KR101603684B1 - Method for authentication using user apparatus, digital system, user apparatus, and authentication system thereof - Google Patents

Abstract

A personal authentication using a user device, a digital system therefor, a user device, and an authentication system are disclosed. The method for authenticating a user using the user device includes the steps of: a digital system communicating with a predetermined user device for authenticating the user; receiving, via the communication, device authentication information generated by the digital device by the user device; Transmitting an acknowledgment signal including authentication information to an authentication system, and performing an authentication check procedure in which the transmitted acknowledgment signal is authenticated by the authentication system, The authentication request outputted from the processing device or the digital system to the authentication system or the service system connected to the authentication system is processed successively and the device authentication information is generated by the authentication system and transmitted to the user device through the digital system Based on the generated server creation key It characterized in that it comprises a device-time information generated by the user equipment group.

Description

TECHNICAL FIELD [0001] The present invention relates to a user authentication method using a user device, a digital system for the same, and an authentication system using the same,

The present invention relates to a user authentication method using a user device, a digital system and an authentication system therefor, and more particularly to a digital authentication system and a user authentication method using a user who wants to use various services (for example, financial transactions such as login, Authentication method and system using the user device and the digital system (for example, a mobile terminal) when the user authentication (also referred to as user authentication) must be performed.

In particular, the server generates a server generation key, and authenticates a device (e.g., a digital system or a data processing apparatus) requesting authentication using the one-time information generated by the digital system or the user apparatus based on the generated server generation key And more particularly, to an authentication method having excellent security and a system therefor.

Conventional technology related to identity authentication has traditionally used identity and password authentication. However, such a conventional authentication method has a problem that it is difficult to perform a normal authentication function when an ID and a password are leaked. To complement this, various authentication schemes have appeared.

For example, there are authentication of the mobile phone itself, authentication by a user using an authorized certificate, authentication using an OTP, authentication of an i-PIN (Internet Personal Identification Number), or authentication using a credit card.

Authorized certificate authentication is an authentication protocol with a relatively high security level, but it is not easy to carry the authorized certificate stably and there are disadvantages such as complicated authentication process. In addition, the public certificate has also recently been leaked in large quantities, thus posing a problem of safety.

The i-PIN is a method of authenticating the user by using a virtual identification number used on the Internet. The user must know a new identification number in advance, and it is difficult to perform a normal authentication function once an exposure is performed as in an ID password method There are constraints.

In addition, the authentication of the mobile phone itself is problematic in that it is susceptible to smsing and the like by a method of authenticating occupation of the mobile phone by using the authentication number.

Also, since all of these conventional technologies are a method of inputting a password (certificate password, I-PIN password) or an authentication number, if a password or an authentication number is exposed to another person, the authentication of the user is inevitable. There is a high risk of exposure to hacking.

In addition, in the case of authentication using the OTP, the user can authenticate only when the user has the OTP client (OTP token). Also, the user is required to generate the OTP through the OTP client, There is a presence.

Accordingly, a technical idea that can provide a highly secure personal authentication protocol while maintaining convenience compared with conventional authentication technologies is required along with a payment protocol.

In addition, online crime becomes more intelligent and frequent as online financial transactions become more active, so the need for 2-channel authentication is increasing. Technological thinking is required to enable users to easily perform authentication while enabling 2-channel authentication.

In this case, the authentication request and the authentication action to be performed by a legitimate user can be separated so that the authentication request and the authentication request are authenticated, so that the information necessary for authentication can be easily exposed to the other person. A technical idea that allows the use of the service without requiring the service is required.

In order to use conventional one-time information (e.g., OTP), a client (e.g., OTP token) and an authentication side (e.g., OTP authentication server) , And time information). Especially, in order to generate one-time information through the time synchronization method which is widely used recently, time synchronization between the client and the authentication side is very important. In order to synchronize the time, the client side must be able to confirm the time. However, according to the technical idea of the present invention, the user device (e.g., a smart card or the like) may not have a timer. Even if a timer is provided in a user device or a digital system, it may be difficult to substantially synchronize the time with the timer of the user device and the authentication side (e.g., authentication system).

Korean Patent Application Publication No. 10-2013-0029983 "Method, apparatus and recording medium for authentication processing using local area communication"

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a digital system and a user device which are highly likely to be carried by a user. In addition, the present invention provides a two-channel personal authentication, a long-term personal authentication, or a technical idea enabling a third party to easily perform a personal authentication for allowing a legitimate user to provide a service.

In addition, since authentication can be performed using one-time information (e.g., OTP), it is necessary to have a separate one-time information generating device (e.g., OTP client) for generating one-time information It is to provide a technical idea that can carry out the simple and secure self-certification without.

In addition, the generation of the one-time information can be performed through a digital system or a user device (e.g., a smart card or the like) carried by the user, so that the risk that authentication due to illegal copying of the digital system or the user device can be performed And to provide technological ideas that can be significantly lowered.

In addition, the digital system transmits an acknowledgment signal including the one-time information only when the digital system communicates with the user equipment, thereby providing a higher level of security.

Also, even when the payment card is used for authentication of the user, the settlement financial information (for example, the card number, the expiration date, the CVC, etc.) may not be circulated on the network and even if the outflow of information occurs due to an attack, It is to provide a technical idea about the authentication method which can provide high security by reducing the risk of leakage of financial information.

In addition, it does not require a process of providing the user with the one-time information while inputting the one-time information, thereby providing the user with the technical idea of authentication of the user, which is robust against attacks through key logging .

Further, by allowing a digital system or a user apparatus to generate authentication information including one-time information using a server generation key (e.g., a random number, a time value, or the like) generated on the authentication side And to provide a highly secure authentication method. It is possible to use the server generation key even when the authentication information is generated by a user apparatus that can not directly communicate with the authentication side.

When the user equipment generates authentication information, the user equipment uses the server generation key received from the server, the identification information of the digital system received from the digital system or the terminal one-time information generated by the digital system, So as to provide a technical idea to authenticate the digital device as well as the user device at once by using the authentication information generated by the user device.

The present invention also provides a technical idea that allows a digital system and / or a user device to be used for an authentication operation to be predetermined and perform authentication of the user only through the digital system and / or the user device.

In addition, a digital system to be used for the authentication operation and a user apparatus that is paired with the digital system are set in advance, and authentication is successful only when communication (for example, contact or non-contact type) So as to provide a technical idea capable of providing a synergistic effect of remarkable security.

According to an aspect of the present invention, there is provided a method for authenticating a user using a user device, comprising: performing communication with a predetermined user device for authenticating the digital system; And transmitting an acknowledgment signal including the device authentication information to the authentication system, and performing an authentication check procedure in which the transmitted acknowledgment signal is authenticated by the authentication system, The authentication request outputted from the predetermined data processing device or the digital system to the authentication system or the service system connected with the authentication system is successively processed, and the device authentication information is generated by the authentication system and transmitted to the digital system The user's device And device one-time information generated by the user device based on the key generation key.

Wherein the device one-time information is based on the first device one-time information generated by the user device based on the server generation key or the server generation key and the terminal identification information of the digital system transmitted to the user device via the communication And the device authentication information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

Wherein the authentication method using the user device includes a step of transmitting the authentication request information output by the authentication system that has received the authentication request including identification information of the digital system output from the data processing device to the data processing apparatus or the digital system Wherein when the authentication action request information is displayed, the digital system can perform the communication with the user device.

The method for authenticating a user using the user device further includes receiving, by the digital system, authentication action request information output from the data processing apparatus that receives the identification information of the digital system. When the authentication action request information is received The digital system may perform the communication with the user equipment.

In addition, the authentication system generates server one-time information corresponding to the device one-time information, the server one-time information is information generated based on the server generation key, and generates the server one- Characterized in that the authentication confirmation procedure is successful if it corresponds to the apparatus one-time information included in the information, or if the decryption result corresponds to the server generation key, the authentication confirmation procedure may be successful .

Wherein when the device authentication information further includes terminal identification information of the digital system or terminal one-time information generated by the digital system, the terminal identification information of the digital system is further authenticated by the authentication system, Is authenticated, the authentication procedure is successful.

Wherein the authentication method using the user device further includes receiving the device identification information of the user device by the digital system through the communication, wherein the step of transmitting the confirmation signal to the authentication system comprises: And transmitting the device identification information to the authentication system by further including the device identification information in the confirmation signal, wherein the device identification information is authenticated by the authentication system.

The user device is a payment IC card and the device identification information included in the confirmation signal is identification information of the user device irrespective of the payment financial information of the payment IC card.

Wherein the step of transmitting the acknowledgment signal to the authentication system further comprises the step of the digital system further including the terminal identification information of the digital system in the acknowledgment signal and the terminal identification information is further authenticated by the authentication system And the authentication confirmation procedure is successful.

The user authentication method using the user device further includes a step of determining whether the digital system is a preconfigured pair so that the user equipment corresponds to the digital system and if the determination result indicates that the user equipment is a preset pair, To the authentication system.

The digital system transmits the device authentication information to the authentication system without displaying the device authentication information in the confirmation signal.

Wherein the digital system or the authentication system requests the user of the digital system for user authentication information corresponding to the user apparatus, Or the data processing apparatus transmits to the authentication system, and the authentication confirmation procedure is successful only when the user authentication information is further authenticated by the authentication system.

The digital system does not include the settlement financial information of the user apparatus and the user apparatus as the settlement IC card in the confirmation signal.

According to another aspect of the present invention, there is provided a method of authenticating a user using a user device, the method comprising: transmitting an authentication key from the authentication server to a digital system; when the digital system communicates with a predetermined user device, Receiving an authentication signal from the authentication device, the authentication signal including device authentication information generated by the user device, the authentication system performing an authentication procedure for authenticating the device authentication information based on the received confirmation signal And when the authentication confirmation procedure in which the device authentication information is authenticated is successful, the authentication system transmits the authentication request output from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected with the authentication system, Characterized in that the device Through viewing the presentation communication on the basis of the user equipment with the server generates a key from the digital transmission system comprises a device-time information generated by the user device.

Wherein the device one-time information is based on the first device one-time information generated by the user device based on the server generation key or the server generation key and the terminal identification information of the digital system transmitted to the user device via the communication And the device authentication information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

Wherein the authentication method using the user device includes the steps of the authentication system receiving the authentication request including the identification information of the digital system from the data processing apparatus and the authentication system transmitting the digital system or the data processing And transmitting the authentication action request information to the device, wherein, after transmitting the authentication action request information, the authentication system performs the authentication process before the confirmation signal is received from the digital system .

Wherein the step of performing an authentication check procedure for authenticating the device authentication information based on the acknowledgment signal received by the authentication system comprises: receiving server one-time information corresponding to the device one-time information, Generating information on the basis of the generation key and determining whether the generated server one-time information corresponds to device one-time information included in the received device authentication information, or the authentication system decrypts and decrypts the device one- And determining whether the result corresponds to the server generation key.

Wherein when the device authentication information further includes terminal identification information of the digital system or terminal one-time information generated by the digital system, the authentication system checks the authentication information for authenticating the device authentication information based on the received confirmation signal The step of performing the procedure may further include the step of the terminal device identification information of the digital system or the authentication system authenticating the terminal device information.

Wherein the authentication method using the user device further comprises a step of authenticating whether or not the digital system in which the authentication system has transmitted the confirmation signal determines whether the digital system and the user apparatus are paired in advance to be mutually associated, It can be determined that the authentication check procedure is successful.

According to an aspect of the present invention, there is provided a method for authenticating a user using a user device, including: performing a communication with a digital system by a user device to authenticate the user; generating the device authentication information by the user device; Transmitting an authentication signal to the digital system; transmitting an acknowledgment signal including the transmitted device authentication information to the authentication system by the digital system; and transmitting the acknowledgment signal to an authentication system Wherein the authentication request is successful, the authentication request outputted from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected with the authentication system is successively processed, Information is generated by the authentication system It is characterized in that on the basis of the user device the generated server key delivery device to include a one-time information generated by the user device via the digital system.

Wherein the generating of the device authentication information by the user device comprises generating the first device one-time information based on the server generation key, or the user device receiving from the digital system through the server creation key and the communication And generating second device one-time information based on one terminal identification information to generate the device authentication information, wherein the user device is a device authentication device that includes the first device one-time information or the second device one- The information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

The user authentication method using the user device may be stored in a computer-readable recording medium on which the program is recorded.

According to another aspect of the present invention, there is provided a digital system comprising: a user equipment communication module for performing communication with a user equipment for authenticating a user of an authentication request; Wherein the authentication signal includes a device authentication information generated by the user device to the authentication system, wherein the device authentication information included in the confirmation signal is authenticated by the authentication system The authentication request output from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected with the authentication system is successively processed, and the device authentication information is generated by the authentication system Lt; RTI ID = 0.0 > Based on the server generates a key delivery device characterized in that it comprises a device-time information generated by the user device.

Wherein the device one-time information is based on the first device one-time information generated by the user device based on the server generation key or the server generation key and the terminal identification information of the digital system transmitted to the user device via the communication And the device authentication information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

The digital system may further include a terminal one-time information generation module for generating the terminal one-time information.

According to another aspect of the present invention, there is provided an authentication system, comprising: a confirmation signal output by the digital system when the digital system communicates with a predetermined user device, the confirmation signal including device authentication information generated by the user device, An authentication unit configured to generate a predetermined server generation key and to perform an authentication verification procedure for authenticating the device authentication information included in the received confirmation signal; And a control unit for successively processing the authentication request output from the predetermined data processing apparatus or the digital system to the authentication system or the service system connected to the authentication system if the procedure is successful, From the digital system via the communication, And device-generated information generated by the user device based on the server generation key transmitted to the user device.

Wherein the device one-time information is based on the first device one-time information generated by the user device based on the server generation key or the server generation key and the terminal identification information of the digital system transmitted to the user device via the communication And the device authentication information may further include terminal identification information of the digital system or terminal one-time information generated by the digital system.

