KR101574169B1 - Method for authentication using user apparatus, digital system, and authentication system thereof - Google Patents

Abstract

A user authentication method using a user device, a digital system therefor, and an authentication system are disclosed. The authentication method using the user device includes the steps of: a digital system performing communication with a predetermined user device for authenticating the user; and receiving, via the communication, the device one-time information generated by the user device Transmitting an acknowledgment signal including the device one-time information to an authentication system, or generating the terminal one-time information and transmitting an acknowledgment signal including the generated one-time information to the authentication system, An authentication confirmation procedure is performed in which the device one-time information or the terminal one-time information included in the transmitted confirmation signal is authenticated by the system, and if the authentication confirmation procedure is successful, a predetermined data processing apparatus or the digital system, Or the authentication system Wherein the terminal's one-time information or the device one-time information is generated based on a server creation key generated by the authentication system and transmitted to the digital system or the user device And is generated by the digital system or the user device.

Description

Technical Field [0001] The present invention relates to a user authentication method using a user device, a digital system for the same, and an authentication system using the same,

The present invention relates to a user authentication method using a user device, a digital system and an authentication system therefor, and more particularly to a digital authentication system and a user authentication method using a user who wants to use various services (for example, financial transactions such as login, Authentication method and system using the user device and the digital system (e.g., mobile terminal) when the user authentication is to be performed.

In particular, the authentication system generates a server generation key, the generated server generation key is transmitted to the digital system, and the digital system generates authentication information using the transmitted server generation key and the identification information of the user apparatus, To the authentication system again, thereby providing a secure, simple and highly secure authentication method and system thereof.

Conventional technology related to identity authentication has traditionally used identity and password authentication. However, such a conventional authentication method has a problem that it is difficult to perform a normal authentication function when an ID and a password are leaked. To complement this, various authentication schemes have appeared.

For example, there are authentication of the mobile phone itself, authentication by a user using an authorized certificate, authentication using an OTP, authentication of an i-PIN (Internet Personal Identification Number), or authentication using a credit card.

Authorized certificate authentication is an authentication protocol with a relatively high security level, but it is not easy to carry the authorized certificate stably and there are disadvantages such as complicated authentication process. In addition, the public certificate has also recently been leaked in large quantities, thus posing a problem of safety.

The i-PIN is a method of authenticating the user by using a virtual identification number used on the Internet. The user must know a new identification number in advance, and it is difficult to perform a normal authentication function once an exposure is performed as in an ID password method There are constraints.

In addition, the authentication of the mobile phone itself is problematic in that it is susceptible to smsing and the like by a method of authenticating occupation of the mobile phone by using the authentication number.

Also, since all of these conventional technologies are a method of inputting a password (certificate password, I-PIN password) or an authentication number, if a password or an authentication number is exposed to another person, the authentication of the user is inevitable. There is a high risk of exposure to hacking.

In addition, in the case of authentication using the OTP, the user can authenticate only when the user has the OTP client (OTP token). Also, the user is required to generate the OTP through the OTP client, There is a presence.

Accordingly, a technical idea that can provide a highly secure personal authentication protocol while maintaining convenience compared with conventional authentication technologies is required along with a payment protocol.

In addition, online crime becomes more intelligent and frequent as online financial transactions become more active, so the need for 2-channel authentication is increasing. Technological thinking is required to enable users to easily perform authentication while enabling 2-channel authentication.

In this case, the authentication request and the authentication action to be performed by a legitimate user can be separated so that the authentication request and the authentication request are authenticated, so that the information necessary for authentication can be easily exposed to the other person. A technical idea that allows the use of the service without requiring the service is required.

In order to use conventional one-time information (e.g., OTP), a client (e.g., OTP token) and an authentication side (e.g., OTP authentication server) , And time information). Especially, in order to generate one-time information through the time synchronization method which is widely used recently, time synchronization between the client and the authentication side is very important. In order to synchronize the time, the client side must be able to confirm the time. However, according to the technical idea of the present invention, the user device (e.g., a smart card or the like) may not have a timer. Even if a timer is provided in a user device or a digital system, it may be difficult to substantially synchronize the time with the timer of the user device and the authentication side (e.g., authentication system).

Korean Patent Application Publication No. 10-2013-0029983 "Method, apparatus and recording medium for authentication processing using local area communication"

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a digital system and a user device which are highly likely to be carried by a user. In addition, the present invention provides a two-channel personal authentication, a long-term personal authentication, or a technical idea enabling a third party to easily perform a personal authentication for allowing a legitimate user to provide a service.

In addition, since authentication can be performed using one-time information (e.g., OTP), it is necessary to have a separate one-time information generating device (e.g., OTP client) for generating one-time information It is to provide a technical idea that can carry out the simple and secure self-certification without.

In addition, the generation of the one-time information can be performed through a digital system or a user device (e.g., a smart card or the like) carried by the user, so that the risk that authentication due to illegal copying of the digital system or the user device can be performed And to provide technological ideas that can be significantly lowered.

In addition, the digital system transmits an acknowledgment signal including the one-time information only when the digital system communicates with the user equipment, thereby providing a higher level of security.

Also, even when the payment card is used for authentication of the user, the settlement financial information (for example, the card number, the expiration date, the CVC, etc.) may not be circulated on the network and even if the outflow of information occurs due to an attack, It is to provide a technical idea about the authentication method which can provide high security by reducing the risk of leakage of financial information.

In addition, it does not require a process of providing the user with the one-time information while inputting the one-time information, thereby providing the user with the technical idea of authentication of the user, which is robust against attacks through key logging .

Further, the digital system or the user apparatus generates authentication information including one-time information using a server generation key (e.g., a random number value, a time value, or OTP) generated in the authentication side This is to provide a high authentication method. The present invention provides a technical idea that can use the server generation key even when one-time information is generated by a user apparatus that can not directly communicate with the authentication side.

Further, even if the digital system or the user apparatus does not generate the one-time information using the server generation key, the digital system generates the authentication information including the server generation key and the terminal identification information of the digital system or the device identification information of the user apparatus , The digital system can generate authentication information capable of authenticating both the digital system or the user device and the server generation key by using the terminal identification information or the device identification information and the server generation key, .

In particular, the authentication system may store the terminal identification information or the device identification information itself to authenticate the digital system or the user device, but may be determined based on the terminal identification information or the device identification information without storing the terminal identification information or the device identification information itself It is possible to authenticate the digital system and the user device by storing the predetermined medium specific information (e.g., the terminal identification information and the hash value using the device identification information), and even if the authentication system is attacked, To provide an authentication scheme in which device identification information may not be exposed.

In addition, although the digital system may simply include the server generation key and at least the terminal identification information and / or the device identification information in the authentication information for authentication, the media identification information (e.g., the hash value ), And generates authentication information (e.g., medium specific information and a hash value of the server generation key) based on the generated medium specific information (e.g., the terminal identification information and the hash value of the apparatus identification information) , The server generation key, the device identification information, and / or the terminal identification information may not be exposed even when the authentication information is leaked due to an attack of the network. Also, the authentication system may use the server generated key transmitted by itself and the medium unique information stored therein, without restoring or extracting the server generated key, device identification information, and terminal identification information from the authentication information for the authentication check procedure The authentication verification information can be generated by simply comparing the authentication information received from the digital system with the authentication information received from the digital system, thereby providing an authentication method in which a simple authentication procedure can be performed.

The present invention also provides a technical idea that allows a digital system and / or a user device to be used for an authentication operation to be predetermined and perform authentication of the user only through the digital system and / or the user device.

In addition, a digital system to be used for the authentication operation and a user apparatus that is paired with the digital system are set in advance, and authentication is successful only when communication (for example, contact or non-contact type) So as to provide a technical idea capable of providing a synergistic effect of remarkable security.

In addition, in the case of conducting a financial transaction using a predetermined data processing apparatus or a digital system, account identification information of a predetermined receiving account is included in information for performing authentication of the principal, so that an authentication step and a financial settlement step ), It is possible to provide a technical idea that can fundamentally control the smoothing and the memory hacking that may occur due to the distinction between them.

According to another aspect of the present invention, there is provided a method for authenticating a user using a user device, the method comprising: a digital system communicating with a predetermined user device for authenticating the user; And generates an acknowledgment signal including at least one of the device identification information of the user apparatus and the terminal identification information of the digital system received via the communication and the authentication information based on the received server generated key, Transmitting a signal to the authentication system, wherein an authentication confirmation procedure is performed in which the authentication information included in the confirmation signal transmitted by the authentication system is authenticated, and if the authentication confirmation procedure is successful, From the digital system, the authentication system or the authentication Wherein the authentication request is successfully processed in response to an authentication request output to a service system connected to the system, wherein the authentication information includes at least one of media confirmation information previously stored in the authentication system, System and / or the user device, and is successful if the authentication system corresponds to the server generation key transmitted to the digital system.

Wherein the authentication method using the user device includes a step of transmitting the authentication request information output by the authentication system that has received the authentication request including identification information of the digital system output from the data processing device to the data processing apparatus or the digital system Wherein when the authentication action request information is displayed, the digital system can perform the communication with the user device.

The method for authenticating a user using the user device further includes receiving, by the digital system, authentication action request information output from the data processing apparatus that receives the identification information of the digital system. When the authentication action request information is received The digital system may perform the communication with the user equipment.

Wherein the step of transmitting the confirmation signal to the authentication system comprises generating the authentication information including the server generation key, the terminal identification information, and the device identification information received by the digital system, And transmitting the signal to the authentication system, wherein the authentication confirmation procedure includes the media identification information stored in advance in the authentication system, and the medium identification information is information stored such that the terminal identification information and the device identification information correspond to each other, May include a step of determining whether the server generation key corresponding to the terminal identification information and the device identification information included in the authentication information and transmitted by the authentication system corresponds to a server generation key included in the authentication information have.

Wherein the step of transmitting the confirmation signal to the authentication system comprises generating the authentication information including the server generation key and the device identification information received by the digital system, Wherein the authentication confirmation process is performed by the media identification information stored in advance in the authentication system, and the medium identification information is information in which the device identification information is stored, the device identification information included in the authentication information, And determining whether the server generation key transmitted by the authentication system corresponds to a server generation key included in the authentication information.

Wherein the step of transmitting the confirmation signal to the authentication system comprises the steps of: generating the medium-specific information in which the digital system is determined based on at least the device identification information, and determining, based on the generated medium- Generating the authentication information, and transmitting the confirmation signal including the generated authentication information to the authentication system, wherein the authentication confirmation process includes: the media confirmation information stored in advance in the authentication system; Wherein the authentication information generating unit generates authentication authentication information based on at least the server unique information transmitted from the authentication system and the medium unique information determined based on the device identification information, Includes a step of determining whether or not the authentication information .

The medium specific information is a hash value generated based on at least the device identification information, and the authentication information is a hash value generated based on the medium unique information and the server generation key.

Wherein the digital authentication system generates the authentication information based on the account identification information of the receiving account, and the authentication method uses the account identification information of the receiving account, And transmitting the confirmation signal including the generated authentication information to the authentication system, wherein the authentication information based on the account identification information is authenticated by the authentication system so that a financial transaction targeting the receiving account is performed Is controlled.

The user device is a payment IC card, and the device identification information is identification information unique to the user device, not payment financial information of the payment IC card.

The user authentication method using the user device further includes a step of determining whether the digital system is a preconfigured pair so that the user equipment corresponds to the digital system and if the determination result indicates that the user equipment is a preset pair, To the authentication system.

A method for solving the above technical problem is characterized in that the authentication system transmits a server generation key to a digital system, the authentication system receives authentication information from the digital system, Receiving at least one of device identification information of the user equipment or terminal identification information of the digital system received through the communication and information generated based on the server generation key, The system comprising: performing an authentication verification procedure for authenticating the authentication information included in the received confirmation signal; and transmitting, from the predetermined data processing apparatus or the digital system, the authentication system or the authentication system Successful authentication request output to the service system Wherein the step of performing the authentication checking step comprises the steps of: the authentication system judges whether the authentication information is media check information previously stored in the authentication system, and the media check information is information indicating whether the digital system or the user And determining whether at least one of the devices is information that can identify at least one of the devices and the server generated key transmitted to the digital system.

Wherein the authentication information is information including the server creation key, the terminal identification information, and the device identification information transmitted to the digital system, the media identification information pre-stored in the authentication system, and the server creation key The medium identification information stored in advance in the authentication system, and the medium identification information is information stored so that the terminal identification information and the device identification information correspond to each other, And determining whether the server generation key transmitted by the authentication system corresponds to a server generation key included in the authentication information, corresponding to the terminal identification information and the device identification information.

The authentication information is information including the server generation key and the device identification information transmitted to the digital system, and determines whether the authentication information corresponds to the medium identification information previously stored in the authentication system and the server generation key transmitted to the digital system Wherein the authentication system corresponds to the device identification information included in the authentication information, the medium identification information stored in advance in the authentication system, the medium identification information being information on which the device identification information is stored, And determining whether the server generated key corresponding to the server generated key corresponds to the server generated key included in the authentication information.

Wherein the authentication information is information that is generated by the digital system based on at least the medium identification information determined based on the device identification information and is determined based on the generated medium identification information and the received server generation key, Determining whether the media identification information stored in advance in the authentication system corresponds to the media identification information stored in advance in the authentication system and the server generation key transmitted to the digital system, And generating authentication authentication information based on the server generation key transmitted by the authentication system, and a step of generating authentication authentication information based on the authentication information received from the digital system Determines whether or not it corresponds to the authentication authentication information Step < / RTI >

Wherein the authentication method using the user device is used for authentication of a user at the time of a financial transaction in which a receiving account exists, the authentication information is information generated based on the account identification information of the receiving account, Wherein the authentication system determines whether the authentication information is authenticated by further determining whether the authentication information corresponds to the account identification information, and the authentication system determines whether the authentication information based on the account identification information is authenticated The financial transaction for the receiving account is performed.

Methods for solving the above technical problems may be implemented by a recorded computer program installed in a data processing apparatus, and a recording medium on which the computer program is recorded may be provided.

According to an aspect of the present invention, there is provided a digital system including a user device communication module for performing communication with a predetermined user device for authentication, a communication module for receiving a server generation key from the authentication system, A control module for generating an acknowledgment signal including at least one of device identification information of the device or terminal identification information of the digital system and authentication information based on the received server generated key and transmitting the generated acknowledgment signal to the authentication system An authentication confirmation process is performed in which authentication information included in the confirmation signal transmitted by the authentication system is authenticated, and if the authentication confirmation process is successful, the authentication system or the authentication Output to the service system connected to the system The authentication request is successfully processed, and the authentication information includes at least one of media identification information previously stored in the authentication system, the media identification information indicating at least one of the digital system or the user device participating in the communication And - if the authentication system corresponds to the server generated key sent to the digital system.

The control module generates the authentication information including the received server creation key, the terminal identification information, and the device identification information, transmits the confirmation signal including the authentication information to the authentication system, Wherein the medium identification information stored in advance in the authentication system, the medium identification information being information that the terminal identification information and the device identification information correspond to each other, corresponds to the terminal identification information and the device identification information included in the authentication information And determining whether the server generation key transmitted by the authentication system corresponds to a server generation key included in the authentication information.

Wherein the control module generates the authentication information including the received server generation key and the device identification information and transmits the confirmation signal including the authentication information to the authentication system, Wherein the medium identification information stored in advance is information on which the device identification information is stored corresponds to the device identification information included in the authentication information and the server generation key transmitted by the authentication system is the authentication And a procedure for judging whether or not it corresponds to a server generation key included in the information.

Wherein the control module generates medium specific information determined based on at least the device identification information, generates the authentication information determined based on the generated medium specific information and the server generated key received, Wherein the media identification information stored in advance in the authentication system, the media identification information being determined based on at least device identification information, the media identification information being stored And generating a verification authentication information based on the server generation key transmitted by the authentication system and determining whether or not the authentication information received from the digital system corresponds to the authentication authentication information .

The control module determines whether the user equipment is a preset pair corresponding to the digital system, and transmits the confirmation signal to the authentication system if the user equipment is a predetermined pair.

Wherein the control module generates the authentication information based on the account identification information of the receiving account for authentication of the user at the time of a financial transaction in which a receiving account exists and the authentication information based on the account identification information The financial transaction to be performed on the receiving account is controlled to be performed.

According to an aspect of the present invention, there is provided an authentication system including an authentication unit for generating a server generation key to be transmitted to a digital system and performing an authentication procedure for authenticating authentication information included in an acknowledgment signal received from the digital system, To the digital system, wherein the authentication information from the digital system, the authentication information, when the digital system communicates with a predetermined user device for authenticating the user, the device identification of the user device Information generated based on the server creation key and at least one of the terminal identification information of the digital system and information generated based on the server generation key, Connection with the system or the authentication system Wherein the authentication unit determines that the authentication information is the media identification information stored in advance in the authentication system, and the medium identification information is information indicating whether the digital system or the user apparatus participating in the communication And the server generation key transmitted to the digital system.

Wherein the authentication information is information including the server generation key, the terminal identification information, and the device identification information transmitted to the digital system, and the authentication unit transmits the medium identification information stored in advance in the authentication system, The terminal identification information and the device identification information correspond to the terminal identification information and the device identification information included in the authentication information, and the server generation key transmitted by the authentication system is included in the authentication information It is possible to determine whether or not it corresponds to the server creation key.

Wherein the authentication information is information including the server generation key and the device identification information transmitted to the digital system, and the authentication unit stores the medium identification information, which is stored in advance in the authentication system, Information on the server generated key corresponds to the device identification information included in the authentication information and whether the server generation key transmitted by the authentication system corresponds to a server generation key included in the authentication information.

Wherein the authentication information is information that is generated by the digital system based on at least the medium identification information determined based on the device identification information and is determined based on the generated medium identification information and the received server generation key, Wherein the medium identification information stored in advance in the authentication system, the medium identification information is information in which the medium specific information determined based on at least the device identification information is stored, and the server identification key transmitted by the authentication system And determine whether or not the authentication information received from the digital system corresponds to the authentication authentication information.

Wherein the authentication information is information generated based on the account identification information of the receiving account at the time of a financial transaction in which the receiving account exists, the authentication unit further determines whether the authentication information corresponds to the account identification information The authentication system determines whether the authentication information is authenticated, and the authentication system can perform a financial transaction for the receiving account only if the authentication information based on the account identification information is authenticated.

According to the technical idea of the present invention, there is an effect of providing high security and simplicity by performing self-authentication by using two independent objects of a digital system and a user device, both of which are highly likely to be carried by a user and are familiar.

In other words, the authentication request is performed by a data processing apparatus that is separate from the digital system, and the authentication operation is performed through the digital system, It is possible to perform a two-channel authentication, a remote authentication, or a third party authentication by a legitimate user with high security because it can be carried out elsewhere or by another person different from the authentication requestor.

In addition, there is no need for a user to have a device for separate one-time information (e.g., OTP, etc.), and a user device (e.g., IC card, traffic card, electronic ID card, etc.) It is possible to increase both the security and the convenience of the user.

The present invention also provides a highly secure authentication method using a server creation key (for example, a random number value, a server time value, etc.) generated by an authentication side (e.g., an authentication system). In particular, in the case of using the server generation key, the authentication side and the client side must be able to communicate with each other. According to the technical idea of the present invention, communication with the authentication side is performed via the digital system capable of performing communication with the authentication side. There is an effect that authentication can be performed also by a user apparatus that can not be performed. That is, it is necessary to carry two authentication tools of digital system and user device that the user generally possesses, so that authentication can be successful, but at least one of the authentication tools (for example, IC card or the like) It is possible to perform authentication using one-time information. Also, even when the user device can not communicate with the authentication side among the authentication tools, the authentication can be performed through the digital system as the remaining authentication tool.

In addition, it does not require the user to input the information while using the one-time information, so that the user is not exposed to the hacking of the key input method such as the key logging as well as the convenience of the user authentication.

In addition, since the digital system to be used for authentication of the user can be preset and specified, it has the effect of having a strong characteristic against attack such as smishing or man in the middle attack. Online crime can be actively blocked.

In particular, the authentication system may store the terminal identification information or the device identification information itself to authenticate the digital system or the user device, but may be determined based on the terminal identification information or the device identification information without the terminal identification information or the device identification information itself (E.g., hash value using device identification information and device identification information). In this case, even if the authentication system attacks, the terminal identification information and / or the device identification information of the user are not exposed There is a safe effect.

Also, in the authentication information for authentication, the digital system may simply include a server creation key and at least device identification information (in addition to the device identification information, information about an object to be authenticated may be included in the authentication information. (For example, account information to be remitted) may be included according to the kind of service (for example, account transfer) to be authenticated. However, the digital system and the user (E.g., a hash value) based on information about each device (e.g., terminal identification information and device identification information), and generates medium specific information (e.g., hash of terminal identification information and device identification information (For example, medium specific information and a hash value of a server generated key) based on the server generated key There is an effect that the server creation key, the device identification information, and / or the terminal identification information may not be exposed even when the authentication information is leaked by an attack of the network. Also, the authentication system may use the server generated key transmitted by itself and the medium unique information stored therein, without restoring or extracting the server generated key, device identification information, and terminal identification information from the authentication information for the authentication check procedure The authentication verification information can be generated and compared with the authentication information simply received from the digital system, the authentication verification procedure can be performed, so that a simple authentication procedure can be performed.

In addition, since a user apparatus constituting a pair (pair) with the digital system can be set in advance, it is possible to set up a pair of apparatuses without having all the apparatuses constituting the pair (that is, The apparatus can not be normally authenticated), thereby remarkably improving the security.

In addition, when the financial transaction is performed using a predetermined data processing apparatus or a digital system, the account identification information of a predetermined receiving account is included in the information for performing authentication of the principal, so that it is possible to fundamentally block the transfer of the account outside the legitimate account, Hacking can be fundamentally blocked.

In addition, in the case of conducting a financial transaction using a predetermined data processing apparatus or a digital system, account identification information of a predetermined receiving account is included in information for performing authentication of the principal, so that an authentication step and a financial settlement step ) Can be prevented by preventing the smashing that may occur. In addition, there is a side effect that the transference account is displayed when the customer conducts the smsing and performs the authentication, thereby enhancing the customer's vigilance.

BRIEF DESCRIPTION OF THE DRAWINGS A brief description of each drawing is provided to more fully understand the drawings recited in the description of the invention.
Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.
2 shows a schematic configuration of a digital system according to an embodiment of the present invention.
3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.
4 shows a schematic data flow of authentication of a user using a user device according to an embodiment of the present invention.
FIG. 5 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
6 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
7 is a diagram for explaining a process of an authentication system performing an authentication procedure according to an embodiment of the present invention.
8 is a diagram for explaining a process in which a digital system transmits an acknowledgment signal according to an embodiment of the present invention.
FIG. 9 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
10 is a diagram for explaining an example in which the authentication method according to the embodiment of the present invention is applied to account transfer (remittance).
11 shows an example of medium identification information that can be stored in an authentication system to implement the technical idea of the present invention.

In order to fully understand the present invention, operational advantages of the present invention, and objects achieved by the practice of the present invention, reference should be made to the accompanying drawings and the accompanying drawings which illustrate preferred embodiments of the present invention.

Also, in this specification, when any one element 'transmits' data to another element, the element may transmit the data directly to the other element, or may be transmitted through at least one other element And may transmit the data to the other component. Conversely, when one element 'directly transmits' data to another element, it means that the data is transmitted to the other element without passing through another element in the element.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.

Referring to FIG. 1, a digital system 100, an authentication system 200, and a user device 300 may be provided to implement a user authentication method using a user device according to an embodiment of the present invention. Depending on the implementation, a predetermined data processing apparatus 400 may be further provided. Further, a service system 500 connected to the authentication system 200 and capable of providing a predetermined service to the digital system 100 and / or the data processing apparatus 400 may be further provided.

The digital system 100 can implement the technical idea of the present invention while transmitting and receiving necessary information through the wired / wireless network with the authentication system 200. The digital system 100 may acquire information (e.g., device identification information) necessary for the technical idea of the present invention from the user device 300 by communicating with the user device 300. In addition, according to an embodiment, the digital system 100 communicates with the user device 300 so that the user device 300 can access information necessary for the technical idea of the present invention (e.g., by the authentication system 200) Generated server creation key, etc.).

The digital system 100 may perform contact or non-contact communication with the user device 300. For example, the user device 300 may be implemented as a smart card, an IC card, or a transportation card capable of performing contact or non-contact communication with the digital system 100. In particular, the user device 300 may be a payment IC card (e.g., a credit card, a check card, etc.).

According to another embodiment, the user device 300 has its own identification information as the device owned by the user, and any type of device capable of communicating with the digital system 100 is possible. For example, the user device 300 may be a device capable of proving an identity (e.g., an electronic identification card), a communicable OTP device, or a user's mobile phone separate from the digital system 100.

Hereinafter, for convenience of description, the user device 300 will be described as a payment IC card, but the scope of the present invention is not limited thereto. Although the digital system 100 and the user device 300 perform short-range wireless communication (e.g., NFC communication, blues, etc.), the scope of the present invention is not limited thereto.

The digital system 100 may perform short-range wireless communication with the user device 300. [ To this end, the user may tag the digital system 100 and the user device 300.

In this specification, tagging refers to the case where the digital system 100 and the user device 300 are located within a certain distance (for example, 10 cm or less when the NFC communication is used) in order to carry out contactless communication such as RFID communication and NFC communication. Or the like). The user can perform tagging by bringing the digital system 100 or the user device 300 into a predetermined distance to the user device 300 or the digital system 100. [

If the user device 300 is a payment card, the user device 300 may be a financial transaction means. The user device 300 may include a predetermined communication device (e.g., an RF antenna, an RF tag, and the like) to perform tagging communication with the digital system 100. [ In addition, the user device 300 may further include a storage device in which information necessary for realizing the technical idea of the present invention can be stored. For example, the user device 300 may be implemented as an IC card having an IC chip or various types of smart cards. Of course, the user device 300 may be an apparatus that can not independently perform financial transactions as described above. Even if the user device 300 is not a financial transaction device, according to the technical idea of the present invention, a user device 300 (e.g., an ID, a mobile phone separate from the digital system 100) Etc.) can be used to easily perform authentication of the user. For example, since the user can easily perform the identity authentication only by the tagging operation of the digital system 100 and the user device 300, the user can input the ID / password, select the authorized certificate, As compared with the conventional complicated authentication process, it is possible to perform the self-authentication with high security, which is much simpler.

Of course, another conventional authentication method (for example, authentication using an authorized certificate, etc.) may be performed before or after the authentication of the user according to the technical idea of the present invention is performed for higher security. It goes without saying that higher security can be provided when such dual security authentication is performed.

According to one embodiment, the user device 300 may generate certain one-time information, which is to define the one-time information generated by the user device 300 as 'device one-time information'. The one-time information generated by the digital system 100 is defined as terminal one-time information. The one-time information used to implement the technical idea of the present invention may be device one-time information or terminal one-time information. The device one-time information and the terminal one-time information may be the same or similar to each other only in the generation of one-time information.

For example, when the user device 300 is a payment card, when the card is tagged with the digital system 100, the card is supplied with power through electromagnetic induction, and through the IC chip mounted on the card, One-time information can be generated. The processor included in the IC chip may generate the device one-time information when power is supplied through the communication with the digital system 100, and may enable the digital system 100 to read the generated device one-time information . Of course, at this time, the digital system 100 may be required to be an authorized system capable of reading the device one-time information. For this purpose, authenticated software capable of reading the device one-time information can be installed in the digital system 100.

Meanwhile, the device one-time information may be information generated by using a server generation key generated by the authentication system 200 as an input value of a predetermined algorithm capable of generating one-time information. The server creation key may be communicated from the authentication system 200 to the user device 300 through the digital system 100. For example, when the digital system 100 and the user device 300 perform an authentication operation for communicating with each other, the digital system 100 transmits the server generation key received from the authentication system 200 to the user device 300, . Then, the user device 300 can generate the one-time information using the received server generation key as an input value (key or seed).

The server creation key may be a random number value generated by the authentication system 200 or an OTP. In this case, the user device 300 may generate the one-time information using the random number value.

The method of generating the one-time information by the user device 300 using the server creation key may be such that the user device 300 generates one-time information even when the timer for using the time synchronization method is not provided, It is possible to easily judge whether the information is authentic or not. In addition, even when using the user device 300 equipped with the timer, it may be very difficult to synchronize the time of the user device 300 and the authentication system 200 on a user-by-user basis. In addition, the system can cope with various types of online attacks through the digital system 100. Also, it is possible to easily generate the one-time information even if the user device (e.g., IC card 300) possessed by the user is used instead of the OTP client specially designed for generating the one-time information.

Meanwhile, the method using the server generation key such as the technical idea of the present invention can be compared with the conventional challenge response method. In order to use the conventional challenge server method, the client must be able to communicate with the authentication system 200 do. However, according to the technical idea of the present invention, it is possible to generate the device one-time information in a similar manner to the challenge response method using the user device 300 that can not directly communicate with the authentication system 200. This is because, in order to authenticate through the technical idea of the present invention, the user must perform an authentication operation communicating the digital system 100 and the user device 300, that is, two authentication tools, (200). ≪ / RTI >

The user device 300 can communicate with the digital system 100 and the digital system 100 can communicate with the authentication system 200 according to the technical concept of the present invention, May obtain a server generation key from the authentication system 200 and use it to generate device one-time information. Of course, in addition to the server creation key, the identification information of the user device 300 may be further used as an input value (key or seed) for generating device one-time information. Various one-time information generation algorithms for generating one-time information using a predetermined input value, that is, a fixed value such as the server generated key (e.g., a random number value) and / or a device Therefore, a detailed description thereof will be omitted.

Then, the authentication system 200 generates the server one-time information using the server generation key, and determines whether the generated server one-time information corresponds to the device one-time information included in the confirmation signal, can do.

