KR101700833B1 - Card User Authentication System and Authentication Server and Portable Device for the same - Google Patents

Abstract

The present invention relates to a card user authentication system capable of fundamentally preventing an improper user from using a card by using user authentication information for identification by alternatively storing the user authentication information generated based on user identification information inputted by a user, card manufacturer information, time information, etc. in a second sector (S3) and a third sector (S4) which are card storage spaces, in an initial subscription process and each identification process, and an authentication server to authenticate validity of a card user, and further improving security of card user authentication by preventing reuse by newly changing user authentication data every time.

Description

[0001] The present invention relates to a card user authentication system and an authentication server for the card user authentication system,

The present invention relates to a card user authentication system, more specifically, a card user authentication system including a user authentication server for authenticating a legitimate user of a real card such as a traffic card, a user portable terminal for recording authentication information, .

Recently, a variety of cards such as credit cards and transportation cards have been used to provide various services such as financial services, transportation services, and e-commerce services.

These cards store card information related to the corresponding service, and services are provided using a card terminal that reads the card information and intermediates information with related service systems (servers, etc.).

For example, when the card is a credit card, various card information such as a credit card number, an expiration date, an issuer (card company) information such as credit card information is stored in the credit card, After reading the card information, credit card authorization and settlement services are performed across the VAN system and the payment system.

In the conventional card transaction technology, the card terminal decrypts and recognizes the card information encrypted and stored in the card when the card is issued, and transmits the card information to the approval server or the payment server. Therefore, Information can be recognized.

In some card services, a unique card terminal is used for each card issuer. In such a case, it is not a big problem that the card terminal recognizes the information of the card. However, since the card terminal management / It is common.

In this manner, in a situation where one card terminal is simultaneously used for providing card services of various issuers and the card terminal management / operating company is different from the card issuing company, it is not preferable that the card terminal recognize card information of all the cards.

More specifically, in Korean Patent No. 270615, an antenna for transmitting and receiving a radio frequency signal for accessing information stored in a memory area of a card, and a reader for detecting the read information of the card by demodulating the radio frequency signal received through the antenna, A plurality of wireless security modules (SAM) for extracting a code number system and its identification number from the card reading information demodulated by the wireless core module to verify the card and generate additional information, A serial or parallel interface between the module and the plurality of wireless security modules is performed to transmit the card read information detected by the wireless core module to a plurality of wireless security modules according to a predetermined information transmission method, And transmits the generated information to the wireless core module, And a wireless multi-access control means for controlling a card memory access operation in the card.

Korean Patent No. 338189 owned by the present applicant discloses that a card terminal includes a plurality of security access modules for a plurality of card issuers and when payment of a card usage fee is requested from a card, A technique is known in which the card information is read out through the connection module and then the payment for the card usage is performed.

As described above, in these conventional systems, since the card terminal reads the card information from the card and transmits the card information to the corresponding service server or the main system, there is a risk of card information leakage according to the card terminal, Can be a big problem in an environment that handles many kinds of cards.

Meanwhile, a number of credit card payment methods called a XXX page using a wireless communication terminal such as a smart phone have recently been proposed.

In such a payment method, information of a credit card owned by a user is registered using a client program installed in a wireless communication terminal to generate a virtual credit card, and when the card is used, credit card information registered in the wireless communication terminal Lt; / RTI >

Although such a credit card payment method is convenient in that it uses a personal wireless communication terminal such as a mobile phone instead of a real credit card, since the credit card information (card number, password, expiration date, etc.) is stored in the wireless communication terminal, There is still the possibility of leakage of personal information.

In addition, since the card information is still transmitted through the card terminal, the risk of card information leakage according to the card terminal still exists.

In addition, since the present credit card or the like illegally acquires the real card itself, the acquirer can illegally settle the card using the credit card, so there is no way to prevent illegal use of the card when the card is lost.

In addition, as a means to use a number of personal authentication services such as financial, securities, lost password, e-commerce, and new sign-up, a personal authentication service using many kinds of media such as official certificates, security cards, OTP, SMS and ARS However, it is troublesome for the user to directly call or input the number through various steps such as carrying additional media besides the credit card, or storing the information on the server by the user.

In addition, there is a disadvantage in that the cost of the expense user due to the re-issuance time due to loss of the medium and the cost of re-purchasing may increase, and the possibility of virus penetration due to the installation of the active X can not be excluded.

The present invention addresses this problem by registering and storing user authentication information required for proper user authentication in a real card such as a credit card and performing a legitimate user authentication using the credit card when using the credit card, .

In view of the above, it is an object of the present invention to provide a system for securely authenticating a legitimate user of a card.

Another object of the present invention is to provide a method and apparatus for registering / storing user authentication information generated using a personal identification information input by a legitimate user in a storage space of a physical card, and performing legitimate user authentication using the user authentication information when using the card, And a card user authentication system for preventing the card from being used by an unauthorized user.

Another object of the present invention is to provide a method and system for encrypting user authentication information generated by a user authentication server using a user's personal identification information in a user registration process (first subscription process) and a user authentication process (card use process) (S3 area) and the third sector (S4 area), and by authenticating a legitimate user using the latest user authentication information stored in the card each time the user is authenticated, only a legitimate user can use the card An authentication server and a personal portable terminal.

In order to achieve the above object, an embodiment of the present invention is a method for authenticating a user, comprising: a second sector (S3) and a third sector (S4) storing i-th user authentication information And transmits an i-th user authentication information request signal including the user identification information input by the user to the authentication server in the initial joining process or in the authentication process of the user, and transmits the i-th user authentication information transmitted from the authentication server And a third sector (S4) of the card. The mobile terminal of claim 1, further comprising: a wireless terminal for receiving the i-th user authentication information request signal and storing the i-th user authentication information request signal in the second sector (S3) And an authentication server for generating the i-th user authentication information based on the user identification information and the request time (tr, ta) of the i-th user authentication information request signal and transmitting the i-th user authentication information to the mobile terminal .

In another embodiment of the present invention, the user identification information transmitted by the user according to the first user authentication information request signal (User Authen. 1 Req.) Transmitted from the wireless terminal interfaced with the card during the initial registration process, A first user authentication information generating unit for generating first user authentication information based on the time tr and storing the first user authentication information in the second sector S3 of the card by transmitting the first user authentication information to the portable terminal, Based on the user identification information transmitted by the user and the authentication request time ta in accordance with the (i + 1) th user authentication information request signal (User Authen i + 1 Req.) Transmitted from the portable terminal connected to the card in the process (I + 1) th user authentication information, and transmits the generated i + 1 user authentication information to the portable terminal and alternately updates and stores the third i-th user authentication information in the third sector S4 and the second sector S3 of the card. The.

According to another embodiment of the present invention, there is provided a portable terminal for interfacing with a card and an authentication server and mediating an initial membership process and an authentication process between an authentication server and a card, Receives the input user identification information, generates an i-th user authentication information request signal including the user identification information, and transmits the i-th user authentication information request signal to the authentication server, receives the i-th user authentication information transmitted from the authentication server, 2 sector (S3) and the third sector (S4).

According to an embodiment of the present invention to be described below, an authentication server capable of authenticating a card user, and an authentication server for authenticating the card user information, card manufacturer information, and time information, The user authentication information generated on the basis is stored in the storage space of the card and is used for the authentication of the user, whereby the use of the card by the unjust user can be prevented originally.

Furthermore, since the user authentication data generated in the authentication process of the card is alternately stored in two storage spaces of the card, not in the portable terminal, and the user authentication data is newly changed every time and is not reused, Can be further improved.

1 is an overall configuration diagram of a card user authentication system according to an embodiment of the present invention.
FIG. 2 is a detailed configuration of a personal portable terminal and a card owned by a user in the card user authentication system according to the embodiment of the present invention.
3 is a block diagram of internal functions of an authentication server among card user authentication systems according to an embodiment of the present invention.
4 is a block diagram of internal functions of the encryption / decryption server in the card user authentication system according to the embodiment of the present invention.
FIG. 5 illustrates a data flow during a user registration process during a card user authentication process according to an embodiment of the present invention.
FIG. 6 illustrates a flow of data in the process of user authentication and card use in the card user authentication process according to the embodiment of the present invention.

Hereinafter, some embodiments of the present invention will be described in detail with reference to exemplary drawings. In the drawings, like reference numerals are used to denote like elements throughout the drawings, even if they are shown on different drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

In describing the components of the present invention, terms such as first, second, A, B, (a), and (b) may be used. These terms are intended to distinguish the components from other components, and the terms do not limit the nature, order, order, or number of the components. When a component is described as being "connected", "coupled", or "connected" to another component, the component may be directly connected or connected to the other component, Quot; intervening "or that each component may be" connected, "" coupled, "or " connected" through other components.

1 is an overall configuration diagram of a card user authentication system according to an embodiment of the present invention.

The card user authentication system according to an embodiment of the present invention includes a card 100, a personal portable terminal 200 connected to the authentication server and the encryption / decryption server through communication, Generates user authentication information (User Authen.) And / or user use information using personal identification information and card information, responds to the portable terminal, and verifies user authentication information transmitted from the portable terminal when using the card And an authentication server 300 that performs authentication and authentication.

The portable terminal may further include an encryption / decryption server 400 connected to the portable terminal and generating and providing a security access key S3 and S4 key for enabling connection to a storage space of a card storing user authentication information.