According to an aspect of the present invention, there is provided a digital device, comprising: communication means for performing communication with a digital system; computing means for generating device authentication information when the communication is performed through the communication means; The generated device authentication information is transmitted to the digital system, and when an acknowledgment signal including the transmitted device authentication information is transmitted to the authentication system by the digital system, the transmitted acknowledgment signal is authenticated by the authentication system An authentication process is performed, and if the authentication confirmation process is successful, the authentication request outputted from the predetermined data processing device or the digital system to the authentication system or the service system connected with the authentication system is processed successively, An authentication system On the basis of the server generates the key passes through the system is characterized in that it comprises a device-time information generated by the operation means.

Wherein the computing means generates the first device one-time information based on the server generation key or generates the second device one-time information based on the server generation key and the terminal identification information received from the digital system through the communication, And the computing means generates terminal identification information of the digital system or terminal identification information generated by the digital system in the device authentication information including the first device one-time information or the second device one- May be further included.

According to the technical idea of the present invention, there is an effect of providing high security and simplicity by performing self-authentication by using two independent objects of a digital system and a user device, both of which are highly likely to be carried by a user and are familiar.

In other words, the authentication request is performed by a data processing apparatus that is separate from the digital system, and the authentication operation is performed through the digital system, It is possible to perform a two-channel authentication, a remote authentication, or a third party authentication by a legitimate user with high security because it can be carried out elsewhere or by another person different from the authentication requestor.

In addition, there is no need for a user to have a device for separate one-time information (e.g., OTP, etc.), and a user device (e.g., IC card, traffic card, electronic ID card, etc.) It is possible to increase both the security and the convenience of the user.

The present invention also provides a highly secure authentication method using a server creation key (for example, a random number value, a server time value, etc.) generated by an authentication side (e.g., an authentication system). In particular, in the case of using the server generation key, the authentication side and the client side must be able to communicate with each other. According to the technical idea of the present invention, communication with the authentication side is performed via the digital system capable of performing communication with the authentication side. There is an effect that the authentication using the one-time information can be performed even by the user apparatus that can not perform. That is, it is necessary to carry two authentication tools of digital system and user device that the user generally possesses, so that authentication can be successful, but at least one of the authentication tools (for example, IC card or the like) It is possible to perform authentication using one-time information. Also, even when the user device can not communicate with the authentication side among the authentication tools, the authentication can be performed through the digital system as the remaining authentication tool.

Further, when the user apparatus generates authentication information including one-time information, the user apparatus transmits the server generation key received from the server, the identification information of the digital system received from the digital system or the terminal one-time information generated by the digital system The authentication information generated by the user apparatus can be used to authenticate not only the user apparatus but also the digital system. In addition, since the digital system can authenticate not only the user apparatus but also the digital system using the authentication information generated by the user apparatus, the digital system, which is relatively vulnerable to attack, independently generates authentication information and authenticates the authentication system , It is possible to obtain high security.

In addition, it does not require the user to input the information while using the one-time information, so that the user is not exposed to the hacking of the key input method such as the key logging as well as the convenience of the user authentication.

In addition, since the digital system to be used for authentication of the user can be preset and specified, it has the effect of having a strong characteristic against attack such as smishing or man in the middle attack. Online crime can be actively blocked.

In addition, since a user apparatus constituting a pair (pair) with the digital system can be set in advance, it is possible to set up a pair of apparatuses without having all the apparatuses constituting the pair (that is, The apparatus can not be normally authenticated), thereby remarkably improving the security.

BRIEF DESCRIPTION OF THE DRAWINGS A brief description of each drawing is provided to more fully understand the drawings recited in the description of the invention.
Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.
2 shows a schematic configuration of a digital system according to an embodiment of the present invention.
3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.
4 shows a schematic data flow of authentication of a user using a user device according to an embodiment of the present invention.
FIG. 5 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
6 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
Figs. 7 to 9 show a schematic data flow when the user apparatus generates the one-time information using the identification information of the digital system.
FIG. 10 is a diagram illustrating a process of an authentication system performing an authentication procedure according to an embodiment of the present invention. Referring to FIG.
11 is a diagram for explaining a process in which a digital system transmits an acknowledgment signal according to an embodiment of the present invention.
12 is a diagram showing a schematic configuration of a user apparatus according to an embodiment of the present invention.

In order to fully understand the present invention, operational advantages of the present invention, and objects achieved by the practice of the present invention, reference should be made to the accompanying drawings and the accompanying drawings which illustrate preferred embodiments of the present invention.

Also, in this specification, when any one element 'transmits' data to another element, the element may transmit the data directly to the other element, or may be transmitted through at least one other element And may transmit the data to the other component. Conversely, when one element 'directly transmits' data to another element, it means that the data is transmitted to the other element without passing through another element in the element.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.

Referring to FIG. 1, a digital system 100, an authentication system 200, and a user device 300 may be provided to implement a user authentication method using a user device according to an embodiment of the present invention. Depending on the implementation, a predetermined data processing apparatus 400 may be further provided. Further, a service system 500 connected to the authentication system 200 and capable of providing a predetermined service to the digital system 100 and / or the data processing apparatus 400 may be further provided.

The digital system 100 can implement the technical idea of the present invention while transmitting and receiving necessary information through the wired / wireless network with the authentication system 200. The digital system 100 may acquire information (e.g., device authentication information or device identification information) necessary for the technical idea of the present invention from the user device 300 by communicating with the user device 300 can do. In addition, the digital system 100 can communicate with the user device 300 by communicating information necessary for the technical idea of the present invention (for example, a server creation key generated by the authentication system 200) , Terminal identification information, or terminal one-time information generated by the digital system 100).

The digital system 100 may perform contact or non-contact communication with the user device 300. For example, the user device 300 may be implemented as a smart card, an IC card, or a transportation card capable of performing contact or non-contact communication with the digital system 100. In particular, the user device 300 may be a payment IC card (e.g., a credit card, a check card, etc.).

According to another embodiment, the user device 300 has its own identification information as the device owned by the user, and any type of device capable of communicating with the digital system 100 is possible. For example, the user device 300 may be a device capable of proving an identity (e.g., an electronic identification card), a communicable OTP device, or a user's mobile phone separate from the digital system 100.

Hereinafter, for convenience of description, the user device 300 will be described as a payment IC card, but the scope of the present invention is not limited thereto. Although the digital system 100 and the user device 300 perform short-range wireless communication (e.g., NFC communication, blues, etc.), the scope of the present invention is not limited thereto.

The digital system 100 may perform communication (e.g., near field wireless communication) with the user device 300. To this end, the user may tag the digital system 100 and the user device 300.

In this specification, tagging refers to the case where the digital system 100 and the user device 300 are located within a certain distance (for example, 10 cm or less when the NFC communication is used) in order to carry out contactless communication such as RFID communication and NFC communication. Or the like). The user can perform tagging by bringing the digital system 100 or the user device 300 into a predetermined distance to the user device 300 or the digital system 100. [

If the user device 300 is a payment card, the user device 300 may be a financial transaction means. The user device 300 may include a predetermined communication device (e.g., an RF antenna, an RF tag, and the like) to perform tagging communication with the digital system 100. [ In addition, the user device 300 may further include a storage device in which information necessary for realizing the technical idea of the present invention can be stored. For example, the user device 300 may be implemented as an IC card having an IC chip or various types of smart cards. Of course, the user device 300 may be an apparatus that can not independently perform financial transactions as described above. Even if the user device 300 is not a financial transaction device, according to the technical idea of the present invention, a user device 300 (e.g., an ID, a mobile phone separate from the digital system 100) Etc.) can be used to easily perform authentication of the user. For example, since the user can easily perform the identity authentication only by the tagging operation of the digital system 100 and the user device 300, the user can input the ID / password, select the authorized certificate, As compared with the conventional complicated authentication process, it is possible to perform the self-authentication with high security, which is much simpler.

In addition, when performing short-range wireless communication through tagging, it is not necessary to take out a user device (e.g., an electronic ID card or a payment card 300) from a pocket or a wallet.

Of course, another conventional authentication method (for example, authentication using an authorized certificate, etc.) may be performed before or after the authentication of the user according to the technical idea of the present invention is performed for higher security. It goes without saying that higher security can be provided when such dual security authentication is performed.

According to one embodiment, the user device 300 may generate certain authentication information, which is to define the authentication information generated by the user device 300 as 'device authentication information'. The device authentication information may include at least one piece of information to be authenticated. The device authentication information may include at least one-time information (e.g., OTP) generated by the user device, and one-time information generated by the user device 300 as device one-time information.

Also, as will be described later, the device authentication information may further include identification information (hereinafter referred to as terminal identification information) of the digital system 100 as the authentication information. In addition, the device authentication information may further include terminal one-time information generated by the digital system 100 as the authentication information.

On the other hand, the device one-time information may be one-time information generated based on the server generation key generated by the authentication system 200 and transmitted through the digital system 100. It is natural that the identification information of the device for generating the one-time information (e.g., the user device 300) can be further used when generating the one-time information (for example, the device one-time information).

Depending on the implementation, the device one-time information may be generated using the terminal generation information of the digital system 100 received from the digital system 100, as well as the server generation key.

According to an embodiment, the device one-time information may be generated using both the server generation key and the terminal identification information. The generating of the device one-time information using the server creation key and the terminal identification information may include not only the case where each of the server generation key and the terminal identification information is used as an input value of the one- And a value generated using the key and the terminal identification information are used as input values of the one-time information generation algorithm.

According to an embodiment, the device one-time information may be generated using the server generation key and the terminal one-time information generated by the digital system 100.

In a case where the device one-time information is generated based on not only the server generated key but also the terminal identification information or the terminal one-time information, there is an effect that the terminal identification information or the terminal one-time information is authenticated by the authentication system 200 . That is, the digital system 100 is authenticated.

The device authentication information includes at least one piece of information to be authenticated. The at least one piece of information to be authenticated may be encrypted with a separate encryption key, or a part of the at least one piece of information to be encrypted may be encrypted. May include a case in which the information to be authenticated is used to generate an encryption key or an encryption key.

Thus, the fact that the device authentication information includes at least one of the pieces of authenticated information indicates that the authentication system 200 is capable of obtaining the at least one piece of authenticated information included in the device authentication information (for example, Encryption, encoding, hashing, etc.) to generate the device authentication information.

The user device 300 may generate the device one-time information, and may transmit only the device one-time information to the digital system 100 as the device authentication information. Or device authentication information including the device one-time information and the terminal identification information (or terminal one-time information) to the digital system 100.

On the other hand, the authentication information to be authenticated by the authentication system 200 may be generated by the digital system 100. The authentication information (hereinafter, terminal authentication information) generated by the digital system 100 may also be generated in a manner similar to the above-described device authentication information.

That is, the terminal authentication information may include at least one item of information to be authenticated, and the terminal authentication information may include at least one-time information (hereinafter referred to as terminal one-time information) generated by the digital system 100 have.

Also, as will be described later, the terminal authentication information may further include identification information (hereinafter, device identification information) of the user device 300 or device one-time information generated by the user device 300 as the authentication information .

Also, the terminal's one-time information may be one-time information generated based on a server generated key. According to an embodiment, the terminal one-time information may be generated not only by the server generation key but also by using the device identification information (or device one-time information) received from the user device 300. When the generated one-time information is generated based on not only the server generation key but also the device identification information or the device one-time information, if the device one-time information is authenticated by the authentication system 200, Or the device one-time information. That is, the user device 300 is authenticated.

Hereinafter, authentication information included in an acknowledgment signal transmitted from the digital system 100 to the authentication system 200 will be mainly described as a case of device authentication information generated by the user device 300. [ However, even if the authentication information is terminal authentication information, the average expert in the technical field of the present invention can readily deduce that the technical idea of the present invention can be applied in a similar manner only in the case of generating authentication information .

According to one embodiment, when the user device 300 is a payment card, when the tag is tagged with the digital system 100, the card is supplied with power through electromagnetic induction, The device authentication information can be generated. The processor included in the IC chip may generate the device authentication information when power is supplied through the communication with the digital system 100 and allow the digital system 100 to read the generated device authentication information . Of course, at this time, the digital system 100 may be required to be an authorized system capable of reading the device authentication information. Certified software capable of reading the device authentication information may be installed in the digital system 100 for this purpose.

On the other hand, the device authentication information includes device one-time information as described above, and the device one-time information may include a server generation key (for example, a random number value) generated by the authentication system 200 to generate one- And may be information generated as an input value of a predetermined algorithm. The server creation key may be transferred from the authentication system 200 to the user device 300 via the digital system 100. For example, when the digital system 100 and the user device 300 perform an authentication operation for communicating with each other, the digital system 100 transmits the server generation key received from the authentication system 200 to the user device 300, . Then, the user device 300 can generate the one-time information using the received server generation key as an input value (key or seed). Of course, since the user device 300 performs a function of a client that generates one-time information, it is needless to say that the identification information of the user device 300 can be further used when generating the device one-time information.

The server creation key may be a random number value generated by the authentication system 200, but is not limited thereto, and may be any information that the server can specify.

The method of generating the one-time information by the user device 300 using the server creation key may be such that the user device 300 generates one-time information even when the timer for using the time synchronization method is not provided, It is possible to easily judge whether the information is authentic or not. In addition, even when using the user device 300 equipped with the timer, it may be very difficult to synchronize the time of the user device 300 and the authentication system 200 on a user-by-user basis. In addition, the system can cope with various types of online attacks through the digital system 100. Also, it is possible to easily generate the one-time information even if the user device (e.g., IC card 300) possessed by the user is used instead of the OTP client specially designed for generating the one-time information.

