KR102211698B1 - Global authentication account system - Google Patents

Abstract

A computer program stored in a computer-readable storage medium, according to some embodiments of the present disclosure, wherein the computer program includes instructions for causing a processor of a main authentication server to perform the following steps, the steps: logging in from a client Receiving information; Checking whether the login information is valid when the login information is received; If the login information is valid, generating an authentication token and transmitting the authentication token to the client; Receiving a verification request signal for the authentication token from a server of a specific site; Performing verification on the authentication token in response to the verification request signal; And when the verification of the authentication token is completed, transmitting a verification completion signal to the specific site, and recording the subscription history for the specific site in the blockchain network.

Description

Global authentication account system {GLOBAL AUTHENTICATION ACCOUNT SYSTEM}

The present disclosure relates to a global authentication account system, and more specifically, to a method of joining or leaving a website using a global authentication account of the global authentication account system.

Recently, the 4th Industrial Revolution, the next generation industrial revolution made by the convergence of information and communication technologies, has become an issue. In the existing industry, automation meant passively operating according to a program entered in advance, but in the 4th industrial revolution, it means that machines actively grasp the situation and operate. This fourth industrial revolution is led by artificial intelligence, robot technology, and life science.

Among the technologies of the 4th industrial revolution, Blockchain is attracting attention as a major technology. Blockchain is a technology that provides security as a public transaction ledger. These blockchains are attracting attention, and the Bitcoin platform and ethereum platform, which are blockchain-based cryptocurrency technologies, are also attracting attention.

Bitcoin refers to a cryptocurrency that can record transaction records by blockchain technology, and Ether of Ethereum refers to a cryptocurrency that can record additional information such as contracts as well as transaction technology. In particular, Ethereum is attracting more attention by supporting a smart contract function that can record separate information.

On the other hand, there are various web sites that provide various services online. In order to use various services provided by these various web sites, the user must perform a membership registration procedure for the web sites that provide each service. In this case, it may be difficult for the user to manage IDs and passwords for each web site. In addition, from the standpoint of a web site providing a service, a large cost may be required to manage IDs and passwords of numerous users.

Accordingly, there may be a need in the art for a way to be able to unify the subscription process for various web sites.

Korean Patent Application Publication No. 10-2018-0129027

The present disclosure was devised in response to the above-described background technology, and is to provide a global authentication account system.

The technical problems of the present disclosure are not limited to the technical problems mentioned above, and other technical problems that are not mentioned will be clearly understood by those skilled in the art from the following description.

According to some embodiments of the present disclosure for solving the problems as described above, a computer program stored in a computer-readable storage medium is disclosed. The computer program includes instructions for causing a processor of the main authentication server to perform the following steps, the steps comprising: receiving login information from a client; Checking whether the login information is valid when the login information is received; If the login information is valid, generating an authentication token and transmitting the authentication token to the client; Receiving a verification request signal for the authentication token from a server of a specific site; Performing verification on the authentication token in response to the verification request signal; And when the verification of the authentication token is completed, transmitting a verification completion signal to the specific site, and recording the subscription history for the specific site in the blockchain network.

Further, in response to the verification request signal, performing verification of the authentication token may include: recognizing whether a subscription history for the specific site has been recorded in the blockchain network; And completing verification of the authentication token when the subscription history for the specific site is not recorded in the blockchain network.

In addition, recording the subscription history for the specific site in the blockchain network may include: generating a transaction including information on the specific site and the login information; And causing a plurality of nodes to write the transaction to a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network.

In addition, the login information may include an ID hash value, a first distribution value of a password hash value, and a domain of the specific site.

According to some embodiments of the present disclosure for solving the problems as described above, a computer program stored in a computer-readable storage medium is disclosed. The computer program includes instructions for causing a processor of the main authentication server to perform the following steps, the steps comprising: receiving login information from a client; Receiving an inquiry request signal for inquiring a list of sites to which the client has subscribed, in conjunction with receiving the login information; In response to the inquiry request signal, obtaining a list of sites to which the client is subscribed, recorded in the blockchain network; And transmitting a list of sites to which the client has subscribed to the client.

In addition, the steps may include: receiving a request signal to withdraw from the client for at least one site included in the list of subscribed sites; And in response to the withdrawal request signal, recording the withdrawal history for the at least one site in the blockchain network; may further include.

In addition, the step of receiving an withdrawal request signal for at least one site included in the list of the subscribed sites from the client includes a first authentication token for the main authentication server and a second authentication token for a sub authentication server. Receiving; Verifying the first authentication token; Transmitting the second authentication token to the sub-authentication server to verify the second authentication token; Receiving a verification signal for the second authentication token from the sub-authentication server; And verifying the first authentication token and, when a verification signal for the second authentication token is received from the sub-authentication server, transmitting a withdrawal token to the client.

In addition, in response to the withdrawal request signal, recording the withdrawal history for the at least one site in the blockchain network includes information on the at least one site requesting withdrawal from the list of subscribed sites, and Generating a transaction including the login information; And causing a plurality of nodes to write the transaction to a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network.

In addition, the login information may include a first distribution value of an ID hash value and a password hash value.

According to some embodiments of the present disclosure for solving the problems as described above, a computer program stored in a computer-readable storage medium is disclosed. The computer program includes instructions for causing a processor of a client to perform the following steps, wherein the steps include: obtaining security level information of the client recorded in a blockchain network; Recognizing a security algorithm based on the security level information; Obtaining an ID hash value and a password hash value by hashing the ID and password using the security algorithm; Transmitting login information including the ID hash value and the distribution value of the password hash value to each of a main authentication server and a sub authentication server; Receiving a first authentication token corresponding to the login information from the main authentication server, and receiving a second authentication token corresponding to the login information from the sub authentication server; And transmitting a subscription request signal including the first authentication token and the second authentication token to a server of a specific site.

In addition, the step of transmitting the login information including the distribution value of the password hash value to each of the main authentication server and the sub authentication server includes the ID hash value, the domain of the specific site, and the password hash value to the main authentication server. Transmitting first login information including a first variance value; And transmitting second login information including a second distribution value of the password hash value different from the first distribution value of the ID hash value, the domain of the specific site, and the password hash value to the sub-authentication server. Can include.

According to some embodiments of the present disclosure for solving the problems as described above, a computer program stored in a computer-readable storage medium is disclosed. The computer program includes instructions for causing a processor of a client to perform the following steps, wherein the steps include: login information including an ID hash value and a distribution value of a password hash value to a main authentication server and a sub authentication server, respectively. Transmitting; In conjunction with transmitting the login information to each of the main authentication server and the sub authentication server, an inquiry request signal for inquiring a list of sites to which the client is subscribed is transmitted to at least one of the main authentication server and the sub authentication server. Step to do; Receiving a list of sites to which the client is subscribed from at least one of the main authentication server and the sub authentication server; And transmitting a withdrawal request signal for at least one site included in the list of the subscribed sites to at least one of the main authentication server and the sub authentication server.

In addition, transmitting the login information to each of the main authentication server and the sub-authentication server may include: transmitting first login information including a first distribution value of the ID hash value and the password hash value to the main authentication server; And transmitting second login information including a second distribution value of the password hash value different from the first distribution value of the ID hash value and the password hash value to the sub-authentication server.

In addition, transmitting the withdrawal request signal for at least one site included in the list of the subscribed sites to at least one of the main authentication server and the sub authentication server, the first authentication token of the main authentication server and the sub Transmitting a second authentication token of an authentication server to at least one of the main authentication server and the sub authentication server; And receiving a withdrawal token from at least one of the main authentication server and the sub-authentication server when the verification of each of the first authentication token and the second authentication token is completed in each of the main authentication server and the sub authentication server. It may further include

Technical solutions obtainable in the present disclosure are not limited to the above-mentioned solutions, and other solutions that are not mentioned are clearly to those of ordinary skill in the technical field to which the present disclosure belongs from the following description. It will be understandable.

The present disclosure may provide a method of signing up or leaving a website using a global authentication account of a global authentication account system.

The effects obtainable in the present disclosure are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those of ordinary skill in the art from the following description. .

Various aspects are now described with reference to the drawings, where like reference numbers are used collectively to refer to like elements. In the examples that follow, for illustrative purposes, a number of specific details are presented to provide a thorough understanding of one or more aspects. However, it will be apparent that such aspect(s) may be practiced without these specific details.
FIG. 1 is a diagram illustrating an example of a global authentication account system based on an authentication server, a client, and a blockchain network in which various aspects of the present disclosure may be implemented.
2 is a flowchart illustrating an example of a method of generating a global authentication account according to some embodiments of the present disclosure.
3 is a diagram for describing an example of a global authentication account creation screen displayed on a client according to some embodiments of the present disclosure.
4 is a flowchart illustrating an example of a method of generating a global authentication account corresponding to an account creation request signal received from a client by an authentication server according to some embodiments of the present disclosure.
5 is a flowchart illustrating an example of a method of changing or recovering a password of a global authentication account according to some embodiments of the present disclosure.
6 is a diagram illustrating an example of a password change or recovery screen displayed on a client according to some embodiments of the present disclosure.
7 is a flowchart illustrating an example of a method of applying a new password for a global authentication account by an authentication server according to some embodiments of the present disclosure.
8 is a flowchart illustrating an example of a method of signing up for a specific site using a global authentication account according to some embodiments of the present disclosure.
9 is a diagram for describing an example of a login screen for a global authentication account displayed on a client according to some embodiments of the present disclosure.
10 is a flowchart illustrating an example of a method of performing verification on an authentication token received from a client by an authentication server according to some embodiments of the present disclosure.
11 is a flowchart illustrating an example of a method of leaving a specific site using a global authentication account according to some embodiments of the present disclosure.
12 is a flowchart illustrating an example of a method of transmitting an withdrawal token corresponding to an withdrawal request signal received from a client by an authentication server to a client according to some embodiments of the present disclosure.
13 is a flowchart illustrating an example of a method of transferring a certification authority providing a global authentication service according to some embodiments of the present disclosure.
14 is a flowchart illustrating an additional example of a method of transferring a certification authority providing a global authentication service according to some embodiments of the present disclosure.
15 is a flowchart illustrating an example of a method of changing a security level of a client by a specific authentication server to be transferred according to some embodiments of the present disclosure.
16 is a diagram for explaining an example of a certification authority transfer screen displayed on a client according to some embodiments of the present disclosure.
17 shows a simplified and general schematic diagram of an exemplary computing environment in which some embodiments of the present disclosure may be implemented.

Various embodiments and/or aspects are now disclosed with reference to the drawings. In the following description, for illustrative purposes, a number of specific details are disclosed to aid in an overall understanding of one or more aspects. However, it will also be appreciated by those of ordinary skill in the art that this aspect(s) may be practiced without these specific details. The following description and the annexed drawings set forth in detail certain illustrative aspects of one or more aspects. However, these aspects are exemplary and some of the various methods in the principles of the various aspects may be used, and the descriptions described are intended to include all such aspects and their equivalents. Specifically, as used herein, "an embodiment", "example", "aspect", "example" and the like are not construed as having any aspect or design being better or advantageous than other aspects or designs. May not.

In addition, various aspects and features will be presented by a system that may include one or more devices, terminals, servers, devices, components and/or modules, and the like. The devices, terminals, servers discussed in connection with the drawings, that various systems may include additional devices, terminals, servers, devices, components and/or modules, etc. It should also be understood and appreciated that it may not include all of devices, components, modules, etc.

As used herein, the terms "computer program", "component", "module", "system", etc. may be used interchangeably, and computer-related entities, hardware, firmware, software, combinations of software and hardware, Or it refers to the execution of software. For example, a component may be, but is not limited to, a process executed on a processor, a processor, an object, an execution thread, a program, and/or a computer. For example, both an application running on a computing device and a computing device may be components. One or more components may reside within a processor and/or thread of execution. A component can be localized on a single computer. A component can be distributed between two or more computers.

In addition, these components can execute from a variety of computer readable media having various data structures stored therein. Components can be, for example, via a signal with one or more data packets (e.g., data from one component interacting with another component in a local system, a distributed system, and/or a signal through another system and a network such as the Internet. Depending on the data being transmitted), it may communicate via local and/or remote processes.

Hereinafter, the same or similar components are assigned the same reference numerals regardless of the reference numerals, and redundant descriptions thereof will be omitted. In addition, in describing the embodiments disclosed in the present specification, when it is determined that detailed descriptions of related known technologies may obscure the subject matter of the embodiments disclosed in the present specification, detailed descriptions thereof will be omitted. In addition, the accompanying drawings are for easy understanding of the embodiments disclosed in the present specification, and the technical spirit disclosed in the present specification is not limited by the accompanying drawings.

The terms used in the present specification are for describing exemplary embodiments and are not intended to limit the present disclosure. In this specification, the singular form also includes the plural form unless specifically stated in the phrase. As used in the specification, “comprises” and/or “comprising” do not exclude the presence or addition of one or more other elements other than the mentioned elements.

Although the first, second, etc. are used to describe various devices or components, it is a matter of course that these devices or components are not limited by these terms. These terms are only used to distinguish one device or component from another device or component. Therefore, it goes without saying that the first element or component mentioned below may be a second element or component within the spirit of the present disclosure.

Unless otherwise defined, all terms (including technical and scientific terms) used in the present specification may be used as meanings that can be commonly understood by those of ordinary skill in the art to which this disclosure belongs. In addition, terms defined in a commonly used dictionary are not interpreted ideally or excessively unless explicitly defined specifically.

In addition, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or”. That is, unless specified otherwise or is not clear from the context, "X employs A or B" is intended to mean one of the natural inclusive substitutions. That is, X uses A; X uses B; Or, when X uses both A and B, “X uses A or B” can be applied to either of these cases. In addition, the term "and/or" as used herein should be understood to refer to and include all possible combinations of one or more of the listed related items.

In addition, the terms “information” and “data” as used herein may often be used interchangeably with each other.

The suffixes "module" and "unit" for constituent elements used in the following description are given or used interchangeably in consideration of only the ease of preparation of the specification, and do not have a distinct meaning or role by themselves.

Objects and effects of the present disclosure, and technical configurations for achieving them will become apparent with reference to the embodiments to be described later in detail together with the accompanying drawings. In describing the present disclosure, when it is determined that a detailed description of a well-known function or configuration may unnecessarily obscure the subject matter of the present disclosure, a detailed description thereof will be omitted. In addition, terms to be described later are terms defined in consideration of functions in the present disclosure and may vary according to the intention or custom of users or operators.

However, the present disclosure is not limited to the embodiments disclosed below, and may be implemented in various different forms. The present embodiments are provided only to make the present disclosure complete, and to completely inform the scope of the disclosure to those of ordinary skill in the art to which the present disclosure belongs, and the present disclosure is only defined by the scope of the claims. . Therefore, the definition should be made based on the contents throughout this specification.

