KR102189301B1 - System and method for providing blockchain based cloud service with robost security - Google Patents

Abstract

Provided is a system for providing a blockchain-based cloud service with enhanced security. The system comprises: a user terminal which provides bio-data of a user to access a service page through blockchain-based decentralized identifier (DID) authentication, operates as a virtual machine, and uses at least one program; and a cloud service providing server including a database unit which collects the bio-data from the user terminal and allows access of the user terminal to the service page through fast identity online (FIDO)-based DID authentication, a blockchain unit which distributes and stores the bio-data as at least one node in a private blockchain, a charging unit which charges only when the user terminal is activated by using function as a service (FaaS) that monitors the usage status of the user terminal, and an edge management unit which transfers work data worked at the user terminal from an edge node using edge cloud computing.

Description

Blockchain-based security-enhanced cloud service provision system and method{SYSTEM AND METHOD FOR PROVIDING BLOCKCHAIN BASED CLOUD SERVICE WITH ROBOST SECURITY}

The present invention relates to a cloud service providing system with enhanced security based on a block chain, and provides a cloud platform with enhanced security and integrity by decentralized storage of user bio data in a private block chain.

Cloud computing is a system in which users share IT resources, and is a computing environment in which users rent as much as they need and use it through a network at a desired time. In other words, while the existing computing environment was the concept of using IT resources fixedly installed within the organization, the cloud computing environment rents as much IT resources as needed at the time needed to lower the resource operation cost and increase the efficiency of resource use. It is a concept to use. In recent years, cloud computing is being activated for the stable provision of data processing and services exploding along with the development of major technologies such as IoT, artificial intelligence, and big data. Cloud computing includes deployment models such as Public Cloud, Private Cloud, Hybrid Cloud, and Community Cloud, Infrastructure as a Service (IaaS), and Platform (PaaS). as a Service) and SaaS (Software as a Service).

At this time, a method for performing cloud security analysis and policy management was researched and developed. In this regard, Korean Patent Publication No. 2018-0086919 (published on August 1, 2018), which is a prior art, provides security from a cloud security analysis device. Receives an analysis request message including data, performs a correlation analysis of security data for each analysis unit including at least one of a tenant unit and a user unit, and based on the result of the correlation analysis, security control command and security A configuration of setting at least one of the policies and transmitting at least one of the set security control command and the security policy to a cloud security analysis device is disclosed.

However, even if the above-described configuration is used, not only security threats appearing in the IT service environment, but also effective countermeasures against new security threats according to the characteristics of the cloud environment are not considered in the cloud computing environment. There is no choice but to secure security reliability. Although companies are increasingly interested in a cloud-based infrastructure environment, one of the reasons for reluctance to radically switch services is the security issue of the infrastructure. As guidelines and regulations related to cloud information security such as ISO27017 and ISO27018 are diversified, it is necessary to quickly respond and incorporate them, so continuous research on security issues related to cloud access by incorporating data forgery prevention technologies such as blockchain Need

In one embodiment of the present invention, by implementing a blockchain and a Decentralized Identifier (DID)-based authentication application as a VM (Virtual Machine), it can be used as an account with improved security for access control and user identification, and various infrastructures on mobile devices through the VM. And programs can be used like a personal PC, and by incorporating cloud edge computing technology, the problem of performance degradation due to data delay and traffic overload can be solved, and through periodic security updates to maintain the latest security of the operating system. The latest security can be automatically maintained without the involvement of each user, and since each company or individual does not have to pay the cost of the document writing program, the burden of purchasing costs can be relieved, and users can apply for subscriptions according to their preferences or needs. By providing a step-by-step cloud so that you can selectively use the desired functions and ultimately comply with the General Data Protection Regulation (GDPR), a blockchain-based security-enhanced cloud service delivery method can be provided. However, the technical problem to be achieved by the present embodiment is not limited to the technical problem as described above, and other technical problems may exist.

As a technical means for achieving the above-described technical problem, an embodiment of the present invention provides a user's bio data to access a service page through blockchain-based Decentralized Identifier (DID) authentication, and uses a virtual machine. A database conversion unit that allows access to the service page of the user terminal through FIDO (Fast IDentity Online) based DID authentication by collecting bio data from user terminals and user terminals that operate and use at least one program, and bio data is stored in a private blockchain. Blockchain unit that distributes storage to at least one node, billing unit that executes billing only for the active state of the user terminal using FaaS (Function as a Service) that monitors the usage status of the user terminal, and edge cloud computing. It includes a cloud service providing server including an edge management unit for transferring the work data worked on the user terminal from the edge node by using.

In another embodiment of the present invention, collecting bio data from a user terminal and receiving a request for issuing a blockchain-based decentralized identifier (DID), registering the bio data to be mapped to the user terminal and stored in response to the DID issuance request , Issuing DID by recording bio data in at least one node in the private blockchain, performing DID authentication based on FIDO (Fast IDentity Online) when authentication is requested from the user terminal, DID authentication is a private blockchain When it is completed based on, allocating any one of the at least one cloud PC as a virtual machine and connecting the allocated cloud PC to the user terminal.

According to any one of the above-described problem solving means of the present invention, by implementing a blockchain and a Decentralized Identifier (DID)-based authentication application as a VM (Virtual Machine), it can be used as an account with improved security for each access control and user identification. Through the mobile, various infrastructure and programs can be used like a personal PC, and by incorporating cloud edge computing technology, performance degradation problems due to data delay and traffic overload can be solved, and to maintain the latest security of the operating system. Through periodic security updates, users can automatically maintain the latest security without involvement of individual users, and since each company or individual does not have to pay for the document creation program, the burden of purchasing costs can be relieved, and user preferences and demands By providing a step-by-step cloud so that you can apply for a subscription according to the following, you can selectively use the desired function.

1 is a view for explaining a cloud service providing system with enhanced security based on a block chain according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating a cloud service providing server included in the system of FIG. 1.
3 and 4 are diagrams for explaining an embodiment in which a cloud service with enhanced security based on a block chain is implemented according to an embodiment of the present invention.
5 is a flowchart illustrating a method of providing a cloud service with enhanced security based on a block chain according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art can easily implement the present invention. However, the present invention may be implemented in various different forms and is not limited to the embodiments described herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and similar reference numerals are assigned to similar parts throughout the specification.

Throughout the specification, when a part is said to be "connected" to another part, this includes not only "directly connected" but also "electrically connected" with another element interposed therebetween. . In addition, when a part "includes" a certain component, it means that other components may be further included, and one or more other features, not excluding other components, unless specifically stated to the contrary. It is to be understood that it does not preclude the presence or addition of any number, step, action, component, part, or combination thereof.

The terms "about", "substantially" and the like, as used throughout the specification, are used in or close to the numerical value when manufacturing and material tolerances specific to the stated meaning are presented, and are used in the sense of the present invention. To assist, accurate or absolute figures are used to prevent unfair use of the stated disclosure by unscrupulous infringers. As used throughout the specification of the present invention, the term "step (to)" or "step of" does not mean "step for".

In the present specification, the term "unit" includes a unit realized by hardware, a unit realized by software, and a unit realized using both. Further, one unit may be realized using two or more hardware, or two or more units may be realized using one hardware. Meanwhile,'~ unit' is not meant to be limited to software or hardware, and'~ unit' may be configured to be in an addressable storage medium or configured to reproduce one or more processors. Thus, as an example,'~ unit' refers to components such as software components, object-oriented software components, class components, and task components, processes, functions, properties, and procedures. , Subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays and variables. The components and functions provided in the'~ units' may be combined into a smaller number of elements and'~ units', or may be further divided into additional elements and'~ units'. In addition, components and'~ units' may be implemented to play one or more CPUs in a device or a security multimedia card.

In this specification, some of the operations or functions described as being performed by the terminal, device, or device may be performed instead in a server connected to the terminal, device, or device. Likewise, some of the operations or functions described as being performed by the server may also be performed by a terminal, device, or device connected to the server.