Meanwhile, the method using the server generation key such as the technical idea of the present invention can be compared with the conventional challenge response method. In order to use the conventional challenge response method, the client must be able to perform communication with the authentication system 200 do. However, according to the technical idea of the present invention, it is possible to generate the device one-time information in a similar manner to the challenge response method using the user device 300 that can not directly communicate with the authentication system 200. This is because, in order to authenticate through the technical idea of the present invention, the user must perform an authentication operation communicating the digital system 100 and the user device 300, that is, two authentication tools, (200). ≪ / RTI >

The user device 300 can communicate with the digital system 100 and the digital system 100 can communicate with the authentication system 200 according to the technical concept of the present invention, May obtain a server generation key from the authentication system 200 and use it to generate device one-time information. Of course, in addition to the server creation key, the identification information of the user device 300 may be further used as an input value (key or seed) for generating device one-time information. Various one-time information generation algorithms for generating one-time information using a predetermined input value, that is, a fixed value such as the server generated key (e.g., a random number value) and / or a device Therefore, a detailed description thereof will be omitted.

Meanwhile, the user device 300 generates the device one-time information by further using the identification information of the digital system 100, that is, the terminal identification information (or the terminal one-time information generated in advance by the digital system 100) You may. For this, the digital system 100 may transmit the terminal identification information (or terminal one-time information) to the user device 300 when performing the communication (for example, short-range wireless communication) with the user device 300. Of course, the server creation key may also be communicated to the user device 300 via the communication, as described above. Then, the user device 300 can generate device one-time information using the received server generation key and the terminal identification information (or terminal one-time information) as input values. Of course, since the device one-time information is generated by the user device 300, it is needless to say that the identification information of the user device 300 can be further used to generate the device one-time information.

When the device one-time information is used up to the terminal identification information (or terminal one-time information) in generating the device one-time information, when the device one-time information is authenticated by the authentication system 200, (300) is not only authenticated but also authenticated to the digital system (100).

When the user device 300 and the digital system 100 are simultaneously authenticated using the device one-time information as described above, the user device 300 and the digital system 100 generate one-time information So that higher security can be provided as compared with the case where each one-time information is authenticated by the authentication system 200. [ This is because the user device (e.g., IC card 300) implementing the technical idea of the present invention may be far more difficult to tamper with the attack than the digital system 100. It is also possible that a single one-time information generated using a larger number of input values (e.g., server generated key, device identification information, and terminal identification information (or terminal one-time information)) is hacked, (I.e., the device one-time information and the terminal one-time information) generated by using the server-generated key (for example, the server generated key and the device identification information) are much more difficult to be hacked than the one- .

Of course, when the user device 300 generates device one-time information using up to the terminal identification information (or the terminal one-time information) of the digital system 100, the authentication system 200 also transmits the device one- The terminal identification information (or terminal one-time information) is used for authentication. When the terminal's one-time information is used to generate the device one-time information, the digital system 100 may transmit the terminal's one-time information to the authentication system 200 separately from the device authentication information, Of course. When the device authentication information is included in the confirmation signal, the terminal one-time information may or may not be generated based on the server generation key.

In addition, the device authentication information may simply include at least one of the device authentication information (e.g., terminal one-time information or terminal identification information) as well as the device one-time information.

The authentication system 200 can authenticate the authentication information included in the authentication information by receiving authentication information (e.g., device authentication information) included in the confirmation signal and authenticating the authentication information. It goes without saying that the authentication information to be authenticated means that the device corresponding to the authentication information is authenticated. For example, when the device one-time information is authenticated, the digital system 100 is further authenticated when at least the user device 300 is authenticated and further terminal identification information (or terminal one-time information) is used when generating the device one- It is effective. Further, when the device authentication information includes the terminal identification information (or the terminal one-time information), the digital system 100, which is a device corresponding to the terminal identification information (or the terminal one-time information), is authenticated.

According to another embodiment, the device one-time information is not generated in a manner similar to the challenge response method, that is, not the one-time information newly generated as the input value of the predetermined one-time information generation algorithm, May be information encrypted with a predetermined encryption key {e.g., device identification information and / or terminal identification information (or terminal one-time information)}. In this case, the authentication system 200 may authenticate the user device 300 by decrypting the device one-time information and determining whether the decrypted result corresponds to the server generation key. At this time, the user device 300 and the authentication system 200 may use a symmetric key or an asymmetric key (e.g., PKI, etc.).

Whether the device one-time information is one-time information generated by using the server generation key as an input value or simply the information obtained by encrypting the server generation key with a predetermined encryption key, the server generation key is transmitted to the authentication system 200 But it is not necessarily limited thereto. That is, the server creation key suffices to be information (e.g., time information, etc.) that can be confirmed by the authentication system 200 at a certain point in time.

Hereinafter, the user device 300 or the digital system 100 generates one-time information using the server creation key, and the authentication system 200 also generates one-time information using the server creation key, 300 or the digital system 100 according to an embodiment of the present invention. However, as described above, the user device 300 or the digital system 100 simply generates a value obtained by encrypting the server generation key as device one-time information or terminal one-time information, Information or the terminal one-time information may be decrypted to perform the authentication.

The device authentication information including the device one-time information may be information that can be authenticated by the authentication system 200. To this end, the authentication system 200 may be provided with an authentication unit for authenticating the authentication information included in the device authentication information. The authentication unit may generate one-time information by itself to authenticate the device one-time information, as will be described later. Of course, at this time, the authentication unit may generate the one-time information using the server generation key transmitted to the user device 300 through the digital system 100. [ That is, the user device 300 may operate as an OTP client, for example, and the authentication unit may operate as an OTP server. Hereinafter, the one-time information generated by the authentication system 200 will be defined as 'server one-time information' for convenience of explanation.

When the device authentication information further includes the terminal identification information, the authentication unit may further authenticate the terminal identification information. To this end, the terminal identification information of the digital system 100 may be registered in advance in the authentication unit (or in a system capable of performing communication with the authentication unit (e.g., mobile communication company system) And the terminal identification information included in the device authentication information correspond to each other, the terminal identification information can be authenticated.

As described above, according to the technical idea of the present invention, the user device 300 generates the device authentication information, and the generated device authentication information can be authenticated by the authentication system 200.

Also, according to one embodiment, the user device 300 may be a payment card. Then, the device one-time information generated by the user device 300 can generate device one-time information using the server generation key and the identification information of the user device 300. At this time, (For example, UID, time information or an arbitrary value) irrelevant to the information (for example, card number, validity period, CVC code, etc.) stored in the IC chip of the card as financial information necessary for settlement, And can be used as identification information of the mobile terminal 300. In this case, since the settlement financial information may not be distributed to the digital system 100 or the authentication system 200, the security can be enhanced. In this case, even though the device one-time information and device one-time information generation algorithm are leaked, there is no risk that the settlement financial information is leaked through reverse engineering or the like.

1, the digital system 100 can communicate with the authentication system 200 via a wired / wireless network, and can communicate with the user device 300 through a predetermined communication (e.g., a local area wireless communication) May be defined to include any type of data processing device capable of communicating over a network. For example, the digital system 100 may be a data processing device, such as a tablet, a music player, or the like, which is easy for the user to carry around. Of course, the digital system 100 is preferably capable of communicating with the authentication system 200 and / or the data processing apparatus 400 via a network.

In addition, it is needless to say that the digital system 100 can generate authentication information to be included in the confirmation signal, that is, terminal authentication information. The function of the digital system 100 to generate the terminal authentication information may be implemented by installing predetermined software in the digital system 100 to implement the technical idea of the present invention.

Also, the terminal one-time information included in the terminal authentication information may be generated using the server generation key generated by the authentication system 200 as an input value. When the authentication information to be included in the confirmation signal is generated by the user device 300, since the device one-time information is generated using the server generation key, the terminal's one-time information is generated using a separate protocol . That is, the digital system 100 may include a timer, and may be relatively easy to perform time synchronization with the authentication system 200 as compared to the user apparatus 300. [ Therefore, the terminal one-time information may be one-time information generated by using time information as an input value, such as a time synchronization method.

Also, the terminal's one-time information may be generated by further inputting identification information of the user device 300, that is, device identification information (or device one-time information). That is, the terminal one-time information may be generated based on the server generation key and the device identification information (or device one-time information) received from the authentication system 200. Of course, the terminal identification information of the digital system 100 may be further used. In this case, it is needless to say that similar effects to the case of using the terminal identification information when the user device 300 generates the apparatus one-time information can be obtained. In addition, not only the one-time information of the terminal but also device identification information (or device one-time information) can be further included in the terminal authentication information as the authentication information.

In any case, the terminal authentication information may also be authenticated by an authentication unit included in the authentication system 200. [ The case where the terminal authentication information is authenticated by the authentication unit is also similar to the case where the device authentication information is authenticated, and thus a detailed description thereof will be omitted.

As a result, according to the technical idea of the present invention, the digital system 100 may include the device authentication information generated by the user device 300 in an acknowledgment signal and transmit the device authentication information to the authentication system 200, May be included in the confirmation signal and transmitted to the authentication system 200. Of course, according to an embodiment, the apparatus authentication information and the terminal authentication information may be included in the acknowledgment signal and transmitted to the authentication system 200.

When both the device authentication information and the terminal authentication information are included in the confirmation signal, the device one-time information (or the terminal one-time information) is a server generation key (or server generation key and terminal identification information) And the terminal one-time information (or the device one-time information) may be one-time information generated without using the server generation key.

For example, the confirmation signal may include the device authentication information and the terminal authentication information, and the device one-time information included in the device authentication information may include a server generation key transmitted through the digital system 100, (Or terminal one-time information). In this case, the terminal one-time information may be one-time information generated without using the server generation key.

The authentication unit of the authentication system 200 may generate server one-time information corresponding to the device one-time information and / or server one-time information corresponding to the one-time information on the terminal, and the device one-time information and / It can be judged that the authentication check procedure is successful. Of course, when the authentication information further includes other information to be authenticated, the authentication information can be further authenticated.

Further, pair authentication for authenticating whether the digital system 100 and the user device 300 are paired as described later may be further performed, and further authentication may be performed to determine that the authentication confirmation procedure is successful have.

The confirmation signal may be defined as including a series of information or signals including information necessary for the authentication procedure performed by the authentication system 200. [ The acknowledgment signal may only refer to the device authentication information or the terminal authentication information but does not necessarily mean one data set (or continuous packet data), but may be temporally or physically separated information or signal. That is, the digital system 100 may output the confirmation signal to the authentication system 200 a plurality of times.

Of course, when both the apparatus authentication information and / or the terminal authentication information are authenticated by the authentication system 200, the authentication using the apparatus identification information or the terminal identification information may be optionally omitted (i.e., The device identification information or the terminal identification information may not be included), and in some embodiments, authentication may be performed using the terminal identification information corresponding to the device authentication information or the device identification information corresponding to the terminal identification information.

In any case, according to the technical idea of the present invention, the digital system 100 can include the device authentication information and / or the terminal authentication information in an acknowledgment signal and transmit it to the authentication system 200, The information may be authenticated by the authentication system 200.

Meanwhile, the digital system 100 can generate the terminal authentication information only when the digital system 100 communicates with the user device 300. According to an embodiment, the digital system 100 may generate the terminal authentication information in advance in response to the reception of the authentication action request information or by a predetermined request of the user, and when the communication is performed, May be included in the confirmation signal and transmitted to the authentication system 200.

Therefore, even if it is described that the authentication method according to the technical idea of the present invention includes a step of performing communication between the digital system and the user device and a step of generating the terminal authentication information, And the case where the communication is performed after the generation of the terminal authentication information can be interpreted as including the case where the communication is performed after the generation of the terminal authentication information.

As a result, even if the digital system 100 is attacked by hacking or the like, the terminal authentication information may not be generated unless the user device 300 is owned by the user. Or even if the terminal authentication information is generated, the confirmation signal may not be transmitted, and therefore the authentication of the user is not successful.

When the terminal's one-time information is generated based on the server generation key, the terminal's one-time information may include at least one of the server generation key received from the authentication system 200, And may be information generated by further inputting a value {key or seed}. At this time, the identification information of the user device 300 may be fixed identification information (e.g., UID, etc.) of the user device 300. Of course, in this case, the identification information may also be registered in the authentication system 200. Therefore, as long as communication with the user device 300 is not performed, the terminal's one-time information to be included in the terminal authentication information may not be generated, and the confirmation signal including the terminal authentication information may be transmitted to the authentication system 200, It may not be authenticated by the authentication system 200.

In addition, the terminal one-time information generated by the digital system 100 may be generated based on information (e.g., terminal identification information, time information, an arbitrary value, etc.) irrelevant to the payment financial information. That is, as described in the device one-time information, the terminal's one-time information may be information that is irrelevant to the settlement financial information or information generated from irrelevant information. Therefore, there is no risk that the settlement financial information will be leaked even if leakage occurs in the terminal one-time information and terminal one-time information generation algorithm.

In addition, the confirmation signal transmitted to the authentication system 200 by the digital system 100 may include only information (e.g., device identification information, terminal identification information, etc.) that is not related to the payment financial information, The security of the authentication method according to the technical idea of the invention can be enhanced.

The device authentication information generated by the user device 300 may be generated by the user device 300 only when the digital system 100 and the user device 300 communicate with each other. For example, when the user device 300 is a smart card such as a payment card or an electronic ID card, the smart card is not powered independently, so that the device authentication information is generated only when communication with the digital system 100 is performed Of course. Also, even when the user device 300 is powered on and can generate device authentication information by itself, the user device 300 must perform communication with the digital system 100 to generate the device authentication information . The server generation key {and terminal identification information (or terminal one-time information)} generated by the authentication system 200 through the communication can be transmitted to the user device 300. Of course, in this case, software or an applet for implementing the technical idea of the present invention may also be installed in the user device 300.

Also, the user device 300 may generate the device authentication information only when communication with the digital system 100 is performed in advance. It is needless to say that information about the digital system 100 forming a pair with the user device 300 may be registered in the user device 300 in advance.

In any case, the confirmation signal transmitted by the digital system 100 to the authentication system 200 may include authentication information (e.g., device authentication information and / or terminal authentication information) It may be output from the digital system 100 to the authentication system 200 only when communication is performed between the user device 100 and the user device 300. Therefore, even if either the device authentication information or the terminal authentication information is contained in the confirmation signal, there is an effect that the user is authenticated that another device (that is, the digital system 100 or the user device 300) is possessed .

