KR101651563B1 - Using history-based authentication code management system and method thereof - Google Patents


Info

Publication number
KR101651563B1
Authority
KR
South Korea
Prior art keywords
authentication
authentication code
history
user
computer
Prior art date
Application number
KR1020160003097A
Other languages
Korean (ko)
Inventor
경호연
Original Assignee
경호연
Application filed by 경호연
Priority to KR1020160003097A
Application granted
Publication of KR101651563B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3236 ... using cryptographic hash functions
    • H04L9/3242 ... using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication

Abstract

The present invention relates to a history-based user authentication system and a method thereof. It includes authentication participation means, connected to the authentication computer and executed on a user terminal, for performing user authentication. The authentication computer includes authentication code generation management means for receiving and storing the authentication code transmitted from the user terminal together with the use condition data of that authentication code; an authentication code use condition management unit for confirming whether the use condition of the authentication code is satisfied in response to an authentication code use request from the user terminal; authentication code use management means for performing the user authentication process when the use condition of the authentication code is satisfied; and authentication code history management means for recording the generation history and the use history of the authentication code in a table and storing that history.

Description

[0001] The present invention relates to a history-based authentication code management system and method.

The present invention relates to a use history-based authentication code management system and a method thereof. More particularly, it relates to a system and method for generating and managing a password-substituting authentication code on the basis of user participation and of use and reservation history. Managing the use of a password or authentication code is a matter of security, which comprises integrity, confidentiality and availability, and the authentication code that substitutes for the password carries a role beyond confidentiality, the element on which a password relies. A distinct integrity verification process is applied to all execution and command data requested of the authentication system by providing an environment in which the user can make a reservation and confirm the history of that reservation at any time.

User authentication technology is becoming more and more important as we enter a digital age in which most individual activities are carried out online. Various techniques for user authentication have been developed, but there is no fundamental measure against exposure of the password in the everyday life of a user who relies on a secret key. Strengthening password protection lowers user convenience, while improving convenience increases password exposure, which is a dilemma. Present authentication systems rely on encryption technology or on a system and method involving a third-party certification authority; however, if the secret (secret key) is exposed, the user must notice that an incident has occurred, and until then whoever presents the secret is assumed to be the user. Since the password is the means by which the user is recognized online, an attacker (such as a hacker) needs only a single sharp point of attack, whereas the defender must cope with every possibility and therefore faces security difficulties. In addition, existing authentication techniques are limited when the internal administrator of the authentication system is to be involved in the security of user passwords.

Korean Patent No. 10-1436404 (registered on August 26, 2014) patents a device and method for authenticating a user (hereinafter referred to as the "404 invention").

The user authentication apparatus of the 404 invention includes: an information acquisition unit that acquires terminal identification information of the communication terminal device for which user authentication is requested; a terminal history confirmation unit that confirms the terminal authentication history corresponding to that terminal identification information; a history comparison unit that compares a predetermined condition, including a preset authentication request time or a preset number of authentication requests, with the confirmed terminal authentication history and selects the user as a verification target according to the result of the comparison; a user history confirmation unit that, when a verification target is selected, confirms the user authentication history corresponding to the user identification information of the user currently being authenticated; a verification method determination unit that determines an authentication method for verification according to the authentication method information included in that history; a user verification unit that performs user authentication of the communication terminal apparatus according to the authentication method requested by the communication terminal apparatus or the verification method determined by the verification method determination unit; and a history update unit that updates the terminal authentication history and the user authentication history stored in a database unit with the user identification information, terminal identification information, authentication method information, authentication time information and authentication result information. Its advantage is that the security of the user authentication procedure is enhanced because the user authentication procedure cannot easily be passed.

Korean Patent No. 10-1523340 (registered on May 20, 2015) patents a history-based use authentication system and method (hereinafter referred to as the "340 invention").

The 340 invention comprises the steps of: a user terminal communicating with a history management computer to receive user approval; the user terminal requesting the user's history management record from the history management computer; the history management computer transmitting the user's history record book to the user terminal; the user terminal transmitting to the history management computer a service provider, a temporary password for use, and a usage condition entered in the user's history management record; the history management computer storing the user's history management book; the user terminal accessing a service computer operated by the service provider and transmitting the user information and the temporary password to the service computer; the service computer performing user authentication based on the transmitted user information and transmitting the user information, the temporary password and the service computer information to the history management computer to request authentication; the history management computer comparing, on the basis of the user information transmitted from the service computer, the service computer information and temporary password recorded in the user's history record book with the service computer information and temporary password transmitted from the service computer; if they match, the history management computer comparing the usage time information of the temporary password recorded in the history management record with the time elapsed from the recording of the temporary password to the present; and the history management computer transmitting temporary-password-unavailable information to the service computer when the elapsed time exceeds the usage time information and, when it does not exceed it, transmitting the corresponding information to the service computer.

In the 404 invention, the terminal authentication history is checked; a predetermined condition including a preset authentication request time or a preset number of authentication requests is compared with the checked terminal authentication history; a user authentication is selected as a verification target according to the result of the comparison; when a verification target is selected, the user authentication history corresponding to the user identification information of the user currently being authenticated is confirmed; the authentication method for verification is determined from the authentication method information included in that user authentication history; and user authentication of the communication terminal device is performed according to that verification authentication method. Because user authentication is performed by checking the terminal authentication history and the user authentication history, the user cannot directly participate in the generation of the authentication code or in the authentication process, so the conventional security problems remain as they are; moreover, the configuration performs only real-time user authentication and cannot perform reserved authentication, so the ease of use of the authentication technology is poor.

In the 340 invention, the user sets a temporary password and a use condition; when an authentication request arrives from the user terminal, the user's temporary password is checked on the history management computer and user authentication is performed according to the result. However, since the user cannot directly participate in the process of generating and authenticating the authentication code, the 340 invention retains the weakness of the conventional security problem, and its convenience is poor.

Therefore there is a need for an invention in which, in user authentication, the user can participate directly in the password authentication process, cope efficiently with password exposure, obtain convenience in using the authentication technology, and, since the root cause of vulnerability to password exposure lies with the user, directly perform forgery verification using the user's own history of password use and reservation records.

Korean Patent No. 10-1436404 (registered on August 26, 2014)
Korean Patent No. 10-1523340 (registered on May 20, 2015)

It is an object of the present invention to solve the above problems of the prior art by providing a use history-based authentication code management system and method in which the user can participate in the password authentication process, which provides convenience, and in which the user can directly perform forgery verification using the user's own password use history and reservation history.

According to a first aspect of the present invention, there is provided a use history-based user authentication system comprising: an authentication computer that performs user authentication by inquiring into conditions such as a stored authentication code and its use reservation period in response to a user's authentication request; a user information database, communicatively connected to or contained in the authentication computer, that stores user information and user terminal information of the user who made the authentication request; authentication participation means, executed in the user terminal and connected to the authentication computer by communication means, for generating an authentication code in the authentication computer, reading the authentication code generation and use history, and using the authentication code; a service computer, connected to the authentication computer and the user terminal, that forwards a user authentication request from the user terminal to the authentication computer and provides a predetermined service to the user terminal after user authentication is completed; a user information database, communicatively connected to or contained in the service computer, that stores the user information of the user requesting authentication; and a service information database that stores the predetermined service information to be provided to the user terminal.

The user generates an authentication code including use reservation period information by means of the authentication participation means executed in the user terminal and stores it in the authentication computer, and means are provided for accessing the authentication computer to check the authentication code generation and use history, so that the authentication code can be used once the condition of the use reservation period is satisfied.

According to a second aspect of the present invention, there is provided a use history-based user authentication system comprising: a service computer that includes an authentication management unit for performing user authentication by inquiring into conditions such as a stored authentication code and its use reservation period in response to a user's authentication request, and that provides a predetermined service to the user terminal requesting user authentication after user authentication is completed; a service information database that stores the service information to be provided to the user terminal, and a user information database, communicatively connected to or contained in the service computer, that stores user information and user terminal information; and authentication participation means, executed in the user terminal, for accessing the service computer by communication means in order to transmit the authentication code generated for the authentication management unit, view the authentication code generation and use history, and use the authentication code.

The user generates an authentication code including use reservation period information by means of the authentication participation means executed in the user terminal and stores it in the authentication management unit of the service computer, means are provided for accessing the authentication management unit to check and view the history, and the authentication code can be used once the condition of the use reservation period is satisfied.

According to a third aspect of the present invention, there is provided a use history-based user authentication method comprising: the user terminal receiving an authentication code input to the authentication participation means; combining the authentication code use reservation period information selected or input in the authentication participation means with the authentication code to generate an inactive authentication code, transmitting it to the authentication management unit of the authentication computer or of the service computer, and storing it; the user terminal receiving the authentication code input to the authentication participation means in order to use the authentication code; the user terminal transmitting the authentication code information to the authentication management unit of the authentication computer or of the service computer to inquire into the use condition of the authentication code; the authentication management unit of the authentication computer or of the service computer performing the authentication code use processing when the authentication code use condition is satisfied; and the authentication management unit of the authentication computer or of the service computer storing the use history of the user's authentication code.

According to a fourth aspect of the present invention, in the third aspect, the user terminal further receives an authentication code generation and use history browsing request input to the authentication participation means and transmits it, and the authentication management unit of the authentication computer or of the service computer further transmits the authentication code generation and use history information to the user terminal.

According to the present invention, in online use authentication on the Internet or the like, security can be maintained even if the confidentiality of data such as a password or authentication code, the integrity of the authentication code, or the confidentiality of the data during availability is compromised. In addition, since the process for ensuring confidentiality of the data can be omitted, the processing required for security can be reduced. Furthermore, since the user can directly participate in the generation and use of the authentication code, security is further enhanced. Moreover, since reservation of the authentication code use period can be utilized, security is further enhanced in business areas in which real-time authentication is not required.

FIG. 1 is a schematic block diagram of an embodiment of a history-based user authentication system according to the present invention.
FIG. 2 is a schematic block diagram of an embodiment of an authentication computer, which is a main part of an embodiment of the present invention.
FIG. 3 is a schematic block diagram of an embodiment of a user information database, which is a main part of an embodiment of the present invention.
FIG. 4 is a schematic configuration diagram of an embodiment of an authentication code history table generated in the authentication computer, which is a main part of an embodiment of the present invention.
FIG. 5 is an explanatory diagram of the method by which the authentication computer, which is a main part of an embodiment of the present invention, processes hash value blocks across a plurality of storage servers.
FIG. 6 is a schematic configuration diagram of an embodiment of a user browse data table that can be requested from and confirmed by the authentication computer, which is a main part of an embodiment of the present invention.
FIG. 7 is a schematic configuration diagram of an embodiment of the authentication participation means executed in a user terminal, which is a main part of an embodiment of the present invention.
FIG. 8 is a schematic block diagram of another embodiment of the history-based user authentication system of the present invention.
FIG. 9 is a flowchart for explaining an embodiment of the use history-based user authentication method of the present invention.
FIG. 10 is a flowchart for explaining another embodiment of the use history-based user authentication method of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

The description and terminology of the prerequisite knowledge are defined first in order to facilitate understanding of the present invention. The main security mechanisms are classified into four categories: encryption, authentication, authorization and audit. Encryption is the transformation of key data so that unauthorized users cannot use it. Authentication is the control of access to data so that only legitimate users obtain it; authorization determines what a legitimate, authenticated user is permitted to do; and auditing records what kind of data a user has processed so that the point of verification or responsibility can be clarified later.

There are also three elements of security: confidentiality, availability, and integrity. Passwords for user authentication also require the above three elements of security.

<Confidentiality>

With regard to confidentiality, the content of the data must be known only to the owner of the data and to authenticated users. Even if the confidentiality of communication between the parties is ensured, if the password is stored as plain text in the authentication system its confidentiality cannot be guaranteed against an internal administrator or an external intruder. Therefore existing authentication systems encrypt the password data before storing it in the authentication system in order to guarantee the confidentiality of the data.

In the embodiment of the present invention, even if the password data is stored as unencrypted plain text and is exposed to the outside, the password must first be recorded before it can actually be used, and it performs its role as a password only after a predetermined time (the reservation period) has passed. The effectiveness that confidentiality would otherwise provide is thus obtained through the opportunity the user has to verify the record.

<Integrity>

With regard to integrity, password data must be stored in the authentication system as intended by the user, and if the data is not stored as it was given, the user of the data must be able to verify this. The cryptographic techniques used to verify the integrity of data stored in the authentication system include homomorphic encryption, hashes and signatures.

In the embodiment of the present invention, integrity is addressed by a configuration in which the generation and use of password data follow a delayed verification technique that gives the user an opportunity to verify the entire process.

<Availability>

Availability means that services are maintained without interruption and that information is provided to authorized parties. It is ensured by backing up information against possible attacks and by protecting against suspected threats.

In the embodiment of the present invention availability is essential, since the user must be able to access the authentication system at any time to view and confirm the password history. When the authentication system is suspended due to force majeure, all password authentication procedures requested before the suspension are halted and a history entry recording that they were halted is left.

In addition, for a security service to be performed completely through a user terminal, an authentication system that performs user authentication, and the communication network connecting them, three stages are involved: access, processing (at the user terminal and the authentication system), and transmission (over the communication network). The present invention focuses on the protection of security-related data stored in the authentication system, for example password data, and in particular on preventing forgery and falsification in the use phase; it proposes a simple configuration that reduces the number of steps needed to prevent forgery and falsification of security-related data.

The terms necessary to describe the embodiment of the present invention are defined as follows.

<Block chain>

Block chain technology here means the "distributed storage, PKI encryption, P2P communication and continuously growing transaction linkage" applied in Bitcoin.

In the present invention, only distributed storage and PKI encryption are used, to encrypt and store the authentication code history information on a plurality of storage servers so as to ensure security and integrity.

<Password>

The password for user authentication is referred to generically as a secret key. In the embodiment of the present invention, the ID/PW scheme based on the user's memory is assumed, and the PW is referred to as the password. Because the password is a value that only the user knows, confidentiality among the three elements of security is the key.

<Authentication code>

The authentication code is a concept similar to a password; in the embodiment of the present invention, the data that serves as a password is referred to as an authentication code. The difference is that a password, once exposed, can no longer perform its original function of authenticating the user, whereas the authentication code can perform the role of user authentication even when exposed.

<User authentication technology>

User authentication techniques are technologies that verify whether a user is legitimate online. ID/PW technology is representative, and digital signature through a certified certificate is also applicable.

<Encryption technology>

Encryption technologies can be roughly classified into the Message Authentication Code (MAC), based on a symmetric key, and the digital signature, based on a public key. In a symmetric-key structure, a MAC value is generated over the stored item with a secret key to ensure integrity, and the verifier obtains the stored item and the secret key from the storage device and verifies the MAC. However, if the stored secret key is exposed, tampering can be concealed by regenerating the MAC value after altering the stored items, and the possibility of an attack through the manager who administers the verifier or the storage device cannot be excluded. In a public key infrastructure, a private key and a public key are used to generate a digital signature. Because two different keys are used it is safer than the symmetric key, but it is troublesome to renew each party's public key every predetermined period (for example one year); specifically, data encrypted in the past may at some point be decrypted by a high-performance computer, so the key must be re-issued to maintain constant confidentiality.

<Non-encryption scheme>

Non-cryptographic techniques related to user authentication are mainly used offline; a secret conveyed face to face or through a messenger and then destroyed is an example.

<Based on user participation>

The user participation basis in the present invention means that the user participates directly in the verification process associated with password generation and use, rather than leaving that verification entirely to the system or to a third party.

<History Based>

The history basis in the embodiment of the present invention is a configuration that leaves every step of generating and using a password as a record, so that the user can use the history information as data for judgment. Therefore history information can only be generated, never deleted or changed. The history information is distributed and stored using the block chain technique in order to cope with integrity threats from insiders.
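As an added illustration (not code from the patent), the following Python sketch models the third and fourth aspects described above together with the history basis defined here: a code is reserved with a use period, stays inactive until that period begins, every use request is checked against the stored conditions and recorded, the user can read the history, and the append-only history table is hash-chained and replicated to several storage servers so that an insider's silent edit on one server is detected. All class and function names, the storage layout and the sample scenario are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Hypothetical model of the authentication computer (an assumption, not the
# patent's code): codes carry a use reservation period, and every event goes
# into a hash-chained, replicated, append-only history table.
GENESIS_HASH = "0" * 64


@dataclass
class HistoryEntry:
    seq: int
    user_id: str
    event: str        # "generate", "use" or "reject"
    code: str
    detail: str
    timestamp: str
    prev_hash: str    # hash of the previous entry: edits break the chain
    entry_hash: str = ""


def compute_entry_hash(entry: HistoryEntry) -> str:
    """SHA-256 over every field except the hash itself."""
    fields = {k: v for k, v in entry.__dict__.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class AuthenticationComputer:
    def __init__(self, storage_servers: int = 3):
        # Codes are kept as plain text on purpose: the patent's point is that
        # exposure alone does not let anyone use a code outside its period.
        self.codes = {}   # (user_id, code) -> {"start", "end", "used"}
        self.servers = [[] for _ in range(storage_servers)]  # replicated history

    def _record(self, user_id, event, code, detail, now: datetime) -> HistoryEntry:
        """Append-only: link a new entry to the previous one, never edit one."""
        primary = self.servers[0]
        prev = primary[-1].entry_hash if primary else GENESIS_HASH
        entry = HistoryEntry(len(primary), user_id, event, code, detail,
                             now.isoformat(), prev)
        entry.entry_hash = compute_entry_hash(entry)
        for server in self.servers:
            server.append(replace(entry))   # independent copy per storage server
        return entry

    def generate(self, user_id, code, now, delay: timedelta, validity: timedelta):
        """Store an inactive code whose use reservation period is [start, end]."""
        start, end = now + delay, now + delay + validity
        self.codes[(user_id, code)] = {"start": start, "end": end, "used": False}
        self._record(user_id, "generate", code,
                     f"usable {start.isoformat()} to {end.isoformat()}", now)

    def use(self, user_id, code, now: datetime) -> bool:
        """Authenticate only inside the reserved period; log every attempt."""
        rec = self.codes.get((user_id, code))
        if rec is None:
            reason = "unknown code"
        elif rec["used"]:
            reason = "already used"
        elif now < rec["start"]:
            reason = "reservation period not yet reached"
        elif now > rec["end"]:
            reason = "reservation period expired"
        else:
            rec["used"] = True
            self._record(user_id, "use", code, "ok", now)
            return True
        self._record(user_id, "reject", code, reason, now)
        return False

    def history_for(self, user_id):
        """What the authentication participation means shows the user."""
        return [(e.seq, e.event, e.detail) for e in self.servers[0]
                if e.user_id == user_id]

    def verify_history(self) -> bool:
        """Every server must hold a valid chain and all servers must agree."""
        tips = []
        for server in self.servers:
            prev = GENESIS_HASH
            for e in server:
                if e.prev_hash != prev or compute_entry_hash(e) != e.entry_hash:
                    return False
                prev = e.entry_hash
            tips.append(prev)
        return len(set(tips)) == 1


def demo():
    """Constructed scenario: reserve a code, try it early, in time, and again."""
    t0 = datetime(2016, 1, 1, 9, 0)
    ac = AuthenticationComputer()
    ac.generate("user-a", "river-42", t0, timedelta(hours=1), timedelta(hours=2))
    early = ac.use("user-a", "river-42", t0 + timedelta(minutes=30))            # False
    in_time = ac.use("user-a", "river-42", t0 + timedelta(hours=1, minutes=30))  # True
    replay = ac.use("user-a", "river-42", t0 + timedelta(hours=1, minutes=40))   # False
    intact = ac.verify_history()                                                # True
    events = [e for _, e, _ in ac.history_for("user-a")]
    ac.servers[1][2].detail = "edited by insider"   # silent change on one server
    return early, in_time, replay, intact, ac.verify_history(), events
```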

<Reservation>

In the embodiment of the present invention, reserving means recording in advance how a password is to be used when the time comes to use it, much as a restaurant reservation is made in advance. When a password-substituting authentication code is created, it is created in advance through such a reservation.

<Reservation period>

In the embodiment of the present invention, when an authentication code is recorded in the authentication system in order to be used, it does not perform its role immediately; its role is suspended for the interval determined by the reservation period.

Further, in the embodiment of the present invention, each constituent element of the authentication computer, the user terminal or the service computer may be understood either as the computer program executed in the authentication computer, the user terminal or the service computer, or as the hardware itself.

FIG. 1 is a schematic block diagram of an embodiment of the history-based user authentication system according to the present invention.

As shown in FIG. 1, the system comprises: an authentication computer 100 that performs user authentication by checking conditions such as the stored authentication code and its use reservation period in response to a user's authentication request; a user information database 200, connected to or included in the authentication computer 100, that stores the user information and user terminal information of authentication requests; authentication participation means 300, executed in a user terminal connected to the authentication computer 100 through communication means, for generating an authentication code in the authentication computer 100, viewing the authentication code generation and use history, and using the authentication code for authentication; a service computer 400, connected to the authentication computer 100 and to the user terminal, that receives a user authentication request from the user terminal, forwards it to the authentication computer 100, and provides a predetermined service to the user terminal after user authentication is completed; a user information database 600, connected to or included in the service computer 400, that stores the user information used for authentication requests; and a service information database 500 that stores the predetermined service information to be provided to the user terminal.

The user generates an authentication code including use reservation period information using the authentication participation means 300 executed in the user terminal and stores it in the authentication computer 100; means for checking the generation and use history of the code are provided, so that the authentication code can be used once the condition of the use reservation period is satisfied.

The authentication computer 100 is a computer program or hardware configured to carry out the embodiment of the present invention; it performs user authentication by exchanging data with a user terminal and a service computer 400 that are connected to it through communication means. The authentication computer 100 is preferably a server computer connected to a plurality of user terminals and capable of processing data transmitted sequentially or simultaneously from them.

The authentication computer 100 permits access to and use of a user's authentication code when the authenticated user requests it, stores the history information of the authentication code in a block chain manner, and distributes the authentication code related information across a plurality of storage servers for management. Therefore, a plurality of storage servers for storing authentication code related information may be used.

The user terminal is connected to the authentication computer 100 and the service computer 400, executes or outputs the authentication participation means 300 implemented as a computer program or web program, and may be a PC, notebook computer, tablet computer, smart communication device or mobile phone capable of exchanging data with the authentication computer 100 and the service computer 400.

For example, the user of the user terminal accesses the service computer 400 through a communication means and requests user authentication. The service computer 400 connects to the authentication computer 100 and transmits user authentication request data including the user information and user terminal information of the user who made the request. The authentication computer 100 receives the user authentication request from the service computer 400, stores it in the user information database 200, and checks whether the user is a previously registered user. The authentication computer 100 then transmits an installation and connection request message for the authentication participation means 300 to the user terminal on the basis of the user terminal information. To request installation and connection of the authentication participation means 300, download information for an authentication participation application or website connection information may be included in the message. The user installs or connects to the authentication participation means 300 according to the message transmitted from the authentication computer 100 and activates it. For example, if the participation means activated in the user terminal is an application program, the user terminal accesses the application download computer to download, install and execute the application program (hereinafter the 'application'). The user may then connect to the authentication computer 100 through the application executed in the user terminal and register for use of the authentication service.
Using the application activated in the user terminal, the user obtains approval for use from the authentication computer 100 and, in order to be authenticated for a predetermined service provided by the service computer 400, generates an authentication code in the application. The application attaches use condition data, such as the authentication code use reservation period and the authentication code use time limit, to produce an inactivated authentication code, and transmits it to the authentication computer 100. When the user requests and receives approval for use, the authentication computer 100 creates an authentication code history table for managing the user's history of authentication code generation and use, linked to the user's information or user terminal information, and stores the authentication code and use condition data transmitted from the user terminal in the generation related table of that history table. The user can execute the application on the user terminal and access the authentication computer 100 to confirm the generation history of the authentication codes to which the user's registered use conditions have been assigned.

To receive the predetermined service provided by the service computer 400, the user executes the application on the user terminal and accesses the authentication computer 100; if a connection already exists, no separate connection is needed. The user terminal transmits the authentication code entered by the user into the application to the authentication computer 100. The authentication computer 100 looks up the use condition stored for the transmitted authentication code and checks whether it is satisfied. If the use condition is satisfied, the authentication computer 100 completes the user authentication and transmits the authentication result to the user terminal and the service computer. The authentication computer 100 stores the use of the authentication code in the use related table of the authentication code history table. The user can execute the application on the user terminal and access the authentication computer 100 to confirm the use history of the authentication codes registered with the user's use conditions.

FIG. 2 is a schematic block diagram of an embodiment of the authentication computer, which is a main part of an embodiment of the present invention. As shown in FIG. 2, the authentication computer of the present invention includes: a user information management unit 110 for storing and managing information on users or user terminals that are connected and approved to use the authentication system; a service information management unit 120 for managing operator information of the service systems the user wants to use; an authentication code generation management unit 130 for receiving, storing and managing an authentication code with use conditions created by the user terminal; an authentication code use management unit 140 for performing user authentication, when the user terminal requests use of a stored authentication code, by comparing the transmitted authentication code with the stored one; an authentication code history management unit 150 for storing and managing the generation and use history of authentication codes in tables; an authentication code browsing management unit 160 for browsing, from the user terminal, information such as the generated and stored authentication codes and their use history; and a data history management unit 170 for storing and managing the history of generation and change of usage related data of the authentication system provided from the user terminal.

FIG. 3 is a schematic block diagram of an embodiment of the user information database, which is a main part of an embodiment of the present invention. As shown in FIG. 3, the user database of the present invention includes: a user information storage unit 210 for storing information on users, or user terminals, that receive user authentication through the authentication computer 100 in order to use a service provided by the service computer 400; a service provider information storage unit 220 for storing information on service providers that request user authentication from the authentication computer 100 in order to provide a predetermined service to the user; and an authentication code history table storage unit 230 for storing the authentication code generation history table, the authentication code use history table and the authentication code use history browsing table recorded for each user.

FIG. 4 is a schematic configuration diagram of an embodiment of the authentication code history table generated in the authentication computer, which is a main part of an embodiment of the present invention. As shown in FIG. 4, the authentication code history table of the present invention consists of a pre-record table, which records the generation history of authentication codes, and a post-record table, which records the use history of the generated authentication codes. In the pre-record table, sequence number 4 is a row still within its use reservation period after generation. Since the reservation period (inactivity period) of one day (24 hours) has not elapsed since the authentication code of sequence number 4 was generated, that code is in a suspended state. Therefore, the row that currently functions as the authentication code is sequence number 3. If the user wishes to suspend every row currently operating as an authentication code, two or more authentication code rows can be generated in succession, which suspends the function of every row in the pre-record table. That is, if the authentication code of sequence number 5 is generated immediately after that of sequence number 4, sequence number 3, which was able to function as the current authentication code, is suspended, and the authentication code function can next be performed only after the 24 hours of sequence number 4 have elapsed.

In the pre-record table of the authentication code history tables described above, only one row can function as the authentication code at any time. Therefore, in the example above, the authentication code of sequence number 4 is activated once its one-day inactivity period has elapsed, and at that point the function of the authentication code of sequence number 3 is stopped.

The description column of the post-record table records the specific circumstances in which the authentication code was used; this improves the user's ability to recognize his or her own activity. A session value column may also be kept in the post-record table. The session value is recorded for the administrator's follow-up rather than for the user, and is therefore not a requirement. Specifically, when a service is handled so that only an authorized user can receive it, only the user holding the corresponding session value is admitted through session processing; keeping a history of such session values is useful for post-incident response.

The hash chain value is a key value for securing the integrity of the data; it is obtained by encrypting the input value of the current row together with the input value of the immediately preceding row with the public key of the next storage server. Therefore, manipulating one row requires knowing the private key of the next storage server, and deleting a row also requires deleting the data on the connected storage server, so the highest privileges on every relevant storage server must be obtained. As the number of participating storage servers increases, such manipulation becomes more difficult.

FIG. 5 is an explanatory diagram of how the authentication computer, which is a main part of an embodiment of the present invention, chains the hash value processing blocks of a plurality of storage servers. As shown in FIG. 5, each hash value is generated by encrypting it for the next storage server in a block chain manner. In this way, not only the hash values but also the authentication codes themselves can be bound into a block chain.
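The following is an added example, not code from the patent, showing in Python how the rows of the authentication code history described above (the hash chain value and the chained storage servers of FIG. 5) can be linked across several storage servers and how the chain is checked. The patent links each row to the previous one by encrypting both with the next storage server's public key; because the Python standard library has no public-key primitives, this example substitutes an HMAC under a secret key held by that next server, which is an assumption made for the example and not the patent's construction. The property the description relies on is preserved: rewriting row i requires the key of server (i + 1) mod N, every later link must then be recomputed with the following servers' keys, and the other servers' replicas still disagree, which is the per-node comparison of hash values that claim 1 mentions. The server keys, row contents and function names are constructed for the example.

```python
import hashlib
import hmac
import json

# Added example, not the patent's code: an append-only authentication code
# history chained across N storage servers. The patent links each row by
# encrypting it with the NEXT server's public key; with the standard library
# only, that step is modelled (an assumption) as an HMAC under a secret key
# held by the next server. Rewriting row i therefore needs the key of server
# (i + 1) mod N, and every later link must be recomputed with further keys.

SERVER_KEYS = [  # constructed sample keys, one per storage server
    b"storage-server-0-key",
    b"storage-server-1-key",
    b"storage-server-2-key",
]
GENESIS = "0" * 64  # link value "before" the first row

def canonical(row):
    """Deterministic byte encoding of a history row (a dict)."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()

def link_value(index, prev_link, row, keys=SERVER_KEYS):
    """Link for row `index`: keyed hash over the previous link and the current
    row under the next server's key (stand-in for the public-key step)."""
    key = keys[(index + 1) % len(keys)]
    return hmac.new(key, prev_link.encode() + canonical(row), hashlib.sha256).hexdigest()

def append_row(chain, row, keys=SERVER_KEYS):
    """Append a row to one replica and return its link."""
    prev = chain[-1]["link"] if chain else GENESIS
    link = link_value(len(chain), prev, row, keys)
    chain.append({"row": dict(row), "link": link})
    return link

def verify_chain(chain, keys=SERVER_KEYS):
    """Recompute every link; return the index of the first bad row, or -1."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = link_value(i, prev, entry["row"], keys)
        if not hmac.compare_digest(expected, entry["link"]):
            return i
        prev = entry["link"]
    return -1

def replicas_agree(replicas):
    """Cross-check the copies held by each storage server (the per-node
    comparison of hash values): True only if all link sequences match."""
    sequences = [[e["link"] for e in r] for r in replicas]
    return all(s == sequences[0] for s in sequences[1:])

def build_replicas(rows, n_servers=len(SERVER_KEYS)):
    """Every storage server keeps a full replica of the same chain."""
    replicas = [[] for _ in range(n_servers)]
    for row in rows:
        for r in replicas:
            append_row(r, row)
    return replicas

def tamper_row(replica, index, leaked_keys):
    """Insider who holds only the keys of the servers in `leaked_keys` rewrites
    row `index` on one replica and re-links as far as those keys allow.
    Returns how many LATER rows could be re-linked."""
    replica[index]["row"]["code"] = "attacker-chosen"
    relinked = 0
    for i in range(index, len(replica)):
        if (i + 1) % len(SERVER_KEYS) not in leaked_keys:
            break  # this link needs a key the insider does not have
        prev = replica[i - 1]["link"] if i > 0 else GENESIS
        replica[i]["link"] = link_value(i, prev, replica[i]["row"])
        relinked += int(i != index)
    return relinked

def demo():
    rows = [  # constructed pre-record rows in the style of FIG. 4
        {"seq": 1, "code": "c1", "created": "2016-01-01T10:00", "reservation_h": 24},
        {"seq": 2, "code": "c2", "created": "2016-01-03T09:00", "reservation_h": 24},
        {"seq": 3, "code": "c3", "created": "2016-01-05T08:00", "reservation_h": 24},
        {"seq": 4, "code": "c4", "created": "2016-01-07T07:00", "reservation_h": 24},
    ]
    replicas = build_replicas(rows)
    clean = verify_chain(replicas[0]) == -1 and replicas_agree(replicas)
    # insider on server 0 knows only key 0 and rewrites row index 2 there
    relinked = tamper_row(replicas[0], 2, leaked_keys={0})
    return clean, relinked, verify_chain(replicas[0]), replicas_agree(replicas)

if __name__ == "__main__":
    print(demo())
```

Calling demo() builds three replicas of a four-row chain, lets an insider who holds only server 0's key rewrite row 2 on server 0's replica, and returns whether the untouched chain verified, how many later rows the insider could re-link (none, since row 3's link needs server 1's key), the index at which verification of the tampered replica fails (3), and whether the replicas still agree (they do not). An insider holding every server's key can re-link one replica so that it verifies on its own, which is exactly why the description insists on comparing the copies held by the different servers.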

FIG. 6 is a schematic configuration diagram of an embodiment of the usage history browsing screen that the user can request from, and confirm on, the authentication computer, which is a main part of an embodiment of the present invention.

For an authentication code to play its role it must have randomness, like a password. Since the present invention concerns history-based management of authentication codes, uniqueness and memorability are additionally required. Randomness means that another party cannot predict the authentication code (password); uniqueness means that there is no duplicate data; memorability is a property that supports the user's short-term memory.

As shown in FIG. 6, these three properties are applied as follows. First, the randomness of the authentication code is ensured by allowing the user to change the authentication code at any time. Second, the uniqueness of the authentication code cannot be secured by the value of the authentication code cell alone, so it is combined with the other attribute values of the row (sequence number, creation date, use count, end date); the combination distinguishes the row from every other row. Third, memorability is secured through the history information and the creation dates of the authentication codes listed in chronological order.

In addition, the usage history browsing screen of FIG. 6 is an arrangement of data that allows the user to participate in verifying the authenticity of the authentication code. The authentication code column need not be a readable string as shown on the usage history screen; it may be displayed as an unreadable string because the code is stored encrypted in the DB. A "Description" column can also be provided so that the user can write down his or her own reason for generating the authentication code, which further aids memorability.

When an authentication code of the present invention is recorded, the corresponding authentication code data cannot function as an authentication code immediately; its function is suspended for the predetermined period or time set by the reservation period (for example, two days or 30 minutes). During the reservation period the user can check, by reading the recorded authentication code data, whether it was recorded by the user himself or herself. The attributes of the reservation period give the following security characteristics. All attempts to access the authentication computer and write to the pre-record table are serialized; authentication code data may be recorded concurrently, but only the authentication code data last recorded in the pre-record table performs its role. The user can carry out his or her own password integrity verification by checking the pre-record table or the post-record table during the reservation period of at least one day or 30 minutes to determine whether each record is the user's own action. Therefore, even if an authentication code recorded by a third party such as a hacker is assigned to the user, its integrity can be verified in sequence.

It is also important to ensure availability so that users can participate in integrity verification at any time. The areas where availability must be considered are the authentication system (authentication computer), the client (user terminal) and the communication network; in the present invention, however, attention is concentrated on the authentication system. When the network or the client is unstable, the user is assumed to be a security-conscious person who can reach the authentication system through whatever media are accessible in his or her environment. When the authentication system faces force majeure such as a Distributed Denial of Service (DDoS) attack whose traffic exceeds what the system can absorb, it automatically stops all commands not yet processed from that point on. Therefore, integrity cannot be broken by destroying availability.

Confidentiality is ensured not only by guarding the secret of the authentication code against exposure but also by preventing the end-use phase of an exposed authentication code. Specifically, the whole process of exposing an authentication code can be divided into access, acquisition and use. Various encryption technologies render an exposed authentication code unreadable even when it is exposed; this addresses the access phase of the above division. Since decrypting the encrypted code is practically difficult, attackers instead hack the user terminal, for example by memory hacking, to obtain the code before it is encrypted, and confidentiality is easily neutralized.

An intruder who has obtained an exposed authentication code must still make end use of it for the exposure to mean anything; this end use is the role of the authentication code. The present invention concentrates on that role and requires a reservation record to be left before a secured authentication code can be used. Since the user can check the authentication code history information during the reservation period for integrity verification, there is an opportunity to check whether the exposed authentication code is being used according to the user's intention. Therefore, the authentication code can play the role of a password even when the confidentiality of the authentication code itself is lost.

In addition, as a precondition of the present invention, the history of the authentication code data must be recorded and must not be deleted or changed. To directly manipulate the authentication code on the authentication computer, it is necessary to obtain the top-level authority of the DBMS. There are two purposes for obtaining top-level authority: the first is to manipulate the authentication code history data, and the second is to generate an authentication code directly and use it without restriction. The only way to prevent both is to fix the deletion and change permission settings unmodifiably when the table is first created. Modifying the table's permissions then requires entering a secret key; this secret key is automatically generated as a random value and discarded after a single use. Therefore the privilege to delete or modify the table cannot be changed, because doing so would require a secret key that nobody knows. Moreover, the user, who is the owner of the table, has the opportunity to check whether his or her own data has been forged, so user verification cannot be bypassed even when an outsider takes part in the manipulation.

Even if the privilege settings of the table were changed to allow deletion and modification, the backup data would have to be manipulated at the same time as the data in the storage device currently in use. Because backup data usually resides on a different server, such a concurrent operation is difficult enough that many stakeholders in the organization would have to participate. To remove even this possibility, backup data can be kept with a third party so that the parties protect each other's backups.
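As an added example, not code from the patent, the following Python shows one way to give the pre-record and post-record tables of the two paragraphs above the "append only" property at creation time. The patent fixes the delete and change permissions of the table when it is created; SQLite has no per-table privileges, so this example substitutes triggers that abort every UPDATE and DELETE, which is an assumption chosen for the example. It also makes concrete the residual risk the description names: a principal with the DBMS's top-level authority can drop the guard, which is why the description additionally distributes the history over several storage servers and backups. The table layout, column names and sample rows are constructed for the example.

```python
import hashlib
import sqlite3

# Added example, not the patent's code: an append-only history table in SQLite.
# The patent fixes the table's delete/change permissions when it is created;
# SQLite has no per-table privileges, so this example uses triggers that abort
# any UPDATE or DELETE (a substitute chosen for the example). The residual
# risk named in the description is shown too: top-level DBMS authority can
# drop the guard, which is why the history is also replicated and backed up.

SCHEMA = """
CREATE TABLE pre_record (
    seq         INTEGER PRIMARY KEY,
    user        TEXT NOT NULL,
    code_hash   TEXT NOT NULL,   -- the code is never stored readable (FIG. 6)
    created     TEXT NOT NULL,
    active_from TEXT NOT NULL,   -- end of the reservation period
    expires     TEXT NOT NULL,   -- end of the use time limit
    description TEXT
);
CREATE TABLE post_record (
    id      INTEGER PRIMARY KEY,
    seq     INTEGER NOT NULL REFERENCES pre_record(seq),
    used_at TEXT NOT NULL,
    result  TEXT NOT NULL,
    session TEXT                 -- administrator follow-up value, optional
);
CREATE TRIGGER pre_no_update  BEFORE UPDATE ON pre_record
    BEGIN SELECT RAISE(ABORT, 'pre_record is append-only'); END;
CREATE TRIGGER pre_no_delete  BEFORE DELETE ON pre_record
    BEGIN SELECT RAISE(ABORT, 'pre_record is append-only'); END;
CREATE TRIGGER post_no_update BEFORE UPDATE ON post_record
    BEGIN SELECT RAISE(ABORT, 'post_record is append-only'); END;
CREATE TRIGGER post_no_delete BEFORE DELETE ON post_record
    BEGIN SELECT RAISE(ABORT, 'post_record is append-only'); END;
"""

def code_hash(code):
    """Store only a digest of the authentication code, never the code itself."""
    return hashlib.sha256(code.encode()).hexdigest()

def open_history_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def record_generation(conn, user, code, created, active_from, expires, description=""):
    """Generation history (pre-record table); returns the new sequence number."""
    cur = conn.execute(
        "INSERT INTO pre_record (user, code_hash, created, active_from, expires, description)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (user, code_hash(code), created, active_from, expires, description))
    conn.commit()
    return cur.lastrowid

def record_use(conn, seq, used_at, result, session=None):
    """Use history (post-record table); returns the new row id."""
    cur = conn.execute(
        "INSERT INTO post_record (seq, used_at, result, session) VALUES (?, ?, ?, ?)",
        (seq, used_at, result, session))
    conn.commit()
    return cur.lastrowid

def attempt(conn, sql, params=()):
    """Run a statement an insider might try; True if the triggers blocked it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return False
    except sqlite3.DatabaseError:
        conn.rollback()
        return True

def demo():
    conn = open_history_db()
    seq = record_generation(conn, "alice", "code1", "2016-01-10T09:00",
                            "2016-01-11T09:00", "2016-01-18T09:00", "online settlement")
    record_use(conn, seq, "2016-01-12T10:00", "ok", "sess-1")
    blocked = (attempt(conn, "UPDATE pre_record SET code_hash = ? WHERE seq = ?", ("forged", seq)),
               attempt(conn, "DELETE FROM post_record WHERE seq = ?", (seq,)))
    intact = conn.execute("SELECT code_hash FROM pre_record WHERE seq = ?",
                          (seq,)).fetchone()[0] == code_hash("code1")
    # residual risk: top-level authority drops the guard and the update goes through
    conn.execute("DROP TRIGGER pre_no_update")
    after_drop = attempt(conn, "UPDATE pre_record SET code_hash = ? WHERE seq = ?", ("forged", seq))
    return blocked, intact, after_drop
```

demo() returns whether the ordinary UPDATE and DELETE were blocked (both are), whether the stored digest survived them, and whether the UPDATE was still blocked after the trigger was dropped (it is not). The third value is the point of the description's "top-level authority" argument: table-level guards stop ordinary clients and application bugs, not the DBMS administrator, so the history must also live somewhere that administrator does not control.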

FIG. 7 is a schematic configuration diagram of an embodiment of the authentication participation means executed in the user terminal, which is a main part of an embodiment of the present invention. As shown in FIG. 7, the authentication participation means of the present invention includes: an authentication code generation management unit 310 for generating an inactivated authentication code by attaching a use condition to an authentication code entered by the user and transmitting it to the authentication computer 100; an authentication code use management unit 320 for accessing the authentication computer 100 to use the authentication code; and an authentication code browse management unit 330 for accessing the authentication computer 100 and browsing the user's generation and use history of the authentication code.

FIG. 8 is a schematic block diagram of another embodiment of the history-based user authentication system of the present invention. As shown in FIG. 8, this embodiment comprises: a service computer 1000 including an authentication management unit 1100, which performs user authentication by checking conditions such as the stored authentication code and the use reservation period in response to a user's authentication request, and a service management unit 1200, which receives the user authentication request, forwards it to the authentication management unit 1100, and provides a predetermined service to the requesting user terminal after user authentication is completed; a user information database 2000, connected to or included in the service computer 1000, for storing the user information and user terminal information of authentication requests; a service information database 3000 for storing the predetermined service information to be provided to the user terminal; and authentication participation means 4000, executed in the user terminal, for transmitting an authentication code generated for the authentication management unit 1100 to the service computer 1000 through communication means, browsing the authentication code generation and use history, and using the authentication code. The user generates an authentication code including use reservation period information using the authentication participation means 4000 executed in the user terminal and stores it in the authentication management unit 1100 of the service computer 1000; means for checking the generation and use history of the authentication code are provided, and the authentication code can be used once the condition of the use reservation period is satisfied.

FIG. 9 is a flowchart for explaining an embodiment of the usage history-based user authentication method of the present invention. As shown in FIG. 9, the method includes: activating the authentication participation means by executing an application stored in the user terminal or by accessing the authentication computer to output an authentication related web program (S100); receiving, in the authentication participation means, the authentication code entered at the user terminal (S101); combining the authentication code with the authentication code use reservation period information and use time limit information selected or entered through the authentication participation means, and transmitting the result to the authentication computer (S102); storing, in the authentication computer, the inactivated authentication code together with its use condition, namely the use reservation period information and use time limit information (S103); the user terminal establishing a communication connection with the service computer and requesting a service (S104); the service computer accessing the authentication computer and requesting user authentication for the user terminal that requested the service (S105); the authentication computer requesting the user terminal to enter an authentication code (S106); the user terminal requesting to view the authentication codes stored in the authentication computer (S107); the authentication computer providing the authentication code viewing screen to the user terminal (S108); the user terminal transmitting the authentication code entered into the authentication participation means to the authentication computer (S109); the authentication computer checking whether the stored use condition of the transmitted authentication code is satisfied (S110); if the use condition is satisfied, checking whether the use time limit of the authentication code has elapsed (S111); if the use time limit has not elapsed, processing the user authentication and storing the use history of the authentication code (S112); and, after the user authentication is performed in the authentication computer, the service computer providing the predetermined service requested by the user terminal (S113).
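As an added example, not the patent's own code, the following Python models the pre-record and post-record tables of FIG. 4 together with the authentication steps S102 to S113 of FIG. 9, with the service computer relaying the request to the authentication computer. The activation rule is this example's reading of the description of FIG. 4: a row is pending until its reservation period has elapsed; if two or more rows are pending, every row is suspended; otherwise the most recently generated row whose reservation period has elapsed is the single active code, and it is refused once its use time limit (S111) has passed. The class names, timestamps and code values are assumptions of the example.

```python
from datetime import datetime, timedelta

# Added example, not the patent's code: the pre-record / post-record tables of
# FIG. 4 and the FIG. 9 flow (S102..S113) in plain Python. Activation rule, as
# read from the description: a row is pending until its reservation period has
# elapsed; if two or more rows are pending, every row is suspended; otherwise
# the newest row whose reservation period has elapsed is the single active
# code, and it is refused once its use time limit has passed. Names and
# timestamps below are this example's own assumptions.

class AuthenticationComputer:
    def __init__(self):
        self.pre_record = []   # generation history, one row per reserved code
        self.post_record = []  # use history

    def reserve_code(self, user, code, created_at, reservation, use_limit, description=""):
        """S102/S103: store an inactivated code with its use condition data."""
        row = {
            "seq": len(self.pre_record) + 1,
            "user": user,
            "code": code,
            "created": created_at,
            "active_from": created_at + reservation,           # reservation period ends
            "expires": created_at + reservation + use_limit,   # use time limit ends
            "description": description,
        }
        self.pre_record.append(row)
        return row["seq"]

    def active_row(self, user, now):
        """The one row (if any) currently allowed to function as the code."""
        rows = [r for r in self.pre_record if r["user"] == user]
        pending = [r for r in rows if now < r["active_from"]]
        if len(pending) >= 2:
            return None        # two reservations in succession suspend every row
        matured = [r for r in rows if now >= r["active_from"]]
        return matured[-1] if matured else None

    def authenticate(self, user, code, now, description="", session=""):
        """S110..S112: use condition, then use time limit, then record the use."""
        row = self.active_row(user, now)
        if row is None or row["code"] != code:
            result = "denied"
        elif now >= row["expires"]:
            result = "expired"
        else:
            result = "ok"
        self.post_record.append({"seq": row["seq"] if row else None, "user": user,
                                 "at": now, "result": result,
                                 "description": description, "session": session})
        return result

    def history(self, user):
        """FIG. 6: the user's own view of both tables for self-verification."""
        pre = [(r["seq"], r["code"], r["created"]) for r in self.pre_record if r["user"] == user]
        post = [(r["seq"], r["at"], r["result"]) for r in self.post_record if r["user"] == user]
        return pre, post


class ServiceComputer:
    """S104..S106 and S113: relays the request and serves only on success."""
    def __init__(self, auth):
        self.auth = auth

    def request_service(self, user, code, now):
        session = "sess-%d" % (len(self.auth.post_record) + 1)
        result = self.auth.authenticate(user, code, now, "document settlement", session)
        return "service granted" if result == "ok" else "service refused (%s)" % result


def demo():
    """Replays FIG. 4's sequence numbers 3, 4 and 5 with a 24 h reservation."""
    auth = AuthenticationComputer()
    svc = ServiceComputer(auth)
    t0 = datetime(2016, 1, 10, 9, 0)   # constructed timestamps
    day, week, hour = timedelta(days=1), timedelta(days=7), timedelta(hours=1)
    for i in range(3):                 # seq 1..3, generated two days apart
        auth.reserve_code("alice", "code%d" % (i + 1), t0 + 2 * i * day, day, week)
    now = t0 + 5 * day                 # seq 3 matured, nothing pending
    out = [svc.request_service("alice", "code3", now)]
    auth.reserve_code("alice", "code4", now, day, week)              # seq 4 pending
    out.append(svc.request_service("alice", "code3", now + hour))    # seq 3 still active
    auth.reserve_code("alice", "code5", now + 2 * hour, day, week)   # seq 5 pending too
    out.append(svc.request_service("alice", "code3", now + 3 * hour))     # all suspended
    out.append(svc.request_service("alice", "code4", now + day + hour))   # seq 4 active
    out.append(svc.request_service("alice", "code5", now + 2 * day))      # seq 5 active
    out.append(svc.request_service("alice", "code5", now + 10 * day))     # use limit passed
    return out, auth.history("alice")
```

demo() returns the six service outcomes in order (granted, granted, refused because two rows are pending, granted with sequence number 4, granted with sequence number 5, refused because the use time limit has passed) together with the user's view of both tables, in which the refused attempt is logged with no sequence number. The post-record entries are what the user checks during the reservation period to see whether a code he or she did not reserve is being exercised.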

FIG. 10 is a flowchart for explaining another embodiment of the usage history-based user authentication method of the present invention. As shown in FIG. 10, the method includes: activating the authentication participation means by executing an application stored in the user terminal or by accessing the authentication management unit to output an authentication related web program (S200); receiving, in the authentication participation means, the authentication code entered at the user terminal (S201); transmitting the authentication code to the service computer together with the authentication code use reservation period information and use time limit information selected or entered through the authentication participation means (S202); storing, in the authentication management unit of the service computer, the inactivated authentication code together with its use condition, namely the use reservation period information and use time limit information (S203); the user terminal requesting a service from the service computer (S204); the service computer requesting the authentication management unit to authenticate the user terminal that requested the service (S205); the authentication management unit requesting the user terminal to enter an authentication code (S206); the user terminal requesting to view the authentication codes stored in the authentication management unit (S207); the authentication management unit providing the authentication code viewing screen to the user terminal (S208); the user terminal transmitting the authentication code entered into the authentication participation means to the authentication management unit (S209); the authentication management unit checking whether the stored use condition of the transmitted authentication code is satisfied (S210); if the use condition is satisfied, checking whether the use time limit of the authentication code has elapsed (S211); if the use time limit has not elapsed, processing the user authentication and storing the use history of the authentication code (S212); and, after the user authentication is performed in the authentication management unit, the service computer providing the predetermined service requested by the user terminal (S213).

The embodiments of the present invention described above can be applied to fields that require confirmation by the user, such as online document settlement and real estate registration.

The embodiments of the present invention described above are only a few of many possible embodiments. Any embodiment in which the user terminal, using the activated authentication participation means, generates an authentication code with a use condition such as a use reservation period and stores it in an authentication computer or service computer, user authentication is performed on that basis, and the user terminal can view the history of authentication code generation and use, falls within the technical idea and the protection scope of the present invention.

100: Authentication computer
200, 600: user database
300: User terminal
400: service computer
500: Service database

Claims (10)

An authentication computer; and authentication participation means connected to the authentication computer and output from a user terminal for performing user authentication;
The authentication computer includes authentication code generation management means for receiving and storing the authentication code transmitted from the user terminal and the usage condition data of the authentication code; An authentication code use condition management unit for confirming whether the use condition of the authentication code is satisfied in response to the use request of the authentication code from the user terminal; An authentication code use management means for performing a user authentication process when the use condition of the authentication code is satisfied; And authentication code history management means for recording and storing the generation history of the authentication code and the usage history of the authentication code in a table;
Wherein the authentication code generation management means manages the authentication code transmitted from the user terminal so as not to be deleted or changed and encrypts the authentication code history information transmitted from the user terminal to make a node, Therefore, it is possible to perform arbitrary operations by the individual server administrators, to perform integrity verification by making it possible to compare hash values or original authentication code information for each node,
Wherein the verification code use condition management means performs verification of whether or not the use condition of the authentication code satisfies the usage condition based on the reservation record of the authentication codes, Whether or not a time or period has arrived,
Wherein the table for recording the generation history of the authentication code and the usage history of the authentication code in the authentication code history management means includes a dictionary record table for recording the generation history of the authentication code, And a post history record table.
A service computer including a service management unit for providing a predetermined service and an authentication management unit for performing a user authentication to receive the service; and an authentication unit connected to the service computer to perform authentication Means of participation;
Wherein the authentication management unit of the service computer comprises authentication code generation management means for receiving and storing the authentication code transmitted from the user terminal and the usage condition data of the authentication code; An authentication code use condition management unit for confirming whether the use condition of the authentication code is satisfied in response to the use request of the authentication code from the user terminal; An authentication code use management means for performing a user authentication process when the use condition of the authentication code is satisfied; And authentication code history management means for recording and storing the generation history of the authentication code and the usage history of the authentication code in a table;
Wherein the authentication code generation management means manages the authentication code transmitted from the user terminal so that it cannot be deleted or modified, and makes the authentication code history information transmitted from the user terminal into a node, and then,
Wherein the authentication code use condition management means verifies, based on the reservation record of the authentication codes, whether the use condition of the authentication code is satisfied, that is, whether the reserved time or period has arrived,
Wherein the table in which the authentication code history management means records the generation history of the authentication code and the usage history of the authentication code includes a pre-record table for recording the generation history of the authentication code and a post-record table for recording the usage history of the generated authentication code.
The method according to claim 1 or 2,
Wherein the authentication participation means is an application program executed by the user terminal or a web program output from the user terminal.
The method of claim 3,
Wherein the authentication participation means comprises authentication code generation management means for generating an authentication code; An authentication code use management means for using the authentication code; And an authentication code browse management means for browsing the history of the generated or used authentication codes.
The method according to claim 1 or 2,
Wherein the usage condition data of the authentication code includes usage reservation period of the authentication code and authentication code use time limit information.
(deleted)
(deleted)
The method of claim 4,
Wherein the authentication code browse management means makes the generated authentication code information and the usage history information of the authentication code viewable through the authentication participation means.
Executing an application stored in a user terminal, or accessing an authentication computer or a service computer to output an authentication-related web program, to activate the authentication participation means; receiving the authentication code input by the user terminal into the authentication participation means; combining the usage condition, including the authentication code use reservation period information and the use time limit information selected or input through the authentication participation means, with the authentication code to generate an inactivated authentication code, and transmitting it to the authentication management unit of the authentication computer or the service computer; receiving the authentication code input to the authentication participation means when the user terminal wishes to use the authentication code; transmitting the information of the authentication code to the authentication management unit of the authentication computer or the service computer to inquire the use condition of the authentication code; performing authentication code use processing by the authentication management unit of the authentication computer or the service computer when the use condition of the authentication code is satisfied; wherein the authentication management unit of the authentication computer or the service computer stores the usage history of the user's authentication code in a table;
Wherein the authentication management unit of the authentication computer or the service computer manages the authentication code transmitted from the user terminal so that it cannot be deleted or modified, converts the authentication code history information transmitted from the user terminal into nodes, and distributes them to a plurality of storage servers,
Wherein the confirmation of whether the use condition of the authentication code is satisfied is performed based on the reservation record of the authentication codes, and
Wherein the table for recording the generation history of the authentication code and the usage history of the authentication code includes a pre-record table for recording the generation history of the authentication code and a post-record table for recording the use history of the generated authentication code, in a use history-based user authentication method.
The method of claim 9,
Wherein the table includes a pre-record table for recording the generation history of the authentication code and a post-record table for recording the usage history of the generated authentication code.
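As an added worked example (not the patent's own code, nor any implementation by the applicant), the following Python sketch models the scheme of claims 1 and 9: an inactive code is registered with its reservation window and use time limit in a pre-record table, each use attempt is checked against that window and appended to a post-record table, every history record is hashed into a node chained to the previous one and mirrored on several storage servers, and an integrity check compares the node hashes across servers. All names, the table layout and the reading of the "use time limit" as a number of seconds after the reservation opens are assumptions made for this illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first history node

def make_node(prev_hash, payload):
    """One history record becomes a node chained to its predecessor (SHA-256 stands in for the claims' encryption)."""
    body = prev_hash + json.dumps(payload, sort_keys=True)
    return {"prev": prev_hash, "payload": payload, "hash": hashlib.sha256(body.encode()).hexdigest()}

class AuthCodeManager:
    """Pre-record table (generation), post-record table (use), node chain mirrored on several servers.
    No method deletes or updates a record, so both tables are append-only by construction."""
    def __init__(self, replicas=3):
        self.pre, self.post = [], []
        self.servers = [[] for _ in range(replicas)]

    def _append(self, table, payload):
        prev = self.servers[0][-1]["hash"] if self.servers[0] else GENESIS
        node = make_node(prev, payload)
        table.append(payload)
        for server in self.servers:  # distribute an independent copy to every storage server
            server.append(copy.deepcopy(node))
        return node["hash"]

    def register(self, user, code, start, end, limit, now):
        """Store the inactive code with its use condition; assumption: 'limit' is seconds after 'start' it stays usable."""
        cond = {"start": start, "end": min(end, start + limit)}
        digest = hashlib.sha256(code.encode()).hexdigest()  # keep only a digest of the code in the table
        return self._append(self.pre, {"user": user, "code": digest, "cond": cond, "at": now})

    def use(self, user, code, now):
        """Grant use only if a generation record matches and its reserved time has arrived and not passed."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        rec = next((r for r in self.pre if r["user"] == user and r["code"] == digest), None)
        ok = rec is not None and rec["cond"]["start"] <= now <= rec["cond"]["end"]
        self._append(self.post, {"user": user, "code": digest, "at": now, "result": "ok" if ok else "denied"})
        return ok

    def verify_integrity(self):
        """All servers must hold the same chain and every copy must re-hash to its stored value."""
        if len({len(s) for s in self.servers}) != 1: return False  # a server dropped or added a node
        prev = GENESIS
        for nodes in zip(*self.servers):
            recomputed = {make_node(prev, n["payload"])["hash"] for n in nodes}
            if len(recomputed) != 1 or any(n["prev"] != prev or n["hash"] not in recomputed for n in nodes):
                return False
            prev = recomputed.pop()
        return True
```

The cross-server comparison catches a single administrator altering one copy or dropping a record; a coordinated rewrite of every replica's tail would still need the current head hash to be anchored somewhere the servers cannot change.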
KR1020160003097A 2016-01-11 2016-01-11 Using history-based authentication code management system and method thereof KR101651563B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160003097A KR101651563B1 (en) 2016-01-11 2016-01-11 Using history-based authentication code management system and method thereof

Publications (1)

Publication Number Publication Date
KR101651563B1 true KR101651563B1 (en) 2016-09-05

Family

ID=56939004

Country Status (1)

Country Link
KR (1) KR101651563B1 (en)

Legal Events

Date Code Title Description
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190805

Year of fee payment: 4