KR101602640B1 - Mobile payment system and method using mobile communication terminal - Google Patents

Abstract

The present invention relates to a system and method for payment on-line and off-line, and more particularly, to a system and method for payment settlement on a mobile communication terminal that can minimize the exposure of security information using unique identification information of a mobile communication terminal, To a mobile payment system and method using the mobile payment system.

Description

Technical Field [0001] The present invention relates to a mobile payment system and method using a mobile communication terminal,

The present invention relates to a system and method for payment on-line and off-line, and more particularly, to a system and method for paying on-line and off-line payment by using unique identification information of a mobile communication terminal to minimize exposures of security information such as card information, And more particularly, to a mobile payment system and method using a mobile communication terminal.

Due to the rapid development of internet technology based on wired / wireless communication, it has become impossible to think about the world without internet now.

In order to provide various services provided on the Internet, the user must register as a member in a web server provided by a contents provider (CP). Hereinafter, the system including the web server and providing the service is referred to as a "service server unit ". In order to prevent leakage of member information and use of services of third parties entered when registering a member, it is necessary to register an ID and password, or to obtain a public certificate and store it in a storage device.

In addition, e-commerce is being activated online through the advancement of the Internet technology, and various payments such as online transfer and card settlement are carried out online through activation of electronic commerce, and electronic payment by electronic commerce is performed safely Various user authentication schemes are applied. Such user recognition methods are also mainly used in knowledge-based authentication methods such as ID and password, and are subject to a public certificate, a one-time password (OTP), a token, a mobile authentication, and an ARS authentication.

However, in order to increase security, the ID password method recommends that users use different IDs and passwords for each of a large number of service server parts, and users also apply several passwords. However, in the case where an arbitrary service server unit is not frequently used, it is inconvenient to go through cumbersome procedures such as ID / password search because the ID and password can not be memorized. To solve this problem, when using the same ID and password, There is a problem that the damage due to the password may become large, and there is a problem that the ID and the password must be stored in each service server unit, thereby becoming a hacking object.

The user authentication method such as the public certificate and the OTP method has a disadvantage that it is difficult to manage the user authentication because there is a concern that the storage device and the OTP terminal for storing the public certificate are separately stored.

In addition, card settlement through a POS terminal and a payment terminal in a store is generally applied on the off-line, and it is a problem that a third party may steal a credit card because the card user does not determine whether the card is a substantial owner And card information such as a card number and an expiration date can be exposed.

Various payment systems for issuing a mobile card to a mobile communication terminal such as a smart phone and performing payment using the issued mobile card have been developed and applied instead of the credit card.

However, such a mobile card has a problem that complicated issuing procedures and installation procedures are required.

Registration No. 10-0710032

Accordingly, it is an object of the present invention to provide a mobile payment system and method using a mobile communication terminal, which can improve convenience of users while minimizing exposure of security information by using unique identification information of the mobile communication terminal.

According to another aspect of the present invention, there is provided a payment settlement system using a mobile communication terminal, the settlement system comprising: a service subscription information (Ticket) having terminal identification information, service subscriber information identification information, A service server unit for transmitting a payment settlement approval request signal including the payment settlement request signal and receiving a processing result for payment settlement in response thereto; A service registration key is generated and displayed at the time of registration, and the stored service subscription information including the service subscription information (Ticket) included at the time of receiving the payment approval approval request signal is compared and verified, An authentication terminal included in the storage service subscription information, acquiring user authentication information including card information, and transmitting a user authentication response signal including the acquired user authentication information; A registration terminal for obtaining a service registration key and terminal identification information of the authentication terminal displayed on the authentication terminal and transmitting a service registration request signal including the service registration key; When receiving a service registration request signal from the registration terminal, transmits a service subscription information issuance request signal including the terminal identification information included in the service registration request signal and encrypted with the service registration key, A requesting service register; And a subscription information issuing unit that receives the service subscription information issuing request signal from the service registration unit, decrypts the subscription information issuing request signal with the service registration key received from the authentication terminal, transmits a user authentication information issuing request signal to the authentication terminal, The method includes receiving a user registration response signal including user authentication information and authentication terminal identification information from a terminal, generating and storing service registration information based on user registration information and terminal identification information included in the user registration response signal, And transmits the payment approval approval request signal to the authentication terminal upon receipt of the payment approval approval request signal from the service server unit to request the user authentication, When a response signal is received A service settlement unit that verifies the user authentication response signal based on the stored service subscription information, performs payment settlement on the card information of the user authentication information included in the service subscription information, and provides a payment settlement result to the service server unit and the authentication terminal Payment authentication server generates the service authentication key by applying the terminal identification information and the key generation information to the Hash Message Authentication Code (HMAC), and transmits the service authentication key to the payment authentication server The authentication terminal generates the service authentication key by applying the service subscription information including the key generation information stored in advance and the terminal identification information to the hash mac, Decrypting the payment settlement approval request signal received from the payment authentication server .
The authentication terminal receives personal identification information (PIN) from a user upon receipt of the payment approval approval request signal encrypted with the service authentication key, decrypts the service authentication key stored in advance with the personal identification information, And decrypts the payment approval request signal.
The authentication terminal further includes service subscription information and a message verification value in the user authentication response signal, and the payment payment authentication server performs message verification based on the message authentication value and forgery verification of the service subscription information And performs the payment settlement processing upon successful verification and transmits the payment settlement processing result to the service server unit.
Wherein the registration terminal is a general wired telephone, the service registration unit is an automatic response system, and the answering system receives a service registration request signal including the terminal identification information and the service registration key through a voice guidance scenario.
The registration terminal is the authentication terminal, and the service registration unit is a web-based web server or an application-based application server.
The authentication terminal generates and displays a service registration key, and when the service registration unit receives the service registration key displayed on the authentication terminal from the registration terminal of the user, the service registration key includes the service registration key in the user authentication issue request signal The payment authentication server encrypts and transmits a user authentication information issuance request signal with the service registration key and the authentication terminal decrypts and processes the user authentication information issuance request signal received with the stored service registration key .
The authentication terminal generates a service authentication key when decrypting the user authentication information issuance request signal, encrypts the service authentication key, which is generated by receiving a PIN from a user, with the personal identification number, A personal identification information (PIN) from a user upon receipt of the payment approval approval request signal encrypted with the authentication key, decrypts the service authentication key stored in advance with the personal identification information, decrypts the payment approval approval request signal, .
The authentication terminal further includes a message verification value in the user registration response signal, and the payment payment authentication server performs message verification based on the message verification value, generates the service subscription information upon successful verification, And transmits a user registration result (response) to the service registration unit after user registration is completed.