The authentication system 200 may perform an authentication procedure for authenticating the authentication information included in the confirmation signal.

The authentication procedure includes an authentication information authentication procedure for authenticating terminal authentication information generated by the digital system 100 and / or device authentication information generated by the user device 300. Whereby the legitimacy of the digital system 100 and / or the user device 300 can be authenticated.

On the other hand, when the authentication information includes only one-time information (in this case, the one-time information is generated without using the identification information of the device corresponding to the server generated key or the one-time information generated by the corresponding device) Strictly speaking, the software installed in the digital system 100 (that is, the software for generating the terminal one-time information) and / or the apparatus for generating the one-time information (for example, ) Or software (e.g., software installed in the user device 300, which is a separate mobile phone, for generating device one-time information, an applet installed in a smart card, etc.).

Software installed in the digital system 100 or the user device 300 may be installed only in the digital system 100 or the user device 300 authenticated as a legitimate user's device. In this case, if the validity of the software is authenticated, the digital system 100 is also automatically authenticated.

However, the authentication information according to the technical idea of the present invention may include a device (for example, a user device 300 or a digital system 100) that generates authentication information, because the software may leak or the software may be forged by an attack. Or the identification information of the device corresponding to the device (for example, the digital system 100 or the user device 300) may be further included as the authentication information. Or identification information of the digital system 100 and / or the user equipment 300 may be included in the confirmation signal separately from the authentication information. The authentication procedure may further include a step of authenticating the identification information (i.e., hardware) of the digital system 100 and / or the user device 300. The authentication of the digital system 100 and / or the hardware of the user device 300 may be performed by the authentication system 200 using the terminal identification information of the digital system 100 and / It may be a procedure of confirming the identification information and judging whether the terminal identification information and / or the device identification information is successful according to whether it corresponds to the information previously registered in the authentication system 200.

As a result, when the hardware authentication procedure is additionally performed, the security of the authentication method according to the technical idea of the present invention can be further enhanced. Even if the user possessing the digital system 100 does not have the user device 300 registered in the authentication system 200 or holds the user device 300, If the digital system 100 registered in advance in the terminal 200 is not possessed, the authentication of the user is prevented from being successful.

The procedure for authenticating the device identification information according to an embodiment may be performed by the digital system 100. [ Or the procedure for authenticating the terminal identification information may be performed by the user device 300. [ That is, in the digital system 100, the identification information of the user apparatus 300 that can be used for the authentication operation is stored in advance, or the digital system 100 (which can be used for the authentication operation in advance) The digital system 100 or the user device 300 may determine whether the device communicating with the digital device 100 is a device registered in advance by the authentication system 200, There is an effect similar to that the identification information and / or the terminal identification information are authenticated. However, since the digital system 100 and / or the user device 300 may be at a greater risk of being falsified than the authentication system 200, the authentication system 200 may use the device identification information and / Or it may be desirable that the terminal identification information be authenticated.

Of course, the procedure for authenticating the device identification information and / or the terminal identification information may be omitted when the terminal identification information (or device identification information) is used when generating the device one-time information (or the terminal one-time information) It is possible. That is, when the device one-time information (or the terminal one-time information) is generated using up to the terminal identification information (or the device identification information), the terminal identification information (or the device identification information) is separately authenticated There is an effect that the terminal identification information is authenticated if the device one-time information is authenticated.

The authentication procedure performed by the authentication system 200 may further include a pair authentication procedure for authenticating whether the digital system 100 and the user device 300 are a pair. That is, the digital system 100 and the user device 300 may be paired in advance. Only when the two devices forming the pair perform the communication, the authentication system 200 determines that authentication is successful . In this way, the authentication process for confirming the authentication request by the user (i.e., communicating the digital system 100 and the user device 300) must be paired to be successful. In this case, if the digital system 100 and the user device 300 are both registered by the authentication system 200, even if they are not paired with each other, the authentication confirmation process may not be successfully processed, It is possible to have a synergistic effect.

Whether the two devices used in the authentication operation (digital system 100 and user device 300) are a pair may be authenticated by the authentication system 200, but may also be authenticated by the digital system 100 . That is, the digital system 100 can communicate with the digital system 100 only when it communicates with the user device 300, which is set to pair with the digital system 100 in advance. To this end, the digital system 100 may have previously stored information (e.g., device identification information) about the user device 300 that is paired with the digital system 100 in advance. In some implementations, the user device 300 may store information about the digital system 100 that is paired with the user device 300, and the user device 300 may determine that the digital system 100 May be authenticated. If the authentication is not performed, the device authentication information may not be generated or a predetermined control may be performed so as not to transmit the device authentication information to the digital system 100.

Meanwhile, the authentication request may be transmitted to the authentication system 200 before the authentication signal is transmitted to the authentication system 200. For example, the authentication request may be an authentication request transmitted from the predetermined data processing apparatus 400 to the authentication system 200. The data processing apparatus 400 is a device which is separate from the digital system 100 and used by a user of the digital system 100 and is connected to the authentication system 200 to request authentication, Mobile terminal, set-top box, IPTV, and the like. For example, a user may input identification information (e.g., a telephone number) of his or her digital system 100 through the data processing apparatus 400 to perform an authentication request.

Further, the data processing apparatus 400 may be implemented in various embodiments according to the types of services provided after the authentication according to the technical idea of the present invention succeeds. For example, if the service is a payment service, the data processing device 400 may be an agent terminal requesting payment for settlement. If the service is a service for opening a door, the data processing device 400 may be a device installed at a door. Various embodiments of the data processing apparatus 400 may be possible depending on the type of service.

According to an embodiment, the data processing apparatus 400 or the digital system 100 may make an authentication request to a predetermined service system 500. The service system 500 may transmit a predetermined service (for example, a request for authentication) to the authentication requesting device (for example, the data processing device 400 or the digital system 100) upon successful authentication of the user according to the technical idea of the present invention. Login, financial transaction, confirmation of specific information, issuance of a certificate, purchase of goods or services, payment, opening and closing of a door, etc.). A user may access the service system 500 through the data processing apparatus 400 or the digital system 100 and the service system 500 may be connected to the service system 500 in order to perform the service provided by the service system 500. [ And may request the data processing apparatus 400 or the digital system 100 to authenticate the user. In this case, the service system 500 allows the data processing apparatus 400 or the digital system 100 to access the authentication system 200 (for example, a web page or a UI provided by the authentication system 200) The data processing apparatus 400 or the digital system 100 may be controlled to receive the authentication from the authentication system 200 through the data processing apparatus 400 or the digital system 100 have. The data processing apparatus 400 or the digital system 100 may transmit the authentication request to the authentication system 200 by inputting information necessary for the authentication request (for example, identification information of the digital system 100) As shown in FIG.

Of course, in some implementations, the service system 500 may receive an authentication request from the data processing apparatus 400 or the digital system 100 and send the received authentication request to the authentication system 200 . That is, the service system 500 may mediate the authentication process according to the technical idea of the present invention. The fact that the data processing apparatus 400 or the digital system 100 transmits predetermined information or signals to the authentication system 200 is transmitted to the authentication system 200 through the service system 500 And the like. Of course, even when the authentication system 200 transmits predetermined information or signals to the data processing apparatus 400 or the digital system 100, the authentication system 200 may include the case of being transmitted through the service system 500 . ≪ / RTI >

Although the authentication system 200 and the service system 500 are implemented as separate physical devices in FIG. 1, the authentication system 200 may be included in the service system 500 . In other words, since the predetermined software that implements the function of the authentication system 200 is installed in the service system 500, the authentication according to the technical idea of the present invention may be performed.

According to one embodiment, the authentication of the user according to the technical idea of the present invention may be performed for settlement. In this case, the data processing apparatus 400 may be a predetermined merchant terminal (a POS device installed in a store, a mobile merchant terminal, or the like). In this case, the user or the merchant can transmit the authentication request to the authentication system 200 by inputting identification information (e.g., telephone number) of the digital system 100 of the user to the merchant terminal. In some cases, the user may notify identification information of his or her digital system 100 to a merchant site to perform payment at a remote site. Then, the merchant may transmit the authentication request to the authentication system 200 by inputting the identification information using the data processing apparatus 400, that is, a computer used at the merchant, or an affiliate terminal. If the authentication is successful by the authentication system 200, the payment requested by the data processing apparatus 400 may be finally approved. At this time, the service system 500 may be a predetermined card company system (or a financial institution system that performs card settlement). In addition, the authentication request and the payment request need not necessarily be performed separately. That is, the authentication request according to the embodiment of the present invention may be performed simultaneously with a predetermined service request (for example, payment, etc.). In this case, identification information of the digital system 100 for the authentication request Of course. Such an example will be described in detail later with reference to FIGS. 4 and 5. FIG.

According to another embodiment, the authentication request may be output by the digital system 100 and transmitted to the authentication system 200 together with the acknowledgment signal or separately from the acknowledgment signal. Such an example will be described with reference to FIG.

When the authentication request is received and an acknowledgment signal is received from the digital system 100, the authentication system 200 performs an authentication check procedure as described above based on the received acknowledgment signal. If the authentication is successful, Can successfully process the authentication of the data processing apparatus 400 or the digital system 100. That is, the received authentication request can be successfully processed. The service system 500 may then provide the data processing device 400 or a predetermined service requested by the digital system 100. Needless to say, another authentication of the user (for example, authentication using the authorized certificate, etc.) may be required after the authentication of the user according to the technical idea of the present invention succeeds.

In addition, the authentication procedure may further include authenticating user authentication information (e.g., PIN) of the user device 300. For example, when the user device 300 is a payment IC card, a password (i.e., a PIN number) set by the user may be preset in the user device 300. The user authentication information of the user device 300 may also be registered in the authentication system 200 in advance. Then, the authentication system 200 receives the user authentication information from the digital system 100 or the data processing apparatus 400, and if the received user authentication information corresponds to previously registered information, To be successful. Of course, the authentication of the user authentication information may be performed by the digital system 100 that communicates with the user device 300. In this case, the user authentication information of the user device 300 may be registered in the digital system 100 in advance.

When the authentication operation is performed by the user, the digital system 100 may output an acknowledgment signal to the authentication system 200. The acknowledgment signal may include authentication information (the device one-time information and / or the terminal one-time information) Alternatively, the device identification information of the user device 300 and / or the terminal identification information of the digital system 100 may be further included so that the user device 300 and / or the digital system 100 ) Can be performed in hardware as described above.

The terminal identification information is information for identifying the hardware of the digital system 100 (e.g., USIM, identification information of a USIM, IMSI, IMEI, MAC Address, etc.). When the terminal identification information is included in the confirmation signal, the authentication system 200 can determine that the authentication confirmation procedure is successful only when the terminal identification information is registered in advance. Therefore, if the confirmation signal is not received through the digital system 100, which is a pre-registered terminal, even if the confirmation signal is transmitted to the authentication system 200 by a predetermined device, Therefore, there is an effect that a predetermined service may not be provided to the user. That is, it is possible to designate a digital system, thereby blocking unauthorized service requests through other terminals. Further, since an authentication action (payment authentication action) can be performed only through the designated digital system, there is an effect that smearing or manned middle attack can be prevented.

Meanwhile, the terminal one-time information generated by the digital system 100 or the device one-time information generated by the user apparatus 300 is displayed by the digital system 100, and the user inputs the terminal one- , The inputted terminal's one-time information may be included in the confirmation signal.

However, according to the embodiment of the present invention, the terminal may be automatically included in the confirmation signal without displaying the one-time information or the device one-time information and inputting by the user, thereby providing convenience of the authentication operation by the user, The risk of leakage of information through key logging may be lowered. Of course, in such a case, the non-repudiation of the user may cause the user to input the user authentication information (e.g., PIN) of the user device 300 and to authenticate the user by the authentication system 200 And ultimately by ensuring that the authentication procedure is successful.

The authentication system 200 includes all systems participating in receiving an authentication request, communicating with the digital system 100 and / or the data processing apparatus 400, or in deciding whether to grant an authentication request Can be defined as meaning. Of course, the authentication system 200 does not mean only one physical device, but may be a system that is organically coupled to a plurality of devices or systems to implement the technical idea of the present invention. For example, the authentication system 200 may receive the authentication request directly from the digital system 100 or the data processing apparatus 400, or may receive the authentication request via the service system 500 as described above have.

For example, in the case of a payment service, the authentication system 200 can directly transmit a settlement request (the settlement request is an authentication request) from the data processing apparatus 400, for example, a user's computer, an affiliate store terminal Or may receive a payment request (authentication request) via the service system (e.g., web server 500 that provides an online marketplace). In this case, the authentication system 200 may be a credit card company system that can settle the settlement request (authentication request) using the previously registered credit card information (the credit card company system in the present invention is not only an independent card company system, (Which means to include all financial institution systems (not shown) that perform card settlement). Also, according to an embodiment, a VAN system, a PG, or the like, which is connected to the card company system through a network and mediates a payment process, may be further included in the authentication system 200. [

Hereinafter, the process of authenticating the user according to the technical idea of the present invention will be described in more detail. Hereinafter, for convenience of explanation, the digital system 100 is implemented as a mobile phone, and the identification information of the digital system 100 used for the authentication request is a mobile phone number of the mobile phone as an example However, the scope of the present invention is not limited thereto.

2 shows a schematic configuration of a digital system according to an embodiment of the present invention.

Referring to FIG. 2, the digital system 100 includes a control module 110, a user equipment communication module 120, and a communication module 140. When the digital system 100 is configured to generate terminal authentication information, the digital system 100 may further include a terminal authentication information generation module 130.

Herein, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

The control module 110 may control the other components included in the digital system 100 such as the user device communication module 120, the terminal authentication information generation module 130, and / or the communication module 140 Functions and / or resources.