The scope of rights to the method in the claims of the present disclosure is generated by the functions and features described in each step, and unless a precedence relationship of the order is specified in each step constituting the method, the claim It is not affected by the order of description of each step in the range. For example, in the claims described in a method including steps A and B, even if step A is described before step B, the scope of rights is not limited to that step A must precede step B. That is, the order of each step of the present disclosure may be changed as necessary, and at least one or more steps may be omitted or added.

FIG. 1 is a diagram illustrating an example of a global authentication account system based on an authentication server, a client, and a blockchain network in which various aspects of the present disclosure may be implemented.

Referring to FIG. 1, the global authentication account system may include an authentication server 100, a client 200, a blockchain network 300, and a network 400. However, since the above-described components are not essential in implementing the global authentication account system, the global authentication account system may have more or fewer components than the components listed above. Here, the global authentication account system refers to a system that provides subscription and withdrawal functions for various sites that provide various services using one account. Additionally, the global authentication account system may protect a user's account with a security level desired by the user, and may provide a function of changing an authentication authority or selecting a plurality of authentication authorities according to the user's selection. In addition, by using the global authentication account system, a user can not only subscribe to a site to use the service, but also provide a function of rejecting (ie, withdrawal) authentication at the subscribed site.

The authentication server 100 may provide a global authentication service for various web sites to which the client 200 wants to join. The authentication server 100 may include a main authentication server 110, a sub authentication server 120, and a specific authentication server 130. However, since the above-described components are not essential to provide a global authentication service, the authentication server 100 may have more or fewer components than those listed above.

A detailed description of a method for the above-described authentication server 100 to provide a global authentication service to the client 200 will be described later in detail with reference to FIGS. 2 to 16.

The authentication server 100 may include any type of computer system or computer device, such as, for example, a microprocessor, a mainframe computer, a digital processor, a portable device and a device controller.

According to some embodiments of the present disclosure, each of the authentication server 100 may include a communication unit, a memory, and a processor. However, the above-described components are not essential in implementing each of the authentication servers 100, and thus, each of the authentication servers 100 may have more or less components than those listed above. Here, each component may be composed of a separate chip, module or device, or may be included in a single device.

The communication unit of the authentication server 100 may include one or more modules that enable communication between the authentication server 100 and the client 200 and between the authentication server 100 and the blockchain network 300. In addition, the communication unit may include one or more modules for connecting the authentication server 100 to one or more networks.

The memory of the authentication server 100 may store a program for the operation of the processor, and may temporarily or permanently store input/output data. The memory of the authentication server 100 is a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (for example, SD or XD memory, etc.). ), RAM (Random Access Memory, RAM), SRAM (Static Random Access Memory), ROM (Read-Only Memory, ROM), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), Magnetic It may include at least one type of storage medium among memory, magnetic disk, and optical disk. The memory of the authentication server 100 may be operated under control of the processor.

The processor of the authentication server 100 typically controls the overall operation of the authentication server 100. The processor of the authentication server 100 provides appropriate information or functions to the user by processing signals, data, information, etc. that are input or output through the above-described components or by running an application program stored in the memory of the authentication server 100 Or you can handle it.

In addition, the processor of the authentication server 100 may control at least some of the components included in the authentication server 100 to run an application program stored in the memory of the authentication server 100. Further, the processor of the authentication server 100 may operate by combining at least two or more of the components included in the authentication server 100 to run the application program.

Meanwhile, the client 200 may be associated with a user who wants to access at least one of the authentication server 100 and the blockchain network 300 in order to subscribe to a specific site through a global authentication service.

Specifically, the client 200 may mean a terminal to which a global authentication service is provided. For example, the client 200 includes a personal computer (PC), a notebook (note book), a mobile terminal, a smart phone, a tablet PC, and a wearable device. It may include, and may include all types of terminals that can access wired/wireless networks. In addition, the client 200 may include any type of computer system or computer device such as a microprocessor, mainframe computer, digital processor, portable device and device controller, and the like.

A detailed description of how the above-described client 200 receives the global authentication service provided by the authentication server 100 will be described later in detail with reference to FIGS. 2 to 16.

In addition, the client 200 may receive a global authentication service provided by the authentication server 100. Specifically, the client 200 accesses the authentication server 100 to download a global authentication service program or application provided by the authentication server 100, and then runs the downloaded global authentication service program or application while online. I can. However, the present invention is not limited thereto, and the client 200 may access the authentication server 100 and receive a global authentication service provided by the authentication server 100.

According to some embodiments of the present disclosure, the client 200 may include a communication unit 210, a memory 220, and a processor 230. However, the above-described components are not essential to implement the client 200, and the client 200 may have more or fewer components than the components listed above. Here, each component may be composed of a separate chip, module or device, or may be included in a single device.

The communication unit 210 of the client 200 may include one or more modules that enable communication between the client 200 and the authentication server 100 and between the client 200 and the blockchain network 300. In addition, the communication unit 210 may include one or more modules that connect the client 200 to one or more networks.

The memory 220 of the client 200 may store a program for the operation of the processor 230 and may temporarily or permanently store input/output data. The memory 220 is a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (for example, SD or XD memory), and RAM. (Random Access Memory, RAM), SRAM (Static Random Access Memory), ROM (Read-Only Memory, ROM), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), magnetic memory, magnetic It may include at least one type of storage medium among disks and optical disks. The memory 220 may be operated under control of the processor 230.

