KR101994096B1 - Method for user authentication and user terminal for executing the same - Google Patents

Method for user authentication and user terminal for executing the same Download PDF

Info

Publication number
KR101994096B1
KR101994096B1 KR1020170180436A KR20170180436A KR101994096B1 KR 101994096 B1 KR101994096 B1 KR 101994096B1 KR 1020170180436 A KR1020170180436 A KR 1020170180436A KR 20170180436 A KR20170180436 A KR 20170180436A KR 101994096 B1 KR101994096 B1 KR 101994096B1
Authority
KR
South Korea
Prior art keywords
user
server
key
public key
pair
Prior art date
Application number
KR1020170180436A
Other languages
Korean (ko)
Inventor
박종진
김이구
강효관
Original Assignee
주식회사 예티소프트
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 예티소프트 filed Critical 주식회사 예티소프트
Priority to KR1020170180436A priority Critical patent/KR101994096B1/en
Application granted granted Critical
Publication of KR101994096B1 publication Critical patent/KR101994096B1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M1/00Substation equipment, e.g. for use by subscribers; Analogous equipment at exchanges
    • H04M1/72Substation extension arrangements; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selecting
    • H04M1/725Cordless telephones
    • H04M1/72519Portable communication terminals with improved user interface to control a main telephone operation mode or to indicate the communication status
    • H04M1/72522With means for supporting locally a plurality of applications to increase the functionality

Abstract

Provided are a user authentication method and a user terminal for performing the same. According to one embodiment of the present invention, the user terminal comprises: a key generation unit receiving input data from a user and generating a pair of a first public key and a second private key based on the input data; and a key management unit deleting the pair of the first public key and the first private key after registering the first public key in a server. The key generation unit receives the input data from the user when authenticating the user, regenerates the pair of the first public key and the first private key based on the input data, and regenerates the pair of the first public key and the first private key to generate a first electronic signature key as the first private key based on the input data.

Description

[0001] METHOD FOR USER AUTHENTICATION AND USER TERMINAL FOR EXECUTING THE SAME [0002]

Embodiments of the present invention relate to user authentication techniques using digital signatures.

Electronic signatures are one of the information used in electronic commerce for identification of users, forgery and alteration of documents, proof of transactions, and so on. A public key certificate is used to secure such digital signatures, and uses an asymmetric key based authentication method comprising a private key and a public key. This asymmetric key-based authentication scheme stores the private key in a local terminal (e.g., a user terminal) and authenticates the user through digital signature verification using the same.

However, when the private key is stored in the local terminal, it is inevitably vulnerable to leakage of the private key and various attacks due to the leakage of the private key. When the authentication information such as the private key is stored in the repository of the web browser in order to escape the authentication method, the authentication information is lost together with the cache information due to the operation of the various programs or the user, Problems may arise. Also, there is a problem that the security of the repository of the web browser is weak.

Korean Patent Registration No. 10-1350438 (Apr. 2014, 2014)

The embodiments of the present invention may be configured to supplement the vulnerability due to the key storage by generating the digital signature without storing the key pair for the digital signature in the user terminal, and even if the data for user authentication is deleted, And to provide a means to recover it without any procedure.

According to an exemplary embodiment of the present invention, there is provided a key generation apparatus comprising: a key generation unit receiving input data from a user and generating a pair of a first public key and a first private key based on the input data; And a key management unit for deleting the first public key and the first public key pair after registering the first public key in the server, wherein the key generation unit generates the input data from the user when authenticating the user And generating a first digital signature with the first private key by regenerating the pair of the first public key and the first private key based on the input data.

Wherein the key generation unit receives a unique ID and a first seed value corresponding to the unique ID from the server when logging in to the server, and generates the first seed value using the input data, the unique ID, A public key and a first private key pair.

Wherein the key generation unit requests the authentication of the user to the server using the unique ID, receives a first seed value corresponding to the unique ID, a random number for generating the first digital signature query, .

Wherein the key generation unit receives a second seed value from the server upon request of the user to authenticate the server and uses the input data, the unique ID, and the second seed value to authenticate the user A second public key, and a second private key pair.

Wherein the key management unit deletes the pair of the second public key and the second private key after registering the second public key in the server, And generates a second digital signature using the second private key by regenerating the pair of the second public key and the second private key using the input data, the unique ID, and the second seed value .

Wherein the key management unit registers unique information of the user terminal in the server and the key generation unit extracts unique information of the user terminal when the unique ID is deleted from the user terminal, The unique information and the ID of the user used for the login are verified and transmitted to the server and the authenticated user can be authenticated by receiving the unique ID from the server.

According to another exemplary embodiment of the present invention, there is provided a method for authenticating a user performed on a user terminal having one or more processors and a memory storing one or more programs executed by the one or more processors, ; Generating a pair of a first public key and a first private key based on the input data; Deleting the first public key and the first private key pair after registering the first public key in the server; Receiving the input data from the user when authenticating the user; And reproducing the pair of the first public key and the first private key based on the input data to generate a first electronic signature with the first private key.

Wherein the generating of the first public key and the first private key pair comprises receiving a unique ID and a first seed value corresponding to the unique ID from the server upon logging into the server, ID and the first seed value to generate the first public key and the first private key pair.

Wherein the user authentication method comprises: requesting the server to authenticate the user using the unique ID before generating the first digital signature statement; And receiving a first seed value corresponding to the unique ID, a random number for generating the first digital signature statement, and a signature text from the server.

Wherein the user authentication method comprises: receiving a second seed value from the server upon requesting authentication of the user to the server; And generating a pair of a second public key and a second private key to be used for the next authentication of the user using the input data, the unique ID, and the second seed value.

The user authentication method may further include, after the step of generating the pair of the second public key and the second private key, registering the second public key in the server and deleting the pair of the second public key and the second private key step; Receiving the input data from the user at the next authentication for the user; And regenerating the pair of the second public key and the second private key based on the input data to generate a second digital signature using the second private key.

The user authentication method includes: registering unique information of the user terminal in the server; Extracting unique information of the user terminal when the unique ID is deleted from the user terminal; Receiving the extracted unique information of the user terminal and the ID of the user used for the login to the server and verifying; And receiving the unique ID from the server and performing an authentication procedure for the user.

According to another exemplary embodiment of the present invention there is provided a computer program stored in a non-transitory computer readable storage medium, the computer program comprising one or more instructions, The method comprising: receiving input data from a user when the computing device is executed by the computing device; Generating a pair of a first public key and a first private key based on the input data; Deleting the first public key and the first private key pair after registering the first public key in the server; Receiving the input data from the user when authenticating the user; And reproducing the pair of the first public key and the first private key based on the input data to generate the first electronic signature with the first private key.

Receiving input data from a user by a computing device; Generating a pair of a first public key and a first private key based on the input data; Deleting the first public key and the first private key pair after registering the first public key in the server; Receiving the input data from the user when authenticating the user; And generating a first digital signature with the first private key by regenerating the pair of the first public key and the first private key based on the input data. And a transfer unit for transferring the computer program to a distribution server.

According to embodiments of the present invention, a pair of asymmetric keys for authentication of a user is not internally stored in a user terminal, and a public key / private key pair is newly generated based on user's input data at every authentication, It is possible to prevent vulnerabilities due to leakage and various attacks.

Also, according to embodiments of the present invention, a user terminal can continuously update a key pair used for user authentication by generating a new key pair (i.e., authentication in the form of a one time certificate) at every authentication, The security of the authentication information can be further improved.

According to embodiments of the present invention, even if user information necessary for user authentication is deleted due to cache erasure or the like by registering unique information of a user terminal in a server in advance, Information can be easily recovered.

1 is a block diagram showing a detailed configuration of a user authentication system according to an embodiment of the present invention;
2 is a flowchart illustrating a user registration procedure according to an embodiment of the present invention.
3 is a flowchart illustrating a user authentication procedure according to an embodiment of the present invention.
4 is a flowchart illustrating a procedure for recovering user information according to an embodiment of the present invention.
5 is a block diagram illustrating a detailed configuration of a user terminal according to an embodiment of the present invention.
6 is a block diagram illustrating and illustrating a computing environment including a computing device suitable for use in the exemplary embodiments.
7 is a block diagram showing a detailed configuration of an apparatus for transmitting a computer program for causing the computing device of Fig. 6 to perform the above-described user authentication method

Hereinafter, specific embodiments of the present invention will be described with reference to the drawings. The following detailed description is provided to provide a comprehensive understanding of the methods, apparatus, and / or systems described herein. However, this is merely an example and the present invention is not limited thereto.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail. The following terms are defined in consideration of the functions of the present invention, and may be changed according to the intention or custom of the user, the operator, and the like. Therefore, the definition should be based on the contents throughout this specification. The terms used in the detailed description are intended only to describe embodiments of the invention and should in no way be limiting. Unless specifically stated otherwise, the singular form of a term includes plural forms of meaning. In this description, the expressions "comprising" or "comprising" are intended to indicate certain features, numbers, steps, operations, elements, parts or combinations thereof, Should not be construed to preclude the presence or possibility of other features, numbers, steps, operations, elements, portions or combinations thereof.