The user equipment communication module 120 may communicate with the user equipment 300. [ The communication may be contact or non-contact communication as described above. According to an example, the communication may be a contactless short range wireless communication (e.g., NFC communication). When the communication is the NFC communication, the user can be authenticated only by tagging the digital system 100 and the user device 300, so that the convenience of the user can be enhanced. In addition, even when the user device 300 is in a wallet or a pocket, the NFC communication can be performed without removing the user device 300, so that the convenience of authentication can be enhanced. The user equipment communication module 120 may be implemented by, for example, an NFC chip or a module provided in the digital system 100. In addition, it is a matter of course that the embodiment of the user equipment communication module 120 may be varied according to the embodiment of the communication performed by the digital system 100 and the user equipment 300.

The control module 110 may generate or transmit an acknowledgment signal according to the technical idea of the present invention.

The communication module 140 may communicate with the authentication system 200. And may perform communication with the data processing apparatus 400 according to an embodiment.

The control module 110 may communicate with the user device 300 through the user device communication module 120. Also, device authentication information and / or device identification information may be received from the user device 300 according to an implementation. Also, the server generation key received from the authentication system 200 and / or the terminal identification information (or terminal one-time information) of the digital system 100 may be transmitted to the user device 300 through the user equipment communication module 120 . The transmission of the server creation key and / or the terminal identification information (or terminal one-time information) is performed when an authentication operation performed by the user, that is, an operation of communicating the digital system 100 and the user apparatus 300 is performed . Of course, depending on the embodiment, the server creation key and / or the terminal identification information (or terminal one-time information) may be transmitted to the user device 300 separately from the authentication operation. For example, in the case of NFC communication, the user may have to perform a plurality of tagging. The server creation key may be transmitted to the user device 300 through the tagging of any one of a plurality of tagging, and if another tagging is performed, the user may be regarded as having the authentication operation.

The terminal authentication information generation module 130 can generate terminal authentication information. The terminal authentication information generation module 130 generates the terminal one-time information based on the server generation key (and the device identification information of the user device 300) received from the authentication system 200 as described above, Information can be included in the information. When the authentication information to be included in the confirmation signal is generated by the user device 300 instead of generating the authentication information to be included in the confirmation signal, the terminal authentication information generation module 130 generates the authentication information, May generate only the terminal one-time information to be included in the device authentication information or to be used for the device one-time information. The terminal authentication information generation module 130 may also generate the terminal one-time information based on the device identification information (or device one-time information) of the user device 300 or the identification information of the digital system 100 have.

At this time, the device identification information may be information independent of the settlement financial information. For example, when the user device 300 is a payment card, the payment financial information (e.g., a card number) of the payment card may be the device identification information. However, according to the technical idea of the present invention, (For example, UID, etc.) irrelevant to the settlement financial information may be used as the device identification information.

The terminal authentication information generation module 130 may generate terminal authentication information including the generated terminal one-time information, and the terminal authentication information may include identification information of the digital system 100 and / Information (or device one-time information) may be further included. Of course, when the terminal one-time information is information generated using the device identification information (or device one-time information), the device identification information (or device one-time information) separately from the terminal one-time information needs to be included in the terminal authentication information May not exist.

Then, the control module 110 generates an acknowledgment signal including the generated terminal authentication information (and / or device authentication information received from the user device 300), and transmits the generated confirmation signal to the communication module 140. [ And transmit it to the authentication system 200.

Or may include an authentication request in the acknowledgment signal. Alternatively, the confirmation signal may include an authentication signal indicating an authentication result using the user authentication information. It should be understood that the acknowledgment signal is not limited to one information or a continuously transmitted signal, and the acknowledgment signal may be transmitted to the authentication system 200 discontinuously in a plurality of times according to an embodiment.

The authentication system 200 may then perform an authentication procedure based on an acknowledgment signal including the authentication information. If the authentication confirmation process is successful, the authentication system 200 can process the authentication result as a successful authentication for the device (for example, the digital system 100 or the data processing device 400) that has output the authentication request . That is, the digital processing system 100 or the data processing apparatus 400 can successfully process the authentication request. For example, if the authentication confirmation process is successful, the authentication system 200 may transmit an authentication result indicating that the authentication of the user is successful to the data processing apparatus 400, the digital system 100, and / or the service system 500 Lt; / RTI >

When the authentication information (device authentication information and / or terminal authentication information) further includes the device identification information, the authentication system 200 can authenticate the user device 300 based on the device identification information . When the authentication information further includes the terminal identification information, the authentication system 200 can determine whether the digital system 100 is a terminal registered in advance based on the terminal identification information.

According to one embodiment, the authentication information may further include, as device identification information, payment financial information of the user device (e.g., payment card 300). That is, in this case, the user device 300 may be a payment card (i.e., an IC card). It is a matter of course that the authentication system 200 can authenticate the user device 300 based on the settlement financial information when the authentication information further includes the settlement financial information. However, even if the authentication information includes the terminal one-time information, there is a risk that the settlement financial information may be leaked and the outgoing settlement financial information may be abused when the settlement financial information is included. Therefore, when the authentication information further includes the settlement financial information of the user device 300, the authentication system 200 determines whether the digital system 100 is a terminal registered in advance based on the terminal identification information It may be desirable to enhance security. Of course, the device identification information may be selected as the identification information of the user device 300, which is not related to the payment financial information, as described above.

Meanwhile, the communication module 140 may receive predetermined authentication action request information from the authentication system 200 or from the data processing apparatus 400. [ The authentication action request information may include information for requesting a user to perform an authentication operation, that is, to communicate the digital system 100 and the user device 300. [ In addition, the server generation key generated by the authentication system 200 may be received together with the authentication action request information.

The server creation key may be received together with the authentication action request information and may be received separately before or after the authentication action request information is received by the digital system 100. [ For example, in the digital system 100, predetermined software for implementing the technical idea of the present invention can be installed, and the technical idea of the present invention can be implemented only when the software is executed. In this case, the digital system 100 may automatically perform communication with the predetermined authentication system 200 when the software is executed. In this case, the server generation key may be received in advance. In any case, the digital system 100 may receive the server creation key from the authentication system 200 before the user performs an authentication operation.

Of course, only the signal indicating that the authentication request has been performed in the data processing apparatus 400 or the digital system 100 may be included in the authentication action request information.

The authentication action request information may be displayed on a display device (not shown) included in the digital system 100. The user can confirm the authentication action request information and perform authentication by requesting the digital system 100 and the user device 300 by tagging.

The communication module 140 may receive the authentication action request information from the authentication system 200 or may receive the authentication action request information from the data processing device 400. Such an example will be described later with reference to Figs.

Meanwhile, the control module 110 may determine whether the user device 300 is a device forming a pair with the digital system 100. And transmit the confirmation signal to the authentication system 200 only when the user device 300 is a device forming a pair with the digital system 100. [ Of course, the procedure for authenticating such a pair may be performed by the authentication system 200 as described above.

Also, the control module 110 requests predetermined user authentication information (e.g., PIN) before or after performing communication with the user device 300, and when the user authentication information is transmitted to the user device 300 (e.g., The terminal authentication information may be generated only when it corresponds to the authentication information (for example, PIN information) of the IC card for payment), or may transmit the confirmation signal including the device authentication information acquired from the user device 300. [ It is possible to prevent the non-repudiation even if the user does not perform the process of checking the device one-time information or the terminal one-time information and directly inputting the device one-time information to the digital system 100 through the user authentication information.

If the user authentication using the user authentication information is not performed, the digital system may not transmit the confirmation signal to the authentication system 200. For example, the digital system 100 may receive the user authentication information in advance before communicating with the user device 300. Or may receive the user authentication information from the user after the communication is performed. If the user authentication information does not correspond to the information set in the user device 300 in advance, the confirmation signal may not be transmitted. According to an embodiment, the user authentication using the user authentication information may be performed by the digital system 100 after the confirmation signal is transmitted. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication using the user authentication information to the authentication system 200 after transmitting the confirmation signal. Then, the authentication system 200 receiving the authentication signal may finally determine the success or failure of the authentication confirmation procedure.

Or the digital system 100 transmits the user authentication information received from the user to the authentication system 200 and determines whether the user authentication information corresponds to the user device 300 by the authentication system 200 .

3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.

3, an authentication system 200 according to an exemplary embodiment of the present invention includes a control unit 210, a communication unit 220, and an authentication unit 230. The authentication system 200 may further include a DB 240.

The configuration of the control unit 210, the communication unit 220, the authentication unit 230, and the DB 240 included in the authentication system 200 includes hardware for performing the technical idea of the present invention, And the functional and structural combination of the software. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

Also, the authentication system 200 does not mean any physical device. That is, an average expert in the technical field of the present invention can easily deduce that the authentication system 200 can be implemented by organically combining different physical devices through a network.

The authentication system 200 may be included in the service system 500 or may be implemented in a system separate from the service system 500. In addition, the operating system of the authentication system 200 and the service system 500 may be the same or different.

The control unit 331 can control functions and / or resources of other components included in the authentication system 200 (e.g., the communication unit 220, the authentication unit 230, and the DB 240) .

The communication unit 220 may perform communication with the digital system 100. In particular, the communication unit 220 may receive an acknowledgment signal from the digital system 100.

The authentication unit 230 may generate the server generation key as described above. Further, the authentication confirmation procedure may be performed based on authentication information including one-time information (device one-time information or terminal one-time information) generated based on the server generation key. The one-time information may include device one-time information and / or terminal one-time information. For this, the authentication unit 230 may generate server one-time information using the server generation key transmitted to the digital system 100. [ Of course, it is also possible for the average expert in the technical field of the present invention to easily generate the server one-time information by using the information used in generating device one-time information or terminal one-time information in addition to the server creation key as an input value There will be.

Also, according to an embodiment, as described above, the authentication unit 230 simply decrypts the device one-time information and / or terminal one-time information, and determines whether the decrypted result corresponds to the server generation key, .

The device one-time information and / or the terminal one-time information may be information generated by using identification information of the corresponding device (or one-time information generated by the corresponding device). That is, the device one-time information may be information generated by using not only the server generation key but also the terminal identification information (or terminal one-time information). Also, the terminal's one-time information may be information generated by using not only the server generation key but also the device identification information (or device one-time information).

In this case, the authentication unit 230 may generate the server one-time information by further using the server generation key as well as the terminal identification information (device identification information) to authenticate the device one-time information Of course it is.

Of course, when the authentication information further includes the authentication information other than the one-time information, the authentication unit 230 can further authenticate the authentication information. Therefore, the authentication procedure includes an authentication procedure for authenticating the information to be authenticated. The authentication using the device identification information, the authentication using the terminal identification information, and the digital device 100, and the authentication of the user device 300, and / or authentication of the user authentication information set in the user device 300, as described above.

In a case where the device identification information corresponding to the one-time information is included, the authentication using the corresponding device identification information may not be selectively included in the authentication confirmation procedure. Of course, even if the device one-time information is authenticated by the authentication unit 230, device identification information may be included as the authentication information separately from the authentication information, and even if authentication using the device identification information is additionally performed, . Similarly, even if the terminal one-time information is authenticated by the authentication unit 230, the authentication information may include the terminal identification information as the authentication information, and the authentication may be performed even if the authentication using the terminal identification information is performed.

If the authentication unit 230 has succeeded in the authentication process, the control unit 210 can successfully process the authentication request that is already received or the authentication request included in the confirmation signal. The control unit 210 may send a signal indicating the authentication result to the service system 500 for success processing.

The device identification information of the user device 300 and the terminal identification information of the digital system 100 may be stored in advance in the DB 240 as described above. Also, the server generation key generated by the authentication unit 230 may be temporarily stored. Information on pair formation of the digital system 100 and the user apparatus 300, that is, information on which digital system 100 and which user apparatus 300 are formed in pairs, that is, pair setting information, Can be. Also, user authentication information corresponding to the user device 300 may be stored in advance.

The communication unit 220 may receive an authentication request from the data processing apparatus 400 or the digital system 100. Needless to say, the authentication request may include identification information (e.g., telephone number) of the digital system 100. Then, the control unit 210 may transmit authentication action request information to the digital system 100 or the data processing apparatus 400 through the communication unit 220. [ The user can confirm the authentication action request information and communicate the digital system 100 and the user device 300. [ Then, the communication unit 220 can receive an acknowledgment signal output from the digital system 100.

Then, the authentication unit 230 may perform the authentication procedure.

For this, the authentication unit 230 may generate server one-time information corresponding to the digital system 100 or the user device 300. [ Of course, it is also possible to generate server one-time information corresponding to the digital system 100 and server one-time information corresponding to the user apparatus 300, respectively. To this end, the authentication unit 230 may provide at least one input value (key or seed) for generating one-time information for each digital system 100 and / or for each user equipment 300, Shared with the digital system 100 and / or each user device 300, or may share the manner (or algorithm) of obtaining the at least one key. Of course, the server creation key may be included in the at least one input value. Of course, a function or algorithm for generating the server one-time information is also the same as the function or algorithm in which the digital system 100 or the user device 300 generates the terminal one-time information or the device 300 one-time information can do.

When the authentication unit 230 generates the server one-time information, the authentication unit 230 can perform the authentication check by determining whether the generated server one-time information corresponds to the one-time information included in the authentication information. It should be noted that there are various embodiments of at least one input value and one-time information generation algorithm for the digital system 100, the user apparatus 300, and the authentication unit 230, respectively, to generate one- The average expert in the field will be able to easily reason.

Meanwhile, when the authentication information includes the terminal identification information, the authentication unit 230 determines whether the terminal identification information corresponds to the information registered in advance in the DB 240, It can be judged that the procedure is successful.

The authentication unit 230 determines whether the digital system 100 and the user device 300 form a pair with each other based on information previously registered in the DB 240, The digital system 100 and the user device 300 form a pair to determine that the authentication confirmation procedure is successful.

When the user authentication information (for example, the PIN information of the payment card, etc.) of the user device 300 is received from the digital system 100, the authentication unit 230 transmits the user authentication information to the DB 240) to determine that the authentication check procedure is successful. Or may determine whether the authentication procedure is successful based on the authentication signal received from the digital system 100. [

4 to 9 show data flow of the authentication method using the user apparatus according to the embodiment of the present invention. 4 to 6 show an embodiment in which only the server generation key is transmitted from the digital system 100 to the user device 300 through the authentication operation, and FIGS. 7 to 9 illustrate an embodiment in which the user device 300 300) transmits the server generated key and the terminal identification information (or terminal one-time information).

FIG. 4 shows a schematic data flow of a user authentication method using a user apparatus according to an embodiment of the present invention.

4 illustrates an example in which an authentication request is made via the digital system 100. Referring to FIG. 4, the digital system 100 may send a predetermined authentication request to the authentication system 200 (S100 ). The authentication request is received through the communication unit 220 of the authentication system 200 and the control unit 210 may transmit the authentication action request information to the communication module 140 of the digital system 100 ). The authentication action request information may include a server creation key generated by the authentication system 200. In addition, the server generation key may be transmitted to the digital system 100 separately from the authentication action request information. And the authentication action request information may be displayed in the digital system 100. [ Of course, the server creation key may not be displayed by the digital system 100.

After confirming the authentication action request information displayed on the digital system 100, the user can communicate with the digital system 100 and the user device 300 (S120). The server creation key may be transmitted to the user device 300 through the communication. Then, the user device 300 may generate the device authentication information based on the server generation key (S130). The user device 300 may generate the device one-time information based on the server generation key and its identification information received through the communication, and may include the generated device one-time information in the device authentication information. According to an embodiment, the user device 300 may further include device identification information in the device authentication information separately from the device authentication one-time information.

Then, the digital system 100 can acquire the device authentication information generated by the user device 300 from the user device 300 (S140).

Of course, the digital system 100 may generate terminal one-time information (S130-1). The terminal one-time information may also be generated based on the server generation key. Alternatively, the terminal one-time information may be generated by using information (for example, time information) different from the server creation key as an input value. The control module 110 of the digital system 100 may control the terminal to generate the one-time information only when the communication is performed. In some cases, the terminal may generate the one-time information before the communication is performed (e.g., when the authentication-action request information is received) (S130-1).

Then, the digital system 100 may include the device authentication information and selectively transmit the terminal's one-time information or its identification information, that is, the terminal identification information, to the authentication system 200 by including it in the confirmation signal (S150).

As a result, the digital system 100 may include the device authentication information generated by the user device 300 in the confirmation signal, and may transmit the terminal's one-time information or its own terminal identification information, It can be further included in the confirmation signal.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S160). That is, an authentication procedure for authenticating the device authentication information included in the confirmation signal may be performed. Wherein the authentication procedure for authenticating the device authentication information includes a process for authenticating device one-time information included in the device authentication information, and when the device authentication information further includes the device identification information as the authentication information, And may include a procedure for authenticating the information. In addition, when the confirmation signal includes the terminal identification information (or terminal one-time information), the authentication confirmation procedure may further include a step of authenticating the terminal identification information (or terminal one-time information).

If the authentication verification process is successful, the authentication system 200 may transmit the authentication result, that is, the authentication of the user, to the digital system 100 (S170). Of course, if the digital system 100 accesses a predetermined service system 500 and then transmits the authentication request to the authentication system 200, the authentication system 200 transmits the authentication result to the service system 500 500).

The authentication system 200 determines whether the device identification information corresponds to previously registered information, whether the terminal identification information corresponds to previously registered information, and / or whether the digital system 100 and the digital Based on whether the user device 300 forms a pair, to determine the success or failure of the authentication procedure.

FIG. 5 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

5, an example of an authentication request is performed by a predetermined data processing apparatus 400. Referring to FIG. 5, the data processing apparatus 400 receives an authentication request including identification information of the digital system 100 To the authentication system 200 (S200). Or when the authentication system 200 inputs an authentication request including information (e.g., user identification information, etc.) that can specify the digital system 100, the authentication system 200 The identification information of the digital system 100 may be determined.

The data processing apparatus 400 may be a computer or the like used by the user of the digital system 100. [ For example, the user can request an authentication online (S200) through a computer or the like, and in response, the authentication system 200 can transmit authentication action request information to the computer (S210-1). The user may perform an authentication operation to confirm the authentication action request information displayed on the computer and to communicate the digital system 100 and the user device 300 in operation S220. According to an embodiment, the authentication system 200 may transmit authentication action request information to the digital system 100 (S210). When the authentication action request information is transmitted to the digital system 100, the server activation key includes a server generation key generated by the authentication system 200 and transmitted to the authentication activity request information, The server creation key can be transmitted to the digital system 100 as described above. According to an embodiment, the authentication system 200 may transmit the authentication action request information to the data processing apparatus 400, and may transmit the server creation key to the digital system 100.

Then, the user can perform the authentication operation in response to this (S220).

According to another embodiment, the data processing apparatus 400 may be an affiliate terminal. That is, the user may want to perform settlement. In this case, the authentication request may be a payment request. The user can notify the merchant in the off-line store of the identification information of his or her own digital system 100 or can input the identification information of the digital system 100 himself / herself. Alternatively, at a remote location, the user may request the merchant to perform a payment (authentication) request for a predetermined payment through telephone, messaging, or e-mail. Then, an authentication (payment) request may be transmitted to the authentication system 200 by inputting the identification information of the digital system 100 to the merchant terminal (S200). At this time, the authentication action request information may also be transmitted to the merchant terminal and / or the digital system 100 (S200, S200-1). Of course, the server creation key may be transmitted to the digital system 100. In response, the user may communicate an authentication action, i.e., the digital system 100 and the user device 300 (S220). The server creation key may be transmitted to the user device 300 through the communication.

Then, the digital system 100 may obtain the device authentication information generated by the user device 300 (S230, S240). The device authentication information may include device one-time information generated by the user device 300 based on the server generation key, as described above. The user device 300 may further include its own identification information, that is, device identification information, in the device authentication information. Also, the digital system 100 may generate terminal one-time information (S230-1).

Then, the digital system 100 includes at least the device authentication information in the authentication system 200, and in accordance with the embodiment, the digital system 100 determines whether the digital system 100 further includes the terminal identification information (or the terminal one-time information) Signal (S250). Of course, the device identification information may include settlement financial information of the settlement card. In order to increase the security, the settlement financial information may be transmitted to the user system 300 even if the digital system 100 obtains the confirmation signal .

Then, the authentication system 200 may perform an authentication procedure based on the confirmation signal (S260). That is, an authentication procedure for authenticating the device authentication information included in the confirmation signal may be performed. Wherein the authentication procedure for authenticating the device authentication information includes a process for authenticating device one-time information included in the device authentication information, and when the device authentication information further includes the device identification information as the authentication information, And may include a procedure for authenticating the information. In addition, when the confirmation signal includes the terminal identification information (or terminal one-time information), the authentication confirmation procedure may further include a step of authenticating the terminal identification information (or terminal one-time information). Then, the authentication result may be transmitted to the digital system 100 (S270). Or may be transmitted to the data processing apparatus 400 (S270-1). Of course, the authentication result may be transmitted to the service system 500.

Meanwhile, the authentication request according to the embodiment of the present invention may be performed by a person other than the user of the digital system 100. For example, an authentication requester other than the user (that is, a person who performs authentication confirmation) such as a family member, a relative or an acquaintance of the user inputs the identification information of the user to the data processing apparatus 400, (200).

For example, when a non-user (authentication requestor) such as an authentication requestor who is an acquaintance of a user must log in to the user's web account, receives a certificate on behalf of a user, or requires payment by a third party, There may be a case where a service is to be provided from the service system 500. In this case, there has been a risk that information for authentication (for example, login information, authorized certificate password, card number, etc.) has to be informed to the authentication requester.

However, according to the technical idea of the present invention, the authentication request and the authentication operation can be performed in a spatially separated state, and the authentication request can be performed by the user without performing the authentication operation. It is not necessary to inform the user of the information.

Also, in the case of a payment service, when the authentication requester faces the identification information of the user or remotely notifies the affiliation shop side, the affiliate shop sends an authentication request (that is, a payment request ) To the authentication system (200). Of course, at this time, information on the authentication requester (for example, a name of a payment requester, a telephone number, etc.) may be further included, and information on the payment requester may be included in the authentication action request information.

In this case, the authentication system 200 may transmit the authentication action request information and the server generation key to the digital system 100 of the user, and the authentication operation as described above may be performed by the user. Then, if an authentication confirmation procedure is performed by the authentication system 200 and the authentication confirmation procedure is successful, the authentication (payment) result can be transmitted to the data processing apparatus 400 and the digital system 100.

4 and 5, since only identification information of the digital system 100 is required for an authentication request, there is an ease of requesting an authentication, and in order to perform an authentication operation, (E.g., tagging) the user device 300 with the user device 300. As described above, although the authentication request is easy and the authentication is easy, the security can be very high as described above. Also, as shown in FIG. 4 and FIG. 5, the user can easily determine whether the authentication request is allowed even in the two-channel authentication due to the ease of authentication request and the convenience of the payment confirmation operation. Further, The login information, the authorized certificate password, etc.), and can perform the authentication operation safely.

According to another embodiment, as shown in FIG. 6, when an authentication requestor, not a user, inputs identification information of the digital system 100 to the data processing apparatus (for example, a computer, a mobile terminal of an authentication requestor, , When the authentication requester faces the identification information of the user to the affiliate shop or remotely, the affiliate shop side inputs the identification information of the digital system 100 to the data processing device (for example, the affiliate shop terminal 400) . Then, the data processing apparatus 400 may transmit authentication action request information (that is, payment related information including payment details, etc.) to the digital system 100. Of course, in order to do so, predetermined software for implementing the technical idea of the present invention may be installed in the data processing apparatus 400.

The authentication action request information may include information on the merchant, payment details, and / or information on the payment requester. If the user confirms the authentication action request information and wishes to settle the settlement request corresponding to the authentication action request information, the user can perform the authentication operation as described above. The digital system 100 may then send an acknowledgment signal as described above to the authentication system 200. At this time, the confirmation signal may further include not only the device authentication information but also information necessary for a payment request (for example, information on a franchisee, payment details, etc.). That is, the confirmation signal may further include an authentication (settlement) request to be transmitted to the authentication system 200.

The authentication system 200 may then perform an authentication procedure based on the acknowledgment signal. The authentication system 200 can transmit the authentication result to the data processing apparatus 400 and / or the digital system 100. [0050] FIG. Of course, in the case of payment, if the authentication confirmation procedure is successful, the authentication system 200 or the service system 500 determines whether or not the payment is approved and transmits the payment result to the data processing apparatus 400 and / (100).

As a result, according to the technical idea of the present invention, it is possible to provide a solution with high security, which is very easy to perform authentication on behalf of a third party authentication requestor.

FIG. 6 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

6, when the user notifies or inputs the identification information of his / her digital system 100, the data processing apparatus 400 receives the identification information (S300) To the digital system 100 (S310).

For example, when the user notifies the identification information of his / her digital system 100 or inputs the payment information to his / her mobile terminal 400 without providing a payment card to the store, the data processing apparatus 400 may transmit the identification information (S300) and transmits the authentication action request information corresponding to the authentication to the digital system 100 (S310). The digital system 100 can then transmit an acknowledgment signal to the authentication system 200 by communicating the digital system 100 with the user device 300 sitting in the car or in the car, A payment request (i.e., an authentication request) corresponding to the digital signature can also be transmitted to the authentication system 200 by the digital system 100 and settlement can be easily performed. Therefore, in this case, the settlement financial information of the user device 300 as well as the user device 300 may not be transmitted to the merchant, which may be a safe settlement solution.

According to an embodiment, the data processing apparatus 400 and the digital system 100 may perform short-range wireless communication. In this case, the authentication action request information (payment related information) may be transmitted to the digital system 100 by the short distance wireless communication between the data processing apparatus 400 and the digital system 100. At this time, the identification information of the digital system 100 may not need to be input to the data processing apparatus 400.

For example, when the technical idea of the present invention is applied to a payment service, when a settlement amount is input to a data processing apparatus (for example, an affiliate terminal 400), the user inputs the digital system 100 to the data processing apparatus 400 It is possible to perform short-range wireless communication. Then, authentication action request information including payment related information (for example, payment details, merchant store identification information, etc.) including the payment amount may be transmitted to the digital system 100 through the short-range wireless communication at step S310. The user can then remotely communicate the digital system 100 with his / her user device (e.g., the payment IC card 300). With this two short-distance wireless communication, the user can easily make a payment. In this case, the identification information of the digital system 100 of the user is not required to be notified to the merchant, and the settlement financial information of the user device 300 may not be transmitted to the merchant.

When the authentication action request information (payment related information) is transmitted from the data processing apparatus 400 to the digital system 100, information (payment related information) necessary for an authentication request (payment request) May be included. When the authentication action request information is received, the digital system 100 can communicate with the authentication system 200 and receive a server creation key (S310-1)

When the authentication operation is performed by the user in step S320, the device authentication information and the authentication request (payment request) generated by the user device 300 may be included in the confirmation signal and transmitted to the authentication system 200 (S320, S330, S330-1, S340, S350). That is, the authentication request (payment request) may be output to the authentication system 200 separately before or after the confirmation signal is output to the authentication system 200. Of course, the authentication request (payment request) may be transmitted separately from the acknowledgment signal. In addition, as described above, the digital system 100 may further include the terminal identification information (or terminal one-time information) in the acknowledgment signal as described above.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S360). If the authentication verification process is successful, the authentication result may be transmitted to the digital system 100 (S370-1). Of course, the data may be transmitted to the data processing apparatus 400 (S370). Or to a given service system 500.

7 to 9 illustrate a case where the user apparatus 300 uses the terminal identification information (or terminal one-time information) of the digital system 100 when generating the apparatus authentication information.