The processor 230 of the client 200 typically controls the overall operation of the client 200. The processor 230 may provide or process appropriate information or functions to a user by processing signals, data, information, etc. that are input or output through the above-described components or by driving an application program stored in the memory 220.

In addition, the processor 230 may control at least some of the components described with reference to FIG. 1 in order to drive the application program stored in the memory 220. Further, the processor 230 may operate by combining at least two or more of the components included in the client 200 to drive the application program.

Since the client 200 has a display, it can receive a user's input and provide an arbitrary type of output to the user in receiving a global authentication service.

The client 200 according to some embodiments of the present disclosure may issue a query or a transaction with at least one of the authentication server 100 and the blockchain network 300. The query in the present disclosure can be used to inquire account information for the global authentication account recorded on the blockchain network 300. The transaction in the present disclosure may be used to perform an update (modification/change/delete/add) on data recorded on the blockchain network 300.

In some embodiments of the present disclosure, the blockchain network 300 may mean a plurality of nodes operating based on blockchain technology. That is, the blockchain network 300 may include a plurality of nodes. Here, the blockchain technology is a distributed storage technology that stores data to be managed in a plurality of nodes constituting a blockchain network using a storage structure in which blocks are connected in a chain form.

The blockchain network 300 may store a transaction transmitted from the client 200 and/or the authentication server 100 in a block form based on a predetermined consensus algorithm. Data stored in a block form may be shared by a plurality of nodes constituting the blockchain network 300.

In some exemplary embodiments of the present disclosure, nodes in the blockchain network 300 may operate by a blockchain core package according to a hierarchical structure. The hierarchical structure is: a data layer that defines the structure of data handled by the blockchain network 300 and manages the data, a fee paid to miners during the mining process, performing mining to verify the validity of blocks and generating blocks A consensus layer in charge of processing of, an execution layer that processes and executes smart contracts, a common layer that implements and manages P2P network protocols, hash functions, digital signatures, encoding and common storage, and various applications are created, processed and managed. It can include an application layer.

Blockchain network 300 may include a plurality of nodes. In addition, at least one node included in the blockchain network 300 may receive a transaction from the client 200 and/or the authentication server 100. In this case, each of a plurality of nodes included in the blockchain network 300 may verify a transaction through a consensus algorithm and generate a block. In addition, each of the plurality of nodes may record a transaction in the generated block.

The client 200 and/or the authentication server 100 may operate as a node constituting the blockchain network 300. In this example, the client 200 and/or the authentication server 100 may implement at least one of a wallet function, a minor function, and a full blockchain data storage function. For example, when the client 200 and/or the authentication server 100 includes only a wallet function, it may operate as a node (eg, a Simplified Payment Verification (SPV) node) that performs transaction and validation.

The term “node” used in the present disclosure may be any type of computing device such as a server or terminal capable of exchanging data with at least one of “authentication server”, “client” and “blockchain network”. However, the present invention is not limited thereto, and the node may be any device capable of exchanging data between a plurality of nodes.

According to some embodiments of the present disclosure, a plurality of nodes included in the block chain network 300 may include a full block chain node and a light weight node.

A full block chain node can contain all block information from the first block of the block chain to a block that is currently newly created. In addition, the full blockchain node collects and stores all blockchain information, and can verify the received block to add a new block.

The lightweight node does not have the original of all block information, and may include only header information. In order for the lightweight node to verify the transaction, it can perform Simple Payment Verify (SPV).

For example, a lightweight node can request block information from a full blockchain node, and the authentication content of a transaction can be verified through Merkle Root.

However, for convenience of explanation, a plurality of nodes included in the blockchain network 300 may be described below assuming that they are full blockchain nodes.

The term “block” used in the present disclosure is a unit stored in a block chain network, and may form a block chain by being connected to adjacent blocks. When the information of the authentication server 100, the information of the client 200, and the content related to the information of the blockchain network 300 are issued as a transaction to the blockchain network, the transaction can be included in the block and recorded in the blockchain network. have. Depending on the settings of the blockchain network, the right to read, the right to consensus and/or the right to verify the data stored in the block can be determined.

A plurality of nodes included in the blockchain network 300 may share and store generated transactions and/or smart contracts through the network. In addition, a plurality of nodes can perform a function of recording a transaction in a block when the verification of the transaction and/or smart contract is completed through the consensus algorithm of the blockchain technology.

The blockchain network 300 may include a public blockchain network in which arbitrary nodes can perform consensus operations or a private blockchain network in which only predetermined nodes can perform consensus operations, depending on the implementation form. .

According to some embodiments of the present disclosure, the consensus algorithm performed in the blockchain network 300 is: PoW (Proof of Work) algorithm, PoS (Proof of Stake) algorithm, DPoS (Delegated Proof of Stake) algorithm, PBFT (Practical Byzantine Fault Tolerance) algorithm, Delegated Byzantine Fault Tolerance (DBFT) algorithm, Redundant Byzantine Fault Tolerance (RBFT) algorithm, Sieve algorithm, Tendermint algorithm, Paxos algorithm, Raft algorithm, PoA (Proof of Authority) algorithm and/or PoET (Proof of Elapsed Time) algorithm may be included.