According to another embodiment, the device one-time information is not generated in a manner similar to the challenge response method, that is, not the one-time information newly generated as the input value of the predetermined one-time information generation algorithm, Or may be information encrypted with a predetermined encryption key. In this case, the authentication system 200 may authenticate the user device 300 by decrypting the device one-time information and determining whether the decrypted result corresponds to the server generation key. At this time, the user device 300 and the authentication system 200 may use a symmetric key or an asymmetric key (e.g., PKI, etc.).

According to another embodiment, the one-time information may simply include the server creation key and information about an object to be authenticated. The subject to be authenticated may be user device 300 or digital system 100, depending on the embodiment. Further, information on an additional service authentication object (for example, an account to be remitted) necessary for the service (for example, identification information of an account to be remitted) may be further included depending on the type of the service to be authenticated. Therefore, if the user to be authenticated is the user device 300, the one-time information may simply include identification information of the user device 300, that is, device identification information. If the authentication target is the user device 300 and the digital system 100, the device identification information and the terminal identification information may be included in the authentication information together with the server creation key. According to an embodiment, information on an additional service authentication object (for example, identification information of an account to be remitted) may be included in the server generation key.

In particular, when the authentication method according to the technical idea of the present invention is applied to the account transfer service, which is an object of authentication, identification information of an account to be remitted may be included in the authentication information as information on a service authentication object. It is important to authenticate the account to be remitted, so that the service authentication object can be the service authentication object. Therefore, unauthorized attacks such as a method of replacing the remittance account with an account desired by the attacker can be prevented when the user successfully authenticates after inputting the remittance account for the transfer, such as the conventional memory hacking, You can send money only to the account you want to transfer. It goes without saying that the type of service authentication object that can be included in the authentication information may vary according to the service. Such an example will be described later in Fig.

As a result, the one-time information may simply include the server creation key and information about the authentication object (e.g., device identification information, terminal identification information, and / or additional service authentication objects necessary for the service).

For example, the one-time information may be information including any one of a server generation key and device identification information or terminal identification information, which is identification information of the user device 300. Or the information including the server creation key, the device identification information, and the terminal identification information, which is identification information of the digital system 100. Or the information including the server creation key and the device identification information and / or the terminal identification information and the information about the service authentication object. Of course, this one-time information may be encrypted. When only the server creation key and the device identification information are included in the one-time information, the authentication system 200 may separately acquire the terminal identification information through communication with the digital system 100 and authenticate the terminal identification information based on the previously stored medium identification information have.

In this case, the device one-time information is transmitted to the authentication system 200 through the digital system 100, and the authentication system 200 transmits the server generation key included in the device one-time information to the digital system 100 And determines whether or not the device identification information and / or the terminal identification information previously registered in the authentication system 200 and the device identification information and / or the terminal identification information included in the device one-time information correspond to each other Authentication may be performed. Of course, when the service authentication target is further included in the authentication information, it may be further determined whether the information about the service authentication object stored in advance in the authentication system 200 corresponds to the information about the service authentication object included in the authentication information have.

According to the embodiment, the information on the authentication target (for example, the device identification information and / or the terminal identification information and / or the information on the service authentication target) itself is not included in the device one-time information, A predetermined determination value determined based on information on an authentication object may be included in the authentication information.

The determination value may be a value determined by an algorithm for outputting a specific value when one piece of information or a plurality of pieces of information is input, and the determination value may be information different from the input information. The determination value may have the same value when the same information is input. Of course, the reverse may not hold. A typical algorithm for calculating such a decision value may be, but is not necessarily limited to, a hash algorithm. It goes without saying that a plurality of pieces of information may be combined in a predetermined manner and then inputted to an algorithm for determining the determined value in order to determine a determined value based on a plurality of pieces of information.

Therefore, the one-time information may include a server creation key and information about at least one authentication object, and the one-time information may include a determination value that is determined based on the server generation key and the information about the at least one authentication object have. According to an embodiment, a first determination value is determined based on the information about the at least one authentication subject, and a second determination value may be determined based on the first determination value and the server generation key. In this case, the authentication information may be the second decision value itself or information including the second decision value.

For example, the one-time information may include a determination value determined based on the server generation key and the device identification information and / or the terminal identification information, that is, the medium specific information. The media specific information may be unique information that is determined by the media participating in the user's authentication behavior (i.e., communication between the digital system 100 and the user device 300). According to an example, the medium specific information may be a hash value generated through a predetermined hash algorithm using terminal identification information and device identification information as input values. In the case of using the hash value, it is possible to know whether or not the input values are the same (that is, whether the two media participating in the authentication action are two predetermined media) according to whether the compared hash values are the same or not. However, It is not possible to restore the input values (i.e., the terminal identification information and the device identification information) by using the encryption key. In this specification, the case where the medium specific information generates input values (i.e., device identification information and terminal identification information) through hashing is described as an example, but a new unique value is generated using one or a plurality of input information Any algorithm that can do this is acceptable. That is, if the input information is the same, the output values are the same, and if not, any algorithm that is different from the output value may be used to generate the medium specific information.

According to the embodiment, the one-time information (device one-time information or terminal one-time information) may include the medium unique information and the server creation key. According to another embodiment, the one-time information may be generated again based on the medium unique information and the server generation key. At this time, an algorithm (e.g., a hashing algorithm) for outputting a predetermined output value using the medium specific information and the server generation key as input values may be used. Then, the one-time information may be a specific value determined by the terminal identification information, the device identification information, and a server generation key (or alternatively, information on an additional service authentication object may be further included). If the one-time information is the same, the terminal identification information, the device identification information, and the server creation key (or, optionally, information on an additional service authentication target) may be input values used for generating the one-time information It may mean the same. Therefore, when the one-time information is the determination value generated by the medium unique information and the server generation key, the authentication system 200 can use the authentication system 200 ) May also generate a decision value based on the medium specific information and the server generation key transmitted to the digital system 100 by itself, and may determine whether the generated decision value corresponds to the received one-time information.

In the authentication system 200, terminal identification information and device identification information capable of realizing the technical idea of the present invention may be previously stored in association with each other. That is, the digital system 100 and the user device 300, which can implement the technical idea of the present invention, may be set in advance in a pair. In the authentication system 200, terminal identification information and device identification information may be stored so as to correspond to each other. According to another embodiment, a determination value determined based on the terminal identification information and the device identification information which are pairs of each other, that is, the medium specific information, may be stored. That is, the authentication system 200 may not store the terminal identification information and / or the device identification information itself, but may store the medium specific information. In the former case, the authentication system 200 generates medium specific information based on the terminal identification information and / or device identification information stored for the authentication check procedure, and then generates one-time Information can be generated. In the latter case, the one-time information can be generated based on the medium specific information and the server generation key stored in advance.

When the authentication information is not stored in the authentication system 200 itself but the medium specific information is stored in the authentication system 200, the authentication system 200 can recognize the terminal identification information or the device identification information even if the authentication system 200 is attacked There is no security effect. Hereinafter, the information related to the media stored in the authentication system 200 and participating in the authentication operation of the user will be defined as medium identification information. Therefore, the medium identification information may be information stored in the terminal identification information and / or the device identification information itself (in advance correspondence), unique information determined based on the terminal identification information and the device identification information, .

Whether the device one-time information is one-time information generated by using a server generation key as an input value, information obtained by simply encrypting the server generation key with a predetermined encryption key, or device identification information and / Whether simply including the information, the server generation key may be a random number value generated by the authentication system 200 as described above, but is not necessarily limited thereto. That is, the server creation key suffices to be information (e.g., time information, etc.) that can be confirmed by the authentication system 200 at a certain point in time. In addition, the server generation key may be information generated one time to prevent reuse. Or an OTP in which the server creation key itself is generated in a predetermined manner.

In addition, one-time information may be generated by the digital system 100. [ Like the device one-time information, the terminal one-time information may be one-time information generated by using a server generation key received from the authentication system 200 as an input value, information obtained by encrypting a server generation key, Information including information and / or device identification information and the server creation key. Or information including the medium specific information and the server generation key (or alternatively, information on an additional service authentication subject may be further included) as described above, and the medium specific information and the server generation key (and additional service authentication Information about the object).

Hereinafter, the user device 300 or the digital system 100 generates one-time information using the server creation key, and the authentication system 200 also generates one-time information using the server creation key, 300 or the digital system 100 according to an embodiment of the present invention. However, as described above, the user device 300 or the digital system 100 simply generates a value obtained by encrypting the server generation key as device one-time information or terminal one-time information, Information or the terminal one-time information may be decrypted to perform the authentication. Alternatively, the authentication system 200 may generate the one-time information in the same manner as that generated by the digital system 100 or the user device 300, and may transmit the generated one-time information from the digital system 100 Authentication may be performed by comparing the received one-time information with the received one-time information. Alternatively, the one-time information received from the digital system 100 may simply include the server generation key and the device identification information, the server generation key, the device identification information and the terminal identification information, or the server generation key and the medium unique information In this case, authentication may be performed by determining whether the information included in the one-time information corresponds to information (server generation key) transmitted from the server itself and information (medium identification information) stored in advance.

The device one-time information may be information that can be authenticated by the authentication system 200. To this end, the authentication system 200 may be provided with an authentication unit for authenticating the device one-time information. The authentication unit may generate one-time information by itself to authenticate the device one-time information, as will be described later. Of course, at this time, the authentication unit may generate the one-time information using the server generation key transmitted to the user device 300 through the digital system 100. [ That is, the user device 300 may operate as an OTP client, for example, and the authentication unit may operate as an OTP server. Hereinafter, the one-time information generated by the authentication system 200 will be defined as 'server one-time information' for convenience of explanation.

As described above, according to the technical idea of the present invention, the user device 300 generates device one-time information, and the created device one-time information can be authenticated by the authentication system 200. Accordingly, when the user device 300 is authenticated using fixed device identification information such as UID (Unique Identification Number) of the card 300 that can be acquired from the user device 300, There is an effect that the risk of forgery and falsification of the identification information can be remarkably lowered.

Also, according to one embodiment, the user device 300 may be a payment card. Then, the device one-time information generated by the user device 300 may be generated by using the server generation key as an input value, and using the settlement financial information of the settlement card, that is, the information stored in the IC chip of the card (E.g., UID, time information, or any value) irrelevant to the information (e.g., card number, validity period, CVC code, etc.). In this case, since the settlement financial information may not be distributed to the digital system 100 or the authentication system 200, the security can be enhanced. In this case, even though the device one-time information and device one-time information generation algorithm are leaked, there is no risk that the settlement financial information is leaked through reverse engineering or the like.

1, the digital system 100 can communicate with the authentication system 200 via a wired / wireless network, and can communicate with the user device 300 through a predetermined communication (e.g., a local area wireless communication) May be defined to include any type of data processing device capable of communicating over a network. For example, the digital system 100 may be a data processing device, such as a tablet, a music player, or the like, which is easy for the user to carry around. Of course, the digital system 100 is preferably capable of communicating with the authentication system 200 and / or the data processing apparatus 400 via a network.

In addition, the digital system 100 may be implemented so as to generate predetermined one-time information in order to implement the technical idea of the present invention. The one-time information generated by the digital system 100 is defined as 'terminal one-time information' in this specification. The function of the digital system 100 to generate the terminal one-time information may be implemented by installing predetermined software in the digital system 100 to implement the technical idea of the present invention.

Also, the terminal one-time information may be generated by using the server generation key generated by the authentication system 200 as an input value. Of course, according to an embodiment, the digital system 100 may include a timer and may be relatively easy to perform time synchronization with the authentication system 200 relative to the user device 300. [ Therefore, the terminal one-time information may be one-time information generated by using time information as an input value, such as a time synchronization method.

In any case, the terminal one-time information may also be authenticated by the authentication unit included in the authentication system 200. The authentication unit may generate corresponding one-time server information for authenticating the terminal one-time information.

As a result, according to the technical idea of the present invention, the digital system 100 may include the device one-time information generated by the user device 300 in an acknowledgment signal and transmit it to the authentication system 200, May be included in the confirmation signal and transmitted to the authentication system 200. Of course, according to an embodiment, the device one-time information and the terminal one-time information may be included in the confirmation signal and transmitted to the authentication system 200. [ In any case, the information included in the confirmation signal for authentication is referred to as authentication information in this specification. That is, the authentication information may be the one-time information described above, that is, the device one-time information and / or the terminal one-time information. Then, the authentication unit of the authentication system 200 can authenticate the authentication information in various ways according to the embodiment of the authentication information.

For example, it is possible to generate server one-time information corresponding to the device one-time information and / or server one-time information corresponding to the terminal one-time information, and if the device one-time information and / It can be judged to have succeeded. Of course, the authentication of the user device 300 by the device identification information as described below, the authentication of the digital system 100 by the terminal identification information, and / or the authentication of the digital system 100 and the user device 300, A pair authentication may be performed to authenticate whether or not the authentication is successful.

The confirmation signal may be defined as including a series of information or signals including information necessary for the authentication procedure performed by the authentication system 200. [ The acknowledgment signal does not necessarily mean one data set (or contiguous packet data), but may be temporally or physically separated information or signal. That is, the digital system 100 may output the confirmation signal to the authentication system 200 a plurality of times.

Of course, when the authentication information includes both the device one-time information and the terminal one-time information, and both are authenticated by the authentication system 200, the authentication using the device identification information or the terminal identification information may be optionally omitted.

In any case, according to the technical idea of the present invention, the digital system 100 can include the authentication information in the confirmation signal and transmit it to the authentication system 200, and the authentication information included in the confirmation signal is transmitted to the authentication system 200 ). ≪ / RTI >

Meanwhile, the digital system 100 can generate the terminal one-time information only when the digital system 100 communicates with the user apparatus 300. According to an embodiment, the digital system 100 may generate the one-time information in advance in response to the receipt of the authentication action request information or by a predetermined request of the user in advance, and when the communication is performed, Side system 200 to the settlement-side system 200. The settlement- In any case, the digital system 100 can transmit the confirmation signal to the authentication system 200 only when the digital system 100 and the user device 300 are in communication. Therefore, even if it is described that the authentication method according to the technical idea of the present invention includes a step in which the digital system and the user apparatus communicate with each other and the user apparatus generates the terminal one-time information, It should not be interpreted as a description specifying the sequence to be generated, and may be interpreted as including the case where the communication is performed after generation of the terminal one-time information.

As a result, even if the digital system 100 is attacked by hacking or the like, the terminal's one-time information may not be generated unless the user has the user device 300. Or even if the terminal's one-time information is generated, the confirmation signal may not be transmitted, so that the authentication of the user is not successful.

When the terminal's one-time information is generated based on the server generation key, the terminal's one-time information may include at least one of the server generation key received from the authentication system 200, And may be information generated by further inputting a value {key or seed}. Herein, the identification information of the user device 300 may be fixed identification information (e.g., UID) of the user device 300. Of course, in this case, the key may also be registered in the authentication system 200. Therefore, as long as communication with the user device 300 is not performed, the terminal's one-time information may not be generated, and even if the confirmation signal including the terminal's one-time information is transmitted to the authentication system 200, It may not be authenticated by the authentication system 200.

