KR102038217B1 - Information security system through encrypting and decrypting personal data and contents in smart device based on Lightweight Encryption Algorithm, method thereof and computer recordable medium storing program to perform the method - Google Patents

Abstract

The present invention provides an information security system through encryption and decryption of personal information and content in a smart device based on a light weight encryption algorithm (LEA), a method therefor, and a computer readable recording medium having recorded thereon a program for performing the method. It is about. In the present invention, when the data of the first format is input, encoding the data in a second format, which is an image file format, scrambled and encrypted the converted data through a lightweight encryption algorithm, and if there is a decryption request, And descrambling the encrypted data through the lightweight encryption algorithm to decrypt the encrypted data into a second type of data, and decoding the decrypted second type of data into a first type of data. Provides information security method of security system.

Description

Information security system through encryption and decryption of personal information and contents in smart device based on lightweight encryption algorithm, method for this, and computer readable recording medium recording program for performing the method contents in smart device based on Lightweight Encryption Algorithm, method approximately and computer recordable medium storing program to perform the method}

The present invention relates to a copyright protection technology, and more particularly, to an information security system through encryption and decryption of personal information and content in a smart device based on Lightweight Encryption Algorithm (LEA), a method for performing the same, and performing the method. A computer readable recording medium having recorded thereon a program therefor.

Lightweight, such as the Internet of Things (IoT), the cloud, due to the development of ICT (Information and Communications Technologies) technology and the increasing use of portable devices such as personal computers, mobile phones, and personal digital assistants (PDAs) Various services based on environment are expanding. These services are used in various fields. For example, in order to build a smart education system, lightweight environment-based portable equipment and network services are used in the education business field. Because copyright protection systems such as smart education systems transmit and receive large-capacity multimedia contents based on lightweight environment-based portable devices and networks, these contents are hijacked and stolen by malicious attackers due to the openness of the network. Can be. Therefore, it is necessary to provide copyright protection technology to prevent infringement of intellectual property rights of individuals or organizations on contents transmitted / received in a lightweight environment. However, the existing cryptographic algorithms have difficulty in providing security for lightweight environment-based devices due to problems such as computational power limitation and network bandwidth.

Korean Laid-Open Patent Publication No. 2007-0060955, issued June 13, 2007 (Name: Digital Content Transceiver and Method for Copyright Protection)

An object of the present invention is to provide an information security system through encryption and decryption of personal information and content in a smart device based on a lightweight encryption algorithm, a method therefor, and a computer readable recording medium having recorded thereon a program for performing the method.

Information security system according to a preferred embodiment of the present invention for achieving the above object is a cloud comprising a plurality of physically separated authentication device, and a plurality of virtual machines logically divided to perform the function of the authentication device A server, a secret key is generated, and when k is a natural number, the secret key is divided into k secret key pieces, and the k secret key pieces are k devices among the plurality of authentication devices and the plurality of virtual machines. And a first user device for distributing the data to the second user device, generating an encryption key using the secret key, encrypting the content using the encryption key and a round function, and transmitting the encrypted content to a second user device. .

The system collects secret key pieces from at least n of the k devices when n is a natural number smaller than k, restores the secret key from secret key pieces collected through Lagrange interpolation, and the secret key. The second user device further generates a decryption key using the decryption key and restores the content using the decryption key and the round function.

An information security method of an information security system according to a preferred embodiment of the present invention for achieving the above object comprises the steps of: converting the content into an image file format when the first user device receives the content in the document file format; Generating, by the first user device, a secret key; generating, by the first user device, an encryption key using the secret key; and content, by the first user device using the encryption key and a round function. And encrypting, and transmitting, by the first user device, the content to the second user device.

에 따라 상기 비밀키를 k개의 비밀키 조각으로 분할하는 단계와, 상기 제1 사용자장치가 상기 k개의 비밀키 조각을 물리적으로 구분된 복수의 인증장치 및 논리적으로 구분되어 인증장치의 기능을 수행하는 클라우드서버의 복수의 가상머신 중 k개의 장치에 분배하여 전송하는 단계를 더 포함한다. After the first user device generates a secret key, when k is a natural number, the first user device performs an equation.

Dividing the secret key into k secret key fragments, and wherein the first user device performs the functions of the plurality of physically separated authentication devices and logically divided authentication devices of the k secret key pieces. The method may further include distributing and transmitting the data to k devices of the plurality of virtual machines of the cloud server.

After the step of transmitting the content to the second user device, when n is a natural number smaller than k, the second user device collecting secret key pieces from at least n of the k devices, and a Lagrangian interpolation method. Restoring the secret key from the collected secret key fragments; generating a decryption key using the secret key; and restoring content using the decryption key and a round function.

In addition, the present invention provides a computer-readable recording medium having recorded thereon a program for performing the information security method according to an embodiment of the present invention to achieve the above object.

The method according to an embodiment of the present invention is a lightweight encryption algorithm (LEA), which provides security in a lightweight environment, such as cloud and the Internet of Things, and up to twice the size of the international encryption standard AES (Advanced Encryption Standard). Provides high speed First of all, the method according to the embodiment of the present invention may provide a low power security environment.

1 is a view for explaining the configuration of an information security system according to an embodiment of the present invention.
2 is a block diagram illustrating a configuration of a cloud server according to an exemplary embodiment of the present invention.
3 is a block diagram illustrating a configuration of a user device according to an exemplary embodiment of the present invention.
4 is a block diagram illustrating a configuration of an authentication apparatus according to an embodiment of the present invention.
5 is a block diagram illustrating a configuration of an encryption / decryption unit according to an embodiment of the present invention.
6 is a flowchart illustrating a method for information security according to an embodiment of the present invention.
7 is a flowchart illustrating a method of inserting copyright information into content according to an embodiment of the present invention.
8 is a flowchart illustrating a method of distributing and storing a secret key fragment according to an embodiment of the present invention.
9 is a flowchart illustrating an encryption method using live signal according to an embodiment of the present invention.
10 is a flowchart illustrating a method for information security according to an embodiment of the present invention.
11 is a flowchart illustrating an encryption method using live signal according to an embodiment of the present invention.
12 is a flowchart illustrating a method of collecting secret key pieces according to an alternative embodiment of the present invention.
13 is a flowchart illustrating a method of extracting copyright information from content according to an embodiment of the present invention.
14 to 17 are diagrams for describing an information security method according to an embodiment of the present invention.

Prior to the description of the present invention, the terms or words used in the specification and claims described below should not be construed as being limited to the ordinary or dictionary meanings, and the inventors should consider their own invention in the best way. For the purpose of explanation, it should be interpreted as meaning and concept corresponding to the technical idea of the present invention on the basis of the principle that it can be appropriately defined as the concept of term. Therefore, the embodiments described in the present specification and the configuration shown in the drawings are only the most preferred embodiments of the present invention, and do not represent all of the technical idea of the present invention, and various equivalents may be substituted for them at the time of the present application. It should be understood that there may be water and variations.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In this case, it should be noted that like elements are denoted by like reference numerals as much as possible. In addition, detailed descriptions of well-known functions and configurations that may blur the gist of the present invention will be omitted. For the same reason, some components in the accompanying drawings are exaggerated, omitted, or schematically illustrated, and the size of each component does not entirely reflect the actual size.

First, the configuration of an information security system according to an embodiment of the present invention will be described. 1 is a view for explaining the configuration of an information security system according to an embodiment of the present invention. Referring to FIG. 1, an information security system 10 according to an exemplary embodiment of the present invention includes a cloud server 100, a plurality of user devices 200, and a plurality of authentication devices 300.

The cloud server 100 generates a plurality of virtual machines for a predetermined time according to a request of the user device 200, and extinguishes after a predetermined time elapses. That is, each of the plurality of virtual machines operates for a set time. Each of the plurality of virtual machines is logically divided, and stores a secret key fragment according to an embodiment of the present invention or a biometric data according to an embodiment of the present invention for a predetermined time.

In an embodiment of the present invention, the user device 200 includes a first user device 201 and a second user device 202. In the present invention, when the first user device 201 encrypts and transmits the content (original content), the second user device 202 assumes a situation in which the original content is restored by decrypting the encrypted content. At least one of a secret key fragment and biometric data may be used for such encryption and decryption.

Then, each of the above-described configuration of the cloud server 100, the user device 200 and the authentication device 300 will be described. First, the configuration of the cloud server 100 according to an embodiment of the present invention will be described. 2 is a block diagram illustrating a configuration of a cloud server according to an exemplary embodiment of the present invention. Referring to FIG. 2, the cloud server 100 according to an embodiment of the present invention includes a communication module 110, a storage module 120, and a control module 130. In particular, the control module 130 includes a plurality of virtual machines.

The communication module 110 is for communicating with the user device 200 through a network. The communication module 110 may receive data such as a secret key fragment from the user device 200 or transmit data such as a secret key fragment to the user device 200 under the control of the control module 130. The communication module 110 may include a modem that modulates a signal to be transmitted and received through a network and demodulates the received signal. The communication module 110 may transmit data received from the control module 130 to the user device 200 through a network. In addition, the communication module 110 may transmit the received data to the control module 130.

The storage module 120 stores a program and data necessary for the operation of the cloud server 100. For example, the storage module 120 may store data, for example, secret key pieces, in correspondence with each of the plurality of virtual machines of the control module 130.

The control module 130 may control an overall operation of the cloud server 100 and a signal flow between internal blocks of the cloud server 100, and may perform a data processing function for processing data. The control module 130 may be a central processing unit, a digital signal processor, or the like. In particular, the control module 130 may create a virtual machine, which is a plurality of processes that are logically divided to perform the same function as the authentication apparatus according to the embodiment of the present invention. The operation of this control module 130 will be described in more detail below.

Next, the user device 200 according to an embodiment of the present invention will be described. 3 is a block diagram illustrating a configuration of a user device according to an exemplary embodiment of the present invention. Referring to FIG. 3, a user device 200 according to an embodiment of the present invention includes a communication unit 210, an input unit 220, a display unit 230, a storage unit 240, and a control unit 250.

The communication unit 210 is for communicating with the cloud server 100, another user device 200, or the authentication device 300. The communication unit 210 may communicate with the cloud server 100, another user device 200, or an authentication device 300 through a network including a base station (BS), a base station such as a base station (BS), a NodeB, an eNodeB, and the like. . In addition, the communication unit 210 may use another user device 200 or an authentication device 300 using a communication method such as Near Field Communication (NFC), Bluetooth, ZigBee, and Infrared Data Association (IrDA). ) Can be communicated with. The communication unit 210 may be configured as an RF transmitter for up-converting and amplifying a frequency of a transmitted signal, and an RF receiver for low noise amplifying and down-converting a received signal. When the communication unit 210 receives various messages, information, data, etc. from the control unit 250, the communication unit 210 may transmit them to other devices. In addition, when the communication unit 210 receives various messages, information, data, etc. from another device, the communication unit 210 may transmit the message to the control unit 250.

The input unit 220 receives a user's key operation for controlling various functions, operations, and the like of the user device 200, generates an input signal, and transmits the generated input signal to the controller 250. The input unit 220 may include at least one of a power key, a character key, a numeric key, and a direction key for power on / off. The function of the input unit 220 may be performed in the display unit 230 when the display unit 230 is implemented as a touch screen, and when the display unit 230 can perform all functions, the input unit 220 may be omitted. have.

The display unit 230 may receive data for screen display from the controller 250 and display the received data on the screen. In addition, the display unit 230 may visually provide a menu, data, function setting information, and various other information of the user apparatus 200 to the user. When the display unit 230 is formed of a touch screen, some or all of the functions of the input unit 220 may be performed instead. The display unit 230 may be formed of a liquid crystal display (LCD), organic light emitting diodes (OLEDs), active matrix organic light emitting diodes (AMOLEDs), or the like.

The storage unit 240 stores various data necessary for the operation of the user device 200, applications, and various data generated according to the operation of the user device 200. The storage unit 240 may be a storage, a memory, or the like. The storage unit 240 may store an operating system (OS) for booting and operating the user device 200 and various applications according to an embodiment of the present invention. Various data stored in the storage unit 240 may be deleted, changed, or added according to a user's manipulation.

The controller 250 may control an overall operation of the user device 200 and a signal flow between internal blocks of the user device 200, and may perform a data processing function for processing data. The controller 250 may be a central processing unit (CPU), an application processor, a graphic processing unit (GPU), or the like. In particular, the controller 250 includes an encryption / decryption unit 400. The encryption and decryption unit 400 performs encryption or decryption according to a Lightweight Encryption Algorithm (LEA). The operation of the controller 250 including the encryption / decryption unit 400 will be described in more detail below. In addition, although not shown, the user device 200 according to the embodiment of the present invention includes a storage medium inserting unit for inserting an external storage medium such as a memory card to store data, and a connection for exchanging data with an external digital device. A terminal and a terminal for charging can be provided. In addition, the user device 200 may be configured to further include a functional part having an additional function, such as an audio processing unit for inputting or outputting an audio signal, a voice signal, etc. through a microphone and a speaker, an MP3 module for digital sound source reproduction Can be. Due to the convergence trend of digital devices, variations of mobile devices are very diverse and cannot be enumerated. However, a unit equivalent to the above-mentioned units is further included in the user device 200 according to the present invention. It can be easily understood by those of ordinary skill in the art.

Next, the authentication apparatus 300 according to the embodiment of the present invention will be described. 4 is a block diagram illustrating a configuration of an authentication apparatus according to an embodiment of the present invention. Referring to FIG. 4, the authentication apparatus 300 according to the embodiment of the present invention includes a communication unit 310, an input unit 320, a display unit 330, a storage unit 340, and a control unit 350. do.

The communication unit 310 is for communicating with the user device 200 via a network. Through such communication, data or the like can be received or transmitted. The communication unit 310 may be configured as an RF transmitter for upconverting and amplifying a frequency of a transmitted signal, and an RF receiver for low noise amplifying and downconverting a received signal.

The input unit 320 is a means for receiving at least one of a user's command, selection, data, and information. The input unit 320 may include a plurality of input keys and function keys for receiving numeric or text information and setting various functions. . In addition, the input unit 320 may detect a user's key input and transmit an input signal according to the detected key input to the control unit 350.

The display unit 330 may receive data for screen display from the control unit 350 and display the received data on the screen. In addition, the display unit 330 may visually provide a menu, data, function setting information, and various other information of the authentication apparatus 300 to the user. When the display unit 330 is formed as a touch screen, some or all of the functions of the input unit 320 may be performed instead. The display unit 330 may be formed of a liquid crystal display (LCD), organic light emitting diodes (OLEDs), active matrix organic light emitting diodes (AMOLEDs), or the like.

The storage unit 340 stores a program and data necessary for the operation of the authentication device 300, and may be divided into a program area and a data area. The program area may store a program for controlling the overall operation of the authentication device 300, an operating system (OS) for booting the authentication device 300, an application program, and the like. The data area is an area in which user data generated according to the use of the authentication device 300 is stored. In addition, the storage unit 340 may store various types of data generated according to the use of the authentication device 300. Various data stored in the storage unit 340 may be deleted, changed, or added according to a user's manipulation.

The control unit 350 may control the overall operation of the authentication device 300 and the signal flow between the internal blocks of the authentication device 300, and perform a data processing function for processing data. The control unit 350 may be a central processing unit (CPU), an application processor, or the like. The control unit 350 may load and execute an application stored in the storage unit 340, and allocate a buffer to the temporary storage space if necessary. The operation of this control unit 350 will be described in more detail below.

As described above, the user device 200 includes an encryption / decoding unit 400, and the encryption / decryption unit 400 will be described in detail. 5 is a block diagram illustrating a configuration of an encryption / decryption unit according to an embodiment of the present invention.

In the encryption / decryption unit 400, for example, the plaintext and the ciphertext of the block cipher LEA are 128-bit long bit streams, and the secret key is 128, 192, or 256-bit long bit streams. The LEA's secret key, plaintext, and ciphertext are byte arrays, and the internal state variables and roundkeys used for encryption, decryption, and key scheduling are word arrays.

The encryption / decryption unit 400 includes a secret key module 410, a key schedule module 420, an encryption module 430, and a decryption module 440. The secret key module 410 generates a secret key for encryption and converts the generated secret key into a plurality of secret key pieces, for example, when k is a natural number, according to Equation 1 below. Can be divided into key pieces.

을 생성할 수 있다. Where p is a prime number equal to or greater than k + 1, x is k secret key fragments, a is the coefficient of the polynomial, and is chosen arbitrarily. That is, the secret key module 410 is a plurality of secret key pieces according to equation (1)

Can be generated.

After generating a plurality of secret key pieces, the secret key module 410 is a plurality of generated secret key pieces through the communication unit 210 to a plurality of virtual machines or a plurality of authentication devices 300 of the cloud server 100 Can be distributed and sent.

In addition, the secret key module 410 collects a part of the plurality of secret key pieces from the plurality of virtual machines or the plurality of authentication apparatus 300 of the cloud server 100 through the communication unit 210 for decryption. Then, the secret key module 410 may recover the secret key from the secret key pieces collected through the Lagrangian interpolation.

를 이용하여 k 비트의 비밀키 K로부터 Nr개의 192비트 암호화용 라운드키

(0 ≤ i ≤ Nr-1)를 생성할 수 있다. 또한, 키스케줄부(310)는 복호화를 위한 키 스케줄을 위해, 복호화 키스케줄 함수

를 이용하여 k 비트의 비밀키 K로부터 Nr개의 192비트 복호화용 라운드키

(0 ≤ i ≤ Nr-1)를 생성할 수 있다. The key schedule module 420 performs a key schedule function for encryption and a key schedule function for decryption. The key schedule module 420 generates a plurality of round keys from the secret key when the secret key generated by the secret key module 410 is input. For example, the key schedule unit 310 is an encryption key schedule function for a key schedule for encryption.

N-192-bit encryption roundkey from k-bit secret key K

(0 ≦ i ≦ Nr−1). Also, the key scheduler 310 decrypts a key schedule function for the key schedule for decryption.

Round key for N-192-bit decryption from k-bit secret key K

(0 ≦ i ≦ Nr−1).

에 입력하여 평문을 암호문으로 변환하는 암호화를 수행한다. 예를 들면, 암호모듈(430)은 라운드 함수

를 이용하여 128비트 평문 P를 128비트 암호문 C로 변환하는 암호화를 수행한다. The cryptographic module 430 rounds a plurality of round keys

Type in to encrypt the plain text into cipher text. For example, cryptographic module 430 is a round function

Encrypts 128-bit plain text P into 128-bit ciphertext C using

에 입력하여 암호문을 평문으로 변환하는 복호화를 수행한다. 예를 들면, 복호모듈(440)은 라운드 함수

를 이용하여 128비트 암호문 P를 128비트 평문 C로 변환하는 암호화를 수행한다. The decoding module 440 rounds a plurality of round keys.

Enter into to decrypt the ciphertext into plaintext. For example, the decoding module 440 is a round function

Encrypts the 128-bit ciphertext P into 128-bit plaintext C using

Next, a method for information security according to an embodiment of the present invention will be described. As described above, the user device 200 includes a first user device 201 and a second user device 202. In particular, the first user device 201 is a user device 200 that encrypts and transmits the content (original content) for copyright protection, and the second user device 202 decrypts the encrypted content to restore the content original. Assume that the user device 200. First, a description will be given of a method in which the first user device 201 encrypts a copyright protection content (original content) and transmits the same to the second user device 202. 6 is a flowchart illustrating a method for information security according to an embodiment of the present invention.

The control unit 250 of the first user device 201 receives the content of the first format in step S110. Content of the first format according to an embodiment of the present invention means a file of a format other than the image file format. The content of the first format may exemplify a file of a document format such as a PPT file, a HWP file, a PDF file, or the like. Then, the control unit 250 converts the content of the document file format to the image file format which is the second format in step S120. The image file format may include JPG, PNG, and BMP.

Next, the control unit 250 inserts copyright information into the content in step S130. 7 is a flowchart illustrating a method of inserting copyright information into content according to an embodiment of the present invention. 7 is for explaining the step S130 in more detail. Table 1 and Table 2 below are source codes that implement an algorithm for inserting copyright information according to an embodiment of the present invention. 7, a method of inserting copyright information according to an embodiment of the present invention with reference to Tables 1 and 2 will be described in more detail.

T <-125
for x <-0 to Watermark_Width
for y <-0 to Watermark_Height
Average <-(R + G + B) / 3
if Average <= T then
Bin_Watermark <-Color.Black
else
Bin_Watermark <-Color.White
end if
next y
next x

procedure Chaotic (Image)
WC [Image_Width * Image_Height]
WC2 [Image_Width, Image_Height]
initial_x <-0.5
initial_m <-3.7
WC [0] <-initial_x
for i <-0 to Image_Width * Image_Height
?? One
WC [i + 1] <-initial_m * WC [i] *
(1 ?? WC [i])
next I
count <-0
for i <-0 to Image_Height
for j <-0 to Image_Width
WC2 [i, j] <-Floor (WC [count] + 0.5)
count ++
next j
next I
return WC2
end procedure

Chaotic (Resize_Image)
for y <-0 to Image_Height
for x <-0 to Image_Width
if Resize_Watermark (y, x) == 255 then
bin [7] <-1 ^ Chaotic [y, x]
else
bin [7] <-0 ^ Chaotic [y, x]
end if
next x
next y

S131: The control unit 250 prepares the copyright information before inserting the copyright information. Copyright information according to an embodiment of the present invention may be an image file. If the copyright information is not an image file such as a text file, for example, the file format of the copyright information is converted into an image file format.

S132: The controller 250 generates a chaotic sequence. Chaotic maps are used in the creation process, using two initial values as keys. The chaotic sequence is generated using Equation 2 below.

Here, the initial value is entered in Chaotic [i] and the parameter value is entered in initial_m.

S133: The controller 250 converts copyright information, which is an image file, into a binary image according to the source code of Table 1 below. In this case, as shown in Table 1, the controller 250 calculates an average pixel value of the RGB image and converts the image into black when the average value is smaller than the average value and white when the average value is smaller than the average value.

S134: The controller 250 resizes the binary image to the image size of the content (original content).

S135: The controller 250 converts pixel values of the binary image into binary numbers.

S136: The controller 250 inserts a value obtained by XORing a pixel and a chaotic sequence having the same pixel coordinates as the content of the binary image converted to binary into the LSB of the pixel value of the original image as the content. That is, since the binary image has been resized to the same size as the content, it has a pixel corresponding to each and every pixel of the content. Therefore, the corresponding pixel is converted into a binary number, and the converted binary number and chaotic sequence are XORed and inserted into the corresponding pixel of the content. For example, if the image pixel value is 255, XOR of 1 and the chaotic sequence is inserted into the LSB of the converted binary pixel value. This step S136 is repeated until all the copyright information is inserted into the LSB of all pixel values of the content original image.

Next, the secret key module 410 of the encryption and decryption unit 400 of the control unit 250 generates a secret key for encryption in step S140. Here, the secret key may be generated using a biosignal. The user device 200 may further include a biosignal sensor for collecting the biosignal. For example, biometric signals include facial features, speech, fingerprints, irises, retinas, hand geometry, signature mechanics, keying mechanics, lip movements, thermal facial images, thermal hand images, gait, body odor, and the like. The biosignal 200 may further include a biosignal sensor suitable for the type of the biosignal. Such biosignal sensors may exemplify camera sensors, infrared sensors, infrared camera sensors, inertial sensors, touch sensors, audio sensors, haptic sensors, and the like. The secret key module 410 may be an image of a biosignal collected through a biosignal sensor, and may convert the image into a bitstream and use a bitstream of a predetermined length among the bitstreams of the biosignal as a secret key.

Then, the secret key module 410 of the encryption / decryption unit 400 divides the secret key generated in step S150 into a plurality of secret key pieces according to Equation 1 above, and divides the plurality of secret key pieces into a communication unit ( Through 210, the plurality of virtual machines or the plurality of authentication devices 300 of the cloud server 100 is distributed and stored in k devices. Also, if necessary, the second user devices 202 are provided with connection addresses of k devices. This will be described in more detail. 8 is a flowchart illustrating a method of distributing and storing a secret key fragment according to an embodiment of the present invention. 8 is for explaining the step S150 in more detail.