In addition, it may further include a card issuer server 500 connected to the encryption / decryption server 400 through a dedicated communication network, and performing a card or transaction approval using the decrypted card information transmitted from the encryption / decryption server.

Hereinafter, each component constituting the card user authentication system according to the embodiment of the present invention will be described in detail.

The card 100 includes all kinds of cards capable of performing financial service, transportation service, etc. in contact or non-contact with a card terminal or a portable terminal such as a general credit card, a (postponed type)

The card 100 may include at least one chip, and may be an RF type card that is connected to the card terminal or the portable terminal through a short-range wireless communication in a non-contact manner to exchange data.

The short-range wireless communication for connecting the card 100 and the portable terminal is not limited to RF, infrared communication, PAN communication, and Bluetooth communication, but is preferably a communication method conforming to the NFC (Near Field Communication) protocol.

   The storage space (110 in FIG. 2) in the chip included in the card 100 or the card is divided into two or more sectors. In each sector, hierarchical card-related information according to the degree of security, User authentication information and user utilization information generated and provided by the authentication server can be stored.

More specifically, the storage space of the card may include a second sector (114 in FIG. 2) and a third sector (116 in FIG. 2), which may be represented by S4, (S3) may store the encrypted first user authentication information (User Authen. 1) provided from the authentication server in the process of registering the user authentication on the card (the user registration process or the first registration process), and the third sector S4) may store the second user authentication information (User Authen.2) generated by the authentication server during the actual use process of the card or the user authentication process.

In addition, the storage space of the card may further include a first sector (112 in FIG. 2) and a fourth sector (118 in FIG. 2) that may be represented by S12, ) Stores a security certificate code (Ccode) used for forgery check of the card, and the encrypted sector information used at the time of using the card may be stored in the fourth sector S12.

The security authentication code (Ccode) is data having a certain length (Byte) and can be expressed by the first authentication information, and is a value uniquely assigned to the card.

In addition to the security authentication code, card issuer information, which is information on an issuer of the card, may be further stored in the fourth sector S12, and the card issuer information may include U-ID of the card manufacturer Can be used.

The encrypted card information stored in the fourth sector S12 is information necessary for card transaction approval such as a card number, an expiration date, a password, etc. Since this card information is important security information, it is encrypted by a specific encryption algorithm And is stored in the fourth sector S12.

A chip serial number (CSN), which is unique identification information of a chip included in the card 100, may be separately stored in the storage space of the card, and the chip serial number may be data of 4 bytes in length have.

In recent years, when a portable electronic device such as a smart phone has a built-in card function, the card 100 should be understood as a concept including such portable electronic devices, and a chip serial number (CSN) , A user authentication information (User Authen.), A security authentication code (Ccode), and encrypted card information.

The personal portable terminal 200 is a communication terminal for connecting the card 100 to the authentication server 300 or the encryption / decryption server 400 and may be a personal wireless communication terminal such as a general mobile phone or a smart phone, It is not.

The portable terminal 200 includes a user authentication module for authenticating the card user according to the present invention, and the user authentication module can be installed in the portable terminal as an application software of a smart phone.

The portable terminal is not limited to such a personal wireless communication terminal but is a terminal that mediates a corresponding service by accessing a card and using information stored in the card. The terminal includes a general credit card terminal connected to a conventional VAN communication network, A traffic card terminal installed in the mobile communication terminal, or any other wireless card terminal or dongle terminal of other types.

The portable terminal 200 has a function of reading various data stored in the storage space of the card 100 and writing the necessary information in the storage space of the card irrespective of the form thereof .

The portable terminal 200 accesses the card 100 and extracts various kinds of information input from the card user through the authentication server 300 and the encryption / decryption server 400 in the course of the self-registration process, the card transaction service, And performs the function of transmitting.

In particular, the user authentication module of the portable terminal 200 generates a first user authentication information request signal including the user identification information and the card information that the card user inputs during the person registration process, and transmits the first user authentication information request signal to the authentication server, Receives and verifies the encrypted first user authentication information transmitted from the authentication server, and stores the encrypted first user authentication information in the second sector (S3) of the card.

In addition, the user authentication module of the portable terminal 200 generates a second user authentication information request signal including user identification information and first user authentication information generated / stored in the user registration process, and transmits the second user authentication information request signal to the authentication server And further verify the encrypted second user authentication information transmitted from the authentication server and store the encrypted second authentication information in the third sector S4 of the card.

In addition, the user authentication module of the portable terminal 200 may perform verification of user authentication information (User Authen.) Received from the authentication server during the card use process or the user authentication process.

The user authentication information (User Authen.) Used in the present invention includes user identification information input by a user, card identification information or manufacturer identification information, a UID, a registration request time (tr) in which a self- Or the authentication request time (ta) as an input value with a constant cryptographic hash algorithm (hash function).

등의 해쉬 함수에 의하여 생성되는 값일 수 있다.This user authentication information (User Authen.) Is, for example, user identification information 시간 time information +

And so on.

To this end, the user authentication module of the portable terminal 200 includes a second sector security access key (S3 key) that can access the second sector S3 and the third sector S4 of the card, (S4 key) from the encryption / decryption server and access the storage space (second sector and third sector) of the corresponding card using the security access key to extract or record data.

The user authentication module of the portable terminal 200 receives the first sector security key (SO Key) and the fourth sector security key (S12 Key) from the encryption / decryption server 400 And a function of connecting to the first sector S0 and the fourth sector S12 of the card storage space using the post-card.

That is, the first sector security access key to the fourth sector security access key (S0 Key, S3 Key, S4 Key, S12 Key) of the present invention can be transmitted to the mobile terminal 200 through the first sector S0, The second sector S3, the third sector S4, and the fourth sector S12.

More specifically, the user authentication module of the portable terminal 200 accesses the storage space of the card using the second sector security access key (S3 key) and the third sector security access key (S4 key) provided from the encryption / decryption server Thereby recording the first user authentication information (User Authen 1) and the second user authentication information (User Authen 2) provided from the authentication server 300 in the second sector S3 and the third sector S4 of the card .

The user authentication module of the portable terminal 200 may be configured to transmit the first sector S0 and the fourth sector S12 of the card by a first sector security key (SO Key) and a fourth sector security key (S12 Key) (Certificate Code) and the encrypted card information stored in the memory card.

As will be described later, the first sector security access key to the fourth sector security access key (S0 Key, S3 Key, S4 Key, S12 Key) are calculated by a specific secure access key generation algorithm according to the chip serial number (CSN) .

Accordingly, the security access key generation algorithm is stored in the card 100, so that the security access key generation algorithm can be generated in real time based on the chip serial number of the card 100. In addition, Keys (S0 Key, S3 Key, S4 Key, S12 Key) may be stored in a certain storage space.

In addition, when there is a connection from the card, the portable terminal 200 transmits a first sector secure connection key (SO Key) from the encryption server to the mobile terminal 200, Generates a sector security access key request signal (SO Key Req.), And transmits it to the encryption / decryption server.

The portable terminal 200 extracts the security authentication code Ccode stored in the first sector S0 of the card 100 using the first sector security access key (SO Key) received from the encryption / decryption server 400 (S3 Key Req.) To the encryption / decryption server 400, and receives a second sector secure connection key (S3 Key) in response to the second sector secure connection key request signal have.

The mobile terminal 200 verifies the first user authentication information (User Authen. 1) provided from the authentication server in the first registration process or the first registration process, and then transmits the second sector security access key S3 received from the encryption / Accesses the second sector S3 of the card and stores the verified first user authentication information (User Authen. 1) in an encrypted state in the second sector S3 of the card.

The first user authentication information (User Authen. 1) stored in the second sector S3 of the card is transmitted again to the authentication server 300 during the card use process or the user authentication process and is verified. The use of the card by an unauthorized user can be prevented.

The second user authentication information (User Authen. 2) is generated in the primary authentication process and stored in the third sector S4 of the card. In the subsequent secondary card use process or in the authentication process of the user, .

Similarly, in the second authentication process, the authentication is performed in the authentication server using the second user authentication information (User Authen.2), and in the second authentication process, the third user authentication information (User Authen. Is generated and transmitted to the mobile terminal and the card, and the third user authentication information (User Authen. 3) is stored again in the second sector S3 of the card and can be used in the subsequent third authentication process.

That is, the first user authentication information (User Authen. 1) generated in the authentication server in the initial user registration process or the subscription procedure and the i-th user authentication information (User Authen.i i> 1) Is alternately stored in the second sector S3 and the third sector S4 of the card and is used for user authentication in the i-th identity authentication process.

In this manner, the user authentication information newly generated every time using the user identification information and the authentication request time as variables are alternately stored in the second sector S3 and the third sector S4 of the card, Therefore, the security of the authentication can be improved by not changing the user authentication information dynamically and reusing it.

The overall identity registration process or the first subscription process, the card usage process, or the user identity process in the identity authentication process will be described in more detail with reference to FIG. 5 and below.

In this specification, for the sake of convenience, the process that the card owner performs for the first user registration is expressed as a person registration process or an initial signup process, and a subsequent authentication process for card use is expressed as a card use process or a personal authentication process .

In this specification, for convenience, the mobile terminal transmits a security access key request signal, i.e., a first sector security access key request signal (SO Key Req.), A second sector security access key request signal (S3 Key Req The first request, the second request, the third request, and the third sector secure connection key request signal (S4 Key Req.) And the fourth sector secure connection key request signal (S12 Key Req. Quot; and "fourth request ".