1 is a block diagram showing a detailed configuration of a user authentication system 100 according to an embodiment of the present invention. 1, a user authentication system 100 according to an embodiment of the present invention includes a user terminal 102, a server 104, and a database 106. [

The user terminal 102 may be a wearable device such as a desktop, a notebook, a tablet computer, a smart phone, a PDA, a smart watch, or the like. The user terminal 102 may log into the server 104 at the request of the user to perform i) user registration procedures and ii) user authentication procedures described below.

First, the user terminal 102 may register the user information and authentication information for user authentication in the server 104 through a user registration procedure. Here, the user information may be, for example, personal information such as a user's name, age, and gender, login information such as a user ID / password, and the like. The authentication information may be, for example, a public key used for authentication of the user, unique information of the user terminal 102, and the like. At this time, the user terminal 102 receives the input data from the user to generate a public key / private key pair, registers the public key in the server 104, and deletes the public key / private key pair on the user terminal 102 side . Here, the input data may be data of a set type obtained by the user's input, for example, a password (or PIN number), a pattern having a set shape, voice data, or the like. Also, the public key registered in the server 104 may be in the form of a certificate including various information for user authentication according to the embodiment.

Next, the user terminal 102 can perform the user authentication procedure in cooperation with the server 104. [ To this end, the user terminal 102 may receive the input data from a user when authenticating the user, regenerate the pair of public key / private key, and generate an electronic signature through the private key. The user terminal 102 may forward the electronic signature statement to the server 104 and the electronic signature statement may be verified at the server 104 based on the server 104 side public key.

As described above, the user terminal 102 newly generates a public key / private key pair based on the input data of the user at every authentication without storing a pair of asymmetric keys for authentication of the user, It is possible to block vulnerabilities due to various attacks. Also, as will be described later, the user terminal 102 can generate and register a new key pair at every authentication, and even if the user information is deleted due to cache deletion or the like, it can be easily recovered without a separate re-registration procedure have. The user registration procedure, the user authentication procedure and the user information recovery procedure will be described later in detail with reference to FIG. 2 to FIG.

The server 104 is a device that performs a user registration procedure and a user authentication procedure at the request of the user terminal 102. The server 104 can store and manage the user information and authentication information described above in the database 106, and can extract necessary information with reference to the database 106 at each authentication. The user terminal 102 is connected to the server 104 or a service (for example, a bank transfer, a balance inquiry, and the like) set up from a separate service server (not shown) such as a bank server, a card company server, Financial services, electronic payment services, etc.).

The database 106 is a repository where user information and authentication information are stored (or registered). The database 106 may reside in the server 104 as a configuration of the server 104, but is not limited thereto. The database 106 may be connected to the server 104 via a network (not shown) as a separate configuration from the server 104. [ The user terminal 102 may register the user information and authentication information for user authentication in the server 104 side database 106.

2 is a flowchart illustrating a user registration procedure according to an embodiment of the present invention. In the illustrated flow chart, the method is described as being divided into a plurality of steps, but at least some of the steps may be performed in reverse order, combined with other steps, performed together, omitted, divided into detailed steps, One or more steps may be added and performed.

In step S102, the user terminal 102 requests the server 104 to log in and register the user information at the request of the user. The user terminal 102 may receive a user ID from a user and request registration of the user information by logging into the server 104 through the user ID.

In step S104, the user terminal 102 receives a unique ID from the server 104, a first seed value corresponding to the unique ID, and a random number (or a random number The original text of the signature). The server 104 generates the unique ID and the first seed value as the user terminal 102 logs in, maps the unique ID and the first seed value to the user ID, May be transmitted to the user terminal 102 together with a random number. The unique ID may, for example, be a combination of one or more numbers, letters, or symbols, and may be different for each user terminal 102.

In step S106, the server 104 stores the generated unique ID, the first seed value, and the random number in the database 106. [

In step S108, the user terminal 102 receives input data from the user. As described above, the input data may be, for example, a password (or PIN number), a pattern having a set shape, voice data, or the like.

In step S110, the user terminal 102 generates a pair of the first public key and the first private key using the input data, the unique ID, and the first seed value. The user terminal 102 applies an asymmetric key algorithm (for example, ECC: Elliptic Curve Cryptography, RSA: Rivest Shamir Adleman algorithm, etc.) set based on the input data, the unique ID and the first seed value The pair of the first public key and the first private key may be generated, but the method of generating the public key / private key pair is not particularly limited.