First, referring to FIG. 7, the embodiment shown in FIG. 7 can be performed in a manner similar to that shown in FIG. For example, the digital system 100 may transmit a predetermined authentication request to the authentication system 200 (S400). The authentication request is received through the communication unit 220 of the authentication system 200 and the control unit 210 may transmit the authentication action request information to the communication module 140 of the digital system 100 ). Also, a server creation key may be transmitted to the digital system 100 (S410).

After confirming the authentication action request information, the user can communicate with the digital system 100 and the user device 300 (S420). The server creation key may be transmitted to the user device 300 through the communication. Further, the terminal identification information of the digital system 100 may be further transmitted. Alternatively, the terminal one-time information generated by the digital system 100 may be transmitted to the user equipment 300 (S410-1, S420).

The user device 300 may then generate device authentication information including device one-time information. At this time, the device one-time information may be generated based on the server generation key (and device identification information), and may be generated based on the server generation key (and device identification information) and the terminal identification information (S430). In the former case, the user device 300 may include the device one-time information and the terminal identification information (or terminal one-time information) in the device authentication information. In the latter case, the device authentication information may include only the device one-time information.

Then, the digital system 100 may acquire the device authentication information generated by the user device 300 (S440).

When the terminal's one-time information generated by the digital system 100 is transmitted to the user equipment 300 through the communication, the terminal's one-time information may be generated before the communication is performed (S410-1). The above-mentioned terminal one-time information may or may not be generated based on the server generation key as described above. In addition, although the device one-time information may not be input by the user, the terminal's one-time information may be displayed by the digital system 100 and then input by the user. Information may be communicated to the user device 300 via the communication.

According to an embodiment, the digital system 100 transmits the server generation key and the terminal identification information (or the terminal one-time information) to the user device 300 through the communication, The device authentication information can be generated based on the information. At this time, the digital system 100 transmits the terminal's one-time information (or terminal identification information) to the authentication system 200 in addition to the device authentication information obtained from the user device 300 . At this time, the terminal's one-time information may be displayed by the digital system 100 and then input by the user, and the input terminal's one-time information may be included in the confirmation signal and transmitted to the authentication system 200 And may be communicated to the authentication system 200 separately from the confirmation signal via user input.

If the device one-time information included in the device authentication information is generated based on the terminal identification information (or the terminal one-time information), if the device one-time information is authenticated by the authentication system 200, 100) is also authenticated by the authentication system 200. FIG. Also, the terminal identification information (or the terminal one-time information) may be included in the device authentication information as the authentication information, instead of being used when the device one-time information is generated. The terminal identification information (or the terminal one-time information) can be authenticated.

In addition, the terminal's one-time information may be included in the confirmation signal separately from the device authentication information. In this case, the authentication procedure performed by the authentication system 200 may further include an authentication procedure for authenticating the terminal's one-time information . That is, there is an effect of double authentication in which the digital system 100 is authenticated by authentication of the device authentication information, and the digital system 100 is authenticated again using the terminal's one-time information.

The digital system 100 may include the device authentication information obtained from the user device 300 in the confirmation signal and transmit the device authentication information to the authentication system 200 in operation S450. According to an embodiment, the terminal identification information (or the terminal one-time information) can be further included in the acknowledgment signal as described above.

Then, the authentication system 200 may perform an authentication procedure based on the confirmation signal (S460). If the authentication verification procedure is successful, the authentication system 200 may transmit the authentication result, that is, the authentication of the user, to the digital system 100 (S470).

When the device authentication information included in the confirmation signal is authenticated by the authentication system 200, the information used for generating the device authentication information, that is, the terminal identification information (or the terminal one-time information) As shown in FIG.

Therefore, the authentication is performed at once to the digital system 100 as well as the user device 300 by authentication of the device one-time information. Of course, if the digital system 100 accesses a predetermined service system 500 and then transmits the authentication request to the authentication system 200, the authentication system 200 transmits the authentication result to the service system 500 500).

The embodiment shown in FIG. 8 may be the case where authentication is performed in a manner similar to that shown in FIG.

The data processing apparatus 400 may transmit an authentication request to the authentication system 200 by inputting the identification information of the digital system 100 (S500). In response, the authentication system 200 may transmit authentication action request information to the data processing apparatus 400 (S510-1). The user may perform an authentication operation to confirm the authentication action request information displayed on the data processing device 400 and to communicate the digital system 100 and the user device 300 in operation S520. According to an embodiment, the authentication system 200 may transmit authentication action request information to the digital system 100 (S510). When the authentication action request information is transmitted to the digital system 100, the server activation key includes a server generation key generated by the authentication system 200 and transmitted to the authentication activity request information, The server creation key can be transmitted to the digital system 100 as described above. According to an embodiment, the authentication system 200 transmits the authentication action request information to the data processing apparatus 400, and the server creation key may be transmitted to the digital system 100.

Then, the user can perform the authentication operation in response thereto (S520).

The digital system 100 can transmit not only the server creation key but also the terminal identification information (or the terminal one-time information) to the user device 300 through the authentication operation (S520) The device 300 may generate the device authentication information (S530).

The device authentication information may include device one-time information and terminal identification information (or terminal one-time information) as described above, and the device one-time information may be generated based on the server generation key. Or the device authentication information includes only the device one-time information, and the device one-time information may be information generated based on the server generation key and the terminal identification information (or the terminal one-time information).

Then, the digital system 100 may receive the device-specific authentication information generated by the user device 300 through the communication (S540). For example, the digital system 100 transmits the server generation key and the terminal identification information (or the terminal one-time information) through the one short-range wireless communication (for example, tagging) And can receive all of the generated device authentication information.

In addition, the digital system 100 may generate terminal one-time information separately from the device authentication information (S510-2) and include the terminal identification information in the confirmation signal, or may include the terminal identification information in the confirmation signal Same as.

The digital system 100 may transmit the confirmation signal including the device authentication information and optionally the terminal identification information (or the terminal one-time information) to the authentication system 200 (S550).

In response, the authentication system 200 may perform an authentication procedure based on the confirmation signal (S560). If the authentication verification procedure is successful, the authentication system 200 may transmit the authentication result, that is, the authentication of the user, to the digital system 100 (S570). For example, if the device authentication information included in the confirmation signal is authenticated by the authentication system 200, the information used in generating the device authentication information, that is, the terminal identification information of the digital system 100 (or the terminal one- ). ≪ / RTI > Therefore, the authentication is performed at once to the digital system 100 as well as the user device 300 by authentication of the device one-time information.

The embodiment shown in FIG. 9 may be the case where authentication is performed in a manner similar to that shown in FIG.

9, when the user notifies or inputs the identification information of the digital system 100 of the user, the data processing apparatus 400 receives the identification information (S600) and then transmits the authentication action request information (Or settlement related information) to the digital system 100 (S610).

When the authentication action request information is received, the digital system 100 can communicate with the authentication system 200 and receive the server creation key (S610-1).

If the authentication operation is performed by the user at step S620, the digital system 100 transmits the server creation key and the terminal identification information (or the terminal one-time information) to the user device 300, (S620, S630, S640) from the server creation key and the terminal identification information (or the terminal one-time information). Since the embodiment of the device authentication information is the same as that described with reference to FIG. 7 and FIG. 8, a detailed description will be omitted.

Also, the digital system 100 may generate terminal one-time information separately (S630-1) and transmit it to the user device 300, or may include terminal one-time information (or terminal identification information) As described above. The digital system 100 may transmit the confirmation signal including the device authentication information and optionally the terminal identification information (or the terminal one-time information) to the authentication system 200 (S660). The confirmation signal may further include an authentication request (payment request). Of course, the authentication request (payment request) may be transmitted separately from the acknowledgment signal. That is, the authentication request (payment request) may be output to the authentication system 200 separately before or after the confirmation signal is output to the authentication system 200.

Then, the authentication system 200 may perform an authentication procedure based on the confirmation signal (S660). If the authentication verification process is successful, the authentication result may be transmitted to the digital system 100 (S670-1). Of course, the data may be transmitted to the data processing apparatus 400 (S670). Or to a given service system 500.

FIG. 10 is a diagram illustrating a process of an authentication system performing an authentication procedure according to an embodiment of the present invention. Referring to FIG.

Referring to FIG. 10, a description will be made of a series of processes in which the authentication unit 230 of the authentication system 200 performs an authentication process. The authentication unit 230 can obtain an authentication signal including at least device authentication information (S710). The device one-time information included in the device authentication information may be information generated based on the server generation key generated and transmitted by the authentication unit 230.

Then, the authentication unit 230 generates server one-time information based on the server generation key transmitted to the digital system 100 (S711), and generates server one-time information and device one-time information included in the device authentication information Authentication of the one-time information to determine whether the corresponding one-time information corresponds (S712).

The device authentication information may further include the terminal one-time information (or the terminal identification information) as the authentication information. The terminal's one-time information may be generated in a time synchronization manner. In this case, the authentication system may generate additional server one-time information using time information as an input value to authenticate the terminal's one-time information. Alternatively, when the device one-time information is information obtained by simply encrypting the server generation key based on the device identification information and the terminal identification information (or the terminal one-time information), the authentication unit 230 may store the device one- Authentication of the device one-time information may be performed by determining whether the decrypted and decrypted information based on the identification information and the terminal identification information (or the terminal one-time information) corresponds to the server generation key.

If the authentication of the device one-time information is successful, it can be determined that the authentication check process has succeeded (S760). If the authentication of the device one-time information fails, the authentication check process can be determined to have failed (S750).

When the device authentication information includes only the device one-time information, the authentication unit 230 may perform only authentication of the device one-time information. However, the authentication unit 230 may generate other authentication information (e.g., device identification information, (I.e., authentication of the user device 300), authentication of the terminal identification information (i.e., authentication of the digital system 100), as shown in FIG. 10, Authentication of the hardware}, and / or authentication of the pair.

In addition, if the terminal identification information (or the terminal one-time information) is included in the confirmation signal separately from the device authentication information, authentication of the terminal identification information (or the terminal one-time information) may be performed. If it is determined that the authentication is successful (S760), it is determined that the authentication is unsuccessful (S750).

Also, FIG. 10 shows the case where the authentication of the device identification information, the authentication of the terminal identification information, and the authentication of the pair are sequentially performed, but the order of these authentication can be changed in any way.

According to an example, if authentication of the device one-time information is successful as shown in FIG. 10, the authentication unit 230 performs authentication of the user device 300 using device identification information that can be included in the device authentication information (S720). If the authentication of the user device 300 is unsuccessful, the authentication unit 230 may determine that the entire authentication process is successful (S760) It can be determined that the authentication check procedure has failed (S750).

In addition, the device authentication information or the confirmation signal may include terminal identification information, and the authentication unit 230 may further perform authentication using the terminal identification information (S730).

If the authentication unit 230 further performs authentication using the terminal identification information at step S730, the authentication unit 230 determines whether the terminal identification information of the digital system 100 included in the confirmation signal or the device authentication information The hardware of the digital system 100 can be authenticated by determining whether the information registered in advance in the DB 240 corresponds to the information previously registered in the DB 240 (S730). If the hardware of the digital system 100 is successfully authenticated, it may determine that the entire authentication procedure has succeeded (S760), and may further perform authentication of the pair (S730). If the authentication of the hardware of the digital system 100 fails, the authentication unit 230 may determine that the entire authentication procedure has failed (S750).

If the authentication unit 230 further performs the pair authentication (S730), the authentication unit 230 transmits the pair setting information registered in advance in the DB 240, that is, information about the digital system and the user apparatus constituting the pair And performs pair authentication to confirm whether the digital system 100 and the user device 300 used in the authentication operation are a pair (S740). If the pair authentication is successful, it can be determined that the entire authentication check procedure is successful (S760). Of course, if the pair authentication fails, the authentication unit 230 may determine that the entire authentication check procedure has failed (S750).

11 is a diagram for explaining a process in which a digital system transmits an acknowledgment signal according to an embodiment of the present invention.

11, a user may input user authentication information (e.g., a PIN of a payment card) of the user device 300 through a predetermined application installed in the digital system 100 to perform an authentication operation (S800). Then, the digital system 100 and the user device 300 can communicate with each other (S810). Then, the digital system 100 can receive the device identification information of the user device 300 through the communication (S820).

The digital system 100 may perform user authentication to determine whether the user authentication information input from the user through the communication with the user device 300 corresponds to the information set in the user device 300 in operation S830. If the user authentication is successful, the digital system 100 may generate an acknowledgment signal including the device authentication information and transmit it to the authentication system 200 (S850). Of course, if the user authentication fails (S830), the digital system 100 can terminate the process (S860). It goes without saying that authentication of such user authentication information can be selectively performed.

According to an embodiment, the digital system 100 may perform pair authentication (S840). In step S850, the digital system 100 may transmit an acknowledgment signal to the mobile station 100 in order to verify that the pair authentication is successful.

In order for the digital system 100 to perform pair authentication, the device identification information of the user device 300 forming a pair with the digital system 100 may be registered in the digital system 100 in advance. According to an embodiment of the present invention, identification information or terminal identification information of the digital system 100 forming a pair with the user device 300 may be stored in the storage device of the user device 300. In this case, the digital system 100 may perform pair authentication by checking the information stored in the storage device.

In any case, if the digital system 100 and the user device 300 are not paired devices, the digital system 100 does not send the acknowledgment signal to the authentication system 200, (S860).

11 shows an example in which the user authentication is performed before the pair authentication, but it goes without saying that the pair authentication may be performed first.

Also, in FIG. 11, the user authentication information (e.g., PIN) of the user device 300 may be input at any time after the confirmation signal is transmitted to the authentication system 200 before the authentication confirmation process is terminated. That is, after the digital system 100 transmits the confirmation signal to the authentication system 200, the digital system 100 may receive user authentication information of the user device 300 from the user and authenticate the user. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication to the authentication system 200. Then, the control unit 210 included in the authentication system 200 may determine the success or failure of the authentication confirmation process after confirming the authentication signal.

