KR101852791B1 - Certification service system and method using user mobile terminal based secure world - Google Patents

Abstract

The present invention relates to a system for an accredited certificate login service using a mobile terminal and a method thereof. According to the present invention, the system for the accredited certificate login service using the mobile terminal comprises: the mobile terminal operated by a general operating system and a secure operating system to store an accredited certificate in a secure world (SW); and a secure authentication server based on a user input to, after a login webpage provided from a website server accessed through a web browser of a personal computer is displayed, when a mobile login method, which is to login onto a website server through the accredited certificate stored in the secure world of the mobile terminal, is selected in a login webpage, provide a mobile login screen to authenticate a user of the mobile terminal to the personal computer and to transmit a push message for requesting authentication to the mobile terminal based on the user identification information entered into the mobile login screen displayed on the personal computer. After an authentication application for security executed in the secure world accepts the request for authentication in accordance with the push message and transmits signature data, which is obtained by electronically signing the stored accredited certificate with a personal key, to the secure authentication server, and after the website server receives the signature data from the secure authentication server through the personal computer and verifies to disclose the signature data, the mobile terminal is able to transmit a webpage processed to allow the login to the personal computer. The present invention is to provide a system for the accredited certificate login service using a mobile terminal and method thereof, which are able to store an accredited certificate in a secure world executed in a secure operating system within the mobile terminal and to log in by using the accredited certificate stored in the mobile terminal even when an accredited certificate is not stored in a personal computer.

Description

Technical Field [0001] The present invention relates to a certification service login service system and method using a mobile terminal,

The present invention relates to a system and method for a public certificate log-in service using a mobile terminal, and more particularly, to a system and method for a public certificate log-in service using a mobile terminal using a public certificate stored in a security area such as TEE or WBC of a mobile terminal And more particularly, to a system and method for authenticating a certificate login service using a mobile terminal capable of logging into a web site server in a personal computer or a mobile terminal.

As the services requiring security such as shopping through the Internet, financial transactions, and access to confidential information become popular, security on the website becomes a very important issue.

One way to secure security in existing Web sites is to send a text message containing the authentication number to the mobile terminal of the Web site user from a service provider or security service provider, There is a method of confirming whether the user is legitimate by inputting the corresponding password.

However, in this method, a program for transmitting a text message to another device using a computer virus is illegally embedded in a mobile terminal, and a text message for authentication is transmitted to a designated terminal, which can break security. Also, even if a mobile terminal is lost, security can no longer be maintained.

Another method for ensuring security in a web site is a method of authenticating a user through at least one of a security token and a one time password (OTP) generation function as disclosed in Patent No. 10-1247521 However, there is a problem that it is inconvenient to use and is also vulnerable to security.

In addition, even in general internet service, a public certificate is used. However, there is a demand for a method of replacing a public certificate with a problem of versatility or using a public certificate in a simpler manner. Particularly, in order to use services provided by government offices such as websites for financial transactions such as banks, the National Tax Service, and the National Health Insurance Corporation, login authentication using an official certificate is required. To do this, the user must store and carry a public certificate on all PCs, mobile terminals such as smart phones, or portable storage media used by the user. For example, when a public certificate is installed only on the first PC and is not installed on the second PC, when the user intends to access the public certificate using the second PC, the user newly downloads the public certificate, It is troublesome to register the certificate.

In addition, even when a mobile terminal is infected with a virus or hacked, a public certificate installed in a mobile terminal is also vulnerable to security.

Korean Patent No. 10-1247521

Technical Solution According to an aspect of the present invention, there is provided a method for storing a public key certificate in a mobile terminal, the method comprising: storing a public key certificate in a security area of a mobile terminal; And to provide a public certificate log-in service system and a method using a mobile terminal capable of providing a public certificate log-in service to access a web site server.

The solution of the present invention is not limited to those mentioned above, and other solutions not mentioned can be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, there is provided a public certificate log-in service system using a mobile terminal, the public certificate log-in service system being operated by a general operating system and a secure operating system, Is stored; And displaying a login web page provided from a web site server connected through a web browser of the personal computer on the basis of the user input, Providing a mobile login screen for authenticating a user of the mobile terminal to the personal computer when the method is selected in the login web page displayed on the mobile terminal, And a security authentication server for transmitting a push message for requesting an authentication to the terminal, wherein the mobile terminal accepts an authentication request according to the push message, Stored certificate The web site server receives the signature data from the security authentication server through the personal computer and verifies the signature data with a public key, Page to the personal computer.

The personal computer informs the security authentication server that the mobile login method has been selected and receives the mobile login screen for receiving the user identification information from the security authentication server and displays the mobile login screen can do.

Wherein the displayed mobile login screen includes an area for receiving the user identification information and a security code displayed for enhancing security, and the security enforcement includes an operation for confirming whether a user is requesting a login from the personal computer can do.

Wherein the security authentication application of the mobile terminal receives the push message and accepts the electronic signature based on the authentication certificate, and transmits an authentication request including information on the web site server and information on the displayed security code to the security A security code authentication screen for performing authentication with respect to the security code displayed on the personal computer, and displaying the generated security code authentication screen on the screen of the mobile terminal; receiving, from the authentication server, If the same code as the security code displayed in the secure area is selected, the security authentication application further performs user authentication by at least one of fingerprint authentication, pattern authentication, and PIN authentication, and when the user authentication is completed, Signature data is generated by digitally signing a public certificate, And transmits the signature data to the security authentication server, wherein the security authentication server transmits the signature data received from the mobile terminal to the personal computer to perform the authentication response.

The security authentication server, when receiving the authentication request including the user identification information from the personal computer, confirms the stored push ID mapped to the received user identification information, and transmits, to the mobile terminal corresponding to the confirmed push ID, A push message can be transmitted.

The mobile login method may include a mobile login selection menu displayed on a login web page provided from the connected web site server, a mobile login selection button added as a bookmark to the web browser, And a mobile login plug-in button.

The mobile terminal registers at least one of the PIN (personal identification number), iris, and fingerprint of the user on the basis of the user input in order to register the use in the security authentication server providing the mobile login method Push ID, and user identification information of the mobile terminal to the security authentication server to request use registration, and the security authentication server, in response to the use registration request, transmits a phone number, a push ID, Wherein the mobile terminal stores the public certificate in the security area so that the same public certificate as the public certificate registered in the web site server is linked with the security authentication application, Can be stored.

The mobile terminal receives at least one of the user's PIN, iris, and fingerprint through an authentication application executed in a general operating system, receives the PIN, iris, and fingerprint of the user, Push ID, and user identification information of the mobile terminal, and transmit the received phone number, push ID, and user identification information to the security authentication server.

Meanwhile, according to another embodiment of the present invention, an authorized certificate login service system using a mobile terminal is operated as a general operating system operating in a general area and a security operating system operating in a secure area (SW) Or a mobile login method for logging in the web site server through a public certificate stored in the security area on a login web page provided from a web site server accessed through a web site application, A mobile terminal for generating signature data in which an authentication application digitally signs the public certificate stored in the security area with a private key and transmitting the generated signature data to the website server; And a security authentication server for informing the mobile terminal of an authentication notification response that permits log-in by the mobile login method when an authentication notification confirming that the mobile login method is selected from the mobile terminal is received, And the web site server, when the signature data received from the mobile terminal is verified by the public key, receives the authentication notification response from the secure authentication server, Page to the mobile terminal.