In addition, the terminal one-time information generated by the digital system 100 may be generated based on information (e.g., terminal identification information, time information, an arbitrary value, etc.) irrelevant to the payment financial information. That is, as described in the device one-time information, the terminal's one-time information may be information that is irrelevant to the settlement financial information or information generated from irrelevant information. Therefore, there is no risk that the settlement financial information will be leaked even if leakage occurs in the terminal one-time information and terminal one-time information generation algorithm.

In addition, since the confirmation signal transmitted to the authentication system 200 by the digital system 100 may include only information (e.g., device identification information, terminal identification information, etc.) independent of the settlement financial information, The security of the authentication method according to the technical idea of the invention can be enhanced.

The device one-time information generated by the user device 300 may also be generated by the user device 300 only when the digital system 100 and the user device 300 communicate with each other. For example, when the user device 300 is a smart card such as a payment card or an electronic ID card, the smart card is not provided with power independently, so that communication with the digital system 100 must be performed to generate the device one- Of course. Also, even when the user device 300 is powered on and can generate device one-time information by itself, the user device 300 may be configured to generate the device one-time information only when communication with the digital system 100 is performed . And the server generation key generated by the authentication system 200 through the communication may be transmitted to the user device 300. [ Of course, in this case, software or an applet for implementing the technical idea of the present invention may also be installed in the user device 300.

In addition, the user device 300 may generate the device one-time information only when communication with the digital system 100 set in advance is performed. It is needless to say that information about the digital system 100 forming a pair with the user device 300 may be registered in the user device 300 in advance.

In any case, the confirmation signal transmitted by the digital system 100 to the authentication system 200 may include authentication information including the device one-time information and / or the terminal one-time information, It is preferable that the system 100 and the user apparatus 300 can be output from the digital system 100 to the authentication system 200 only when communication is performed. Therefore, even if either of the device one-time information or the terminal one-time information is included in the authentication information, there is an effect that the user is authenticated that another device (that is, the digital system 100 or the user device 300) .

The authentication system 200 may perform an authentication procedure for authenticating the authentication information included in the confirmation signal.

The authentication procedure includes a one-time information authentication procedure for authenticating terminal one-time information generated by the digital system 100 and / or device one-time information generated by the user apparatus 300. [ Whereby the legitimacy of the digital system 100 and / or the user device 300 can be authenticated. Meanwhile, the one-time information authentication procedure may be more strictly called the software (i.e., software for generating the terminal one-time information) installed in the digital system 100 and / or the one-time information generating device (E.g., an IC chip of a smart card, etc.) or software (e.g., software installed in the user device 300 that is a separate mobile phone and generating device one-time information, an applet installed on a smart card, etc.) .

Software installed in the digital system 100 or the user device 300 may be installed only in the digital system 100 or the user device 300 authenticated as a legitimate user's device. In this case, if the validity of the software is authenticated, the digital system 100 is also automatically authenticated.

However, since the software may be leaked or the software may be forged or falsified by attack, the authentication procedure according to the technical idea of the present invention may be performed by authenticating the hardware of the digital system 100 and / And may further include procedures. The authentication procedure of the digital system 100 and / or the hardware of the user device 300 may be performed by the authentication system 200 using the terminal identification information of the digital system 100 and / It may be a procedure of confirming the identification information and judging whether the terminal identification information and / or the device identification information is successful according to whether it corresponds to the information registered in advance in the authentication system 200.

As a result, when the hardware authentication procedure is additionally performed, the security of the authentication method according to the technical idea of the present invention can be further enhanced. Even if the user possessing the digital system 100 does not have the user device 300 registered in the authentication system 200 or holds the user device 300, If the digital system 100 registered in advance in the terminal 200 is not possessed, the authentication of the user is prevented from being successful.

The procedure for authenticating the device identification information according to an embodiment may be performed by the digital system 100. [ Or the procedure for authenticating the terminal identification information may be performed by the user device 300. [ That is, in the digital system 100, the identification information of the user apparatus 300 that can be used for the authentication operation is stored in advance, or the digital system 100 (which can be used for the authentication operation in advance) The digital system 100 or the user device 300 may determine whether the device communicating with the digital device 100 is a device registered in advance by the authentication system 200, There is an effect similar to that the identification information and / or the terminal identification information is authenticated. However, since the digital system 100 and / or the user device 300 may be at a greater risk of being falsified than the authentication system 200, the authentication system 200 may use the device identification information and / Or it may be desirable that the terminal identification information be authenticated.

The authentication procedure performed by the authentication system 200 may further include a pair authentication procedure for authenticating whether the digital system 100 and the user device 300 are a pair. That is, the digital system 100 and the user device 300 may be paired in advance. Only when the two devices forming the pair perform the communication, the authentication system 200 determines that authentication is successful . In this manner, the two devices used in the authentication operation for confirming the authentication request by the user (that is, the communication between the digital system 100 and the user device 300) must be a pair so that the authentication confirmation procedure can be succeeded. In this case, if the digital system 100 and the user device 300 are both registered by the authentication system 200, even if they are not paired with each other, the authentication confirmation process may not be successfully processed, It is possible to have a synergistic effect. Whether the two devices used in the authentication operation (digital system 100 and user device 300) are a pair may be authenticated by the authentication system 200, but may also be authenticated by the digital system 100 . That is, the digital system 100 can communicate with the digital system 100 only when it communicates with the user device 300, which is set to pair with the digital system 100 in advance. To this end, the digital system 100 may have previously stored information (e.g., device identification information) about the user device 300 that is paired with the digital system 100 in advance.

Meanwhile, the authentication request may be transmitted to the authentication system 200 before the authentication signal is transmitted to the authentication system 200. For example, the authentication request may be an authentication request transmitted from the predetermined data processing apparatus 400 to the authentication system 200. The data processing apparatus 400 is a device which is separate from the digital system 100 and used by a user of the digital system 100 and is connected to the authentication system 200 to request authentication, Mobile terminal, set-top box, IPTV, and the like. For example, a user may input identification information (e.g., a telephone number) of his or her digital system 100 through the data processing apparatus 400 to perform an authentication request.

Further, the data processing apparatus 400 may be implemented in various embodiments according to the types of services provided after the authentication according to the technical idea of the present invention succeeds. For example, if the service is a payment service, the data processing device 400 may be an agent terminal requesting payment for settlement. If the service is a service for opening a door, the data processing device 400 may be a device installed at a door. Various embodiments of the data processing apparatus 400 may be possible depending on the type of service.

According to an embodiment, the data processing apparatus 400 or the digital system 100 may make an authentication request to a predetermined service system 500. The service system 500 may transmit a predetermined service (for example, a request for authentication) to the authentication requesting device (for example, the data processing device 400 or the digital system 100) upon successful authentication of the user according to the technical idea of the present invention. Login, financial transaction, confirmation of specific information, issuance of a certificate, purchase of goods or services, payment, opening and closing of a door, etc.). A user may access the service system 500 through the data processing apparatus 400 or the digital system 100 and the service system 500 may be connected to the service system 500 in order to perform the service provided by the service system 500. [ And may request the data processing apparatus 400 or the digital system 100 to authenticate the user. In this case, the service system 500 allows the data processing apparatus 400 or the digital system 100 to access the authentication system 200 (for example, a web page or a UI provided by the authentication system 200) The data processing apparatus 400 or the digital system 100 may be controlled to receive the authentication from the authentication system 200 through the data processing apparatus 400 or the digital system 100 have. The data processing apparatus 400 or the digital system 100 may transmit the authentication request to the authentication system 200 by inputting information necessary for the authentication request (for example, identification information of the digital system 100) As shown in FIG.

Of course, in some implementations, the service system 500 may receive an authentication request from the data processing apparatus 400 or the digital system 100 and send the received authentication request to the authentication system 200 . That is, the service system 500 may mediate the authentication process according to the technical idea of the present invention. The fact that the data processing apparatus 400 or the digital system 100 transmits predetermined information or signals to the authentication system 200 is transmitted to the authentication system 200 through the service system 500 And the like. Of course, even when the authentication system 200 transmits predetermined information or signals to the data processing apparatus 400 or the digital system 100, the authentication system 200 may include the case of being transmitted through the service system 500 . ≪ / RTI >

Although the authentication system 200 and the service system 500 are implemented as separate physical devices in FIG. 1, the authentication system 200 may be included in the service system 500 . In other words, since the predetermined software that implements the function of the authentication system 200 is installed in the service system 500, the authentication according to the technical idea of the present invention may be performed.

According to one embodiment, the authentication of the user according to the technical idea of the present invention may be performed for settlement. In this case, the data processing apparatus 400 may be a predetermined merchant terminal (a POS device installed in a store, a mobile merchant terminal, or the like). In this case, the user or the merchant can transmit the authentication request to the authentication system 200 by inputting identification information (e.g., telephone number) of the digital system 100 of the user to the merchant terminal. In some cases, the user may notify identification information of his or her digital system 100 to a merchant site to perform payment at a remote site. Then, the merchant may transmit the authentication request to the authentication system 200 by inputting the identification information using the data processing apparatus 400, that is, a computer used at the merchant, or an affiliate terminal. If the authentication is successful by the authentication system 200, the payment requested by the data processing apparatus 400 may be finally approved. At this time, the service system 500 may be a predetermined card company system (or a financial institution system that performs card settlement). In addition, the authentication request and the payment request need not necessarily be performed separately. That is, the authentication request according to the embodiment of the present invention may be performed simultaneously with a predetermined service request (for example, payment, etc.). In this case, identification information of the digital system 100 for the authentication request Of course. Such an example will be described in detail later with reference to FIGS. 4 and 5. FIG.

According to another embodiment, the authentication request may be output by the digital system 100 and transmitted to the authentication system 200 together with the acknowledgment signal or separately from the acknowledgment signal. Such an example will be described with reference to FIG.

When the authentication request is received and an acknowledgment signal is received from the digital system 100, the authentication system 200 performs an authentication check procedure as described above based on the received acknowledgment signal. If the authentication is successful, Can successfully process the authentication of the data processing apparatus 400 or the digital system 100. That is, the received authentication request can be successfully processed. The service system 500 may then provide the data processing device 400 or a predetermined service requested by the digital system 100. Needless to say, another authentication of the user (for example, authentication using the authorized certificate, etc.) may be required after the authentication of the user according to the technical idea of the present invention succeeds.

In addition, the authentication procedure may further include authenticating user authentication information (e.g., PIN) of the user device 300. For example, when the user device 300 is a payment IC card, a password (i.e., a PIN number) set by the user may be preset in the user device 300. The user authentication information of the user device 300 may also be registered in the authentication system 200 in advance. Then, the authentication system 200 receives the user authentication information from the digital system 100 or the data processing apparatus 400, and if the received user authentication information corresponds to previously registered information, To be successful. Of course, the authentication of the user authentication information may be performed by the digital system 100 that communicates with the user device 300. In this case, the user authentication information of the user device 300 may be registered in the digital system 100 in advance.

When the authentication operation is performed by the user, the digital system 100 may output an acknowledgment signal to the authentication system 200, and the acknowledgment signal includes not only the device one-time information and / The device identification information of the device 300 and / or the terminal identification information of the digital system 100 may be further included so that the user device 300 and / or the hardware of the digital system 100 as described above The authentication can be performed as described above.

The terminal identification information may include identification information (e.g., identification information of a USIM, IMSI, IMEI, MAC) of the digital system 100 (hardware included in the digital system 100 Address, etc.). When the terminal identification information is included, the authentication system 200 can determine that the authentication check procedure is successful only when the terminal identification information is registered in advance. Therefore, if the confirmation signal is not received through the digital system 100, which is a pre-registered terminal, even if the confirmation signal is transmitted to the authentication system 200 by a predetermined device, Therefore, there is an effect that a predetermined service may not be provided to the user. That is, it is possible to designate a digital system, thereby blocking unauthorized service requests through other terminals. Further, since an authentication action (payment authentication action) can be performed only through the designated digital system, there is an effect that smearing or manned middle attack can be prevented.

Meanwhile, the terminal one-time information generated by the digital system 100 or the device one-time information generated by the user apparatus 300 is displayed by the digital system 100, and the user inputs the terminal one- , The inputted terminal's one-time information may be included in the confirmation signal.

However, according to the embodiment of the present invention, the terminal may be automatically included in the confirmation signal without displaying the one-time information or device one-time information and inputting by the user, thereby providing convenience of the authentication operation by the user. In addition, since there is no process of inputting terminal one-time information or device one-time information by the user, the risk of leakage of information through key logging or the like may be lowered. Of course, in such a case, the non-repudiation of the user may cause the user to input the user authentication information (e.g., PIN) of the user device 300 and to authenticate the user by the authentication system 200 And ultimately by ensuring that the authentication procedure is successful.

The authentication system 200 includes all systems participating in receiving an authentication request, communicating with the digital system 100 and / or the data processing apparatus 400, or in deciding whether to grant an authentication request Can be defined as meaning. Of course, the authentication system 200 does not mean only one physical device, but may be a system that is organically coupled to a plurality of devices or systems to implement the technical idea of the present invention. For example, the authentication system 200 may receive the authentication request directly from the digital system 100 or the data processing apparatus 400, or may receive the authentication request via the service system 500 as described above have.

For example, in the case of a payment service, the authentication system 200 can directly transmit a settlement request (the settlement request is an authentication request) from the data processing apparatus 400, for example, a user's computer, an affiliate store terminal Or may receive a payment request (authentication request) via the service system (e.g., web server 500 that provides an online marketplace). In this case, the authentication system 200 may be a credit card company system that can settle the settlement request (authentication request) using the previously registered credit card information (the credit card company system in the present invention is not only an independent card company system, (Which means to include all financial institution systems (not shown) that perform card settlement). Also, according to an embodiment, a VAN system, a PG, or the like, which is connected to the card company system through a network and mediates a payment process, may be further included in the authentication system 200. [

Hereinafter, the process of authenticating the user according to the technical idea of the present invention will be described in more detail. Hereinafter, for convenience of explanation, the digital system 100 is implemented as a mobile phone, and the identification information of the digital system 100 is a mobile phone number of the mobile phone. However, The scope of rights is not limited thereto.

2 shows a schematic configuration of a digital system according to an embodiment of the present invention.

Referring to FIG. 2, the digital system 100 includes a control module 110, a user equipment communication module 120, and a communication module 140. When the digital system 100 is implemented to generate terminal one-time information, the digital system 100 may further include a terminal one-time information generation module 130. [

Herein, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

The control module 110 may control the other components included in the digital system 100 such as the user device communication module 120, the terminal one-time information generation module 130, and / or the communication module 140 Functions and / or resources.

The user equipment communication module 120 may communicate with the user equipment 300. [ The communication may be contact or non-contact communication as described above. According to an example, the communication may be a contactless short range wireless communication (e.g., NFC communication). When the communication is the NFC communication, the user can be authenticated only by tagging the digital system 100 and the user device 300, so that the convenience of the user can be enhanced. In addition, even when the user device 300 is in a wallet or a pocket, the NFC communication can be performed without removing the user device 300, so that the convenience of authentication can be enhanced. The user equipment communication module 120 may be implemented by, for example, an NFC chip or a module provided in the digital system 100. In addition, it is a matter of course that the embodiment of the user equipment communication module 120 may be varied according to the embodiment of the communication performed by the digital system 100 and the user equipment 300.