delete

delete

delete

delete

delete

delete

delete

delete

delete

delete

According to another aspect of the present invention, there is provided a payment settlement method using a mobile communication terminal, comprising the steps of: receiving a service subscriber information issuance request signal from a service registration unit, receiving a user registration response signal including terminal identification information from an authentication terminal, A payment settlement service registration process of generating and registering service subscription information including terminal identification information, and transmitting the service subscription information to the authentication terminal so that the authentication terminal stores and registers the service subscription information; A service payment request step of requesting payment payment by transmitting a payment payment approval request signal including terminal identification information of an authentication terminal when a payment payment event for the registered service subscriber occurs; The payment payment server unit sends a payment approval approval request signal to the authentication terminal upon receiving the payment approval approval request signal to request the user authentication; The authentication terminal compares the service subscription information included in the payment settlement approval request signal with the service subscription information stored in advance when receiving the payment settlement approval request signal from the payment settlement authentication server and verifies the service subscription information and obtains the user authentication information upon successful verification A user authentication information providing step of transmitting a user authentication response signal including user authentication information to the payment payment authentication server; And when the payment server unit receives the user authentication response signal, it verifies the user authentication response signal based on service subscription information stored in advance and performs payment settlement by user authentication, and then transmits a payment settlement result to the service server unit and the authentication terminal The payment settlement registration process includes: a service registration key generation step of generating and displaying a service registration key by an authentication terminal; The registration terminal obtains a service registration key displayed on the authentication terminal and transmits a service registration request signal including the service registration key to a service register that transmits the service registration request signal; A service registration request unit for requesting a user registration by encrypting a user authentication issue request signal with the service registration key when the service registration request is generated by receiving a service registration request signal from the registration terminal; When the payment authentication server receives the user authentication issue request signal, decrypts the user authentication information issue request signal with the service registration key received from the authentication terminal and transmits the user authentication information issue request signal to the authentication terminal A registration request step; A user registration response step of acquiring user authentication information upon receipt of a user authentication information issuance request signal to generate user registration information and transmitting a user registration response signal including the user registration information to the payment payment authentication server ; A service subscription information registration step of generating and storing the service subscription information when the payment settlement authentication server receives the user registration response signal and transmitting the service subscription information to the authentication terminal; And a service subscription information storing step of storing, when the service subscription information is received in response to the user registration response signal, the authentication terminal, and the service subscription information storing step, wherein the payment authentication server of the payment payment server A service authentication key generation step of generating a service authentication key upon receiving a signal; An encryption step of encrypting the payment approval approval request signal with the generated service authentication key; And a transmission step of transmitting the encrypted payment approval approval request signal, wherein the providing of the user authentication information comprises: generating a service authentication key for generating the service authentication key according to service subscription information stored in advance in the authentication terminal step; A decryption step of decrypting a payment settlement approval request signal received from the payment settlement authentication server with the service authentication key; A verification step of the authentication terminal comparing the decoded payment approval request signal with the service subscription information stored in advance; A user authentication information generation step of acquiring the user authentication information upon successful verification; And a user authentication response step of generating and transmitting a user authentication response signal including the user authentication information, wherein if the service server unit is a system on-line, the service authentication key includes terminal identification information, service identification information, and server security information (Hash Message Authentication Code: HMAC) to which a Server_Secret is applied.
The user authentication information providing step may include a step of requesting the user terminal to input a user PIN when the authentication terminal receives the payment approval approval request signal and decrypting a previously stored service authentication key encrypted with a user PIN And a decryption success determining step of deciding whether the decryption of the service authentication key is successful or not in the decryption step.
Wherein the authentication result providing step further includes a message verification value in a user authentication response signal in a user authentication response step of providing the user authentication information, and the authentication result providing step includes a step of, when the payment authentication authentication server receives the user authentication response signal, A service subscription information verification step of verifying the user authentication response signal by service subscription information; A message authentication step in which the payment authentication server performs message authentication based on the message verification value when the service subscription information is successfully verified; And providing a payment settlement result to the service server unit and the authentication terminal after processing the payment settlement through the financial settlement unit if the message authentication is successful.
The message verification value is generated by a Hash Message Authentication Code (HMAC) using terminal identification information, a server random value (R_S), and a service authentication key if the service server is a offline payment terminal.
Wherein the payment payment registration step comprises: a user registration confirmation request step of transmitting a user registration confirmation message to the authentication terminal when a service registration request is issued from the service terminal to the registration terminal; A service registration key generation step of generating and displaying a service registration key by the authentication terminal upon receipt of the user registration confirmation message; and a service registration step of determining whether a service registration key displayed on the authentication terminal is inputted from the registration server of the user, And a service registration key input step of, when the service registration key is input, the service server unit transmits the service registration key to the service authentication server by including the service registration key in the user authentication issue request step, Transmits the user authentication information issuance request signal by encrypting the user authentication information issuance request signal with the service registration key in the user registration request step and the authentication terminal decrypts and processes the user authentication information issuance request signal received in the service registration key stored in the user registration response step By feature do.

delete

delete

delete

delete

delete

delete

delete

delete

delete

The user does not have to input the login password or the password of the certificate through the input device such as a keyboard, a touch pad, or the like at the time of performing the user authentication, so that leakage of the user authentication information due to hooking of the input device driver, .

In addition, since the present invention does not require a complicated issuing procedure, the present invention has an effect that a user can easily install and use the apparatus.

In addition, the present invention has an effect that it is unnecessary to install a separate security program such as ActiveX for security.

In addition, the present invention has the effect of improving the security because the disposable random key is generated and encrypted at every payment.

1 is a diagram illustrating a network configuration of a payment payment system using a mobile communication terminal according to the present invention.
FIG. 2 is a conceptual diagram illustrating a configuration of a payment settlement system using a mobile communication terminal according to the present invention.
3 is a diagram illustrating a configuration of a mobile communication terminal of a payment payment system according to the present invention.
4 is a flowchart illustrating a method of registering a payment settlement service for a payment settlement method in a payment settlement system using a mobile communication terminal according to the present invention.
5 is a flowchart illustrating a method of registering a payment settlement service in an authentication terminal of a payment settlement system using a mobile communication terminal according to the present invention.
6 is a flowchart illustrating a payment settlement method of a payment system using a mobile communication terminal according to the present invention.
7 is a flowchart illustrating a payment settlement method in an authentication terminal of a payment payment system using a mobile communication terminal according to the present invention.
8 is a diagram illustrating an authentication key structure applied to hardware security of a payment payment system using a mobile communication terminal according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a configuration and operation of a payment settlement system using a mobile communication terminal according to the present invention will be described with reference to the accompanying drawings, and a payment settlement method based on user authentication in the system will be described.

FIG. 1 is a diagram illustrating a network configuration of a payment settlement system using a mobile communication terminal according to the present invention. FIG. 2 conceptually shows a configuration of a payment settlement system using a mobile communication terminal according to the present invention, FIG. 5 is a diagram illustrating an authentication key structure applied to hardware security of a payment payment system using a mobile communication terminal according to the present invention.

1, 2, and 8, a payment settlement system according to the present invention includes a service terminal unit 100, a payment server unit 200, a service server unit 500, and a financial settlement unit 600 .

The service terminal unit 100 and the payment payment server unit 200 are connected through the wire / wireless data communication network 110 and the public switched telephone network (PSTN) 120 to perform data communication and voice communication. The service terminal unit 100 and the service server unit 500 perform data communication through the wired / wireless data communication network 110 when the service server unit 500 is a system on-line. The payment payment server unit 200 and the service server unit 500 and the payment payment server unit 200 and the financial settlement unit 600 perform data communication through the wired and wireless data communication network 110.

The service terminal unit 100 includes an authentication terminal 10 and a registration terminal 20.

The registration terminal 20 may be a computer terminal 20-1 such as a computer, a notebook computer, a tablet PC, etc., a general wired telephone 20-2 and an authentication terminal 10 or 20-3 as shown in Fig. And connects to the payment payment server unit 200 to perform payment registration service registration using the mobile communication terminal according to the present invention.

The authentication terminal 10 is a mobile communication terminal such as a mobile phone, a smart phone and a smart pad, and is provided with a payment payment service application according to the present invention. The payment payment service application receives and stores service registration information, When a payment event occurs, approve payment by performing authentication of the user according to the service subscription information.

Specifically, the authentication terminal 10 includes a payment settlement service registration module 12 and a payment settlement authentication module 13.
The payment settlement service registration module 12 is activated by driving a payment settlement service application providing an interface means with a user. The payment and payment service registration module 12 performs data communication with the payment server 300 through the application server 330 of the service registration unit 300 or directly.
The payment payment authentication module 13 acquires the card information previously stored or inputted according to the present invention and the terminal identification information of the authentication terminal 10, and when the card information and the terminal identification information are obtained, MAC, or "H"), generates user registration information, receives and verifies the service subscription information, and stores the service subscription information. Then, based on the stored service subscription information, And performs an overall operation related to the payment method using the terminal. The Device Identification (DID) may be an International Mobile Equipment Identity (IMEI) or a Caller Identification (CID). For example, if the service server unit 500 is a system on-line, one or more of the IMEI and the telephone number can be used as the terminal identification information, and the service server unit 500 can use a POS (POS) It is preferable to use the telephone number as the terminal identification information. The generated service authentication key may be configured to be generated by applying the card information and terminal identification information to the HMAC each time the service authentication key is used according to the first embodiment of the present invention as a service authentication key used in future payment authentication, The PIN may be encrypted and stored, and a PIN identical to the PIN used for encrypting the service authentication key may be received and decrypted from the user every time payment is made.

The configuration and operation of the authentication terminal 10 will be described in more detail with reference to FIG.

The wired / wireless data communication network 110 includes a mobile communication network including an Internet network including a WiFi network and a wide area network (WAN), and a Long Term Evolution (LTE) network, which is a 3G network and a 4G network It is a connected network.

When the registration terminal 20 is the computer terminal 20-1 and the authentication terminal 20-3 according to the present invention, the registration terminal 20 connects to the service registration unit 300 through the wired / wireless data communication network 110, And performs data communication according to a Hyper Text Transfer Protocol (HTTP) or a Secure Socket Layer (SSL). When the authentication terminal 10 is a wired ordinary telephone 20-2, (10) performs analog communication with the service registration unit (300) through the general public telephone network (120). The registration terminal 20 is connected to the payment payment authentication server 400 directly or through an application server 330 of a service registration unit 300 to be described later and performs data communication .

The payment payment server unit 200 includes a service registration unit 300 and a payment payment authentication server 400.

The service registration unit 300 registers a service for a user of the service terminal unit 100 upon receipt of a service registration request signal from the registration terminal 20 of an arbitrary service terminal unit 100.

The service registration unit 300 includes at least one of an automatic response system (ARS) 310, a web server 320 and an application server 330 and is connected to a wired / wireless data communication network 110 and a general public telephone network (PSTN) And performs a service registration process of a user of the registration terminal 20 connected to and connected to the registration terminals 20 connected through the communication terminal 120.

Specifically, the automatic answering system 310 is connected to the wired telephone 20-2 of the service terminal unit 100 through the PSTN 120, or to the authentication terminal 20 through the PSTN 120 and the wired / wireless data communication network 110, -3), performs guidance for service registration by voice, and performs a payment settlement service registration process according to the present invention through voice guidance. When the Internet protocol (IP) exchanger is configured in the automatic answering system 310 and the originating registration terminal 20 is the authentication terminal 10, the answering system 310 does not go through the general public telephone network 120 It may be possible to connect the authentication terminal 10 directly to the wired / wireless data communication network 110 to perform a service registration process by voice.

The web server 320 provides the web-based service registration means to at least one of the computer terminal 20-1 as the registration terminal and the authentication terminal 10 as the registration terminal, And performs a payment settlement service registration process. Although the web server 320 is included in the payment server 200 in FIG. 1, the web server 320 may be included in the service server 500 that constitutes various web-based shopping malls described later.

The application server 330 accesses the computer terminal 20-1 of the service terminal unit 100 and the authentication terminal 10 or 20-3 of the mobile communication terminal through the wire / wireless data communication network 110, And performs the payment settlement service registration process through the payment settlement service registration unit of the service application.

The payment payment authentication server 400 receives and stores user registration information for a user requesting service registration through the service registration unit 300, generates and stores service registration information generated by the user registration information, Performs service registration processing, performs authentication of a user registered for a service by the service subscription information for a payment settlement request generated by an arbitrary service server unit (500), and processes payment settlement.

The payment payment authentication server 400 includes a service subscription information DB 410 for storing user registration information and service subscription information for users subscribed to the user authentication service according to the present invention, And a hardware security module (HSM) 420 for controlling the overall operation related to hardware security such as decryption of the hardware security module.

The HSM 420 generates and manages a ticket master key (Ticket_Master_key: TMK) for issuing service subscription information (Ticket) and a user master key (User_Master_Key: UMK) for authenticating a user, And a service authentication key, and stores and distributes the user distribution key to the user through the authentication terminal 10. The TMK is used as a master key for service subscription information generation and verification, and UMK is used as a master key for user authentication information verification. 8, the HSM 420 generates the TMK_S, which is the TMK for each service server by applying the service identification information and the UMK by the HMAC (Hash MAC: or "H"), which is a security standard algorithm, UMK_S, which is a star UMK, is generated.

The service server unit 500 may be an online system or an offline system. When the service server unit 500 is a system on-line, it may be a system that provides an arbitrary web-based service including a web server as described above, or a system that provides an application-based service. And a card payment terminal or a force terminal capable of inputting a telephone number of the authentication terminal 10 when the service server unit 500 is in an offline system.

3 is a diagram illustrating a configuration of an authentication terminal having a local area wireless communication module according to the present invention.

The authentication terminal 10 includes a control unit 11, a storage unit 14, an input unit 15, a display unit 16, and a wireless communication unit 17.

The storage unit 14 includes a program storage area for storing a control program such as the above-mentioned application for controlling the operation according to the present invention, a temporary area for temporarily storing data generated during the execution of the control program, And a data area for storing user data such as service registration information, encrypted service authentication key, user registration information, and service subscription information.

The input unit 15 includes a button input unit having a plurality of buttons capable of supplying power and selecting functions, a key input unit including a plurality of keys capable of inputting various characters, And a touch pad for providing coordinates of the display unit 16, and provides various user interface (UI) to the user.

The wireless communication unit 17 is a communication device capable of performing data communication and voice communication by connecting to a wired / wireless data communication network 110. The wireless communication unit 17 includes a wireless data communication device capable of connecting to a Wi-Fi network and performing data communication, And a mobile communication device that connects to the LTE network and performs data and voice communication.

The control unit 11 includes a payment settlement service registration module 12 and a payment settlement authentication module 13 which are activated by the operation of a payment settlement service application (app) according to the present invention as described with reference to FIG. 2, Controls the overall operation associated with user authentication.

Specifically, the payment settlement service registration module 12 of the control unit 11 controls the overall operation of the payment settlement service. In particular, the payment settlement service registration module 12 generates a service authentication key when a service registration key generation event occurs and a user authentication information issuance request signal is received. The payment authentication service registration module 12 generates a service authentication key using a personal identification number (PIN) The generated service authentication key is encrypted and stored.