When the security authentication server receives a notification indicating that the mobile login method is selected from the mobile terminal and an authentication notification confirmation including a phone number of the mobile terminal and information of the web site server, When the information of the server is stored in the mapping, an authentication notification response allowing the log-in by the mobile login method can be transmitted to the mobile terminal.

The security authentication server maps and stores information on the phone number of the mobile terminal and information on a plurality of web site servers including the web site server based on user input.

According to another embodiment of the present invention, there is provided a public certificate log-in service method using a mobile terminal, comprising the steps of: (A) accessing a web site server through a web browser of a personal computer, Displaying a web page; (B) If a mobile login method for logging in to the web site server is selected from the login web page displayed through a public operating system and a public certificate stored in a secure area (SW) of a mobile terminal operating in a secure operating system, Providing an authentication server to the personal computer with a mobile login screen for authenticating a user of the mobile terminal; (C) transmitting, by the security authentication server, a push (PUSH) message for requesting authentication to the mobile terminal based on user identification information input through the mobile login screen displayed on the personal computer; (D) a security authentication application executed in a security area of the mobile terminal accepts an authentication request according to the push message, transmits signature data digitally signed with the stored public key certificate to the security authentication server, ; And (E) if the signature data provided from the security authentication server and the personal computer at the website server are verified with the public key, logging into the web site server.

Wherein the step (B) comprises the steps of: (B1) selecting a mobile login method for logging in to the website server through a public certificate stored in the mobile terminal; (B2) informing the security authentication server that the personal computer has selected the mobile login method; (B3) the security authentication server transmitting the mobile login screen to the personal computer; And (B4) displaying the mobile login screen for receiving the user identification information on a login web page of the personal computer.

Wherein the displayed mobile login screen includes an area for receiving the user identification information and a security code displayed for enhancing security, and the security enforcement includes an operation for confirming whether a user is requesting a login from the personal computer can do.

Wherein the step (D) comprises: (D1) accepting the digital signature by the security authentication application when the mobile terminal receives the push message; (D2) receiving from the security authentication server an authentication request message including information on the website server and information on the security code displayed by the mobile terminal; (D3) generating a security code authentication screen for performing authentication on the displayed security code by the authentication application for security of the mobile terminal and displaying on the screen; (D4) If a code identical to the security code displayed on the mobile login screen is selected in the displayed security code authentication screen, the security authentication application performs user authentication by at least one of fingerprint authentication, pattern authentication and PIN authentication Further comprising: (D5) when the user authentication is completed, generating signature data by electronically signing the public certificate stored in the security area, and transmitting the generated signature data to the security authentication server; And (D6) the secure authentication server transmitting the received signature data to the personal computer and responding to the authentication.

The step (C) includes: (C1) the security authentication server receiving an authentication request including user identification information from the personal computer; (C2) the security authentication server confirms a push ID mapped to the received user identification information; And (C3) transmitting the push message to the mobile terminal corresponding to the identified push ID.

The mobile login method selected in the step (B) includes: a mobile login selection menu displayed on a login web page provided from the connected web site server; a mobile login selection button added as a bookmark to the web browser; It can be selected by at least one of the mobile login plugin buttons that run in the form of plugins in the browser.

The method of claim 1, further comprising the steps of: (F) prior to step (A): (F) registering the user's PIN (personal identification number) Pushing at least one of the mobile terminal, transmitting the phone number, the push ID, and the user identification information of the mobile terminal to the security authentication server to request use registration; (G) mapping the phone number, the push ID, and the user identification information of the mobile terminal to the security authentication server to perform use registration; And (H) storing the public certificate in the secure area so that the public certificate identical to the public certificate previously registered in the website server is interlocked with the secure authentication application.

The step (F) includes: (F1) receiving at least one of PIN, iris, and fingerprint of the user through an authentication application executed in a general operating system of the mobile terminal; (F2) storing the PIN, iris and fingerprint of the user inputted in the step (F1) in the secure area so as to be interlocked with the secure authentication application; And (F3) receiving the phone number, the push ID, and the user identification information of the mobile terminal through the authentication application and transmitting the received phone number, the push ID, and the user identification information to the security authentication server.

According to another embodiment of the present invention, there is provided a mobile terminal comprising: (A) connecting a mobile terminal operated by a general operating system and a secure operating system to a web site server through a mobile web browser; (B) displaying the login web page provided by the mobile terminal from the website server; (C) If the mobile login method for logging in the web site server is selected through the authorized certificate stored in the secure area (SW) of the mobile terminal in the login web page displayed on the mobile terminal, Requesting a security authentication application to be authenticated using a public certificate; (D) After the security authentication application accepts the login authentication request, notifies the security authentication server that the mobile login method has been selected, and transmits the signature data, which is electronically signed with the private key stored in the security area, to the mobile web browser Transmitting and authenticating and responding; And (E) if the signature data is verified with the public key at the website server, logging into the website server.

Wherein the step (D) comprises the steps of: (D1) when the security authentication application accepts the login authentication request, transmitting the phone number of the mobile terminal and the information of the website server to the secure authentication server, ; (D2) if the phone number and the information of the website server are stored in the security authentication server, informing the mobile terminal that mobile login is possible by a public certificate; And (D3) generating, by the security authentication application, signature data that is digitally signed with the private key stored in the security area, and transmitting the generated signature data to the mobile web browser.

According to the present invention, the authorized certificate can be stored in a security area operating in a security operating system in the mobile terminal, and even if the authorized certificate is not stored in the PC, the authorized certificate can be used to log in from the PC or mobile terminal using the authorized certificate. This allows you to log in to the website server whenever you want, without having to store the official certificate on every PC, such as your company or home.

The effects of the present invention are not limited to those mentioned above, and other effects not mentioned can be clearly understood by those skilled in the art from the following description.

Brief Description of the Drawings Fig. 1 is a diagram illustrating a public certificate log-in service system using a mobile terminal according to an embodiment of the present invention;
FIG. 2 illustrates an example of a login web page providing a mobile login method according to an embodiment of the present invention; FIG.
3 is a view illustrating an example of a mobile login screen displayed on a first personal computer according to an embodiment of the present invention;
4 is a view illustrating an example of a security code authentication screen displayed on the first mobile terminal,
5 is a diagram illustrating an example of an additional authentication screen displayed on the first mobile terminal,
FIG. 6 is a block diagram illustrating a first mobile terminal based on a trusted execution environment according to an exemplary embodiment of the present invention,
7 is a diagram for explaining a procedure for transferring a control right of a first mobile terminal between a general area and a secure area;
8 is a diagram illustrating a public certificate log-in service system using a second mobile terminal according to another embodiment of the present invention;
9 to 12 are flowcharts illustrating a public certificate log-in service method using a first mobile terminal according to an embodiment of the present invention,
13 is a flowchart illustrating a public certificate log-in service method using a second mobile terminal according to another embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The above and other objects, features, and advantages of the present invention will become more readily apparent from the following description of preferred embodiments with reference to the accompanying drawings. However, the present invention is not limited to the embodiments described herein but may be embodied in other forms. Rather, the embodiments disclosed herein are provided so that the disclosure can be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.