In this specification, some of the operations or functions described as mapping or matching with the terminal means mapping or matching the unique number of the terminal or the identification information of the individual, which is the identification information of the terminal. Can be interpreted as.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

1 is a view for explaining a cloud service providing system with enhanced security based on a block chain according to an embodiment of the present invention. Referring to FIG. 1, a cloud service providing system 1 with enhanced blockchain-based security includes at least one user terminal 100, a cloud service providing server 300, and at least one cloud platform 400. I can. However, since the cloud service providing system 1 with enhanced blockchain-based security of FIG. 1 is only an embodiment of the present invention, the present invention is not limitedly interpreted through FIG. 1.

In this case, each component of FIG. 1 is generally connected through a network 200. For example, as shown in FIG. 1, at least one user terminal 100 may be connected to a cloud service providing server 300 through a network 200. In addition, the cloud service providing server 300 may be connected to at least one user terminal 100 and at least one cloud platform 400 through the network 200. In addition, at least one cloud platform 400 may be connected to the cloud service providing server 300 through the network 200.

Here, the network refers to a connection structure in which information exchange is possible between respective nodes such as a plurality of terminals and servers, and examples of such networks include a local area network (LAN) and a wide area communication network (WAN: Wide Area Network), Internet (WWW: World Wide Web), wired/wireless data communication network, telephone network, wired/wireless television communication network, etc. Examples of wireless data networks include 3G, 4G, 5G, 3GPP (3rd Generation Partnership Project), 5GPP (5th Generation Partnership Project), LTE (Long Term Evolution), WIMAX (World Interoperability for Microwave Access), and Wi-Fi. , Internet, LAN(Local Area Network), Wireless LAN(Wireless Local Area Network), WAN(Wide Area Network), PAN(Personal Area Network), RF(Radio Frequency), Bluetooth(Bluetooth) network, NFC( Near-Field Communication) network, satellite broadcasting network, analog broadcasting network, DMB (Digital Multimedia Broadcasting) network, etc. are included, but are not limited thereto.

In the following, the term “at least one” is defined as a term including the singular number and the plural number, and even if the term “at least one” does not exist, each component may exist in the singular or plural, and may mean the singular or plural. It will be self-evident. In addition, it will be possible to change according to the embodiment that each component is provided in a singular or plural.

At least one user terminal 100 is a user who accesses the cloud platform 400 through the cloud service providing server 300 using a cloud service-related web page, app page, program, or application with enhanced blockchain-based security. It may be a terminal of. To this end, at least one user terminal 100 provides bio data to register a user, and then connects to the cloud platform 400 through authentication through bio data, and the cloud PC included in the cloud platform 400 It may be a terminal that is provided with a virtual machine.

Here, the at least one user terminal 100 may be implemented as a computer capable of accessing a remote server or terminal through a network. Here, the computer may include, for example, a navigation system, a notebook equipped with a web browser, a desktop, a laptop, and the like. In this case, the at least one user terminal 100 may be implemented as a terminal capable of accessing a remote server or terminal through a network. At least one user terminal 100, for example, as a wireless communication device that is guaranteed portability and mobility, navigation, PCS (Personal Communication System), GSM (Global System for Mobile communications), PDC (Personal Digital Cellular), PHS(Personal Handyphone System), PDA(Personal Digital Assistant), IMT(International Mobile Telecommunication)-2000, CDMA(Code Division Multiple Access)-2000, W-CDMA(W-Code Division Multiple Access), Wibro(Wireless Broadband Internet) ) It may include all kinds of handheld-based wireless communication devices such as terminals, smart phones, smart pads, and tablet PCs.

The cloud service providing server 300 may be a server that provides a cloud service web page, an app page, a program, or an application with enhanced blockchain-based security. In addition, the cloud service providing server 300 may be a server that collects bio data when a user registration exists from the user terminal 100 and stores it distributedly in at least one node in the private blockchain. In addition, the cloud service providing server 300, when there is an access request from the user terminal 100, receives bio data to authenticate the user, and when authentication is completed with a private blockchain, one cloud in the cloud platform 400 It may be a server that allocates a PC. In addition, the cloud service providing server 300 may be a server that maintains security even if the user terminal 100 does not run the security program by using at least one type of security program.

Here, the cloud service providing server 300 may be implemented as a computer that can access a remote server or terminal through a network. Here, the computer may include, for example, a navigation system, a notebook equipped with a web browser, a desktop, a laptop, and the like.

At least one cloud platform 400 is a platform including at least one cloud PC using a cloud service related web page, app page, program or application with enhanced blockchain-based security, a private blockchain, and a server for user authentication Can be The at least one cloud platform 400 may be a platform connected to the user terminal 100 via the cloud service providing server 300.

2 is a block diagram illustrating a cloud service providing server included in the system of FIG. 1, and FIGS. 3 and 4 are a block chain-based security-enhanced cloud service implementation according to an embodiment of the present invention. It is a figure for explaining an embodiment.

Referring to FIG. 2, the cloud service providing server 300 includes a database conversion unit 310, a block chain unit 320, a billing unit 330, an edge management unit 340, a security center unit 350, and an attack preparation unit. (360), it may include a subscription management unit 370 and an allocation unit 380.

The cloud service providing server 300 according to an embodiment of the present invention or another server (not shown) that operates in conjunction with at least one user terminal 100 and at least one cloud platform 400 provides blockchain-based security. When transmitting an enhanced cloud service application, program, app page, web page, etc., at least one user terminal 100 and at least one cloud platform 400 are cloud service applications and programs with enhanced blockchain-based security. , App pages, web pages, etc. can be installed or opened. In addition, a service program may be driven in at least one user terminal 100 and at least one cloud platform 400 by using a script executed in a web browser. Here, the web browser is a program that allows you to use the Web (WWW: World Wide Web) service, which means a program that receives and displays hypertext described in HTML (Hyper Text Mark-up Language). For example, Netscape , Explorer, Chrome, etc. In addition, the application refers to an application program on the terminal, and includes, for example, an app running on a mobile terminal (smartphone).

Referring to FIG. 2, the database unit 310 may collect bio data from the user terminal 100 and allow access to the service page of the user terminal 100 through DID authentication based on Fast IDentity Online (FIDO). . The FIDO authentication technology is designed to overcome the security problem that occurs when the current user possesses an authentication means such as a certificate and memorizes a password such as a password, and the FIDO authentication technology provides UAF method and U2F method. The UAF authentication method is a standard that utilizes personal biometric information, which is more secure than the existing ID/Password authentication method, and U2F is a method that additionally uses a separate authentication device to the ID/Password authentication method. In one embodiment of the present invention, FIDO version 2.0 is used, but the use of other versions is not excluded.

UAF protocol is a technology that authenticates by interworking with online services in a user's device. In the FIDO UAF protocol, when biometric information is recognized using a user device, the FIDO server can be accessed. In addition, it has a processing procedure for inputting a security key provided by the user device. The UAF protocol standard consists of documents such as the UAF Protocol Specification, which defines UAF messages interlocked between web server, FIDO server, and user devices. Table 1 below is a list of UAF protocol standards and a description of the standards.

