KR101659847B1 - Method for two channel authentication using smart phone - Google Patents

Method for two channel authentication using smart phone Download PDF

Info

Publication number
KR101659847B1
Authority
KR
South Korea
Prior art keywords
user
authentication
mobile terminal
site
security token
Prior art date
Application number
KR1020150099616A
Other languages
Korean (ko)
Inventor
안준철
강지헌
김성원
Original Assignee
(주)케이스마텍

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3215 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Abstract

The present invention provides a method for performing two-channel user authentication using a mobile terminal, ensuring security when logging in to and using a web site by involving the user's mobile terminal whenever the web site requires user authentication. When authentication is required for a registered web site of a registered user, an authentication server transmits the user identification (ID) and the web site ID, encrypted with a terminal symmetric key, to the mobile terminal. The mobile terminal displays an authentication confirmation screen showing the user ID and the web site ID for the user to check. Once the user has confirmed, the mobile terminal generates a security token, encrypts it with the terminal symmetric key, and transmits it to the authentication server. The authentication server decrypts the encrypted security token using the terminal symmetric key of the corresponding mobile terminal and performs authentication by comparing the registered security token with the received one. According to the present invention, highly secure user authentication can be performed using the mobile terminal when Internet services are used through an information device such as a personal computer, which gives the method superior generality and convenience of use.

Description

The present invention relates to a two-channel user authentication method using a mobile terminal, and more particularly to a two-channel user authentication method in which a mobile terminal serves as a second channel for authenticating a user on a web site.

Security is a very important issue for web sites because services that require it, such as Internet shopping, financial transactions, and access to confidential information, are widely used. Conventionally, one method of securing a web site is for the service provider or a security service provider to send a text message containing an authentication number to the web site user's mobile terminal; the user is confirmed as legitimate by entering that number. However, with this method, a program that forwards text messages to another device can be planted on the mobile terminal by a computer virus, so that the authentication text message is forwarded to a designated terminal and security is broken. Also, if the mobile terminal is lost, security cannot be ensured.

Another method uses a public certificate, as in Japanese Patent Registration No. 10-1247521, but it is inconvenient to use, and if the public certificate itself is lost or leaked, security is compromised. Security methods using biometric information such as a fingerprint are also used, but the recognition rate drops when the hand is wet or dirty, and security becomes a problem when the terminal is infected with a virus or hacked.

Also, when personal information is leaked, there are cases in which a large number of users are billed large amounts for mobile or Internet services that a third party subscribed to and used in their name without permission.

In addition, although public Internet services use the public certificate, there is demand for a general-purpose method that can substitute for it. Separate one-time password generators are also used to achieve higher security in financial transactions, but it is very inconvenient to carry a separate password-generating device for each financial institution one transacts with.

It is an object of the present invention to provide a two-channel user authentication method using a mobile terminal capable of ensuring security when subscribing to and using an Internet service. It is another object of the present invention to provide a two-channel user authentication method using a mobile terminal which can be used universally when using an Internet service and has high security.

The user authentication method of the present invention includes a registration step and an authentication step.

In the registration step, a web site that the user has accessed through a user PC requests a new registration by transmitting the user ID and the site ID of the web site to the authentication server. The authentication server encrypts the user ID and the site ID with a common key, converts the data including the encrypted user ID and site ID into a specific image, and transmits the image to the web site. When the web site outputs the specific image on the screen of the user PC, the user's mobile terminal captures and reads the specific image using the authentication application, decrypts the read information using the common key, acquires the device ID of the mobile terminal, generates the terminal symmetric key, encrypts the registration data including the user ID, the site ID, the device ID, and the terminal symmetric key with the common key, and transmits the encrypted registration data to the authentication server. The authentication server decrypts the registration data received from the mobile terminal, associates and stores the decrypted data, generates a security token seed using at least a part of the stored data, transmits the security token seed to the mobile terminal, and stores it.

In the authentication step, when user authentication is required, the web site transmits the user ID and the site ID to the authentication server. The authentication server encrypts the user ID and the site ID with the terminal symmetric key associated with them and pushes the encrypted data to the mobile terminal associated with the user ID and the site ID. On receiving the pushed data, the mobile terminal decrypts it using the terminal symmetric key, displays an authentication confirmation screen including at least a part of the decrypted data, and receives authentication confirmation from the user. After receiving the confirmation, the mobile terminal generates a security token using the stored security token seed, encrypts it with the terminal symmetric key, and transmits the encrypted security token to the authentication server. The authentication server decrypts the received security token with the terminal symmetric key corresponding to the mobile terminal, verifies the security token, and transmits the result to the web site.

The security token seed and the terminal symmetric key can be generated using at least the time and device ID. The verification of the security token may be a comparison of a security token generated using the security token seed with a security token received from the mobile terminal.

Upon receiving a new registration request including the user ID and the site ID from the web site, the authentication server checks whether the user ID and the site ID are already registered; if not, it encrypts the user ID and the site ID with the common key, generates a QR code from them, and transmits it to the web site. In one embodiment, the specific image is a QR code image. Also, the device ID of the mobile terminal is the SUID (a 16-byte unique identifier of the SoC).

The registration step may further include setting a password in the authentication application. In this case, when the authentication confirmation screen is displayed in the authentication step and the user's confirmation is received, the password is also entered, and the subsequent procedure proceeds only if the entered password matches the one that was set.

According to the present invention, highly secure user authentication can be performed using a mobile terminal when an Internet service is used through an information device such as a personal computer, which makes the method both general purpose and easy to use. Security is also high because the mobile terminal handles the password for authentication in a security operating system that is independent of the general operating system. In addition, unauthorized subscription by another person can be prevented not only when a user uses a service but also when the user subscribes to a web site, thereby enhancing the stability of the service.

FIG. 1 is a network diagram showing a mobile terminal, an authentication server, a web site, and a user PC for performing a user authentication method of the present invention connected through a network.
FIG. 2 is a functional block diagram of a mobile terminal, an authentication server, and a web site for performing the user authentication method of the present invention.
FIG. 3 is a flowchart showing a procedure for passing terminal control between the NW (Normal World) and the SW (Secure World).
FIG. 4 is a flowchart illustrating a procedure for registering a user for a specific web site on the authentication server for the authentication of the present invention.
FIG. 5 is a flowchart showing the authentication procedure for logging in to a registered web site.
FIG. 6 is a flowchart showing the authentication procedure when the push data is not received during the procedure for logging in to a registered web site.
FIG. 7 shows an example of the authentication confirmation screen.
FIG. 8 shows an example of the registered site screen.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a network diagram showing a mobile terminal, an authentication server, a web site, and a user PC for performing a user authentication method of the present invention connected through a network. The authentication method of the present invention is applicable when a service provided by the web site 300 (for example, Internet banking provided by a bank server) is used through the user PC 400.

The general operating system and the security operating system run independently on the mobile terminal 100, and the processing of security information for registering a web site with the authentication server and for using the service provided by the registered web site is performed in the security operating system. When login (or user) authentication is required on a registered web site of a registered user, the authentication server 200 transmits the user ID and the web site ID, encrypted with the terminal symmetric key, to the mobile terminal 100. The mobile terminal 100 displays an authentication confirmation screen showing at least a part of the decrypted data, for example the user ID and the web site ID, and receives confirmation from the user. Having received the user's confirmation, the mobile terminal 100 generates a security token, encrypts it with the terminal symmetric key, and transmits the encrypted token to the authentication server 200. The authentication server 200 decrypts the encrypted security token using the terminal symmetric key of the corresponding mobile terminal 100, compares the received security token with the security token registered for the corresponding user ID and web site ID, and transmits the result to the web site and the mobile terminal; the web site then allows the user to log in (or use the service) according to the received result.

FIG. 2 is a functional block diagram of a mobile terminal, an authentication server, and a web site for performing the user authentication method of the present invention.

In the present invention, a mobile terminal 100 such as a smart phone or a tablet PC runs a general operating system such as Android (Google's smart phone operating system) or iOS (Apple's iPhone operating system) together with a security operating system that operates independently of the general operating system. Hereinafter, the area where the general operating system operates is referred to as the NW (Normal World) 110, and the area where the security operating system operates is referred to as the SW (Secure World) 120.

The security application 112, which provides mobile security enhancement services such as payment, authentication, financial information management, personal information management, device management, and security services, needs a trusted execution environment (TEE) agent 113 to access the security information located in the SW 120. The TEE agent 113 serves as a gateway between the mobile security enhancement service applications 111 in the NW 110 and communication with the TEE (Trusted Execution Environment). The TEE agent 113 may be loaded into the mobile security enhancement service application 111 in the form of an API (Application Programming Interface) or may operate in the background as a standalone application.

The TEE agent 113 communicates with the Rich Execution Environment (REE) agent 123 at the SW 120. The REE agent 123 acts as a gateway for communications with the REE at the SW 120 and with a Trusted Application 122 (hereinafter referred to as TA). The REE agent 123 only accepts the connection of the authenticated TEE agent 113.

The TA 122 provides a security-enhanced user interface (security-enhanced I/O TA) through I/O devices such as a camera, a microphone, a touch screen, and a fingerprint scanner, encrypts and decrypts feature values for user identification (encrypting and decrypting TA), and manages and controls the personal information stored in the SW 120, for example by storing the encrypted feature values in the personal information DB 121. The TA 122 is not directly accessible from the NW 110 and is only accessible via the REE agent 123. In addition, key personal information such as feature values, the public key certificate, the ID, and the password required for operations of the TA 122 such as generation of the terminal symmetric key and generation of the security token is also stored in the SW 120. According to an embodiment, the personal information DB 121 may be placed in a security area physically separated from the general area in which the general operating system operates. Alternatively, the entire SW 120 may be stored in the security area. The security area can be, for example, a TEE based on ARM TrustZone.

The TEE agent 113 can be managed and controlled by the authentication server 200 outside the mobile terminal when performing authentication. The authentication server 200 includes an encryption module 210 and a decryption and verification module 220 to perform user authentication together with the TEE agent 113 of the mobile terminal. The encryption module 210 encrypts the user ID, the web site ID, and the security token seed using the common key or the terminal symmetric key, and the decryption and verification module 220 decrypts the registration data and the security token received from the mobile terminal and compares the received security token with the stored security token to verify that the user is legitimate. The web site 300 whose service the user of the mobile terminal 100 receives is provided with a security interlocking module 320 and a service providing module 310, so that user authentication for login or service provision is performed with the help of the authentication server 200.

Next, with reference to FIG. 3, a procedure for passing the terminal control right between the NW and the SW will be described.

When security is required for user input or information output in the security application 112 adopting the security service of the present invention, for example when an authentication confirmation screen or a registered site screen is to be output on the display of the mobile terminal, the security application 112 calls the TEE agent 113 (step 1).

The TEE agent 113 requests the REE agent 123 of the SW 120 to transfer control for secure user input, passing information such as the application ID and the user input type (step 2). The REE agent 123 passes the received information to the TA 122 responsible for user input processing (step 3), and the TA 122 requests control authority from the security operating system (step 4). The user screen is then switched to the SW 120. The security operating system returns the result of the control transfer to the TA 122, and the TA 122 outputs a screen according to the type of user input (step 5). For example, when a password of the mobile terminal is to be input, a password entry screen is displayed, and when the user touches the input field, a security keypad is displayed on the screen.

The data input by the user is encrypted in the TA 122 and transmitted to the REE agent 123 (step 6), and the REE agent 123 transfers the encrypted data to the TEE agent 113 (step 7). The TEE agent 113 transfers the data to the security application 112 that requested the service (step 8), and the security application 112 transmits the encrypted data to the authentication server 200.

Next, the two-channel user authentication method using the mobile terminal of the present invention will be described in detail with reference to FIG. 4 and the following figures.

<Service Registration Phase>

First, referring to FIG. 4, a description will be given of a procedure for a user to perform a user registration for a specific web site for authentication of the present invention.

A user who accesses the web site 300 using the PC 400 inputs a user ID and requests membership/authentication registration according to the present invention from the web site 300 (step 401). In some embodiments, the user may already be subscribed to the web site 300 with a user ID and password. Alternatively, the user may subscribe to the web site 300 with a user ID and apply for registration of the authentication of the present invention at the same time. In yet another embodiment, the user has already subscribed to the web site 300 with a user ID and password and applies for the authentication method of the present invention for a specific service provided by the web site 300 (for example, payment or viewing of secret information). In this case, if the user is already logged in to the web site 300, the web site 300 may be configured to retrieve the user ID from the login information at step 401 without the user having to input it.

The web site 300, receiving the application for registration of the authentication from the user PC 400, transmits the user ID and the site ID of the web site 300 to the authentication server 200 and asks whether the user is already registered for this web site (step 403). The authentication server 200 returns to the web site 300 whether the corresponding user ID and site ID are stored in association with each other, that is, whether the user is registered for the web site (step 405). If not registered, the web site 300 sends a terms-of-agreement screen to the user PC 400 and proceeds with the agreement process (step 407).

When the agreement procedure is completed, the web site 300 transmits the user ID and the site ID of the web site 300 to the authentication server 200 and requests a new registration (step 409). Depending on the embodiment, step 403 may be omitted, with steps 405 and 407 performed when the new registration request of step 409 arrives.

The authentication server 200 then encrypts the user ID and the site ID using the common key, generates an image by converting the data including the encrypted user ID and site ID into a QR code, and transmits the generated image to the web site 300 (step 411).

The web site 300 transmits the received QR code image to the user PC 400 so that the QR code image is displayed on the screen of the user PC 400 (step 413).

Meanwhile, the user installs and executes the authentication application, which contains the common key, on his or her mobile terminal 100 (step 415). The common key is common to all terminals on which the authentication application is installed, regardless of web site or user. The authentication application consists of an application 112 operating in the NW 110 and a TA 122 operating in the SW 120, and the common key is distributed within the TA 122 operating in the SW 120.

The authentication application installed on the mobile terminal 100 captures and reads the QR code in the NW 110 and transfers the read information to the TA 122 operating in the SW 120 (step 417). The TA 122 decrypts the information read from the QR code using the common key to extract the user ID and the site ID, obtains the CPU serial number SUID (a 16-byte unique identifier of the SoC) of the mobile terminal 100 as the device ID, and generates a terminal symmetric key to be used for subsequent encryption and decryption. The TA 122 encrypts the registration data including the user ID, the site ID, the device ID, and the terminal symmetric key with the common key and transfers the encrypted registration data to the NW 110 (step 419).

The terminal symmetric key can be generated based on, for example, the device ID and a time value. The terminal symmetric key is generated only once per terminal: once it has been generated for registration with a specific web site, registration with another web site does not generate a new terminal symmetric key but reuses the existing one.

The NW 110 transmits the encrypted registration data to the authentication server 200 (step 421). The authentication server 200 decrypts the received registration data and stores the decrypted items in association (mapped) with each other, then generates and stores a security token seed and transmits it to the mobile terminal 100 (step 423). The terminal symmetric key is stored in association with the device ID, and the security token seed can be stored in association with the user ID and the web site ID. Alternatively, like the terminal symmetric key, only one security token seed may be generated per mobile terminal, in which case the security token seed is stored in association with the device ID. The security token seed can be generated using the time and the device ID.

The security token seed from the authentication server 200 is passed to the SW 120. The SW 120 stores the security token seed and transmits a registration completion message to the authentication server 200 via the NW 110, and the authentication server 200 forwards the registration completion message to the web site 300 (step 425). The web site 300 then displays a screen on the user PC 400 indicating that registration is complete.

<Login step>

A method of logging in to the web site after the user has registered it with the authentication server will be described with reference to FIG. 5. In the following description, the case where the user logs in to the web site is taken as an example, but the present invention can equally be applied to authentication for use of a specific service while logged in to the web site.

The user accesses the Web site 300 through the user PC 400 and inputs a user ID and requests a login (step 501). According to the embodiment, the user ID and the password may be input together and a login may be requested.

The web site 300 transmits the user ID and the site ID to the authentication server 200 and requests authentication (step 503). The authentication server 200 then finds the device ID registered in association with the user ID, encrypts the user ID and the site ID using the terminal symmetric key associated with that device ID, and pushes the encrypted data to the authentication application on the mobile terminal (step 505).

When the push data is received, the authentication application installed on the mobile terminal 100 is executed, the received data is decrypted in the SW 120 with the terminal symmetric key to extract the user ID and the site ID, and the information for user confirmation is displayed on the screen (step 507). An example of the screen at this time is shown in FIG. 7. The user checks the displayed information and presses the OK button, and the NW 110 informs the SW 120 that the user has confirmed (step 509). Alternatively, the screen example of FIG. 7 may be configured to require the user to input a predetermined password: the password is set when the authentication application is installed, it is entered on the screen of FIG. 7, and the subsequent procedure proceeds only when the entered password matches the set password.

After receiving the user's confirmation, the SW 120 generates a security token using the stored security token seed, encrypts the generated security token with the terminal symmetric key, and transfers the encrypted security token to the NW 110 (step 511), which transmits it to the authentication server 200 (step 513).

The authentication server 200 decrypts the security token with the terminal symmetric key registered in association with the device ID, and then compares the decrypted security token with the security token registered for the user ID and the site ID (or, in some embodiments, a security token generated using the security token seed). If the two security tokens match, authentication succeeds; otherwise, authentication fails. The authentication server 200 transmits the authentication result to the web site 300 and the mobile terminal 100 (step 515). The authentication result is displayed on the screens of the mobile terminal 100 and the web site 300 (steps 517 and 519). If the result is authentication success, the web site 300 permits the user to log in.
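The registration (steps 401 to 425) and login (steps 501 to 519) exchanges described above, simulated end to end on both sides as an added example; this is not code from the patent or from its assignee. The cipher is an HMAC-SHA256 encrypt-then-MAC stand-in for the symmetric cipher the patent leaves unspecified, the security token is an HMAC of the seed over a 30-second time window, and AuthServer, SecureWorld, run_flow and the sample IDs are assumed names and values.

```python
import hashlib
import hmac
import json
import os
import struct
COMMON_KEY = hashlib.sha256(b"constructed common key baked into the app").digest()  # same in every install
TOKEN_STEP = 30  # seconds per security-token window (assumption; the patent fixes no period)

def _keystream_xor(key, nonce, data):
    out = bytearray()  # XOR data with HMAC-SHA256 counter blocks; shared by encrypt and decrypt
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key, plaintext):
    # Stand-in for the patent's unspecified symmetric cipher: encrypt-then-MAC with HMAC-SHA256.
    nonce = os.urandom(16)
    body = _keystream_xor(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered data")
    return _keystream_xor(key, nonce, body)

def derive_key(label, device_id, now):
    # Key or seed "generated using the time and device ID", plus fresh randomness (assumption).
    return hashlib.sha256(label + device_id + struct.pack(">Q", now) + os.urandom(16)).digest()

def make_token(seed, now):
    # Security token from the stored seed and the current time window (assumed construction).
    return hmac.new(seed, struct.pack(">Q", now // TOKEN_STEP), hashlib.sha256).digest()

class AuthServer:
    def __init__(self):
        self.terminal_keys = {}  # device_id -> terminal symmetric key
        self.registrations = {}  # (user_id, site_id) -> (device_id, security token seed)

    def new_registration(self, user_id, site_id):  # steps 409-411: QR payload under the common key
        return encrypt(COMMON_KEY, json.dumps({"user_id": user_id, "site_id": site_id}).encode())

    def register(self, enc_registration, now):
        # Steps 421-423: store the terminal key, generate a seed, return it under the terminal key.
        reg = json.loads(decrypt(COMMON_KEY, enc_registration))
        key = bytes.fromhex(reg["terminal_key"])
        if self.terminal_keys.setdefault(reg["device_id"], key) != key:
            raise ValueError("device already registered with a different terminal key")
        seed = derive_key(b"seed", bytes.fromhex(reg["device_id"]), now)
        self.registrations[(reg["user_id"], reg["site_id"])] = (reg["device_id"], seed)
        return encrypt(key, seed)

    def push_challenge(self, user_id, site_id):
        # Steps 503-505: push the IDs encrypted under the registered device's terminal key.
        device_id, _ = self.registrations[(user_id, site_id)]
        return encrypt(self.terminal_keys[device_id], json.dumps({"user_id": user_id, "site_id": site_id}).encode())

    def verify(self, user_id, site_id, enc_token, now):
        # Steps 513-515: decrypt with the device's terminal key, compare with a token made from the seed.
        device_id, seed = self.registrations[(user_id, site_id)]
        try:
            token = decrypt(self.terminal_keys[device_id], enc_token)
        except ValueError:  # wrong key or ciphertext altered in transit
            return False
        return hmac.compare_digest(token, make_token(seed, now))

class SecureWorld:  # models the TA in the SW: keys and seeds never leave it unencrypted
    def __init__(self, suid):
        self.suid, self.terminal_key, self.seeds = suid, None, {}  # suid: 16-byte SoC ID

    def read_qr(self, qr_payload, now):
        # Steps 417-419: decrypt the QR data, create the terminal key once, return registration data.
        ids = json.loads(decrypt(COMMON_KEY, qr_payload))
        if self.terminal_key is None:  # generated only once per terminal, reused for later sites
            self.terminal_key = derive_key(b"tkey", self.suid, now)
        ids.update(device_id=self.suid.hex(), terminal_key=self.terminal_key.hex())
        return encrypt(COMMON_KEY, json.dumps(ids).encode())

    def store_seed(self, user_id, site_id, enc_seed):  # step 423, terminal side
        self.seeds[(user_id, site_id)] = decrypt(self.terminal_key, enc_seed)

    def on_push(self, blob):  # step 507: the decrypted IDs are what the confirmation screen shows
        return json.loads(decrypt(self.terminal_key, blob))

    def confirm(self, shown, now):  # steps 509-511: the user pressed OK on the shown IDs
        token = make_token(self.seeds[(shown["user_id"], shown["site_id"])], now)
        return encrypt(self.terminal_key, token)

def run_flow(now, tamper=False, verify_at=None):
    # Registration followed by one login for a constructed user, site and device.
    server, phone = AuthServer(), SecureWorld(os.urandom(16))
    qr = server.new_registration("alice", "bank.example")
    phone.store_seed("alice", "bank.example", server.register(phone.read_qr(qr, now), now))
    shown = phone.on_push(server.push_challenge("alice", "bank.example"))
    enc_token = phone.confirm(shown, now)
    if tamper:  # flip one byte of the token ciphertext in transit: the server must reject it
        enc_token = enc_token[:20] + bytes([enc_token[20] ^ 1]) + enc_token[21:]
    return server.verify("alice", "bank.example", enc_token, now if verify_at is None else verify_at)
```

Because the common key is the same in every install of the authentication application, the QR payload and the registration data are only as secret as the application itself; what binds a registration to one device is the terminal symmetric key, which here is generated and kept inside SecureWorld and leaves it only in encrypted form.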

Meanwhile, the authentication process can continue even if the mobile terminal 100 fails to receive the push data sent in step 505. This procedure will be described with reference to FIG. 6. The procedure in FIG. 6 up to step 605 is the same as the procedure up to step 505 in FIG. 5, so a detailed description is omitted.

When push data is not received from the authentication server 200 after the login request has been made to the web site 300, the user runs the authentication application installed on the mobile terminal 100 and selects the menu item for push data not received (step 607). The SW 120 then displays a list of the sites registered by the user, as shown in FIG. 8 (step 609). When the user selects the site corresponding to the web site 300 to log in to, the selection is transmitted from the NW 110 to the SW 120 (step 611). Optionally, a predetermined password may also be requested from the user when the site is selected.

Since the procedure from step 613 to step 621 after the website is selected is the same as the procedure from step 511 to step 519 in FIG. 5, detailed description will be omitted.

While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments. Within the scope of the present invention, the components may be selectively combined with one or more of the others. Although each component may be implemented as independent hardware, some or all of the components may be selectively combined so that a part or all of their functions are performed in one or a plurality of hardware units. As shown in FIG. The codes and code segments constituting such a computer program can be easily deduced by those skilled in the art. Such a computer program can be stored in a computer-readable storage medium and read and executed by a computer, thereby realizing an embodiment of the present invention. The storage medium of the computer program may include a semiconductor recording medium, a magnetic recording medium, an optical recording medium, a carrier wave medium, and the like.

Furthermore, the terms "comprises", "comprising" and "having" used above mean that the named component may be included unless otherwise specifically stated, and should be construed as allowing other elements to be included as well.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from its essential characteristics. The embodiments disclosed herein are therefore intended to illustrate rather than limit the scope of the present invention, and the scope of its technical idea is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of their equivalents should be construed as falling within the scope of the present invention.

100 mobile terminal,
200 authentication server,
300 web site,
400 user PC.

Claims (14)

Claims 1 to 5: (deleted)

6. A user authentication method including a registration step and an authentication step,
wherein the registration step comprises:
a web site, newly requested to be registered from a user PC connected to the web site, requesting a new registration from an authentication server while transmitting a user ID and a site ID of the web site;
the authentication server encrypting the user ID and the site ID with a common key, converting data including the encrypted user ID and site ID into a specific image, and transmitting the converted image to the web site;
the web site outputting the specific image on the screen of the user PC;
the user's mobile terminal capturing and reading the specific image using an authentication app, decrypting the read information with the common key to extract the user ID and the site ID, obtaining the device ID of the mobile terminal, generating a terminal symmetric key, encrypting registration data including the user ID, the site ID, the device ID and the terminal symmetric key with the common key, and transmitting the encrypted registration data to the authentication server;
the authentication server decrypting the registration data received from the mobile terminal, storing the decrypted data in association with one another, generating a security token seed using at least a part of the stored data, storing the generated seed linked to the device ID, and transmitting it to the mobile terminal;
the mobile terminal storing the security token seed; and
the authentication server notifying the web site of completion of registration,
and wherein the authentication step comprises:
transmitting the user ID and the site ID to the authentication server when user authentication is required;
the authentication server finding the device ID registered in association with the user ID, encrypting the user ID and the site ID with the terminal symmetric key associated with that device ID, and pushing the encrypted data to the mobile terminal;
the mobile terminal, having received the pushed data from the authentication server, decrypting the data with the terminal symmetric key and displaying an authentication confirmation screen including at least a part of the decrypted data;
the mobile terminal, having received the authentication confirmation from the user, generating a security token using the stored security token seed, encrypting the security token with the terminal symmetric key, and transmitting the encrypted security token to the authentication server; and
the authentication server decrypting the security token received from the mobile terminal with the terminal symmetric key corresponding to that mobile terminal, verifying the security token, and transmitting the result to the web site.

7. The method according to claim 6, wherein the security token seed is generated using a time and the device ID.

8. The method according to claim 6, wherein verifying the security token comprises comparing a security token generated using the security token seed with the security token received from the mobile terminal.

9. The method according to claim 6, wherein, in the registration step, upon receiving a new registration request including the user ID and the site ID from the web site, the authentication server checks whether the user ID and the site ID are already registered and, if they are not, encrypts the user ID and the site ID with the common key, generates the specific image from them, and transmits it to the web site.

10. The method according to claim 6, wherein the specific image is a QR code image.

11. The method according to claim 6, wherein the device ID of the mobile terminal is the SUID (a 16-byte unique identifier of the SoC).

12. The method according to claim 6, wherein the registration step further comprises setting a password in the authentication app, and wherein, in the authentication step, the authentication confirmation screen is displayed, a password is received when the confirmation is received from the user, and the method proceeds to the subsequent step only when the received password matches the set password.

13. The method according to claim 6, wherein the terminal symmetric key is generated based on at least the device ID and a time.

14. The method according to any one of claims 6 to 13, wherein the mobile terminal runs a general operating system and a secure operating system independently of each other, and the encryption and decryption processing is performed in the secure operating system.

KR1020150099616A 2015-07-14 2015-07-14 Method for two channel authentication using smart phone KR101659847B1 (en)

Publications (1)

Publication Number Publication Date
KR101659847B1 true KR101659847B1 (en) 2016-09-26

Family

ID=57068313

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190731

Year of fee payment: 4