KR101651563B1 - Using history-based authentication code management system and method thereof - Google Patents
- Publication number
- KR101651563B1 (application KR1020160003097A)
- Authority
- KR
- South Korea
- Prior art keywords
- authentication
- authentication code
- history
- user
- computer
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
Abstract
The present invention relates to a use history-based authentication code management system and method. The system includes authentication participation means, executed on a user terminal and connected to an authentication computer, through which the user takes part in user authentication. The authentication computer includes: authentication code generation management means, which receives and stores the authentication code sent from the user terminal together with the usage condition data of that code; authentication code use condition management means, which checks whether the usage condition of the authentication code is satisfied when the user terminal requests to use the code; authentication code use management means, which performs the user authentication process when the usage condition is satisfied; and authentication code history management means, which records the generation history and the usage history of the authentication code in a table and stores that history.
Description
The present invention relates to a use history-based authentication code management system and method. More particularly, it relates to generating and managing an authentication code that substitutes for a password, based on user participation and on use and reservation history. Managing the use of a password or authentication code is a security matter that involves integrity, confidentiality and availability, and the same applies to the authentication code that replaces the password. In particular, whereas a password relies on confidentiality alone, the authentication code introduces a further role: every execution and command requested of the authentication system is recorded, the user can make a reservation and confirm the reservation history at any time, and this environment allows an unusual integrity verification process to be applied.
User authentication technology is becoming ever more important as most individual activity moves online. Many user authentication techniques have been developed, but there is no fundamental countermeasure against the exposure of a password in the everyday situations in which a user employs a secret key. Strengthening password protection lowers convenience, and improving convenience increases password exposure: a dilemma. Current authentication systems rely on encryption technology or on a third-party certification authority; but once a secret (secret key) is exposed, the user must first notice that an incident has occurred, and until then whoever presents the secret is assumed to be the user. Because the password is the means by which the user is recognised online, an attacker (such as a hacker) can concentrate on a single sharp point of attack, while the defender must cope with every possibility and is therefore at a disadvantage. In addition, existing authentication techniques are limited when the internal administrator of the authentication system is to take part in the security of the user's password.
Korean Patent No. 10-1436404 (registered on August 26, 2014) has patented a device and method for authenticating a user (hereinafter referred to as "404 invention").
The user authentication apparatus of that patent includes: an information acquisition unit that obtains the terminal identification information of the communication terminal requesting user authentication; a terminal history confirmation unit that looks up the terminal authentication history corresponding to that identification information; a history comparison unit that compares the looked-up terminal authentication history with a predetermined condition, such as an authentication request time or a preset number of authentication requests, and selects the user for verification according to the result; a user history confirmation unit that, when a verification target is selected, looks up the user authentication history corresponding to the user identification information of the user currently being authenticated; a verification method determination unit that decides the verification method from the authentication method information in that history; a user verification unit that performs user authentication according to the authentication method requested by the communication terminal or the verification method decided by the determination unit; and a history update unit that updates the terminal authentication history and the user authentication history stored in the database unit with the user identification information, terminal identification information, authentication method information, authentication time information and authentication result information. Its stated advantage is that an illegitimate user cannot easily pass the user authentication procedure, so the security of the procedure is enhanced.
Korean Patent No. 10-1523340 (registered on May 20, 2015) has been patented for a history-based use authentication system and its method (hereinafter referred to as "340 invention").
The method of that patent comprises: the user terminal communicating with a history management computer and receiving user approval; the user terminal requesting the user's history management record from the history management computer; the history management computer transmitting the user's history record book to the user terminal; the user terminal transmitting to the history management computer a service provider, a temporary password for use, and a usage condition entered in the user's history management record; the history management computer storing the user's history management book; the user terminal accessing a service computer operated by the service provider and transmitting the user information and the temporary password to it; the service computer performing user authentication on the transmitted user information and then transmitting the user information, the temporary password and the service computer information to the history management computer to request authentication; the history management computer, on the basis of the transmitted user information, comparing the service computer information and provisional password recorded in the user's history record book with the service computer information and temporary password sent by the service computer; if they match, the history management computer comparing the usage time information of the temporary password recorded in the history management record with the time elapsed since the temporary password was recorded; and the history management computer transmitting provisional-password-unavailable information to the service computer when the elapsed time exceeds the usage time information, and provisional-password-available information when it does not.
In the 404 invention, the terminal authentication history is checked, a predetermined condition (a preset authentication request time or a preset number of authentication requests) is compared with that history, the user is selected for verification according to the result, the user authentication history corresponding to the selected user's identification information is confirmed, the verification method is determined from the authentication method information in that history, and authentication of the communication terminal is performed accordingly. Because authentication is driven entirely by the terminal authentication history and the user authentication history, the user cannot take part directly in generating the authentication code or in the authentication process, so the conventional security problems remain as they are; and since the configuration cannot perform reserved rather than real-time authentication, it is also poor in ease of use.
In the 340 invention, the user sets a temporary password and a use condition; when an authentication request arrives from the user terminal, the user's temporary password is looked up on the history management computer and user authentication is performed according to the result. However, because the user cannot take part directly in the process of generating and authenticating the authentication code, the conventional security weakness remains, and convenience is poor.
Therefore, what is needed in user authentication is an invention in which the user participates directly in the password authentication process, password exposure is handled efficiently, the authentication technology is convenient to use, and the user, who is the root of the vulnerability to password exposure, can directly perform forgery verification using their own history of password use and reservation records.
It is an object of the present invention to solve the above problems of the prior art and to provide a usage history-based authentication code management system and method in which the user can participate in the password authentication process, which is convenient to use, and in which the user can directly perform forgery verification using their own password history and reservation history.
According to a first aspect of the present invention, there is provided a system comprising: an authentication computer that performs user authentication, in response to a user's authentication request, by checking conditions such as the stored authentication code and its use reservation period; a user information database, communicatively connected to or contained in the authentication computer, that stores the user information and user terminal information of the user making the authentication request; authentication participation means, executed in the user terminal and connected to the authentication computer by a communication means, with which the user generates an authentication code in the authentication computer, reads the authentication code generation and use history, and uses the authentication code; a service computer, connected to the authentication computer and the user terminal, that forwards a user authentication request to the authentication computer in response to a user's authentication request and provides a predetermined service to the user terminal once user authentication is completed; and a service information database, communicatively connected to or contained in the service computer, that stores the predetermined service information to be provided to the user terminal and the user information of users who request authentication.
The user generates an authentication code that includes use reservation period information using the authentication participation means executed in the user terminal, stores it in the authentication computer, and accesses the authentication computer to check the authentication code generation and use history. The authentication code can be used once the condition of the use reservation period is satisfied. A use history-based user authentication system is thereby provided.
According to a second aspect of the present invention, there is provided a system comprising: a service computer with an authentication management unit that performs user authentication, in response to a user's authentication request, by checking conditions such as the stored authentication code and its use reservation period, and that provides a predetermined service to the user terminal requesting authentication once user authentication is completed; a service information database, communicatively connected to or contained in the service computer, that stores the service information to be provided to the user terminal, together with a user information database that stores the user information and user terminal information; and authentication participation means, executed in the user terminal, that accesses the service computer by a communication means to transmit the authentication code to be held by the authentication management unit, to view the authentication code generation and use history, and to use the authentication code.
The user generates an authentication code including use reservation period information using the authentication participation means executed in the user terminal, stores it in the authentication management unit of the service computer, and is provided with means to access the authentication management unit and check and view the history. The authentication code can be used once the condition of the use reservation period is satisfied. A use history-based user authentication system is thereby provided.
According to a third aspect of the present invention, there is provided a user authentication method comprising: the user terminal receiving an authentication code entered into the authentication participation means; the user terminal combining the authentication code with the use reservation period information selected or entered in the authentication participation means to produce an inactive authentication code, transmitting it to the authentication management unit of the authentication computer or service computer, and that unit storing it; the user terminal receiving the authentication code entered into the authentication participation means when the user wishes to use it; the user terminal sending the authentication code information to the authentication management unit of the authentication computer or service computer to query the use condition of the authentication code; the authentication management unit of the authentication computer or service computer performing the authentication code use processing when the use condition is satisfied; and the authentication management unit of the authentication computer or service computer storing the usage history of the user's authentication code.
According to a fourth aspect of the present invention, the method of the third aspect further comprises: the user terminal receiving an authentication code generation and use history browsing request entered into the authentication participation means and forwarding it to the authentication management unit of the authentication computer or service computer; and that authentication management unit transmitting the authentication code generation and use history information to the user terminal.
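The third and fourth aspects above, together with the reservation-period and confidentiality definitions later in the description, describe a lifecycle that is easier to follow in code. The following is an added example written for this page, not code from the patent or its applicant. It assumes details the patent text does not fix: that the newest pre-record row of a user is the only candidate code, that the code becomes usable once its reservation period has elapsed, and that one successful use consumes it. The class name HistoryBasedAuth, the row fields, the user name and the sample times are all constructed.

```python
from datetime import datetime, timedelta, timezone
from secrets import compare_digest


class HistoryBasedAuth:
    """Append-only pre-record (generation) and post-record (use) tables.

    Assumptions not fixed by the patent text: the newest pre-record row of a
    user is the only candidate code, it becomes usable once its reservation
    period has elapsed, and a single successful use consumes it.  Rows are
    never edited or deleted; the state of a code is derived from the tables.
    """

    def __init__(self):
        self.pre_record = []   # generation history
        self.post_record = []  # use history

    def generate(self, user, code, reservation_period, now):
        """Register an inactive code.  It is kept in clear, as the text allows,
        because it does nothing before active_from and the user can see it."""
        row = {
            "id": len(self.pre_record) + 1,
            "user": user,
            "code": code,
            "created": now,
            "active_from": now + reservation_period,
        }
        self.pre_record.append(row)
        return row["id"]

    def _candidate(self, user):
        rows = [r for r in self.pre_record if r["user"] == user]
        return rows[-1] if rows else None

    def _consumed(self, code_id):
        return any(p["code_id"] == code_id and p["result"] == "ok"
                   for p in self.post_record)

    def use(self, user, code, now, service="", description=""):
        """Check the use condition, record the attempt, return the result."""
        row = self._candidate(user)
        if row is None:
            result = "no-code"
        elif self._consumed(row["id"]):
            result = "already-used"
        elif now < row["active_from"]:
            result = "reserved"        # still inside the reservation period
        elif not compare_digest(row["code"], code):
            result = "mismatch"
        else:
            result = "ok"
        self.post_record.append({
            "code_id": row["id"] if row else None,
            "user": user,
            "time": now,
            "service": service,
            "description": description,
            "result": result,
        })
        return result

    def history(self, user):
        """The generation and use history the user can browse at any time."""
        pre = [r for r in self.pre_record if r["user"] == user]
        post = [p for p in self.post_record if p["user"] == user]
        return pre, post


def demo():
    """Constructed walk-through: one code with a 24-hour reservation period."""
    auth = HistoryBasedAuth()
    t0 = datetime(2016, 1, 1, 9, 0, tzinfo=timezone.utc)

    def h(n):
        return t0 + timedelta(hours=n)

    auth.generate("alice", "winter-2016-code", timedelta(hours=24), t0)
    results = [
        auth.use("alice", "winter-2016-code", h(1), "shop", "too early"),
        auth.use("alice", "wrong-guess", h(25), "shop", "attacker guess"),
        auth.use("alice", "winter-2016-code", h(25), "shop", "genuine use"),
        auth.use("alice", "winter-2016-code", h(26), "shop", "replay"),
    ]
    # Someone who learned Alice's login registers a fresh code: it is inactive
    # for 24 hours and appears in her history, so she can notice it in time.
    auth.generate("alice", "intruder-code", timedelta(hours=24), h(27))
    pre, post = auth.history("alice")
    return results, len(pre), len(post)
```

The state of a code is never written back into the pre-record table; it is derived from the post-record rows, which keeps both tables append-only as the history-based definition requires. The intruder's code in the demo shows up in history() for the whole 24-hour reservation period before it could authenticate anyone, which is the opportunity for user verification the description relies on.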
According to the present invention, in online use authentication such as on the Internet, security can be maintained even when the confidentiality of data such as a password or authentication code, the integrity of the authentication code, or its availability is compromised. Since the processing for ensuring confidentiality of the data can be omitted, the amount of security processing is reduced. Because the user takes part directly in generating and using the authentication code, security is further enhanced. And since the authentication code use period can be reserved, security is further enhanced in business areas where real-time authentication is not required.
FIG. 1 is a schematic block diagram of an embodiment of a history-based user authentication system according to the present invention.
FIG. 2 is a schematic block diagram of an embodiment of an authentication computer which is a main part of an embodiment of the present invention.
FIG. 3 is a schematic block diagram of an embodiment of a user information database which is a main part of an embodiment of the present invention.
FIG. 4 is a schematic configuration diagram of an embodiment of an authentication code history table generated in an authentication computer, which is a main part of an embodiment of the present invention.
FIG. 5 is an explanatory diagram of the method by which an authentication computer, which is a main part of an embodiment of the present invention, chains hash value processing blocks across a plurality of storage servers.
FIG. 6 is a schematic configuration diagram of an embodiment of a user browse data table that can be requested from and confirmed by an authentication computer, which is a main part of an embodiment of the present invention.
FIG. 7 is a schematic configuration diagram of an embodiment of an authentication participation means executed in a user terminal, which is a main part of an embodiment of the present invention.
FIG. 8 is a schematic block diagram of another embodiment of the history-based user authentication system of the present invention.
FIG. 9 is a flowchart for explaining an embodiment of a usage history-based user authentication method of the present invention.
FIG. 10 is a flowchart for explaining another embodiment of the usage history-based user authentication method of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
To aid understanding of the present invention, the prerequisite knowledge and terminology are defined first. The main security mechanisms fall into four categories: encryption, authentication, authorization and audit. Encryption transforms data so that it cannot be used by anyone who is not authorised. Authentication establishes that a user is who they claim to be; authorization determines which data an authenticated user is allowed to access; and auditing records what data each user processed, so that verification and responsibility can be established afterwards.
Security also has three elements: confidentiality, availability and integrity. Passwords for user authentication require all three.
<Confidentiality>
Confidentiality requires that the content of the data be known only to its owner and to authenticated users. Even if the confidentiality of communication between the parties is ensured, password data stored as plain text in the authentication system cannot be kept confidential from an internal administrator or an external intruder. Existing authentication systems therefore encrypt the password data (in practice usually with a one-way hash) before storing it in the authentication system in order to guarantee its confidentiality.
In the embodiment of the present invention, even if the password data is stored as plain, unencrypted text and is exposed, the data that is actually to be used as a password must first be recorded, and it only takes on the role of a password after a predetermined time (the reservation period) has passed. The role that confidentiality would otherwise play is filled by the opportunity this gives the user to verify the record in the meantime.
<Integrity>
Integrity requires that password data be stored in the authentication system exactly as the user intended and that, if it was not stored as entered, the data's user be able to verify this. The cryptographic techniques used to verify the integrity of data stored in the authentication system include homomorphic encryption, hash functions and signatures.
In the embodiment of the present invention, integrity is handled by a delayed-verification technique: the generation and the use of the password data are separated in time, and the user is given the opportunity to verify the whole process in between.
<Availability>
Availability means that the service is maintained without interruption and that information is provided to authorised parties. It is ensured by backing up information against possible attacks and by protecting against suspected threats.
Availability is essential to the present invention: the user must be able to access the authentication system at any time to view and confirm the password history. If the authentication system is suspended due to force majeure, all password authentication procedures requested before the suspension are stopped, and a record that they were stopped is left in the history.
In addition, for a security service to be performed completely it must span the user terminal used by the user, the authentication system that performs user authentication, and the communication network connecting them; that is, the three phases of access, processing (user terminal and authentication system) and transmission (communication network). The present invention focuses on the generation of security-related data, for example the protection of password data stored in the authentication system, and of the three phases addresses only the prevention of forgery and falsification in the use phase. It proposes a simple configuration by reducing the number of steps in the process of preventing forgery and falsification of security-related data.
The terms necessary to describe the embodiment of the present invention are defined as follows.
<Block chain>
Block chain technology here means the combination of distributed storage, PKI cryptography, P2P communication and a continuously growing chain of linked transactions, as applied in Bitcoin.
In the present invention only the distributed storage and the PKI cryptography are used: the authentication code history information is encrypted and stored on a plurality of storage servers to ensure its security and integrity.
<Password>
The password for user authentication is referred to generically as a secret key. The embodiment of the present invention assumes an ID/PW scheme based on the user's memory, and the PW is referred to as the password. Because the password is a value that only the user knows, of the three elements of security it is confidentiality that is key for it.
<Authentication code>
The authentication code is a concept similar to a password; in the embodiment of the present invention, the data that serves the role of a password is referred to as the authentication code. The difference is that a password, once exposed, can no longer perform its original function of authenticating the user, whereas the authentication code can still perform that role even after exposure.
<User authentication technology>
User authentication techniques verify online whether a user is legitimate. The ID/PW scheme is the representative example; a digital signature with a certified certificate is also applicable.
<Encryption technology>
Cryptographic techniques for integrity can be broadly divided into Message Authentication Codes (MACs) based on a symmetric key and digital signatures based on a public key. In the symmetric-key case, a MAC value over the stored items is generated with a secret key to ensure integrity, and the verifier recomputes the MAC from the stored items and the secret key held by the storage device and compares it. However, if the stored secret key is exposed, tampering with the stored items can be concealed by regenerating the MAC value, and an attack by the administrator who manages the verifier or the storage device cannot be excluded. In the public key case, a digital signature is generated with the private key and verified with the public key. Because two different keys are used, this is safer than the symmetric-key scheme, but it has the inconvenience that the public keys (certificates) must be re-issued at a fixed period (for example, one year): data encrypted in the past may eventually be decrypted by a high-performance computer, so keys must be re-issued to maintain a constant level of confidentiality.
<Non-encryption scheme>
Non-cryptographic techniques related to user authentication are used mainly offline; an example is secret content conveyed face to face, such as through a messenger (destruction).
<Based on user participation>
"User participation based" in the present invention means that the password user participates directly in the verification process for password generation and use, instead of leaving that verification to the system or a third party alone.
<History Based>
"History based" in the embodiment of the present invention means a configuration in which every step of generating and using a password is left as a record, so that the user can use the history information as data for judgment. History information can therefore only be added; it cannot be deleted or changed. The history information is distributed and stored using the block chain technique to counter integrity threats from insiders.
<Reservation>
In the embodiment of the present invention, reserving means recording in advance how a password will be used when it is to be used, much as one reserves a table at a restaurant. When a password-replacement authentication code is created, it is made in advance through such a reservation.
<Reservation period>
In the embodiment of the present invention, when an authentication code is recorded in the authentication system for use, it does not take on its role immediately; its role is suspended for the interval determined by the reservation period.
Further, in the embodiment of the present invention, each constituent of the authentication computer, the user terminal or the service computer may be understood either as the computer program executed on that machine or as the hardware itself.
FIG. 1 is a schematic block diagram of an embodiment of a history-based user authentication system according to the present invention.
As shown in FIG. 1, an
The user generates an authentication code including usage reservation period information by using the authentication participation means 300 executed in the user terminal and stores the authentication code in the
The
The
The user terminal may be connected to the
For example, the user of the user terminal accesses the
The user executes an application of the user terminal to access the
FIG. 2 is a schematic block diagram of an embodiment of an authentication computer which is a main part of an embodiment of the present invention. As shown in FIG. 2, the authentication computer of the present invention includes a user
FIG. 3 is a schematic block diagram of an embodiment of a user information database which is a main part of an embodiment of the present invention. As shown in FIG. 3, the user database of the present invention includes a user for receiving user authentication to use a service provided by the
FIG. 4 is a schematic configuration diagram of an embodiment of an authentication code history table generated in an authentication computer, which is a main part of an embodiment of the present invention. As shown in FIG. 4, the authentication code history table of the present invention consists of a pre-record table, which records the generation history of the authentication code, and a post-record table, which records the use history of the generated authentication code.
In the pre-record table among the above-described authentication code history tables, only one row can always function as an authentication code. Therefore, in the above example, the authentication code of the
The description column of the post-record table records specifically what the authentication code was used for, which makes the entries easier for the user to recognize. A session value column may also be kept in the post-record table. The session value is recorded for the administrator's follow-up rather than for the user, so it is optional. Specifically, when a service restricts certain operations to authorized users, only the user holding the corresponding session value is admitted through session processing; keeping a history of these session values is useful for post-incident response.
The hash chain value is the key value that secures the integrity of the data. It is obtained by encrypting the current row's input value together with the immediately preceding input value under the public key of the next storage server. To manipulate one row, an attacker must therefore know the private key of the next storage server, and to delete a row the data on the linked storage server must be deleted as well, so the highest privileges on every relevant storage server would have to be obtained. The more storage servers participate, the harder such manipulation becomes.
FIG. 5 is an explanatory diagram of the method by which the authentication computer, a main part of an embodiment of the present invention, chains the hash values processed by a plurality of storage servers into blocks. As shown in FIG. 5, each hash value is generated by encrypting the hash value for the next storage server in a block chain manner. In this way, not only the hash values but also the authentication codes themselves can be bundled into a block chain.
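The following Python is an added illustration of the chained history across several storage servers; it is not code from the patent. One caveat a practitioner would raise about the description above: encrypting a value under a public key does not by itself prove who produced it, because anyone holding that public key can compute the same value. The example therefore keys each link with a secret held only by the next storage server (an HMAC standing in for a signature under that server's private key), so that changing or deleting a row on one replica breaks the chain and fails the cross-check against the other nodes. The row contents, server names and keys are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed rows of the pre-record table (not from the patent).
SAMPLE_ROWS = [
    {"order": 1, "code": "enc:a1b2", "created": "2016-01-11T09:00", "reservation": "2d"},
    {"order": 2, "code": "enc:c3d4", "created": "2016-01-12T10:30", "reservation": "30m"},
    {"order": 3, "code": "enc:e5f6", "created": "2016-01-13T08:15", "reservation": "2d"},
]
GENESIS = "0" * 64   # link value before the first row


def canonical(row):
    """Stable byte encoding of a row so every server hashes the same thing."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


class StorageServer:
    """One participating storage server: a replica of the chain plus a secret
    that only this server holds (assumption: an HMAC key standing in for the
    server's private key)."""

    def __init__(self, name, key):
        self.name = name
        self._key = key
        self.chain = []          # list of (row, link) pairs

    def make_link(self, prev_link, row):
        # The link covers the previous link and the current row, as the text
        # describes, and needs this server's key to compute.
        data = prev_link.encode() + canonical(row)
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def check_link(self, prev_link, row, link):
        return hmac.compare_digest(self.make_link(prev_link, row), link)


def linker_for(servers, index):
    """Row `index` is linked by the *next* server in the ring."""
    return servers[(index + 1) % len(servers)]


def append_row(servers, row):
    """Link a new row with the next server's key and replicate it everywhere."""
    index = len(servers[0].chain)
    prev = servers[0].chain[-1][1] if servers[0].chain else GENESIS
    link = linker_for(servers, index).make_link(prev, row)
    for s in servers:
        s.chain.append((dict(row), link))
    return link


def verify_replica(servers, replica):
    """Walk one replica; each link must check under the server that made it,
    so a changed or deleted row breaks the chain from that point on."""
    prev = GENESIS
    for index, (row, link) in enumerate(replica):
        if not linker_for(servers, index).check_link(prev, row, link):
            return False
        prev = link
    return True


def replicas_agree(servers):
    """Cross-check nodes by comparing a digest of each server's whole replica."""
    digests = {hashlib.sha256(json.dumps(s.chain, sort_keys=True).encode()).hexdigest()
               for s in servers}
    return len(digests) == 1


def build_ring(rows, keys):
    """Create the servers from a name -> key mapping and load the rows."""
    servers = [StorageServer(name, key) for name, key in keys.items()]
    for row in rows:
        append_row(servers, row)
    return servers


if __name__ == "__main__":
    ring = build_ring(SAMPLE_ROWS, {"A": b"key-A", "B": b"key-B", "C": b"key-C"})
    print("all replicas verify:", all(verify_replica(ring, s.chain) for s in ring))
    # The administrator of server A edits one row in A's replica only.
    row, link = ring[0].chain[1]
    ring[0].chain[1] = (dict(row, code="enc:evil"), link)
    print("A still verifies:", verify_replica(ring, ring[0].chain))
    print("replicas agree:", replicas_agree(ring))
```

The administrator of one server can recompute links only for the rows that server links (every third row here); the other links need keys that server does not hold, which is the property the text attributes to the plurality of storage servers.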
FIG. 6 is a schematic configuration diagram of an embodiment of the usage history browsing screen that the authentication computer provides so that the user can check it on request.
For an authentication code to play its role it must be random, like a password. Because the present invention concerns management-code-based authentication codes, uniqueness and memorability are additionally required. Randomness means that another party cannot predict the authentication code (password); uniqueness means that no two records are identical; memorability is the property that supports the user's short-term memory of the code.
As shown in FIG. 6, these three properties are obtained as follows. First, randomness is ensured by allowing the user to change the authentication code at any time. Second, uniqueness cannot be guaranteed by the value in the authentication code cell alone, so it is combined with the other attribute values of the row (order number, creation date, use frequency, end date); together these attributes distinguish the row from every other row. Third, memorability is supported by the history information and by the creation dates of the authentication codes, listed in chronological order.
The usage history browsing screen of FIG. 6 is also a data arrangement that lets the user take part in verifying the authenticity of the authentication codes. The authentication code column need not be a readable string as shown on the screen; since the code is encrypted before being stored in the DB, it may appear as an unreadable string. In addition, a "Description" column can be added so that the user can write down his or her own reason for generating the code, which further aids memory.
When an authentication code of the present invention is recorded, the corresponding data cannot function as an authentication code in real time; its function is suspended for the period or time set by the reservation period (for example, two days or 30 minutes). During the reservation period the user can read the recorded authentication code data and check whether it was recorded by himself or herself. The reservation period has the following security characteristics. All attempts to access the authentication computer and write to the pre-record table are serialized. Several authentication code records may be written to the pre-record table at around the same time, but only the one recorded last performs its role. The user can carry out a self-performed password integrity check by inspecting the pre-record table or the post-record table during the reservation period, which is at least one day or 30 minutes long, to determine whether each recorded action was his or her own. Therefore, even if a third party such as a hacker records an authentication code in the user's name, integrity can be verified in sequence.
It is also important to ensure availability so that users can take part in integrity verification at any time. The areas where availability must be considered are the authentication system (authentication computer), the client (user terminal) and the communication network; the present invention concentrates on the authentication system. When the network or client is unstable, the user is assumed to be security-conscious and able to reach the authentication system through whatever other media are available. When the authentication system meets force majeure such as a Distributed Denial of Service (DDoS) attack and the attack traffic exceeds what it can handle, it automatically halts all commands not yet processed from that point on. Thus a loss of availability cannot be turned into a loss of integrity.
Confidentiality is also addressed by blocking the final use of an exposed authentication code, rather than by treating the exposure of the secret as the only problem. Specifically, the process of exposing an authentication code can be divided into access, acquisition and use. Various encryption technologies make an exposed authentication code unreadable; this covers the access stage of the three. Decrypting the encrypted code is practically difficult, so an attacker instead compromises the user terminal and obtains the code before it is encrypted, for example through memory hacking, and confidentiality is easily neutralized.
An intruder who has obtained an exposed authentication code still has to make final use of it for the exposure to matter; this final use is what is called the role of the authentication code. The present invention concentrates on that role and requires a reservation history to be left before an obtained authentication code can be used. Since the user can check the authentication code history during the reservation period, he or she has the opportunity to see whether the exposed code is being used contrary to his or her intention. The authentication code can therefore play the role of a password even with confidentiality removed from the properties it depends on.
A further precondition of the present invention is that the history of the authentication code data is recorded and can be neither deleted nor changed. To manipulate the authentication codes on the authentication computer directly, top-level authority on the DBMS would be needed, and an attacker would want it for two purposes: to manipulate the authentication code history data, and to generate authentication codes directly and use them without restriction. The only way to prevent both is to fix the deletion and change permissions unmodifiably when the table is first created. To modify the permissions of the table, a secret key must be entered; this key is generated automatically as a random value and discarded after a single use. Changing the privileges to allow deletion or modification of the table would therefore require a secret key that nobody knows. In addition, the user, as the owner of the table, has the opportunity to check his or her own data for forgery, so verification by the user cannot be bypassed even by someone operating the system itself.
Even if the privilege setting of the table were changed to allow deletion and modification, the backup data would have to be manipulated at the same time as the data on the storage device in use. Because backups normally run on a different server, such a concurrent operation is hard enough that many stakeholders in the organization would have to take part. If this possibility is to be excluded as well, backup data can be kept with a third party so that the parties protect each other's backups.
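As an added example, not the patent's own implementation, the following Python builds the pre-record table in SQLite with triggers that reject every UPDATE and DELETE, which is the portable way to fix a table as append-only at creation time (in a server DBMS one would additionally REVOKE UPDATE and DELETE from the application role). It also shows the limit the text describes: an account with top-level authority can drop the triggers, which is why the patent pairs this with the chained hashes and the user's own review of the history. The column names and sample row are assumptions for the example.

```python
import sqlite3

# Append-only pre-record table: generation history of authentication codes.
# Column names are assumptions for the example, not the patent's schema.
DDL = """
CREATE TABLE pre_record (
    order_no    INTEGER PRIMARY KEY,
    user_id     TEXT NOT NULL,
    code_enc    TEXT NOT NULL,      -- authentication code, stored encrypted
    created     TEXT NOT NULL,
    reservation TEXT NOT NULL,      -- reservation period, e.g. '2d' or '30m'
    description TEXT
);
-- Fixed at table creation: no row may ever be changed or removed.
CREATE TRIGGER pre_record_no_update BEFORE UPDATE ON pre_record
BEGIN SELECT RAISE(ABORT, 'pre_record is append-only'); END;
CREATE TRIGGER pre_record_no_delete BEFORE DELETE ON pre_record
BEGIN SELECT RAISE(ABORT, 'pre_record is append-only'); END;
"""


def open_history_db():
    """In-memory database with the append-only pre-record table installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    return conn


def record(conn, user_id, code_enc, created, reservation, description=""):
    """Append one generation-history row and return its order number."""
    cur = conn.execute(
        "INSERT INTO pre_record (user_id, code_enc, created, reservation, description)"
        " VALUES (?, ?, ?, ?, ?)",
        (user_id, code_enc, created, reservation, description),
    )
    conn.commit()
    return cur.lastrowid


def attempt(conn, sql, params=()):
    """Run a modifying statement; return True if the append-only guard rejected it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return False
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        return "append-only" in str(exc)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM pre_record").fetchone()[0]


def drop_guards(conn):
    """What DBMS top-level authority can do: remove the triggers that make the
    table append-only. After this, the chained hashes and the user's review
    of the history are the only remaining protection."""
    conn.executescript(
        "DROP TRIGGER pre_record_no_update; DROP TRIGGER pre_record_no_delete;"
    )


if __name__ == "__main__":
    db = open_history_db()
    record(db, "alice", "enc:a1b2c3", "2016-01-11T09:00", "2d", "new code for January")
    print("update rejected:", attempt(db, "UPDATE pre_record SET code_enc = 'enc:evil' WHERE order_no = 1"))
    print("delete rejected:", attempt(db, "DELETE FROM pre_record WHERE order_no = 1"))
    drop_guards(db)
    print("delete rejected after DROP TRIGGER:", attempt(db, "DELETE FROM pre_record WHERE order_no = 1"))
```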
FIG. 7 is a schematic configuration diagram of an embodiment of the authentication participation means executed on the user terminal, which is a main part of an embodiment of the present invention. As shown in FIG. 7, the authentication participation means of the present invention includes an authentication code generation management unit (310), which generates an inactive authentication code by attaching a use condition to the authentication code entered by the user and transmits it to the authentication computer (100); an authentication code use management unit (320) for accessing the
FIG. 8 is a schematic block diagram of another embodiment of the history-based user authentication system of the present invention. As shown in FIG. 8, this embodiment includes a service computer (1000) comprising an authentication management unit (1100), which performs user authentication by checking conditions such as the stored authentication code and its use reservation period in response to a user's authentication request, and a service management unit (1200), which receives the user authentication request, forwards it to the authentication management unit (1100) and, once authentication is complete, provides a predetermined service to the requesting user terminal; a user information database (2000), communicatively connected to or included in the service computer (1000), which stores the user information and user terminal information of users requesting authentication; a service information database (3000), which stores the predetermined service information to be provided to the user terminal; and an authentication participation means (4000), executed on the user terminal, which transmits the generated authentication code to the authentication management unit (1100) of the service computer (1000) over a communication means, reads the authentication code generation and use history, and uses the authentication code. The user generates an authentication code including use reservation period information with the authentication participation means (4000) executed on the user terminal and stores it in the authentication management unit (1100) of the service computer (1000); means for checking the generation and use history of the authentication code are provided; and the authentication code becomes usable once the use reservation period condition is satisfied.
FIG. 9 is a flowchart explaining an embodiment of the usage history-based user authentication method of the present invention. As shown in FIG. 9, the method includes the following steps:
S100: the authentication participation means is activated by executing an application stored on the user terminal or by accessing the authentication computer and displaying an authentication-related web program.
S101: the authentication participation means receives the authentication code entered by the user at the user terminal.
S102: the authentication participation means combines the authentication code with the use reservation period information and use time limit information selected or entered by the user, generates the authentication code and transmits it to the authentication computer.
S103: the authentication computer stores the inactive authentication code together with its use conditions, namely the use reservation period information and the use time limit information.
S104: the user terminal establishes a communication connection with the service computer and requests a service.
S105: the service computer accesses the authentication computer over the communication link and requests authentication of the user terminal that asked for the service.
S106: the authentication computer asks the user terminal to enter an authentication code.
S107: the user terminal requests to view the authentication code history stored in the authentication computer.
S108: the authentication computer provides the authentication code viewing screen to the user terminal.
S109: the user terminal transmits the authentication code entered into the authentication participation means to the authentication computer.
S110: the authentication computer checks whether the stored use condition of the authentication code is satisfied, based on the code transmitted from the user terminal.
S111: if the use condition is satisfied, the authentication computer checks whether the use time limit of the authentication code has elapsed.
S112: if the use time limit has not elapsed, the authentication computer completes the user authentication and stores the use history of the authentication code.
S113: after the authentication computer has authenticated the user, the service computer provides the predetermined service requested by the user terminal.
FIG. 10 is a flowchart explaining another embodiment of the usage history-based user authentication method of the present invention. As shown in FIG. 10, the steps correspond to those of FIG. 9, with the authentication management unit of the service computer taking the place of the separate authentication computer:
S200: the authentication participation means is activated by executing an application stored on the user terminal or by accessing the authentication computer and displaying an authentication-related web program.
S201: the authentication participation means receives the authentication code entered by the user at the user terminal.
S202: the authentication participation means transmits the authentication code to the service computer together with the use reservation period information and use time limit information selected or entered by the user.
S203: the authentication management unit of the service computer stores the inactive authentication code together with its use conditions, namely the use reservation period information and the use time limit information.
S204: the user terminal requests a service from the service computer.
S205: the service computer requests the authentication management unit to authenticate the user terminal that asked for the service.
S206: the authentication management unit asks the user terminal to enter an authentication code.
S207: the user terminal requests to view the authentication code history stored in the authentication management unit.
S208: the authentication management unit provides the authentication code viewing screen to the user terminal.
S209: the user terminal transmits the authentication code entered into the authentication participation means to the authentication management unit.
S210: the authentication management unit checks whether the stored use condition of the authentication code is satisfied, based on the code transmitted from the user terminal.
S211: if the use condition is satisfied, the authentication management unit checks whether the use time limit of the authentication code has elapsed.
S212: if the use time limit has not elapsed, the authentication management unit completes the user authentication and stores the use history of the authentication code.
S213: after the authentication management unit has authenticated the user, the service computer provides the predetermined service requested by the user terminal.
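The following Python is an added example, not code from the patent, that models the authentication computer's pre-record and post-record tables and the checks of steps S103 and S109 to S112 (and, equally, S203 and S209 to S212): a code is stored inactive with its reservation period and use time limit, only the last-recorded row for a user functions as the code, and every successful use is appended to the post-record table. It also shows the history screen of S107/S108 that the user reviews during the reservation period, and what happens when someone else records a replacement code in the user's name. The stored form of the code is a salted one-way hash standing in for the patent's encryption, the use time limit is assumed to count from the end of the reservation period, and the user names, codes and times are constructed.

```python
from datetime import datetime, timedelta
import hashlib
import hmac
import os
import secrets


class AuthenticationComputer:
    """Model of the authentication computer: a pre-record table (generation
    history) and a post-record table (use history). Both are append-only;
    rows are never updated or deleted."""

    def __init__(self):
        self.pre_record = []
        self.post_record = []
        self._salt = os.urandom(16)

    def _stored_form(self, code):
        # Assumption: a salted one-way hash stands in for the patent's
        # encryption of the stored code, so the browse screen shows an
        # unreadable string rather than the code itself.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000).hex()

    def register(self, user, code, reservation, use_limit, now, description=""):
        """S102/S103: store an inactive code together with its use conditions."""
        row = {
            "order": len(self.pre_record) + 1,
            "user": user,
            "code": self._stored_form(code),
            "created": now,
            "active_from": now + reservation,          # reservation period elapses
            "end": now + reservation + use_limit,      # assumption: limit counts from activation
            "description": description,
        }
        self.pre_record.append(row)
        return row["order"]

    def _rows_for(self, user):
        return [r for r in self.pre_record if r["user"] == user]

    def authenticate(self, user, code, now, service="", session=None):
        """S109-S112: only the last-recorded row for the user functions as the
        authentication code; it must be past its reservation period and
        before its end time. A success is appended to the post-record table."""
        rows = self._rows_for(user)
        if not rows:
            return "no_code"
        current = rows[-1]
        presented = self._stored_form(code)
        if not hmac.compare_digest(current["code"], presented):
            if any(hmac.compare_digest(r["code"], presented) for r in rows[:-1]):
                return "superseded"   # an earlier code, replaced by a newer reservation
            return "wrong_code"
        if now < current["active_from"]:
            return "reserved"         # S110: reservation period not yet elapsed
        if now >= current["end"]:
            return "expired"          # S111: use time limit elapsed
        self.post_record.append({
            "order": current["order"], "user": user, "used_at": now,
            "description": service, "session": session or secrets.token_hex(8),
        })
        return "ok"

    def browse(self, user):
        """S107/S108: the history screen the user reviews during the
        reservation period to spot entries that are not his or her own."""
        generated = [(r["order"], r["created"].isoformat(), r["active_from"].isoformat(),
                      r["end"].isoformat(), r["code"][:8] + "...", r["description"])
                     for r in self._rows_for(user)]
        used = [(u["order"], u["used_at"].isoformat(), u["description"])
                for u in self.post_record if u["user"] == user]
        return generated, used


if __name__ == "__main__":
    t0 = datetime(2016, 1, 11, 9, 0)
    ac = AuthenticationComputer()
    ac.register("alice", "winter-2016", timedelta(days=2), timedelta(days=30), t0, "january code")
    print(ac.authenticate("alice", "winter-2016", t0 + timedelta(hours=1)))   # reserved
    print(ac.authenticate("alice", "winter-2016", t0 + timedelta(days=2)))    # ok
    ac.register("alice", "intruder", timedelta(minutes=30), timedelta(days=30), t0 + timedelta(days=3))
    print(ac.authenticate("alice", "intruder", t0 + timedelta(days=3, minutes=5)))  # reserved
    for line in ac.browse("alice")[0]:
        print(line)
```

Under the reading that only the last-recorded row functions, a replacement code recorded by someone else cannot be used until its own reservation period has passed, and the legitimate code stops working at once, so the user is pushed to look at the generation history, where the foreign row with its empty description is visible.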
The embodiments of the present invention described above can be applied to fields requiring confirmation by the user, such as online document settlement and real estate registration.
The embodiments described above are only some of many possible embodiments. Any embodiment in which the user terminal, using the authentication participation means activated on it, generates an authentication code with a use condition such as a reservation period and stores it in an authentication computer or service computer, user authentication is performed with that code, and the user terminal can view the history of authentication code generation and use falls within the technical idea of the present invention and within its scope of protection.
100: Authentication computer
200, 600: user database
300: User terminal
400: service computer
500: Service database
Claims (10)
The authentication computer includes authentication code generation management means for receiving and storing the authentication code transmitted from the user terminal together with its use condition data; authentication code use condition management means for confirming, in response to a use request for the authentication code from the user terminal, whether the use condition of the authentication code is satisfied; authentication code use management means for performing the user authentication process when the use condition of the authentication code is satisfied; and authentication code history management means for recording and storing the generation history and the use history of the authentication code in a table;
wherein the authentication code generation management means manages the authentication code transmitted from the user terminal so that it cannot be deleted or changed, encrypts the authentication code history information transmitted from the user terminal into a node and distributes it across a plurality of storage servers, so that arbitrary manipulation by an individual server administrator is prevented and integrity can be verified by comparing the hash values or the original authentication code information held by each node,
wherein the authentication code use condition management means confirms whether the use condition of the authentication code is satisfied on the basis of the reservation record of the authentication code, including whether the time or period set for its use has arrived,
wherein the table in which the authentication code history management means records the generation history and the use history of the authentication code includes a pre-record table for recording the generation history of the authentication code and a post-record table for recording the use history of the authentication code.
The authentication management unit of the service computer comprises authentication code generation management means for receiving and storing the authentication code transmitted from the user terminal together with its use condition data; authentication code use condition management means for confirming, in response to a use request for the authentication code from the user terminal, whether the use condition of the authentication code is satisfied; authentication code use management means for performing the user authentication process when the use condition of the authentication code is satisfied; and authentication code history management means for recording and storing the generation history and the use history of the authentication code in a table;
wherein the authentication code generation management means manages the authentication code transmitted from the user terminal so that it cannot be deleted or changed, makes the authentication code history information transmitted from the user terminal into a node and distributes it across a plurality of storage servers,
wherein the authentication code use condition management means confirms whether the use condition of the authentication code is satisfied on the basis of the reservation record of the authentication code, including whether the time or period set for its use has arrived,
wherein the table in which the authentication code history management means records the generation history and the use history of the authentication code includes a pre-record table for recording the generation history of the authentication code and a post-record table for recording the use history of the authentication code.
Wherein the authentication participation means is an application program executed by the user terminal or a web program output from the user terminal.
Wherein the authentication participation means comprises authentication code generation management means for generating an authentication code; An authentication code use management means for using the authentication code; And an authentication code browse management means for browsing the history of the generated or used authentication codes.
Wherein the usage condition data of the authentication code includes usage reservation period of the authentication code and authentication code use time limit information.
Wherein the authentication code browse management means presents the generated authentication code information and the use history information of the authentication code so that they can be viewed through the authentication participation means.
The authentication management unit of the authentication computer or the service computer manages the authentication code transmitted from the user terminal so that it cannot be deleted or changed, makes the authentication code history information transmitted from the user terminal into a node and distributes it across a plurality of storage servers,
wherein the confirmation of whether the use condition of the authentication code is satisfied is performed on the basis of the reservation record of the authentication code, including whether the time or period set for its use has arrived,
and wherein the table for recording the generation history and the use history of the authentication code includes a pre-record table for recording the generation history of the authentication code and a post-record table for recording the use history of the generated authentication code, in the usage history-based user authentication method.
Wherein the table includes a pre-record table for recording the generation history of the authentication code and a post-record table for recording the usage history of the generated authentication code.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160003097A KR101651563B1 (en) | 2016-01-11 | 2016-01-11 | Using history-based authentication code management system and method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101651563B1 true KR101651563B1 (en) | 2016-09-05 |
Family
ID=56939004
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160003097A KR101651563B1 (en) | 2016-01-11 | 2016-01-11 | Using history-based authentication code management system and method thereof |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101651563B1 (en) |
2016-01-11: KR application KR1020160003097A (patent KR101651563B1), status: active, IP Right Grant
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20070091804A (en) * | 2006-03-07 | 2007-09-12 | 와이즈와이어즈(주) | Authentication method, system, server and recording medium for controlling mobile communication terminal by using authentication key |
KR101137523B1 (en) * | 2011-09-26 | 2012-04-20 | 유승훈 | Media, terminal and server for authentication and method for authenticating using the sames |
KR20140103004A (en) * | 2013-02-15 | 2014-08-25 | 주식회사 안랩 | User authenticating method and apparatus |
KR101436404B1 (en) | 2013-02-15 | 2014-09-01 | 주식회사 안랩 | User authenticating method and apparatus |
KR20150023993A (en) * | 2013-08-26 | 2015-03-06 | 경호연 | Self recording history-based use authentication system and method thereof |
KR101523340B1 (en) | 2013-08-26 | 2015-05-28 | 경호연 | Self recording history-based use authentication system and method thereof |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019027139A1 (en) * | 2017-08-04 | 2019-02-07 | 경호연 | Time-dependent blockchain-based self-verification user authentication method |
KR20190015178A (en) * | 2017-08-04 | 2019-02-13 | 경호연 | Time-Dependent Block Chain-Based Self-Verification User Authentication Method |
CN110998572A (en) * | 2017-08-04 | 2020-04-10 | 京镐渊 | Self-verification user authentication method based on time-dependent blockchain |
KR102133659B1 (en) * | 2017-08-04 | 2020-07-14 | 경호연 | Time-dependent blockchain based self-verification user authentication method |
US11363033B2 (en) | 2017-08-04 | 2022-06-14 | Ho Yun KYUNG | Time-dependent blockchain-based self-verification user authentication method |
CN110998572B (en) * | 2017-08-04 | 2023-05-05 | 京镐渊 | Self-verification user authentication method based on time-dependent blockchain |
KR102002644B1 (en) * | 2018-05-29 | 2019-07-22 | 주식회사 기가코리아 | Method for providing numeral url based up-price transaction service using offline to online flatform |
CN114978749A (en) * | 2022-06-14 | 2022-08-30 | 中国电信股份有限公司 | Login authentication method and system, storage medium and electronic equipment |
CN114978749B (en) * | 2022-06-14 | 2023-10-10 | 中国电信股份有限公司 | Login authentication method and system, storage medium and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GRNT | Written decision to grant | ||
FPAY | Annual fee payment |
Payment date: 20190805 Year of fee payment: 4 |