The control module 110 may generate or transmit an acknowledgment signal according to the technical idea of the present invention.

The communication module 140 may communicate with the authentication system 200. And may perform communication with the data processing apparatus 400 according to an embodiment.

The control module 110 may communicate with the user device 300 through the user device communication module 120. Also, it may receive device one-time information and / or device identification information from the user device 300 according to an embodiment. Also, the server generation key received from the authentication system 200 through the user device communication module 120 may be transmitted to the user device 300. The transmission of the server creation key may be performed when an authentication operation performed by the user, that is, an operation of communicating the digital system 100 with the user apparatus 300 is performed. Of course, according to an embodiment, the server creation key may be transmitted to the user device 300 separately from the authentication operation. For example, in the case of NFC communication, the user may have to perform a plurality of tagging. The server creation key may be transmitted to the user device 300 through the tagging of any one of a plurality of tagging, and if another tagging is performed, the user may be regarded as having the authentication operation.

The terminal one-time information generation module 130 may generate terminal one-time information. The terminal one-time information generation module 130 can generate the terminal one-time information based on the server generation key received from the authentication system 200 as described above. In addition, the terminal may generate the terminal one-time information based on the device identification information of the user device 300 or the identification information of the digital system 100. At this time, the device identification information may be information independent of the settlement financial information. For example, when the user device 300 is a payment card, the payment financial information (e.g., a card number) of the payment card may be the device identification information. However, according to the technical idea of the present invention, (For example, UID, etc.) irrelevant to the settlement financial information may be used as the device identification information.

Then, the control module 110 generates an acknowledgment signal including authentication information including device one-time information and / or terminal one-time information received from the user device 300, and transmits the generated confirmation signal to the communication module 140 To the authentication system 200. The authentication system 200 of FIG.

The control module 110 may further include device identification information of the user device 300 obtained through the user device communication module 120 according to an embodiment. Also, the control module 110 may further include terminal identification information of the digital system 100. Or may include an authentication request in the acknowledgment signal. Alternatively, the confirmation signal may include an authentication signal indicating an authentication result using the user authentication information. It should be understood that the acknowledgment signal is not limited to one information or a continuously transmitted signal, and the acknowledgment signal may be transmitted to the authentication system 200 discontinuously in a plurality of times according to an embodiment.

The authentication system 200 may then perform an authentication procedure based on an acknowledgment signal including the authentication information. If the authentication confirmation process is successful, the authentication system 200 can process the authentication result as a successful authentication for the device (for example, the digital system 100 or the data processing device 400) that has output the authentication request . That is, the digital processing system 100 or the data processing apparatus 400 can successfully process the authentication request. For example, if the authentication confirmation process is successful, the authentication system 200 may transmit an authentication result indicating that the authentication of the user is successful to the data processing apparatus 400, the digital system 100, and / or the service system 500 Lt; / RTI >

If the confirmation signal further includes the device identification information, the authentication system 200 can authenticate the user device 300 based on the device identification information. Also, when the confirmation signal further includes the terminal identification information, the authentication system 200 can determine whether the digital system 100 is a terminal previously registered based on the terminal identification information.

According to an exemplary embodiment, the settlement financial information of the user equipment (e.g., the payment card 300) may be further included in the confirmation signal as the device identification information. That is, in this case, the user device 300 may be a payment card (i.e., an IC card). The authentication system 200 can authenticate the user device 300 based on the settlement financial information when the settlement financial information is further included in the confirmation signal. However, even if the confirmation signal includes the one-time information, there is a risk that the settlement financial information may be leaked when the settlement financial information is included, and the discharged settlement financial information may be abused. Therefore, when the confirmation signal further includes the settlement financial information of the user equipment, the authentication system 200 determines whether the digital system 100 is a terminal registered in advance, based on the terminal identification information, May be desirable. Of course, the device identification information may be selected as the identification information of the user device 300, which is not related to the payment financial information, as described above.

Meanwhile, the communication module 140 may receive predetermined authentication action request information from the authentication system 200 or from the data processing apparatus 400. [ The authentication action request information may include information for requesting a user to perform an authentication operation, that is, to communicate the digital system 100 and the user device 300. [ In addition, the server generation key generated by the authentication system 200 may be received together with the authentication action request information. Also, the communication module 140 may receive a server generation key from the authentication system 200. [

The server creation key may be received together with the authentication action request information and may be received separately before or after the authentication action request information is received by the digital system 100. [ For example, in the digital system 100, predetermined software for implementing the technical idea of the present invention can be installed, and the technical idea of the present invention can be implemented only when the software is executed. In this case, the digital system 100 may automatically perform communication with the predetermined authentication system 200 when the software is executed. In this case, the server generation key may be received in advance. In any case, the digital system 100 may receive the server creation key from the authentication system 200 before the user performs an authentication operation.

Of course, only the signal indicating that the authentication request has been performed in the data processing apparatus 400 or the digital system 100 may be included in the authentication action request information.

The authentication action request information may be displayed on a display device (not shown) included in the digital system 100. The user can confirm the authentication action request information and perform authentication by requesting the digital system 100 and the user device 300 by tagging.

The communication module 140 may receive the authentication action request information from the authentication system 200 or may receive the authentication action request information from the data processing device 400. Such an example will be described later with reference to Figs.

Meanwhile, the control module 110 may determine whether the user device 300 is a device forming a pair with the digital system 100. And transmit the confirmation signal to the authentication system 200 only when the user device 300 is a device forming a pair with the digital system 100. [ Of course, the procedure for authenticating such a pair may be performed by the authentication system 200 as described above.

Also, the control module 110 requests predetermined user authentication information (e.g., PIN) before or after performing communication with the user device 300, and when the user authentication information is transmitted to the user device 300 (e.g., It is possible to generate the terminal one-time information only when it corresponds to the authentication information (for example, PIN information) of the IC card for payment) or transmit the confirmation signal including the device one-time information acquired from the user apparatus 300. [ It is possible to prevent the non-repudiation even if the user does not perform the process of checking the device one-time information or the terminal one-time information and directly inputting the device one-time information to the digital system 100 through the user authentication information.

If the user authentication using the user authentication information is not performed, the digital system may not transmit the confirmation signal to the authentication system 200. For example, the digital system 100 may receive the user authentication information in advance before communicating with the user device 300. Or may receive the user authentication information from the user after the communication is performed. If the user authentication information does not correspond to the information set in the user device 300 in advance, the confirmation signal may not be transmitted. According to an embodiment, the user authentication using the user authentication information may be performed by the digital system 100 after the confirmation signal is transmitted. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication using the user authentication information to the authentication system 200 after transmitting the confirmation signal. Then, the authentication system 200 receiving the authentication signal may finally determine the success or failure of the authentication confirmation procedure.

Or the digital system 100 transmits the user authentication information received from the user to the authentication system 200 and determines whether the user authentication information corresponds to the user device 300 by the authentication system 200 .

3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.

3, an authentication system 200 according to an exemplary embodiment of the present invention includes a control unit 210, a communication unit 220, and an authentication unit 230. The authentication system 200 may further include a DB 240.

The configuration of the control unit 210, the communication unit 220, the authentication unit 230, and the DB 240 included in the authentication system 200 includes hardware for performing the technical idea of the present invention, And the functional and structural combination of the software. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

Also, the authentication system 200 does not mean any physical device. That is, an average expert in the technical field of the present invention can easily deduce that the authentication system 200 can be implemented by organically combining different physical devices through a network.

The authentication system 200 may be included in the service system 500 or may be implemented in a system separate from the service system 500. In addition, the operating system of the authentication system 200 and the service system 500 may be the same or different.

The control unit 331 can control functions and / or resources of other components included in the authentication system 200 (e.g., the communication unit 220, the authentication unit 230, and the DB 240) .

The communication unit 220 may perform communication with the digital system 100. In particular, the communication unit 220 may receive an acknowledgment signal from the digital system 100. Also, the communication unit 220 may transmit the server generation key to the digital system 100. [

The authentication unit 230 may generate the server generation key as described above. In addition, an authentication confirmation procedure may be performed based on the confirmation signal including the authentication information including the one-time information generated based on the server generation key. The authentication information may include one-time information, and the one-time information may include device one-time information and / or terminal one-time information. For this, the authentication unit 230 may generate server one-time information using the server generation key transmitted to the digital system 100. [ Of course, in addition to the server creation key, an average expert in the technical field of the present invention can generate the server one-time information by using information pre-agreed with the digital system 100 or the user apparatus 300 as an input value. I can reason.

Also, according to an embodiment, as described above, the authentication unit 230 simply decrypts the device one-time information and / or terminal one-time information, and determines whether the decrypted result corresponds to the server generation key, .

Further, as described above, the authentication information may be information that simply includes the medium-specific information (or the terminal identification information and / or device identification information) and the server generation key, the medium specific information (and the information on the additional service authentication target) And a determination value determined based on the server generation key. In this case, the authentication unit 230 authenticates the medium specific information (or the terminal identification information and / or device identification information) included in the authentication information based on the medium identification information stored in advance in the authentication system 200, The server generation key included in the authentication information can be authenticated based on the server generation key transmitted to the system 100. Alternatively, the authentication unit 230 may determine whether the digital system 100 or the user device 300 has generated the authentication information based on the medium identification information (e.g., medium specific information) (For example, a hashing algorithm) to generate a determination value, that is, authentication information for authentication. In addition, an authentication confirmation procedure may be performed by determining whether the generated authentication information for authentication and the authentication information received from the digital system 100 correspond to each other.

Wherein the authentication procedure includes an authentication procedure for authenticating one-time information included in the authentication information, the authentication using the device identification information, the authentication using the terminal identification information, As described above, at least one of authentication of whether the system 100 and the user device 300 are paired and / or authentication of the user authentication information set in the user device 300 may be selectively included.

When the one-time information includes the device one-time information, authentication using the device identification information may not be selectively included in the authentication confirmation procedure. If the one-time information includes terminal one-time information, The used authentication may optionally not be included in the authentication procedure. Of course, even if the one-time information includes the device one-time information or the one-time information includes terminal one-time information, the authentication using the device identification information and / or the authentication using the terminal identification information may be performed by the authentication unit 230 And in this case, the one-time information is to authenticate a specific device or software that generates the one-time information, whereas the authentication using the device identification information and / or the terminal identification information may be to authenticate the other hardware. Therefore, even if the device one-time information is authenticated by the authentication unit 230, there is a benefit even if the authentication using the device identification information is separately performed. Similarly, even if the terminal one-time information is authenticated by the authentication unit 230, authentication may be performed using the terminal identification information separately.

If the authentication unit 230 has succeeded in the authentication process, the control unit 210 can successfully process the authentication request that is already received or the authentication request included in the confirmation signal. The control unit 210 may send a signal indicating the authentication result to the service system 500 for success processing.

The DB 240 may previously store medium identification information (e.g., terminal identification information, device identification information, medium specific information, etc.) according to the technical idea of the present invention as described above. Also, the server generation key generated by the authentication unit 230 may be temporarily stored. Information on pair formation of the digital system 100 and the user apparatus 300, that is, information on which digital system 100 and which user apparatus 300 are formed in pairs, that is, pair setting information, Can be.

The communication unit 220 may receive an authentication request from the data processing apparatus 400 or the digital system 100. Needless to say, the authentication request may include identification information (e.g., telephone number) of the digital system 100. The identification information of the digital system 100 may be the identification information unique to the hardware of the digital system 100 or may be information different from the identification information of the digital system 100, May be varied according to the embodiment of FIG. Then, the control unit 210 may transmit authentication action request information to the digital system 100 or the data processing apparatus 400 through the communication unit 220. [ The user can confirm the authentication action request information and communicate the digital system 100 and the user device 300. [ Then, the communication unit 220 can receive an acknowledgment signal output from the digital system 100.

Then, the authentication unit 230 may perform the authentication procedure.

For this, the authentication unit 230 may generate server one-time information corresponding to the digital system 100 or the user device 300. [ Of course, it is also possible to generate server one-time information corresponding to the digital system 100 and server one-time information corresponding to the user apparatus 300, respectively. To this end, the authentication unit 230 may provide at least one input value (key or seed) for generating one-time information for each digital system 100 and / or for each user equipment 300, Shared with the digital system 100 and / or each user device 300, or may share the manner (or algorithm) of obtaining the at least one key. Of course, the server creation key may be included in the at least one input value. Of course, a function or algorithm for generating the server one-time information is also the same as the function or algorithm in which the digital system 100 or the user device 300 generates the terminal one-time information or the device 300 one-time information can do.

When the authentication unit 230 generates server one-time information, the authentication unit 230 authenticates the digital system 100 by determining whether the generated server one-time information corresponds to the one-time information included in the confirmation signal An authentication procedure can be performed. It should be noted that there are various embodiments of at least one input value and one-time information generation algorithm for the digital system 100, the user apparatus 300, and the authentication unit 230, respectively, to generate one- The average expert in the field will be able to easily reason.

Of course, as described above, the one-time information included in the authentication information may simply encrypt the server generation key, include the server generation key and the medium specific information (or terminal identification information and / or device identification information) In the case of a decision value determined based on the medium specific information, the server may not generate the one-time information, and the authentication unit 230 performs the authentication procedure at this time as described above.

Meanwhile, when the terminal identification information is included in the confirmation signal, the authentication unit 230 determines whether the terminal identification information corresponds to the information registered in advance in the DB 240, It can be judged that the procedure is successful.

The authentication unit 230 determines whether the digital system 100 and the user device 300 form a pair with each other based on information previously registered in the DB 240, The digital system 100 and the user device 300 form a pair to determine that the authentication confirmation procedure is successful.

When the user authentication information (for example, the PIN information of the payment card, etc.) of the user device 300 is received from the digital system 100, the authentication unit 230 transmits the user authentication information to the DB 240) to determine that the authentication check procedure is successful. Or may determine whether the authentication procedure is successful based on the authentication signal received from the digital system 100. [

FIG. 4 shows a schematic data flow of a user authentication method using a user apparatus according to an embodiment of the present invention.

4 illustrates an example in which an authentication request is made via the digital system 100. Referring to FIG. 4, the digital system 100 may send a predetermined authentication request to the authentication system 200 (S100 ). The authentication request is received through the communication unit 220 of the authentication system 200 and the control unit 210 may transmit the authentication action request information to the communication module 140 of the digital system 100 ). The authentication action request information may include a server creation key generated by the authentication system 200. Of course, the server creation key may not be displayed by the digital system 100. In addition, the server generation key may be transmitted to the digital system 100 separately from the authentication action request information.

After confirming the authentication action request information, the user can communicate with the digital system 100 and the user device 300 (S120). The server creation key may be transmitted to the user device 300 through the communication. Then, the user device 300 may generate device one-time information based on the server creation key (S130). In this case, the digital system 100 may acquire the device one-time information, and may further acquire the identification information of the user device 300 according to an embodiment (S140).

Of course, the digital system 100 may generate terminal one-time information (S130-1). The terminal one-time information may also be generated based on the server generation key. Alternatively, the terminal one-time information may be generated by using time information as an input value (for example, a time synchronization method). The control module 110 of the digital system 100 may control the terminal to generate the one-time information only when the communication is performed. In some cases, the terminal may generate the one-time information before the communication is performed (S130-1).