In step S112, the user terminal 102 generates a digital signature by digitally signing a random number (or the original document including the random number) with the first private key. As will be described later, the digital signature statement can be used as a means for registering the first public key in the server 104. [

In step S114, the user terminal 102 stores in the internal storage (not shown) a unique ID used to generate the first public key and the first private key pair.

In step S116, the user terminal 102 transmits the digital signature statement, the first public key, and the unique information of the user terminal 102 to the server 104. [ Here, the unique information of the user terminal 102 is information for identifying the user terminal 102, and may be browser information such as monitor size, resolution, and the like. As will be described later, the unique information of the user terminal 102 can be utilized as a means for recovering the unique ID if the unique ID is deleted from the user terminal 102. [ If the unique ID and the first seed value are not separately managed by the server 104, the user terminal 102 transmits the unique ID and the first seed value to the digital signature statement, the first public key, and the user terminal 102 to the server 104 together with the unique information.

In step S118, the server 104 verifies the electronic signature statement received from the user terminal 102. [ To this end, the server 104 extracts a unique ID, a first seed value, and a random number transmitted to the user terminal 102 in step S104, corresponding to the user ID, referring to the database 106, The seed value, the random number, and the first public key received from the user terminal 102 may be used to verify the electronic signature.

In step S120, the server 104 transmits the verification result of the electronic signature inquiry to the user terminal 102. [

In step S122, the server 104 stores (or registers) the first public key and the unique information of the user terminal 102 in the database 106 when verification of the digital signature request is completed.

In step S124, when the user terminal 102 receives a message from the server 104 indicating that the verification of the digital signature is completed, the user terminal 102 deletes the generated pair of the first public key and the first private key, have.

In this way, the user terminal 102 registers the public key used for the user authentication in the server 104 and deletes the pair of the public / private keys on the user terminal 102, Can be blocked in advance.

3 is a flowchart illustrating a user authentication procedure according to an embodiment of the present invention. In the illustrated flow chart, the method is described as being divided into a plurality of steps, but at least some of the steps may be performed in reverse order, combined with other steps, performed together, omitted, divided into detailed steps, One or more steps may be added and performed.

In step S202, the user terminal 102 requests the server 104 for user authentication. At this time, the user terminal 102 may forward the unique ID received from the server 104 in the previous registration procedure to the server 104 together with the authentication request.

In step S204, the server 104 refers to the database 106 according to the authentication request and extracts the first seed value. The server 104 may extract the first seed value corresponding to the unique ID from the unique ID received from the user terminal 102, for example.

In step S206, the user terminal 102 receives from the server 104 a first seed value, a second seed value different from the first seed value, and a new random number (i.e., a new random number distinct from the random number in FIG. 2) The original of the signature including the random number). Here, the second seed value may be generated at the server 104 as a seed value used to generate a pair of public / private keys to be used for the next authentication of the user. The server 104 may generate the second seed value and map it to a user ID and a unique ID.

In step S208, the server 104 stores the second seed value and the random number in the database 106. [

In step S210, the user terminal 102 receives input data from a user. Here, the input data is the same input data as the input data input from the user in the previous registration procedure.

In step S212, the user terminal 102 generates a pair of the first public key and the first private key using the input data, the unique ID, and the first seed value. The user terminal 102 may generate the first public key and the first private key pair in the same manner as in step S110 of FIG.

In step S214, the user terminal 102 generates a first digital signature by digitally signing the random number (or the original document including the random number) with the first private key. As will be described later, the first digital signature may be used as a means for authenticating the user.

In step S216, the user terminal 102 generates a pair of a second public key and a second private key to be used for the next authentication of the user using the input data, the unique ID, and the second seed value.

In step S218, the user terminal 102 generates a second digital signature by digitally signing the random number (or the original document including the random number) with the second private key. As will be described later, the second digital signature may be used as a means for registering the second public key in the server 104.

In step S220, the user terminal 102 transmits the first electronic signature statement, the second electronic signature statement, the second public key, and the unique information of the user terminal 102 to the server 104.

In step S222, the server 104 refers to the database 106 and extracts the first public key. The first public key is a public key stored in the database 106 in the previous registration procedure.

