed authentication protocol is performed on a secure channel, and it is impossible for a malicious attacker to intercept or intercept the user's information. In the login and authentication phase, the data transmitted between the user and the server are safe from eavesdropping because their values are not disclosed through computation.

[Table 2] analyzes the safety.

6-2. Efficiency Analysis

와 얼굴 이미지의 분할된 일부분인

, 특징점

를 사용함으로써 이러한 취약점들을 해결하였다. 효율성 분석에 대한 내용을 정리하면 [표 3]과 같이 나타낼 수 있다.
In the authentication protocol proposed in the present invention, four hash operations are performed in the login step, and two XOR operations are required. The authentication process requires four XOR operations on the user side and four hash operations and six XOR operations on the server side. The XOR operation has the advantage of being faster than the exponential operation, but it can be vulnerable to user / server spoofing attacks that may occur due to the characteristics of the XOR operation. In order to solve such a problem, in the present invention, not only an XOR operation but also a hash operation are performed together, and a random-

And part of the face image

, Feature points

To address these vulnerabilities. The efficiency analysis can be summarized as [Table 3].

[Table 3] analyzes the efficiency.

M: Exponentiation, H: Hash operation, S: Symmetric key encryption / decryption, X: XOR operation

In the authentication scheme proposed by Hwang et al., Five symmetric key encryption and decryption processes, four exponential operations and one XOR operation were performed. In the authentication scheme proposed by Khan et al., Nine hash operations and eight XOR operations were performed . The authentication scheme proposed in the present invention performs a total of 8 hash operations and 12 XOR operations. The speed of each cryptographic computation process can be summarized as follows [Table 4].

Among the various encryption methods, we compared RSA 1024 (exponentiation), AES / CTR 256 (symmetric key) and SHA-512 (hash)

The encryption speed comparison was based on the implementation of Microsoft Visual C ++ 2005 SP1 version, and is the result of running on a 32-bit Windows Vista Intel Core 2 1.83GHz CPU.

[Table 4] compares the encryption method speed.

Through the comparison of the computation speeds of the existing user authentication scheme and the proposed scheme through Table 5, it can be seen that the operation speed is not significantly different from that of the conventional scheme.

(In the case of XOR operation, the operation amount of 1.83 GHz is rounded to 2.00 GHz.)

Table 5 compares the continuous speeds.

7. Conclusion

Smart work environment is a representative technology of future oriented IT service that provides convenience and flexibility based on various devices and communication infrastructure.

Many companies are adopting smart work environment because of cost reduction, productivity improvement and convenience enhancement for business facility construction. However, there is a possibility that malicious code can be infected through the loss of terminal or users' various connection environments, and malicious behavior due to infected malicious code can cause security incidents such as personal information leakage. Therefore, proper user authentication process for users of smart work environment that access internal resources in the external environment of the enterprise is essential.

In the present invention, an authentication method using face data of a user is proposed to authenticate a user to a large number of smart work users accessing an internal resource based on a network outside the enterprise. Since the proposed method uses unique facial data of many SmartWalk users and image and feature points selected by the user, users who do not perform the accurate user authentication process can be blocked in advance. In addition, malicious internal users can be traced to sensitive information exposures, which can greatly enhance security in the field of user authentication.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the invention.

1: Client
11: Smart Devices
2: Server
21: Facial data standard specification system

Claims (4)

delete When a device generates a validator by calculating registration information including facial data with a random value and transmits the validator to a server, the server generates a key value of the user and the device using the validator, A registration step of transmitting the key value to the device after performing specification, and designating a minutiae point of the face data between the device and the server; And
The server compares the face data transmitted from the device with the face data stored in advance and transmits an additional verifier to the device, the device compares the additional verifier, and transmits the login information including the minutiae of the face data and the key value And a login and authentication step of transmitting the authentication information to the server and confirming the legitimacy of the server using the login information and the key value,
Wherein the registering step comprises:
The device generating user information, device information, and randomness values;
Generating a password and a serial number verifier by computing the face data, the password and the serial number with the random number, and transmitting the user and the information to the server via the specific channel together with the information;
The server generating a key value of a user and a device using the serial number verifier;
The server performs center setting and specification of the face data, applies a grid to the face data, and transmits the face data together with each key value to the device;
Storing a key value and a random value received by the device, selecting a desired image and feature point from the transmitted face data, and transmitting the selected image and feature point to the server; And
And storing the image and the minutiae received by the server.
When a device generates a validator by calculating registration information including facial data with a random value and transmits the validator to a server, the server generates a key value of the user and the device using the validator, A registration step of transmitting the key value to the device after performing specification, and designating a minutiae point of the face data between the device and the server; And
The server compares the face data transmitted from the device with the face data stored in advance and transmits an additional verifier to the device, the device compares the additional verifier, and transmits the login information including the minutiae of the face data and the key value And a login and authentication step of transmitting the authentication information to the server and confirming the legitimacy of the server using the login information and the key value,
Wherein the login and authentication step comprises:
The device generating user information and device information and face data;
Generating, by the device, respective verifiers, generating parameters necessary for verification, and transmitting the generated parameters to the server;
Generating a key value from the data stored in the server and confirming an identifier;
Comparing the facial data stored in advance by the server with the received facial data, and transmitting facial data to the device, the facial data including an additional verifier and a grid;
The device generating the additional verifier using the parameter, and comparing the generated additional verifier with the transmitted additional verifier;
The device selecting desired images and feature points from the face data to which the grid is applied, generating login information through the key value, and transmitting the login information to the server; And
And authenticating the login information using the login information and the key value transmitted from the server.
The method according to claim 2 or 3,
The grid is applied inside a circular rim of the face, divided into a set number, and each divided image is given coordinates;
Wherein the server is configured to generate a feature point candidate by randomly outputting selectable feature points and randomly generated false feature points and to transmit facial data to the device so that the user can select desired feature points from the feature point candidates Face Recognition Based User Authentication Technique.

Images