KR101645705B1 - Method for authentication between devices - Google Patents

Abstract

The present invention relates to an authentication method between a first device and a second device, the authentication method including at least one of a device ID, an authentication code, a random number generation function, a random number generation function, and a key generation function of the first device, 1 < / RTI > equipment and the second equipment, respectively; (B) generating a first random number using the random number generation function and the random number generation function, and generating a first key value using the first random number and the key generation function; (C) transmitting, by the first equipment, an equipment ID cryptographic key obtained by encrypting the equipment ID using the first key value to the second equipment; (D) generating, by the second device, a second random number using the random number generation factor, and generating a second key value using the second random number and the key generation function; The second device decrypts the device ID cryptographic key using the second key value to extract the device ID and encrypts the authentication code corresponding to the extracted device ID using the second key value, (E) transmitting an encryption key to the first device; The first device decrypts the authentication code encryption key using the first key value to extract an authentication code, and performs authentication by comparing the extracted authentication code and the authentication code stored in the first device f).

Description

{METHOD FOR AUTHENTICATION BETWEEN DEVICES}

Embodiments of the present invention relate to authentication methods between devices, and more particularly, to authentication methods between devices in an IOT communication environment.

Modern society is changing from the development of technology to an era in which all things (devices) and people communicate, even though we are not conscious of it. This technology is called the Internet of things (IOT). The key to IOT technology is that all devices perform sensing, information processing, and so on, without human intervention. As communication between these devices becomes possible, each device may be exposed to various risk factors such as hacking, malicious code, and viruses, so authentication between devices needs to be performed.

There are public key encryption and symmetric key encryption methods for encrypting and decrypting data. The public key cryptosystem has a public key and a secret key corresponding thereto in a one-to-one correspondence, and the symmetric key cryptosystem is a method of encrypting and decrypting a public key that is not disclosed.

A public key cryptographic key has a security vulnerability in exchanging key information, and a secret key cryptographic security vulnerability occurs when a secret key is exposed. In addition, although the authentication device uses a certificate for mutual identification, encrypts it with the corresponding key information of the certificate, and decrypts the encrypted information. However, when the authentication information is transmitted through the public network, . For example, in SSL (Secure Socket Layer) and TLS (Transport Layer Security), there is a process of exchanging keys between a client and a server. In addition, a large number of equipments and servers communicating in the IOT environment must receive a certificate verified by a certification authority (CA) in order to secure the reliability of communication. In this case, a high authentication cost is incurred, It is difficult to implement a reliable communication system that is commercialized by existing technologies in a real environment.

In order to solve the problems of the prior art as described above, the present invention complements the drawbacks of existing authentication and encryption algorithms, and it is an object of the present invention to provide an apparatus and a method for encrypting data, It is possible to encrypt and decrypt the data by using a separate key generated by using the equipment ID, authentication code, and random number generation factor. In addition, when the random number generation rule To prevent the error of decryption due to the random number mismatch, thereby proposing an authentication method between the devices.

Other objects of the invention will be apparent to those skilled in the art from the following examples.

According to a preferred embodiment of the present invention, there is provided an authentication method between a first device and a second device, the method comprising the steps of: obtaining a device ID, an authentication code and a random number generation factor of the first device, (A) storing authentication information in the first device and the second device, the authentication information including at least one of the generation functions; (B) generating a first random number using the random number generation function and the random number generation function, and generating a first key value using the first random number and the key generation function; (C) transmitting, by the first equipment, an equipment ID cryptographic key obtained by encrypting the equipment ID using the first key value to the second equipment; (D) generating, by the second device, a second random number using the random number generation factor, and generating a second key value using the second random number and the key generation function; The second device decrypts the device ID cryptographic key using the second key value to extract the device ID and encrypts the authentication code corresponding to the extracted device ID using the second key value, (E) transmitting an encryption key to the first device; The first device decrypts the authentication code encryption key using the first key value to extract an authentication code, and performs authentication by comparing the extracted authentication code and the authentication code stored in the first device f) of the first device and the second device is provided.

The step (a) may be performed through a path other than the data communication path between the first equipment and the second equipment.

Wherein the step (a) may further store the equipment ID of the second equipment in the first equipment and the second equipment, and the step (b) and the step (d) To generate the first key value and the second key value.

Wherein the communication between the first equipment and the second equipment is performed through a TCP-IP protocol, and the step (b) comprises: transmitting an ACK transmission time of the ACK signal transmitted from the first equipment to the second equipment, Wherein the second device generates the first random number by further using the first transmission time calculated through the interval value, and wherein the step (d) includes: generating a SYN-ACK transmission time , The second equipment generates the second random number by further using the ACK reception time at which the ACK signal was received and the second transmission time calculated through the predetermined time interval value.