In step S224, the server 104 verifies the first electronic signature statement. The server 104 extracts the unique ID, the first seed value, and the random number transmitted to the user terminal 102 in step S206 with reference to the database 106, and transmits the unique ID, the first seed value, The first electronic signature statement can be verified using the public key. When the verification of the first digital signature is completed, the server 104 may determine that the authentication of the user is completed.

In step S226, the server 104 transmits the verification result of the first digital signature inquiry (i.e., the user authentication result) to the user terminal 102. [

In step S228, the server 104 verifies the second electronic signature. To this end, the server 104 extracts the unique ID, the second seed value, and the random number transmitted to the user terminal 102 in step S206 with reference to the database 106, and transmits the unique ID, the second seed value, And the second public key received from the user terminal 102 to verify the second electronic signature.

In step S230, the server 104 transmits the verification result of the second digital signature inquiry to the user terminal 102. [

In step S232, the server 104 stores the second public key and the unique information of the user terminal 102 in the database 106 when the verification of the second digital signature is completed.

In step S234, the user terminal 102 may delete the generated pair of the second public key and the second private key when receiving a message from the server 104 indicating that the verification of the second digital signature is completed.

The user terminal 102 may then generate a second digital signature with the second private key by regenerating the pair of the second public key and the second private key at the next authentication of the user, To authenticate the user. The second digital signature may be verified at the server 104 based on the second public key on the server 104 side, the second seed value on the server 104 side, and the server 104 side random number. In this manner, the key pair for user authentication can be continuously updated with the first public key / first private key? Second public key / second private key? Third public key / third private key, . That is, the user terminal 102 can continuously update the key pair used for user authentication by generating a new key pair at every authentication, thereby further improving the security of the authentication information.

FIG. 4 is a flowchart illustrating a procedure for recovering user information according to an exemplary embodiment of the present invention. Referring to FIG. In the illustrated flow chart, the method is described as being divided into a plurality of steps, but at least some of the steps may be performed in reverse order, combined with other steps, performed together, omitted, divided into detailed steps, One or more steps may be added and performed.

Here, the user information to be restored may be, for example, the above-described unique ID. Further, it is assumed that the unique ID stored in the repository (e.g., the repository of the web browser) in the user terminal 102 has been deleted due to cache deletion or the like.

In step S302, the user terminal 102 receives a user ID from the user.

In step S304, the user terminal 102 extracts unique information of the user terminal 102. [

In step S306, the user terminal 102 transmits the user ID and the unique information of the user terminal 102 to the server 104. [

In step S308, the server 104 verifies the user ID received from the user terminal 102 and the unique information of the user terminal 102. [ Specifically, the server 104 compares the user ID received from the user terminal 102 and the unique information of the user terminal 102 with the user ID stored in the database 106 and the unique information of the user terminal 102, can do.

In step S310, the server 104 extracts a unique ID corresponding to the user ID and the unique information of the user terminal 102 from the database 106 when the verification in step S308 is completed.

In step S312, the user terminal 102 receives the unique ID extracted from the server 104. [

In step S314, the user terminal 102 stores the unique ID received from the server 104 in the internal storage.

In step S316, the user terminal 102 performs the preceding authentication procedure (i.e., the authentication procedure in FIG. 3) using the unique ID.

As described above, according to the embodiments of the present invention, even if user information necessary for user authentication is deleted due to cache deletion or the like by previously registering unique information of the user terminal 102 in the server 104, The user information can be easily recovered using the unique information.

5 is a block diagram illustrating a detailed configuration of a user terminal 102 according to an embodiment of the present invention. 5, the user terminal 102 according to an exemplary embodiment of the present invention includes a key generation unit 202 and a key management unit 204. As shown in FIG.

The key generation unit 202 generates a pair of a public key and a private key used for user authentication. Specifically, the key generation unit 202 requests the server 104 to log in and register the user information at the request of the user. When the user terminal 102 logs in the server 104, A unique ID, a first seed value corresponding to the unique ID, and a random number. Thereafter, the key generation unit 202 receives input data from a user, and can generate the first public key and the first private key pair using the input data, the unique ID, and the first seed value . As described later, the key management unit 204 can delete the first public key / first private key pair after registering the first public key in the server 104. The key generation unit 202 generates The key pair can be regenerated. That is, the key generation unit 202 receives a random number from the server 104 when authenticating the user, regenerates a pair of the first public key and the first private key by receiving the input data again from the user, Signing the random number (or the original document including the random number) received from the server 104 with one private key. The first electronic signature may be verified at the server 104 based on the first public key on the server 104 side, the first seed value on the server 104 side, and the server 104 side random number.