UAF Specifications Contents FIDO UAF
Architectural Overview This overview document describes the various protocol design considerations in detail and also describes the user flows in detail. FIDO UAF Protocol
Specification This document defines the message formats and processing rules for all UAF protocol messages. UAF Application API
and Transport
Binding Specification This document describes the client side APIs and interoperability profile for client applications to utilize FIDO UAF. FIDO UAF
Authenticator-specific Module API This document defines Authenticator specific Modules and the API provided to the FIDO client by ASMs. FIDO UAF
Authenticator
Commands This document describes Low-level functionality that UAF Authenticators should implement to support the UAF protocol. FIDO UAF APDU This specification defines a mapping of FIDO UAF Authenticator commands to Application Protocol Data Units (APDUs) thus facilitating UAF authenticators based on Secure Elements. FIDO Metadata
Statements This document defines the authenticator metadata. FIDO Metadata
Service Baseline method for relying parties to obtain FIDO Metadata statements. FIDO UAF Registry
of Predefined Values This document defines UAF-specific strings and constants. FIDO Registry of
Predefined Values This document defines strings and constants applicable to various FIDO protocol families. See also FIDO UAF Registry of Predefined Values. FIDO AppID and
Facet Specification This document defines the scope of user credentials and how a trusted computing base which supports application isolation may make access control decisions about which keys can be used by which applications and web origins. FIDO ECDAA
Algorithm This document defines the direct anonymous attestation algorithm used in FIDO. FIDO Security
Reference on detailed analysis of security threats pertinent to the FIDO protocols based on its goals, assumptions, and inherent security measures. FIDO Technical
Glossary Defines the technical terms and phrases used in FIDO Alliance specifications and documents.

In FIDO UAF, user devices are composed of Browser APP, FIDO Client, Authenticator Specific Module (ASM), FIDO Authenticator, Authentication Key, and Attestation Key. FIDO UAF uses PKI authentication technology, but the difference from existing PKI method is that Attestation Certificate and Attestation Private Key are installed in the user device authentication module. When a user transmits a public key and a private key to a web server, not only the signature but also the authentication module can be used according to the purpose. After user registration, the FIDO Server allocates a Unique Secure Identifier to the FIDO Server and the device Authenticator, transmits it to the device, and authenticates the user using the identifier for service interworking. The U2F protocol is an existing authentication method, ID/Password based authentication method. After primary authentication, it is a technology that uses a separate device such as a USB dongle or smart card that stores a disposable security key to perform secondary authentication. U2G protocol provides more secure authentication than existing encryption methods through 2-Factor authentication. In the U2F protocol, when a user registers a U2F device, the user U2F device generates a public key and a private key and transmits the public key to the web server. After performing the first authentication for user authentication, the web server verifies whether the user owns the device using the digital signature. Table 2 below is a list of U2F protocol standards and a description of the standards.

U2F Specifications Contents FIDO U2F
Architectural Overview This overview document describes the various design considerations which go into the protocol in detail and describes the user flows in detail. FIDO U2F
Javascript API This document describes the client side API in the web browser for accessing U2F capabilities. FIDO U2F
Raw Message Formats This document describes the binary format of request messages which go from the FIDO U2F server to the FIDO U2F token and the binary format of the response messages from the token to the
server. FIDO U2F
HID Protocol Specification This document describes how messages sent from the FIDO Client to the USB U2F token are framed over USB HID. FIDO U2F Implementation
Considerations This document describes implementation considerations and recommendations for creators of U2F devices and for relying
parties implementing U2F support. FIDO AppID and Facet
Specification The U2F protocol ensures that the origin foo.com can only exercise a key that was issued for foo.com by the U2F token. FIDO Common Header
Files These header files define the values of symbolic constants and data structures referred to in the FIDO U2F Raw Messages document and the FIDO U2F HID Protocol Specification documents. FIDO Bluetooth
Specification This document describes how the U2F protocol should be performed between a FIDO client and a Bluetooth Low Energy FIDO authenticator. FIDO NFC Specification This document describes how the U2F protocol should be performed between a FIDO client and an NFC FIDO authenticator.

In the user authentication procedure in FIDO U2F, user authentication is handled by first sending Username and Password to FIDO Server. After completing the first authentication, the user performs the second authentication by pressing or tapping a USB device button. At this time, the U2F device can be applied in various ways such as USB, NFC, Bluetooth, etc. Biometric information authentication has the advantage of having security and convenience at the same time, but a method of storing biometric information in a server during the process of authenticating biometric information is used. In this case, there is a vulnerability of personal information leakage. To overcome this vulnerability, FIDO can solve the problem of personal information leakage from the server by using a method of authenticating by preserving biometric information in the user device. First, fingerprint recognition is the most widely used biometric recognition technology. Fingerprints have the characteristic that the shape at birth does not change without special matters, and can be introduced at a simple and low cost. Reliability and stability for identification are also relatively high, and fingerprint recognition technology can generally consist of an algorithm that extracts and compares feature points. Secondly, in iris recognition technology, irises are known to be different even if identical twins are known to be statistically more accurate than DNA analysis. The iris is formed differently on both sides during infancy. The iris recognition technology uses an infrared ray to image the iris, registers it, and compares it. These irises are characterized in that they cannot be duplicated except when the iris is damaged by a wound. It can also be recognized when wearing glasses.

Third, face recognition technology uses a method of registering and comparing individual faces. In general, there is a method of using a 2D or 3D image or a thermal imaging camera used to recognize a face. In the case of a 2D image, an image can be obtained at low cost, but there is a disadvantage in that the accuracy is low. In the case of a 3D image, although the accuracy is high, it may be expensive. Fourth, the speech recognition technology is a technology that identifies using the voice path and the voice characteristics of the shape of the mouth and larynx. Since it uses these vocal features, it has the advantage that it is impossible to duplicate it in a way that imitates the voices of others.

Fifth, in EEG recognition technology, biometric information recognition technology using EEG is a technology that recognizes using EEG that responds to specific situations. According to a specific situation, EEG can be classified into waveforms with different frequencies and amplitudes. Delta wave is a waveform of 0 to 4 Hz, which occurs when you are sleeping, Theta wave is a wave of 4 to 8 Hz, that occurs when you are drowsy or deep meditation, Alpha wave is a wave of 8 to 12 Hz, which occurs when you are relaxed or relaxed, and Beta wave is 15 It is a waveform of ∼30Hz, which occurs when conscious activity or concentration, and the gamma wave is a waveform of 30∼50Hz, which is externally generated in a state of anxiety or strong stress. To use EEG recognition technology, noise can be removed and used, and SVM machine learning can be used for performance analysis.

In an embodiment of the present invention, any one of the above-described biometric information may be used, or a method of using a plurality of biometric information may be used. In the latter case, multiple biometric information authentication is performed. For example, first, a security code is generated by matching a feature point and a random number to recognize a user's fingerprint. In order to extract fingerprint information, an arbitrary number of 10 user fingerprints is received as an input value. A random number is generated using a secure random function to match the feature points of the received fingerprint. Then, a security code is generated by matching the feature point and the random number. The security code consists of English letters, numbers, and Korean, and measures the EEG when the user recognizes the security code. EEG is generated by pattern-processing a signal around 300ms where a P300 pattern occurs when a specific object is recognized. The user can be authenticated by pattern processing the EEG signal, generating brainprint, and passing it to the FIDO Authenticator. In order to obtain the brain information value, the user's fingerprint value, the security code in which the fingerprint and the random code are matched, and the brain wave information that recognizes the security code must be obtained. This increases attack complexity compared to using only single biometric information. In addition, it is possible to solve the problem of biometric information finiteness, which is a disadvantage in authentication using biometric information.

The block chain unit 320 may distribute and store bio data to at least one node in the private block chain. The blockchain can be composed of a public blockchain and a private blockchain according to the participants, and can be composed of a competition method consensus algorithm and a non-competition consensus algorithm depending on how the chain is maintained. Since various results are generated according to the selection of the consensus algorithm, the existing algorithm can be used as it is or developed according to the environment and purpose of the block chain, or a completely new algorithm can be created and used.

Blockchain is divided into public and private blockchains according to the target audience. Public blockchain is a blockchain that anyone can freely participate in the blockchain network. Since the subject of operation and participation is unclear, the incentive system is issued and operated, and transparency is strengthened because many people participate together, and it has the advantage of strengthening security as many people join the network. There is a disadvantage in that the speed is slow because consensus is proceeded by and must be synchronized by propagating to the entire network. On the other hand, a private blockchain is a blockchain in which only authorized persons with legal responsibility can participate in the blockchain network. Since the subject of operation and participation is clear, there is no need to issue and operate coins, an incentive system. Since it is a model with enhanced confidentiality because a small number of authorized people participate, it has the advantage of speeding up the transaction speed with only trusted people, but because consensus is progressed by few people, some centralization may result in lower security. There is a drawback.

Blockchain consensus algorithm can be classified into a competitive method and a non-competitive method. The competition method maintains the unity of the chain by accepting only one consensus that satisfies certain conditions first, by proceeding with different consensus in several places at the same time without guaranteeing finality. This method has the advantage of solving the problem of not malicious participation or objection because everyone does not have to participate in the proof, but there is a possibility of double payment because a fork occurs, and the secondary chain that was not selected from the generated fork In this case, there is a disadvantage in that all resources used in mining are invalidated and, as a result, are wasted. In the competition method, there are PoW consensus algorithm, PoS consensus algorithm, and DPoS consensus algorithm.

On the other hand, in the non-competitive method, finality is guaranteed and only one consensus proceeds at a time, and many people proceed in a manner such as voting, thereby maintaining the unity of the chain. It has the advantage of not wasting resources because it only proceeds with one chain, but there is a problem that the system may collapse if one third does not proceed with the voting process or if the voting is ruined by evil in a way that more than 2/3 must agree. There is a disadvantage of centralization because voting is conducted under the control of a node or a leader node. There are PBFT consensus algorithm and Ripple consensus algorithm for non-competition methods.

The consensus algorithm consists of a PoW consensus algorithm, a PoS consensus algorithm, a DPoS consensus algorithm, a PBFT consensus algorithm, and a Ripple consensus algorithm. First, the PoW consensus algorithm obtains a hash value of the block header to be newly proved through the SHA256 algorithm, and increases the nonce by 1 until a number smaller than the number set in nBits comes out. At this time, the work of increasing the nonce by 1 until a number smaller than the number set in nBits is called is called mining, and the worker is called a miner. The PoW consensus algorithm requires the hashing power of the CPU or GPU, and the average operation is composed of an exponential function of the required number of zero bits, and the stability and safety increase as a larger network is constructed, and anyone can configure it with a simple structure. It has the advantage of being easy. However, since it uses hashing power, 51% attack that can influence the overall network consensus is possible if it has 51% hashing power, and it has a disadvantage that it uses a large amount of computer resources unnecessarily.

Second, the PoS consensus algorithm creates a new block by participating in the proof as much as the stake it owns. In other words, if you vote for a block that you think is worthy among several block candidates as much as you own, and the block is finally registered as an official block after receiving many votes, you will receive a new block reward as much as you voted. Therefore, the proposers tried to eliminate the motivation to create a block with bad intentions by matching the interests of the block producer and the stakeholder, and in the PoS consensus algorithm, a validator instead of a miner of the PoW consensus algorithm, and a mind instead of mining. The expression (Minting) is used. It solved the problem of wasting a large amount of computer resources unnecessarily by voting without obtaining a hash value, and it has the advantage of making 51% attacks much more difficult because it uses shares rather than hashing power. However, since the more stakes you have, the more you can prove, so it is similar to the interest of a bank and may not be distributed in the market.

Third, the DPoS consensus algorithm elects witnesses or representatives through voting and allows them to proceed with the PoS consensus algorithm. Candidates who want to become representatives register their public key with a pledge on the network, and voters receive votes as much as their stake through the voting rights included in the wallet and vote for the representative. If the appointed representatives wish to take advantage of an act such as Nothing at Stake, the voters may immediately vote and elect a new representative. If the general PoS consensus algorithm is viewed as a direct democracy by those who have stakes, DPoS can be said to be an indirect democracy by electing some representatives of the stake holders. At this time, it is fast and has the advantage of solving the Nothing at Stake problem because it is fast and has the advantage of solving the Nothing at Stake problem to prevent a tie, but a place with a large stake, such as an exchange, may abuse the voting right to elect a representative who is favorable to them. There is a drawback that security and transparency may be threatened by some centralization.

Fourth, in the PBFT consensus algorithm, one elected leader node receives a transaction verified as valid using a verification node, propagates the consensus request to all, and generates a block by obtaining 2/3 votes. The PBFT consensus algorithm developed the BFT algorithm of a distributed system that enables normal operation even when some abnormal nodes exist, so that it can be used even in asynchronous networks. In addition, in PBFT, through two broadcasting processes that propagate to the entire network and vote, the leader or verification node more accurately removes strange nodes with a higher probability. It has the advantage of being fast because it receives and proceeds with already verified transactions. However, since PBFT communicates between all nodes, as the number of nodes increases, larger communication overhead occurs, making it difficult to expand and not suitable for large-scale networks, and 33% of nodes do not vote or intentionally oppose. The downside is that the system can be stopped if done.

Fifth, the Ripple consensus algorithm is an asynchronous round-based protocol executed by the network verification server, which consists of a collection stage, a consensus stage, and a closing stage. In the collection step, the verification server receives a transaction from the network, checks the validity of the signature and the accuracy of related information, and broadcasts the proposal back to the network as a candidate set. In the consensus stage, the servers vote for the received proposal to agree. In the closing stage, if the proposal gets 80% or more consent, the proposal is removed from the candidate set and formally registered in the ledger, and one round is closed. Since the Ripple consensus algorithm aims to process a large amount of payments quickly with the goal of a real-time payment system, it is developed with a focus on speed, and its high speed is an advantage. However, it has built a high speed through very large centralization, and has a disadvantage that the system can be stopped if 20% of nodes do not vote or only oppose it intentionally.

Centralization is determined by the trust model, and transaction speed refers to the time it takes for each consensus algorithm to verify a transaction and create a new block. At this time, the speed is generally improved in proportion to the degree of centralization. Security refers to the degree of security against hacking. As the number of obstacles that are the target of an attack decreases, the security can be said to be weaker, so security is degraded in inverse proportion to the degree of centralization. On the other hand, the unreliable model has the advantage of improving security by having many points of failure through decentralization, but has the disadvantage of slowing the speed. Accordingly, one embodiment of the present invention forms a trust model with a private blockchain, but uses a PoS block containing a document on which legal procedures can be carried out in the private blockchain so as to increase security and achieve decentralization. You can use the verification method. At this time, in addition to PoS, it is possible to reach consensus with nodes elected from inside and outside the blockchain, and a representative is selected, but rather than pre-elected like DPoS or PBFT, randomly elected each time a transaction occurs with a quantum random number and communicated. By unifying the channel, it is possible to increase the transaction speed while also increasing the security.

The billing unit 330 may perform billing only in the active state of the user terminal 100 using a FaaS (Function as a Service) that monitors the use state of the user terminal 100. Serverless computing is a new cloud computing paradigm that relieves users of the burden of infrastructure management tasks for server management and load balancing operations, and is executed by registering function codes or workloads. In FaaS service using serverless computing, there is a delay time in which a container or sandbox is created to receive a computing environment that operates when a function is called. This overhead is called cold-start. In order to reduce this waiting time, it is also possible to analyze the minimum memory required by each workload by using the container update method, and dynamically manage the memory of the container, which is a function, in the idle state without load request. Through this, it is possible to reduce the overhead for cold-start of the container and keep it in a warm state to maintain fast response waiting time when triggering or requesting.

As a next-generation cloud technology, serverless computing is attracting attention as it is immediately allocated server resources required from a cloud provider and automatically returned after use, so that customers do not have to worry about securing infrastructure and can focus on development. Serverless computing can execute applications and services by receiving infrastructure and resources managed by a provider without building a server. The computing provider manages the execution environment and dynamically allocates resources to ensure scalability and availability. In addition, users pay only for resources that are called and used when an application program processes a specific task consisting of one or more functions. In FaaS, when a user registers the code of a function that is a part of the program, the cloud provider provisions or manages the server to provide an execution environment. The user writes the desired logic as a function, and when the function is called, the container is executed and the function defined in the runtime is executed. Functions are small codes that are executed whenever there is an event, rather than processing the user's request while the server keeps waiting, so they are used for simple tasks between major services.

The Lambda service provided by AWS is a serverless computing service that executes code in response to events and automatically manages basic computing resources. By using lambda functions to run your code on demand, it can automatically scale from a few requests per day to thousands of requests per second. In addition, with high availability, code runs in parallel and each trigger is handled individually to scale precisely to the size of the workload. Also, when a lambda is called by a trigger, the time it takes for the virtual machine, container, and library to be sequentially registered at runtime is called cold-start. It is possible to implement an analysis system to reduce cold-start that occurs when calling a function and keep the container in a warm state.It is possible to cold-start the waiting time that occurs after running the container, and to perform workload tasks and maintain a warm state. The time to update the container for the first time can be defined as mem-up, and the time for the second update of the container to prepare for the re-request of the task can be defined as mem-down.

First of all, you can implement a web server of the host server for socket communication, execute and execute a single or parallel container, receive an IP, and implement a web server for socket communication with the host server, and the containers perform workload tasks. Run and update the container first with the minimum memory and CPU size that the workload needs for the job, and the second update of the container's memory and CPU size in case of a re-request of the job. In addition, the host server requests the container server for cold-start time, workload work time, mem-up time, and mem-down time of the container, and the container server can deliver the requested value to the host server. Of course, the above-described method may not be applied, and only FaaS for accurate charging may be used.

The edge management unit 340 may transfer work data worked on the user terminal 100 from the edge node using edge cloud computing. Edge computing is a technology that uses an edge server located at the end-point of the network and geographically close to the user in order to solve the high latency problem of a cloud server located in a data center located far from the user. . In the edge computing environment, the edge server that can be used while mobile users move is constantly changing, so an environment for computation offloading must be built in real time on the edge server. To this end, data transmission to the corresponding edge server is required, and there is a problem that the operation offloading time is delayed. To this end, proactive data caching can be used. This time delay problem can be solved by predicting the moving path of a mobile user and storing information necessary for computation offloading in advance in an edge server to be connected in the future.

By analyzing the collected movement paths using predictive models such as Markov, SVR (Support Vector Regression), and RNN (Recurrent Neural Network), the future location of the user can be estimated. As described above, the predicted user's location information may be used for preemptive data caching in which data is previously stored in a server to be used by the user. Using the Markov Model, a Variable-Order Markov (VOM), which is the most used for predicting mobility of the user terminal 100, may be used. Unlike the Markov Model, which models the next state only with the previous state of a fixed length, the VOM models the next state through the previous state of a different length depending on the situation. In order to predict the next edge server with the VOM, first, the location information of the mobile user, that is, the user terminal 100 may be mapped to the ID of the edge server in the corresponding area. VOM can be implemented using Prediction Suffix Tree based on the user's moving path information mapped with the ID of the edge server.

The second method is to use SVR. SVR is a type of SVM (Support Vector Machine) and is a model for solving regression problems. The SVR model receives the user's past movement path as an input and outputs the next location. For example, a model can be trained using linear SVR as a prediction model and Epsilon-Insensitive Hinge Loss, and parameters (Epsilon, Tolerance) of the model with the best prediction performance can be determined and used. The third is RNN (Recurrent Neural Network), which is a kind of artificial neural network and has a structure in which the output of the previous input goes to the next input, so it is a suitable model for processing sequential data. . At this time, the RNN model can be implemented using a long short-term memory (LSTM) cell. When the user's past movement path comes in as an input of the RNN model in chronological order, the LSTM cell returns an output tensor. do. The output tensor calculated from the LSTM cell is finally calculated with two values through the fully connected layer. This final calculated tensor becomes the user's next position. An RNN model can be trained using MAE (Mean absolute error) as a loss function, and parameters of the RNN model can be determined like the SVR model. Of course, the prediction path may be identified by a method other than the above-described method, and a preemptive data caching and edge computing environment may be provided, and it will be apparent that the method is not limited to the above method.

The security center unit 350 selects and sets a policy to be applied in the cloud based on at least one previously stored security policy, continuously monitors the network security status with a network map, and provides a PaaS layer and an IaaS layer. It detects the threat of and blocks brute-force attacks through access to the JIT (Just-In-Time) virtual machine. At this time, it will be apparent that the type or number of security policies is not limited, and may vary according to embodiments and according to the environment or request of the user terminal 100.

The attack preparation unit 360 may provide an active directory that protects against a security attack by providing single sign-on (SSO) and multi-factor authentication to the user terminal 100. At this time, the attack preparation unit 360 may perform Identity and Access Management, Role-Based Access Control, and Intune Mobile Device Management.

Account management solutions included SSO (Single Sign-On), EAM (Extranet Access Management), and IAM (Identity Access Management). SSO is a security solution that allows you to use various systems or Internet services with a single login.If you use SSO, you can access various systems and services with only one account without going through multiple authentication procedures, reducing user convenience and management costs. It has the advantage of being able to. EAM is a solution that uses a single mechanism based on security policy to manage SSO and user authentication in terms defined by the Gartner group, and to manage user access to applications and data. If EAM is a solution centered on SSO and application access rights, IAM is the introduction of a more comprehensive and extended concept, and it has several names such as IM (Identity Management), account management solution, integrated account management, and integrated authentication management. It is called.

Cloud-based security services include email security, web security, identity and access management (IAM), and in addition to cloud-based tokenization and encryption, security information and event management (SIEM), Vulnerability Assessment, web firewall, etc. can be added. Among these, IAM technology can be used with the cloud, especially in the form of IDaaS. The main features of this IAM should be as follows. First, authentication information and policy information are configured using different repositories, and ID central management using an integrated database that enables different DBs such as LDAP and Domino Directory to be interlocked without changing the DB structure. In particular, ID policy and PW policy should be applied, and user authentication methods should be considered in various ways. Second, when the contents of the resource accessed by the user such as personnel transfer or job change are changed in the organization, it should be supported to enable smooth account management through the provisioning function. As a user subject to provisioning, Membership provisioning, which is configured according to the Access Rule, not individual users, as a managed server to which a user account should be added. To be able to use it, there must be a function such as entilement provisioning to which the policy is applied. Third, in order to manage user accounts, it is necessary to reinforce account management by defining procedures such as user account creation, change, request for approval, approval, rejection, and system reflection in the workflow. Fourth, it is necessary to support access control and SSO so that the user can check and control the resource request of a specific application or system so as to be similar to the existing EAM solution. Fifth, authority management should be performed on the account. Role-Based Access Control has a method of dynamically granting a user, a service resource (object), and permission necessary for performing a task to a function called a role, as well as a method of delegating authority using a protocol such as OAuth. May be. Lastly, by storing the records of requests, modifications, approvals, and deletions of the account, it is necessary to provide reports on incorrect requests, duplicate authentication, and cancellation of authorization at any time, and to prepare for various threats by maintaining log records.

AWS IAM, known as a cloud service, securely controls users' access to AWS services and resources. You can use IAM to create and manage AWS users and groups, and to allow or deny access to AWS resources. AWS's IAM can provide the following features. ① AWS account access sharing. With IAM, you can give users and groups their own security credentials, which allows you to increase security by specifying the AWS service APIs and resources they can access. IAM is protected by default, so users cannot access AWS resources until explicitly granted permission. ② It is a detailed authority. Using IAM, it is possible to grant different permissions to different people for different resources according to the rules stored in DymanoDB. ③ Multi-Factor Authentication (MFA) requires additional input of a password or access key that operates on a user account, as well as a value generated by a specially configured device in order to reinforce the security of the account.

④ ID Federation, among the methods of performing single sign-on and ID information management services, maintains the existing ID of the service provider (SP) and connects with the ID of the Internet ID service provider (IdP). Through ID federation, users can access the AWS Management Console with their corporate identity and access resources by calling AWS APIs without creating an IAM user account for each identity. For example, it can be used to give employees and applications federated access to the AWS Management Console and AWS service APIs through an identity system such as Microsoft Active Driectory. ⑤ It is possible to integrate with many AWS products. Because IAM is included in most AWS services, you can define access controls in one place within the AWS Management Console, and these access controls apply to the entire AWS environment.

⑥ For security credential management, if you use IAM, you can authenticate users in various ways depending on how you want to use AWS services. You can assign a variety of security credentials, including passwords, key pairs, and X.509 certificates. You can also apply multi-factor authentication (MFA) for users who access the AWS Management Console or use the API. In addition, AWS's IAM has the following 8 features.

① Centrally manage user information and security credential information. Users can control the creation, rotation, and revocation of AWS security credentials, such as the user's access key. ② Centrally manage user access. Users can control what users can access data in AWS systems, and they can view and manage how users access data. ③ Share AWS resources. Users can share data for joint projects. ④ Different authority can be granted according to the group within the organization. You can restrict user access to AWS according to departments and people's job functions, and when users move within the organization, you can easily update AWS access rights by changing their roles.

⑤ Centrally manage AWS resources. When a user leaves an organization or moves a group, there may be interruption of continuity and loss of data, and continuity can be maintained by centrally controlling the AWS data created by the user. ⑥ You can control resource creation. It can be managed so that users can create AWS data only in restricted places. ⑦ You can control the network. You can manage to allow users to access AWS resource resources only from the organization's network using SSL. ⑧ The AWS bill is unified. All users' AWS bills can be integrated and managed for the user's AWS activities. AWS provides cloud services on its own, and if IAM is built, in the case of Office 365, it uses the services of IAM Cloud companies to manage cloud users. The features of this service combined with IAM Cloud and Office 365 are as follows.

① It is a single sign-on function that connects to the user's computer, and IAM Cloud logs in single sign-on. IAM cloud users simply log in from their own workstation, and their Office 365 or other SaaS can be accessed without any other login by simply clicking on the application's shortcut.

② Support for portals that do not use SSO, and IAM Cloud uses Single Sign On. This single sign-on is an authentication function that enables resources on multiple computers to be used in one authentication process. In the case of IAM Cloud, you can access Office 365 and other SaaS applications by logging into your workstation. In addition, even if the portals on the IAM Cloud are not linked as single sign-on, if you add code to the portal, it becomes a portal that is linked with single sign-on.

③ It is an automated lifecycle management, and IAM Cloud automates user creation, user status change, and user authorization settings. Also, the administrator can apply different rules for each user group. IAM Cloud works like HR systems. So, IT teams don't need to manually fill in users in the Directory, but follow the rules created by the administrator to apply the user's information from one system to another. ④ Cloud Drive Mapper. IAM Cloud is a free cloud service that stores files such as photos, videos, and documents, called One Drive, and a cloud service that stores collaboration content between teams called SharePoint Online. It allows users to share and use information.

⑤ Multi-factor authentication, and IAM Cloud uses Multi-Factor Authentication. Multi-Factor Authentication is used as a simple and effective means to further strengthen security in addition to user name and password. In general, the method of entering the authentication code of the MFA device (which the customer has) is used. IAM Cloud has Multi-Factor Authentication for Office 365, which can enhance secure access to Office 365 applications.

⑥ In Active Directory Migration, IAM Cloud stores the Active Directory service by dividing it at intervals of 5 to 10 minutes on a regular basis, so when moving and integrating Active Directory in the future, time can be shortened compared to other clouds. ⑦ In Session Timeout Control, the default session timeout time of SharePoint is set to 10 hours. However, you can separately customize the session time limit in the admin portal. Therefore, it is possible to prevent a malicious user from continuously using it by giving a time limit on the authority. ⑧ In DR service provision, IAM Cloud can build a disaster recovery facility in the server room in preparation for the possibility of a disaster. For this reason, it is possible to immediately cope with the problem of service continuity. ⑨ Convenience of use. IAM Cloud is hosted on Azure Cloud, and extended control and customization for technical people is possible through API, and it is very convenient for non-technical people to use through portal UI.

Meanwhile, the cloud-based account management system has the following security threats. This is not a form of attack that can only occur in a cloud-based account management system. It is a problem with a general account management system. When the account management system is serviced based on cloud, the following types of attacks are possible as well. ① Brute-force Attack is called a brute force attack, and unauthorized access to the sensitive account credentials of cloud service users stored in the ID management server using combinations available by the attacker indiscriminately assigning the values of the user's ID and password. It is an attack that can be done. A dictionary attack is an example of such brute force attack, and if it does not comply with international standards for setting strong passwords, it can attack account management systems. If the attack is successful, the attacker can reinforce the attack to discover the security vulnerability of the account management system. Afterwards, attackers can analyze the server's response and manipulate it to achieve malicious purposes. ② In a cookie-replay attack, an attacker steals a cookie containing valid session information related to the cloud service user's account credentials, deceives the management server that the previously authenticated session is still valid, and reuses it. Through this attack, an attacker can gain unauthorized access to the victim's secret information in addition to cloud services and resources. ③ In the Data Tampering Attack, the information related to the cloud service user in the cloud account information storage is changed without permission. The attacker can damage the cloud service and resources through such modification. This attack is an attack on the integrity of account information stored in the cloud by using a loophole in the access control system. ④ Denial of Service (DoS) Attack is a form of attack that can be performed when the account management system does not provide a mechanism to log user activity. The attacker overwhelms the cloud account management server through false authentication and permission requests and stops the service by consuming all available resources so that it cannot process the request of a legitimate user. Therefore, there is a need to intelligentize the account management system to be sufficient to detect and defend against such attacks by attackers with appropriate logging mechanisms.

⑤ Eavesdropping, eavesdropping, attacks when identity credentials are exchanged for the purpose of authentication and authorization between cloud account management server and cloud service users at the communication level, and can be intercepted in real time without permission. It can be obtained, stolen, or read confidential, unencrypted data. ⑥ Privilege elevation attack, which is an Elevation of Privilege, is an attack involving legitimate subscribers of the account management system with limited privileges. Attackers impersonate other cloud service users with higher privileges than their privileges in order to achieve malicious purposes. After gaining extended access rights, it may steal personal and confidential information of cloud service users or seriously damage stored information.

⑦ The three attacks, Identity Forgery/Cloning/Spoofing Attacks, mean illegal copying or manipulating credentials and identity tokens issued by trusted organizations such as cloud service providers or governments for the purpose of deceit or false delivery. To prevent such attacks, a cloud-based account management system must perform a strict authentication mechanism to detect forged identities. Attacks that forge identity require specialized knowledge and skills in order to forge or steal identity, and sometimes, more effort than those obtained through achievement may be required. ⑧ Identity Theft Attack refers to stealing the identity of another person such as name, personally identifiable information, credit card number, etc. for the purpose of obtaining cloud resources or other financial benefits in the victim's name. It is a method of stealing identification information such as the name, personal identification information, and credit card number of other users and using it to steal cloud resources.This is a method of stealing financial information such as credit cards due to the nature of the cloud service used through billing. Even secondary damage can occur.

⑨ Luring Attack can be vulnerable to a Luring Attack if the account management system does not guarantee User-Centricity and does not provide a logging & reporting mechanism. This attack is a method in which an attacker can inject malicious code fragments into a cloud service user with many privileges to perform an attack without the cloud service user's knowledge. ⑩ In phishing attacks, if the account management system does not consider user-centricity, strong password system, and personal information preservation, it is more vulnerable to phishing attacks. A phishing attack is an attack in which a web site of almost the same form is disguised and redirects a user to obtain a user's name, password, bank account number, credit card information, etc. The attacker manipulates the communication so that the user feels as a normal IdP in order to successfully seduce the user beyond suspicion.