Meanwhile, a block chain network structure according to some embodiments of the present disclosure may be of a public type or a private type. In the case of a public blockchain network, there is a disadvantage of inefficient in terms of consensus time, transaction processing speed, and efficiency of use of computing resources, as all nodes must perform verification in order to verify a transaction. Because it is possible, there may be advantages in the transparency and integrity of the stored data. In addition, in the case of a private (or consortium) block chain, since the operating entity is clear, there is an advantage of being efficient in terms of consensus time, transaction processing speed, and efficiency of use of computing resources, but transparency about the transaction processing process and results. There may be advantages in terms of

The consensus algorithm in some embodiments of the present disclosure may be a private or consortium-type blockchain network, but is not limited thereto, in order to improve the user experience through efficient use of computing resources and increase in transaction processing speed. Depending on the implementation, public type may be used as the consensus algorithm when it is desired to further emphasize the transparency of transactions or smart contracts.

Meanwhile, each of the authentication server 100, the client 200, and the blockchain network 300 may mutually transmit and receive data for the global authentication account system according to some embodiments of the present disclosure through the network 400. .

Network 400 according to some embodiments of the present disclosure is a public switched telephone network (PSTN), x Digital Subscriber Line (xDSL), Rate Adaptive DSL (RADSL), Multi Rate DSL (MDSL), VDSL ( Various wired communication systems such as Very High Speed DSL), Universal Asymmetric DSL (UADSL), High Bit Rate DSL (HDSL), and local area network (LAN) can be used.

In addition, the network 400 presented here is CDMA (Code Division Multi Access), TDMA (Time Division Multi Access), FDMA (Frequency Division Multi Access), OFDMA (Orthogonal Frequency Division Multi Access), SC-FDMA (Single Carrier- FDMA) and other systems can be used.

The network 400 according to the embodiments of the present disclosure may be configured regardless of its communication mode, such as wired and wireless, and various types of short-range communication networks (PAN), local area networks (WAN: Wide Area Network), etc. It can be configured as a communication network. In addition, the network may be a known World Wide Web (WWW), and may use a wireless transmission technology used for short-range communication such as infrared (IrDA) or Bluetooth.

The techniques described in this disclosure may be used not only in the networks mentioned above, but also in other networks.

Various embodiments described herein may be implemented in a recording medium and a storage medium that can be read by a computer or a similar device using, for example, software, hardware, or a combination thereof.

According to hardware implementation, the embodiments described herein include application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), The present disclosure may be implemented using at least one of processors, controllers, micro-controllers, microprocessors, and electrical units for performing other functions. The embodiments described in may be implemented by the processor 230 of the client 200 and/or the processor of the authentication server 100 itself.

According to software implementation, embodiments such as procedures and functions described in the present disclosure may be implemented as separate software modules. Each of the software modules may perform one or more functions and operations described herein. The software code can be implemented as a software application written in an appropriate programming language. The software code is stored in the memory 220 of the client 200 and/or the memory of the authentication server 100, and can be executed by the processor 230 of the client 200 and/or the processor of the authentication server 100. have.

2 is a flowchart illustrating an example of a method of generating a global authentication account according to some embodiments of the present disclosure.

Referring to FIG. 2, the processor 230 of the client 200 may transmit a subscription request signal for the global authentication service to the main authentication server 110 (S110).

Meanwhile, in response to receiving the subscription request signal, the main authentication server 110 may transmit an identity authentication request signal for the client to the identity authentication service providing server 500 (S120).

Here, the identity authentication service providing server 500 may perform identity authentication of the client 200. In addition, the identity authentication service providing server 500 may provide the main authentication server 110 whether or not the client 200 authenticates itself. For example, the identity authentication service providing server 500 may be a mail server or a communication company server.

The identity authentication service providing server 500 may perform an identity authentication service for a client in response to the identity authentication request signal. Specifically, the identity authentication service providing server 500 may transmit a signal requesting identity authentication information to the client 200. In addition, when the identity authentication service providing server 500 receives identity authentication information from the client 200, it may recognize that identity authentication of the client 200 is completed.

For example, the identity authentication service providing server 500 may be a mail server. In this case, the identity authentication service providing server 500 (here, the mail server) may transmit the identity authentication mail to the mail account of the client 200. The client 200 may transmit the identity authentication information to the identity authentication service providing server 500 (here, the mail server) in response to the identity authentication mail transmitted to the mail account of the client 200.

As another example, the identity authentication service providing server 500 may be a communication company server. In this case, the user authentication service providing server 500 (here, the communication company server) may transmit the user authentication message to the communication company account (eg, mobile phone number) of the client 200. The client 200 may transmit the identity authentication information to the identity authentication service providing server 500 (here, the service provider server) in response to the identity authentication message transmitted to the telecommunication company account of the client 200.

That is, the identity authentication service providing server 500 may complete identity authentication of the client 200 through identity authentication information transmitted by the client 200 in response to a signal requesting identity authentication information.

In addition, the identity authentication service providing server 500 may transmit a first signal indicating whether the client 200 has completed identity authentication to the main authentication server 110 (S130).

Specifically, the server 500 for providing an identity authentication service may transmit a first signal including a first identifier indicating that identity authentication is completed to the main authentication server 110 when identity authentication of the client 200 is completed. In addition, the server 500 for providing an identity authentication service may transmit a first signal including a second identifier indicating that identity authentication has failed to the main authentication server 110 when identity authentication of the client 200 fails.

Meanwhile, the main authentication server 110 may recognize that authentication of the client 200 has been completed based on the first signal (S140).

Specifically, the main authentication server 110 may recognize whether the identity of the client 200 has been authenticated according to an identifier related to whether or not the identity of identity has been authenticated included in the first signal. More specifically, when the first signal includes the first identifier indicating that the user authentication has been completed, the main authentication server 110 may recognize that the user authentication for the client 200 has been completed. In addition, the main authentication server 110 may recognize that the identity authentication for the client 200 has not been completed when the first signal includes a second identifier indicating that identity authentication has failed.

On the other hand, the client 200 may acquire account information of a global authentication account to be newly created through the account creation screen. Further, the client 200 may transmit an account creation request signal including account information to the main authentication server 110 (S150).

A description of a method of acquiring the account information of the global authentication account that the client 200 wants to create newly through the account creation screen will be described in detail later with reference to FIG. 3.

The main authentication server 110 may receive an account creation request signal from the client 200 after it is recognized that identity authentication of the client 200 has been completed (S150). Here, the account creation request signal may include information on an ID, a password hash value obtained by hashing a password, information on a security level of the password, and information on a selected authentication authority. Here, the security level may mean the security level of a security algorithm used when hashing the ID and password of the global authentication account. Specifically, the security level may mean at least one security level among SHA (Secure Hash Algorithm) functions. For example, the security level may mean the security level of at least one SHA function among SHA-128, SHA-256, and SHA-512.

Then, the main authentication server 110 may create a global authentication account corresponding to the account creation request signal (S160). Here, the global authentication account may mean an account that subscribes to the global authentication account system. Specifically, only one global authentication account may be created for each user (ie, for each client), and may be managed from a plurality of authentication servers 100. Meanwhile, a user may be provided with a function of signing up or withdrawing from various sites that provide various services using one global account.

A description of a method of generating a global authentication account corresponding to the account creation request signal by the above-described main authentication server 110 will be described later in detail with reference to FIG. 4.

According to some embodiments of the present disclosure, the main authentication server 110 may record account information on the generated global authentication account in the blockchain network 300 (S170).

Specifically, the main authentication server 110 may generate a transaction including account information. In addition, the main authentication server 110 may cause a plurality of nodes to record the transaction in a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network 300.

Each of the plurality of nodes included in the blockchain network 300 may check whether the main authentication server 110 sent the transaction by using the signature data included in the transaction. In addition, each of the plurality of nodes included in the blockchain network 300 may record a transaction in a block based on the consensus algorithm when the main authentication server 110 recognizes that it is correct to send the transaction.

The transaction may include a transaction input value including identification information generated from the private key. In addition, the transaction may include a transaction output value including address information in the blockchain network 300 in which a transaction including account information is to be stored.

Specifically, the transaction is a consensus algorithm when any one node among a plurality of nodes included in the blockchain network 300 extracts a nonce value that satisfies a preset condition, and when the nonce value is recognized as valid in each of the plurality of nodes. It can be recognized that it has been verified through. Here, the preset condition may be satisfied when the hash value of the block generated when the information stored in the header of the block and the nonce value are converted through a hash algorithm is less than the difficulty value of the block.

As described above, since the block chain network 300 records a transaction including account information in a block using the consensus algorithm of the block chain technology, forgery or alteration of account information can be prevented.

As described above, a transaction including account information of the client 200 may be stored in the blockchain network 300. Additionally, in the blockchain network 300, a transaction including information on a device and country in which the global authentication account of the client 200 is frequently used may be stored. In addition, a transaction including information on the creation date of the global authentication account of the client 200 may be stored in the blockchain network 300.

3 is a diagram for describing an example of a global authentication account creation screen displayed on a client according to some embodiments of the present disclosure.

First, as described above in the description of FIG. 2, the processor 230 of the client 200 may control the communication unit 210 to transmit a subscription request signal to the main authentication server 110. Thereafter, the processor 230 may receive a signal requesting the identity authentication information from the identity authentication service providing server 500 through the communication unit 210. In addition, the processor 230 may control the communication unit 210 to transmit the identity authentication information to the identity authentication service providing server 500 in response to a signal requesting the identity authentication information.

Referring to FIG. 3, the processor 230 controls the communication unit 210 to transmit the identity authentication information to the identity authentication service providing server 500, and then outputs an account creation screen 10 as shown in FIG. You can control the display to do so. Here, the account creation screen 10 is a screen in which user interaction is possible, and a user may input account information on a global authentication account to be newly created through a specific button or keyboard.