The key generation unit 202 receives the second seed value from the server 104 upon request of the user to authenticate the server 104 and uses the input data, the unique ID, and the second seed value To generate a second public key and a second private key pair to be used for the next authentication of the user. Thereafter, the key generation unit 202 may repeat the above-described series of operations related to the pair of the first public key / first private key with respect to the pair of the second public key / second private key. That is, the second electronic signature may be verified in the server 104 based on the second public key on the server 104 side and the second seed value on the server 104 side. In this manner, the key generation unit 202 can continuously update the key pair used for user authentication by generating a new key pair at every authentication, thereby further improving the security of the authentication information.

The key management unit 204 manages the key pair generated by the key generation unit 202. Specifically, when the public key / private key pair is generated, the key management unit 204 registers the public key in the server 104 and deletes the pair of the public key / private key. The key management unit 204 may delete the first public key and the first private key pair after registering the first public key in the server 104, for example. Also, when the pair of the public key / private key is updated with the pair of the second public key / second private key, the key management unit 204 registers the second public key in the server 104, You can delete the pair of private keys.

Also, the key management unit 204 can transmit the digital signature statement, the public key, and the unique information of the user terminal 102 generated in the user registration procedure / authentication procedure to the server 104. If the unique ID is deleted from the user terminal 102, the key generation unit 202 extracts the unique information of the user terminal 102 and extracts the unique information of the extracted user terminal 102, The ID is transmitted to the server 104 for verification, and the ID 104 is received from the server 104 to perform the authentication procedure.

In one embodiment, the key generation unit 202 and key management unit 204 may be implemented on a computing device that includes one or more processors and a computer-readable medium coupled to the processor. The computer readable recording medium may be internal or external to the processor, and may be coupled to the processor by any of a variety of well known means. A processor in the computing device may cause each computing device to operate in accordance with the exemplary embodiment described herein. For example, a processor may execute instructions stored on a computer-readable recording medium, and instructions stored on the computer readable recording medium may cause a computing device to perform operations in accordance with the exemplary embodiments described herein For example.

FIG. 6 is a block diagram illustrating and illustrating a computing environment 10 including a computing device suitable for use in the exemplary embodiments. In the illustrated embodiment, each of the components may have different functions and capabilities than those described below, and may include additional components in addition to those described below.

The illustrated computing environment 10 includes a computing device 12. In one embodiment, computing device 12 may be one or more components included in user terminal 102, or server 104.

The computing device 12 includes at least one processor 14, a computer readable storage medium 16, The processor 14 may cause the computing device 12 to operate in accordance with the exemplary embodiment discussed above. For example, processor 14 may execute one or more programs stored on computer readable storage medium 16. The one or more programs may include one or more computer-executable instructions, which when executed by the processor 14 cause the computing device 12 to perform operations in accordance with the illustrative embodiment .

The computer-readable storage medium 16 is configured to store computer-executable instructions or program code, program data, and / or other suitable forms of information. The program 20 stored in the computer-readable storage medium 16 includes a set of instructions executable by the processor 14. In one embodiment, the computer-readable storage medium 16 may be any type of storage medium such as a memory (volatile memory such as random access memory, non-volatile memory, or any suitable combination thereof), one or more magnetic disk storage devices, Memory devices, or any other form of storage medium that can be accessed by the computing device 12 and store the desired information, or any suitable combination thereof.

Communication bus 18 interconnects various other components of computing device 12, including processor 14, computer readable storage medium 16.

The computing device 12 may also include one or more input / output interfaces 22 and one or more network communication interfaces 26 that provide an interface for one or more input / output devices 24. The input / output interface 22 may include the scroll screen 102, the input interface 104, the input screen 105, and the like. The input / output interface 22 and the network communication interface 26 are connected to the communication bus 18. The input / output device 24 may be connected to other components of the computing device 12 via the input / output interface 22. The exemplary input and output device 24 may be any type of device, such as a pointing device (such as a mouse or trackpad), a keyboard, a touch input device (such as a touch pad or touch screen), a voice or sound input device, An input device, and / or an output device such as a display device, a printer, a speaker, and / or a network card. The exemplary input and output device 24 may be included within the computing device 12 as a component of the computing device 12 and may be coupled to the computing device 102 as a separate device distinct from the computing device 12 It is possible.

FIG. 7 is a block diagram illustrating a detailed configuration of an apparatus 300 for transmitting a computer program for causing the computing device 12 of FIG. 6 to perform the above-described user authentication method.