Then, the payment payment authentication module 13 controls the overall operation of the identity authentication process for payment settlement. In particular, the payment and payment authentication module 13 decrypts the service authentication key stored in the encrypted and stored PIN according to the PIN input from the user during the authentication of the payment, and performs the authentication process using the decrypted service authentication key. At this time, if an incorrect PIN is input, the service authentication key will not be decrypted, and thus an authentication error and authentication failure will be notified.

4 is a flowchart illustrating a method of registering a payment settlement service for payment in a payment settlement system using a mobile communication terminal according to the present invention. Hereinafter, a method of registering a payment settlement service for performing a payment settlement method using the mobile communication terminal of the present invention will be described with reference to FIG.

First, in order to register the payment service using the mobile communication terminal according to the present invention, a user has to install a payment payment service application in the authentication terminal 10. The payment settlement application includes payment settlement service registration means and payment settlement means by self-certification. When the payment settlement service application is installed, the authentication terminal 10 generates and stores a service registration key through the payment settlement service registration means of the payment settlement service application (S111). The service registration key is a disposable secret key that is shared offline when subscribing for the service for the first time.

When the service registration key is generated, the registration terminal 20 obtains the terminal identification information of the authentication terminal 10 and the service registration key displayed on the authentication terminal 10 by the user (S113). The terminal identification information may be at least one of an International Mobile Equipment Identity (IMEI) and a Caller IDentification (CID) as a device IDentification (DID) of the authentication terminal 10, It may be desirable to apply the telephone number so that the user can easily use the system if the system 500 is an offline system.

When the terminal identification information and the service registration key are obtained, the registration terminal 20 provides a service registration request signal including the terminal identification information and the service registration key to the service registration unit 300 (S115).

The method of acquiring and transmitting the terminal identification information and the service registration key includes the type of the registration terminal 20 (general wired telephone, computer terminal, authentication terminal, etc.) and the type of service registration unit 300 (ARS system, Server, etc.). For example, if the registration terminal 20 is a general wired telephone and the service registration unit 300 is an automatic response system, the terminal identification information and the service registration key are transmitted as a DTMF signal by pressing a dial button of a general wired telephone It will be recognized by the analysis of the DTMF signal in the answering system.

Upon receiving the service registration request signal, the service registration unit 300 transmits a service subscription information issuance request signal including the terminal identification information and the service registration key to the payment authentication server 400 (S117). The service registration unit 300 may be configured in the service server unit 500. In this case, a service provider identification information (Service Provider IDentification: Spid) providing a service server unit 500, a user ID (UID) May be further included.

The payment payment authentication server 400 then transmits the service identification information including the terminal identification information included in the received service subscriber information issuing request signal, the random number generated by the user including the server random value (Random Server: R_S) and the key generation information (Server_Secret) Generates an authentication information issuance request signal, encrypts the user authentication information issuance request signal with the service registration key included in the user authentication issuance request signal, and provides it to the authentication terminal 10 (S119).

The service subscriber information issuance request signal may also be encrypted with the service registration key and transmitted to the payment and payment authentication server 400. However, in this case, the payment payment authentication server 400 must know the service registration key for releasing the encryption, so it must receive and receive the service registration key from the authentication terminal 10.

When the user authentication information issuance request signal is received, the authentication terminal 10 cancels the encryption of the user authentication information issuance request signal with the service registration key generated in S111, and then transmits the service information such as the terminal identification information, the server random value, The registration information is extracted (S121).

When the terminal identification information, the server random value, and the key generation information are extracted, the authentication terminal 10 acquires user authentication information (S123). The user authentication information may be card information, a password, and user identification information. The authentication terminal 10 may directly receive the user authentication information from the user or may load and store the user authentication information stored in the storage unit 14 of the authentication terminal 10 in advance.

When the user authentication information and the service registration information are obtained, the authentication terminal 10 generates the terminal identification information (terminal identifier: DID) and the key generation information (DID) included in the user authentication information issuance request signal as shown in FIG. (Server_Secret) to the HMAC to generate a service authentication key (S125).

[Equation 1]

User_Secret (service authentication key) = HMAC (terminal identification information, Server_Secret)

When the service authentication key is generated, the authentication terminal 10 stores the user registration information including the user authentication information and the service registration information (S127), and then transmits the user registration response signal including the server random value (Random Server: R_S) And transmits the user registration response signal together with the terminal identification information to the payment authentication server 400 (S129). That is, the terminal identification information is not encrypted. The user registration response signal may further include a message verification value, and the message verification value is obtained by the following equation (2) as the MAC value of the user authentication information generated using the service authentication key.

&Quot; (2) "

ResSign =

HMAC (| IMEI or CID | R_C | R_S, User_secret (service authentication key))

If the service server unit 500 is an online system, the service registration unit 300 is configured in the service server unit 500, and the off-line payment terminal has service identification information (Spid), the message authentication value is (3) < / RTI >

&Quot; (3) "

ResSign =

HMAC (| IMEI or CID | UID | Spid | R_C | R_S, User_secret

If the off-line payment terminal constitutes the service server unit 500 and has service identification information (Spid), the user enters or selects the service identification information through the registration terminal 20 in the payment payment service registration process Or to give the same service identification information to all offline payment terminals.

Upon receiving the user registration response signal, the payment payment authentication server 400 generates a service authentication key by using the terminal identification information and the Server_Secret (S131), decrypts the encrypted user registration response signal, (S133). If the verification is successful, a service ticket is generated (S135) and transmitted to the authentication terminal 10 (S137). The service subscription information includes a ticket body (Ticket_body) and MAC (MAC) information.

The ticket body includes a service subscription information identifier (TicketID), a CID (or IMEI), and a service validity period.