Then, the digital system 100 may transmit at least one of the terminal's one-time information or the device one-time information to the authentication system 200 (S150). Of course, the device identification information or the terminal identification information of the digital system 100 may be further included in the confirmation signal.

According to an embodiment of the present invention, the control module 110 of the digital system 100 does not include the settlement financial information of the settlement card in the confirmation signal even when the user device 300 is a settlement card It is possible. That is, the settlement financial information is not distributed through the network, thereby enhancing the security.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S160). If the authentication verification process is successful, the authentication system 200 may transmit the authentication result, that is, the authentication of the user, to the digital system 100 (S170). Of course, if the digital system 100 accesses a predetermined service system 500 and then transmits the authentication request to the authentication system 200, the authentication system 200 transmits the authentication result to the service system 500 500).

As described above, the authentication system 200 determines whether the device identification information corresponds to previously registered information, whether the terminal identification information corresponds to previously registered information, and / or whether the digital system 100 and / It is of course also possible to determine the success or failure of the authentication procedure based further on whether the user device 300 forms a pair.

FIG. 5 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

5, the data processing apparatus 400 receives an authentication request by inputting identification information of the digital system 100, and transmits the authentication request to the data processing apparatus 400. [ To the authentication system 200 (S200).

The data processing apparatus 400 may be a computer or the like used by the user of the digital system 100. [ For example, the user can request an authentication online (S200) through a computer or the like, and in response, the authentication system 200 can transmit authentication action request information to the computer (S210-1). The user may perform an authentication operation to confirm the authentication action request information displayed on the computer and to communicate the digital system 100 and the user device 300 in operation S220. According to an embodiment, the authentication system 200 may transmit authentication action request information to the digital system 100 (S210). When the authentication action request information is transmitted to the digital system 100, the server activation key includes a server generation key generated by the authentication system 200 and transmitted to the authentication activity request information, The server creation key can be transmitted to the digital system 100 as described above. According to an embodiment, the authentication system 200 transmits the authentication action request information to the data processing apparatus 400, and the server creation key may be transmitted to the digital system 100.

Then, the user can perform the authentication operation in response to this (S220).

According to another embodiment, the data processing apparatus 400 may be an affiliate terminal. That is, the user may want to perform settlement. In this case, the authentication request may be a payment request. The user can notify the merchant in the off-line store of the identification information of his / her digital system 100 or can input the identification information himself / herself. Alternatively, at a remote location, the user may request the merchant to perform a payment (authentication) request for a predetermined payment through telephone, messaging, or e-mail. Then, an authentication (payment) request may be transmitted to the authentication system 200 by inputting the identification information of the digital system 100 to the merchant terminal (S200). At this time, the authentication action request information may also be transmitted to the merchant terminal and / or the digital system 100 (S200, S200-1). Of course, the server creation key may be transmitted to the digital system 100. In response, the user may communicate an authentication action, i.e., the digital system 100 and the user device 300 (S220). The server creation key may be transmitted to the user device 300 through the communication.

The digital system 100 may then obtain the device one-time information generated by the user device 300 (S230, S240). And may further acquire device identification information of the user device 300 according to an embodiment. Also, the digital system 100 may generate terminal one-time information (S230-1).

The digital system 100 may include at least the terminal one-time information or the device one-time information in the authentication system 200, and may further include the device identification information or the terminal identification information of the digital system 100, (S250). Of course, the device identification information may include settlement financial information of the settlement card. In order to increase the security, the settlement financial information may be transmitted to the user system 300 even if the digital system 100 obtains the confirmation signal .

According to an embodiment, the digital system 100 may acquire only the device identification information without acquiring the device one-time information of the user device 300, or simply acquire the device identification information of the user device 300 . In this case, the digital system 100 preferably generates the terminal one-time information. This is because, according to the technical idea of the present invention, it is preferable that at least one of the user equipment 300 and the terminal one-time information of the digital system 100 is included in the confirmation information.

Then, the authentication system 200 may perform an authentication procedure based on the confirmation signal (S260). Then, the authentication result may be transmitted to the digital system 100 (S270). Or may be transmitted to the data processing apparatus 400 (S270-1). Of course, the authentication result may be transmitted to the service system 500.

Meanwhile, the authentication request according to the embodiment of the present invention may be performed by a person other than the user of the digital system 100. For example, an authentication requester other than the user (that is, a person who performs authentication confirmation) such as a family member, a relative or an acquaintance of the user inputs the identification information of the user to the data processing apparatus 400, (200).

For example, if the authentication requestor, who is an acquaintance of the user, should log in to the user's web account, receive a certificate on behalf of the user, or require payment by a third party, the service system 500 There may be cases. In this case, conventionally, it is not easy to inform the authentication requestor of information (for example, login information, authorized certificate password, etc.) for authentication or to implement it. However, according to the technical idea of the present invention, the authentication request and the authentication operation can be performed in a spatially separated state, and since the authentication requestor does not need to perform the authentication operation, there is an effect that the information for authentication is not informed to the other person.

Also, in the case of a payment service, when the authentication requester faces the identification information of the user or remotely notifies the affiliation shop side, the affiliate shop sends an authentication request (that is, a payment request ) To the authentication system (200). Of course, at this time, information on the authentication requester (for example, a name of a payment requester, a telephone number, etc.) may be further included, and information on the payment requester may be included in the authentication action request information.

In this case, the authentication system 200 may transmit the authentication action request information and the server generation key to the digital system 100 of the user, and the authentication operation as described above may be performed by the user. Then, if an authentication confirmation procedure is performed by the authentication system 200 and the authentication confirmation procedure is successful, the authentication (payment) result can be transmitted to the data processing apparatus 400 and the digital system 100.

According to another embodiment, an authentication requestor that is not a user inputs identification information of the digital system 100 to the data processing apparatus (e.g., a computer, a mobile terminal of an authentication requestor, etc.) 400, The franchisee can input the identification information of the digital system 100 to the data processing device (for example, the franchisee terminal 400) when the identification information of the user is presented face to face or remotely. Then, the data processing apparatus 400 may transmit authentication action request information (that is, payment related information including payment details, etc.) to the digital system 100. Of course, in order to achieve this, predetermined software may be installed in the data processing apparatus 400 to implement the technical idea of the present invention.

The authentication action request information may include information on the merchant, payment details, and / or information on the payment requester. If the user confirms the authentication action request information and wishes to settle the settlement request corresponding to the authentication action request information, the user can perform the authentication operation as described above. The digital system 100 may then send an acknowledgment signal as described above to the authentication system 200. At this time, the confirmation signal may further include not only the one-time information on the terminal and / or the one-time information on the terminal but also information necessary for a payment request (for example, information on an affiliate shop, payment details, etc.). That is, the confirmation signal may further include an authentication (settlement) request to be transmitted to the authentication system 200.

The authentication system 200 may then perform an authentication procedure based on the acknowledgment signal. The authentication system 200 can transmit the authentication result to the data processing apparatus 400 and / or the digital system 100. [0050] FIG. Of course, in the case of payment, if the authentication confirmation procedure is successful, the authentication system 200 or the service system 500 determines whether or not the payment is approved and transmits the payment result to the data processing apparatus 400 and / (100).

As a result, according to the technical idea of the present invention, it is possible to provide a solution with high security, which is very easy to perform authentication on behalf of a third party authentication requestor.

4 and 5, since only the identification information of the digital system 100 is required for the authentication request, the authentication request is easy. In order to perform the authentication operation, (E.g., tagging) the user device 100 and the user device 300. As described above, although the authentication request is easy and the authentication is easy, the security can be very high as described above. Also, as shown in FIG. 4 and FIG. 5, the user can easily determine whether the authentication request is allowed even in the two-channel authentication due to the ease of authentication request and the convenience of the payment confirmation operation. Further, The login information, the authorized certificate password, etc.), and can perform the authentication operation safely.

FIG. 6 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

6, when the user notifies or inputs the identification information of his / her digital system 100, the data processing apparatus 400 receives the identification information (S300) To the digital system 100 (S310). It is needless to say that predetermined software for implementing the technical idea of the present invention may be installed in the data processing apparatus 400.

For example, when the user notifies the identification information of his / her digital system 100 or inputs the payment information to his / her mobile terminal 400 without providing a payment card to the store, the data processing apparatus 400 may transmit the identification information (S300) and transmits the authentication action request information corresponding to the authentication to the digital system 100 (S310). Then, the user can wirelessly communicate the digital system 100 to the data processing apparatus 400 in situ or in the car, and can easily perform settlement. In this case, the settlement financial information of the user device 300 as well as the user device 300 may not be transmitted to the merchant, so that it can be a safe settlement solution.

According to an embodiment, the data processing apparatus 400 and the digital system 100 may perform short-range wireless communication. In this case, the authentication action request information may be transmitted to the digital system 100 by the short distance wireless communication between the data processing apparatus 400 and the digital system 100. At this time, the identification information of the digital system 100 may not need to be input to the data processing apparatus 400.

For example, when the technical idea of the present invention is applied to a payment service, when a settlement amount is input to a data processing apparatus (for example, an affiliate terminal 400), the user inputs the digital system 100 to the data processing apparatus 400 It is possible to perform short-range wireless communication. Then, the authentication operation request information including the payment details including the payment amount (for example, merchant identification information, etc.) may be transmitted to the digital system 100. The user can then remotely communicate the digital system 100 with his / her user device (e.g., the payment IC card 300). With this two short-distance wireless communication, the user can easily make a payment. In this case, the identification information of the digital system 100 of the user is not required to be notified to the merchant, and the settlement financial information of the user device 300 may not be transmitted to the merchant.

In the case where the authentication action request information is transmitted from the data processing apparatus 400 to the digital system 100, in this case, the authentication action request information includes information (payment related information) required for an authentication request (payment request) . When the authentication action request information is received, the digital system 100 can communicate with the authentication system 200 and receive a server creation key (S310-1)

When the authentication operation is performed by the user (S320), the terminal one-time information generated by the digital system 100 and / or the device one-time information generated by the user device 300 and the authentication request (payment request) May be included in the confirmation signal and transmitted to the authentication system 200 (S320, S330, S330-1, S340, S350). Of course, the authentication request (payment request) may be transmitted separately from the acknowledgment signal. That is, the authentication request (payment request) may be output to the authentication system 200 separately before or after the confirmation signal is output to the authentication system 200.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S360). If the authentication confirmation process is successful, the authentication result may be transmitted to the digital system 100 (S380-1). Of course, the data may be transmitted to the data processing apparatus 400 (S380). Or to a given service system 500.

On the other hand, as described above, when the authentication information includes merely a server generated key and medium specific information (or terminal identification information and / or device identification information), or the authentication information is determined based on the server generated key and medium unique information Value will be described with reference to FIG.

FIG. 9 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

9, the digital system 100 may perform an authentication request to an authentication system 200 (S600. Of course, as described above, a given data processing apparatus 400 may perform an authentication request , Which will be described in detail above, so that a detailed description thereof will be omitted.

The authentication system 200 may then transmit the server creation key to the digital system 100. In operation S620, the user can communicate with the digital device 100 and the user device 300 through the authentication process. Of course, the server creation key may be transmitted to the digital system 100 after the communication.

The digital system 100 may receive the device identification information of the user device 300 from the user device 300 through the communication (S630). The digital system 100 may then selectively include the device identification information and its terminal identification information. The fact that the terminal identification information may be omitted is that the digital system 100 is connected to the authentication system 200, , The authentication for the digital system 100 may already be performed separately and may also authenticate the user device 300 without limitation to the specific digital system 100 The authentication information including the received server creation key is generated (S640), and the generated authentication information is included in the generated authentication information To the authentication system 200 (S650). Further, as described above, information on a service authentication object may be further included in the authentication information.

According to another embodiment, the digital system 100 receives the device identification information (S630). Specific information that is determined based on at least the received device identification information. That is, in addition to the device identification information, the medium unique information may be selectively generated based on the terminal identification information. In operation S650, the authentication information including the medium unique information and the server creation key is generated in operation S540, and an authentication signal including the generated authentication information may be transmitted to the authentication system 200 in operation S650.

According to another embodiment, the digital system 100 receives the device identification information (S630). Specific information that is determined based on at least the received device identification information. In operation S650, the authentication information generating unit generates the authentication information determined based on the medium unique information and the server generated key as the authentication information in operation S540, and transmits an authentication signal including the generated authentication information to the authentication system 200 in operation S650. Further, as described above, information on a service authentication object may be further used as input information for generating the authentication information.

In this case, the digital system 100 generates the authentication information, and the user device 300 may generate the authentication information as described above.

At this time, the server generation key may be transmitted to the user device 300 via the communication (S620). The terminal identification information may be further transmitted to the user device 300 as needed.

The user device 300 generates authentication information (device one-time information) including the received server generation key and device identification information, generates authentication information including the server generation key, device identification information, and terminal identification information, Generating authentication information including the generated key and the medium specific information or generating a determination value determined based on the server generated key and the medium specific information as the authentication information. The generated authentication information is transmitted to the digital system 100, and the digital system 100 can transmit the confirmation signal including the authentication information to the authentication system 200. [

The authentication system 200 may perform an authentication procedure for authenticating the authentication information included in the received confirmation signal (S660). Then, the authentication result can be transmitted to the digital system 100 (S670).

On the other hand, an example of the case where the authentication information includes additional information about the service authentication object or the authentication information is generated based on the information about the service authentication object may be as shown in FIG.

In the case of a conventional account transfer or remittance, when an authentication request (remittance request) including remittance account information to be remitted (information capable of identifying the remittance account) is performed by the sender's apparatus (mobile phone, computer, or the like) (Such as an authorized certificate and / or OTP) in a system (e.g., a financial institution system or an authentication center associated with a server of a performer performing a money transfer service). (The remittance processing system may be included in the authentication system or separately implemented and connected to the authentication system) that performs the remittance process if the authentication is successful, As shown in FIG. At this time, the malicious attacker resides in a specific place (for example, memory) of the malicious code remitter device distributed by the attacker, and the authentication is terminated, and the remittance processing system changes the remittance account information to the account desired by the attacker To the remittance processing system, and the remittance processing system transfers the remittance to the changed account. At this time, the remittance account information displayed on the remitter device is kept as inputted by the remitter, so that the user may not be able to recognize the remittance account information. However, according to the technical idea of the present invention, such an attack can be prevented by incorporating the remittance account information into the authentication information as information on the service authentication object or generating the authentication information based on the remittance account information.

10 is a diagram for explaining an example in which the authentication method according to an embodiment of the present invention is applied to account transfer (money transfer). In FIG. 10, the case where the remittance processing system is included in the authentication system 200 for illustrative convenience is exemplarily shown. However, the remittance processing system may be provided separately from the authentication system 200 as described above.