⑪ Replay Attack occurs when the account management system fails to maintain the security of identity authentication information, and a reuse attack occurs. This attack means that the attacker acquires valid identification information and reuses it. It is recommended to use secure sessions to prevent reuse attacks, but if you acquire a session in use, you may be exposed to reuse attacks as well. Therefore, when using a cookie, the input value must be encrypted and processed, and the expiration time of the cookie must be set as short as possible. In addition, it is possible to prevent the acquired session ID from being used by another IP by attaching the server IP when creating a session.

⑫ Repudiation occurs when a cloud service user denies his or her work, and this may occur when the cloud account management system does not implement an implementation to maintain a log of the service user's activity so that the cloud account management system can prove its responsibility for the user's actions. have. In the absence of real-time tracking and activity logging mechanisms, service users can easily deny their malicious actions actually performed on the cloud server, such as forging ID credentials or manipulating unauthorized data. ⑬ In Side-Channel Attack, if the account management system does not comply with Federation and Access Control, it may be damaged by Side-Channel Attack. In Side-Channel Attack, an attacker can steal information such as Session Identitfier, Timing Information, OAuth Token, and Electromagenetic Leaks from the physical implementation of the security system. To prevent this, it is necessary to distribute and store sensitive account information across multiple servers.

⑭ Skimming Attack is a method in which an attacker steals sensitive information from an authentication token and attacks it. To prevent such an attack, the account management system must ensure strong encryption and secure distributed storage of identity certificates on multiple servers. ⑮ Snooping is a form of attacking through illegal collection of sensitive information such as identity, available services and network topology to an identity server in a cloud environment, and includes sophisticated surveillance technology to intercept confidential communication through remote activity and keystroke monitoring. Because of this, it is different from general tapping. In order to prevent the above-described attacks, in an embodiment of the present invention, a security center and an attack preparation may be performed, and bio data is distributed and stored on at least one node of a private blockchain to prevent identity forgery and theft.

The subscription management unit 370 may provide at least one type of document editing program and an operating system program. In this case, the user terminal 100 may select and subscribe to any one or a combination of at least one type of document editing program and an operating system program.

The cloud service providing server 300 may provide a public cloud-based service. Here, Azure is the same as described above, so it is not described in duplicate. In addition, when access is permitted, the user terminal 100 is connected to any one of at least one virtual machine included in the cloud service providing server 300 to perform authentication by interlocking with the private blockchain, and when the authentication is completed, the cloud A PC virtual machine may be assigned, and the user terminal 100 may be connected to the cloud service providing server 300 using a 5G communication network and edge computing.

The allocation unit 380 may allocate any one of at least one cloud computer to the user terminal 100 when access to the user terminal 100 is permitted. Based on the above-described configuration, the cloud service providing server 300 collects bio data from the user terminal 100, receives a block chain-based decentralized identifier (DID) issuance request, and sends the bio data in response to the DID issuance request. Mapping to the user terminal 100 can be registered to be stored. In addition, the cloud service providing server 300 records the bio data in at least one node in the private blockchain to issue a DID, and when the user terminal 100 requests authentication, the FIDO (Fast IDentity Online) based DID Authentication can be performed. In addition, when the DID authentication is completed based on the private blockchain, the cloud service providing server 300 allocates any one of at least one cloud PC as a virtual machine and connects the allocated cloud PC with the user terminal 100. I can. Terms and matters not described above are the same as in the known art, and thus detailed descriptions thereof will be omitted.

Hereinafter, the operation process according to the configuration of the cloud service providing server of FIG. 2 will be described in detail with reference to FIGS. 3 and 4 as examples. However, it will be apparent that the embodiment is only any one of various embodiments of the present invention, and is not limited thereto.

3 and 4, the platform according to an embodiment of the present invention aims to solve the inconvenient portability of hardware equipment required for using a computer. First, it can be used like a personal PC by simply connecting to a cloud VM (virtual machine) using a mobile device. In addition, by utilizing 5G network communication, you can use a high-performance PC environment anytime, anywhere, with a monitor that minimizes the delay time of data transmission and reception. In addition, it is possible to securely use computing by obtaining an account for controlling access to a virtual machine based on a block chain, and improving security through more convenient and reliable identification of users through self-sovereign identity verification based on a block chain. Platform can be provided.

In addition, by using cloud edge computing technology, it is possible to solve the problem of performance degradation caused by data delay and traffic overload of existing cloud computing. In addition, to maintain the latest security of the operating system, it is possible to deploy and operate in batches without requiring the user to perform periodic software upgrades, and by setting the security update distribution policy in the Active Directory in the cloud environment, You can maintain the latest security updates, relieve the cost burden you have to pay to use genuine software, and relieve users of the cost of purchasing genuine software by providing genuine Windows OS and other software used by Microsoft. In addition, it is possible to provide a step-by-step cloud PC so that users can apply for a subscription that suits their preferences and performance. In addition, by utilizing the technology of the PaaS platform, various SDKs, programming languages, and libraries are provided according to the user's requirements, so that a cloud PC in various environments can be provided by selecting a development platform that suits the user's preference.

To this end, according to an embodiment of the present invention, a blockchain-based self-sovereign identity verification means DID (Decentralized Identifier, Distributed ID) authentication application is implemented, and all end-users such as desktop PCs and mobiles (Android, iOS) are implemented. It implements a client application to be used in a point device, and implements a FIDO 2.0 Server Endpoint through the Relying Party that accepts user requests. In addition, the API can be implemented according to the user's requirements in the RP Server, including the first registration (FIDO 2.0 Registration), the second authentication (FIDO 2.0 Authentication), and the third deletion (FIDO 2.0 De-Registration). I can.

In addition, the user terminal 100 can access the authentication server that verifies the integrity of data by storing the user's bio-authentication credential information in a private blockchain, and generates a certificate-based verification and PKI authentication key. can do. In addition, it is possible to issue a DID-based account and apply for a cloud PC subscription that fits the user's requirements or performance, and can issue a DID-based PC account for use with the office cloud platform, and the cloud according to the performance according to user requirements. A PC can be provided, an application that issues an account for use with a cloud PC platform can be implemented, and a process for identifying user identity information through DID authentication can be implemented. In addition, it is possible to verify the cloud PC account, issue a DID account assigned to the user, and register the cloud endpoint domain.

Secondly, genuine software can be used, for example, Windows 10 Professional OS can be used, Windows Defender antivirus program can be used, and business tasks can be performed through the Microsoft Office 365 suite.

Third, you can issue a cloud PC account, and you can build a cloud PC security solution. The security center can be used to enhance the security status of the data center and provide advanced threat prevention functions. In addition, you can set policies to be executed for management groups, all subscriptions, and all tenants in the cloud according to the security policy. The network map can continuously monitor the network security status, and security can be strengthened by adding a security score for the default security policy. Threat protection can be used to detect threats not only from PaaS but also from the IaaS layer, and through just-in-time (JIT) VM access, unnecessary access is prevented to block brute force attacks, and from DDoS distributed denial of service attacks within the cloud. Resources can be protected, and SSO and multi-factor authentication can be provided to users using Active Directory to help protect against security attacks, and identity and access management (IAM) can be centralized to secure security between applications, devices, services, and infrastructure. Can support access.

In addition, role-based access control (RBAC) allows you to manage users, tasks and their resource areas with access rights, manage, control, and monitor access to privileged accounts, and authorization through Intune MDM policies. Access is managed only for existing accounts, and data access can be controlled and monitored. Fourth, it is possible to implement an edge-based cloud computing and serverless architecture, and for this purpose, a distributed open edge that has built an edge node to directly perform computing at the end-point using 5G communication before accessing the virtual machine. By establishing a computing architecture and utilizing FaaS (Function as a Service)-based technology, it is possible to implement serverless-based cloud computing in which billing occurs only when users use the service.

In cloud computing according to an embodiment of the present invention, security and portability as well as communication quality differentiated from existing systems by solving delays and distributed processing for data traffic generation due to multiple user accesses and security issues that need to be supplemented It is expected to be a cloud PC platform equipped with. First of all, information protection can be reinforced. By applying various security solutions through the Intune MDM policy of cloud PC, unnecessary access in the account can be efficiently and safely managed, and reliable self-sovereignty based on blockchain using DID. By enabling type identification, users' access control and personal information protection can be reinforced, and by storing data using a private blockchain network, the transparency and non-repudiation effect of the original data is enhanced.

According to an embodiment of the present invention, it is possible to reduce the cost of purchasing necessary software for the OS and PC, and to reduce the data communication cost that can be used for an unlimited number of times by utilizing 5G, and data through FaaS-based cloud computing By applying a serverless platform in which billing is generated only when using, it can bring cost savings and quality improvement effects, and provide ultra-low latency cloud computing that can handle large amounts of traffic through the use of 5G communication speed and edge computing. can do.

The matters not described for the method of providing a cloud service with enhanced blockchain-based security in FIGS. 2 to 4 are the same as those described for the method of providing a cloud service with enhanced blockchain-based security through FIG. Since it can be easily inferred from the description, the description will be omitted below.

FIG. 5 is a diagram illustrating a process in which data is transmitted and received between components included in the cloud service providing system with enhanced security based on the block chain of FIG. 1 according to an embodiment of the present invention. Hereinafter, an example of a process in which data is transmitted/received between each component will be described with reference to FIG. 5, but the present application is not limitedly interpreted as such an embodiment, and is illustrated in FIG. 5 according to various embodiments described above. It is apparent to those skilled in the art that the process of transmitting and receiving data may be changed.

Referring to FIG. 5, the cloud service providing server collects bio data from a user terminal and receives a request for issuing a blockchain-based decentralized identifier (DID) (S5100).

In addition, the cloud service providing server registers to map and store the bio data in the user terminal in response to the DID issuance request (S5200), and issues the DID by recording the bio data in at least one node in the private blockchain (S5300). ).

In addition, the cloud service providing server performs FIDO (Fast IDentity Online)-based DID authentication when a user terminal requests authentication (S5400), and when DID authentication is completed based on a private blockchain, at least one cloud PC Any one of them is allocated as a virtual machine (S5500).

Finally, the cloud service providing server connects the allocated cloud PC with the user terminal (S5600).

The order between the above-described steps S5100 to S5600 is only an example and is not limited thereto. That is, the order of the above-described steps (S5100 to S5600) may be mutually changed, and some of the steps may be executed or deleted at the same time.

The matters not described for the method of providing a cloud service with enhanced blockchain-based security in FIG. 5 are the same as those described for the method of providing a cloud service with enhanced blockchain-based security through FIGS. 1 to 4 above. Since it can be easily inferred from the description, the description will be omitted below.

The method of providing a cloud service with enhanced security based on a block chain according to an embodiment described with reference to FIG. 5 is also in the form of a recording medium including instructions executable by a computer such as an application or program module executed by a computer. Can be implemented. Computer-readable media can be any available media that can be accessed by a computer, and includes both volatile and nonvolatile media, removable and non-removable media. Further, the computer-readable medium may include all computer storage media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.

The above-described method for providing a cloud service with enhanced blockchain-based security according to an embodiment of the present invention is an application basically installed in a terminal (this may include a program included in a platform or operating system basically installed in the terminal) It may be executed by, and may be executed by an application (ie, a program) directly installed on the master terminal by a user through an application providing server such as an application store server, an application, or a web server related to the service. In this sense, the method for providing a cloud service with enhanced blockchain-based security according to an embodiment of the present invention described above is implemented as an application (i.e., a program) installed in the terminal or directly installed by the user, It can be recorded on a computer-readable recording medium.

The above description of the present invention is for illustrative purposes only, and those of ordinary skill in the art to which the present invention pertains will be able to understand that other specific forms can be easily modified without changing the technical spirit or essential features of the present invention will be. Therefore, it should be understood that the embodiments described above are illustrative in all respects and not limiting. For example, each component described as a single type may be implemented in a distributed manner, and similarly, components described as being distributed may also be implemented in a combined form.

The scope of the present invention is indicated by the claims to be described later rather than the detailed description, and all changes or modified forms derived from the meaning and scope of the claims and their equivalent concepts should be interpreted as being included in the scope of the present invention. do.

Claims (11)

A user terminal that provides a user's bio data to access a service page through blockchain-based Decentralized Identifier (DID) authentication, operates as a virtual machine, and uses at least one program; And
A database converter that collects bio data from the user terminal and allows access to the service page of the user terminal through FIDO (Fast IDentity Online) based DID authentication, and distributes the bio data to at least one node in the private blockchain. Blockchain unit, a billing unit that executes billing only for the active state of the user terminal using FaaS (Function as a Service) that monitors the use state of the user terminal, and at the user terminal using edge cloud computing A cloud service providing server including an edge management unit for transferring work data from an edge node;
Including,
The cloud service providing server selects and sets a policy to be applied in the cloud based on at least one pre-stored security policy, continuously monitors the network security status with a network map, and provides the PaaS layer and the IaaS layer. It further includes a security center unit that detects threats and blocks brute-force attacks through access to JIT (Just-In-Time) virtual machines,
The cloud service providing server further includes an attack preparation unit providing an active directory that protects against security attacks by providing single sign-on (SSO) and multi-factor authentication to the user terminal,
The attack preparation unit is a cloud with enhanced blockchain-based security, characterized in that it performs Identity and Access Management, Role-Based Access Control, and Intune Mobile Device Management. Service delivery system.
delete delete delete The method of claim 1,
The cloud service providing server,
A subscription management unit that provides at least one type of document editing program and an operating system program;
Including more,
The user terminal is a system for providing a cloud service with enhanced security based on blockchain, characterized in that the user terminal selects and subscribes to any one or a combination of at least one of the at least one type of document editing program and an operating system program.
The method of claim 1,
When access is permitted, the user terminal is connected to one of at least one virtual machine included in the cloud service providing server to perform authentication by interlocking with a private blockchain, and when the authentication is completed, a cloud PC virtual machine is allocated Blockchain-based security-enhanced cloud service providing system, characterized in that receiving.
The method of claim 1,
The cloud service providing server is a cloud service providing system with enhanced security based on a blockchain, characterized in that providing a public cloud-based service.
The method of claim 1,
The user terminal is a cloud service providing system with enhanced security based on a blockchain, characterized in that the user terminal is connected to the cloud service providing server using a 5G communication network and edge computing.
The method of claim 1,
The cloud service providing server,
An allocation unit that allocates any one of at least one cloud computer to the user terminal when access to the user terminal is permitted;
Blockchain-based security-enhanced cloud service providing system comprising a.
The method of claim 1,
The cloud service providing server,
Blockchain-based security-enhanced cloud service providing system, characterized in that it provides at least one type of development platform environment based on PaaS.
In the cloud service providing method executed on the cloud service providing server,
Collecting bio data from a user terminal and receiving a request for issuing a blockchain-based decentralized identifier (DID);
Registering to map and store the bio data in the user terminal in response to the DID issuance request;
Issuing a DID by recording the bio data in at least one node in the private blockchain;
Performing DID authentication based on Fast IDentity Online (FIDO) when the user terminal requests authentication;
Allocating any one of at least one cloud PC as a virtual machine when the DID authentication is completed based on the private blockchain; And
Connecting the allocated cloud PC to the user terminal;
Including,
The cloud service providing server selects and sets a policy to be applied in the cloud based on at least one pre-stored security policy, continuously monitors the network security status with a network map, and provides the PaaS layer and the IaaS layer. It detects threats, blocks brute-force attacks through access to JIT (Just-In-Time) virtual machines,
The cloud service providing server provides an active directory that protects against security attacks by providing single sign-on (SSO) and multi-factor authentication to the user terminal, and access management (Identity and Access Management), role-based access A method of providing a cloud service with enhanced security based on a blockchain, characterized in that it performs Role-Based Access Control and Intune Mobile Device Management.

Images