The computer program is a computer program stored in a non-transitory computer readable storage medium, which may include one or more instructions. At this time, the instructions may cause the computing device 12 to perform the user authentication method described above when executed by the computing device 12 having one or more processors.

7, an apparatus 300 for transmitting the computer program may be connected to a distribution server 400 via a network, and may include a storage unit 302 and a transmission unit 304. [

The storage unit 302 is a storage in which the computer program is stored.

The transmission unit 304 transmits the computer program to the distribution server 400. Here, the distribution server 400 is a device that distributes a computer program (or an application) received from each device 300 on-line. In other words, the distribution server 400 can upload the computer program received from the transmission unit 304 to a market on the online market in a downloadable form, and transmit the computer program to the other device upon request of the other device.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, I will understand. Therefore, the scope of the present invention should not be limited to the above-described embodiments, but should be determined by equivalents to the appended claims, as well as the appended claims.

100: User authentication system
102: user terminal
104: Server
106: Database
202:
204:
300: a device for transmitting a computer program
302:
304:
400: Distribution Server

Claims (14)

  1. Receiving a unique ID and a first seed value corresponding to the unique ID from the server as it logs in to the server, receiving input data from a user, receiving the input data, the unique ID, and the first seed value A key generation unit for generating a pair of a public key and a first private key; And
    And a key management unit for registering the first public key in the server and deleting the first public key and the first private key pair,
    Wherein the key generation unit requests authentication of the user to the server using the unique ID, and transmits a first seed value corresponding to the unique ID and a first seed value corresponding to the first seed value, Receiving a second seed value, receiving the input data from the user, regenerating the pair of the first public key and the first private key based on the input data, and generating a first electronic signature with the first private key Generating a pair of a second public key and a second private key to be used for the next authentication of the user using the input data, the unique ID, and the second seed value, and generating a pair of a public key and a private key To continuously renew a pair of a public key and a private key used for user authentication.
  2. delete
  3. The method according to claim 1,
    Wherein the key generation unit receives a random number and a signature original for generating the first electronic signature statement from the server.
  4. delete
  5. The method according to claim 1,
    Wherein the key management unit deletes the pair of the second public key and the second private key after registering the second public key in the server,
    Wherein the key generation unit receives the input data from the user at the next authentication for the user and uses the input data, the unique ID, and the second seed value to generate a pair of the second public key and the second private key And generates a second electronic signature with the second private key.
  6. The method according to claim 1,
    Wherein the key management unit registers unique information of the user terminal in the server,
    The key generation unit extracts unique information of the user terminal when the unique ID is deleted from the user terminal, and transmits the unique information of the extracted user terminal and the ID of the user used for the login to the server And authenticates the user by receiving the unique ID from the server.
  7. One or more processors, and
    A user authentication method performed in a user terminal having a memory for storing one or more programs executed by the one or more processors,
    Receiving a unique ID and a first seed value corresponding to the unique ID from the server upon logging in to the server;
    Receiving input data from a user;
    Generating a pair of a first public key and a first private key using the input data, the unique ID, and the first seed value;
    Deleting the first public key and the first private key pair after registering the first public key in the server;
    Requesting authentication of the user to the server using the unique ID;
    Receiving a first seed value corresponding to the unique ID and a second seed value different from the first seed value from the server according to the authentication request;
    Receiving the input data from the user;
    Generating a first digital signature with the first private key by regenerating the pair of the first public key and the first private key based on the input data;
    Generating a pair of a second public key and a second private key to be used for the next authentication of the user using the input data, the unique ID, and the second seed value; And
    And newly generating a pair of a public key and a private key at each authentication, and continuously updating a pair of a public key and a private key used for user authentication.
  8. delete
  9. The method of claim 7,
    Before the step of generating the first electronic signature statement,
    Further comprising receiving from the server a random number and a signature text for generating the first electronic signature statement.
  10. delete
  11. The method of claim 7,
    After generating the pair of the second public key and the second private key,
    Registering the second public key in the server and deleting the pair of the second public key and the second private key;
    Receiving the input data from the user at the next authentication for the user; And
    Further comprising generating a second electronic signature with the second private key by regenerating the pair of the second public key and the second private key based on the input data.
  12. The method of claim 7,
    Registering the unique information of the user terminal in the server;
    Extracting unique information of the user terminal when the unique ID is deleted from the user terminal;
    Receiving the extracted unique information of the user terminal and the ID of the user used for the login to the server and verifying; And
    Further comprising receiving the unique ID from the server and performing an authentication procedure for the user.
  13. A computer program stored on a non-transitory computer readable storage medium,
    The computer program comprising one or more instructions that when executed by a computing device having one or more processors causes the computing device to:
    Receiving a unique ID and a first seed value corresponding to the unique ID from the server upon logging in to the server;
    Receiving input data from a user;
    Generating a pair of a first public key and a first private key using the input data, the unique ID, and the first seed value;
    Deleting the first public key and the first private key pair after registering the first public key in the server;
    Requesting authentication of the user to the server using the unique ID;
    Receiving a first seed value corresponding to the unique ID and a second seed value different from the first seed value from the server according to the authentication request;
    Receiving the input data from the user;
    Generating a first digital signature with the first private key by regenerating the pair of the first public key and the first private key based on the input data;
    Generating a pair of a second public key and a second private key to be used for the next authentication of the user using the input data, the unique ID, and the second seed value; And
    A step of newly generating a pair of a public key and a private key each time authentication is performed and continuously updating a pair of a public key and a private key used for user authentication
    In a non-transitory computer readable storage medium.
  14. delete
KR1020170180436A 2017-12-27 2017-12-27 Method for user authentication and user terminal for executing the same KR101994096B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020170180436A KR101994096B1 (en) 2017-12-27 2017-12-27 Method for user authentication and user terminal for executing the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020170180436A KR101994096B1 (en) 2017-12-27 2017-12-27 Method for user authentication and user terminal for executing the same