The Mac (MAC) is obtained by the following equation (4).

&Quot; (4) "

TMK_S = HMAC (TicketId, TMK)

MAC = HMAC (Ticket_body, TMK_S)

Here, TMK_S means TMK for each service subscriber.

Upon receiving the service subscription information, the authentication terminal 10 stores the verification subscription information in the storage unit 14 and completes registration (S141).

On the other hand, the payment payment authentication server 400 transmits service registration information to the authentication terminal 10, and then transmits a service registration response signal to the service registration unit 300 to notify that registration of the service is completed (S139). The service registration unit 300 receives the service registration response signal and provides the service registration response signal to the registration terminal 20 to notify the user that the service registration is completed (S143).

5 is a flowchart illustrating a method of registering a payment settlement service in an authentication terminal of a payment settlement system using a mobile communication terminal according to the present invention. Hereinafter, a method of registering a payment settlement service in an authentication terminal will be described in detail with reference to FIG.

The control unit 11 of the authentication terminal 10 checks whether a service registration key generation event is generated (S211). The service registration key generation event is generated at the time of installation or completion of the payment payment service application, at the time of requesting service registration through the payment payment service registration means of the payment payment service application, May be generated when a user registration request is issued from the payment and payment authentication server 400 by a registration request for the user. The user registration request may include a mobile communication message such as a Short Message Service (SMS), a Long Message Service (LMS), and a Multimedia Message Service (MMS) .

When the service registration key generation event is generated, the controller 11 drives the payment settlement service registration module 12 (S213).

The driven payment settlement service registration module 12 displays the service registration key generated in the display unit 16 that generated the service registration key (S215) on the display unit 16 (S217).

After displaying the service registration key, the payment settlement service registration module 12 checks whether a user authentication information issuance request signal is received from the payment payment authentication server 400 (S219) .

When the user authentication information issuance request signal is received, the payment payment authentication module 13 decrypts the received user authentication information issuance request signal with the service registration key stored in the storage unit 14 and stores it in step S221. After the decryption, the service registration key is disposable, so it will be deleted or processed so as not to be used any more.

After decoding the user authentication information issuance request signal, the payment payment authentication module 13 checks whether user authentication information is obtained (S223). The user authentication information may be input by the user through the input unit 15 or may be acquired by loading when the user authentication information is stored in advance in the storage unit 14. [

When the user authentication information is obtained, the payment payment authentication module 13 requests input of the user PIN (S225).

In step S227, it is determined whether the user inputs a PIN through the input unit 15 according to the PIN input request. If the PIN is input, the service authentication key is generated according to Equation 1 (S229) And stores the encrypted PIN (S231).

When the service authentication key is encrypted and stored, the payment and payment authentication module 13 generates service registration information including the service authentication key and stores it in the storage unit 14 (S235).

When the user registration response signal is generated, the payment payment authentication module 13 encrypts the user registration response signal with the service authorization key (S237) and transmits it to the payment payment authentication server 400 (S239).

After the transmission of the user response signal, the payment payment authentication module 13 checks whether the service subscription information is received from the payment payment authentication server 400 (S241). When the service subscription information is received, the service subscription information is verified and stored (S243) and completes the user registration.

6 is a flowchart illustrating a payment settlement method of a payment system using a mobile communication terminal according to the present invention.

Referring to FIG. 6, the service server unit 500 checks whether a payment settlement event is generated (S311). The payment settlement event may be generated when a payment request is made by inputting the terminal identification information (CID) of the authentication terminal 10 if the service server unit 500 is a payment terminal such as a POS and a card payment terminal on the off-line will be.

When the payment payment event occurs, the service server unit 500 transmits a payment payment approval request signal including the terminal identification information to the payment payment authentication server 400 (S313). If the service server unit 500 is a system on-line, the payment approval approval request signal may further include service identification information (Spid) and user identification information (UID) of the service server unit 500. However, in the former case, the payment terminal may have the service identification information, and in this case, the service identification information (Spid) may be transmitted together.

Upon receipt of the payment approval approval request signal, the payment payment authentication server 400 loads the service authentication key corresponding to the terminal identification information (CID) with reference to the service subscription information DB 410 and transmits its own server random value (R_S) Generates a payment settlement approval request signal including the terminal identification information (CID) and the server random value R_S, encrypts the generated payment settlement approval request signal with the service authentication key, and transmits it to the authentication terminal 10 S315).

Upon receiving the payment approval approval request signal, the authentication terminal 10 loads the service subscription information (Service Ticket) and verifies the terminal identification information and the period of the service subscription information (S317). When the service server unit 500 is a system on-line, it loads the service ticket corresponding to the service identification information, and transmits the service identification information (UID), the terminal identification information (DID) And so on.

If the verification is successful, the authentication terminal 10 acquires the user authentication information (S319) and transmits the acquired service subscription information, the server random value R_S, and the client random value (R_C) message verification value ResSign Generates an authentication response signal (S321), encrypts it with the service authentication key, and transmits it to the payment authentication server 400 (S323).

Upon receipt of the user authentication response signal, the payment authentication server 400 verifies the decrypted user authentication response signal (S325), decrypts the decrypted user authentication response signal with the service authentication key, And performs information verification (S327).

The verification and payment authentication server 400 performs message verification based on the message verification value after verifying the service subscription information (S329).

If the verification is successful, the signal verification, the service subscription information verification, and the message verification value, the payment payment authentication server 400 transmits the user authentication path to the service server unit 331 (S331) 600) by the card information included in the user authentication information (S333).

The payment payment authentication server 400 transmits the payment result to the service server unit 500 and the authentication terminal 10 (S335, S337).

7 is a flowchart illustrating a payment settlement method in an authentication terminal of a payment payment system using a mobile communication terminal according to the present invention.

Referring to FIG. 7, the control unit 11 of the authentication terminal 10 checks whether a payment approval approval request signal is received (S411). The payment approval approval request signal may be received in the form of a push message.

When the payment approval approval request signal is received and the user touches the payment approval approval request signal, the controller 11 drives the payment payment service registration module 12 (S413).

The activated payment settlement service registration module 12 displays the user PIN input means on the display unit 16 to request input of the user PIN (S415), and checks whether the user PIN is inputted through the user PIN input means (S417).

When the user PIN is input, the payment settlement service registration module 12 provides the payment settlement authentication module 13 with the payment authentication module 13, It decrypts with the authentication key (S419).

After attempting to decrypt the service authentication key, the payment and payment authentication module 13 determines whether the decryption has succeeded (S421), decrypts and stores the payment approval approval request signal with the decrypted service authentication key S422).

After decryption of the payment settlement request signal, the payment payment authentication module 13 receives the user authentication information through the input unit 15 or loads and stores the user authentication information stored in advance in the storage unit 14 (S423 ).

When the user authentication information is obtained, the payment payment authentication module 13 generates a user authentication response signal, encrypts the user authentication response signal with the service authentication key (S425), and transmits it to the payment authentication server 400 (S427).

While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. It will be easily understood. It is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, it is intended to cover various modifications within the scope of the appended claims.

10: authentication terminal 11:
12: Payment payment service registration module 13: Payment payment authentication module
14: storage unit 15: input unit
16: Display section 17: Wireless communication section
20: registration terminal 100: service terminal unit
110: wired / wireless data communication network 120: general public telephone network
200: Payment settlement service part 300: Service registration part
310: Automatic Answering System (ARS) 320: Web server
330: Application server
400: Payment payment authentication server 410: Service subscription information DB
420 hardware security module 500 service server
600: Financial settlement department

Claims (20)

Upon receipt of a payment payment event, a payment settlement approval request signal including terminal identification information, service subscriber information identification information, and service subscription information (Ticket) having a service validity period is transmitted, and in response thereto, A receiving service server unit;
A service registration key is generated and displayed at the time of registration, and the stored service subscription information including the service subscription information (Ticket) included at the time of receiving the payment approval approval request signal is compared and verified, An authentication terminal included in the storage service subscription information, acquiring user authentication information including card information, and transmitting a user authentication response signal including the acquired user authentication information;
A registration terminal for obtaining a service registration key and terminal identification information of the authentication terminal displayed on the authentication terminal and transmitting a service registration request signal including the service registration key;
When receiving a service registration request signal from the registration terminal, transmits a service subscription information issuance request signal including the terminal identification information included in the service registration request signal and encrypted with the service registration key, A requesting service register; And
Upon receipt of the service subscription information issue request signal from the service registration unit, the subscription information issuance request signal is decrypted with the service registration key received from the authentication terminal, and a user authentication information issuance request signal is transmitted to the authentication terminal. And generates and stores service subscription information based on the user registration information and the terminal identification information included in the user registration response signal, And transmits the payment approval approval request signal to the authentication terminal upon receipt of the payment approval approval request signal from the service server unit to request the user authentication, When a signal is received, A payment settlement unit that verifies the user authentication response signal by the stored service subscription information, performs payment settlement for the card information of the user authentication information included in the service subscription information, and provides a payment settlement result to the service server unit and the authentication terminal Authentication server,
The payment payment authentication server generates the service authentication key by applying the terminal identification information and the key generation information to the hash mac, encrypts the payment approval approval request signal with the generated service authentication key,
The authentication terminal generates the service authentication key by applying the service subscription information including the key generation information stored in advance and the terminal identification information to the hash macro and transmits the service authentication key to the payment authentication server And decrypts the approval request signal.
delete delete The method according to claim 1,
The authentication terminal includes:
Upon receipt of the payment approval approval request signal encrypted with the service authentication key, the personal identification information (PIN) is input from the user, and the PIN is encrypted with the personal identification information to decrypt the service authentication key stored in advance, And decrypts the decrypted mobile communication terminal.
The method according to claim 1,
Wherein the authentication terminal further includes service subscription information and a message verification value in the user authentication response signal,
The payment payment authentication server performs forgery verification on the service subscription information and message verification based on the message verification value and then performs the payment payment processing upon successful verification and transmits the payment payment processing result to the service server unit Wherein the mobile communication terminal comprises:
delete The method according to claim 1,
The registration terminal is a general wired telephone,
The service registration unit is an automatic response system,
Wherein the automatic response system receives the service registration request signal including the terminal identification information and the service registration key through the voice guidance scenario.
The method according to claim 1,
Wherein the registration terminal is the authentication terminal,
Wherein the service registration unit is a web-based web server or an application-based application server.
The method according to claim 1,
The authentication terminal generates a service registration key, displays and stores the service registration key,
Wherein the service registration unit includes the service registration key in the user authentication issue request signal when the service registration key displayed on the authentication terminal is input from the registration terminal of the user,
The payment and payment authentication server encrypts and transmits a user authentication information issuance request signal with the service registration key,
Wherein the authentication terminal decrypts and processes the user authentication information issuance request signal received in the stored service registration key.
10. The method of claim 9,
Wherein the authentication terminal generates a service authentication key when decrypting the user authentication information issuance request signal, encrypts the service authentication key generated by receiving a PIN from the user with the personal identification number,
Upon receipt of the payment approval approval request signal encrypted with the service authentication key, the personal identification information (PIN) is input from the user, and the PIN is encrypted with the personal identification information to decrypt the service authentication key stored in advance, And decrypts the decrypted mobile communication terminal.
The method according to claim 1,
Wherein the authentication terminal further includes a message verification value in the user registration response signal,
The payment and payment authentication server performs message verification according to the message verification value, and generates the service subscription information upon successful verification and transmits the service subscription information to the authentication terminal. After completing the user registration, To the mobile communication terminal.
Upon receipt of a service subscriber information issue request signal from the service registration unit, receives a user registration response signal including terminal identification information from an authentication terminal, generates and registers service subscription information including the terminal identification information, A payment settlement service registration step of storing the information and registering the information to the authentication terminal;
A service payment request step of requesting payment payment by transmitting a payment payment approval request signal including terminal identification information of an authentication terminal when a payment payment event for the registered service subscriber occurs;
The payment payment server unit sends a payment approval approval request signal to the authentication terminal upon receiving the payment approval approval request signal to request the user authentication;
The authentication terminal compares the service subscription information included in the payment settlement approval request signal with the service subscription information stored in advance when receiving the payment settlement approval request signal from the payment settlement authentication server and verifies the service subscription information and obtains the user authentication information upon successful verification A user authentication information providing step of transmitting a user authentication response signal including user authentication information to the payment payment authentication server; And
When the payment server unit receives the user authentication response signal, verifies the user authentication response signal with the service subscription information stored in advance, performs payment settlement by user authentication, and then transmits a payment settlement result to the service server unit and the authentication terminal And a payment settlement providing process,
The payment settlement service registration process includes:
A service registration key generation step of generating and displaying a service registration key by the authentication terminal;
The registration terminal obtains a service registration key displayed on the authentication terminal and transmits a service registration request signal including the service registration key to a service register that transmits the service registration request signal;
A service registration request unit for requesting a user registration by encrypting a user authentication issue request signal with the service registration key when the service registration request is generated by receiving a service registration request signal from the registration terminal;
When the payment authentication server receives the user authentication issue request signal, decrypts the user authentication information issue request signal with the service registration key received from the authentication terminal and transmits the user authentication information issue request signal to the authentication terminal Request step;
A user registration response step of acquiring user authentication information upon receipt of a user authentication information issuance request signal to generate user registration information and transmitting a user registration response signal including the user registration information to the payment payment authentication server ;
A service subscription information registration step of generating and storing the service subscription information when the payment settlement authentication server receives the user registration response signal and transmitting the service subscription information to the authentication terminal; And
And a service subscription information storing step of storing, when the authentication subscriber terminal receives service subscription information in response to the user registration response signal,
The user authentication request process includes:
A service authentication key generation step of generating a service authentication key upon receipt of a payment payment approval request signal by the payment payment authentication server of the payment payment server;
An encryption step of encrypting the payment approval approval request signal with the generated service authentication key; And
And a transmission step of transmitting the encrypted payment approval request signal,
The user authentication information providing process includes:
A service authentication key generation step of generating the service authentication key by the service subscription information stored in advance in the authentication terminal;
A decryption step of decrypting a payment settlement approval request signal received from the payment settlement authentication server with the service authentication key;
A verification step of the authentication terminal comparing the decoded payment approval request signal with the service subscription information stored in advance;
A user authentication information generation step of acquiring the user authentication information upon successful verification; And
And a user authentication response step of generating and transmitting a user authentication response signal including the user authentication information,
The service authentication key includes:
If the service server is a system on-line, generating a hash macro (HMAC) using terminal identification information and key generation information (Server_Secret).
delete delete 13. The method of claim 12,
The user authentication information providing process includes:
Further comprising a decoding step of requesting input of a user PIN when the authentication terminal receives the payment approval approval request signal and attempting to decode a service authentication key that is encrypted with a user PIN when inputting a user PIN ,
And a decryption success determining step of deciding whether decryption of the service authentication key is successful in the decryption step.
13. The method of claim 12,
The method further comprises transmitting a message authentication value to the user authentication response signal in the user authentication response step of the user authentication information providing process,
The authentication information providing process includes:
A service subscription information verification step of verifying the user authentication response signal by the stored service subscription information when the payment authentication server receives the user authentication response signal;
A message authentication step in which the payment authentication server performs message authentication based on the message verification value when the service subscription information is successfully verified; And
And a payment settlement result providing step of providing a payment settlement result to the service server unit and the authentication terminal after processing payment settlement through the financial settlement unit if the message authentication is successful. .
17. The method of claim 16,
Wherein the message verification value comprises:
Wherein the service server is generated by a hash macro (HMAC) using terminal identification information, a server random value (R_S), and a service authentication key if the service server is a offline payment terminal. Way.
delete delete 13. The method of claim 12,
The payment settlement service registration process includes:
A user registration confirmation request step of transmitting a user registration confirmation message to the authentication terminal when a service registration request is issued from the service server unit registration terminal;
Generating a service registration key for generating and displaying a service registration key by an authentication terminal upon receiving the user registration confirmation message;
Further comprising a service registration key input determination step of determining, by the service server, whether a service registration key displayed on the authentication terminal is input from the registration terminal of the user,
When the service registration key is input, the service server transmits the service registration key in the user authentication issue request signal in the user authentication issue request step,
The payment and payment authentication server encrypts and transmits a user authentication information issuance request signal with the service registration key in a user registration request step,
Wherein the authentication terminal decrypts and processes the user authentication information issuance request signal received in the service registration key stored in the user registration response step.

Images