The first sector security association key request signal (SO Key Req.) May include the corresponding chip serial number (CSN) of the corresponding card, and the second sector security association key request signal (S3 Key Req. The first modulation acknowledgment information (ATC1) received from the encryption / decryption server in response to the first sector secure connection key request and the first request time t1 information in which the first request is made can do.

In addition, the third sector security access key request signal (S4 Key Req.) Includes second serial number (CSN) of the corresponding card and second modulation acknowledgment information ATC2 and the second request time t2 in which the second request is made. The fourth sector security connection request signal S12 Key Req. May include the chip serial number CSN of the corresponding card, The third modulation confirmation information (ATC3) received from the encryption / decryption server in response to the sector security access key request, and the third request time (t3) in which the third request is made.

The modulation confirmation information (ATC1 to ATC4) used in the present invention is information for confirming integrity or modulation of data transmitted and received in the first to fourth requests, (AC) and a transaction code (TC) generated by a computation algorithm using a chip serial number (CSN) of a card, ATC).

The modulation acknowledgment information (ATC) is generated by the encryption / decryption server 400. When the first request is received from the portable terminal, the modulation confirmation information ATC is uniquely derived according to the transmitted chip serial number CSN and the first request time t1 Second modulation confirmation information ATC2 uniquely derived according to the chip serial number CSN and the second request time t2 transmitted when the second request is received from the portable terminal, Third modulation acknowledgment information (ATC3) uniquely derived according to the transmitted chip serial number (CSN) and the third request time (t3) when there is a third request from the mobile terminal, And fourth modulation acknowledgment information ATC4 uniquely derived according to the chip serial number CSN and the fourth request time t4.

The modulation acknowledgment information calculation algorithm for generating the modulation acknowledgment information (ATC) based on the chip serial number (CSN) and the requested time (t) is not limited. However, the encryption decryption server The verification information calculation algorithm should be included and applied.

In addition, an authorization code (AC) and a transaction code (TC) constituting the modulation acknowledgment information (ATC) indicate whether the first request to the fourth request are approved, completed or failed And the transaction code TC may be information for identifying the first request to the fourth request.

However, such an AC code and a transaction code TC may not be distinguished from each other, and may be integrally expressed as string data of a predetermined length.

In addition, the portable terminal 200 reads the encrypted card information stored in the fourth sector of the card in response to the fourth request in the process of using the card, and then generates a card approval request signal including transaction information through the card To the encryption / decryption server (400).

In addition to the encrypted card information read out, the card approval request signal includes the fourth modulation acknowledgment information (ATC4) received from the encryption / decryption server as a response to the fourth request, the chip serial number (CNS) of the card and the fourth request time (t4) information may be further included.

The portable terminal 200 receives the card approval result from the decryption server as a response to the card approval request signal, and ends the card service (payment, etc.) only when a normal card approval result is received.

FIG. 2 is a detailed block diagram of a mobile terminal and a card in a card user authentication system according to an embodiment of the present invention.

The portable terminal 200 according to the present invention is an apparatus for mediating the initial registration process and the authentication process between the card and the authentication server in cooperation with the card and the authentication server. In the initial registration process and the authentication process, Receives the identification information, generates an i-th user authentication information request signal including the user identification information, and transmits the i-th user authentication information request signal to the authentication server, receives the i-th user authentication information transmitted from the authentication server, And stores them in the third sector S4 alternately.

Also, the mobile terminal receives a second connection security key (S3 Key) and a second connection security key (S4 Key) that can access the second sector (S3) and the third sector (S4) of the card from the encryption / decryption server And the like.

Referring to FIG. 2, the internal structure of the portable terminal according to the present embodiment will be described in further detail.

The portable terminal 200 according to the present invention may be a general credit card terminal or a traffic card terminal but may be a wireless communication terminal or a dongle terminal connected to the card 100 through a local communication method such as NFC .

That is, the portable terminal 200 may be implemented in the form of a user's smartphone or other wireless portable device. In this case, the portable terminal 200 includes a terminal operation SW unit 210 such as Android or iOS, NFC A communication module, and a user authentication module 220 for performing a user authentication function according to the present invention.

The portable terminal may further include a secure access key processing module 230 and a card use processing module 240 interlocked with the encryption / decryption server.

The user authentication module 220, which is a feature of the present invention, has a function of generating a first user authentication information request signal (User Authen 1 Req.) And transmitting the first user authentication information request signal to the authentication server in the card user registration process, A function of receiving first user authentication information (User Authen. 1) and first user use information and verifying the received first user authentication information (User Authen. 1), and a function of verifying the first user authentication information 1 in the second sector S3 of the card in an encrypted state.

At this time, the first user authentication information request signal (User Authen 1 Req.) Includes the user identification information input by the user, the card serial number (CSN), the card issuer information such as manufacturer's name, the card block number (Block No.) , Portable terminal identification information (portable terminal ID), and the like, but the present invention is not limited thereto.

In addition, the user authentication module 220 may generate a second user authentication information request signal (User Authen 2 Req.) And transmit the second user authentication information request signal to the authentication server during the first card use process or the user authentication process, A function of receiving user authentication information (User Authen. 2) and second user use information and verifying the received second user authentication information (User Authen. 2), and verifying the second user authentication information (User Authen. 2) in the third sector S4 of the card in an encrypted state.

At this time, the second user authentication information request signal (User Authen .2 Req.) May include the user identification information input by the user, the first user authentication information (User Auth. But is not limited thereto.

Also, the user authentication module 220 generates and generates an i + 1 user authentication information request signal (User Auth. I + 1 Req.) In the i-th (i? 2) card use process or the identity authentication process, I + 1 user authentication information (User Authen. I + 1) and i + 1 user access information transmitted from the authentication server, and transmits the received i + 1 user authentication information (User Authen. i + 1) of the card and the encrypted third i-1 user authentication information (User Authen. i + 1) And stores the updated information.

That is, the encrypted first user authentication information (User Authen. 1) provided from the authentication server in the first subscription process or the first person registration process is stored in the second sector S3 of the card, And the second user authentication information (User Authen. 2) received from the authentication server in the first authentication process is stored in the third sector S4 of the card. In the second authentication process, And the third user authentication information (User Authen. 3) received from the authentication server in the second authentication process is updated and stored in the second sector (S3) of the card. In the third authentication process, It is used as data.

In this manner, new user authentication information (User Authen.) Is received from the authentication server in the self registration process (the first registration process) and the subsequent multiple authentication processes, and the second user authentication information is stored in the second sector S3, And the third sector (S4). The most recently stored user authentication information is used as authentication data in the next authentication process, thereby preventing the reuse of user authentication information and improving the security of the authentication system .

On the other hand, the user identification information that the user inputs to the portable terminal for authenticating the user may be information such as a password or date of birth specified by the user, and may be, for example, 6 to 8 digits of numeric information.

In the first registration process or the first registration process, the user authentication module 220 of the portable terminal is executed to allow the user to input user identification information (password, date of birth, etc.), and when the user identification information is input, Or tag, the user authentication module 220 of the portable terminal reads the manufacturer's UID of the manufacturer area (fourth sector, etc.) stored in the card.

In this state, the user authentication module of the portable terminal generates a first user authentication information request signal (User Authen 1 Req.) Including the user identification information input by the user and the manufacturer's UID information read from the card, and transmits it to the authentication server .

Then, the authentication server transmits the registration request time (User Authen 1 Req.) To which the user identification information included in the first user authentication information request signal (User Authen 1 Req.), Manufacturer's UID information, and the first user authentication information request signal (User Authen. 1) by a predetermined user authentication information creation algorithm on the basis of authentication information (tr) information (e.g., n-digit numeric data such as YYMMDDHHSS).

등과 같은 암호화 해쉬 알고리즘일 수 있으나 그에 한정되는 것은 아니다.At this time, the user authentication information generation algorithm is, for example, user identification information 시간 time information +

Or the like, but the present invention is not limited thereto.

The encrypted first user authentication information (User Authen. 1) generated in the authentication server is transmitted to the portable terminal, and the user authentication module of the portable terminal uses the same user authentication information generation algorithm as applied to the authentication server, 1 user authentication information, accesses the second sector S3 of the card using the second sector security access key (S3 Key) provided from the encryption / decryption server in advance, and transmits the encrypted first user authentication information User Authen. 1).

At this time, the portable terminal can store manufacturer's UID information read from the card, thereby completing the registration process or the first registration process.

In the subsequent authentication process or card use process, the user authentication module of the portable terminal is similarly executed, the user inputs the user identification information input at the time of first subscription, and the second sector (S3) of the card is accessed and stored The first user authentication information (User Authen. 1) is read.

The user authentication module of the portable terminal is configured to receive the user identification information, the manufacturer's UID information read from the card, the registration request time (tr) information that transmitted the first user authentication information request signal, the second sector (S3) Generates a second user authentication information request signal (User Authen 2 Req.) Including the first user authentication information (User Authen. 1) read from the authentication server 1 and transmits it to the authentication server.

Then, the authentication server verifies the transmitted first user authentication information (User Authen. 1) included in the second user authentication information request signal (User Authen 2 Req.).

That is, the authentication server receives the user identification information transmitted from the card, the manufacturer's UID information read from the card, the registration request transmitted from the user authentication information request signal (User Authen 2 Req.), (Tr) information as an input value and a value calculated from the first user authentication information (User Authen. 1) transmitted in the second user authentication information request signal (User Authen 2 Req.), It is determined that the first user authentication information (User Authen. 1) has been verified.

Only when the first user authentication information (User Authen. 1) is verified as described above, the authentication server transmits the user authentication information included in the second user authentication information request signal (User Authen 2 Req.), On the basis of the transmitted authentication request time ta information (e.g., n-digit numeric data such as YYMMDDHHSS) to which the second user authentication information request signal (User Authen 2 Req.) Has been transmitted, And generates second user authentication information (User Authen. 2).

The encrypted second user authentication information (User Authen. 2) generated in the authentication server is transmitted to the portable terminal, and the user authentication module of the portable terminal uses the same user authentication information generation algorithm as applied to the authentication server, 2 user authentication information, accesses the third sector S4 of the card by using a third sector security access key (S4 Key) previously provided from the encryption / decryption server, and transmits the encrypted second user authentication information User Authen. 2).

At this time, the second user authentication information (User Authen. 2) stored in the third sector S4 of the card is used as the authentication data in the following second authentication process.

Similarly, in the second authentication process, the third user authentication information (Use Authen. 3) is stored in the second sector S3 of the card and is used in the third authentication process. In the third authentication process, 4 user authentication information (Use Authen. 4) is stored in the third sector S4 of the card and used in the fourth authentication process.

In this manner, new user authentication data is generated and stored in the second sector S3 and the third sector S4 of the card each time in the user registration process and the plurality of user authentication processes, , The user authentication information is not reused, and thus the security of the authentication system of the user can be further improved.

On the other hand, in addition to the user authentication information generated by the above-described user authentication information generation algorithm, user use information may further be used.

That is, in the self-registration process or the first-time subscription process, the authentication server stores, in addition to the user authentication information, a card use date, a card use presence / absence flag (Flag), a mobile terminal ID, The mobile terminal can further generate the first user use information including at least one of the version information of the module and transmit it to the mobile terminal.

The first user use information transmitted in this way can be stored in the second sector S3 of the card together with the first user authentication information (User Authen. 1) May be generated and stored alternately in the third sector S4 and the second sector S3 of the card together with the i-th user authentication information (User Authen. I).

By using such user utilization information, it is possible to prevent non-repudiation and misuse of data.

For example, in the authentication process of each user, the authentication server uses the user's name including the card use date, the card use flag (Flag), the portable terminal ID, the total cumulative number of times of use of the card, The user authentication module of the portable terminal can prevent the discard of the data transmitted between the portable terminal and the authentication server by verifying whether the user-use information is legitimate.

The verification of whether the user use information is legitimate can be made, for example, as to whether or not the card use date contained in the user use information is the same as the actual last used card use date, whether or not the cumulative total use number of the cards sequentially increases, Or whether the software version information of the user authentication module matches the actual version.

The first and second user authentication information (User Authen.1, 2) generated by the authentication server for card user authentication, the generation method and the data structure of the first and second user access information, and the like are described below with reference to the authentication server The process will be described in more detail.

Meanwhile, the secure connection key processing module 230 included in the portable terminal 200 can access the second sector S3 and the third sector S4 of the card to store the user authentication information provided from the authentication server The second sector security access key (S3 key), and the third sector security access key (S4 key) from the encryption / decryption server.

Also, the secure access key processing module 230 uses the first sector security access key (S0 Key) and the fourth sector security access key (S12 Key), which are provided from the encryption / decryption server, And encrypts security authentication information (Ccode) or encrypted card information stored in the fourth sector.

In addition, the secure access key processing module 230 may include first to fourth sector security access keys (S0 Key, S3 Key, S4 Key, S12 Key) for requesting the first sector security access key to the fourth sector security access key Generates a request, transmits it to the encryption / decryption server, and performs a function of receiving a response.

The card usage processing module 240 included in the portable terminal 200 performs a function of performing card approval using the encrypted card information derived from the fourth sector S12 of the card.

The user authentication module 220, the secure connection key processing module 230, and the card usage processing module 240 may be implemented in a form of a smartphone application developed by a card issuer, an encryption / decryption server operating entity, And the user may download the corresponding app from an app store or the like and install the app in a smart phone functioning as a mobile terminal.

Although the user authentication module 220 included in the portable terminal, the secure connection key processing module 230, and the card use processing module 240 have been described as being functionally separated, a single or at least one may be integrated There will be.

3 is a block diagram of internal functions of an authentication server among card user authentication systems according to an embodiment of the present invention.

The authentication server 300 according to the present invention may include a user authentication information generation module 310, a user utilization information generation module 320, and a user authentication information verification module 330, And, if necessary, one or more modules may be integrated and configured.

The user authentication information generation module 310 receives the first user authentication information generation request (User Auth. 1 Req.) Transmitted from the mobile terminal 200 during the user registration process, and then transmits the user identification information included in the request , Card identification information such as manufacturer's UID information, a registration request time (tr), and the like, to generate first user authentication information (User Authen.

The first user authentication information (User Authen. 1) is information generated by a certain user authentication information generation algorithm with input values of user identification information or the like inputted by a legitimate card user through the portable terminal in the user registration process, Based on the registration request time (tr) information (e.g., n-digit number data such as YYMMDDHHSS) in which the user identification information, manufacturer's UDI information, and the first user authentication information request signal (User Authen 1 Req.) Are transmitted, And may be information generated by a predetermined user authentication information generation algorithm.

등과 같은 암호화 해쉬 알고리즘일 수 있으나 그에 한정되는 것은 아니다.At this time, the user authentication information generation algorithm is, for example, user identification information 시간 time information +

Or the like, but the present invention is not limited thereto.

 More specifically, the user authentication information generation module 310 generates user authentication information including the user identification information included in the first user authentication information generation request (User Authen. 1 Req.) Transmitted from the mobile terminal 200, At least one of the card information including the number CSN, the card issuer information, the card block number (Block No), the portable terminal information such as the portable terminal ID, and the registration request time (tr) 1, generates the first user authentication information (User Authen. 1), encrypts the generated first user authentication information (User Authen. 1), and transmits the encrypted first user authentication information (User Authen. 1) to the mobile terminal 200.

The first user authentication information (User Authen. 1) transmitted in this manner is verified by the portable terminal and then stored in the second sector S3 of the card, thereby ending the user registration process of the card.

The first user authentication information (User Authen. 1) stored in the second sector S3 of the card is transmitted to the authentication server in the first card authentication process or the first authentication process, and is verified, It becomes usable.

In addition, the user authentication information generation module 310 receives the second user authentication information generation request (User Authen .2 Req.) Transmitted from the mobile terminal 200 during the first card use process or during the first user authentication process, (First authentication request time ta1) information (e.g., an n-digit number such as YYMMDDHHSS or the like) transmitted from the user identification information included in the request, manufacturer's UDI information, and a second user authentication information request signal (User Authen 2 Req. 2) according to a predetermined user authentication information generation algorithm, encrypts the generated second user authentication information (User Authen. 2), and transmits the generated second user authentication information (User Authen. 2) to the portable terminal 200 ).

The second user authentication information (User Authen. 2) thus transmitted is stored in the third sector S4 of the card after being verified by the portable terminal, and then used as the user authentication data in the second authentication process.

The user-use-information generating module 320 identifies the card using the information included in the request for generating the user authentication information, and generates user-use information, which is information on the usage history of the card.

The user use information may include at least one of a card use date, a card use presence / absence flag (Flag), a mobile terminal ID, a total cumulative use count of cards, and version information of a user authentication module installed in the card. Encrypts the user-use information, and transmits the encrypted information to the portable terminal.

The user authentication information verification module 330 performs verification of the first user authentication information (User Authen. 1) transmitted in the second user authentication information request signal (User Authen 2 Req.).

Specifically, the user authentication information verification module 330 determines whether the user authentication information included in the second user authentication information generation request (User Authen .2 Req.) Transmitted in the first authentication process and the user identification information transmitted from the manufacturer And a registration request time (tr) information in which the first user authentication information request signal is transmitted, as input values, and a value calculated by the second user authentication information request signal (User Authen 2 Req.) The first user authentication information (User Authen. 1) may be verified only when the first user authentication information (User Authen.

Likewise, the user authentication information verification module 330 determines whether the i-th user authentication information (User Authen i + 1 Req.) Included in the i-th user authentication information request signal (User Authen i + 1 Req.) Transmitted in the i- i), and generate the (i + 1) -th user authentication information (User Authen i + 1) by driving the user authentication information generation module 310 only when it is verified.

As described above, the authentication server 300 according to the present invention transmits a first user authentication information request signal (User Authen. 1 Req.) Transmitted from a mobile terminal interfaced with a card in the first subscription process A self-registration function for generating first user authentication information based on the user identification information and the registration request time (tr), transmitting the first user authentication information to the mobile terminal, and storing the first user authentication information in the second sector (S3) The user identification information transmitted by the user in accordance with the (i + 1) th user authentication information request signal (User Authen i + 1 Req.) Transmitted from the wireless terminal interfaced with the card in the i- (i + 1) th user authentication information on the basis of the first authentication information (ta) and transmits the generated i + 1 user authentication information to the portable terminal so that the third and fourth sectors (S4 and S3) of the card are alternately updated and stored.

Also, the authentication server 300 transmits the i + 1 user authentication information request signal (User Authen i + 1 Req.) Transmitted from the wireless terminal interfaced with the card during the i-th user authentication process, And a verification function for verifying the authentication information (User Authen i), and generates the (i + 1) th user authentication information only when the i-th user authentication information (User Authen i) is verified.

Based on the above description, functions of the respective components of the card user authentication system according to the present invention will be summarized as follows.

1, the card user authentication system according to the present invention mainly includes a second sector S3 and a third sector S4 for storing i-th user authentication information (i? 1) used for user authentication of a card An i < th > user authentication information request signal including the user identification information input by the user, and transmits the i < th > user authentication information request signal to the authentication server, A portable terminal (200) for alternately storing user authentication information in a second sector (S3) and a third sector (S4) of the card; and an authentication server Generates an i-th user authentication information based on the user identification information included in the signal and the request time (tr, ta) of the i-th user authentication information request signal, and transmits the i-th user authentication information to the mobile terminal do.

Also, the portable terminal generates a second connection security key (S3 Key) and a second connection security key (S4 Key) which can access the second sector (S3) and the third sector (S4) of the card, And may further include an encryption / decryption server 400 provided to the terminal.

On the other hand, the authentication server 300 receives the i-th user authentication information request signal and transmits the i-th user authentication information request signal including the card use date, the card use flag (Flag), the mobile terminal ID, And version information of the i-th user, and transmits the generated i-th user use information to the mobile terminal.

As described above, by using the card user authentication system according to the present invention, the user authentication information generated and provided by the authentication server is stored in the second sector (S3) and the third sector (S4) of the card alternately And is used as the authentication data in the next authentication process, whereby the user authentication of the card can be performed.

In particular, since the user authentication data is stored alternately in two storage spaces of the card instead of the portable terminal, and the user authentication data is not changed every time and reused, the security of the card user authentication can be further improved.

 4 is a block diagram of internal functions of the encryption / decryption server in the card user authentication system according to the embodiment of the present invention.

The encryption / decryption server according to the present invention can access the second sector S3 and the third sector S4 of the card to store the user authentication information (User Authen.) Received from the authentication server by the portable terminal 200 And generates and provides a second connection security key (S3 Key) and a second connection security key (S4 Key).

The encryption / decryption server includes a security authentication code (Ccode) for authentication of the card and a first security access key (S0 Key) for reading the encrypted card information from the first sector S0 and the fourth sector S12 of the card. ) And a fourth security access key (S12 Key), and a function of generating and verifying the modulation acknowledgment information (ATC) for preventing data tampering during data transmission / reception with the portable terminal.

4, the encryption / decryption server generates a first sector security access key to a fourth sector security access key in response to a request from the mobile terminal 200 to which the encryption / decryption server is connected, responds to the mobile terminal, (ATC) and transmits the generated ATC to the portable terminal, verifies the ATC transmitted from the portable terminal, and verifies the security authentication code (Ccode) transmitted from the portable terminal. , Verifies the fourth modulation confirmation information (ATC4) transmitted from the portable terminal 200, decrypts the encrypted card information transmitted from the portable terminal only when it is verified, extracts the decrypted card information, The encryption server 410 and the decryption server 420 may be separated from each other by the encryption server 410 and the decryption server 420, 420 may be integrated into the encryption / decryption server 400, which is a single server.

The encryption server 410 according to the present invention generates first to fourth sector security access keys (S0 Key, S3 Key, S4 Key, and S12 Key) according to a request from the mobile terminal 200 connected to the communication, Generates modulation acknowledgment information (ATC) for data modulation verification and transmits it to the portable terminal, verifies the first to third modulation confirmation information (ATC1, ATC2, ATC3) transmitted from the portable terminal, And performs a function of verifying the security authentication code (Ccode).

Referring to FIG. 4, the detailed configuration of the encryption server of the present invention will be described below.

The encryption server 410 according to the present invention further includes a server module unit internally functioning as a general server, an encrypted security connection (not shown) for performing security access key generation, ATC management, Module (Encryption Secure Access Module).

Of course, such internal division is not necessarily required, and may be integrated into one server or system in a physical or software manner. In particular, the cryptographic secure connection module (ESAM) may be implemented as one software module.

The ESAM includes the security access key management unit 412, the modulation confirmation information generation unit 414, the modulation confirmation information verification unit 416 and the security authentication code (Ccode) verification unit 418 Lt; / RTI >

S3 key, S3 key, S4 key, S12 key) according to the first request to the fourth request, which are sequentially transmitted from the portable terminal 200 connected to the communication, And responds to it.

The method of generating the first to fourth sector security access keys (S0 Key, S3 Key, S4 Key, S12 Key) by the security access key management unit 412 is disclosed in Korean Patent No. 338189 Can be adopted. That is, the first to fourth sector security access keys (S0 Key, S3 Key, S4 Key, and S12 Key) may be generated by a specific algorithm using the chip serial number (CSN) of the transmitted card as an input value.

For example, if the chip serial number (CSN) is 12345678 and the secure access key generation algorithm is (SNx3) +126 / 250, then the security access key value is Quot; 3703716 ". Here, the example of the security access key generation algorithm is described by a simple numerical operation structure. However, when various symbols and characters are applied and a complicated operation scheme is applied, the security of the card security access key value can be further strengthened.

The security association key generation algorithm may be stored in the card 100 in addition to the encryption server 410.

Accordingly, when the portable terminal receives the first sector security access key (S0 Key) in response to the first request and then attempts to access the first sector of the card using the first sector secure access key (S0 Key), the card responds to its first sector The first sector security access key (S0 Key) is generated in real time and compared with the first sector security access key (S0 Key) stored in advance or can be compared with the previously stored first sector secure access key (S0 Key).

Also, the security access key generation algorithm for generating the first to fourth sector security access keys (S0 Key, S3 Key, S4 Key, and S12 Key) may be configured with different algorithms.

That is, in order to allow the first to fourth sector security connection keys (S0 Key, S3 Key, S4 Key, and S12 Key) calculated from the same chip serial number (CSN) to have different values from each other, Key generation algorithm to the fourth sector security association key generation algorithm must be different from each other.

The modulation confirmation information generating unit 414 generates a modulation acknowledgment information by first modulating the chip serial number CSN of the card included in the first request to the fourth request and the first request time t1 to the fourth request time t4, (ATC1) to the fourth modulation acknowledgment information (ATC4) and transmits the generated information to the portable terminal 200. [

The modulation confirmation information verifying unit 416 verifies whether modulation of the first modulation confirmation information (ATC1) to the third modulation confirmation information (ATC3) transmitted in the second request to the fourth request from the portable terminal (200) Function.

The verification method of the modulation confirmation information verification unit 416 can be implemented in various ways. As an example of the verification method, the chip serial number (CSN) and the first request time t1, which are included in the second request, The first modulation confirmation information ATC1 included in the second request is directly compared with the value derived from the modulation confirmation information calculation algorithm to determine that the first modulation confirmation information ATC1 has been verified .

Similarly, the modulation confirmation information verifying unit 416 verifies the chip serial number (CSN) and the second request time t2 or the third request time t3, which are respectively included in the third request or the fourth request, The value derived from the modulation confirmation information calculation algorithm is compared with the second modulation confirmation information (ATC2) or the third modulation confirmation information (ATC3) directly included in the third request or the fourth request and the third modulation confirmation information (ATC3) It can be determined that the modulation confirmation information (ATC2) or the third modulation confirmation information (ATC3) has been verified

It is needless to say that the present invention is not limited to such a method. It is needless to say that the first modulation confirmation information (ATC1) to the third modulation confirmation information (ATC3) generated by the encryption server in the operation according to the first request to the third request, (ATC1) to the third modulation confirmation information (ATC3) transmitted from the portable terminal in the second request to the fourth request, and then stores the first modulation confirmation information It is also possible to do this.

The security authentication code (Ccode) verification unit 418 verifies the security certificate code (Ccode) included in the second request.

The encryption server 410 may further include a storage unit 419. The storage unit 419 stores a chip serial number (CSN) of a card issued by a plurality of card issuers and a unique serial number The authentication code (Ccode) can be matched and stored. The storage unit 419 of the encryption server 410 accesses the chip serial number CSN of the card issued from the card issuer and the first sector S0 to the fourth sector S12 of the corresponding card (S0 Key, S3 Key, S4 Key, S12 Key) that can be stored in the first sector can be matched and stored.

Accordingly, the security authentication code verifying unit 418 verifies the security authentication information (Ccode) included in the second request from the portable terminal and the chip serial number (CSN) transmitted in the second request, It is possible to compare the values of the security authentication information read out by the security authentication information reading unit 419 and judge that they are verified if they are the same.

The decryption server 420 according to the present invention verifies the fourth modulation confirmation information (ATC4) transmitted from the portable terminal 200 connected to the communication, decrypts the encrypted card information transmitted from the portable terminal only when it is verified Extracts the decrypted card information, and performs a function of performing approval of the card from the card server.

Further, the decryption server, as an additional function, compares the modulation confirmation information generation time or the fourth request time t4 derived from the fourth modulation confirmation information (ATC4) with the current time, and only when the difference is within a certain range It is possible to additionally have a timer function for limiting the card information to be decoded.

The decryption server 420 according to the present invention may further include a settlement server unit internally functioning as a general settlement agent system or a VAN server, a verification unit 430 for verifying the fourth modulation confirmation information (ATC) according to the present invention, And a decryption secure access module (DSAM) that performs a function of decrypting information.

Of course, such internal division is not necessarily required and may be integrated into one server or system in physical or software form. In particular, the decryption security access module (DSAM) is a software module, It can be implemented inside the server.

4, the decryption security access module (DSAM) of the decryption server 420 according to the present invention further includes a modulation confirmation information verification unit 422, a card information decryption unit 424, (426).

The modulation confirmation information verifying unit 422 verifies the fourth modulation confirmation information (ATC4) included in the card approval request transmitted from the portable terminal connected to the communication.

The verification method of the modulation confirmation information verification unit 422 can be implemented in various ways. As an example of the verification method, a method of comparing the value calculated using the modulation confirmation information calculation algorithm with the value received from the mobile terminal is used .

As described above, the portable terminal 200 reads the encrypted card information from the card using the fourth sector security connection key (S12 Key) received from the encryption server 410, And transmits the card approval request signal including information to the decryption server.

 At this time, the card authentication request signal includes again the fourth modulation acknowledgment information (ATC4) received together with the fourth sector security access key (S12 Key) from the encryption server, and transmits the fourth modulation acknowledgment information (ATC4) The chip serial number CSN of the card and the fourth request time t4 may be included together and transmitted.

In this case, the modulation confirmation information verifying unit 422 of the decryption server 420 verifies the chip serial number (CSN) and the fourth request time (t4) information included in the received card approval request signal, It is possible to determine that the second modulation confirmation information (ATC2) is verified only when the value derived from the calculation algorithm is compared with the fourth modulation confirmation information (ATC4) directly received and included in the card approval request signal.

For this, the decryption server 420 must include the same modulation algorithm (ATC) algorithm as the encryption server 410 and apply it.

Of course, the present invention is not limited to such a scheme. The encryption server transmits the fourth modulation confirmation information (ATC4) generated by the operation according to the fourth request to the decryption server 420, A method of comparing the fourth modulation confirmation information (ATC4) transmitted from the portable terminal may be possible.

The card information decryption unit 424 decrypts the encrypted card information included in the card approval request and extracts the decrypted card information only when the fourth modulation confirmation information (ATC4) is verified.

For this purpose, the card information decryption unit 422 of the decryption server must be able to store and apply a decryption algorithm corresponding to the encryption algorithm used by the card issuer in encrypting the card information when issuing the card to a specific card.

The card information decryption unit 424 transmits the decrypted card information (card number, valid period, password, etc.) and transaction information to the card issuer server 500 to request card approval, and after receiving the response signal, And transferring the card approval result to the portable terminal 200 again.

At this time, an approval number and transaction information may be included in the card approval response signal transmitted from the card issuer server 500 to the decryption server 420, and the card approval result transmitted from the decryption server 420 to the portable terminal 200 Authorization number and transaction number information.

On the other hand, if the decryption server 420 has elapsed a predetermined time or longer from when the portable terminal 200 has read the encrypted card information from the card through the encryption server 410, It is possible to further have a time management function that does not allow the card approval even if the card information is valid.

This is because the unauthorized mobile terminal reads the encrypted card information from the card to transmit an abnormal acknowledgment request, or when the transmission time of the acknowledgment request signal becomes abnormally large due to a problem such as a communication network, .

To this end, the time setting management unit 426 of the decryption server 420 generates a fourth modulation confirmation information generation time or a fourth request time, which is derived from the received fourth modulation confirmation information (ATC2) (t4) and the current time point, and performs a function of decrypting the card information only when the difference is within a certain range.

Therefore, when the time difference between the confirmed fourth modulation confirmation information generation time or the fourth request time t4 and the current time point at which the card approval request signal is transmitted is equal to or larger than a predetermined threshold value, To respond.

In this specification, the second request time t2 to the fourth request time t4 at which the second sector to the fourth secure connection key generation request signal is transmitted and the encryption server transmits the second to fourth modulation confirmation information ATC2, ATC3, and ATC4) are the same.

At this time, the predetermined threshold value of the time difference may be determined to be a predetermined time, for example, 30 seconds to 3 minutes, and the time setting management unit 426 may provide a function of allowing the user to variably set the threshold value.

1, a short range wireless communication network such as NRC, Bluetooth, etc. may be used between the card 100 and the mobile terminal 200. FIG.

 A 3G wireless communication network such as WCDMA or a next generation wireless communication network such as LTE (Long Term Evolution) or LTE-A may be used between the portable terminal 200 and the encryption server 410 or the decryption server 420, It is preferable that data transmitted and received between the portable terminal and the encryption server is encrypted and transmitted according to a specific encryption method defined by the RSA or the payment company.

The decryption server 420 and the card issuer server 500 may be connected through a dedicated communication network generally used between financial systems.

In the above description, the encryption / decryption server according to the present invention includes a second connection security key S3 (S3 Key) and a second connection security key S4 (S4) that can access the second sector S3 and the third sector S4 of the card. However, the first security access key (S0 Key) for reading from the first sector S0 and the fourth sector S12 of the card and the second security access key Key S12 Key and the function of generating and verifying the modulation acknowledgment information (ATC) for preventing data tampering during data transmission / reception with the mobile terminal.

In the process of accepting or approving a transaction for card transaction, the mobile terminal 200 transmits only the chip serial number (CSN) and the security authentication code (C code) of the card The card information such as the card number, the expiration date, and the password, which are important security information, can be obtained only in the encrypted state, and thus the problem of the card information leakage by the portable terminal can be prevented originally.

In addition, the user authentication information generated and provided by the authentication server is stored alternately in the second sector (S3) and the third sector (S4) of the card in each authentication process and used as authentication data in the next authentication process, In particular, since the user authentication data is stored alternately in two storage spaces of the card, not the portable terminal, and the user authentication data is newly changed every time and is not reused, Can be further improved.

FIG. 5 illustrates a data flow during a cardholder registration process or an initial registration process in a card user authentication process according to an embodiment of the present invention.

First, when the user connects the card to the portable terminal for proper user registration of the card, the portable terminal reads the card and reads the chip serial number (CSN) of the card. (S515)

Next, the mobile terminal generates a first sector security access key request signal (S0 Key Req.) And transmits it to the encryption server (S520). At this time, the first sector secure access key request signal (S0 Key Req. Number CSN, and the time at which the first sector secure connection key request signal S0 Key Req. Is transmitted and received is the first request time t1.

The first request time t1 may be determined as the time when the encryption server receives the first request, but the mobile terminal may include the transmission time of the first request in the first request in a timestamp format will be.

Upon receiving the first request, the encryption server generates a first sector secure connection key (S0 Key) using a first sector secure connection key generation algorithm using the received chip serial number (CSN) as an input value (S525)

The encryption server generates the first modulation confirmation information ATC1 using the modulation confirmation information calculation algorithm based on the received chip serial number CSN and the first request time t1.

At this time, the modulation confirmation information calculation algorithm is a certain calculation scheme that uses the chip serial number (CSN) and the first request time t1 as input values, and is distinguished from the security access key generation algorithm described above.

The encryption server generates a response signal (S0 Key) containing the generated first sector security access key (S0 Key) and the first modulation confirmation information (ATC1) and transmits the response signal (S0 Key) to the mobile terminal (S530)

The portable terminal receives a response signal (S0 Key Res.) From the encryption server, accesses the first sector of the card using the first sector security connection key (S0 Key) included therein, And reads the code (Ccode) (S540)

The mobile terminal generates a second sector secure connection key generation request signal (S3 Key Req.) Including the read security authentication code (Ccode) and transmits it to the encryption server. (S545)

In addition to the security authentication code (Ccode), the second request signal (S3 Key Req.) Includes the chip serial number (CSN) of the corresponding card, the first request time (t1) The first modulation confirmation information (ATC1) received in response to the first request may be included.

Upon receipt of the second request, the encryption server checks the first modulation acknowledgment information (ATC1), the security authentication code (Ccode), the second sector security authentication key (S3 Key) And performs a generation operation. (S550)

The four operations performed after the encryption server receives the second request will be described in detail as follows.

First, by verifying the integrity of the first modulation confirmation information (ATC1), it is determined whether or not the transmitted / received data is forged or falsified.

That is, the encryption server uses the modulation confirmation information verifying unit to calculate the value derived from the modulation confirmation information calculation algorithm using the chip serial number (CSN) and the first request time t1 information included in the second request as variables, 2 request and directly received first modulation acknowledgment information (ATC1) are compared with each other, it can be determined that the first modulation acknowledgment information (ATC1) is verified only when they are the same.

Also, the encryption server extracts a security authentication code (Ccode) of the card previously stored in the storage unit using the security authentication code (Ccode) verification unit, and compares the security authentication code (Ccode) included in the second request with the value of the received security authentication code , It is determined that the authentication is successful only in the same case.

In addition, the encryption server generates a second sector secure connection key (S3 Key) using a second sector secure connection key generation algorithm based on the chip serial number (CSN) included in the second request. Further, the encryption server generates the second modulation confirmation information ATC2 by applying the modulation confirmation information calculation algorithm based on the chip serial number (CSN) and the second request time t2.

Then, the encryption server generates a response signal (S3 Key Res.) Including the generated second sector security access key (S3 Key) and second modulation acknowledgment information (ATC2) to the mobile terminal (S555)

Of course, according to the present invention, the process of receiving the second sector security access key (S3 key) does not necessarily have to be performed through steps S515 to S555.

For example, if the mobile terminal knows the second sector security key (S3 key) of the card in advance, steps S515 to S555 are omitted, and the process may proceed to step S560.

If the security authentication code (Ccode) and / or the first and second modulation confirmation information (ATC1 and ATC2) are not used, the mobile terminal proceeds to step S555 after step S515, (S3 Key Req.) To the encryption / decryption server and receive the second sector security access key (S3 Key) as a response thereto.

Next, the mobile terminal drives the user authentication module to receive user identification information that can identify a legitimate user such as a password from the user (S560), and transmits a first user authentication information request signal (User Authen. 1 Req.) And transmits it to the authentication server (S565)

At this time, in addition to the user identification information, the first user authentication information request signal (User Authen. 1 Req.) Includes a chip serial number (CSN) of the card, a maker UID (card issuer code), a card block number The same card information, and the portable terminal identification information such as the portable terminal ID.

Such user identification information, card (manufacturer) information, portable terminal identification information, and the like are used as input values used by the authentication server to generate the first user authentication information (User Authen.

Next, the authentication server determines whether or not a predetermined (predetermined) period of time has elapsed based on the user identification information included in the received first user authentication information request signal (User Authen. 1 Req.), Card identification information such as manufacturer's UID information, The first user authentication information (User Authen. 1) is generated by using the user authentication information generation algorithm (S570)

In addition, in step S570, the authentication server may further generate first user use information in addition to the first user authentication information. The first user use information includes a card use date, a card use flag (Flag), a portable terminal ID, The total number of cumulative use times, and the version information of the user authentication module installed in the card.

The authentication server transmits the generated first user authentication information (User Authen. 1), first user use information, etc. to the portable terminal as a response to the first user authentication information request signal (User Authen. (S575)

The portable terminal verifies the received first user authentication information in step S580. If it is verified, the portable terminal uses the second sector security connection key (S3 key) received from the encryption server in step S555 to transmit the second sector S3 ), And stores the encrypted first user authentication information (User Authen. 1) in the second sector of the card (S585)

The wireless terminal includes the same algorithm as the user authentication information generation algorithm of the authentication server. The wireless terminal has already transmitted the user identification information, the card maker's English name information and the first user authentication information request signal, tr), it is possible to perform verification of the first user authentication information by determining whether the value calculated through the user authentication information generation algorithm and the first user authentication information received from the authentication server are the same.

Of course, in addition to the first user authentication information, encrypted user use information may also be stored in the second sector S3 of the card in this process.

In addition, in step S585, the mobile terminal may store the card manufacturer's UID, thereby completing the registration process or the first registration process.

As described above, the first user authentication information is generated from the user identification information input by the user in the card registration process, the card manufacturer's name, the registration request time (tr), and the like, .

Further, by using the security authentication code (Ccode) and the modulation confirmation information (ATC1, 2) in this process, it is possible to further carry out a forgery check of the card.

FIG. 6 illustrates a flow of data in the process of user authentication or card use during the card user authentication process according to the embodiment of the present invention.

5, the first user authentication data for authenticating the user of the card is stored in an encrypted state in the second sector S3 of the card.

In this state, the user can perform a personal authentication process for authenticating a party user of the card irrespective of whether the user intends to perform settlement or the like using the card or not, and the process is shown in FIG.

First, the mobile terminal generates a third sector security access key request signal or a third request signal (S4 Key Req.) For accessing the third sector (S4) of the card and transmits it to the encryption / decryption server (S605)

In response to the third sector security association key request signal (S4 Key Req.), The chip serial number (CSN) of the corresponding card and the second sector security association key request Modulation acknowledgment information ATC2 and second request time t2 in which the second request is made.

The encryption / decryption server receiving the third request signal verifies the received second modulation acknowledgment information (ATC2), accesses the third sector (S4) of the card, a third sector security access key (S4 key) And generates third modulation confirmation information ATC3 (S610)

 The three operations performed after the encryption server receives the third request signal will be described in detail as follows.

It is possible to determine whether the transmitted / received data is forged or not by verifying the integrity of the second modulation confirmation information (ATC1). Specifically, the encryption server uses the modulation confirmation information verification unit A value derived from the modulation confirmation information calculation algorithm using the serial number CSN and the second request time t2 as variables is compared with the second modulation confirmation information ATC2 directly received included in the third request, It can be determined that the second modulation confirmation information (ATC2) is verified.

In addition, the encryption / decryption server generates a third sector secure connection key (S4 Key) using the third sector secure connection key generation algorithm based on the chip serial number (CSN) included in the third request.

Further, the encryption server generates the third modulation confirmation information ATC3 by applying the modulation confirmation information calculation algorithm based on the chip serial number (CSN) and the third request time t3.

Subsequently, the encryption server generates a response signal (S4 key) including the generated third sector security access key (S4 key) and the third modulation confirmation information (ATC3) and transmits it to the mobile terminal (S615)

Next, the mobile terminal drives the user authentication module to receive the user identification information input at the first subscription from the user (S620), and transmits a second user authentication information request signal (User Authen .2 Req.) Containing the user identification information. And transmits it to the authentication server (S625)

At this time, in addition to the card identification information such as the user identification information and the manufacturer's UID information, the second user authentication information request signal (User Authen .2 Req.) Further includes first user authentication information User Authen. 1), and a registration request time (tr) information in which the first user authentication information request signal is transmitted.

After receiving the second user authentication information request signal (User Auth .2 Req.), The authentication server verifies the first user authentication information included in the received second user authentication information, and transmits the second user authentication information, (S630)

More specifically, the authentication server generates the user authentication information based on the user identification information, manufacturer's name, registration request time (tr) information included in the second user authentication information request signal (User Authen. 2 Req.), (User Authen. 1) value included in the second user authentication information request signal (User Authen .2 Req.) And transmitted directly, and only when the two values are equal It can be determined that the first user authentication information (User Authen. 1) has been verified.

The authentication server generates the second user authentication information (User Authen. 2) only when the first user authentication information (User Authen. 1) is verified.

That is, after the first user authentication information (User Authen. 1) is verified, the authentication server verifies the user identification information included in the received second user authentication information request signal (User Authen .2 Req.), (User Authen. 2) by using a certain user authentication information generation algorithm on the basis of the card identification information and the time of transmitting the second user authentication information request signal, that is, the authentication request time (ta) .

In addition, in step S630, the authentication server may generate the second user use information in addition to the second user authentication information. The second user use information includes a card use date, a card use presence flag (Flag), a portable terminal ID, The total number of cumulative use times, and the version information of the user authentication module installed in the card.

The authentication server transmits the generated second user authentication information (User Authen. 2), second user information, etc. to the portable terminal as a response to the second user authentication information request signal (S635)

The portable terminal verifies the received second user authentication information, and when it is verified, accesses the third sector S4 of the card using the third sector security access key (S4 Key) received from the encryption server in step S615 And stores the encrypted second user authentication information (User Authen. 2) in the third sector S4 of the card (S640).

At this time, the second user authentication information (User Authen. 2) stored in the third sector S4 of the card is used as data for user authentication in the next authentication process.

The configuration for verifying the second user authentication information in the portable terminal is the same as the principle for verifying the first user authentication information in the first subscription process, and thus a detailed description thereof will be omitted.

As described above, only when the second user authentication information is verified in the portable terminal and thus the second user authentication information is normally stored in the third sector S4 of the card, it is recognized that the user authentication is completed.

That is, only when the user is authenticated using the first user authentication information stored in the second sector S3 of the card and the second user authentication information generated in the process is stored in the third sector S4 of the card, Has been completed.

After such user authentication is performed, a card use process such as a card approval process can be performed, and this process will be described in steps S645 to S680.

However, the user authentication system according to the present invention may not include steps S645 to S680, which are card approval procedures.

In the card approval process, which is an example of a card usage process after the card user authentication, a fourth sector security access key request signal (S12 Key Req.) That enables the mobile terminal to access the fourth sector (S12) And transmits the fourth request signal to the encryption / decryption server (S645)

The fourth request signal S12 Key Req. Includes the third request time t3 information that transmitted the third request for requesting the chip serial number CSN of the corresponding card and the third sector secure connection key S4 key And third modulation acknowledgment information (ATC3) received in response to the third request.

The encryption / decryption server receiving the fourth request performs verification of the third modulation confirmation information (ATC3), generation of the fourth sector security authentication key (S12 Key), and generation of the fourth modulation confirmation information (ATC4). (S650)

The three operations performed by the encryption / decryption server after receiving the fourth request correspond to the configuration performed by the encryption / decryption server after receiving the third request signal, and therefore, detailed description thereof will be omitted.

Briefly, after receiving the fourth request, the encryption / decryption server determines whether the transmitted / received data is forged or not by verifying the integrity of the third modulation confirmation information (ATC3) included in the fourth request and transmitted.

In addition, the encryption / decryption server generates a fourth sector secure connection key (S12 Key) using the fourth sector secure connection key generation algorithm based on the chip serial number (CSN) included in the fourth request, CSN and a fourth request time t4 to generate fourth modulation acknowledgment information ATC4.

Then, the encryption / decryption server generates a response signal (S12 Key) including the generated fourth sector secure connection key (S12 Key) and the fourth modulation confirmation information (ATC4) and transmits the response signal (S12 Key) to the mobile terminal (S655)

The portable terminal receives the response signal (S12 Key Res.) From the encryption / decryption server, accesses the fourth sector of the card using the fourth sector security connection key (S12 Key) included therein, (Card number, expiration date, password, etc.) (S660)

Then, the portable terminal generates a card approval request signal including the read encrypted card information and transaction information, and transmits the card approval request signal to the decryption server (encryption / decryption server). (S665)

At this time, in addition to the encrypted card information, a chip serial number (CSN) of the card, a fourth request time (t4) information, and fourth modulation confirmation information (ATC4) received in response to the fourth request ) May be included.

Upon receiving the card approval request signal, the decryption server performs verification of the fourth modulation confirmation information (ATC4) and decryption of the card information. (S670)

More specifically, the decryption server uses a modulation acknowledgment information verifying unit to obtain a chip serial number (CSN) and a fourth request time (t4) information included in the card approval request signal as variables and a value And the fourth received modulation confirmation information (ATC4) included in the card approval request signal and directly received, and determines that the fourth modulation confirmation information (ATC4) is verified only when they are the same.

 Only when the fourth modulation confirmation information (ATC4) is verified, the decryption server decrypts the received encrypted card information using a decryption algorithm that is known in advance, and decrypts the decrypted card information, that is, the card number, The card information is extracted.

Then, the decryption server transmits the decrypted card information and the transaction information to the card company server to request the card approval, and receives the result. (S675) The approval result message received from the card company server includes approval information, approval number, May be included.

The decryption server generates a card approval result signal based on the approval result information received from the card issuer server and transmits it to the portable terminal. (S680). At this time, an approval number and transaction number information may be included in the card approval result signal transmitted from the encryption / decryption server to the mobile terminal.

Of course, as described above, in step S670, if the time difference between the confirmed fourth modulation confirmation information generation time or the fourth request time t4 and the current time point at which the card approval request signal is transmitted is greater than or equal to a predetermined threshold value It is possible to respond to reject the card approval without decrypting the card information or requesting card approval from the card company server.

As described above, in the case where an additional second authentication process is performed after the step of FIG. 6, the user authentication is performed using the second user authentication information stored in the third sector S4 of the card, The third user authentication information is stored again in the second sector S3 of the card and used in the subsequent third authentication process.

Through the authentication process and the card authentication process described above, the first user authentication information generated in the first subscription process is firstly verified by the authentication server, and the second user authentication information is verified in the second mobile device. Thus, The unauthorized use of the card is fundamentally blocked as in the case of inputting the user identification information differently.

As described above, when the card user authentication system according to the embodiment of the present invention is used, in the course of card approval or transaction approval for card transaction, the mobile terminal transmits the chip serial number (CSN) Ccode) can be recognized. Since the card information such as the card number, the expiration date and the password, which are important personal security information used for the card approval, can be obtained only in the encrypted state, the problem of the card information leakage by the portable terminal There is an effect that it can be prevented originally.

In addition, the encryption server or the decryption server may generate and verify / verify the modulation confirmation information based on the chip serial number and the requested time information when transmitting / receiving various information required for card approval, thereby checking whether the transmitted / received data is forged or not The security can be improved.

In addition, an authentication server that can authenticate a card user, and an authentication server that authenticates user authentication information, which is generated based on user identification information, card manufacturer information, and time information input by a user, It is stored in the storage space and used for authentication of the user, so that the use of the card by an unauthorized user can be prevented originally.

Furthermore, since the user authentication data generated in the authentication process of the card is alternately stored in two storage spaces of the card, not in the portable terminal, and the user authentication data is newly changed every time and is not reused, Can be further improved.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the inventions. , Separation, substitution, and alteration of the invention will be apparent to those skilled in the art. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.

100: card 200: card terminal
300: Encryption server 400: Decryption server
500: Card issuer server 112: First sector (S0)
114: second sector (S3) 116: third sector (S4)
118: fourth sector (S13) 320: encrypted secure connection module server (ESAM)
420: decryption security access module server (DSAM)

Claims (11)

A card including a second sector (S3) and a third sector (S4) storing i-th user authentication information (i? 1) used for user authentication of the card;
An i < th > user authentication information request signal including the user identification information input by the user is generated and transmitted to the authentication server in the first subscription process or the authentication process of the user, A second sector (S3) and a third sector (S4);
I) receiving the i-th user authentication information request signal, and based on the user identification information included in the i-th user authentication information request signal and the request time (tr, ta) of the i- An authentication server for generating authentication information and transmitting the generated authentication information to the mobile terminal;
/ RTI >
The encrypted first user authentication information (User Authen. 1) provided from the authentication server in the first subscription process or the self-registration process is stored in the second sector (S3) of the card, The second user authentication information (User Authen. 2) received from the authentication server in the first authentication process is stored in the third sector S4 of the card, and the second user authentication information And the third user authentication information (User Authen. 3) received from the authentication server in the second authentication process is again stored in the second sector (S3) of the card, and the third user In the authentication process, as data for authentication of the user, new user authentication data is generated every time during the user registration process and a plurality of user authentication processes A second sector (S3) and a third sector (S4) after the shift is stored as the next to ensure that only the identity authentication process, wherein the generated user authentication information is not re-use card user authentication system of the card. The method according to claim 1,
The mobile terminal generates a second sector access security key (S3 Key) and a third sector access security key (S4 Key) which can access the second sector (S3) and the third sector (S4) of the card, And an encryption / decryption server provided to the portable terminal. The method according to claim 1,
The i-th user authentication information is generated by a user authentication information generation algorithm which is a hash algorithm that inputs the user identification information, the request time (tr, ta) of the i-th user authentication information request signal, and the manufacturer identification information of the card The card authentication system comprising: The method of claim 3,
In the first subscription process, the portable terminal generates a first user authentication information request signal and transmits the first user authentication information request signal to the authentication server,
The authentication server generates first user authentication information based on user identification information included in the first user authentication information request signal and a registration request time (tr) in which the first user authentication information request signal is transmitted, To the terminal,
Wherein the portable terminal stores the first user authentication information in the second sector (S3) of the card. 5. The method of claim 4,
During the first self-certification process,
The portable terminal generates a second user authentication information request signal including the first user authentication information, the user identification information, and the registration request time (tr) information, and transmits the second user authentication information request signal to the authentication server,
Wherein the authentication server verifies the first user authentication information included in the second user authentication information request signal and transmits the user identification information included in the second user authentication information request signal only when verified, Generates second user authentication information based on the authentication request time (ta) at which the user authentication information request signal is transmitted, and transmits the second user authentication information to the mobile terminal,
And the portable terminal stores the second user authentication information in a third sector (S4) of the card. The method according to claim 1,
The authentication server may include a card use date, a card use presence flag (Flag), a portable terminal ID, a total cumulative number of times of use of the card, and a version information of a card or a user authentication module installed in the mobile terminal And further generates i < th > user-use information including at least one of the i < th > user information and transmits the generated i < th > user information to the portable terminal. Based on the user identification information and the registration request time (tr) inputted by the user in accordance with the first user authentication information request signal (User Authen. 1 Req.) Transmitted from the portable terminal synchronized with the card in the initial registration process, 1 < / RTI > user authentication information to be transmitted to the portable terminal, and storing the first user authentication information in the second sector (S3) of the card;
(I + 1) Req.) Transmitted from the portable terminal connected to the card in the i-th identity authentication process, the user identification information transmitted by the user and the authentication request time and transmits the generated i + 1 user authentication information to the mobile terminal and alternately updates and stores the third i-th user authentication information in the third sector S4 and the second sector S3 of the card.
Lt; / RTI >
The first user authentication information (User Authen. 1) provided to the card terminal in the first subscription process or the first person registration process is stored in the second sector (S3) of the card, and the first authentication process The second user authentication information (User Authen. 2) provided to the card terminal in the first authentication process is stored in the third sector S4 of the card, and the second user authentication information The third user authentication information (User Authen. 3) provided to the card terminal in the second authentication process is again stored in the second sector (S3) of the card, and the third user authentication information In the authentication process, as data for authentication of the user, new user authentication data is generated every time during the user registration process and the plurality of user authentication processes, Site (S3) and a third sector (S4) and then stored in the shift to the next person to use by authentication procedure, the card user authentication server, characterized in that to ensure that the generated credentials are not reused. 8. The method of claim 7,
The authentication server transmits the hash information including the user identification information included in the i + 1 user authentication information request signal (User Authen i + 1 Req.), The card manufacturer identification information, the authentication request time ta, And the i + 1 user authentication information is generated using a user authentication information generation algorithm which is an algorithm. 8. The method of claim 7,
The authentication server verifies the i-th user authentication information included in the (i + 1) -th user authentication information request signal (User Authen i + 1 Req.) Transmitted from the wireless terminal interfaced with the card during the i- And generates the (i + 1) -th user authentication only when it is verified. A portable terminal interfacing with a card and an authentication server to mediate an initial membership process between a card and an authentication server and an authentication process,
The mobile terminal receives the user identification information input by the user in the initial registration process and the authentication process,
Generating an i-th user authentication information request signal including the user identification information and transmitting the i-th user authentication information request signal to the authentication server, receiving the i-th user authentication information transmitted from the authentication server, (S4)
In the first subscription process, encrypted first user authentication information (User Authen. 1) provided from the authentication server is stored in the second sector (S3) of the card, and data for authentication (User Authen. 2) received from the authentication server in the first authentication process is stored in the third sector (S4) of the card, and the second authentication process And the third user authentication information (User Authen. 3) received from the authentication server in the second authentication process is again stored in the second sector (S3) of the card, and the third user By using the data as the authentication data in the authentication process, new user authentication data Is stored in the second sector (S3) and the third sector (S4) of the card alternately and used only in the next authentication process, so that the generated user authentication information is not reused Mobile terminal. 11. The method of claim 10,
The mobile terminal transmits a second sector access security key (S3 Key) and a third sector access security key (S4 Key) which can access the second sector (S3) and the third sector (S4) of the card to the encryption / From the portable terminal.

Images