Further, when it is mentioned that the first component is operated or executed on the second component state (ON), the first component is operated or executed in an environment in which the second component is operated or executed, or the second component Quot; or " directly " or " indirectly "

It is to be understood that when an element, component, apparatus, or system is referred to as comprising a program or a component made up of software, it is not explicitly stated that the element, component, (E.g., memory, CPU, etc.) or other programs or software (e.g., drivers necessary to run an operating system or hardware, etc.)

It is also to be understood that the elements (or elements) may be implemented in software, hardware, or any form of software and hardware, unless the context requires otherwise.

Also, terms used herein are for the purpose of illustrating embodiments and are not intended to limit the invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. The terms "comprises" and / or "comprising" used in the specification do not exclude the presence or addition of one or more other elements.

In addition, in describing the specific embodiments below, various specific contents have been set forth to further illustrate the invention and to aid understanding. However, it will be appreciated by those skilled in the art that the present invention may be understood by those skilled in the art without departing from such specific details. In some instances, it should be noted that portions of the invention that are not commonly known in the description of the invention and are not significantly related to the invention do not describe confusing reasons for explaining the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

Each of the configurations of the public certificate log-in service system using the mobile terminal shown in FIGS. 1 to 8 indicates that the functions and logically can be separated, and each configuration may be classified into a separate physical device or a separate code It will be readily apparent to one of ordinary skill in the art of the present invention that it is not meant to be written.

Also, in this specification, a DB may mean functional and structural combination of software and hardware for storing information corresponding to each DB. The DB may be implemented as at least one table, and may further include a separate DBMS (Database Management System) for searching, storing, and managing information stored in the DB. In addition, it can be implemented in various ways such as a linked-list, a tree, and a relational DB, and includes all data storage media and data structures capable of storing information corresponding to the DB.

The authorized certificate login service system using the mobile terminal may be installed in a predetermined data processing apparatus to implement the technical idea of the present invention.

1 is a diagram illustrating a public certificate log-in service system using a mobile terminal according to an embodiment of the present invention.

Referring to FIG. 1, an authorized certificate login service system using a mobile terminal according to an embodiment of the present invention includes a first personal computer 100, a first web site server 200, The first personal computer 100 and the first web site server 200 may include a first security authentication server 300 and a first mobile terminal 400. For convenience of explanation, And may or may not be included.

The first personal computer 100 may access the first web site server 200 through the web browser 110 and the first communication network 10 based on user input. The first personal computer 100 may be an electronic device such as a notebook, a tablet PC, a laptop, a desk top, or the like, on which the user's public certificate is not installed.

If the first web site server 200 is a server requiring login using a public certificate, the first web site server 200 may transmit the login web page to the first personal computer 100. A server requiring a login using a public certificate is a place that requires stronger personal authentication and security such as, for example, a government office such as the National Tax Service, a healthcare corporation, a bank, a credit card company, and the like.

The first personal computer 100 displays the login web page 20 as shown in FIG. 2, which will be described later, received from the first web site server 200 through the web browser 110. FIG.

After the login web page 20 is displayed on the first personal computer 100, the mobile login method of logging into the first web site server 200 through the public certificate stored in the security area of the first mobile terminal 400 is logged If the user of the first mobile terminal 400 is selected based on the user input on the web page 20, the first security authentication server 300 can authenticate the user of the first mobile terminal 400 via the first personal computer 100 And provide the mobile login screen 30 to the first personal computer 100.

After the mobile login screen 30 is displayed on the web browser 110 of the first personal computer 100, the user can input user identification information (e.g., phone number of the first mobile terminal 400) ) Can be input

The first security authentication server 300 may transmit a PUSH message for requesting authentication to the first mobile terminal 400 based on the user identification information input to the mobile login screen 30.

Meanwhile, the first mobile terminal 400 is a portable terminal capable of installing an operating system such as a smart phone, and is a general operating system operating in a general area (NW: Normal World) and a security operating system operating in a security area (SW And an authorized certificate can be stored in the security area.

According to an embodiment of the present invention, after the first authentication application for security 464 executed in the security area accepts an authentication request according to the push message, the first mobile terminal 400 transmits the stored authentication certificate to the private key Signing data that has been digitally signed can be transmitted to the first security authentication server 300, thereby making it possible to attempt to log in using the authorized certificate.

The first web site server 200 receives the signature data through the first security authentication server 300 and the first personal computer 100 and verifies the signature data with a public key. When the first web site server 200 succeeds in logging in, To the first personal computer 100. The user can access the first web site server 200 from the first personal computer 100 using the authorized certificate stored in the first mobile terminal 400 without installing the user's authorized certificate in the first personal computer 100. [ In the following, a login service using such an authorized certificate is referred to as an 'authorized certificate login service', a 'mobile login method', or a 'T-Cert login method'.

Hereinafter, a public certificate log-in service system using a mobile terminal according to an embodiment of the present invention will be described in more detail with reference to FIG. 1 through FIG.

Referring to FIG. 1, a first mobile terminal 400 according to an embodiment of the present invention includes a first communication interface 410, a first user interface 420, a first memory 430, (440).

The first communication interface unit 410 provides a communication circuit for basic functions (e.g., telephone, Internet, etc.) provided by the first mobile terminal 400, It is possible to provide a circuit for communication.

The first user interface unit 420 may be a touch panel that provides an interface path between a user and the first mobile terminal 400, receives a user input, and displays an operation result according to user input on the screen.

The first memory 430 may store instructions, data, software, and programs related to the operation and / or function of the first mobile terminal 400 as non-volatile memory. The program includes, for example, a first authentication application 452, an authentication application for first security 464, a general operating system, and a secure operating system.

The first authentication application 452 and the first authentication application for security 464 may be provided in the first security authentication server 300 as respective files as an application for providing a public certificate login service and may be provided simultaneously or sequentially Can be installed.

The first authentication application 452 is executed (that is, activated) in a general area where a general operating system operates, and includes a UI (User Interface) for registering or removing a web site server for logging in using the authorized certificate login service, A UI for registering a private key (or a password) of a registered user, a UI for receiving a security code to be described later, and a UI for receiving user's additional authentication information such as PIN, fingerprint, pattern or iris Can be provided to the user.

The first authentication application 452 also transmits the push ID received from the first secure authentication server 300 to the first authentication application for security 464 and the signature provided from the first authentication application for authentication 464 To the first security authentication server 300, an authentication response including data. Push ID is a function supported by the operating system of a mobile terminal such as a smart phone, and is managed by Apple Corporation for iOS and Google Corporation for Android. There is a unique push ID value for each mobile terminal, and a push ID can be received in cooperation with a server (for example, a Google Push server) of a company that supports the operating system when a user registers. If the server knows the push ID of the mobile terminal, the message can be delivered to the mobile terminal through the push service. This push ID value is also changed by the server of the company that supports the operating system.

The first security authentication application 464 for providing the public certificate log-in service is executed in the security area in which the security operating system operates, receives and decrypts the push ID from the first authentication application 452, Signature data signed with the private key may be generated and encrypted and transmitted to the first authentication application 452. [

The first processor 440 may control or manage the overall operation of the first mobile terminal 400. To this end, the first processor 440 may perform operations and / or processes relating to control and / or communication of other components of the first mobile terminal 400, including ROM, RAM, BUS, and MPU (Micro Process Unit) Application execution and the like can be handled.

For example, when the first processor 440 receives the push ID from the first secure authentication server 300, the first processor 440 executes the first authentication application 452 in the general operating system and the first authentication authentication application 464 It can run on a secure operating system.

The operations of the first authentication application 452 and the first authentication authentication application 464 executed by the first processor 440 are largely divided into an operation for joining a member to use an authorized certificate login service and a login operation using a mobile login Method, and an operation of logging in using a public certificate.

1. Operation to join the first security authentication server 300: Authorized certificate login service (for example, T- Cert ) Registration of use

First, a user uses an authorized certificate stored in the security area of the first mobile terminal 400 to authenticate the user by using an authorized certificate log-in which can log into the first web site server 200 in a plurality of personal computers, And can register with the first security authentication server 300 to use the service.

When the first authentication application 452 and the first security authentication application 464 for providing the public certificate log-in service provided in the embodiment of the present invention are installed in the first mobile terminal 400 and are executed for the first time, The authentication application 452 can verify that the first mobile terminal 400 supports a security area (SW) such as TEE for providing security enforcement services.

The security areas are various such as TEE (Trusted Execution Environment), WBC (White Box Cryptography), SE (Secure Element) or USIM (Universal Subscriber Identity Module). Hereinafter, TEE is used as an example of security area. T-Cert is an abbreviation of TEE-Certification.

If it is determined that the first mobile terminal 400 supports TEE, the first authentication application 452 operating in the general operating system requests the first security authentication server 300 for the contents of the contract for the authorized certificate login service Receive.

Upon receiving the agreement of the user and the login request (ID and Password) from the user, the first authentication application 452 may request the first security authentication server 300 to register and log in and receive an approval response thereto.

The first authentication application 452 inputs and sets information to be used for additional authentication such as PIN (Personal Identification Number), fingerprint or iris information from the user using a UI or a camera, Lt; / RTI >

The first security authentication application 464 stores the received PIN, fingerprint or iris information.

In addition, the first authentication application 452 can request registration of use of the authorized certificate login service while transmitting the phone number and the push ID of the first mobile terminal 400 to the first secure authentication server 300.

The first security authentication server 300 may map and store user identification information including a phone number and a push ID received from the first mobile terminal 400, with information to be used for the additional authentication.

When the use registration request is approved, the first authentication application 452 provides a UI for storing the authorized certificate, and the authorized certificate is stored in the portable storage medium, the first web site server 200, The security application for authentication 464 is notified of the download. Accordingly, the first authentication application for security 464 can map the authorized certificate to the private key, the PIN, the fingerprint or the iris, and store it in the security area. The public certificate stored in the security area is the same as the public certificate previously registered in the website servers to which the user logs in.

In addition, in an embodiment of the present invention, the phone number is used as the data for identifying the first mobile terminal 400, but the present invention is not limited to this, and data combined with other types of characters may be used.

2. Selecting the mobile login method from the login web page

When the use registration of the public certificate log-in service is completed by the above-mentioned operation, the user can log in to the first web site server 200 using the public certificate in the first personal computer 100 in which the public certificate is not stored .

More specifically, when the user accesses the first web site server 200 in the web browser 110 of the first personal computer 100, the web browser 110 of the first personal computer 100 displays The login web page 20 can be displayed.

2 is a diagram illustrating an example of a login web page 20 providing a mobile login method according to an embodiment of the present invention.

2, the login web page 20 includes an authorized certificate login menu 21, a T-Cert login menu 22, an ID login menu 23, a mobile login select button 24, (25).

The authorized web site server 200 is provided with a public certificate login menu 21, a T-Cert login menu 22 and an ID login menu 23 and includes a mobile login selection button 24 and a mobile login plug-in button 25 May be provided by the web browser 110 of the first personal computer 100.

The authorized certificate login menu (21) is a menu for selecting a method of logging in using a public certificate installed in the first personal computer (100).

The T-Cert login menu 22 is one of the mobile login methods according to the embodiment of the present invention and is displayed on the login web page 20 together with the authorized certificate login menu 21 in the first website server 200 Can be provided. To this end, the first web site server 200 is provided with a T-Cert login menu 22 and a program (for example, a JavaScript) cooperated and set up to be linked with the first security authentication server 300 .

The ID login menu 23 is a menu for the user to select a method of logging into the first web site server 200 using the ID and password set at member registration.

The mobile login selection button 24 is one of the mobile login methods provided in the form of a bookmark (i.e., bookmark) to the web browser 110. To this end, a script for displaying the mobile login selection button 24 additionally in the favorites of the web browser 110 and allowing the web browser 110 and the first security authentication server 300 to be interlocked should be installed.

The mobile login plug-in button 25 is one of the mobile login methods executed in the plug-in form in the web browser 110. To this end, a mobile login plug-in button 25 is additionally displayed on the menu bar of the web browser 110, and a plug-in for providing a mobile login method in cooperation with the web browser 110 and the first security authentication server 300 Should be installed.

When the authorized certificate registered in the first web site server 200 is not stored in the first personal computer 100 and stored in the secure area 460 of the first mobile terminal 400 of the user, The user can attempt to login to the first website server 200 by selecting one of the T-Cert login menu 22, the mobile login select button 24, and the mobile login plug-in button 25 to select the mobile login method.

If one of the T-Cert login menu 22, the mobile login selection button 24 and the login plug-in button 25 is selected in the login web page 20 displayed on the first personal computer 100, 1 personal computer 100 can notify the first security authentication server 300 that the mobile login method has been selected.

3. An operation to log in with a public certificate

When the first security authentication server 300 receives the selection of the mobile login method from the first personal computer 100, the first security authentication server 300 transmits the mobile login screen 30 to the first personal computer 100, Lt; / RTI >

The web browser 110 of the first personal computer 100 may display the received mobile login screen 30 on the login web page 20 in the form of a pop-up window.

3 is a diagram illustrating an example of a mobile login screen 30 displayed on a first personal computer 100 according to an embodiment of the present invention.

Referring to FIG. 3, the mobile login screen 30 according to an exemplary embodiment of the present invention may include an area 32 for receiving user identification information and a security code 34 for security enhancement.

The user identification information may be the telephone number of the first mobile terminal 400, for example.

The security enforcement includes an act of confirming that the user is requesting a login directly from the first personal computer 100. That is, if the same code as the security code 34 displayed on the mobile login screen 30 is not selected in the first mobile terminal 400, the user of the first personal computer 100 and the user of the first mobile terminal 400 Is judged to be different, and the authorized certificate login service can be terminated.

When the user identification information is input based on the user input, the first personal computer 100 transmits an authentication request message including user identification information, information of the first website server 200, and nonceData to the first security authentication server 300 ). The nonceData generally has a random value as a cryptographic token that the first website server 200 arbitrarily generates to defend a reply attack. In the absence of the nonceData, the data signed by the user can be illegally intercepted and reused, so that the first mobile terminal 400 transmits the digital signature including the nonceData generated by the first web site server 200 .

When the first security authentication server 300 receives the authentication request message including the user identification information, the information of the first web site server 200, and the nonceData, it checks the stored push ID mapped to the received user identification information, And transmits a push message requesting authentication by the public certificate to the first mobile terminal 400 corresponding to the push ID.

When the first authentication application 452 of the first mobile terminal 400 receives the push message through the first communication interface 410, the first authentication application 452 executes (i.e., runs) in the general area where the general operating system operates, And forward the push message to the first security authentication application 464.

The first security authentication application 464 can accept a digital signature based on the public key certificate by receiving the push message. The first authentication application for security 464 transmits an authentication request message including information on the first web site server 200 and information on the security code displayed on the mobile login screen 30 of the first personal computer 100, From the first security authentication server 300 and transmit the security code authentication screen 40 to the first authentication application 452 for performing authentication for the security code displayed on the first personal computer 100 .

The first authentication application 452 can display the security code authentication screen 40 received from the first security authentication application 464 on the screen of the first user interface unit 420. [

4 is a diagram illustrating an example of a security code authentication screen 40 displayed on the first mobile terminal 400. [

Referring to FIG. 4, the security code authentication screen 40 may include a guidance display area 42 and a security code selection area 44.

A guideline for selecting the same code as the security code displayed on the first personal computer 100 may be displayed in the guidance display area 42. [ In the case of FIG. 4, the phrase " Please select a PIN image for authentication " is displayed in the guidance display area 42.

The user can select the same code 44 as the security code displayed on the mobile login screen 30 of the first personal computer 100 by operating the first user interface unit 420. [

The first authentication application 452 passes information about the code 44 selected by the user to the first security authentication application 464.

The first security authentication application 464 displays information on the code 44 selected by the user on the security code authentication screen 40 and the security code included in the authentication request message (i.e., the security code displayed on the mobile login screen 30) ) Can be compared to determine whether the same code is selected.

The first security authentication application 464 determines that the same code as the security code displayed on the mobile login screen 30 is selected in the security code authentication screen 40, It can be determined that the user of the mobile terminal 400 has attempted to log in and further perform user authentication by at least one of a plurality of authentication methods including fingerprint authentication, pattern authentication, iris authentication, and PIN authentication.

In order to further perform user authentication, the first authentication application for security 464 may generate an additional authentication screen 50 and forward it to the first authentication application 452.

The first authentication application 452 can display the received additional authentication screen 50 on the screen of the first user interface unit 420. [

5 is a diagram showing an example of the additional authentication screen 50 displayed on the first mobile terminal 400. As shown in FIG.

5, the additional authentication screen 50 may include an additional authentication guidance area 52 and an additional authentication input area 54. [

The first security authentication application 464 may randomly select one of a plurality of authentication methods including fingerprint authentication, pattern authentication, iris authentication, and PIN authentication, and display it in the additional authentication guidance area 52. In the case of FIG. 5, a guideline for requesting fingerprint authentication is displayed in the additional authentication guidance area 52. [

The user inputs a fingerprint in the additional authentication input area 54. The first authentication application for security 464 authenticates the fingerprint captured through the camera (not shown) of the first mobile terminal 400, The fingerprints can be compared to determine whether they match.

When it is confirmed that the same fingerprint has been input and the user addition authentication is completed, the first security authentication application 464 digitally signs the public certificate stored in the security area with the private key to generate signature data, To the authentication application 452.

The first authentication application 452 transmits the signature data to the first security authentication server 300 through the first communication interface 410. The first security authentication server 300 transmits the received signature data to the first personal authentication server 300. [ And transmits the authentication request to the computer 100 so as to authenticate the authentication request.

The first personal computer 100 transmits the received signature data to the first website server 200.

The first web site server 200 may verify the received signature data with the public key, and then transmit the web page to the first personal computer 100 after the login process. Accordingly, even when the authentication certificate is not installed in the first personal computer 100, the user can access the first web site server (not shown) via the first mobile terminal 400 without storing the authentication certificate in the first personal computer 100 200).

6 is a block diagram illustrating a first mobile terminal 400 based on a trusted execution environment according to an operating system according to an embodiment of the present invention.

In the embodiment of the present invention, the first mobile terminal 400 such as a smart phone or a tablet PC is provided with a general operating system such as Android (an operating system for Google's smartphone), iOS (an operating system for Apple's iPhone) A security operating system that operates as an operating system.

Hereinafter, the area where the general operating system operates is referred to as a general area (NW) 450, and the area where the security operating system operates is referred to as a security area (SW) 460. The security zone 460 may be physically separated from the general zone, and in the embodiment of the present invention, a TEE based on an ARM trust zone is exemplified.

The general area 450 and the secure area 460 or the first authentication application 452 and the first authentication application for security 464 can be operated by using a public certificate to log into the website server registered in the service Can be implemented.

The general area 450 may include a first authentication application 452 and a TEE agent 454.

The first authentication application 452 provides a mobile security enforcement service, such as an authentication service with a public certificate, and can access security information located in the secure area 460 via the TEE agent 454. [

The TEE agent 454 may be under the control of the first security authentication server 300 or a separate management server (not shown) when the user performs authentication after executing the first authentication application 452 for the first time.

In addition, the TEE agent 454 transfers control authority to the security area 460 so as to encrypt data transmitted through the first authentication application 452. That is, if an enhanced security service is required, the first authentication application 452 may pass data to the first security authentication application 464 located in the secure area 460 via the TEE agent 454. [ The TEE agent 454 may be installed in the first authentication application 452 in the form of an API (Application Programming Interface) or may operate in the background in the form of a standalone application.

In addition, the TEE agent 454 communicates with the Rich Execution Environment (REE) agent 462 in the secure area 460.

The security zone 460 may include a REE agent 462, an authentication application 464 for first security, and an authentication DB 466. [

The REE agent 462 serves as a gateway to the communication with the REE and the authentication application (TA: Trusted Application) 464 in the secure area 460. The REE agent 462 accepts only the connection of the authenticated TEE agent 454.

The first security authentication application 464 is not directly accessible in the general area 450 and can be accessed via the REE agent 462. [ The first security authentication application 464 includes an I / O security enhancer 464a and an encryption / decryption unit 464b. The I / O security enhancement unit 464a and the encryption / decryption unit 464b may be implemented in a single TA format.

The I / O security enhancement unit 464a may provide a security-enhanced user interface through an I / O device such as a camera, a microphone, a screen touch, a fingerprint scanner, iris recognition, pattern recognition,

The encryption / decryption unit 464b accepts the log-in using the public key certificate from the push ID received from the first security authentication server 300, and can generate and encrypt the signature key data by electronically signing the public key with the private key. In addition, the encryption / decryption unit 464b may perform an operation of managing and controlling the personal information stored in the secure area 460, such as storing information required to provide the authorized certificate login service to the authentication DB 466 .

The information stored in the authentication DB 466 includes, for example, feature values necessary for the operation of the authentication application 464 for first security, such as generation of a terminal symmetric key, generation of a security token, authentication certificate and private key, Major personal information such as the telephone number of the first mobile terminal 400 may also be stored. The authentication DB 466 may be configured to be located in the security area 460 physically separated from the general area 450 in which the general operating system operates.

Next, with reference to FIG. 7, a procedure for transferring the control right of the first mobile terminal 400 between the general area 450 and the security area 460 will be described.

When security is required for user input or information output in the first authentication application 452 for providing the authorized certificate login service of the present invention, for example, an authentication confirmation screen or a registration site screen is displayed on the first mobile terminal 400 The first authentication application 452 calls the TEE agent 454 (step 1).