Referring to FIG. 8, the control unit 250 generates k secret key pieces from the secret key in step S151, and then, among the cloud server 100 and the plurality of authentication devices 300 through the communication unit 210 in step S152. A secret key fragment storage request message including a secret key fragment is sent to a predetermined number of devices. According to an embodiment of the present invention, the cloud server 100 accommodates a plurality of secret key pieces through a virtual machine. Therefore, the controller 250 may transmit a secret key fragment storage request message including a plurality of secret key fragments to the cloud server 100. Also, each of the plurality of authentication devices 300 accommodates one secret key piece per authentication device 300, and the controller 250 includes a secret key including one secret key piece in any one authentication device 300. Send a fragment archive request message.

When the authentication device 300 receives the secret key piece storage request message, the control unit 350 of the authentication device 300 has a storage space for storing one secret key piece for a predetermined time in the storage unit 340. Allocate a private key fragment in the allocated storage space. Then, the control unit 350 transmits the access address for accessing the secret key fragment stored in the storage module 340 to the first user device 201 through the communication module 110 in step S153. At this time, the control unit 350 further includes a storage expiration time of the secret key fragment in addition to the access address and transmits it to the first user device 201.

When the cloud server 100 receives the secret key fragment storage request message, the control module 130 of the cloud server 100 generates a virtual machine corresponding to the number of secret key fragments included in the message. At this time, the control module 130 generates a virtual machine by allocating an access address for accessing the virtual machine. Each of the generated virtual machines allocates a storage space for storing the secret key fragment to the storage module 130 and stores the secret key fragment in the allocated storage space. Then, each of the virtual machines of the control module 130 transmits to the first user device 201 an access address for accessing the secret key pieces stored by each of the virtual machines through the communication module 110 in step S153. . At this time, since the control module 130 creates and then extinguishes the virtual machine for a predetermined time, each of the virtual machines of the control module 130 has an access address and an operation expiration time of the corresponding virtual machine, that is, storage expiration of the secret key fragment. The time is further included and transmitted to the first user device 201. As such, one virtual machine operates in the same manner as one authentication apparatus 300. This means that a virtual machine operates as a separate process with separate access addresses and as a separate device on the network that allocates and provides separate storage spaces.

As such, each time the first user device 201 receives a connection address and a storage expiration time for each of a plurality of (eg, k) secret key fragments from each of the plurality of virtual machines and the plurality of authentication devices 300, the first user device 201 In step S155, the control unit 250 allocates a separate channel and session to the access address and storage expiration time for the corresponding secret key fragment among the plurality of (eg, k) secret key fragments through the communication unit 210. Send to user device 202. That is, the access address and the storage expiration time of each of the plurality of secret key fragments are separately transmitted and transmitted through separate channels and sessions.

On the other hand, the key schedule module 420 of the encryption and decryption unit 400 generates a plurality of round keys from the secret key generated by the secret key module 410 in step S160. The encryption module 430 of the encryption / decryption unit 400 performs encryption to convert the plain text content into a cipher text by inputting a plurality of round keys to the round function in step S170.

Next, the controller 250 performs additional encryption using the biosignal in step S180. This step S180 may be selectively performed. 9 is a flowchart illustrating an encryption method using live signal according to an embodiment of the present invention. 9 is for explaining the step S180 in more detail.

The controller 250 receives a biosignal in operation S181. To this end, although not shown, the user device 200 may further include a biosignal sensor for collecting a biosignal. For example, biometric signals include facial features, speech, fingerprints, irises, retinas, hand geometry, signature mechanics, keying mechanics, lip movements, thermal facial images, thermal hand images, gait, body odor, and the like. The biosignal 200 may further include a biosignal sensor suitable for the type of the biosignal.

When the biosignal is input, the control unit 250 binarizes the biosignal in operation S182 and converts the biosignal converted into biometric data in operation S183. In this case, the controller 250 may convert the biometric data according to the Biometric Identification Record (BIR) structure of the Biometric Exchange File Format (CBEFF). Such biometric data has a structure as shown in Table 3 below.

SBH (header) Binary Biosignal (BDB) SB (Signature)

That is, the controller 250 generates a header for classifying the biosignal to the binarized biosignal, and adds a signature to generate biometric data.

Next, the control unit 250 generates a time stamp in step S183. Here, the time stamp is generated by a method negotiated in advance between both the first and second user apparatuses 201 and 202.

Subsequently, the controller 250 encrypts the hash function by inputting the content, the biometric data, and the time stamp as a factor in operation S184. After the above encryption is made, the controller 250 may store the biometric data in the cloud server 100 in step S185.

According to an embodiment of step S185, the controller 250 may request the cloud server 100 to store biometric data. Then, the control module 130 of the cloud server 100 generates a virtual machine, the generated virtual machine allocates a storage space for storing biometric data in the storage module 120, and stores in the allocated space. Then, the control module 130 transmits the access address for accessing the biometric data through the communication module 110 to the first user device 201. In this case, when the biometric data is stored only for a predetermined period, the biometric data may further include a storage expiration time of the biometric data.

According to an alternative embodiment of step S185, at this time, the controller 250 divides the biometric data into a plurality of biometric data pieces by using the above equation (1). Thereafter, the cloud server 100 may request to store a plurality of pieces of biometric data. When the plurality of biometric data fragments are received from the first user device 201, the control module 130 of the cloud server 100 generates a virtual machine corresponding to the number of biometric data fragments included in the message. At this time, the control module 130 generates a virtual machine by allocating an access address for accessing the virtual machine. Each of the generated virtual machines allocates a storage space for storing biometric data fragments to the storage module 130 and stores the biometric data fragments in the allocated storage space. Then, each of the virtual machines of the control module 130 transmits to the first user device 201 an access address for accessing the biometric data pieces stored by each of the virtual machines through the communication module 110. At this time, since the control module 130 generates and then extinguishes the virtual machine for a predetermined time, each of the virtual machines of the control module 130 has an access address and an operation expiration time of the corresponding virtual machine, that is, storage expiration of the biometric data fragment. The time is further included and transmitted to the first user device 201. This means that a virtual machine operates as a separate process with separate access addresses and as a separate device on the network that allocates and provides separate storage spaces.

As described above, when the encryption for the content is completed, the control unit 250 transmits the content to the second user device 202 through the communication unit 210 in step S190. If step S180 is performed, the controller 250 may transmit the time stamp together with the content. In addition, the transmission address may further include a connection address for accessing the biometric data or the biometric data fragment stored in the cloud server 100 and a storage expiration time of the biometric data or the biometric data fragment. As described above, the control unit 250 of the first user device 201 allocates a separate channel and session to the access address and storage expiration time of each of the biometric data or the plurality of biometric data fragments through the communication unit 210 to allocate the second user device. Send to 202. That is, the access address and storage expiration time of each biometric data or a plurality of biometric data fragments are separately transmitted and transmitted through separate channels and sessions.

Next, a method of decrypting the encrypted content (original content) transmitted by the first user device 201 by the second user device 202 will be described. 10 is a flowchart illustrating a method for information security according to an embodiment of the present invention.

The control unit 250 of the second user device 202 receives the content through the communication unit 210 in step S190. If the content is encrypted using the biosignal, the control unit 250 decrypts the biosignal in operation S210. 11 is a flowchart illustrating an encryption method using live signal according to an embodiment of the present invention. 11 is for explaining the step S210 in more detail. Referring to FIG. 11, when encryption is performed using a biosignal, the control unit 250 of the second user device 202 may store the biometric data (or the biometric data fragment) together with the encrypted content through the communication unit 210. Accessible access addresses and timestamps can be received. Accordingly, the controller 250 verifies the time stamp received in step S211. In this case, it is assumed that the time stamp succeeds in verification and the time stamp is a valid time stamp. Next, when the controller 250 accesses the virtual machine of the cloud server 100 to request biometric data (or biometric data fragments) by using the access information in operation S212, the virtual machine transmits the biometric data (or biometric data fragments). ) Is transmitted to the second user device 202. As a result, the controller 250 may receive the biometric data (or the biometric data fragment). In this case, when necessary, that is, when there are a plurality of pieces of biometric data, the controller 250 may restore the biometric data from the plurality of biometric data pieces using Lagrange interpolation.

As such, after verifying the time stamp and receiving the biometric data, the controller 250 inputs the time stamp and the biometric data into the hash function in step S213 to decode the content.

Also, optionally, when the first user device 201 transmits, the control unit 250 of the second user device 202 may include a plurality of virtual machines or a plurality of authentications in which a plurality of secret key pieces have been distributed in step S155. The device 300 may receive connection information of at least n devices of k devices. The control unit 250 collects the secret key fragments from at least n of k devices among the plurality of virtual machines or the plurality of authentication apparatuses 300 in which the plurality of secret key fragments are distributed through the communication unit 210 in step S220. . Here, according to an embodiment, the access information of the n devices may be shared in advance between the first user device 201 and the second user device 202. Alternatively, according to an alternative embodiment, the second user device 202 may receive the access information of the n devices from the first user device 201 in step S155. 12 is a flowchart illustrating a method of collecting secret key pieces according to an alternative embodiment of the present invention. According to the embodiment referring to FIG. 12, the control unit 250 of the second user device 202 may use the virtual machine or the authentication device 300 of the cloud server 100 through the access information previously received at step S221. Sends a request message requesting a secret key fragment Accordingly, if the secret key fragment storage expiration time has not yet passed, the control unit 250 of the second user device 202 through the communication unit 210 in step S222 of the virtual machine or authentication device of the cloud server 100 ( 300 may receive a secret key fragment.

When n is a natural number smaller than k, when n secret key pieces are collected, the control unit 250 of the second user device 202 restores the secret key from the secret key pieces collected through the Lagrange interpolation method in step S230. .

Then, the key schedule module 420 of the encryption and decryption unit 400 of the control unit 250 generates a plurality of round keys from the secret key generated by the secret key module 410 in step S240. In operation S250, the decryption module 440 of the encryption / decryption unit 400 decrypts the ciphertext content into plain text by inputting a plurality of round keys into a round function.

Next, the control unit 250 extracts copyright information from the content in step S260. 13 is a flowchart illustrating a method of extracting copyright information from content according to an embodiment of the present invention. 13 is for explaining the step S260 in more detail. Table 4 below is a source code for implementing an algorithm for extracting copyright information according to an embodiment of the present invention. A method of extracting copyright information according to an embodiment of the present invention will be described in more detail with reference to FIGS. 13 and 4.

Chaotic (Image)
for y <-0 to Image_Height
for x <-0 to Image_Width
lsb <-lsb ^ WC2 [y, x]
if lsb == 1 then
Image (y, x) <-255
else
Image (y, x) <-0
end if
next x
next y

S261: The controller 250 generates a chaotic sequence as shown in Equation 2 above.

S262: The controller 250 performs an XOR operation with the LSB and the chaotic sequence of each pixel in the content in which the copyright information is inserted.

S263: If the result of the calculation, the control unit 250 generates a pixel value of the binary image as 255 when the LSB is 1 and a pixel value of the binary image as 0 when the LSB is 1, and restores the binary image which is copyright information.

Next, the control unit 250 converts the content of the image file format such as JPG, PNG, BMP to a document file format such as PPT, HWP, PDF in step S270. Thus, the control unit 250 of the second user device 202 can use the content converted to the document file format in step S280.

14 to 17 are diagrams for describing an information security method according to an embodiment of the present invention. 14 and 15 are diagrams for explaining an encryption scheme using a secret key, FIG. 16 is a diagram for explaining a method of inserting copyright information, and FIG. 17 is for explaining biometric data according to an embodiment of the present invention. It is for the drawing.

The copyright information insertion and extraction technique in the form of an image using a chaotic map according to an embodiment of the present invention fits the size of the copyright information image with the original image, converts the binary information into a binary image, and then encrypts the image using a chaotic map. Secure copyright information can be inserted. According to the present invention, since the copyright information is inserted in the LSB of the original image, the distortion of the original image can be minimized.

On the other hand, the methods described in the embodiments of the present invention described above may be implemented in a program form readable through various computer means may be recorded on a computer-readable recording medium. Here, the recording medium may include a program command, a data file, a data structure, etc. alone or in combination. Program instructions recorded on the recording medium may be those specially designed and constructed for the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts. For example, the recording medium may be magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs, DVDs, or magnetic-optical media such as floptical disks. magneto-optical media, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions may include high-level language wires that can be executed by a computer using an interpreter as well as machine language wires such as those produced by a compiler. Such hardware devices may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

While the invention has been described using some preferred embodiments, these embodiments are illustrative and not restrictive. As such, those of ordinary skill in the art will appreciate that various changes and modifications may be made according to equivalents without departing from the spirit of the present invention and the scope of rights set forth in the appended claims.

100: cloud server 110: communication module
120: storage module 130: control module
200: user device 210: communication unit
220: input unit 230: display unit
240: storage unit 250: control unit
300: authentication device 310: communication unit
320: input unit 330: display unit
340: storage unit 350: control unit
400: encryption and decryption unit 410: secret key module
420: key schedule module 430: encryption module
440: decoding module

Claims (6)

In an information security system,
A plurality of physically separated authentication devices;
Cloud servers comprising a plurality of virtual machines logically divided to perform the function of the authentication device; And
When a secret key is generated and k is a natural number, the secret key is divided into k secret key pieces, and the k secret key pieces are included among the plurality of devices including the plurality of authentication devices and the plurality of virtual machines. A first user device for distributing and transmitting to k devices, generating a round key using the secret key, encrypting content using the round key and a round function, and transmitting the encrypted content to a second user device. Information security system comprising a. The method of claim 1,
When n is a natural number smaller than k, collecting secret key pieces from at least n of the k devices, recovering the secret key from secret key pieces collected through Lagrange interpolation, and using the secret key And a second user device generating a decryption key and restoring contents by using the decryption key and a round function. In the information security method of the information security system,
Converting, by the first user device, content in a document file format into content in an image file format;
Generating, by the first user device, a secret key;
when k is a natural number,
The first user device
Equation

Dividing the secret key into k pieces of secret keys; And
K devices among a plurality of devices including a plurality of authentication devices physically divided into the k secret key pieces and a plurality of virtual machines of a cloud server that are logically divided to perform functions of the authentication device Distributing to and transmitting the same;
Generating, by the first user device, a round key using the secret key;
Encrypting, by the first user device, content using the round key and the round function; And
And transmitting, by the first user device, the content to a second user device. delete The method of claim 3,
After transmitting the content to a second user device,
when n is a natural number less than k,
Collecting, by the second user device, a secret key fragment from at least n of the k devices;
Restoring the secret key from the secret key pieces collected through Lagrangian interpolation;
Generating a decryption key using the secret key; And
And restoring content using the decryption key and the round function. A computer-readable recording medium having recorded thereon a program for performing the information security method according to any one of claims 3 and 5.

Images