Referring to FIG. 10, a sender can transmit an authentication request (a transfer request) to the authentication system 200 using the digital system 100 (S700). Of course, as described above, it is also possible to perform an authentication request (request for remittance) to the data processing apparatus 400 that is separate from the digital system 100. In this case, detailed description will be omitted since it is the same as described above. Also, the sender may input the remittance account information before the authentication request (the remittance request), or may input the remittance account information after the authentication request (the remittance request) (S740). In this case, the remittance account information inputted to the data processing apparatus 400 may be transmitted to the authentication system 200, To the digital system 100 via the Internet. The digital system 100 can receive the remittance account information to generate the authentication information by any route.

The authentication system 200 may transmit the server creation key to the digital system 100 at step S710 and the digital system 100 may communicate with the user device 300 at step S720. The digital system 100 may then receive the device identification information from the user device 300 (S730).

Then, the digital system 100 may generate authentication information (S750).

The remittance account information may be included in the authentication information as information on a service authentication object. For example, the authentication information may simply include a server creation key, device identification information (and terminal identification information), and remittance account information. In some implementations, only the server generated key and remittance account information may be included in the authentication information. That is, according to the embodiment, the user device 300 may be excluded from the information about the authentication object, and in this case, the communication S720 may be omitted. Alternatively, the authentication information may include the server generation key, the medium specific information, and the remittance account information. Depending on the implementation, a predetermined determination value based on the remittance account information may be included in the authentication information.

According to another embodiment, the authentication information may include a determination value determined based on the medium unique information and the remittance account information, and the server generation key.

Alternatively, the authentication information may include a determination value and a remittance account information (or a determination value determined based on the remittance account information) determined based on the server generation key and the medium inherent information. In this case, since the authentication system 200 has the information for authenticating the sender (that is, the server generated key, the apparatus identification information (or the medium unique information)) and the remittance account information, the apparatus for authenticating the remitter and the remittance May be disconnected.

Or the authentication information includes a determination value that is determined based on the medium unique information and the remittance account information and a second determination value that is determined based on the server generation key or that the second determination value is the authentication information itself It is possible.

In any case, the authentication information may be one-time information generated based on the server generation key and the remittance account information.

Such authentication information may be included in the confirmation signal and transmitted to the authentication system 200. [

Then, the remittance processing system may perform an authentication check procedure for authenticating the authentication information (S770). In addition, the apparatus for authenticating the sender according to the embodiment may be a separate apparatus from the remittance processing system. In this case, the authentication information may include information (server generation key, terminal identification information and / It is preferable that the apparatus identification information (or medium specific information) and the remittance account information (or the determination value based on the remittance account information) can be separately included.

In any case, the remittance processing system can determine whether the account to be remitted by the remittance accounting system corresponds to the remittance account information inputted by the remitter through the authentication confirmation procedure. That is, when the remittance account information (or the decision value) included in the authentication information corresponds to the remittance account information (or the decision value) to be remitted by itself, or when the authentication information itself is a decision value based on the remittance account information, It is possible to determine whether the authentication information corresponds to the authentication information received from the digital system 100. For example,

As described above, according to the technical idea of the present invention, the remittance processing system can perform the authentication confirmation procedure for authenticating the authentication information received from the digital system 100 before remittance (or at least the remittance account information (or remittance account information (S780). Since the authentication information is one-time information based on the remittance account information, the remittance account information input by the user (that is, the service It is possible to prevent the remittance from being carried out to an account different from the account to be authenticated.

Of course, after the remittance is performed, the authentication system 200 may transmit the remittance result to the digital system 100 (S790).

7 is a diagram for explaining a process of an authentication system performing an authentication procedure according to an embodiment of the present invention.

Referring to FIG. 7, the authentication unit 230 determines whether the authentication information (that is, the terminal's one-time information and / or the device one-time Information) can be obtained (S410). Then, the authentication unit 230 can authenticate the authentication information as described above. For example, after generating server one-time information based on a server generation key transmitted to the digital system 100 (S411), one-time information for determining whether the generated server one-time information and the terminal one-time information and / (S412). Of course, the device one-time information may be generated in a time synchronization manner, and in this case, the server one-time information may be generated using time information as an input value. Or if the device one-time information and / or the terminal one-time information are information obtained by simply encrypting the server generation key, the authentication unit 230 decrypts the device one-time information and / or the terminal one- Authentication of the one-time information may be performed by determining whether it corresponds to the server creation key. Alternatively, as described above, it is possible to authenticate the server generated key and the medium unique information (or the terminal identification information and / or the device identification information) included in the authentication information, or the server generated key and the medium unique information Information) that is a determination value that is determined based on the authentication information.

If authentication of the authentication information (one-time information) is successful, it can be determined that the authentication confirmation process has succeeded (S460). If the authentication of the one-time information fails, it can be determined that the authentication confirmation process has failed (S450).

The authentication unit 230 may perform only authentication of the one-time information. However, according to an embodiment, authentication of the device identification information (i.e., authentication of the user device 300) (I. E., Authentication of the hardware of the digital system 100), and / or authentication of the pair. In step S460, it is determined that the authentication is successful if all of the certificates are successful.

7, the authentication of the device identification information, the authentication of the terminal identification information, and the authentication of the pair are sequentially performed. However, it is needless to say that the sequence of such authentication can be changed at any time.

For example, if authentication of the one-time information is successful as shown in FIG. 7, the authentication unit 230 may authenticate the user device 300 using the device identification information (S420). If the authentication of the user device 300 is successful, it may determine that the entire authentication procedure has succeeded (S460), and may further perform authentication using the terminal identification information (S430). If the authentication of the user device 300 fails, the authentication unit 230 may determine that the entire authentication procedure has failed (S450).

When the authentication unit 230 further performs the authentication using the terminal identification information at step S430, the authentication unit 230 determines the terminal identification information of the digital system 100 included in the confirmation signal and the terminal identification information of the DB 240, The hardware of the digital system 100 may be authenticated by determining whether the information registered in advance corresponds to the information registered in the digital system 100 (S430). If the hardware of the digital system 100 is successfully authenticated, it may determine that the entire authentication procedure has succeeded (S460), and may further perform authentication of the pair (S430). If the authentication of the hardware of the digital system 100 fails, the authentication unit 230 may determine that the entire authentication procedure has failed (S450).

When the authentication unit 230 further performs the pair authentication (S430), the authentication unit 230 transmits the pair setting information registered in advance in the DB 240, that is, information about the digital system and the user apparatus constituting the pair (Step S440), and confirms whether the digital system 100 and the user device 300 used in the payment confirmation operation are a pair. If the pair authentication is successful, it can be determined that the entire authentication check procedure is successful (S460). Of course, if the pair authentication fails, the authentication unit 230 may determine that the entire authentication verification procedure has failed (S450).

8 is a diagram for explaining a process in which a digital system transmits an acknowledgment signal according to an embodiment of the present invention.

Referring to FIG. 8, a user may input user authentication information (e.g., a PIN of a payment card) of the user device 300 through a predetermined application installed in the digital system 100 to perform an authentication operation (S500). The digital system 100 may communicate with the user device 300 (S510). Then, the digital system 100 can receive the device identification information of the user device 300 through the communication (S520).

The digital system 100 may perform user authentication to determine whether the user authentication information input from the user through the communication with the user device 300 corresponds to the information set in the user device 300 in operation S530. If the user authentication is successful, the digital system 100 generates an acknowledgment signal including the one-time information and transmits the acknowledgment signal to the authentication system 200 (S550). Of course, if the user authentication fails (S530), the digital system 100 can terminate the process (S560). According to an embodiment, the digital system 100 may perform pair authentication (S540). In step S550, the digital system 100 may transmit an acknowledgment signal to the mobile station 100 in order to verify that the pair authentication is successful.

In order for the digital system 100 to perform pair authentication, the device identification information of the user device 300 forming a pair with the digital system 100 may be registered in the digital system 100 in advance. According to an embodiment of the present invention, identification information or terminal identification information of the digital system 100 forming a pair with the user device 300 may be stored in the storage device of the user device 300. In this case, the digital system 100 may perform pair authentication by checking the information stored in the storage device.

In any case, if the digital system 100 and the user device 300 are not paired devices, the digital system 100 does not send the acknowledgment signal to the authentication system 200, (S560).

Although FIG. 8 shows an example in which the user authentication is performed before the pair authentication, it is needless to say that the pair authentication may be performed first.

In FIG. 8, the user authentication information (e.g., PIN) of the user device 300 may be input at any time after the confirmation signal is transmitted to the authentication system 200 before the authentication confirmation process is terminated. That is, after the digital system 100 transmits the confirmation signal to the authentication system 200, the digital system 100 may receive user authentication information of the user device 300 from the user and authenticate the user. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication to the authentication system 200. Then, the control unit 210 included in the authentication system 200 may determine the success or failure of the authentication confirmation process after confirming the authentication signal.

According to an embodiment, the digital system 100 transmits user authentication information to the authentication system 200, and the authentication of the user authentication information may be performed by the authentication system 200. In this case, the digital system 100 may transmit the user authentication information to the authentication system 200 at any time before the payment request is approved by the authentication system 200. For example, the user authentication information may be included in the confirmation signal, and the user authentication information may be transmitted to the authentication system 200 at any time before or after the transmission of the confirmation signal. Then, the authentication unit 230 included in the authentication system 200 can perform the user authentication using the user authentication information of the user device 300 stored in the DB 240. And, if the user authentication is successful, it may be determined that the authentication confirmation process is finally succeeded.

11 shows an example of medium identification information that can be stored in an authentication system to implement the technical idea of the present invention.

Referring to FIG. 11, the DB 240 of the authentication system 200 may store medium identification information. The medium identification information may be information on which terminal identification information and / or device identification information capable of implementing the technical idea of the present invention is stored as described above. 10A, the identification information of each of the digital system 100 and the user device 300, which is set in a pair in advance, that is, the terminal identification information, The identification information may be stored so as to correspond to each other. For example, a predetermined digital system (terminal identification information A) may be set as a pair with a specific user apparatus (a). In this case, the digital system corresponding to A and the user apparatus corresponding to a can communicate with each other, and the authentication according to the technical idea of the present invention can be succeeded.

Further, a plurality of user devices (device identification information b1, b2) may be set as a pair in a specific digital system (terminal identification information B). At this time, B and b1 communicate with each other, and B and b2 communicate with each other, so that the authentication according to the technical idea of the present invention can be succeeded.

As shown in FIG. 11A, in the authentication system 200, the terminal identification information and the device identification information corresponding thereto can be stored as medium identification information.

However, as described above, the authentication system 200 may store medium specific information in order to increase security. Such an example may be as shown in FIG. 11B. The medium specific information may be stored so as to correspond to user identification information (e.g., name, telephone number, or terminal identification information).

For example, the medium specific information corresponding to the user 1 may be h1, and the medium specific information h1 may be a determination value (e.g., a hash value) determined by the terminal identification information A and the device identification information . In addition, the medium specific information h2 may be h2 and h3, and the medium specific information h2 may be a determination value (e.g., a hash value) determined by the terminal identification information B and the device identification information b1 ). The medium specific information h3 may be a determination value (e.g., a hash value) determined by the terminal identification information B and the device identification information b2. If the medium specific information is stored in the authentication system 200, the terminal identification information and / or the device identification information may not be exposed even if the authentication system 200 is attacked. Further, when the authentication information generated by the user device 300 or the digital system 100 is a determination value determined based on the server generation key and the medium specific information as described above, the authentication system 200 may be a pre- There is an effect that verification authentication information capable of promptly authenticating the authentication information can be generated using unique information.

The authentication method using the user apparatus according to the embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, an optical data storage device, and the like in the form of a carrier wave (for example, . In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

Claims (27)

A method for authenticating a user using a user device,
The digital system performing communication with a predetermined user device for authenticating the user; And
Wherein the digital system receives the server generation key from the authentication system and transmits at least one of the device identification information of the user apparatus or the terminal identification information of the digital system received via the communication and the authentication information based on the received server generation key Generating an acknowledgment signal including the acknowledgment signal and transmitting the generated acknowledgment signal to the authentication system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The user authentication method using the user device comprises:
Further comprising the step of displaying the authentication action request information output by the authentication system which has received the authentication request including the identification information of the digital system output from the data processing apparatus, on the data processing apparatus or the digital system,
And when the authentication action request information is displayed, the digital system uses the user device performing the communication with the user device.
delete A method for authenticating a user using a user device,
The digital system performing communication with a predetermined user device for authenticating the user; And
Wherein the digital system receives the server generation key from the authentication system and transmits at least one of the device identification information of the user apparatus or the terminal identification information of the digital system received via the communication and the authentication information based on the received server generation key Generating an acknowledgment signal including the acknowledgment signal and transmitting the generated acknowledgment signal to the authentication system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The user authentication method using the user device comprises:
Further comprising receiving, by the digital system, authentication action request information output from the data processing apparatus that has received the identification information of the digital system,
Wherein the digital system performs the communication with the user device when the authentication action request information is received.
A method for authenticating a user using a user device,
The digital system performing communication with a predetermined user device for authenticating the user; And
Wherein the digital system receives the server generation key from the authentication system and transmits at least one of the device identification information of the user apparatus or the terminal identification information of the digital system received via the communication and the authentication information based on the received server generation key Generating an acknowledgment signal including the acknowledgment signal and transmitting the generated acknowledgment signal to the authentication system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
Wherein the transmitting the confirmation signal to the authentication system comprises:
Generating the authentication information including the server generation key, the terminal identification information, and the device identification information received by the digital system, and transmitting the confirmation signal including the authentication information to the authentication system ,
The authentication procedure includes:
Wherein the medium identification information, which is stored in advance in the authentication system, the medium identification information corresponds to the terminal identification information and the device identification information included in the authentication information, the terminal identification information and the device identification information being stored to correspond to each other, And determining whether the server generation key transmitted by the authentication system corresponds to a server generation key included in the authentication information.
A method for authenticating a user using a user device,
The digital system performing communication with a predetermined user device for authenticating the user; And
Wherein the digital system receives the server generation key from the authentication system and transmits at least one of the device identification information of the user apparatus or the terminal identification information of the digital system received via the communication and the authentication information based on the received server generation key Generating an acknowledgment signal including the acknowledgment signal and transmitting the generated acknowledgment signal to the authentication system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
Wherein the transmitting the confirmation signal to the authentication system comprises:
Generating the authentication information including the server generation key and the device identification information received by the digital system and transmitting the confirmation signal including the authentication information to the authentication system,
The authentication procedure includes:
Wherein the medium identification information stored in advance in the authentication system, the medium identification information is information in which the device identification information is stored corresponds to the device identification information included in the authentication information, and the server creation key And determining whether or not the server authentication key corresponds to a server generation key included in the authentication information.
A method for authenticating a user using a user device,
The digital system performing communication with a predetermined user device for authenticating the user; And
Wherein the digital system receives the server generation key from the authentication system and transmits at least one of the device identification information of the user apparatus or the terminal identification information of the digital system received via the communication and the authentication information based on the received server generation key Generating an acknowledgment signal including the acknowledgment signal and transmitting the generated acknowledgment signal to the authentication system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
Wherein the transmitting the confirmation signal to the authentication system comprises:
Wherein the digital system generates medium specific information determined based on at least the device identification information, generates the authentication information determined based on the generated medium specific information and the server generated key received, And transmitting the confirmation signal to the authentication system,
The authentication procedure includes:
Wherein the medium identification information stored in advance in the authentication system, the medium identification information is information in which the medium specific information determined based on at least the device identification information is stored, and the server identification key transmitted by the authentication system And a step of determining whether or not the authentication information received from the digital system corresponds to the authentication information for authentication.
7. The apparatus of claim 6,
A hash value generated based on at least the device identification information,
The authentication information includes:
Wherein the hash value is a hash value generated based on the medium unique information and the server generation key.
A method for authenticating a user using a user device,
The digital system performing communication with a predetermined user device for authenticating the user; And
Wherein the digital system receives the server generation key from the authentication system and transmits at least one of the device identification information of the user apparatus or the terminal identification information of the digital system received via the communication and the authentication information based on the received server generation key Generating an acknowledgment signal including the acknowledgment signal and transmitting the generated acknowledgment signal to the authentication system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The user authentication method using the user device comprises:
Is used for authentication of a person at the time of a financial transaction in which a receiving account exists,
The digital system generates the authentication information based on the account identification information of the receiving account and transmits the confirmation signal including the generated authentication information to the authentication system,
By the authentication system,
Wherein the control unit controls the financial transaction to be performed on the receiving account when the authentication information based on the account identification information is authenticated.
A method for authenticating a user using a user device,
The digital system performing communication with a predetermined user device for authenticating the user; And
Wherein the digital system receives the server generation key from the authentication system and transmits at least one of the device identification information of the user apparatus or the terminal identification information of the digital system received via the communication and the authentication information based on the received server generation key Generating an acknowledgment signal including the acknowledgment signal and transmitting the generated acknowledgment signal to the authentication system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The user device comprising:
IC card for payment,
Wherein the device identification information comprises:
Wherein the identification information is unique to the user apparatus, not the payment financial information of the payment IC card.
A method for authenticating a user using a user device,
The digital system performing communication with a predetermined user device for authenticating the user; And
Wherein the digital system receives the server generation key from the authentication system and transmits at least one of the device identification information of the user apparatus or the terminal identification information of the digital system received via the communication and the authentication information based on the received server generation key Generating an acknowledgment signal including the acknowledgment signal and transmitting the generated acknowledgment signal to the authentication system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The user authentication method using the user device comprises:
Further comprising the step of the digital system determining whether the user equipment is a preset pair to correspond to the digital system,
And if it is determined that the user device is a predetermined pair, transmits the confirmation signal to the authentication system.
A method for authenticating a user using a user device,
The authentication system transmitting the server generation key to the digital system;
Wherein the authentication system receives authentication information from the digital system when the digital system communicates with a predetermined user device for authenticating the user, the device identification information of the user device received via the communication, The information being generated based on at least one of the terminal identification information of the terminal and the server generation key;
The authentication system performing an authentication check procedure for authenticating the authentication information included in the received confirmation signal; And
And successively processing the authentication request outputted from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected with the authentication system,
The step of performing the authentication procedure includes:
Wherein the authentication information is authentication information, media identification information previously stored in the authentication system, and the medium identification information is information capable of identifying at least one of the digital system or the user device participating in the communication, Determining whether the server generated key corresponds to the transmitted server generated key,
The authentication information includes:
A server generation key transmitted to the digital system, the terminal identification information, and the device identification information,
Wherein the step of determining whether the media verification information corresponds to the media verification information stored in advance in the authentication system and the server generation key transmitted to the digital system,
Wherein the medium identification information stored in the authentication system in advance in the authentication system is information on which the terminal identification information and the device identification information are stored so as to correspond to the terminal identification information and the device identification information And determining whether the server generation key transmitted by the authentication system corresponds to a server generation key included in the authentication information.
delete A method for authenticating a user using a user device,
The authentication system transmitting the server generation key to the digital system;
Wherein the authentication system receives authentication information from the digital system when the digital system communicates with a predetermined user device for authenticating the user, the device identification information of the user device received via the communication, The information being generated based on at least one of the terminal identification information of the terminal and the server generation key;
The authentication system performing an authentication check procedure for authenticating the authentication information included in the received confirmation signal; And
And successively processing the authentication request outputted from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected with the authentication system,
The step of performing the authentication procedure includes:
Wherein the authentication information is authentication information, media identification information previously stored in the authentication system, and the medium identification information is information capable of identifying at least one of the digital system or the user device participating in the communication, Determining whether the server generated key corresponds to the transmitted server generated key,
The authentication information includes:
The server generation key and the device identification information transmitted to the digital system,
Wherein the step of determining whether the media verification information corresponds to the media verification information stored in advance in the authentication system and the server generation key transmitted to the digital system,
Wherein the authentication system corresponds to the medium identification information stored in advance in the authentication system, the medium identification information is information on which the device identification information is stored, the device identification information included in the authentication information, And determining whether the server generation key corresponds to a server generation key included in the authentication information.
A method for authenticating a user using a user device,
The authentication system transmitting the server generation key to the digital system;
Wherein the authentication system receives authentication information from the digital system when the digital system communicates with a predetermined user device for authenticating the user, the device identification information of the user device received via the communication, The information being generated based on at least one of the terminal identification information of the terminal and the server generation key;
The authentication system performing an authentication check procedure for authenticating the authentication information included in the received confirmation signal; And
And successively processing the authentication request outputted from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected with the authentication system,
The step of performing the authentication procedure includes:
Wherein the authentication information is authentication information, media identification information previously stored in the authentication system, and the medium identification information is information capable of identifying at least one of the digital system or the user device participating in the communication, Determining whether the server generated key corresponds to the transmitted server generated key,
The authentication information includes:
Wherein the medium identification information determined based on at least the device identification information is generated by the digital system and is determined based on the generated medium identification information and the received server generation key,
Wherein the step of determining whether the media verification information corresponds to the media verification information stored in advance in the authentication system and the server generation key transmitted to the digital system,
The medium identification information stored in advance in the authentication system, the medium identification information being information in which medium specific information determined based on at least the device identification information is stored, and the server generation key transmitted by the authentication system Generating verification authentication information based on the authentication information; And
Wherein the authentication system determines whether the authentication information received from the digital system corresponds to the authentication information for authentication.
A method for authenticating a user using a user device,
The authentication system transmitting the server generation key to the digital system;
Wherein the authentication system receives authentication information from the digital system when the digital system communicates with a predetermined user device for authenticating the user, the device identification information of the user device received via the communication, The information being generated based on at least one of the terminal identification information of the terminal and the server generation key;
The authentication system performing an authentication check procedure for authenticating the authentication information included in the received confirmation signal; And
And successively processing the authentication request outputted from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected with the authentication system,
The step of performing the authentication procedure includes:
Wherein the authentication information is authentication information, media identification information previously stored in the authentication system, and the medium identification information is information capable of identifying at least one of the digital system or the user device participating in the communication, Determining whether the server generated key corresponds to the transmitted server generated key,
The user authentication method using the user device comprises:
Is used for authentication of a person at the time of a financial transaction in which a receiving account exists,
The authentication information includes:
The information being generated based on the account identification information of the receiving account,
The step of performing the authentication procedure includes:
Wherein the authentication system further determines whether the authentication information corresponds to the account identification information to determine whether the authentication information is authenticated,
The authentication system includes:
Wherein the authentication information is authenticated based on the account identification information so that a financial transaction targeting the receiving account is performed.
A computer program installed in a data processing apparatus and stored in a computer-readable recording medium for performing the method according to any one of claims 1, 3 to 11, 13 to 15.
In a digital system,
A user device communication module for performing communication with a predetermined user device for authentication;
A communication module for receiving a server generation key from an authentication system; And
Generating an acknowledgment signal including at least one of device identification information of the user equipment or terminal identification information of the digital system received via the communication and authentication information based on the received server generated key, And a control module for transmitting to the system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The control module includes:
Generates the authentication information including the received server creation key, the terminal identification information, and the device identification information, transmits the confirmation signal including the authentication information to the authentication system,
The authentication procedure includes:
Wherein the medium identification information, which is stored in advance in the authentication system, the medium identification information corresponds to the terminal identification information and the device identification information included in the authentication information, the terminal identification information and the device identification information being stored to correspond to each other, And a step of determining whether the server generation key transmitted by the authentication system corresponds to a server generation key included in the authentication information.
delete In a digital system,
A user device communication module for performing communication with a predetermined user device for authentication;
A communication module for receiving a server generation key from an authentication system; And
Generating an acknowledgment signal including at least one of device identification information of the user equipment or terminal identification information of the digital system received via the communication and authentication information based on the received server generated key, And a control module for transmitting to the system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The control module includes:
Generates the authentication information including the received server creation key and the device identification information, transmits the confirmation signal including the authentication information to the authentication system,
The authentication procedure includes:
Wherein the medium identification information stored in advance in the authentication system, the medium identification information is information in which the device identification information is stored corresponds to the device identification information included in the authentication information, and the server creation key Determining whether or not the authentication information is identical to a server generation key included in the authentication information.
In a digital system,
A user device communication module for performing communication with a predetermined user device for authentication;
A communication module for receiving a server generation key from an authentication system; And
Generating an acknowledgment signal including at least one of device identification information of the user equipment or terminal identification information of the digital system received via the communication and authentication information based on the received server generated key, And a control module for transmitting to the system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The control module includes:
Generating the medium specific information determined based on at least the device identification information, generating the authentication information determined based on the generated medium specific information and the received server generated key, Transmits an acknowledgment signal to the authentication system,
The authentication procedure includes:
Wherein the medium identification information stored in advance in the authentication system, the medium identification information is information in which the medium specific information determined based on at least the device identification information is stored, and the server generation key transmitted by the authentication system And a step of generating authentication information and determining whether or not the authentication information received from the digital system corresponds to the authentication authentication information.
In a digital system,
A user device communication module for performing communication with a predetermined user device for authentication;
A communication module for receiving a server generation key from an authentication system; And
Generating an acknowledgment signal including at least one of device identification information of the user equipment or terminal identification information of the digital system received via the communication and authentication information based on the received server generated key, And a control module for transmitting to the system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The control module includes:
Determining whether the user equipment is a preset pair corresponding to the digital system, and transmitting the confirmation signal to the authentication system if the user equipment is a predetermined pair, Digital system.
In a digital system,
A user device communication module for performing communication with a predetermined user device for authentication;
A communication module for receiving a server generation key from an authentication system; And
Generating an acknowledgment signal including at least one of device identification information of the user equipment or terminal identification information of the digital system received via the communication and authentication information based on the received server generated key, And a control module for transmitting to the system,
By the authentication system,
An authentication confirmation process is performed in which the authentication information included in the transmitted confirmation signal is authenticated, and if the authentication confirmation process is successful, the authentication information is output from the predetermined data processing device or the digital system to the authentication system or the service system connected to the authentication system Characterized in that the authentication request is successfully processed,
The authentication procedure includes:
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information capable of identifying at least one of the digital system or the user device participating in the communication, And if it corresponds to the transmitted server generated key,
The control module includes:
Generating the authentication information based on the account identification information of the receiving account for authentication of the user at the time of the financial transaction in which the receiving account exists,
By the authentication system,
Wherein the control unit controls the financial transaction to be performed on the receiving account when the authentication information based on the account identification information is authenticated.
In an authentication system,
An authentication unit for generating a server generation key to be transmitted to the digital system and performing an authentication verification procedure for authenticating the authentication information included in the confirmation signal received from the digital system;
When the digital system communicates with a predetermined user device for authenticating the user, the server transmits the server creation key to the digital system, and the authentication information from the digital system, A communication unit for receiving at least one of device identification information of the device or terminal identification information of the digital system and information generated based on the server generation key; And
And a control unit for successively processing the authentication request output from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected to the authentication system,
Wherein,
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information for identifying at least one of the digital system or the user device participating in the communication, and the server Generating key corresponding to the generated key,
The authentication information includes:
A server generation key transmitted to the digital system, the terminal identification information, and the device identification information,
Wherein,
Wherein the medium identification information, which is stored in advance in the authentication system, the medium identification information corresponds to the terminal identification information and the device identification information included in the authentication information, the terminal identification information and the device identification information being stored to correspond to each other, Wherein the authentication system determines whether the server generation key transmitted by the authentication system corresponds to a server generation key included in the authentication information.
delete In an authentication system,
An authentication unit for generating a server generation key to be transmitted to the digital system and performing an authentication verification procedure for authenticating the authentication information included in the confirmation signal received from the digital system;
When the digital system communicates with a predetermined user device for authenticating the user, the server transmits the server creation key to the digital system, and the authentication information from the digital system, A communication unit for receiving at least one of device identification information of the device or terminal identification information of the digital system and information generated based on the server generation key; And
And a control unit for successively processing the authentication request output from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected to the authentication system,
Wherein,
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information for identifying at least one of the digital system or the user device participating in the communication, and the server Generating key corresponding to the generated key,
The authentication information includes:
The server generation key and the device identification information transmitted to the digital system,
Wherein,
Wherein the medium identification information stored in advance in the authentication system, the medium identification information is information in which the device identification information is stored corresponds to the device identification information included in the authentication information, and the server creation key Is identical to the server generation key included in the authentication information.
In an authentication system,
An authentication unit for generating a server generation key to be transmitted to the digital system and performing an authentication verification procedure for authenticating the authentication information included in the confirmation signal received from the digital system;
When the digital system communicates with a predetermined user device for authenticating the user, the server transmits the server creation key to the digital system, and the authentication information from the digital system, A communication unit for receiving at least one of device identification information of the device or terminal identification information of the digital system and information generated based on the server generation key; And
And a control unit for successively processing the authentication request output from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected to the authentication system,
Wherein,
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information for identifying at least one of the digital system or the user device participating in the communication, and the server Generating key corresponding to the generated key,
The authentication information includes:
Wherein the medium identification information determined based on at least the device identification information is generated by the digital system and is determined based on the generated medium identification information and the received server generation key,
Wherein,
Wherein the medium identification information stored in advance in the authentication system, the medium identification information is information in which medium specific information determined based on at least the device identification information is stored and the server generation key transmitted by the authentication system, Generates authentication information,
Wherein the authentication system determines whether the authentication information received from the digital system corresponds to the authentication authentication information.
In an authentication system,
An authentication unit for generating a server generation key to be transmitted to the digital system and performing an authentication verification procedure for authenticating the authentication information included in the confirmation signal received from the digital system;
When the digital system communicates with a predetermined user device for authenticating the user, the server transmits the server creation key to the digital system, and the authentication information from the digital system, A communication unit for receiving at least one of device identification information of the device or terminal identification information of the digital system and information generated based on the server generation key; And
And a control unit for successively processing the authentication request output from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected to the authentication system,
Wherein,
Wherein the authentication information is media identification information previously stored in the authentication system, the medium identification information being information for identifying at least one of the digital system or the user device participating in the communication, and the server Generating key corresponding to the generated key,
The authentication information includes:
The information is generated based on the account identification information of the receiving account at the time of the financial transaction in which the receiving account exists,
Wherein,
Further determining whether the authentication information corresponds to the account identification information to determine whether the authentication information is authenticated,
The authentication system includes:
So that the financial transaction targeting the receiving account is performed when the authentication information based on the account identification information is authenticated.

Images