Publications (1)

Publication Number Publication Date
KR101994096B1 true KR101994096B1 (en) 2019-06-28

Family

ID=67066144

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020170180436A KR101994096B1 (en) 2017-12-27 2017-12-27 Method for user authentication and user terminal for executing the same

Country Status (1)

Country Link
KR (1) KR101994096B1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101066063B1 (en) * 2003-01-07 2011-09-20 퀄컴 인코포레이티드 System, apparatus and method for replacing a cryptographic key
KR101350438B1 (en) 2013-04-18 2014-01-16 주식회사 티모넷 Digital signature system for using se(secure element) inside mobile unit and method therefor
KR101490687B1 (en) * 2007-08-20 2015-02-06 삼성전자주식회사 Method and apparatus for sharing secret information between devices in home network

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101066063B1 (en) * 2003-01-07 2011-09-20 퀄컴 인코포레이티드 System, apparatus and method for replacing a cryptographic key
KR101490687B1 (en) * 2007-08-20 2015-02-06 삼성전자주식회사 Method and apparatus for sharing secret information between devices in home network
KR101350438B1 (en) 2013-04-18 2014-01-16 주식회사 티모넷 Digital signature system for using se(secure element) inside mobile unit and method therefor

Similar Documents

Publication Publication Date Title
US7788729B2 (en) Method and system for integrating multiple identities, identity mechanisms and identity providers in a single user paradigm
US9867043B2 (en) Secure device service enrollment
US7548890B2 (en) Systems and methods for identification and authentication of a user
JP5869052B2 (en) Inclusive verification of platform to data center
CN101395624B (en) Verification of electronic signatures
US10382427B2 (en) Single sign on with multiple authentication factors
Bojinov et al. Kamouflage: Loss-resistant password management
US20180308098A1 (en) Identity Management Service Using A Block Chain Providing Identity Transactions Between Devices
US20070136599A1 (en) Information processing apparatus and control method thereof
US20060123465A1 (en) Method and system of authentication on an open network
US8661520B2 (en) Systems and methods for identification and authentication of a user
US8122255B2 (en) Methods and systems for digital authentication using digitally signed images
US10361849B2 (en) Methods and systems of providing verification of the identity of a digital entity using a centralized or distributed ledger
JP4879176B2 (en) System and method for implementing a digital signature using a one-time private key
DE112011100182T5 (en) Transaction check for data security devices
JP2002091299A (en) System and method for digital signature, mediation method and system for digital signature, information terminal, and recording medium
JP2007502578A (en) How to use a reliable hardware-based identity credentials in runtime package signature to perform a mobile communication and expensive safe transaction
US9509686B2 (en) Secure element authentication
EP2557532A9 (en) Methods and apparatus to provision payment services
US20160283941A1 (en) Systems and methods for personal identification and verification
JP2004023796A (en) Selectively disclosable digital certificate
JP2008269610A (en) Protecting sensitive data intended for remote application
EP3424177A1 (en) Systems and methods for distributed identity verification
US10079682B2 (en) Method for managing a trusted identity
US7555784B2 (en) Method and system for safely disclosing identity over the internet

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant