KR101746471B1 - User authentication method of ssl-vpn and sso based on yaws - Google Patents

User authentication method of ssl-vpn and sso based on yaws

Info

Publication number
KR101746471B1
Authority
KR
South Korea
Prior art keywords
vpn
ssl
sms
sso
server
Prior art date
Application number
KR1020160005379A
Other languages
Korean (ko)
Inventor
윤동한
Original Assignee
주식회사 쿼리시스템즈
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 쿼리시스템즈
Priority to KR1020160005379A
Application granted
Publication of KR101746471B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Abstract

In this embodiment, authentication security is enhanced by performing a VPN login process, an SMS/OTP login process, an SMS authentication number issuing process and a password re-issuance process through cooperation between a YAWS-based SSL-VPN server and an SSO server.

Description

The present invention relates to a method of authenticating a user of an SSL-VPN and an SSO based on YAWS.

This embodiment relates to a user authentication technique, and more particularly, to a YAWS-based user authentication technique.

In general, Erlang is a functional language for concurrent processing, created at the research laboratory of Ericsson in Sweden, that can spawn lightweight processes very quickly. Each Erlang process is driven by message passing, reports its result as messages, and shares no memory with other processes apart from the ETS and DETS table stores.

At first glance this resembles MPI (Message Passing Interface), but unlike MPI, where creating a single process is expensive, Erlang can create, run and terminate hundreds of thousands of processes in real time on an ordinary personal PC.

Furthermore, Erlang is well suited to clustering large amounts of hardware, because processes can be controlled remotely over a network even when they run on different computers.

Yaws is widely known as a web server written in Erlang. Unlike ordinary web servers that mainly serve static content, a Yaws-based web server handles dynamic requests concurrently, and is said to process several tens of times more transactions with the same resources.

In the system considered here, a Yaws-based web server hosts an SSL-VPN server that provides the SSL-VPN service and an SSO (Single Sign On) server.

However, the authentication process performed by the SSL-VPN server and the SSO (Single Sign On) server has weak security.

Prior art: Korean Published Patent No. 2014-0076125 (published 2014.06.20)

The present embodiment therefore aims to provide a user authentication method for a YAWS-based SSL-VPN and SSO with enhanced authentication security.

According to one embodiment, a YAWS-based SSL-VPN and SSO user authentication method comprises: a VPN login step, in which, when an arbitrary user terminal requests a VPN login screen, the SSL-VPN server decides whether to transmit an SSO login screen to the user terminal according to whether VPN session information exists; an SMS/OTP login step, in which, when no VPN session information exists, the SSL-VPN server and the SSO server perform an SMS authentication login or an OTP authentication login for SSL-VPN user authentication using a copy of the SSO login screen; an SMS authentication number issuing step, in which, when no VPN session information exists, the SSL-VPN server and the SSO server handle the request for and acceptance of the SMS authentication used for the SMS authentication login; and a password re-issuance step, in which, when no VPN session information exists, the SSL-VPN server and the SSO server handle the request for and acceptance of the personal identification information and the SMS authentication number used for password re-issuance.

In the VPN login step, if VPN session information exists, the user terminal receives the SSL-VPN login message already generated by the SSL-VPN server.

In the SMS/OTP login step, the SSL-VPN server may determine whether the ID, password and SMS authentication number entered through the copied SSO login screen belong to an SSL-VPN user.

The SMS/OTP login step may further include requesting SMS user authentication from the SSO server if that determination finds that the ID, password and SMS authentication number belong to an SSL-VPN user.

In the SMS/OTP login step, when the SSO server, in response to the SMS user authentication request, confirms the ID, password and SMS authentication number as belonging to a normal SSO user, the login is treated as a normal SMS login; otherwise it is treated as an abnormal SMS login. If the login is normal, the SMS authentication login is completed normally.

In the SMS authentication number issuing step, when an SMS authentication number issue request is made with the ID, password and SMS authentication number entered through the copied SSO login screen, the SSL-VPN server determines whether they belong to an SSL-VPN user.

The SMS authentication number issuing step may include transmitting an SSL-VPN user authentication request and an SMS authentication number issue request to the SSO server if that determination finds an SSL-VPN user.

In the SMS authentication number issuing step, in response to the SSL-VPN user authentication request and the SMS authentication number issue request, the SSO server, when it confirms the ID, password and SMS authentication number as belonging to a normal SSO user, treats the request as a normal SMS login and transmits the issued SMS authentication number to the user terminal; when it does not, it treats the request as an abnormal SMS login and transmits the abnormal login result to the user terminal.

The password re-issuing step may include: the SSL-VPN server transmitting the personal information received from the user terminal to the SSO server; the SSO server, when it confirms the transmitted personal information, transmitting the normal result and the terminal phone number to the SSL-VPN server; and the SSL-VPN server, on receiving the normal result, transmitting an SMS origination screen to the user terminal.

It may further include: the user terminal transmitting an SMS origination request to the SSL-VPN server through the SMS origination screen; the SSL-VPN server forwarding the SMS origination request, together with the terminal phone number, to the SSO server; and, if the SMS origination is accepted, transmitting the SMS authentication number generated by the SSO server to the user terminal.

The password re-issuing step may further include: the user terminal transmitting an authentication request containing the SMS authentication number entered through the SMS origination screen to the SSL-VPN server; the SSL-VPN server transmitting the terminal phone number and the SMS authentication number to the SSO server in response to the authentication request; and the SSO server determining whether the terminal phone number and the SMS authentication number belong to an SSO user.

It may further include the SSL-VPN server transmitting a password change screen to the user terminal when that determination reports success and the SSL-VPN server confirms the success.

The password re-issuing step may further include: transmitting a password change request entered through the password change screen to the SSO server via the SSL-VPN server; the SSO server transmitting to the SSL-VPN server whether the password change succeeded; and transmitting a change completion screen to the user terminal when the password change succeeded.

The user authentication method may further include an ACS server, connected between the SSL-VPN server and the SSO server, relaying or confirming the messages exchanged between them.

As described above, this embodiment enhances authentication security by performing an SMS or OTP authentication login in addition to the existing authentication login.

In addition, this embodiment enhances authentication security and allows faster authentication processing by carrying out user login and authentication through the VPN login process, the SMS/OTP login process, the SMS authentication number issuing process and the password re-issuance process.

The effects are not limited to those mentioned above; other effects will be clearly understood by those skilled in the art from the following description.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention. The technical features of the present embodiment are not limited to the specific drawings, however, and the features disclosed in the drawings may be combined with each other to constitute a new embodiment.
FIG. 1 is a flowchart showing an example of a user authentication method according to an embodiment.
FIG. 2 is a block diagram illustrating the configuration of a Yaws-based authentication processing system that performs the user authentication method of FIG. 1.
FIG. 3 is a flowchart illustrating the VPN login process of FIG. 1 in more detail.
FIG. 4 is a flowchart illustrating the SMS login process of FIG. 1 in more detail.
FIG. 5 is a flowchart illustrating the SMS authentication number issuing process of FIG. 1 in more detail.
FIG. 6 and FIG. 7 are flowcharts illustrating the password re-issuance process of FIG. 1 in more detail.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout.

It is to be understood that the terms used in the following examples are used only to illustrate specific embodiments, and are not intended to be limiting.

It is also to be understood that the singular forms used in the description of the various embodiments and in the claims include plural referents unless the context clearly dictates otherwise.

It is also to be understood that the term " and / or " disclosed in the following embodiments includes any and all possible combinations of one or more of the listed related items.

It is also to be understood that when an element is described as "connected" to another element in the following embodiments, it may be directly connected to the other element.

It is also to be understood that the terms "comprising" or "including", as used in the following examples, mean that a stated constituent element is present unless specifically stated otherwise, and should be understood as not excluding additional elements.

<Example of user authentication method>

FIG. 1 is a flowchart illustrating an example of a user authentication method according to an exemplary embodiment, and FIG. 2 is a block diagram illustrating the configuration of a Yaws-based authentication processing system that performs the user authentication method of FIG. 1.

The Yaws-based authentication processing system 100 shown in FIG. 2 may include a user terminal 110, an SSL-VPN server 120, an ACS server 130, and an SSO server 140. The user terminal 110, the SSL-VPN server 120, the ACS server 130 and the SSO server 140 may be connected to each other through a communication network such as a wireless network or a wired network.

The communication network, whether wireless or wired, may connect to a network such as the Internet (also referred to as the World Wide Web, WWW), a cellular telephone network, or an intranet such as a wireless local area network (LAN) and/or a metropolitan area network, and may communicate wirelessly with a wireless network and other devices.

The wireless network may be a cellular network (e.g., Global System for Mobile Communications (GSM), Enhanced Data Rates for GSM Evolution (EDGE), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Universal Mobile Telecommunications System (UMTS), Long Term Evolution (LTE), or other cellular networks), and the like.

For example, if the network data access element(s) are part of a GSM network, they may be a base transceiver station (BTS), a base station controller (BSC), a mobile switching center (MSC), a GPRS support node, and the like.

As another example, if the network data access element(s) are part of a LAN, they may include one or more network switches, routers, hubs, and/or similar devices.

In this regard, the user terminal 110 may be a client terminal that requests user authentication and receives the result.

The SSL-VPN server 120 manages the SSL-VPN (Secure Sockets Layer Virtual Private Network), an SSL-based virtual private network through which the internal network can be accessed regardless of the location or type of terminal.

SSL encrypts the traffic between the web browser and the server, so the contents remain protected even if the traffic is intercepted by an attacker.

The SSL-VPN server 120 may be a web server based on Yaws implemented in the Erlang language.

The ACS server 130 may be a server managing an AUTO CALLING SYSTEM: it may confirm messages exchanged between the SSL-VPN server 120 and the SSO server 140, or automatically dial telephone numbers and the like.

The SSO server 140 manages SSO (Single Sign On) processing and may manage the substantive user authentication process so that multiple sites can be used with one user ID.

Hereinafter, a user authentication method performed through the above-described Yaws-based authentication processing system 100 will be described.

Referring to FIG. 1, a user authentication method 200 according to an embodiment may include steps 210 to 250 for processing a user authentication through the Yaws-based authentication processing system 100.

An exemplary step 210 is the VPN login process. When an arbitrary user terminal 110 requests a VPN login screen, the SSL-VPN server 120 checks whether VPN session information exists and, depending on the result, decides whether or not to transmit the SSO login screen to the user terminal 110.

The SSO login screen may include an OTP login screen or an SMS login screen. The OTP login screen supports OTP (One Time Password) login; a One Time Password is a user authentication scheme using a randomly generated one-time number. The SMS login screen supports SMS (Short Message Service) login.

The SSO login screen transmitted to the user terminal 110 may be a copy SSO login screen.

In the SMS/OTP login process 220, when no VPN session information exists, the SSO server 140 and the SSL-VPN server 120 use the copied SSO login screen to perform an SMS authentication login or an OTP authentication login for SSL-VPN user authentication.

For example, when user information (e.g., an ID and password, an OTP login ID and password, an SMS login ID and password, etc.) is entered through the copied SSO login screen, the SSL-VPN server 120 and the SSO server 140 cooperate to perform an SMS authentication login or an OTP authentication login for SSL-VPN user authentication, in order to verify that the user information belongs to a legitimate login user.

Step 230 is the SMS authentication number issuing process. When no VPN session information exists, the SMS authentication request and its acceptance for the SMS authentication login are performed in cooperation between the SSL-VPN server 120 and the SSO server 140.

At this time, the SMS authentication login can be realized through the SMS login screen of the copy SSO login screen.

Similarly, the exemplary step 230 may be an OTP authentication number issuing process: when no VPN session information exists, the OTP authentication request and its acceptance for the OTP authentication login may be performed in cooperation between the SSL-VPN server 120 and the SSO server 140.

In that case, the OTP authentication login can be realized through the OTP login screen of the copied SSO login screen.

Previously, the SSL-VPN server 120 did not perform the SMS authentication request and acceptance in conjunction with the SSO server 140.

An exemplary step 240 is the password re-issuance process, in which, when no VPN session information exists, the personal information (the same as the user information) for password re-issuance and the SMS authentication number request and acceptance, or the OTP authentication number request and acceptance, are handled in cooperation between the SSL-VPN server 120 and the SSO server 140.

Previously, the SSL-VPN server 120 did not perform the SMS authentication number request and acceptance, or the OTP authentication number request and acceptance, in conjunction with the SSO server 140.

As described above, the present embodiment performs authentication processing with enhanced security by adding an SMS or OTP authentication login to the existing authentication login.

In step 250, the ACS server 130, connected between the SSL-VPN server 120 and the SSO server 140, can relay or confirm the messages exchanged between the SSL-VPN server 120 and the SSO server 140.

The messages in question may concern the success or failure of the user's login and the corresponding success/failure information.

Hereinafter, steps 210 to 240 will be described in more detail.

<Example of VPN Login Process>

FIG. 3 is a flowchart illustrating the VPN login process of FIG. 1 in more detail.

Referring to FIG. 3, in the VPN login process 210 according to one embodiment, when any user terminal 110 requests a VPN login screen, the SSL-VPN server 120 checks whether VPN session information exists (211).

For example, if VPN session information exists for the VPN login screen request, the SSL-VPN login message already generated by the SSL-VPN server 120 may be transmitted to the user terminal 110; if no VPN session information exists for the request, the SSO login screen may be transmitted to the user terminal 110 (213).

In this way, the VPN login process 210 decides whether to transmit the SSO login screen to the user terminal 110 according to whether the VPN session information confirmed by the SSL-VPN server 120 exists.

Here, as noted above, the SSO login screen may include an OTP login screen or an SMS login screen: the OTP login screen supports OTP (One Time Password) login, a user authentication scheme using a randomly generated one-time number, and the SMS login screen supports SMS (Short Message Service) login.
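The decision in step 211 hinges on what "VPN session information exists" means. The following Python sketch is an added example, not code from the patent or from the assignee's product; it assumes the SSL-VPN server keeps its session information as an HMAC-signed, expiring token of the form "<user>:<expiry>:<mac>" under a server-side key (the key value and the two return strings are constructed for illustration). The point it makes is that existence must be judged by verifying the token, so that a forged, tampered or expired token is treated exactly like no session and sends the terminal to the SSO login screen.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not the patent's code. Token format "<user>:<expiry>:<mac>" and the
# key below are assumptions; the key is a constructed sample value.
SESSION_KEY = b"constructed-sample-key-replace-in-deployment"


def make_session(user_id: str, ttl_seconds: int, now: float) -> str:
    """Mint the VPN session information once a login has completed."""
    expires = int(now) + ttl_seconds
    body = f"{user_id}:{expires}".encode()
    mac = hmac.new(SESSION_KEY, body, hashlib.sha256).hexdigest()
    return f"{user_id}:{expires}:{mac}"


def session_is_valid(token: Optional[str], now: float) -> bool:
    """Step 211: 'VPN session information exists' has to mean a token that verifies
    and has not expired, not merely a cookie that is present in the request."""
    if not token:
        return False
    parts = token.rsplit(":", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    user_id, expires, mac = parts
    body = f"{user_id}:{expires}".encode()
    expected = hmac.new(SESSION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # forged or tampered token
        return False
    return int(expires) > now                      # an expired token counts as absent


def vpn_login_screen(token: Optional[str], now: float) -> str:
    """Steps 211 to 213: what the SSL-VPN server returns for a VPN login screen request."""
    if session_is_valid(token, now):
        return "SSL-VPN login message"
    return "SSO login screen"
```

The MAC covers both the user identifier and the expiry, so changing either field (for example, extending the expiry of a captured token) invalidates it; the comparison uses hmac.compare_digest so a wrong MAC cannot be confirmed byte by byte through timing.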

<Example of SMS Login Process>

FIG. 4 is a flowchart illustrating the SMS login process of FIG. 1 in more detail.

Referring to FIG. 4, the SMS login process 220 according to one embodiment may include steps 221 through 227.

In an exemplary step 221, the user terminal 110 transmits personal information (user information) such as an ID, a password and an SMS authentication number entered through the SSO login screen received when no VPN session information existed, or through the copied SSO login screen made from it.

In step 222, the SSL-VPN server 120 may retrieve, from the SSO server 140 via the ACS server 130, the user information whose ID, password and SMS authentication number were entered, and check it.

In step 223, the SSL-VPN server 120 may determine whether the ID, password and SMS authentication number entered through the copied SSO login screen match user information, that is, an SSL-VPN user.

In other words, the SSL-VPN server 120 can determine whether the ID, password, and SMS authentication number input through the copy SSO login screen belong to the SSL-VPN user of the SSL-VPN server 120.

In step 224, if the ID, password and SMS authentication number received from the user terminal 110 belong to an SSL-VPN user, the SSL-VPN server 120 may request SMS user authentication from the SSO server 140.

In the exemplary step 225, when the SSO server 140, in response to the SMS user authentication request received from the SSL-VPN server 120, confirms that the ID, password and SMS authentication number belong to a normal SSO user, the login is treated as a normal SMS login; if they are not identified as a normal SSO user, it is treated as an abnormal SMS login.

For example, if the login is treated as a normal SMS login, the SSO server 140 completes the SMS authentication login normally and transmits the result to the SSL-VPN server 120, which can then transmit the completion screen to the user terminal 110 (226).

As described above, the present embodiment can perform user authentication for the SMS login process with enhanced security through cooperation between the SSL-VPN server 120 and the SSO server 140.

An OTP login process may be performed instead of the SMS login process 220 described above. With OTP in place of SMS, the process is substantially the same as described above, so its description is omitted.

<Example of SMS authentication number issuing process>

FIG. 5 is a flowchart illustrating the SMS authentication number issuing process of FIG. 1 in more detail.

Referring to FIG. 5, the SMS authentication number issue process 230 according to an exemplary embodiment may include steps 231 through 236.

First, in step 231, the user terminal 110 sends an SMS authentication number issue request to the SSL-VPN server 120 using the personal information (user information), namely the ID, password and SMS authentication number, entered through the SSO login screen received when no VPN session information existed, or through the copied SSO login screen made from it.

In the exemplary step 232, the SSL-VPN server 120 can retrieve, through the ACS server 130, the user information whose ID, password and SMS authentication number were entered, and check it.

In an exemplary step 233, the SSL-VPN server 120 may determine whether the user ID, password and SMS authentication number match the checked user information, that is, an SSL-VPN user.

In other words, the SSL-VPN server 120 can determine whether the ID, password, and SMS authentication number input through the copy SSO login screen belong to the SSL-VPN user of the SSL-VPN server 120.

If the SSL-VPN server 120 determines in step 234 that the ID, password and SMS authentication number received from the user terminal 110 belong to an SSL-VPN user, it can transmit an SSL-VPN user authentication request and an SMS authentication number issue request to the SSO server 140.

In step 235, when the SSO server 140, in response to the SSL-VPN user authentication request and the SMS authentication number issue request received from the SSL-VPN server 120, verifies the ID, password and SMS authentication number as a normal SSO user, it can treat the request as a normal SMS login and transmit the issued SMS authentication number to the user terminal 110 through the SSL-VPN server 120.

However, in an exemplary step 236, when the SSO server 140, in response to those requests, does not confirm the ID, password and SMS authentication number as a normal SSO user, it can treat the request as an abnormal SMS login and transmit the abnormal login result to the user terminal 110 through the SSL-VPN server 120.

As described above, the present embodiment can perform user authentication for the SMS authentication number issuing process with enhanced security through cooperation between the SSL-VPN server 120 and the SSO server 140.

<Example of password re-issuance process>

FIG. 6 and FIG. 7 are flowcharts illustrating the password re-issuance process of FIG. 1 in more detail.

As shown, the password re-issuance process 240 according to an embodiment may include steps 241 to 249.

First, in step 241, the SSL-VPN server 120 receives and confirms the personal information (user information) entered through the personal information input screen of the user terminal 110 and transmits it to the SSO server 140; the SSO server 140 checks the received personal information and, if it is in order, transmits the normal result and the stored terminal phone number to the SSL-VPN server 120.

In step 242, when the SSL-VPN server 120 receives the normal result from the SSO server 140, it may transmit an SMS origination screen to the user terminal 110, which displays it on its screen.

In an exemplary step 243, the user terminal 110 transmits an SMS origination request to the SSL-VPN server 120 through the SMS origination screen shown on its display, and the SSL-VPN server 120 forwards the received SMS origination request to the SSO server 140 together with the previously stored terminal phone number.

In step 244, the SSO server 140 checks whether the received terminal phone number matches the stored terminal phone number. If it does, the SSO server 140 accepts the SMS origination; otherwise it rejects the SMS origination and transmits the rejection to the SSL-VPN server 120.

In step 245, when the SSL-VPN server 120 receives the SMS origination acceptance from the SSO server 140, the SMS authentication number generated for the request is transmitted to the user terminal 110; the user terminal 110 then transmits an authentication request containing the SMS authentication number entered on the screen to the SSL-VPN server 120. If the SSL-VPN server 120 does not receive the SMS origination acceptance from the SSO server 140, no SMS authentication number is issued.

In step 246, the SSL-VPN server 120 transmits the stored terminal phone number and the SMS authentication number to the SSO server 140 in response to the authentication request, and the SSO server 140 determines whether the received terminal phone number and SMS authentication number belong to the corresponding SSO user.

In step 247, the SSL-VPN server 120 receives the result of the SSO server 140's determination; if authentication succeeded, it transmits the password change screen to the user terminal 110, and if not, it may transmit a rejection screen to the user terminal 110.

In step 248, the user terminal 110 transmits a password change request entered through the password change screen to the SSO server 140 via the SSL-VPN server 120, and the SSO server 140, in response, transmits whether the password change succeeded to the SSL-VPN server 120.

In step 249, if the SSL-VPN server 120 finds that the password change succeeded, it transmits a change completion screen to the user terminal 110; if it finds that the change failed, it transmits the corresponding screen to the user terminal 110.

As described above, unlike the conventional method, the present embodiment enhances security by having the SSO server 140 perform both the user authentication and the authentication for the password change during the password change process.

Meanwhile, an ACS server 130 may be connected between the SSL-VPN server 120 and the SSO server 140. The ACS server 130 may automatically relay messages exchanged between the SSL-VPN server 120 and the SSO server 140, particularly messages that carry a telephone number, or may perform the user confirmation required for user authentication.
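The SMS login process (steps 221 to 226), the SMS authentication number issuing process (steps 231 to 236) and the password re-issuance process (steps 241 to 249) share the same building blocks: a credential check at the SSO server, issuance of an SMS authentication number to the phone on record, and its verification before anything is granted. The Python model below is an added example, not code from the patent or from the assignee's product. It plays both servers in one process; the ACS relay is left out, the SMS gateway is a list the caller can read, and the code length, its lifetime, the attempt limit and the choice of a birth date as the "personal information" are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not the patent's code; code length, lifetime, attempt limit and the
# personal-information field (a birth date) are assumptions made for illustration.
CODE_TTL = 180       # seconds an SMS authentication number stays valid
MAX_ATTEMPTS = 5     # wrong guesses tolerated before a code is discarded

def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

class SsoServer:
    """SSO server 140: the only party holding password hashes, phone numbers and codes."""
    def __init__(self, now):                           # now(): clock, injectable for testing
        self.now = now
        self.users: Dict[str, dict] = {}
        self.codes: Dict[Tuple[str, str], dict] = {}   # (user, purpose) -> pending code
        self.sent_sms = []                             # constructed stand-in for the SMS gateway
    def add_user(self, uid, password, phone, birthdate):
        salt = secrets.token_bytes(16)
        self.users[uid] = {"salt": salt, "hash": hash_password(password, salt),
                           "phone": phone, "birthdate": birthdate}
    def check_password(self, uid, password) -> bool:
        u = self.users.get(uid)
        if u is None:
            hash_password(password, b"\0" * 16)        # same cost whether or not the id exists
            return False
        return hmac.compare_digest(u["hash"], hash_password(password, u["salt"]))
    def issue_code(self, uid, purpose, phone=None) -> bool:
        """Steps 235 and 244/245: a fresh code bound to user and purpose, sent only to the
        number on record; a number supplied by the front end must match that record."""
        u = self.users.get(uid)
        if u is None or (phone is not None and not hmac.compare_digest(u["phone"], phone)):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.codes[(uid, purpose)] = {"code": code, "exp": self.now() + CODE_TTL, "tries": 0}
        self.sent_sms.append((u["phone"], code))
        return True
    def verify_code(self, uid, purpose, code) -> bool:
        """Steps 225 and 246: expiry, attempt limit, constant-time compare, single use."""
        st = self.codes.get((uid, purpose))
        if st is None or self.now() > st["exp"]:
            self.codes.pop((uid, purpose), None)
            return False
        st["tries"] += 1
        ok = hmac.compare_digest(st["code"], code)
        if ok or st["tries"] >= MAX_ATTEMPTS:
            del self.codes[(uid, purpose)]
        return ok
    def phone_for(self, uid, birthdate) -> Optional[str]:
        """Step 241: the personal-information check returns the registered phone number."""
        u = self.users.get(uid)
        return u["phone"] if u and hmac.compare_digest(u["birthdate"], birthdate) else None
    def change_password(self, uid, new_pw) -> bool:    # step 248: store a new salted hash
        if uid not in self.users:
            return False
        salt = secrets.token_bytes(16)
        self.users[uid].update(salt=salt, hash=hash_password(new_pw, salt))
        return True

class SslVpnServer:
    """SSL-VPN server 120: front end that relays to the SSO server and stores no secrets."""
    def __init__(self, sso: SsoServer, vpn_users):
        self.sso = sso
        self.vpn_users = set(vpn_users)                # step 223: is this an SSL-VPN user at all?
        self.reset_sessions: Dict[str, dict] = {}      # server-side state of a re-issuance
    def request_sms_code(self, uid, password) -> str:
        """Steps 231-236: a code is issued only after id and password pass."""
        if uid in self.vpn_users and self.sso.check_password(uid, password):
            self.sso.issue_code(uid, "login")
            return "normal"
        return "abnormal"                              # same answer for unknown id or wrong password
    def sms_login(self, uid, password, code) -> str:
        """Steps 221-226: id, password and SMS authentication number checked together."""
        if (uid in self.vpn_users and self.sso.check_password(uid, password)
                and self.sso.verify_code(uid, "login", code)):
            return "normal"
        return "abnormal"
    def reissue_start(self, uid, birthdate) -> Optional[str]:
        """Steps 241-245: the phone number comes from the SSO server, never from the client."""
        phone = self.sso.phone_for(uid, birthdate)
        if phone is None or not self.sso.issue_code(uid, "reset", phone):
            return None
        token = secrets.token_urlsafe(16)
        self.reset_sessions[token] = {"uid": uid, "verified": False}
        return token
    def reissue_verify(self, token, code) -> bool:
        """Steps 246/247: the code must verify before the password change screen is shown."""
        st = self.reset_sessions.get(token)
        if st is not None and self.sso.verify_code(st["uid"], "reset", code):
            st["verified"] = True
            return True
        return False
    def reissue_finish(self, token, new_pw) -> bool:
        """Steps 248/249: one change, only for a verified reset session."""
        st = self.reset_sessions.get(token)
        if st is None or not st["verified"]:
            return False
        del self.reset_sessions[token]
        return self.sso.change_password(st["uid"], new_pw)
```

What the model adds to the flow in the text: the SMS authentication number is single-use, expires, is bound to one user and one purpose (a code issued for login cannot complete a password reset), and is compared in constant time with a cap on wrong guesses; the phone number used for re-issuance is the one the SSO server returns in step 241 and the SSO server refuses to send to any other number (step 244); the SSL-VPN server keeps the re-issuance state server-side under a random token and answers "abnormal" identically for an unknown ID, a non-VPN user and a wrong password, so the login screen does not reveal which accounts exist.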

The user authentication method described above can be implemented in the form of program instructions that can be executed through various computer components and recorded in a computer-readable medium.

The computer readable medium may be any medium accessible by the processor. Such media can include both volatile and nonvolatile media, removable and non-removable media, communication media, storage media, and computer storage media.

A communication medium may include computer readable instructions, data structures, program modules, other data of a modulated data signal such as a carrier wave or other transmission mechanism, and may include any other form of information delivery medium known in the art.

The storage medium may be any type of storage medium such as RAM, flash memory, ROM, EPROM, electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable disk, compact disk read-only memory (CD-ROM) or any other type of storage medium.

Computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information such as computer readable instructions, data structures, program modules or other data.

Such computer storage media include RAM, ROM, EPROM, EEPROM, flash memory, other solid state memory technology, CD-ROMs, digital versatile disks (DVDs) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage and/or ...

Examples of program instructions may include machine language code such as those produced by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the exemplary embodiments or constructions, and that various modifications are possible. The embodiments described above are therefore to be considered in all respects as illustrative and not restrictive.

100: authentication processing system
110: user terminal
120: SSL-VPN server
130: ACS server
140: SSO server

Claims (14)

1. A user authentication method of SSL-VPN and SSO based on YAWS, comprising:
a VPN login step in which, when an arbitrary user terminal requests a VPN login screen, the SSL-VPN server determines whether to transmit an SSO login screen to the user terminal according to whether VPN session information verified at the SSL-VPN server exists;
an SMS/OTP login step in which, in a state where the VPN session information does not exist, the SSL-VPN server and the SSO server perform an SMS authentication login or an OTP authentication login for SSL-VPN user authentication by using a copy SSO login screen in which the SSO login screen is copied;
an SMS authentication number issue step in which the SMS authentication number issue request and its acceptance for the SMS authentication login are performed by the SSL-VPN server and the SSO server in a state where the VPN session information does not exist; and
a password re-issue step in which the SSL-VPN server and the SSO server request and accept personal information and an SMS authentication number for re-issuing a password in the absence of the VPN session information,
wherein the SMS authentication number issue step comprises:
when an SMS authentication number issue request is made using the ID, password and SMS authentication number input through the copy SSO login screen, determining, by the SSL-VPN server, whether the ID, password and SMS authentication number belong to an SSL-VPN user.
2. The method according to claim 1, wherein the VPN login step comprises:
receiving, by the user terminal, an SSL-VPN login message already generated by the SSL-VPN server when the VPN session information exists.
3. The method according to claim 1, wherein the SMS/OTP login step comprises:
determining, by the SSL-VPN server, whether the ID, password and SMS authentication number input through the copy SSO login screen belong to an SSL-VPN user.
4. The method according to claim 3, wherein the SMS/OTP login step comprises:
when, as a result of the determination, the ID, password and SMS authentication number belong to an SSL-VPN user, requesting SMS user authentication from the SSO server.
5. The method according to claim 4, wherein the SMS/OTP login step comprises:
when the SSO server confirms the ID, password and SMS authentication number as a normal SSO user in response to the SMS user authentication request, regarding the login as a normal SMS login, and when the SSO server does not confirm them as a normal SSO user, regarding the login as an abnormal SMS login; and
when the login is a normal SMS login, processing the SMS authentication login normally.
6. (deleted)
7. The method according to claim 1, wherein the SMS authentication number issue step comprises:
when, as a result of the determination, the ID, password and SMS authentication number belong to an SSL-VPN user, transmitting an SSL-VPN user authentication request and the SMS authentication number issue request to the SSO server.
8. The method according to claim 7, wherein the SMS authentication number issue step comprises:
when the SSO server confirms the ID, password and SMS authentication number as a normal SSO user in response to the SSL-VPN user authentication request and the SMS authentication number issue request, ...; and when the SSO server does not confirm them as a normal SSO user, regarding the login as an abnormal SMS login and transmitting an abnormal login result to the user terminal.
9. The method according to claim 1, wherein the password re-issue step comprises:
transmitting, from the SSL-VPN server to the SSO server, the personal information received from the user terminal;
when the SSO server confirms the transmitted personal information, transmitting a normal result and the terminal phone number to the SSL-VPN server; and
when the SSL-VPN server receives the normal result, transmitting an SMS transmission screen to the user terminal.
10. The method according to claim 9, wherein the password re-issue step comprises:
transmitting an SMS origination request to the SSL-VPN server through the SMS transmission screen;
when the SMS origination request is transmitted to the SSL-VPN server, transmitting, by the SSL-VPN server, the SMS origination request to the SSO server using the terminal phone number; and
when the SMS origination acceptance is affirmative, transmitting the SMS authentication number generated by the SSO server to the user terminal.
11. The method according to claim 10, wherein the password re-issue step comprises:
transmitting an authentication request including the SMS authentication number input through the SMS transmission screen to the SSL-VPN server;
transmitting the terminal telephone number and the SMS authentication number to the SSO server in response to the authentication request; and
determining, by the SSO server, whether the terminal telephone number and the SMS authentication number belong to an SSO user.
12. The method according to claim 11, wherein the password re-issue step comprises:
upon receiving, at the SSL-VPN server, the authentication success according to the determination and confirming the success, transmitting the password change screen to the user terminal.
13. The method according to claim 12, wherein the password re-issue step comprises:
transmitting a password change request input through the password change screen to the SSO server through the SSL-VPN server;
transmitting to the SSL-VPN server whether the password change succeeded, in response to the password change request; and
when the password change succeeded, transmitting a change completion screen to the user terminal.
14. The method according to any one of claims 1 to 5 and 7 to 13, wherein an ACS server connected between the SSL-VPN server and the SSO server relays or confirms the messages transmitted and received between the SSL-VPN server and the SSO server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160005379A KR101746471B1 (en) 2016-01-15 2016-01-15 User authentication method of ssl-vpn and sso based on yaws

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020160005379A KR101746471B1 (en) 2016-01-15 2016-01-15 User authentication method of ssl-vpn and sso based on yaws

Publications (1)

Publication Number Publication Date
KR101746471B1 true KR101746471B1 (en) 2017-06-14

Family

ID=59217906

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020160005379A KR101746471B1 (en) 2016-01-15 2016-01-15 User authentication method of ssl-vpn and sso based on yaws

Country Status (1)

Country Link
KR (1) KR101746471B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110798456A (en) * 2019-10-22 2020-02-14 北京天融信网络安全技术有限公司 SSLVPN authentication method and intranet resource access and data acquisition method

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120204245A1 (en) * 2011-02-03 2012-08-09 Ting David M T Secure authentication using one-time passwords

Similar Documents

Publication Publication Date Title
KR102321781B1 (en) Processing electronic tokens
EP2039110B1 (en) Method and system for controlling access to networks
RU2440688C2 (en) User profile, policy and distribution of pmip keys in wireless communication network
KR102001544B1 (en) Apparatus and method to enable a user authentication in a communication system
CN103944737A (en) User identity authentication method, third-party authentication platform and operator authentication platform
US8074259B1 (en) Authentication mark-up data of multiple local area networks
CN106465096B (en) It accesses network and obtains method, terminal and the core net of client identification module information
CN105830414A (en) Secure network access using credentials
US8931068B2 (en) Authentication process
CN109891921B (en) Method, apparatus and computer-readable storage medium for authentication of next generation system
US20210234836A1 (en) A proxy network with self-erasing processing elements
CN102215486B (en) Network access method, system, network authentication method, equipment and terminal
US8943570B1 (en) Techniques for providing enhanced network security
CN110719252A (en) Methods, systems, and computer readable media for authorizing transactions over a communication channel
KR101746471B1 (en) User authentication method of ssl-vpn and sso based on yaws
CN113411286B (en) Access processing method and device based on 5G technology, electronic equipment and storage medium
CN104469772A (en) Website equipment authentication method and device and authentication system
CN104335619A (en) Remote unlocking of telecommunication device functionality
US20210090087A1 (en) Methods for access point systems and payment systems therefor
CN111404965B (en) Method for realizing mobile terminal application safety verification
JP2017055172A (en) Radio communication device, radio communication method, and radio communication program
CN104980922A (en) Wireless Internet access method and system based on public platform
KR102148189B1 (en) Apparatus and method for protecting malicious site
KR101490549B1 (en) Wireless Internet Access Authentication Method for Web Based Advertisement Service
KR101480706B1 (en) Network system for providing security to intranet and method for providing security to intranet using security gateway of mobile communication network

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant