KR102130321B1 - Method and apparatus for authentication without installation - Google Patents

Abstract

An authentication service system for user authentication is disclosed. According to the present invention, a non-installation client device executes an authentication security module and a user screen webpage through a web browser. A web server provides the user screen web page to a non-installable client, receives information on an authentication service selected among one or more authentication services from the non-installable client, and transmits information on the selected authentication service to an authentication server. The one or more authentication services include authentication certificate mobile terminal electronic signature, authentication certificate mobile terminal storage, and authentication certificate transmission.

Description

METHOD AND APPARATUS FOR AUTHENTICATION WITHOUT INSTALLATION}

The following embodiments relate to an authentication service device and a method therefor, and to an apparatus and method for performing authentication for a user without requiring installation on a user computer.

Electronic commerce has been actively conducted in recent years with the development of IT technology. In e-commerce, the damage caused by the leakage of personal information such as phishing continues. Therefore, the importance of authentication for the user, who is the principal of the transaction, is emerging.

Various authentication methods are widely used in authenticating users, and user-friendly authentication methods have been developed and used in terms of users.

In addition, in order to solve the security problems of the authentication method itself, or to provide a user-friendly authentication method from the user's perspective, the Financial Supervisory Service and other management organizations provide specific functions in the authentication method or exclude specific methods. There are cases in which conditions are required through laws and regulations.

For example, specific methods such as installation of ActiveX or other programs may be prohibited by supervisory authorities such as the Financial Supervisory Service.

Under these circumstances, it is necessary to provide an authentication method that satisfies the needs of the user and does not deviate from restrictions by laws and regulations.

In relation to the authentication of the user, Korean Patent Registration No. 10-1348079 (name: electronic signature system using a mobile terminal) has been disclosed.

One embodiment may provide an apparatus and method for processing authentication for a user based on a web service.

In one aspect, the processor for executing a non-installation authentication service in a web browser; And a communication unit that handles communication of the non-installed authentication service, wherein the non-installed authentication service is executed by a certified authentication security module, and displays a user screen web page using a web script provided by a web server. A non-installed client device is provided.

The authorized authentication security module and the web script may be provided through the web.

The accredited authentication security module and the web script may be non-installable, which does not require file installation.

To the user screen web page, an event selected by the user may be input from at least one event of an event of a request for signing of a mobile certificate of a public certificate, an event of a request of sending a public certificate, and an event of a request of storing a public certificate.

Authentication service information may be input to the user screen web page.

The authentication service information may include a mobile phone number and mobile operator information.

The user screen web page may be a device-independent responsive web page showing a constant screen regardless of the type of operating system of the non-installed client device and the type of the web browser.

The web script may receive a set value and event through a call of the authorized authentication security module, and transmit the set value and event to the user screen web page through a communication application programming interface (API).

The setting value may include affiliate identification information, security module identification information, and security identification information.

The event may include an event of a request for signing a mobile terminal for a public certificate, an event for a request for sending a public certificate, and an event for a request for storing a mobile terminal for a public certificate.

The web script receives a result value of an electronic signature generated by a mobile terminal certificate service app of a mobile terminal from a user screen web page through a communication API, and transmits the result value of the electronic signature to the authorized authentication security module. You can authenticate.

The user screen web page may receive a result of storing a public certificate from a mobile terminal certificate service app of a mobile terminal, and may transmit the result of storing the public certificate to the public authentication security module through a communication API.

The mobile terminal may provide one or more authentication services related to authentication for a user.

The one or more authentication services may include digital signing of a public certificate mobile terminal, storage of a public certificate mobile terminal, and transmission of a public certificate.

When one of the one or more authentication services is selected by the user of the non-installed client device, the user screen web page makes a request for the selected authentication service through Hypertext Transfer Protocol Secure (HTTPS) communication. It can be transmitted to the web application of the web server.

The web script may provide an API for transferring information from a certified authentication security module to a web script for each of the one or more authentication services.

The information of the channel, the information of the authorized authentication security module and the information of the keyboard security can be created in the web script.

The API may not include parameters of the channel information, the authentication authentication security module information, and the keyboard security information.

The authorized authentication security module may call a function of the web script to request a selected authentication service, and receive a signature value of an electronic signature using a callback function set as a parameter of the function.

The authorized authentication security module may call a function of the web script for a request of a selected authentication service, and receive completion of storage of a public certificate mobile terminal by using a callback function set as a parameter of the function.

In another aspect, the mobile terminal for providing an authentication service in conjunction with a non-installable client device, comprising: a processor that checks an SMS message or a push message sent from an authentication server and then executes a mobile terminal authentication service app; And a communication unit for processing communication of the mobile terminal certificate service app, wherein the mobile terminal certificate service app transmits a result value of an electronic signature to a user screen web page of a non-installed client device.

When information for generating a secret key is output to the user screen web page, and information for generating a secret key is output to the mobile terminal certificate service app, information for generating a secret key displayed on the user screen web page and the mobile Whether the information for generating the secret key output to the terminal certificate service app matches can be confirmed by the user.

When a portion of the information for generating the secret key is output on the user screen web page, a portion of the information for generating the secret key displayed on the user screen web page may be input by the user to the mobile terminal certificate service app.

In another aspect, an authentication service system for providing user authentication to a non-installed client, comprising: a web server; And an authentication server, wherein the web server provides a user screen web page to the non-installed client via the web, receives information of an authentication service selected from one or more authentication services from the non-installed client, and is selected. An authentication service system is provided that transmits information of an authentication service to the authentication server, and the authentication server transmits information of the selected authentication service to a mobile terminal.

The one or more authentication services may include digital signing of a public certificate mobile terminal, storage of a public certificate mobile terminal, and transmission of a public certificate.

The mobile terminal storage of the public certificate may be to store the public certificate to the USIM of the mobile terminal or to store the public certificate in a memory in the mobile terminal certificate service app installed in the mobile terminal.

The public certificate mobile terminal digital signature uses the public certificate stored in the memory in the USIM or the mobile terminal certificate service app to digitally sign the user's digital signature for the electronic signature text received from the non-installed client's public authentication security module. It can be provided.

The authentication certificate transmission may be to authenticate a user through transmission of the authentication certificate stored in the mobile terminal.

The authentication server may automatically branch to the selected authentication service.

The authentication server may branch to a public certificate mobile terminal electronic signature mode if the selected authentication service is the public certificate mobile terminal electronic signature.

The authentication server may branch to a public certificate mobile terminal storage mode if the selected authentication service is the public certificate mobile terminal storage.

The authentication server may branch to a public certificate transmission mode if the selected authentication service is the public certificate transmission.

The request for the selected authentication service may be sent by one of the non-installed client device and the installed client device.

In the authentication server, branching may be automatically performed according to the type of client device that has transmitted the selected authentication service.

The authentication server may generate information for generating a secret key.

Information for generating the secret key may be output from a user screen web page of the non-installed client.

All or part of the information for generating the secret key may be output from the mobile terminal certificate service app of the mobile terminal.

The authentication server may relay information transmitted between the web application of the web server and the mobile terminal certificate service app for verification of the secret key and sharing of a session key.

An apparatus and method for processing authentication for a user based on a web service are provided.

1 shows an authentication service system according to an embodiment.
2 is a block diagram of a non-installed client device according to an embodiment.
3 is a block diagram of a web server according to an embodiment.
4 is a block diagram of an authentication server according to an embodiment.
5 is a block diagram of a mobile terminal according to an embodiment.
6 is a signal flow diagram illustrating the operation of the authentication service system according to an embodiment.
7 is a signal flow diagram illustrating an operation of key acquisition of an authentication service system for key acquisition according to an embodiment.
8 is a signal flow diagram illustrating an operation of data transmission in an authentication service system according to an embodiment.
9 is a signal flow diagram illustrating the operation of an electronic signature of a public certificate mobile terminal in an authentication service system according to an embodiment.
10 is a signal flow diagram illustrating an operation of storing an authorized certificate mobile terminal in an authentication service system according to an embodiment.
11 is a signal flow diagram illustrating the operation of the authentication certificate transmission of the authentication service system according to an embodiment.
12 shows a configuration of an authentication service system according to an example.
13 illustrates a program configuration of an authentication service system according to an embodiment.

For a detailed description of the present invention, which will be described later, reference is made to the accompanying drawings that illustrate, by way of example, specific embodiments in which the present invention may be practiced. These examples are described in detail enough to enable those skilled in the art to practice the present invention. It should be understood that the various embodiments of the invention are different, but need not be mutually exclusive. For example, certain shapes, structures, and properties described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in relation to one embodiment. In addition, it should be understood that the location or placement of individual components within each disclosed embodiment can be changed without departing from the spirit and scope of the invention. Therefore, the following detailed description is not intended to be taken in a limiting sense, and the scope of the present invention, if appropriately described, is limited only by the appended claims, along with all ranges equivalent to those claimed. In the drawings, similar reference numerals refer to the same or similar functions across various aspects.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings in order to enable those skilled in the art to easily implement the present invention.

1 shows an authentication service system according to an embodiment.

The authentication service system 100 may include at least one of a non-installed client device 110, a web server 120, an authentication server 130, a mobile terminal 140, and an installed client device 190.

The non-installable client device 110, the web server 120, the authentication server 130, the mobile terminal 140, and the installed client device 190 may interwork with each other to provide an authentication service.

The client device may include a non-installed client device 110 and an installed client device 190.

The non-installable client device 110 may be a client device with a web browser installed. For example, a web browser may support HTL 5 and provide an authentication service through HTML 5. Alternatively, the web browser may support legacy HTML versions that are legacy, and provide authentication services through the previous HTML versions.

The non-installable client device 110 may be a client device that does not require installation of a dynamic link library (DLL) to provide an authentication service. In other words, the non-installable client device 110 may be a client device that provides an authentication service through a web browser supporting HTML 5 or the like. For example, a certified authentication security module of the non-installed client device 110 may be provided from the web server 120.

The installation-type client 190 device may be a client device that requires installation of a DLL or the like in order to provide an authentication service. For example, the certified authentication security module of the installable client 190 may be installed in the installable client 190 in the form of a DLL.

The user may be provided with a predetermined service through the client device. For example, a user may be provided with Internet service, web service, etc. through a client device. In addition, the user can use the mobile terminal 140. Hereinafter, the user of the client device 110 and the user of the mobile terminal 140 may mean the same person. In addition, in the following description, the user of the client device and the user of the mobile terminal 140 may be used interchangeably. In other words, the user can use his client device and mobile terminal 140 to use the authentication service.

The client device includes a personal computer (PC), a laptop computer, a mobile phone, a tablet PC, navigation, a smart phone, and personal digital assistants (PDA) digital video broadcasting. ; DVB), smart televisions and communication devices such as set-tops.

In providing a service, authentication for a user may be required. The user may use the client device and mobile terminal 140 for authentication to the user.

The web server 120 may provide a user screen web page to the non-installed client 110 and execute a web application for user authentication. The web server 120 may receive information of the selected authentication service from the non-installed client 110 and may transmit information of the selected authentication service to the authentication server 130.

The authentication server 130 may transmit the selected authentication service information to the mobile terminal 140.

The authentication service system 100 and the mobile terminal 140 may provide one or more authentication services related to authentication for a user. The one or more authentication services may include 1) digital signing of a public certificate mobile terminal, 2) storage of a public certificate mobile terminal, and 3) transmission of a public certificate.

The storage of the public certificate mobile terminal may be storing the public certificate in the USIM of the mobile terminal 140 or the public certificate in a memory in the mobile terminal certificate service app. The digital certificate mobile terminal digital signature may be to provide a user's digital signature for the original digital signature received from the public authentication security module using a public certificate stored in a memory in the USIM or mobile terminal certificate service app. The public certificate electronic terminal electronic signature public certificate transmission may be to authenticate the user through the transmission of the public certificate stored in the mobile terminal 140.

When the information of the selected authentication service is transmitted, the mobile terminal certificate service app of the mobile terminal 140 may automatically branch to the selected authentication service.

For example, the mobile terminal certificate service app may branch to the public mobile terminal digital signature mode if the selected authentication service is a public digital certificate mobile terminal. The mobile terminal certificate service app may branch to the authorized certificate mobile terminal storage mode if the selected authentication service is a public certificate mobile terminal storage. In addition, when a public certificate is stored in the USIM storage mode in the mobile terminal storage of the public certificate, the mobile terminal certificate service app may branch to the USIM storage mode, and in the public storage of the mobile terminal certificate, the public certificate is stored in the memory in the mobile terminal certificate service app. In this case, the mobile terminal certificate service app may branch to the mobile terminal certificate service app storage mode. The mobile terminal certificate service app may branch to a public certificate transmission mode when the selected authentication service is a public certificate transmission.

The selected authentication service may be transmitted by one of the non-installed client device 110 and the installed client device 120. In the mobile terminal certificate service app of the mobile terminal 140, branching may be automatically performed according to the type of the client device that has transmitted the selected authentication service.

When the information of the selected authentication service is transmitted and branching is performed according to the selected authentication service, the mobile terminal certificate service app of the mobile terminal 140 selects an authentication service selected from one or more authentication services provided by the mobile terminal certificate service app. It can be provided automatically.

In the provision of the authentication service, interaction between the non-installable client device 110, the web server 120, the authentication server 130, and the mobile terminal 140 may be made.

The functions and operations of the non-installable client device 110, the web server 120, the authentication server 130, and the mobile terminal 140 for the authentication service are described in more detail in the following embodiments.

2 is a block diagram of a non-installed client device according to an embodiment.

The non-installed client device 110 may include a processor 210, a memory 220, and a communication unit 230.

The processor 210 can execute a program. The memory 220 may store programs.

The program may include a web browser.

The processor 210 can execute a non-installation authentication service in a web browser.

The communication unit 230 may receive data or information from another external device, and may transmit data or information to another external device.

The communication unit 230 may process communication of a web browser.

The communication unit 230 may process communication of a non-installation type authentication service.

The web browser can run a certified authentication security module.

The non-installed authentication service can be implemented by an accredited authentication security module.

Hereinafter, a web browser is provided to provide a non-installation authentication service, and functions executed, provided, and processed by the web browser may be considered to be executed, provided, and processed by the non-installation authentication service.

The web browser can load a user screen web page provided by the web server 120. The web browser can display a user screen web page using a web script provided by the web server 120.

The certified authentication security module and the user screen web page may provide one or more authentication services related to authentication for the user. The one or more authentication services may include 1) digital signing of a public certificate mobile terminal, 2) storage of a public certificate mobile terminal, and 3) transmission of a public certificate.

The user screen web page may provide an interface for selecting a public certificate and inputting a password for the public certificate to a user of the non-installable client device 110, and receiving a public certificate selection and a public certificate password from the user Can.

3 is a block diagram of a web server according to an embodiment.

The web server 120 may include a processor 310, a memory 320, and a communication unit 330.

The processor 310 may execute a program. The memory 320 can store a program.

The program may include a web application.

The communication unit 230 may receive data or information from another external device, and may transmit data or information to another external device.

The communication unit 230 may process communication of a web application.

The web server may provide a user screen web page to the non-installation terminal 110 through a web service.

4 is a block diagram of an authentication server according to an embodiment.

The authentication server 130 may include a processor 410, a memory 420, and a communication unit 430.

The processor 410 may execute a program. The memory 420 can store a program.

The communication unit 430 may receive data or information from another external device, and may transmit data or information to another external device.

The authentication server may provide one or more authentication services related to authentication for a user. The one or more authentication services may include 1) digital signing of a public certificate mobile terminal, 2) storage of a public certificate mobile terminal, and 3) transmission of a public certificate.

5 is a block diagram of a mobile terminal according to an embodiment.

The mobile terminal 140 may include a processor 510, a memory 520, and a communication unit 530.

The processor 510 may execute a mobile program. The memory 520 may store a mobile program. The memory 520 may be an internal memory of the mobile terminal 140. Alternatively, the memory 520 may be a memory mounted in the mobile terminal 140 such as a memory card.

The mobile program may include a mobile terminal certificate service app.

When the specified condition is satisfied, the processor 510 may execute a mobile program such as a mobile terminal certificate service app.

For example, the processor 510 may execute the mobile terminal authentication service app when an SMS message or a push message is received from the authentication server 130. After checking the SMS message or the push message sent from the authentication server 130, the processor 510 may execute the mobile terminal authentication service app.

The communication unit 530 may receive data or information from another external device, and may transmit data or information to another external device.

The communication unit 530 may process communication of the mobile terminal certificate service app.

The mobile terminal 140 may be equipped with a mobile USIM 540. Alternatively, the mobile terminal 140 may include a mobile USIM 540.

The mobile terminal certificate service app may provide one or more authentication services related to authentication of a user of the mobile terminal 140. The one or more authentication services may include 1) digital signing of a public certificate mobile terminal, 2) storage of a public certificate mobile terminal, and 3) transmission of a public certificate.

Mobile USIM 540 may provide a USIM security token. The USIM security token can be a security token with a security module in the mobile USIM 540. Hereinafter, the USIM security token may be abbreviated as a security token. Mobile USIM 540 may be abbreviated as USIM. The mobile terminal certificate service app can store a public certificate in the USIM security token.

The mobile terminal 140 or the operating system of the mobile terminal 140 may install and manage a mobile terminal certificate service app that provides one or more authentication services as a single application.

As various authentication services are provided by the mobile terminal certificate service app, the user can be provided with the authentication services required by the user through the mobile terminal 140 that he or she always carries, and installs and manages applications for each authentication service. Discomfort can be resolved. In addition, a unified user interface and user experience for various authentication services may be provided through a mobile application.

In addition, as various authentication services are provided by a single mobile terminal certificate service app, storage space problems and security problems according to application installation can be solved.

6 is a signal flow diagram illustrating the operation of the authentication service system according to an embodiment.

In step 610, the web browser of the non-installed client device 110 may output a screen of a certified authentication security module provided by the non-installed client device 110. The screen of the public authentication security model may be composed of HTML.

The screen of the certified authentication security module may include at least one authentication method for the user. In other words, the screen of the certified authentication security module may output a list of at least one authentication method available to the user.

The user may select one of the output at least one authentication method, and the selected authentication method may be input to the non-installable client device 110.

The user may select a mobile phone authentication among at least one of the output authentication methods. Hereinafter, the process of mobile phone authentication will be described.

When mobile phone authentication is selected, in steps 615, 620, and 625, the web script of the web script file included in the certified authentication security module displays the user screen web page provided by the web server 120. You can call it with a web browser.

The user screen web page may be a device-independent, responsive web page that shows a constant screen regardless of the type of operating system (OS) of the non-installable client device 110 and the type of web browser. Here, the responsive web page may be a web page that is optimally adjusted according to the type of device and the type of web browser.

In step 615, the web script of the web script file may request the user screen web page from the web server 120.

In step 620, the web server 120 may transmit the user screen web page to the non-installed client device 110.

In step 625, the web browser of the non-installed client device 110 may load the user screen web page.

When the user screen web page is invoked, parameters can be passed from the web script or from an authorized authentication security module to the user screen web page. The parameter may be transmitted through communication API communication among HTML5 web application programming interfaces (APIs).

The domain of the current web page of the web browser of the non-installed client device 110 and the domain of the user screen web page may be different. As domains are different, a cross-domain problem in which events are not transmitted between different domains may occur. This problem can be solved through the communication API communication of the HTML5 web API described above.

The parameters may include the phone number of the mobile terminal 140, affiliate channel information, and a security module code.

Affiliate channel information may be an identifier of an affiliate. The affiliate channel information may indicate which affiliate's web page is the current web page of the web browser of the non-installed client device 110.

The affiliate may be a subject providing a predetermined service provided through the non-installed client device 110. Alternatively, the affiliate may be a subject using an authentication service. For example, the affiliates may be financial companies, public institutions and securities companies.

The security module code may be an identifier of a certified authentication security module.

In step 630, the user may select one of the one or more authentication services displayed on the user screen web page, and input authentication service information. The selected authentication service and the entered authentication service information may be input to a user screen web page.

The one or more authentication services may include 1) digital signing of a public certificate mobile terminal, 2) storage of a public certificate mobile terminal, and 3) transmission of a public certificate. The storage of the public certificate mobile terminal may be storing the public certificate in the USIM of the mobile terminal 140 or the public certificate in a memory in the mobile terminal certificate service app.

By this selection, an event selected by the user is input to at least one event of an event of a request of a public certificate mobile terminal signature, a request of a public certificate transmission, and an event of a request of a public certificate mobile terminal storage as a user screen web page. Can be.

When the event of the request for the signing of the mobile terminal of the public certificate is input, the authentication service of the digital terminal of the public certificate mobile terminal may be performed.

When an event for requesting the transmission of the public certificate is input, an authentication service for sending the public certificate may be performed.

When the event of the request for storing the mobile terminal of the public certificate is input, an authentication service of storing the mobile terminal of the public certificate may be performed.

The case where the electronic certificate of the mobile terminal is selected is described in detail with reference to FIGS. 8 and 9. The case where the storage of the public certificate mobile terminal is selected will be described in detail with reference to FIGS. 8 and 10.

The authentication service information may include a phone number of the mobile terminal 140 and mobile carrier information.

In step 635, the user screen web page may deliver the selected authentication service request to the web application program of the web server 120.

The request for the authentication service may include authentication service information.

The request for the authentication service may be to request an authentication service selected by a user among one or more authentication services.

The user screen web page may transmit a request of the selected authentication service to a web application of the web server 120 through Hypertext Transfer Protocol Secure (HTTPS) communication.

HTTPS communication can be asynchronous. As the request of the selected authentication service is transmitted through HTTPS communication, the user screen web page may process a user event without being blocked even though a connection with a web application is being performed. User screen web pages and web applications can communicate using HTTPS communication. Secure Socket Layer (SSL) may be applied to HTTPS.

In step 640, when a request for the selected authentication service including authentication service information is received, the web application may create a separate session for the user.

The web application program may access the authentication server 130 by sending a connection request to the authentication server 130.

The connection request may include authentication service information.

The request for the selected authentication service may be sent by one of the non-installed client device 110 and the installed client device 120. In step 640, the authentication server 130 may automatically branch to the selected authentication service according to the type of client device.

In step 640, the authentication server 130 may automatically branch to the selected authentication service. For example, if the selected authentication service is a public certificate mobile terminal electronic signature, the authentication server 130 may branch to the public certificate mobile terminal electronic signature mode, and then steps 910 and 920 of FIG. 9 may be performed. have. For example, if the selected authentication service is a public certificate mobile terminal storage, the authentication server 130 may branch to a public certificate mobile terminal storage mode, and then steps 1010, 1020, and 1030 of FIG. 10 may be performed. have. In addition, when a public certificate is stored in the USIM storage mode in the mobile terminal storage of the public certificate, the authentication server 130 may branch to the USIM storage mode, and the public certificate is stored in the memory in the mobile terminal certificate service app in the mobile storage of the public certificate. In this case, the authentication server 130 may branch to the mobile terminal certificate service app storage mode. For example, if the selected authentication service is a public certificate transmission, the authentication server 130 may branch to the public certificate transmission mode.

The digital signature may be made in one of one or more digital signature schemes. The one or more digital signature schemes may include an in-app digital signature scheme, a USIM security token digital signature scheme, and a trust zone digital signature scheme.

The authentication server 130 may automatically branch to the selected electronic signature method.

In step 645, the authentication server 130 may transmit the connection request to the mobile terminal certificate service app of the mobile terminal 140 using the authentication service information. Alternatively, as the connection request is transmitted to the mobile terminal 140, the mobile terminal certificate service app may be executed, and the connection request may be transmitted to the mobile terminal certificate service app.

The connection request may be a URL (URL) text message or a push notification message. The connection request may include an installation guide message or an execution guide message.

The authentication server 130 may generate and transmit an access request to be transmitted to the mobile terminal certificate service app of the mobile terminal 140 using the authentication service information. Here, the authentication service information may be a phone number of the mobile terminal 140.

In step 650, when a connection request is received, the mobile terminal certificate service app may access the authentication server 130. The mobile terminal certificate service app may transmit the phone number of the mobile terminal 140 to the authentication server 130, and a connection between the mobile terminal 140 and the non-installable client 110 may be made through the delivery of the phone number. .

Steps of key acquisition, which will be described later with reference to FIG. 7 after step 650, may be performed.

7 is a signal flow diagram illustrating an operation of key acquisition of an authentication service system for key acquisition according to an embodiment.

Step 710 can be performed after step 650.

In step 710, the authentication server 130 may generate information for generating a secret key. The secret key can be used to encrypt the public key

In step 715, the authentication server 130 may transmit information for generating a secret key to the mobile terminal certificate service app of the mobile terminal 140 and the web application program of the web server 120.

In step 720, the mobile terminal certificate service app of the mobile terminal 140 may output all or part of the information for generating the secret key.

In step 725, as the information for generating the secret key is transmitted to the web application, information for generating the secret key may be output from the user screen web page. Alternatively, the user screen web page may output a key confirmation screen. In the key confirmation screen, information for generating a secret key may be output.

The web application may send a key confirmation request to the user screen web page. The key confirmation request may include a part of key generation information. As a key confirmation request is received, the user screen web page may output a key confirmation screen.

In step 730, it may be checked whether the information for generating the secret key is matched by the user.

Whether the information for generating the secret key output on the user screen web page and the information for generating the secret key output on the mobile terminal certificate service app match can be checked by the user.

For example, a confirmation that the information for generating the secret key output on the user screen web page and the information for generating the secret key output on the mobile terminal certificate service app match may be input by the user to the mobile terminal certificate service app. . The user screen web page may receive a confirmation of a part of the key generation information from the user through the outputted key confirmation screen.

Alternatively, a part of the information for generating the secret key output on the user screen web page may be input to the mobile terminal certificate service app by the user.

When a part of the information for confirming or generating the secret key is input, a message for proceeding to step 740 may be transmitted from the mobile terminal certificate service app to the web application.

In step 740, when information for verification or secret key generation is input, each of the web application and the mobile terminal certificate service app may generate a secret key using the information for secret key generation. The secret keys generated in each of the web application program and the mobile terminal certificate service app may be the same.

In step 745, the web application can generate a key pair for sharing the session key. The session key can be a disposable key. The session key may be a key that is generated differently each time. In other words, each time a use of the session key is required, different session keys can be used.

Hereinafter, information may be transmitted between a web application program of the web server 120 and a mobile terminal certificate service app of the mobile terminal 140 for sharing a session key. The authentication server 130 may relay information transmitted between the web application and the mobile terminal certificate service app for verification of the secret key and sharing of the session key.

The key pair can include a public key and a private key.

In step 750, the web application may generate an encrypted public key by encrypting the public key using a secret key.

In step 755, the web application may transmit the encrypted public key to the mobile terminal certificate service app of the mobile terminal 140 through the authentication server 130.

In step 760, the mobile terminal certificate service app may obtain the public key by decrypting the public key encrypted using the secret key.

In step 765, the mobile terminal certificate service app may transmit the result of obtaining the public key to the web application through the authentication server 130.

The above results may include 1) whether a public key has been obtained (or generated), 2) the obtained public key, and 3) confirmation that the public key has been obtained.

In step 770, the mobile terminal certificate service app may generate a session key.

In step 775, the mobile terminal certificate service app may generate an encrypted session key by encrypting the session key using the public key.

In step 780, the mobile terminal certificate service app may transmit the encrypted session key to the web application through the authentication server 130.

In step 785, the web application may obtain the session key by decrypting the encrypted session key using the private key.

In step 790, the web application may transmit the result of obtaining the session key to the mobile terminal certificate service app through the authentication server 130.

The above results may include 1) whether a session key has been obtained (or generated), 2) the obtained session key, and 3) confirmation that the session key has been obtained.

After the step 790, steps of data transmission to be described with reference to FIG. 8 may be performed.

8 is a signal flow diagram illustrating an operation of data transmission in an authentication service system according to an embodiment.

In step 810, the mobile terminal certificate service app may generate encrypted data by performing encryption of the data using the session key.

In step 820, the mobile terminal certificate service app may transmit the encrypted data resulting from the authentication service to the user screen web page of the non-installed client 110.

Steps 810 and 820 may perform other operations according to the above-described authentication service. 9 shows a case in which the selected authentication service is 1) an electronic certificate of a public certificate. 10 shows a case in which the selected authentication service is 2) an accredited certificate mobile terminal storage. 11 shows a case in which the selected authentication service is 3) a public certificate transmission.

9 is a signal flow diagram illustrating the operation of an electronic signature of a public certificate mobile terminal in an authentication service system according to an embodiment.

The digital signature may be made in one of one or more digital signature schemes. The one or more digital signature schemes may include an in-app digital signature scheme, a USIM security token digital signature scheme, and a trust zone digital signature scheme. In the following, the USIM security token electronic signature delivery method is described with reference to FIG. 9.

For electronic signatures, biometric information, including the password of a public certificate or the user's fingerprint, can be used.

The authentication service selected in step 630 may be a digital mobile terminal of a public certificate. The selected digital signature scheme may be a USIM security token digital signature delivery scheme.

First, the mobile terminal certificate service app of the mobile terminal 140 may perform security token authentication. The mobile terminal certificate service app may transmit a notification of the completion of the security token authentication to the user screen web page. The mobile terminal certificate service app may transmit a request for a result value of the electronic signature to the mobile terminal certificate service app.

The request for the result value of the electronic signature may include signature data. The signature data can be the subject of an electronic signature.

Step 810 can include step 910.

Next, in step 910, the mobile terminal certificate service app may perform an electronic signature using a public certificate stored in the USIM according to the user's selection.

In performing the electronic signature, the electronic signature text requested by the certified authentication security module may be delivered to the mobile terminal 140 through the web application and the authentication server 130 of the web server 120, and the delivered electronic An electronic signature can be made in the mobile terminal 140 using the original signature.

The signature value of the electronic signature may be a result of applying the electronic signature to the signature data.

The signature value of the digital signature, the result value of the digital signature and the public certificate can be encrypted with the session key.

Step 820 can include step 920.

In step 920, the mobile terminal certificate service app may transmit the signature value of the electronic signature encrypted with the session key, the result value of the electronic signature, and a public certificate to the user screen web page through the authentication server 130 and the web application. . The user screen web page may transmit the signature value of the electronic signature, the result value of the electronic signature, and the public certificate to the public authentication security module through the communication API.

The signature value of the electronic signature encrypted with the session key, the result value of the electronic signature, and the public certificate are secure sockets layer from the mobile terminal certificate service app to the user screen web page through the TCP/IP protocol. SSL) can be encrypted and transmitted end-to-end (E2E).

When the result value of the electronic signature is transmitted to the non-installed client device 110, the non-installed client device 110 may then transmit the result value of the electronic signature to the server performing authentication for the user. The server may perform authentication for the user of the non-installed client device 110 using the result value of the electronic signature, and may transmit the result of the authentication for the user to the non-installed client device 110. A non-installed client device 110 may receive a result of authentication for a user, and output a result of authentication for a user.

In one embodiment, when the selected digital signature method is an in-app electronic signature delivery method, the mobile terminal certificate service app may perform digital signature using a public certificate stored in a memory in the mobile terminal certificate service app.

In one embodiment, when the selected digital signature method is a trusted zone digital signature delivery method, the mobile terminal certificate service app may perform digital signature in the trusted zone using a private key securely stored in the trusted zone. .

10 is a signal flow diagram illustrating an operation of storing an authorized certificate mobile terminal in an authentication service system according to an embodiment.

The authentication service selected in step 630 may be an accredited certificate mobile terminal storage.

Step 810 may include step 1010 and step 1020.

Prior to step 1010, a public certificate and key file may be issued to a non-installed client 110 from a public certificate issuing authority such as a bank.

In step 1010, the user screen web page may transmit the user's public certificate and key file to the mobile terminal certificate service app through the web application and the authentication server 130.

In step 1020, the mobile terminal certificate service app may store a public certificate and key file in a memory selected by the user in the USIM or mobile terminal certificate service app.

Step 820 can include step 1030.

In step 1020, the mobile terminal certificate service app may transmit the result of the accredited certificate storage to the user screen web page through the authentication server 130 and the web application.

In step 1030, the user screen web page may transmit the result of the accredited certificate storage to the accredited authentication security module through the communication API.

11 is a signal flow diagram illustrating the operation of the authentication certificate delivery of the authentication service system according to an embodiment.

The authentication service selected in step 630 may be delivery of a public certificate.

A secure channel may be formed between the user screen web page and the mobile terminal certificate service app. To form a secure channel between the two, random number verification between a user screen web page and a mobile terminal certificate service app may be performed. The random number used in random number verification may be 16 digits.

Step 810 can include step 1110 and step 1120.

In step 1110, the user screen web page may transmit a certificate request to the mobile terminal certificate service app.

In step 1120, the mobile terminal certificate service app may generate an encrypted public certificate by performing encryption on the public certificate of the user stored in the mobile terminal 140.

Step 820 can include step 1130.

In step 1130, the mobile terminal certificate service app may deliver the public certificate to the user screen web page. The delivered public certificate may be an encrypted public certificate.

When the public certificate is delivered, an electronic signature using the public certificate can be made in the public authentication security module.

12 shows a configuration of an authentication service system according to an example.

The authentication service system 100 may be configured by a certified authentication security module, a web script file, a user screen web page, a web application, and an authentication server.

In FIG. 12, the authentication server may indicate the authentication server 130 described above. The mobile terminal may represent the mobile terminal 140 described above.

The public authentication security module may provide a public authentication function. The certified authentication security module can provide a screen for selecting an authentication method, and can provide a screen for other authentication services.

The web script file can be provided by an affiliate of the authentication service.

Certified authentication security modules and web scripts can be non-installed, requiring no file installation, and can be provided via the web.

The web script of the web script file can receive setting values and events through a call of a certified authentication security module.

For example, the event may be the selection of the authentication method and the selection of the authentication service, and the setting value may be the selected authentication method and the selected authentication service.

The web script can transmit setting values and events to a user screen web page through a communication API.

Here, the setting value may include affiliate identification information, security module identification information, and other security identification information.

The event may include an event of a request for signing of a public certificate mobile terminal, an event of a request for sending a public certificate, and an event of a request for storing a public certificate mobile terminal.

When the signature value of the electronic signature and the result value of the electronic signature are generated from the mobile terminal certificate service app installed on the mobile terminal 140, the web script can display the signature value and electronic signature of the electronic signature from the user screen web page through the communication API. The result value may be received, and the signature value of the electronic signature and the result value of the electronic signature may be transmitted to a certified authentication security module.

The web script can display the web page of the user screen in the browser.

The user screen web page may provide a user interface for use of the authentication service system.

For example, the user screen web page may include input of a user's mobile operator, input of a user's phone number, selection of a public certificate when storing a public certificate mobile terminal, input of a password when saving a public certificate mobile terminal, and network security information (serial Number).

For example, the user screen web page may provide a user interface such as displaying the progress of the authentication service, displaying various status messages, and displaying completion of the authentication service.

The user screen web page may transmit a request for digital signing of a mobile terminal of a public certificate and storage of a mobile terminal of a public certificate to a web application through HTTPS communication. The transmitted request for the digital signature of the mobile terminal and the request for storing the public certificate mobile terminal may be transmitted back to the mobile terminal certificate service app.

The user screen web page can process setting values and events transmitted from the web script.

When the signature value of the electronic signature and the result value of the electronic signature are generated from the mobile terminal certificate service app installed on the mobile terminal 140, the user screen web page displays the signature value of the electronic signature and the result value of the electronic signature through the communication API. You can send it as a web script.

The user screen web page can verify the public certificate, which is the object of storage when the public certificate is stored, using the password of the public certificate authenticated by the user.

The web application program can create a session for each user or client device, and performs verification and management.

The web application program may transmit a request for digital signature of the mobile terminal of the public certificate and a request of storing the mobile terminal of the public certificate to the authentication server 130 through TCP communication.

The web application program may transmit network security information (serial number) delivered by the user screen web page to the authentication server 130 through TCP communication.

The web application program may transmit the progress of the authentication service transmitted by the authentication server 130 to the user screen web page through HTTPS communication.

13 illustrates a program configuration of an authentication service system according to an embodiment.

The program of the authentication service system may be composed of a security module unit, an affiliate distribution unit, and a server unit.

The security module unit may be a module distributed and managed by a manufacturer of an accredited authentication security module. The security module unit may be composed of HTML files.

The security module unit may include a file of a certified authentication security module.

The affiliate distribution unit may be a module distributed and managed by an affiliate of the authentication service. The affiliate distribution department may be composed of HTML files, JavaScript files, Cascading Style Sheets (CSS) files, and image files.

The affiliate distribution unit may be provided on an affiliate server. The affiliate server may be the web server 120 described above.

The re-partition distribution unit may include 1) an affiliate.JS file corresponding to a web script file, 2) a TransXPC.html file and image file corresponding to a user screen web page, and 3) other files.

The server unit may be a module distributed and managed by the manufacturer of the authentication server 130. The server unit may include a WebService.dll file.

Table 1 below illustrates the API provided by the web script. The API provided by the web script may be an API for transferring information from the public authentication security module to the web script.

API name function Tranx2pcS API for the execution of digital certificates for mobile devices Tranx2phone API for execution of storage of mobile terminal of public certificate

The web script may provide an API for passing information from a certified authentication security module to a web script for each of the one or more authentication services.

Table 2 below illustrates an affiliate call back function. The affiliate's call back function may be a function in which the public authentication security module receives a digital signature value, a digital signature result value, and a public certificate from a web script.

In other words, the authorized authentication security module may call a function of a web script to request a selected authentication service, and receive a signature value of an electronic signature, etc. using a callback function set as a parameter of the function.

API name function callbackFunc After the signature value of the electronic signature, the result value of the electronic signature, and/or the public certificate are transmitted to the non-installable client 110, the public authentication security module displays the signature value of the electronic signature, the result value of the electronic signature, and/or the public certificate Function
After the execution of callbackFunc, the process of processing the signature value of the electronic signature by the public authentication security module may proceed.

Table 3 below illustrates a web application interworking API. The web application interworking API may be an API for a web script to transmit information to a web application.

API name function InitTranX2PC Entry point for the task of sending a public certificate to the non-installable client 110 InitTranX2Phone Entry point for storing accredited certificates on mobile device 130 WaitPhone Check the connection status of the mobile device 130
Check the connection status by repeating every 1 second AllowSMS On the SMS consent screen, the consent is sent to the web server 120 SecureNum Send the serial number entered by the user
The serial number can be 16 digits. Close End of session

The syntax of Transx2pcS described above may be the same as in Code 1 below.

[Code 1]

function Tranx2pcS(var callbackFunc, var hashData)

The parameter callbackFunc may be a callback function that receives a signature value of an electronic signature and the like from a web script. The signature value of the digital signature, the result value of the digital signature, and the digitally signed public certificate may be transmitted to the call back function passed as a parameter.

The parameter hashData may be hash data of the original text to be digitally signed with a public certificate.

The return value of Tranx2pcS may not exist, and the result of the Tranx2pcS call can be passed to the callback function.

The information of the channel, the information of the accredited authentication security module and the information of the keyboard security can be created and processed by itself in the web script. Therefore, by such self-writing and processing, Tranx2pcS called by the authentication authentication security module may not include parameters such as channel information, information of the authentication authentication security module, and keyboard security.

The syntax of the callback function callbackFunc may be the same as in Code 2 below.

[Code 2]

function callbackFunc(var signedData, var cert, var result)

The parameter singedData may be a signature value of an electronic signature for hashData.

The parameter cert may be a public certificate.

The parameter result may be a result of processing of Transx2pcS or a result of electronic signature.

The syntax of Tranx2phone described above may be the same as the code 3 below.

[Code 3]

function Tranx2phone(var callbackFunc, var cert, var key)

The parameter callbackFunc may be a callback function that receives the completion of storing the public certificate mobile terminal.

The parameter cert may be a public certificate to be stored.

The parameter key may be a key file to be stored.

The return value of Tranx2phone may not exist, and the result of the Tranx2pcS call can be passed to the callback function.

The information of the channel, the information of the accredited authentication security module and the information of the keyboard security can be created and processed by itself in the web script. Therefore, by this self-creation and processing, Tranx2pcS called by the authentication authentication security module may not include parameters such as channel information, authentication authentication security module information, and keyboard security information.

The parameter cert and the parameter key can be used only when issuing a public certificate, and when the public certificate is not issued, null values can be transmitted as values of the parameter cert and the parameter key.

The device described above may be implemented with hardware components, software components, and/or combinations of hardware components and software components. For example, the devices and components described in the embodiments include, for example, processors, controllers, arithmetic logic units (ALUs), digital signal processors (micro signal processors), microcomputers, field programmable arrays (FPAs), It may be implemented using one or more general purpose computers or special purpose computers, such as a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. The processing device may run an operating system (OS) and one or more software applications running on the operating system. In addition, the processing device may access, store, manipulate, process, and generate data in response to the execution of the software. For convenience of understanding, a processing device may be described as one being used, but a person having ordinary skill in the art, the processing device may include a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that may include. For example, the processing device may include a plurality of processors or a processor and a controller. In addition, other processing configurations, such as parallel processors, are possible.

The software may include a computer program, code, instruction, or a combination of one or more of these, and configure the processing device to operate as desired, or process independently or collectively You can command the device. Software and/or data may be interpreted by a processing device or to provide instructions or data to a processing device, of any type of machine, component, physical device, virtual equipment, computer storage medium or device. , Or may be permanently or temporarily embodied in the transmitted signal wave. The software may be distributed on networked computer systems, and stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, or the like alone or in combination. The program instructions recorded on the medium may be specially designed and constructed for the embodiments or may be known and usable by those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs, DVDs, and magnetic media such as floptical disks. -Hardware devices specifically configured to store and execute program instructions such as magneto-optical media, and ROM, RAM, flash memory, and the like. Examples of program instructions include high-level language code that can be executed by a computer using an interpreter, etc., as well as machine language codes produced by a compiler. The hardware device described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

110: non-installable client device
120: web server
130: authentication server
140: mobile terminal
190: Installable client device

Claims (20)

delete A processor running a non-installable authentication service in a web browser; And
Communication unit for processing the communication of the non-installation type authentication service
Including,
The non-installation authentication service is executed by a public authentication security module, and displays a user screen web page using a web script provided by a web server,
The certified authentication security module provides a screen for selecting an authentication method,
The certified authentication security module and the web script are provided through the web,
The accredited authentication security module and the web script are non-installation type that does not require file installation,
The non-installable client device provides the non-installable authentication service in conjunction with a mobile terminal,
When a part of information for generating a secret key is displayed on the user screen web page,
A part of the information for generating the secret key output on the user screen web page is input to the mobile terminal by a user of the non-installed client device, the non-installed client device. A processor running a non-installable authentication service in a web browser; And
Communication unit for processing the communication of the non-installation type authentication service
Including,
The non-installation authentication service is executed by a public authentication security module, and displays a user screen web page using a web script provided by a web server,
The certified authentication security module provides a screen for selecting an authentication method,
The certified authentication security module and the web script are provided through the web,
The accredited authentication security module and the web script are non-installation type that does not require file installation,
To the user screen web page, an event selected by the user is input from at least two events: an event of a request for a digital certificate mobile terminal electronic signature, an event for a request for transmission of a public certificate, and a request for storage of a public certificate mobile terminal,
Authentication service information is input to the user screen web page,
The authentication service information includes the mobile phone number and mobile operator information,
The mobile terminal storage of the public certificate is to store the public certificate to the SIM (USIM) of the mobile terminal or to store the public certificate in a memory in the mobile terminal certificate service app installed in the mobile terminal,
The digital certificate mobile terminal digital signature is a digital signature of a user for an electronic signature text received from the public authentication security module of a non-installed client using the public certificate stored in the memory in the USIM or the mobile terminal certificate service app. It is provided to the certified authentication security module
The public certificate transmission is to authenticate the user through the transmission of the public certificate stored in the mobile terminal, non-installed client device. A processor running a non-installable authentication service in a web browser; And
Communication unit for processing the communication of the non-installation type authentication service
Including,
The non-installation authentication service is executed by a public authentication security module, and displays a user screen web page using a web script provided by a web server,
The certified authentication security module provides a screen for selecting an authentication method,
The certified authentication security module and the web script are provided through the web,
The accredited authentication security module and the web script are non-installation type that does not require file installation,
The user screen web page is a device-independent responsive web page showing a constant screen regardless of the type of operating system of the non-installable client device and the type of the web browser,
The domain of the current web page of the web browser and the domain of the user screen web page are different.
The web script receives a set value and event through a call of the authorized authentication security module, and transmits the set value and event to the user screen web page through a communication application programming interface (API). -Installable client devices. A processor running a non-installable authentication service in a web browser; And
Communication unit for processing the communication of the non-installation type authentication service
Including,
The non-installation authentication service is executed by a public authentication security module, and displays a user screen web page using a web script provided by a web server,
The certified authentication security module provides a screen for selecting an authentication method,
The certified authentication security module and the web script are provided through the web,
The accredited authentication security module and the web script are non-installation type that does not require file installation,
The web script receives a set value and event through a call of the authorized authentication security module, and transmits the set value and event to the user screen web page through a communication application programming interface (API),
The setting value includes affiliate identification information, security module identification information, and security identification information,
The event includes an event of a request for sending a public certificate and an event of a request for storing a public certificate mobile terminal,
The mobile terminal storage of the public certificate is to store the public certificate to the mobile terminal's SIM (USIM) or to store the public certificate to a memory in the mobile terminal certificate service app installed in the mobile terminal,
The public certificate transmission is to authenticate a user through the transmission of the public certificate stored in the mobile terminal, a non-installable client device. A processor running a non-installable authentication service in a web browser; And
Communication unit for processing the communication of the non-installation type authentication service
Including,
The non-installation authentication service is executed by a public authentication security module, and displays a user screen web page using a web script provided by a web server,
The certified authentication security module provides a screen for selecting an authentication method,
The certified authentication security module and the web script are provided through the web,
The accredited authentication security module and the web script are non-installation type that does not require file installation,
The web script receives a result value of an electronic signature generated by a mobile terminal certificate service app of a mobile terminal from a user screen web page through a communication API, and transmits the result value of the electronic signature to the authorized authentication security module. Authenticated, non-installable client device. A processor running a non-installable authentication service in a web browser; And
Communication unit for processing the communication of the non-installation type authentication service
Including,
The non-installation authentication service is executed by a public authentication security module, and displays a user screen web page using a web script provided by a web server,
The certified authentication security module provides a screen for selecting an authentication method,
The certified authentication security module and the web script are provided through the web,
The accredited authentication security module and the web script are non-installation type that does not require file installation,
The user screen web page receives a result of storing a public certificate from a mobile terminal certificate service app of a mobile terminal, and transmits the result of the public certificate storage to the public authentication security module through a communication API. A processor running a non-installable authentication service in a web browser; And
Communication unit for processing the communication of the non-installation type authentication service
Including,
The non-installation authentication service is executed by a public authentication security module, and displays a user screen web page using a web script provided by a web server,
The certified authentication security module provides a screen for selecting an authentication method,
The certified authentication security module and the web script are provided through the web,
The accredited authentication security module and the web script are non-installation type that does not require file installation,
The non-installation authentication service provides a plurality of authentication services related to authentication to a user,
The plurality of authentication services includes at least two of an electronic signature of a public certificate mobile terminal, storage of a public certificate mobile terminal, and transmission of a public certificate,
The mobile terminal storage of the public certificate is to store the public certificate to the mobile terminal's SIM (USIM) or to store the public certificate to a memory in the mobile terminal certificate service app installed in the mobile terminal,
The digital certificate mobile terminal digital signature is a digital signature of a user for an electronic signature text received from the public authentication security module of a non-installed client using the public certificate stored in the memory in the USIM or the mobile terminal certificate service app. It is provided to the certified authentication security module
The public certificate transmission is to authenticate the user through the transmission of the public certificate stored in the mobile terminal, non-installed client device. The method of claim 8,
When one of the plurality of authentication services is selected by the user of the non-installed client device, the user screen web page makes a request for the selected authentication service through Hypertext Transfer Protocol Secure (HTTPS) communication. To the web application of the web server,
Wherein the web script provides an API for passing information from an authorized authentication security module to the web script for each of the plurality of authentication services. The method of claim 9,
The web server receives information of the selected authentication service from the non-installed client, transmits information of the selected authentication service to the authentication server,
The request for the selected authentication service is sent by one of the non-installed client device and the installed client device,
In the authentication server, a branch is automatically made according to the type of client device that has transmitted the selected authentication service. The method of claim 9,
The authorized authentication security module calls a function of the web script to request a selected authentication service, and receives a result of the selected authentication service using a call back function set as a parameter of the function, a non-installed client device. The method of claim 11,
Wherein the call back function is common to the plurality of authentication services, and has a plurality of parameters corresponding to the results of the plurality of authentication services. delete delete delete delete delete delete delete delete

Images