The TEE agent 454 sends control information for user input security to the REE agent 462 in the secure area 460 while transmitting information about the application ID, user input type, and the like (step 2). The REE agent 462 transmits the received information to the security authentication application (hereinafter referred to as 'TA') 464 responsible for user input processing (step 3), and the TA 464 controls the security operating system (Step 4). Then, the user screen is switched to the security area 460.

The security operating system delivers the transmission result controlled by the TA 464, and the TA 464 outputs the screen according to the type of the user input (step 5). For example, when the password of the first mobile terminal 400 is input, a password input screen is displayed. When the user touches the screen to input the password, the security keypad is displayed on the screen.

The data input by the user is encrypted in the TA 464 and then transferred to the REE agent 462 (step 6), and the REE agent 462 transfers the encrypted data to the TEE agent 454 (step 7) . The TEE agent 454 transmits the encrypted data to the first authentication application 452 that has requested the service (step 8), and the first authentication application 452 transmits the encrypted data to the first security authentication server 300 send.

FIG. 8 is a diagram illustrating a public certificate log-in service system using a second mobile terminal 500 according to another embodiment of the present invention.

8, a public certificate login service system using a second mobile terminal 500 according to another embodiment of the present invention includes a second mobile terminal 500 connected via a second communication network 50, Server 600 and a second security authentication server 700. The second web site server 600 is included in the public certificate log-in service system for convenience of description, have.

The second mobile terminal 500, the second web site server 600, and the second security authentication server 700 shown in FIG. 8 are the same as those of the first web site server 200, Is similar to the operation of the first security authentication server 300 and the first mobile terminal 400.

In the embodiment of FIG. 8, the second mobile terminal 500 accesses the second web site server 600 directly and logs in through the public certificate stored in the security area such as TEE of the second mobile terminal 500 .

To this end, the second mobile terminal 500 includes a second communication interface 510, a second user interface 520, a second memory 530 and a second processor 540, 530 include a mobile web browser 532, a second authentication application 534 and a second authentication application for security 536. [

The second mobile terminal 500 shown in FIG. 8 is substantially similar to the second mobile terminal 500 described with reference to FIG. 1, and thus a detailed description thereof will be omitted. However, the second memory 530 may further include the mobile web browser 532, but it may be included in the first mobile terminal 400 as well.

The second mobile terminal 500 is operated as a general operating system operating in a general area and a security operating system operating in a security area, and a mobile web browser (or a web site dedicated application) of the second mobile terminal 500, And the second web site server 600 through the second communication network 50. The second mobile terminal 500 displays a login web page transmitted from the second web site server 600. [ The login web page may be the same as or similar to that of Fig.

If a mobile login method for logging in to the second web site server 600 through a public certificate stored in the security area of the second mobile terminal 500 is selected based on user input in the displayed login web page, The second authentication application for security 536 executing in the security operating system of the mobile terminal 500 can generate signature data that is electronically signed with the private key stored in the security area and transmit the generated signature data to the mobile web browser.

In detail, when the mobile login method is selected on the login web page, the mobile web browser notifies the second authentication application 534 that the mobile login method has been selected, and delivers the authentication request message, and the second authentication application 534 To the second security authentication application 536 again. The authentication request message may include information (e.g., URL) of the connected second website server 600 and nonceData.

The second security authentication application 536 may accept the authentication request message and then send an authentication notification confirmation message to the second security authentication server 700. [ The authentication notification confirmation message includes the information of the second web site server 600 and the phone number of the second mobile terminal 500 and may include information informing that the mobile login method is selected in the second mobile terminal 500 have.

When the second security authentication server 700 receives the authentication notification confirmation message indicating that the mobile login method is selected, the second security authentication server 700 transmits an authentication notification response message to the second mobile terminal 500 to permit log-in by the mobile login method.

The authentication notification response message may be communicated to the authentication application for second security 536 via the second authentication application 534 of the second mobile terminal 500. [

Upon receiving the authentication notification response message from the second security authentication server 700, the second authentication application for security 536 of the second mobile terminal 500 can generate signature data. The second authentication application for security 536 generates an authentication response message containing the signature data and the generated authentication response message is transmitted to the mobile web browser < RTI ID = 0.0 >Lt; / RTI >

The mobile web browser 532 may send a login request message containing the signature data to the second website server 600. [

The second web site server 600 verifies the signature data received from the mobile web browser 532 of the second mobile terminal 500 with the public key and if the verification succeeds, 500 to the mobile web browser 532.

Hereinafter, a public certificate log-in service method using a mobile terminal according to an embodiment of the present invention will be described with reference to FIGS. 9 to 13. FIG.

9 to 12 are flowcharts illustrating a method of authenticating a certificate login service using a first mobile terminal according to an embodiment of the present invention.

9 to 12, the first PC, the first web site server, the first security authentication server, and the first mobile terminal for implementing the public certificate login service method are the same as those of the first personal computer 100 ), The first web site server 200, the first security authentication server 300, and the first mobile terminal 400, which are described in detail above, and thus a detailed description thereof will be omitted.

9 is a flowchart schematically illustrating a public certificate log-in service method using a first mobile terminal according to an embodiment of the present invention.

Referring to FIG. 9, after the first mobile terminal installs and executes the authentication application and the security authentication application, the first mobile terminal can perform registration of using the public certificate login service (i.e., T-Cert login service) (S900).

After the registration of the use of the authorized certificate login service is completed, the first PC, in which the authorized certificate is not installed, accesses the web site server requiring login using a public certificate through a web browser based on the user input and displays the login web page (S1000).

If the mobile login method for logging in to the website server through the public operating system and the public certificate stored in the security area of the first mobile terminal operating in the secure operating system is selected in the login web page displayed on the first PC in step S1000, The security authentication server may provide a mobile login screen for authenticating the user of the first mobile terminal to the first PC (S1100).

The first security authentication server may transmit a push message for authentication request to the first mobile terminal based on the user identification information input through the mobile login screen displayed on the first PC (S1200).

The first security authentication application executed in the security area of the first mobile terminal accepts the authentication request according to the push message, generates the signature data digitally signed with the private key stored in the first mobile terminal, And transmits an authentication response to the server (S1300).

The first web site server verifies the signature data provided from the first security authentication server and the first PC with the public key, and then transmits the web page that has been log-processed to the first PC (S1400). Thereby, the first PC is logged into the first web site server by the authorized certificate stored in the security area of the first mobile terminal.

FIG. 10 is a flowchart showing the step S900 of FIG. 9 in more detail.

Referring to FIG. 10, a first authentication application for providing a public certificate log-in service installed and executed in the first mobile terminal can confirm whether the first mobile terminal supports a security area such as TEE (S910).

If the TEE is supported, the first authentication application operating in the general operating system requests the first security authentication server for terms and conditions for the authorized certificate login service (S915, S920).

The first authentication application displays the agreement on the first mobile terminal, and receives the agreement agreement and login request (including ID and Password) from the user (S925).

The first authentication application transmits a login request message including the ID and password input in step S925 to the first security authentication server, and receives an approval response, i.e., a login response (ok) (S930, S935).

The first authentication application 452 receives and sets the PIN, fingerprint, pattern, or iris information from the user in step S940. The first authentication application 452 transmits the PIN, fingerprint, pattern, or iris information to the first security authentication application together with the ID and password input in step S925, (S945).

The first security authentication application can map the received PIN, fingerprint or iris information, ID and Password to the security area and store the PIN, fingerprint or iris information (S950).

At the same time, the first authentication application can request registration of use of the authorized certificate login service while transmitting the phone number and the push ID of the first mobile terminal to the first secure authentication server (S955).

In step S960, the first security authentication server stores the received phone number and the push ID, maps and stores the received user ID and password in step S930, and responds to the use registration request in step S965. Steps S955 to S965 may be performed every time or when the first authentication application and the first security authentication application are executed to update the push ID.

After step S965, the first authentication application downloads the authorized certificate based on the user input (S970), and transmits the authentication certificate to the first security authentication application (S975).

The first authentication application for security may map the received authentication certificate together with the private key, the PIN, the fingerprint or the iris, the user ID and the password, and store the same in the security area (S980).

FIG. 11 is a flowchart specifically showing steps S1100 and S1200 of FIG. 9, and FIG. 12 is a flowchart illustrating steps S1300 and S1400 of FIG. 9 in more detail.

11 and 12, when a mobile login method (for example, a T-Cert login menu) is selected on the login web page shown in FIG. 2 displayed on the web browser of the first PC (S1110) The security authentication server can be informed that the mobile login method has been selected (S1120).

In response to the selected mobile login method, the first security authentication server may transmit a mobile login screen to the first PC for receiving user identification information from the user (S1130).

The first PC can display the mobile login screen received from step S1130 in the form of a pop-up window on the login web page (S1140).

On the other hand, when user identification information is inputted from the user through the mobile login screen (S1210), the first PC sends to the first security authentication server the user identification information (phoneNumber), the first website server information (siteInfo) The authentication request message may be transmitted (S1220).

The first security authentication server confirms the push ID mapped to the user identification information among the authentication request messages received in step S1220 (S1230), and requests authentication to the first mobile terminal corresponding to the confirmed push ID The push message can be transmitted (S1240).

The first authentication application of the first mobile terminal may receive the push message in step S1240 and may forward the push message to the authentication application for the first security (S1250).

The first security authentication application may request the first authentication application to receive the push message, accept the digital signature based on the authorized certificate, and generate the security code authentication screen (S1310, S1315).

The first authentication application displays the security code authentication screen as shown in Fig. 4 and the additional authentication screen as shown in Fig. 5, and can perform additional authentication such as code and fingerprint input same as the security code displayed on the mobile login screen from the user (S1320 ).

The first authentication application transmits the security code (authCode) input from the user in step S1320, the additional authentication information (e.g. fingerprint, certi +), and the information of the website server to the first security authentication application (S1325 ).

The first security authentication application stores the security code and the additional authentication information received in step S1325 (S1330), and transmits the feedback on the acceptance in step S1310 to the first authentication application (S1335).

The first authentication application transmits the acceptance feedback to the first security authentication server again (S1340), and the first security authentication server transmits the authentication request message including the information of the first website server and the nonceData to the first authentication application (S1345).

The first authentication application transmits an authentication request message to the first security authentication application (S1350).

Upon receiving the authentication request message, the first authentication application for security generates the signature data (signedData) by electronically signing the public key with the private key (S1355), and generates and transmits the authentication response message to the first authentication application S1360). The authentication response message may include the security code (authCode) selected in step S1320, additional authentication information (certi +), and signature data (signedData).

The first authentication application transmits the received authentication response message to the first security authentication server (S1365).

The first security authentication server compares the security code included in the authentication response message with the security code displayed on the screen transmitted in step S1130, and if the security code is identical to the security code included in the authentication response message, Information (information stored in step S950) are compared with each other, and if they are the same, user authentication is completed (S1370).

Then, the first security authentication server generates an authentication response message indicating that the user authentication is completed, and transmits the authentication response message to the first PC (S1375). The authentication response message includes the signature data generated in step S1355.

The first personal computer 100 transmits the received signature data to the first web site server (S1410).

The first web site server verifies the received signature data with the public key (S1420). If the authentication is successful, the first web site server transmits the login-processed web page to the first PC (S1430).

12, the first security authentication server determines whether the security code displayed on the mobile login screen of step S1140 is the same as the security code selected in step S1320.

Alternatively, as described with reference to FIG. 4, the first security authentication application may determine whether the security code displayed on the mobile login screen in step S1140 and the security code selected in step S1320 are the same

13 is a flowchart illustrating a public certificate log-in service method using a second mobile terminal according to another embodiment of the present invention.

In FIG. 13, the second mobile terminal, the second web site server, and the second security authentication server for implementing the public certificate login service method include the second mobile terminal 500, the second web site server 600, and a second security authentication server 700, which are described in detail above, and thus a detailed description thereof will be omitted.

Referring to FIG. 13, after the second mobile terminal installs and executes the authentication application and the security authentication application, the second mobile terminal can perform use registration of the authorized certificate login service (i.e., T-Cert login service) (S1500). The step S1500 is almost the same as the step S900 described with reference to Fig.

The second mobile terminal may request the connection through a method of inputting the URL of the second web site server through the mobile web browser (S1610, S1620).

The second mobile terminal displays the login web page transmitted from the second web site server (S1630, S1640).

If the mobile login method for logging in to the second web site server through the authorized certificate stored in the security area of the second mobile terminal 500 is selected based on the user input in the displayed login web page, The security authentication application can generate the signature data that is electronically signed with the private key stored in the security area and transmit the signature data to the mobile web browser (S1700).

In step S1700, when the mobile login method is selected on the login web page (S1710), the mobile web browser notifies the second authentication application that the mobile login method has been selected and transmits an authentication request message (S1720). The authentication request message may include information (siteInfo) of the second web site server and nonceData.

The second security authentication application accepts the authentication request message (S1730), generates an authentication notification confirmation message, and transmits the authentication notification confirmation message to the second security authentication server (S1740). The authentication notification confirmation message includes the information siteInfo of the second web site server and the phone number of the second mobile terminal (phoneNumber), and may include information indicating that the mobile login method is selected.

If the authentication information confirmation message is received (S1750), the second security authentication server transmits an authentication notification response message to the second mobile terminal (S1760).

When the authentication notification response message is received, the second security authentication application generates the signature data by digitally signing the public certificate with the private key, and transmits the authentication response message including the signature data to the web browser of the second mobile terminal (S1780 ).

The mobile web browser may send a login request message including the signature data among the received authentication response messages to the second web site server and request a login (S1810).

The second web site server verifies the received signature data with the public key, and then transmits the login-processed web page to the second mobile terminal (S1820, S1830).

Meanwhile, a public certificate log-in service method using a mobile terminal according to the present invention may be provided as a recording medium readable by a computer by tangibly embodying a program of instructions for implementing the public certificate log-in service method. I can understand.

That is, the login method of the authorized certificate login service system using the mobile terminal according to the present invention can be implemented in a form of a program that can be executed through various computer means, and can be recorded in a computer-readable recording medium, The medium may include program instructions, data files, data structures, etc., alone or in combination.

Accordingly, the present invention provides a program stored in a computer-readable recording medium, which is executed on a computer that controls the system, in order to implement a login method of an authorized certificate login service system using a mobile terminal.

100: first personal computer 200: first web site server
300: first security authentication server 400: first mobile terminal
452: first authentication application 464: authentication application for first security

Claims (21)

A mobile terminal operated by a general operating system and a secure operating system, and storing a public certificate in a secure area (SW); And
A mobile login method in which a login web page provided from a web site server connected through a web browser of a personal computer is displayed based on user input and then the web site server is accessed through a public certificate stored in a security area of the mobile terminal A mobile login screen for authenticating a user of the mobile terminal is provided to the personal computer and the user identification information including the phone number input on the mobile login screen displayed on the personal computer And a security authentication server for transmitting a PUSH message for requesting authentication to the mobile terminal,
If the mobile login method is selected in the personal computer,
Wherein the personal computer informs the security authentication server that the mobile login method is selected and receives and displays the mobile login screen for receiving the user identification information from the security authentication server,
The mobile terminal comprises:
When the security authentication application executed in the security area of the mobile terminal receives the push message and accepts the electronic signature based on the authorized certificate, the authentication application transmits the authentication information including the information of the website server and the displayed security code Receiving a request from the security authentication server, generating a security code authentication screen for performing authentication for the security code displayed on the personal computer, and displaying the security code authentication screen on the screen of the mobile terminal,
If the same security code as the security code displayed on the mobile login screen is selected in the displayed security code authentication screen, the security authentication application may further add user authentication by at least one of fingerprint authentication, pattern authentication and PIN authentication To generate additional authentication information,
Wherein the secure authentication server generates the signature data by digitally signing the public certificate stored in the security area, transmits the generated signature data, the selected security code, and the additional authentication information to the security authentication server,
The security authentication server includes:
If the security code received from the mobile terminal is the same as the security code displayed on the mobile login screen, the additional authentication information is compared with the information previously stored in the security authentication server, and if the comparison result is the same, the user authentication is completed, To the personal computer to perform an authentication response,
Wherein the web site server receives the signature data from the security authentication server through the personal computer, verifies the signature data using a public key, and transmits the web page to the personal computer after the login process. Authorized Certificate Login Service System.
delete The method according to claim 1,
The displayed mobile login screen may include:
An area for receiving the user identification information, and a security code displayed for security enhancement,
Wherein the security enforcement includes an act of verifying that a user is requesting a login at the personal computer.
delete The method according to claim 1,
The security authentication server includes:
Upon receipt of an authentication request including user identification information from the personal computer, confirming the stored push ID mapped to the received user identification information, and transmitting the push message to the mobile terminal corresponding to the confirmed push ID Authorized Certificate Login Service System using Mobile Terminal.
The method according to claim 1,
In the mobile login method,
A mobile login selection menu displayed on a login web page provided from the connected website server, a mobile login selection button added as a bookmark to the web browser, and a mobile login plugin button executed in a plug-in form in the web browser Wherein the authentication information includes at least one of a password and a password.
The method according to claim 1,
The mobile terminal comprises:
Wherein the at least one of the PIN (personal identification number), the iris, and the fingerprint of the user is registered on the basis of the user input in order to register the use in the security authentication server providing the mobile login method, Push ID, and user identification information to the security authentication server to request use registration,
The security authentication server maps and stores the phone number, the push ID, and the user identification information of the mobile terminal according to the use registration request,
Wherein the mobile terminal stores the public certificate in the security area so that the same public certificate as the public certificate registered in the web site server is interlocked with the security authentication application, system.
8. The method of claim 7,
The mobile terminal comprises:
Receiving at least one of the user's PIN, iris, and fingerprint through an authentication application executed in a general operating system, storing the inputted PIN, iris, and fingerprint in the secure area so as to be interlocked with the secure authentication application, A push ID, and a user identification information of the mobile terminal, and transmits the same to the security authentication server.
delete delete delete (A) displaying a login web page by accessing a web site server through a web browser of a personal computer for which a public certificate is not installed, based on user input;
(B) If a mobile login method for logging in to the web site server is selected from the login web page displayed through a public operating system and a public certificate stored in a secure area (SW) of a mobile terminal operating in a secure operating system, Providing an authentication server to the personal computer with a mobile login screen for authenticating a user of the mobile terminal;
(C) transmitting, by the security authentication server, a push (PUSH) message for requesting authentication to the mobile terminal based on user identification information including a phone number input through a mobile login screen displayed on the personal computer;
(D) a security authentication application executed in a security area of the mobile terminal accepts an authentication request according to the push message, transmits signature data digitally signed with the stored public key certificate to the security authentication server, ; And
(E) if the signature data provided from the security authentication server and the personal computer at the website server is verified with a public key, logging into the web site server;
The step (B)
(B1) selecting a mobile login method for logging in to the website server through a public certificate stored in the mobile terminal, in the login web page;
(B2) informing the security authentication server that the personal computer has selected the mobile login method;
(B3) the security authentication server transmitting the mobile login screen to the personal computer; And
(B4) displaying the mobile login screen for receiving the user identification information on a login web page of the personal computer,
The step (D)
(D1) when the mobile terminal receives the push message, the security authentication application accepts the electronic signature based on the public key certificate;
(D2) receiving from the security authentication server an authentication request message including information on the website server and information on the security code displayed by the mobile terminal;
(D3) generating a security code authentication screen for performing authentication on the displayed security code by the authentication application for security of the mobile terminal and displaying on the screen;
(D4) If a code identical to the security code displayed on the mobile login screen is selected in the displayed security code authentication screen, the security authentication application performs user authentication by at least one of fingerprint authentication, pattern authentication and PIN authentication Further performing the steps of generating additional authentication information;
(D5) when the user authentication is completed, generating signature data by digitally signing the public certificate stored in the security area, and transmitting the generated signature data, the selected security code and the additional authentication information to the security authentication server ; And
(D6) if the security code received from the mobile terminal is the same as the security code displayed on the mobile login screen, the security authentication server compares the additional authentication information with information previously stored in the security authentication server, And completing the authentication and transmitting the signature data to the personal computer to perform an authentication response.
delete 13. The method of claim 12,
The displayed mobile login screen may include:
An area for receiving the user identification information, and a security code displayed for security enhancement,
Wherein the security enforcement includes an act of verifying that a user is requesting a login at the personal computer.
delete 13. The method of claim 12,
The step (C)
(C1) the security authentication server receiving an authentication request including user identification information from the personal computer;
(C2) the security authentication server confirms a push ID mapped to the received user identification information; And
And (C3) transmitting the push message to the mobile terminal corresponding to the identified push ID.
13. The method of claim 12,
The mobile login method selected in the step (B)
A mobile login selection menu displayed on a login web page provided from the connected website server, a mobile login selection button added as a bookmark to the web browser, and a mobile login plugin button executed in a plug-in form in the web browser The method of claim 1, further comprising:
13. The method of claim 12,
Before the step (A)
(F) registering at least one of a PIN (personal identification number), an iris and a fingerprint of the user to the mobile terminal in order to register the use in the security authentication server providing the mobile login method, Transmitting a phone number, a push ID, and user identification information of the terminal to the security authentication server to request use registration;
(G) mapping the phone number, the push ID, and the user identification information of the mobile terminal to the security authentication server to perform use registration; And
(H) storing the public certificate in the secure area so that the public certificate, which is the same as the public certificate registered in the website server, is linked with the secure authentication application; and How to Service a Certified Certificate Login Using.
delete delete delete

Images