Wherein the step (b) generates the first random number using an integer value obtained by dividing the first transmission time by a time synchronization error, and the step (d) generates an integer value obtained by dividing the second transmission time by a time synchronization error To generate the second random number.

The authentication information may be stored in a separate authentication module included in the first device.

The authentication module may include a separate power source and an IC chip. When the authentication module is mounted on the first device, a random number generated using the random number generation factor stored in the IC chip and a random number stored in the first device The first device can authenticate the authentication module if the generated random numbers are the same using the generation factor.

The authentication module may be mounted on the authentication module mounting equipment supplied with communication with the power source and may be mounted on the first device separated from the authentication module mounting equipment in a state in which the time synchronization is performed through the time synchronization server, The authentication module and the first device can perform authentication by comparing the generated random numbers using the time information.

And if the first equipment in communication with the second equipment is at least two,

Wherein the authentication information further includes a device identification number of the first device, wherein authentication information for each of the first devices is stored in the second device in step (a), and step (d) The apparatus identification number of the first apparatus that transmitted the ID encryption key may be extracted and the second random number may be generated using the random number generation factor corresponding to the extracted apparatus identification number.

When the communication between the first devices and the second device is performed through the TCP-IP protocol, the extracted device identification number may be physical hardware information of the first device. When the communication between the first devices and the second device is performed through wireless communication, the extracted device identification number may be the communication modem information of the first device.

Wherein the authentication information further includes a device identification number of the first device when the first device communicating with the second device is at least two or more, (C) further transmits, to the second device, an equipment identification number of the first equipment requesting authentication among the first equipment, and the step (d) And generate the second random number using the random number generation factor corresponding to the identified device identification number and the random number generation function.

After the step (f), the first device regenerates the first random number, encrypts the data using at least one of the previously generated random number, the regenerated random number, and the first key value, And the second device regenerates the second random number and decrypts the data using at least one of the previously generated second random number, the regenerated random number, and the second key value, can do.

If the communication between the first device and the second device fails during the data transmission, the communication can be restored using the random number used for the last communication success.

According to another embodiment of the present invention, there is provided an authentication method between a first device and a second device using an authentication server, the method comprising the steps of: obtaining a device ID, an authentication code, a random number generation factor, And registering the authentication information of the first device in the first device, and registering the authentication information of the second device in the first device, the authentication information including at least one of the random number generation function and the key generation function, 2 step (a) of registering with the equipment; Wherein the first device generates a first key value using the first random number generated using the random number generation factor of the first device and the random number generation function and the key generation function, (B) transmitting a first equipment ID encryption key obtained by encrypting the equipment ID of the first equipment and an equipment identification number of the first equipment to the second equipment; (C) transmitting, by the second device, the encrypted first device ID encryption key and the device identification number of the first device to the authentication server; Wherein the authentication server generates a second key value using a second random number generated using a random number generation factor corresponding to the device identification number of the first device and the key generation function, Extracting a first device ID by decrypting the first device ID cryptographic key and generating a first authentication code cryptographic key by encrypting an authentication code corresponding to the extracted first device ID using the second key value, (D) transmitting to the second equipment; (E) sending the first authentication code encryption key to the first device; And the first device decrypts the first authentication code encryption key using the first key value to extract a first authentication code, and extracts the extracted first authentication code and the authentication code registered in the first device (F) performing authentication with the second device by comparing the first device and the second device with each other.

According to the present invention, the device ID and the authentication code, which are used for encrypting data and decrypting the data, are transmitted to an additional path other than the main communication network used between the devices, A separate key generated by using the equipment ID, the authentication code, and the random number generation factor can be used to encrypt and decrypt the data, and the random number generation rule can be previously shared among the devices when the random number is generated, We propose an authentication method between devices that can eliminate the error of decryption.

1 is a block diagram of equipment according to an embodiment of the present invention.
FIG. 2 is a detailed view illustrating an authentication process between devices according to an exemplary embodiment of the present invention. Referring to FIG.
3 is a diagram illustrating an example of a process in which a three-way handshake is performed at the start of mutual communication between a first device and a second device.
4 is a diagram illustrating an authentication method between a first device and a second device.
5 is a flowchart illustrating an authentication method between a first device and a second device using an authentication server according to another embodiment of the present invention.

The details of other embodiments are included in the detailed description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS The advantages and features of the present invention, and the manner of achieving them, will be apparent from and elucidated with reference to the embodiments described hereinafter in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments described below, but may be embodied in various forms. In the following description, it is assumed that a part is connected to another part, But also includes a case in which other elements are electrically connected to each other in the middle thereof. In the drawings, parts not relating to the present invention are omitted for clarity of description, and like parts are denoted by the same reference numerals throughout the specification.

Unlike a public key encryption method in which a key is exchanged for a mutual authentication between a first device and a second device, the present invention provides an authentication method between devices, Key, respectively. Hereinafter, an authentication method for performing mutual authentication without exchanging public keys will be described in more detail.

1 is a block diagram illustrating a configuration of an apparatus according to an embodiment of the present invention.

The apparatus 100 may include a communication unit 110, a control unit 120, a storage unit 130, and an authentication module 140.

The apparatus 100 may include various apparatuses for transmitting and receiving data when authenticated through mutual authentication with other apparatuses. For example, the equipment may include a power terminal device and a smart meter that constitute an Advanced Metering Infrastructure (AMI) in a Smart Grid system. The remote meter reading system is a meter reading system that monitors and controls the power used in each household remotely in a smart grid environment and performs mutual authentication between the devices to transmit the safe amount of power. In such a remote metering system, when a hack occurs in the communication between the power terminal and the smart meter, a problem may arise such that the meter reading amount of the power terminal is manipulated or the personal information of the consumer is exposed. As such, the apparatus of the present invention performs data communication with each other and may include various apparatuses requiring mutual authentication.

The communication unit 110 is for transmitting and receiving data to and from other devices that have been mutually authenticated, and can transmit and receive data between other devices through various communication methods as well as wired and wireless methods. In addition, the communication unit 110 may transmit and receive data using one or more communication methods. For this purpose, the communication unit 110 may include a plurality of communication modules that transmit and receive data according to different communication methods, respectively.

The control unit 120 performs overall control for communication with another device and for mutual authentication.

The storage unit 130 stores programs and data necessary for operation of the apparatus, and stores authentication information required for authentication according to the present invention. Here, the authentication information may include information such as a device ID, an authentication code, a random number generation argument, a random number generation function, and a key generation function.

The storage unit 130 may be an optical storage medium such as a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, a CD-ROM (Compact Disc Read Only Memory), a DVD (Digital Video Disk) A magneto-optical medium such as a floppy disk and a ROM, a random access memory (RAM), and a flash memory.

Storage of the authentication information may be performed through a path other than the data communication path between the first device 100 and the second device 200 because security is important.

In addition, the authentication information can be stored in a separate authentication module 140 that can not be artificially read, and the authentication module 140 allows only authorized devices to read the authentication information. The determination of an access permitted device may be restricted to a device that exists in a particular closed communication network that is not accessible from the outside or to a device with a specific equipment ID. Such an authentication module 140 may be included as part of the device or may be implemented as an independent module for authentication information distribution. Also, the authentication information may be transmitted from the authentication module 140 in an encrypted form such as a block cipher in a secure cipher system when it is transmitted through an electronic method or communication.

The authentication module 140 may include a separate power source and an IC chip. When the authentication module is mounted on the first device 100, the authentication module 140 generates a random number using the random number generation factor stored in the IC chip, The first device 100 authenticates the authentication module 140 as a legitimate authentication module when the random number generated using the random number generation factor stored in advance in the storage unit 130 of the first device 100 is the same, The device ID and the authentication code stored in the authentication module 130 may be stored in the storage unit 130.

The authentication process is performed when the authentication module 140 is installed in the first device 100 because a third party attempts to hack the authentication module 130 installed in the first device 100 .

According to yet another embodiment, the authentication module 140 may be installed in the authentication module mounting equipment to which the power supply and communication are supplied, and is separated from the equipment for mounting the authentication module, 1 equipment. Since the authentication module has its own power source and IC chip, even if the authentication module is separated from the equipment for mounting the authentication module, the authentication module has the current time information without any error for a predetermined time. The control unit 120 of the first device 100 generates a random number in the same manner as the authentication module in the time synchronized state and generates a random number generated by the authentication module after the authentication module is mounted and a random number generated by the control unit 120 The control unit 120 may read the device ID and the authentication code from the authentication module 140 into the storage unit 130. [ The authentication module 140 and the control unit 120 may generate random numbers by further using time information, and may compare them to perform authentication.

FIG. 2 is a detailed view illustrating an authentication process between devices according to an exemplary embodiment of the present invention. Referring to FIG.

Referring to FIG. 2, in order to perform mutual authentication between the first device 100 and the second device 200, the device ID and the authentication code of the first device 100 are stored in the first device 100 and the second device 200, And authentication information including at least one of a random number generation argument and a random number generation function is stored in advance (SlOO). The storage of the authentication information is performed through a path other than the data communication path between the first device 100 and the second device 200 as described above.

Then, the first device 100 generates a first random number using a random number generation factor and a random number generation function for mutual authentication with the second device 200, and generates a first random number using a first random number and a key generation function, (S110).

Here, the random number generation factor F is a mutually agreed factor between the first device 100 and the second device 200 for generating a random number. When the first device 100 is authenticated, Generate a random number through an argument (F).

More specifically, the first random number is generated by Equation (1) below, and the first key value can be generated by Equation (2) below.

는 제1 난수, fn()은 난수 생성 함수, F는 난수 생성 인수를 각각 의미한다.here,

Denotes a first random number, fn () denotes a random number generating function, and F denotes a random number generating factor.

는 제1 키값, fk()는 키 생성 함수를 각각 의미한다.here,

(K) denotes a first key value, and fk () denotes a key generation function.

The random number generation function and the key generation function are values previously stored in the first device 100 and the second device 200 in step S100 and the first device 100 and the second device 200 are the same Generating a random number If you generate a random number through a factor, the same key value will be generated

The first device 100 generates the device ID encryption key by encrypting the device ID of the first device 100 using the first key value in operation S120 and transmits the device ID encryption key to the second device 200, (S130).

The second device 200 receiving the equipment ID encryption key generates a second random number by using the random number generating function and the random number generating function and generates a second key value using the second random number and the key generating function ). if. If the same random number generation factor, random number generation function, and key generation function as those of the first device 100 are stored in the second device 200, the second random number and the second key value, which are equal to the first random number and the first key value, Will be generated. The second random number and the second key value may be generated through Equations (3) and (4) below.

는 제2 난수를 의미한다.here,

Means a second random number.

는 제2 키 값을 의미한다.here,

Quot; means a second key value.

The second device 200 decrypts the device ID encryption key using the second key value to extract the device ID (S150).

Then, the authentication code stored in the second device 200 is encrypted using the second key value to generate the authentication code encryption key (S160). Thereafter, the authentication code encryption key is transmitted to the first device 100, (S170).

The first device 100 extracts the authentication code by converting the authentication code encryption key into the authentication code using the first key value (S175), and compares the extracted authentication code and the authentication code stored in the first device 100 ( S180).

If the extracted authentication code is identical to the authentication code stored in the first device 100, it is determined that the mutual authentication between the first device 100 and the second device 200 is performed. 2 equipment 200 (S185).

It is determined that the authentication between the first device 100 and the second device 200 has failed and the first device 100 and the second device 200 200) (S190).

In operation S185, the first device 100 regenerates the first random number, encrypts the data using at least one of the previously generated random number, the regenerated random number, and the first key value, 200, and the second device regenerates the second random number every time the second data is transmitted, and uses at least one of the previously generated second random number, the re-generated second random number, and the key value Data can be decoded. That is, the present invention can increase data security by encrypting data using a random number generated in the first device and the second device.

For example, assuming that the data to be initially transmitted is P1, the data to be transmitted next is P2, and the data to be transmitted N-th in this way is Pn

,

,

,

,

와 같이 암호화 하고, 이것을 복호화한 결과는

으로 복호화되어서, 데이터와 다음번 데이터 암호화에 사용될 난수 값을 알 수 있어야 한다. 데이터를 받은 제2 장비(200)는 암호문을 복호화하여 데이터와 난수로 분리한다. 이 난수는 다음 번에 전송될 데이터의 복호화에 사용된다.

And the result of decoding this is

To be able to know the data and the random value to be used for the next data encryption. The second device 200 receives the data and decrypts the cipher text into data and random numbers. This random number is used to decrypt the data to be transmitted next time.

The actual implementation is

,

,

≪ / RTI >

과 같이 난수를 생성하는 함수인 fn()에 인수로 c를 사용하여 난수를 생성하고, 이 c를 함께 전송하는 구현도 가능하다. 또한, 난수를 통신상으로 전송하지 않고, 난수 생성 함수만 공유하여 암호화하고 복호화 하는 것도 가능할 것이다.

It is also possible to generate a random number using c as an argument to fn (), a function that generates a random number, as shown below, and then send this c together. It is also possible to encrypt and decrypt the random number generation function by sharing only the random number generation function without transmitting the random number to the communication.

In addition, the present invention can recover the communication using the random number used for the last communication success if the communication fails during data transmission between the first device and the second device.

Since the devices store authentication information such as device ID, authentication code, random number generation factor, random number generation function, and key generation function in advance, each device can generate the same random number and key value, There is no need to exchange information. Accordingly, there is no security vulnerability problem occurring in exchanging the key information of the conventional public key encryption authentication method.

In addition, the present invention resets authentication between the first device 100 and the second device 200 when a communication connection is attempted again after data transmission between the first device 100 and the second device 200 is completed do. The random number generation function of the present invention generates random numbers different from the random numbers generated in the random number generation so that the first and second devices are generated in the first device and the second device every time the first device 100 and the second device 200 authenticate The key value is changed every time, and the security reliability is improved.

According to an embodiment of the present invention, when it is impossible to generate a key value having a sufficient length only by a random number, the first key value and the second key value may be generated by further using the ID of the second device, . To this end, the first device and the second device may further store the device ID of the second device.

는 제2 장비의 ID를 의미한다.here,

Means the ID of the second device.

Since the first device knows the device ID of the second device in advance when performing authentication with the second device, it is possible to generate the first key value by further using the device ID of the second device as described above, 2 device generates a second key value by further using its own device ID.

According to another embodiment of the present invention, the communication between the first device 100 and the second device 200 is performed through the TCP-IP protocol and the time synchronization between the devices using the NTP (Network Time Protocol) , Time information can be further used to generate a random number having a high level of reliability. The first device 100 and the second device 200 store a random number generation factor F set in advance. With this random number generation factor, each device can convert NTP time to msec and generate a random number with this value.

However, when communication between the first device 100 and the second device 200 is delayed due to a computation time of each device or a transmission time of the communication network, a random number generated upon data transmission and a random number generated upon reception It can be different. To minimize these errors, each device minimizes random number generation errors by using time at a certain point in the process of three-way-handshake of TCP-IP when communicating with each other. Here, three-way-handshake means a process of establishing a session with an opponent device in advance in order to guarantee correct transmission of data before the device communicating using the TCP-IP protocol.

3 is a diagram illustrating an example of a process in which a three-way handshake is performed at the start of mutual communication between a first device and a second device.

3, the first device 100 transmits a SYN signal to the second device 200 at the start of communication with the second device 200, and the second device 200 transmits a SYN-ACK signal to the first device 200 To the equipment (100). The first equipment 100 transmits an ACK signal to the second equipment 200 to establish a session.

) 및 기 설정된 시간 구간 값(D)을 통해 산출된 제1 전송시간을 더 이용하여 제1 난수를 생성할 수 있다.The first equipment 100 transmits the ACK transmission time (the first equipment 100 transmits the ACK signal to the second equipment)

) And the first transmission time calculated through the predetermined time interval value (D) to generate the first random number.

)을 알 수 없으므로, 제2 장비(100)는 ACK 수신 시간(

)에서 SYN-ACK 전송 시간 (

)를 빼서 2로 나누어서 구한 추정 ACK 전송시간(

) 및 기 설정된 시간 구간 값(D)을 통해 산출된 제2 전송시간을 더 이용하여 제2 난수를 생성할 수 있다. In addition, the second device 200 transmits the ACK transmission time (

), The second equipment 100 can not know the ACK reception time (

) To the SYN-ACK transmission time (

) And subtracting the estimated ACK transmission time (

) And the second transmission time calculated through the predetermined time interval value (D), to generate the second random number.

Since an error may occur between the actual ACK transmission time and the estimated ACK transmission time, the error between the actual ACK transmission time and the estimated time of the ACK transmission can be reduced by using a predetermined time interval value obtained by dividing the time by a predetermined unit.

The first transmission time and the second transmission time are expressed by Equation (6) below.

는 제1 전송시간,

는 제2 전송시간, MOD()는 나머지 함수를 각각 의미한다. here,

A first transmission time,

And MOD () denotes a remaining function, respectively.

)이 10040msec이며, 추정 ACK 전송시간(

)가 10038msec 이며, 시간 구간 값(D)가 500인 경우 제1 전송시간

= 10040 - 40(10040을 500으로 나눈 나머지 값) = 10000이며, 제2 전송시간

= 10038 - 38(10038을 500으로 나눈 나머지 값) = 10000으로 동일한 시간이 산출됨을 알 수 있다. 이와 같이 본 발명은 제1 장비(100)와 제2 장비(200)간의 시간 동기화 값인 제1 전송시간 및 제2 전송시간을 더 이용하여 동일한 제1 난수 및 제2 난수를 생성함으로써 높은 수준의 신뢰성을 가진 난수를 생성할 수 있다.For example, the ACK transmission time (

) Is 10040 msec, and the estimated ACK transmission time (

) Is 10038 msec. When the time interval value D is 500, the first transmission time

= 10040 - 40 (remainder value obtained by dividing 10040 by 500) = 10000, and the second transmission time

= 10038 - 38 (the remainder value obtained by dividing 10038 by 500) = 10000, the same time is calculated. As described above, the present invention generates the same first random number and second random number using the first transmission time and the second transmission time, which are time synchronization values between the first device 100 and the second device 200, Can be generated.

According to an embodiment of the present invention, in order to eliminate the time synchronization error between the first device 100 and the second device 200, the first device 100 and the second device 200 may transmit the first transmission time And an integer value obtained by dividing the second transmission time by the time synchronization error (AC), to generate the first random number and the second random number, respectively. This can be expressed by Equation (7) below.

는 제1 전송시간을 시각 동기화 오차(AC)로 나눈 정수 값,

는 제2 전송시간을 시각 동기화 오차로 나눈 정수 값을 각각 의미한다.here,

Is an integer value obtained by dividing the first transmission time by the time synchronization error (AC)

Represents an integer value obtained by dividing the second transmission time by the time synchronization error.

According to another embodiment of the present invention, as shown in FIG. 4, there may be a plurality of first devices 100-1, 100-2, ..., 100-n communicating with the second device 200. FIG. In this case, if the second device 200 receives an authentication request from any one of the first devices, it can not know the random number generation factor of the other party. In order to solve such a problem, in step S100, the second device 200 acquires the device IDs of the first devices 100-1, 100-2, ..., 100-n in step S100, Authentication information, authentication code, random number generation factor, and equipment identification number. Also, the first devices may further store their device identification number information in the existing authentication information.

If the second device 200 knows the device identification number of the first device requesting authentication, it generates the same random number and key value as the first device requesting authentication using the random number generation factor corresponding to the device identification number Authentication can be performed.

The device identification numbers 100-1, 100-2, ..., 100-n of the first devices stored in the second device 200 correspond to hardware information of a communication device transmitted through a network layer of the OSI 7 Layer (MAC Address), or communication modem information of the first device in a wireless environment. That is, when the equipment identification number of the first equipment is the MAC address or the communication modem information, the second equipment 200 can extract the equipment identification number of the first equipment in the process of communicating with the first equipment requesting the certification. Accordingly, the second device 200 may extract the device identification number of the first device requesting authentication in step S140, and generate a second random number using the random number generation factor corresponding to the extracted device identification number have. In this case, the first device requesting authentication does not need to transmit a separate device identification number to the second device 200. [

However, when the hardware information of the other party can not be obtained as in the communication environment in which the private network is interfaced, or when a plurality of devices use one communication hardware, the second device 200 transmits the device identification number of the first device requesting authentication Can not be extracted. In this case, the first device requesting the authentication transmits its own device identification number to the second device 200 together with the device ID encryption key in step S130, and the second device 200 transmits the device identification number to the second device 200 in step S140. The second random number may be generated using the random number generation factor corresponding to the equipment identification number received in step < RTI ID = 0.0 >

5 is a flowchart illustrating an authentication method between a first device and a second device using an authentication server according to another embodiment of the present invention.

5, authentication information including at least one of a device ID, an authentication code, a random number generation factor, a device identification number, a random number generation function, and a key generation function of each of the first device 100 and the second device 200, The authentication information of the first device 100 is registered in the first device 100 and the authentication information of the second device 200 is registered in the second device.

When authentication between the first device 100 and the second device 200 is performed using the authentication server 300, first, in a state where the mutual authentication between the second device 200 and the authentication server 300 is performed, The second device 200 transmits the authentication information to the authentication server 300 and transmits the authentication information from the authentication server 300 to the first device 200. [ And transmits the authentication code to the first device 100.

More specifically, in step S200, the second device 200 generates a third key value using the third random number generated using the random number generation factor and the random number generation function of the second device 200, And transmits the third equipment ID encryption key obtained by encrypting the equipment ID of the second equipment 200 and the equipment identification number of the second equipment 200 to the authentication server 300 using the third key value .

The authentication server 300 generates a fourth key value using the fourth random number generated using the random number generation factor corresponding to the equipment identification number of the second device and the key generation function in step S210, Extracting a second device ID by decrypting the second device ID cryptographic key using the fourth key value, generating a second authentication code by encrypting the authentication code corresponding to the extracted second device ID using the fourth key value, And transmits the encryption key to the second device (200).

The second device 200 and the authentication server 300 extract the second authentication code by decrypting the second authentication code encryption key using the third key value and transmit the extracted second authentication code to the second device 200, It is determined that authentication with the authentication server 300 has been performed.

Then, in step S220, the first device 100 generates a first key value using the first random number generated by using the random number generating function of the first device 100, the first random number generated using the random number generating function, And transmits the first equipment ID encryption key and the equipment identification number of the first equipment 100 that have encrypted the equipment ID of the first equipment 100 to the second equipment 200 using the first key value .

The second device 200 transmits the first device ID encryption key and the device identification number of the first device 100 to the authentication server 300 in step S230.

Then, in step S240, the authentication server 300 transmits the second random number generated using the random number generation factor corresponding to the device identification number of the first device and the second random number generated using the key generation function to the second Extracts a first device ID by decrypting the first device ID cryptographic key using the second key value, extracts a first device ID corresponding to the extracted first device ID using the second key value, And transmits the first authentication code encryption key that has been encrypted with the authentication code to the second device 200. [

Then, in step S250, the second device 200 transmits the first authentication code encryption key to the first device.

Finally, the first device decrypts the first authentication code encryption key using the first key value to extract a first authentication code, and extracts the first authentication code and the first authentication code, which are registered in the first device 100 And compares the authentication code and performs authentication with the second device.

As described above, the present invention has been described with reference to particular embodiments, such as specific elements, and specific embodiments and drawings. However, it should be understood that the present invention is not limited to the above- And various modifications and changes may be made thereto by those skilled in the art to which the present invention pertains. Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described, and all of the equivalents or equivalents of the claims, as well as the following claims, belong to the scope of the present invention .

100: first equipment 110: communication unit
120: control unit 130:
140: authentication module 200: second device
300: authentication server

Claims (18)

In an authentication method between a first device and a second device,
(A) storing authentication information including at least one of a device ID, an authentication code, a random number generation factor, a random number generation function, and a key generation function of the first device in the first device and the second device, respectively;
(B) generating a first random number using the random number generation function and the random number generation function, and generating a first key value using the first random number and the key generation function;
(C) transmitting, by the first equipment, an equipment ID cryptographic key obtained by encrypting the equipment ID using the first key value to the second equipment;
(D) generating, by the second device, a second random number using the random number generation factor, and generating a second key value using the second random number and the key generation function;
The second device decrypts the device ID cryptographic key using the second key value to extract the device ID and encrypts the authentication code corresponding to the extracted device ID using the second key value, (E) transmitting an encryption key to the first device;
The first device decrypts the authentication code encryption key using the first key value to extract an authentication code, and performs authentication by comparing the extracted authentication code and the authentication code stored in the first device f)
Wherein the first random number generated by the first device and the second random number generated by the second device are the same random number, and each time data communication between the first device and the second device is attempted, (f), and the random number generated in the first device and the second device is different from the random number generated in the previous authentication step. The method according to claim 1,
Wherein the step (a) is performed through a path other than the data communication path between the first equipment and the second equipment. The method according to claim 1,
The step (a) may further store the equipment ID of the second equipment in the first equipment and the second equipment,
Wherein the step (b) and the step (d) further generate the first key value and the second key value by further using the device ID of the second device. Way. The method according to claim 1,
Wherein communication between the first device and the second device is performed through a TCP-IP protocol,
The step (b) further generates the first random number by further using the first transmission time calculated based on the ACK transmission time and the predetermined time interval value in which the first equipment transmits the ACK signal to the second equipment ,
Wherein the step (d) includes: a SYN-ACK transmission time at which the second equipment transmits a SYN-ACK signal to the first equipment; an ACK reception time at which the second equipment receives the ACK signal; And generating the second random number by further using a second transmission time calculated through the first transmission time and the second transmission time. 5. The method of claim 4,
Wherein the step (b) generates the first random number using an integer value obtained by dividing the first transmission time by a time synchronization error,
Wherein the step (d) generates the second random number using an integer value obtained by dividing the second transmission time by the time synchronization error. 6. The method of claim 5,
Wherein the first random number is generated using the following equation.

here,

A first transmission time,

, MOD is a remaining function, D is a preset time interval value, Ac is the time synchronization error,

Is an integer value obtained by dividing the first transmission time by the time synchronization error,

Is a first random number, fn () is a random number generating function, and F is a random number generating rule. 6. The method of claim 5,
Wherein the second random number is generated using the following equation.

here,

The estimated ACK transmission time,

SYN-ACK transmission time,

ACK reception time,

, MOD is the remaining function, Ac is the time synchronization error,

Is an integer value obtained by dividing the second transmission time by the time synchronization error,

Is a second random number, fn () is a random number generating function, and F is a random number generating rule. 3. The method of claim 2,
Wherein the authentication information is stored in a separate authentication module included in the first device. 9. The method of claim 8,
The authentication module may include a separate power source and an IC chip. When the authentication module is mounted on the first device, a random number generated using the random number generation factor stored in the IC chip and a random number stored in the first device Wherein the first device authenticates the authentication module when the generated random number is equal to the generated random number. 10. The method of claim 9,
The authentication module may be mounted on the authentication module mounting equipment supplied with communication with the power source and may be mounted on the first device separated from the authentication module mounting equipment in a state in which the time synchronization is performed through the time synchronization server, Wherein the authentication module and the first device compare the generated random numbers by further using time information to perform authentication. The method according to claim 1,
And if the first equipment in communication with the second equipment is at least two,
Wherein the authentication information further includes a device identification number of the first device,
In the step (a), authentication information for each of the first devices is stored in the second device,
Wherein the step (d) extracts a device identification number of the first device that transmitted the device ID encryption key, and generates the second random number by using a random number generation factor corresponding to the extracted device identification number The authentication method between the first device and the second device. 12. The method of claim 11,
Wherein when the communication between the first devices and the second device is performed through the TCP-IP protocol, the extracted device identification number is physical hardware information of the first device. Authentication method between equipment. 12. The method of claim 11,
Wherein when the communication between the first devices and the second device is performed through wireless communication, the extracted device identification number is the communication modem information of the first device, and the authentication between the first device and the second device Way. The method according to claim 1,
And if the first equipment in communication with the second equipment is at least two,
Wherein the authentication information further includes a device identification number of the first device,
In the step (a), authentication information for each of the first devices is stored in the second device,
Wherein the step (c) further transmits, to the second device, the device identification number of the first device requesting authentication among the first devices,
Wherein the step (d) generates the second random number using a random number generation factor corresponding to the received equipment identification number and the random number generation function. The method according to claim 1,
After the step (f)
Wherein the first device regenerates the first random number and transmits data to the second device by encrypting the data using at least one of the previously generated random number, the regenerated random number, and the first key value,
Wherein the second device recovers the second random number and decrypts the data using at least one of a previously generated second random number, the regenerated random number, and the second key value. Authentication method between the device and the second device. 16. The method of claim 15,
Wherein the communication is restored by using a random number used for success in the final communication if communication fails during data transmission between the first device and the second device. An authentication method between a first device and a second device using an authentication server,
And registers authentication information including at least one of a device ID, an authentication code, a random number generation factor, an equipment identification number, a random number generation function, and a key generation function of each of the first device and the second device in the authentication server, (A) registering the authentication information of the first device in the first device and the authentication information of the second device in the second device;
Wherein the first device generates a first key value using the first random number generated using the random number generation factor of the first device and the random number generation function and the key generation function, (B) transmitting a first equipment ID encryption key obtained by encrypting the equipment ID of the first equipment and an equipment identification number of the first equipment to the second equipment;
(C) transmitting, by the second device, the encrypted first device ID encryption key and the device identification number of the first device to the authentication server;
Wherein the authentication server generates a second key value using a second random number generated using a random number generation factor corresponding to the device identification number of the first device and the key generation function, Extracting a first device ID by decrypting the first device ID cryptographic key and generating a first authentication code cryptographic key by encrypting an authentication code corresponding to the extracted first device ID using the second key value, (D) transmitting to the second equipment;
(E) sending the first authentication code encryption key to the first device; And
The first device decrypts the first authentication code encryption key using the first key value to extract a first authentication code, and compares the extracted first authentication code and the authentication code registered in the first device (F) performing authentication with the second device,
The second random number generated by the authentication server generated by the first device is the same and the step (b) to step (f) are re-performed each time data communication between the first device and the second device is attempted Wherein the first device and the authentication server generate a random number different from the random number generated in the previous authentication step. 18. The method of claim 17,
Prior to step (b) above,
Wherein the second device generates a third key value using the third random number generated using the random number generation factor of the second device and the random number generation function and the key generation function, Transmitting a third equipment ID encryption key obtained by encrypting the equipment ID of the second equipment and an equipment identification number of the second equipment to the authentication server;
The authentication server generates a fourth key value using the fourth random number generated using the random number generation factor corresponding to the device identification number of the second device and the key generation function, Extracting a second device ID by decrypting the second device ID encryption key, and encrypting a second authentication code encryption key obtained by encrypting an authentication code corresponding to the extracted second device ID using the fourth key value, Transmitting to the equipment;
The second device decrypts the second authentication code encryption key using the third key value to extract a second authentication code, and compares the extracted second authentication code and the authentication code registered in the second device And performing authentication with the authentication server by using the authentication server.

Images