According to an embodiment, the digital system 100 transmits user authentication information to the authentication system 200, and the authentication of the user authentication information may be performed by the authentication system 200. In this case, the digital system 100 may transmit the user authentication information to the authentication system 200 at any time before the payment request is approved by the authentication system 200. [ For example, the user authentication information may be included in the confirmation signal, and the user authentication information may be transmitted to the authentication system 200 at any time before or after the transmission of the confirmation signal. Then, the authentication unit 230 included in the authentication system 200 can perform the user authentication using the user authentication information of the user device 300 stored in the DB 240. And, if the user authentication is successful, it may be determined that the authentication confirmation process is finally succeeded.

Although the authentication information included in the confirmation signal is the device authentication information generated by the user device 300 in this specification, the authentication information included in the confirmation signal may be generated by the digital system 100 And may be terminal authentication information. In this case, it is easy for the digital system 100 to generate the terminal authentication information using the server generation key received from the authentication system 200 and the device identification information (or device one-time information) of the user device 300 I can reason.

12 is a diagram showing a schematic configuration of a user apparatus according to an embodiment of the present invention.

Referring to FIG. 12, the user device 300 may include an operation unit 310 and a communication unit 320.

The user device 300 may be implemented in various ways such as a smart card, an IC card, a transportation card, and a payment IC card capable of performing contact or non-contact communication with the digital system 100, as described above.

The computing means 310 may be an IC chip included in the IC card in its simplest form. The communication unit 320 may be implemented by an RF antenna or the like capable of performing communication with the digital system 100.

According to another embodiment, the user device 300 has its own identification information as the device owned by the user, and any type of device capable of communicating with the digital system 100 is possible. For example, the user device 300 may be a device capable of proving an identity (e.g., an electronic identification card), a communicable OTP device, or a user's mobile phone separate from the digital system 100. In this case, the user equipment 300 may also be equipped with various communication means (e.g., NFC chips, Bluetooth devices, RF antennas, etc.) capable of communicating with the digital system 100, ).

The communication means 320 can perform communication with the digital system 100, that is, communication for an authentication operation.

When the communication is performed, the computing means 310 may generate the device authentication information. When the server generation key is received from the digital system 100 through the communication as described above, the calculation means 310 generates device one-time information based on the server generation key (the device one-time information is generated by the server Generated by using the identification information of the key and the device, or may be generated in various ways using the server creation key and various other information), and may generate the device authentication information including the generated device one-time information .

Alternatively, when the server generation key and the terminal identification information (or the terminal one-time information) are received from the digital system 100, the apparatus generating key and the terminal identification information (or the terminal one-time information) And generate device authentication information including the generated device one-time information. Or generates the device one-time information based on the server creation key, and generates device authentication information including the generated device one-time information and the terminal identification information (or the terminal one-time information) received from the digital system 100 It is possible.

The device authentication information generated by the computing means 310 may be transmitted to the digital system 100 via the communication and an acknowledgment signal including the transmitted device authentication information may be transmitted by the digital system 100 May be transmitted to the authentication system 200. Then, an authentication confirmation procedure in which the transmitted confirmation signal is authenticated by the authentication system can be performed. If the authentication confirmation process is successful, the authentication request output from the data processing apparatus 400 or the digital system 100 to the authentication system 200 or the service system 500 connected to the authentication system 200 Success can be handled.

The authentication method using the user apparatus according to the embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, an optical data storage device, and the like in the form of a carrier wave (for example, . In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

Claims (29)

The digital system performing communication with a predetermined user device for authenticating the user;
Receiving the device authentication information generated by the digital device by the digital device via the communication and transmitting an acknowledgment signal including the device authentication information to the authentication system; And
Wherein the authentication confirmation procedure is performed in which the transmitted confirmation signal is authenticated by the authentication system,
If the authentication confirmation process is successful, the authentication request output from the predetermined data processing device or the digital system to the authentication system or the service system connected with the authentication system is successfully processed,
The device authentication information includes:
And device-generated information generated by the user device based on a server generated key generated by the authentication system and transmitted to the user device via the digital system.
2. The apparatus of claim 1, wherein the device one-
First device one-time information generated by the user device based on the server creation key; Or second device one-time information generated by the user device based on the server creation key and the terminal identification information of the digital system transmitted to the user device via the communication; ego,
The device authentication information includes:
The terminal identification information of the digital system transmitted to the user apparatus or the terminal one-time information generated by the digital system and transmitted to the user apparatus may be further included.
The authentication method according to claim 1,
Further comprising the step of displaying the authentication action request information output by the authentication system which has received the authentication request including the identification information of the digital system output from the data processing apparatus, on the data processing apparatus or the digital system,
And when the authentication action request information is displayed, the digital system uses the user device performing the communication with the user device.
The authentication method according to claim 1,
Further comprising receiving, by the digital system, authentication action request information output from the data processing apparatus that has received the identification information of the digital system,
Wherein the digital system performs the communication with the user device when the authentication action request information is received.
2. The system according to claim 1,
The server one-time information corresponding to the apparatus one-time information, the server one-time information being information generated based on the server generation key, and generating the server one-time information, The authentication confirmation procedure is successful,
Decrypting the device one-time information, and if the decryption result corresponds to the server generation key, the authentication confirmation procedure is succeeded.
6. The method of claim 5, wherein if the device authentication information further includes terminal identification information of the digital system transmitted to the user apparatus or terminal generated by the digital system and transmitted to the user apparatus,
By the authentication system,
When the terminal identification information of the digital system is further authenticated or when the terminal one-time information is further authenticated, the authentication confirmation procedure is succeeded.
The authentication method according to claim 1,
Further comprising the step of the digital system receiving the device identification information of the user device via the communication,
Wherein the transmitting the confirmation signal to the authentication system comprises:
The digital system further including the device identification information in the confirmation signal and transmitting the identification information to the authentication system,
By the authentication system,
Wherein the apparatus identification information is authenticated before the authentication confirmation procedure is succeeded.
8. The apparatus of claim 7,
IC card for payment,
Wherein the device identification information included in the confirmation signal includes:
Wherein the authentication information is identification information of the user apparatus irrespective of the payment financial information of the payment IC card.
2. The method of claim 1, wherein transmitting the acknowledgment signal to an authentication system comprises:
And transmitting, by the digital system, the identification information of the digital system to the confirmation signal,
By the authentication system,
Wherein the authentication is successful if the terminal identification information is further authenticated.
The authentication method according to claim 1,
Further comprising the step of the digital system determining whether the user equipment is a preset pair to correspond to the digital system,
And if it is determined that the user device is a predetermined pair, transmits the confirmation signal to the authentication system.
The digital system according to claim 1,
Wherein the device authentication information is included in the confirmation signal and is transmitted to the authentication system without displaying the device authentication information.
The authentication method according to claim 1,
The digital system or the data processing apparatus requesting the user of the digital system for user authentication information corresponding to the user equipment; And
Further comprising the step of transmitting the input user authentication information in response to the request to the digital system or the data processing apparatus to the authentication system,
Wherein the authentication procedure is successful if the user authentication information is further authenticated by the authentication system.
The digital system according to claim 1,
Wherein the confirmation signal does not include the settlement financial information of the user apparatus and the user apparatus as a settlement IC card.
The authentication system transmitting the server generation key to the digital system;
Receiving, when the digital system communicates with a predetermined user device, the authentication system receiving a confirmation signal from the digital system, the confirmation signal including device authentication information generated by the user device;
Performing an authentication verification procedure for authenticating the device authentication information based on the confirmation signal received by the authentication system; And
When the authentication confirmation process in which the device authentication information is authenticated is successful, the authentication system successfully processes the authentication request output from the predetermined data processing device or the digital system to the authentication system or the service system connected with the authentication system And,
The device authentication information includes:
And a device generated by the user device based on the server generation key transmitted from the digital system to the user device via the communication.
15. The apparatus of claim 14, wherein the device one-
First device one-time information generated by the user device based on the server creation key; Or second device one-time information generated by the user device based on the server creation key and the terminal identification information of the digital system transmitted to the user device via the communication; ego,
The device authentication information includes:
The terminal identification information of the digital system transmitted to the user apparatus or the terminal one-time information generated by the digital system and transmitted to the user apparatus may be further included.
15. The authentication method according to claim 14,
The authentication system receiving the authentication request including identification information of the digital system from the data processing apparatus; And
Wherein the authentication system further comprises transmitting authentication action request information to the digital system or the data processing device in response to the reception,
Wherein the authentication system performs the authentication procedure after transmitting the authentication action request information and receiving the confirmation signal from the digital system.
15. The method of claim 14, wherein performing an authentication procedure to authenticate the device authentication information based on the acknowledgment signal received by the authentication system comprises:
Wherein the authentication system generates server one-time information corresponding to the device one-time information, the server one-time information is information generated based on the server generation key, and generates the server one- Determining whether it corresponds to device one-time information; or
Wherein the authentication system decrypts the device one-time information and determines whether the decryption result corresponds to the server generation key.
18. The method of claim 17, wherein if the device authentication information further includes terminal identification information of the digital system transmitted to the user apparatus or terminal generated by the digital system and transmitted to the user apparatus,
Wherein the performing of the authentication verification procedure for authenticating the device authentication information based on the confirmation signal received by the authentication system comprises:
Authenticating the terminal identification information of the digital system by the authentication system; or
Further comprising the step of the authentication system authenticating the terminal's one-time information.
15. The authentication method according to claim 14,
Further comprising the step of authenticating whether or not the pair is determined by determining whether the digital system to which the authentication signal transmitted the authentication signal and the user apparatus are previously set to correspond to each other,
And determining that the authentication confirmation procedure has succeeded if the pair status is authenticated.

The user device performing communication with the digital system for authentication;
The user device generating device authentication information;
Transmitting the device authentication information generated by the user device to the digital system;
Transmitting an acknowledgment signal including the transmitted device authentication information to the authentication system by the digital system; And
Wherein the authentication confirmation procedure is performed in which the transmitted confirmation signal is authenticated by the authentication system,
If the authentication confirmation process is successful, the authentication request output from the predetermined data processing device or the digital system to the authentication system or the service system connected with the authentication system is successfully processed,
The device authentication information includes:
And device-generated information generated by the user device based on a server generated key generated by the authentication system and transmitted to the user device via the digital system.
21. The method of claim 20, wherein the generating of device authentication information by the user device comprises:
Wherein the user device generates the first device one-time information based on the server creation key, or the second device one-time information based on the server generation key and the terminal identification information received from the digital system via the communication And generating the device authentication information,
The user equipment may further include the terminal identification information of the digital system or the terminal one-time information generated by the digital system in the device authentication information including the first device one-time information or the second device one-time information The authentication method using the user device.
A computer-readable recording medium recording a program for performing the method according to any one of claims 1 to 21.
In a digital system,
A user device communication module for communicating with a user device for authenticating the authentication request;
And a control module for transmitting to the authentication system an acknowledgment signal when the communication with the user device is performed through the user equipment communication module, the confirmation signal including the device authentication information generated by the user device,
By the authentication system,
When the authentication confirmation process of authenticating the device authentication information included in the confirmation signal is successful, the authentication request output from the predetermined data processing device or the digital system to the authentication system or the service system connected with the authentication system is a success process .
The device authentication information includes:
And device one-time information generated by the user device based on a server generation key generated by the authentication system and transmitted to the user device via the digital system.
24. The apparatus of claim 23, wherein the device one-
First device one-time information generated by the user device based on the server creation key; Or second device one-time information generated by the user device based on the server creation key and the terminal identification information of the digital system transmitted to the user device via the communication; ego,
The device authentication information includes:
Wherein the digital system further comprises terminal identification information of the digital system transmitted to the user apparatus or terminal one-time information generated by the digital system and transmitted to the user apparatus.
25. The digital system of claim 24,
And a terminal one-time information generating module for generating the terminal one-time information.
A communication unit for receiving a confirmation signal output by the digital system when the digital system communicates with a predetermined user device, the confirmation signal including device authentication information generated by the user device;
An authentication unit configured to generate a predetermined server generation key and to perform an authentication verification procedure for authenticating the device authentication information included in the received confirmation signal; And
And a control unit for successively processing an authentication request output from a predetermined data processing apparatus or the digital system to an authentication system or a service system connected to the authentication system when the authentication confirmation procedure in which the device authentication information is authenticated is successful,
The device authentication information includes:
And device one-time information generated by the user device based on the server generation key generated by the authentication unit and communicated from the digital system to the user device via the communication. system.
27. The method of claim 26, wherein the device one-
First device one-time information generated by the user device based on the server creation key; Or second device one-time information generated by the user device based on the server creation key and the terminal identification information of the digital system transmitted to the user device via the communication; ego,
The device authentication information includes:
The terminal identification information of the digital system transmitted to the user apparatus, or the terminal one-time information generated by the digital system and transmitted to the user apparatus.
Communication means for performing communication with the digital system;
And calculation means for, when the communication is performed through the communication means, generating device authentication information,
Wherein the device authentication information generated by the computing means is transmitted to the digital system, and when an acknowledgment signal including the transmitted device authentication information is transmitted to the authentication system by the digital system, An authentication confirmation process is performed,
If the authentication confirmation process is successful, the authentication request output from the predetermined data processing device or the digital system to the authentication system or the service system connected with the authentication system is successfully processed,
The device authentication information includes:
And device one-time information generated by the computing means based on a server generated key generated by the authentication system and delivered via the digital system.
The image processing apparatus according to claim 28,
Generating the first device one-time information based on the server generation key or generating the second device one-time information based on the server generation key and the terminal identification information received from the digital system through the communication, ≪ / RTI &
Wherein said calculating means comprises:
The terminal identification information of the digital system received from the digital system in the device authentication information including the first device one-time information or the second device one-time information, or the terminal identification information of the terminal generated by the digital system and received from the digital system Lt; RTI ID = 0.0 > information, < / RTI >

Images