According to some embodiments of the present disclosure, the account creation screen 10 may include a certification authority list 11, a security level area 12, and a password input area 13. However, since the above-described elements are not essential for implementing the account creation screen 10, the account creation screen 10 may have more or fewer elements than the elements listed above.

The certification authority list 11 may include the name of the certification body, a button for selecting a self-certification method for the certification body, and a contact input area to be registered with the certification body.

Specifically, the certification authority list 11 includes the name of the first certification authority (eg, Google), a button for selecting a personal authentication method to be used by the first certification authority (eg, a button to select between e-mail and SMS), and a first certification authority. It may include a contact (eg, email or mobile phone number) input area to be registered in.

In addition, the certification authority list 11 includes the name of a second certification authority different from the first certification authority (e.g., Facebook), a button for selecting a personal authentication method to be used by the second certification authority, and a contact input area to be registered with the second certification authority. Can include.

That is, as shown in Fig. 3, the certification authority list 11 includes the names of certification bodies for each of a plurality of certification bodies, a button for selecting a self-certification method for each of the plurality of certification bodies, and registration with each of the plurality of certification bodies. It may include a contact input area.

The security level area 12 may include a button for selecting the number of required authentications and a button for selecting a security level.

Specifically, when using the global authentication service, the security level area 12 is a mandatory authentication number selection button for selecting the number of authentication authorities to be required to perform authentication among a plurality of authentication authorities included in the authentication authority list 11 It may include.

That is, the security level area 12 may include a selection button for selecting a number within the number of certification authorities included in the certification authority list 11 described above. For example, the security level area 12 may include a button for selecting a required number of authentications to select one of 1 to 3 when three authentication authorities exist in the authentication authority list 11.

Here, the number of required authentications may mean the number of authentication authorities that must be logged in among a plurality of authentication authorities when the client 200 uses a global authentication account to subscribe or withdraw from a specific site. .

For example, when the number of required authentications is two, the client 200 may register or leave a specific site using at least two authentication tokens. Here, the at least two authentication tokens transmit login information to servers of at least two of the authentication authorities selected by the client 200 (i.e., authentication server), and if the login information is valid, the at least two authentications It can be received from each of the organizations.

In addition, the security level area 12 may include a security level selection button for selecting a security level of a security algorithm used when hashing an ID and password of a global authentication account. Specifically, the security level area 12 may include a security level selection button for selecting at least one of SHA (Secure Hash Algorithm) functions.

For example, as shown in FIG. 3, the security level area 12 may include a security level selection button for selecting at least one SHA function among SHA-128, SHA-256, and SHA-512.

In addition, the account creation screen 10 may include a password input area 13. Specifically, the password input area 13 may include a first password input area and a second password input area.

Meanwhile, the processor 230 of the client 200 may recognize each of the password input to the first password input area and the password input to the second password input area. Further, the processor 230 may complete the input of the account creation information only when the password input to the first password input area and the password input to the second password input area match. That is, when the password input in the first password input area and the password input in the second password input area match, the processor 230 activates the confirmation button of the account creation screen 10 and enters the first password input area. When the input password and the password input in the second password input area are different, the display may be controlled to output by deactivating the confirmation button of the account creation screen 10.

In addition, the processor 230 of the client 200 activates the confirmation button of the account creation screen 10 when all account information for the global authentication account to be newly created is normally entered on the account creation screen 10 described above. You can control the display to output.

In addition, the processor 230 of the client 200 may recognize an input to the confirmation button after controlling the display to activate and output the confirmation button.

The processor 230 may transmit an account creation request signal including account information on a global authentication account to be newly created to the main authentication server 110 in conjunction with recognizing the input to the confirmation button. Here, the main authentication server 110 may be an authentication server (eg, Google server) corresponding to the first authentication authority among the authentication authorities included in the above-described authentication authority list 11.

The account creation screen 10 described above is only a few examples to aid understanding of the present disclosure, and the present disclosure is not limited thereto.

4 is a flowchart illustrating an example of a method of generating a global authentication account corresponding to an account creation request signal received from a client by an authentication server according to some embodiments of the present disclosure.

Referring to FIG. 4, the main authentication server 110 transmits an account creation request signal including information on an ID, a password hash value obtained by hashing a password, information on a security level of a password, and information on a selected authentication authority. 200) can be received (S161).

In this case, the main authentication server 110 may distribute the password hash value based on the information on the selected authentication authority (S162).

Specifically, the main authentication server 110 may recognize the number of selected authentication authorities based on information on the selected authentication authority. In addition, the main authentication server 110 may divide the password hash value by the number of selected authentication authorities. Here, the information on the selected certification authority may include information on the main certification authority corresponding to the main authentication server 110 and information on the sub certification authority corresponding to the sub authentication server 120.

For example, the main authentication server 110 may recognize that the number of selected authentication authorities is two based on information on the selected authentication authority. In addition, the main authentication server 110 may divide the password hash value into two, which is the number of selected authentication authorities.

The main authentication server 110 may transmit the divided password hash value to each of the plurality of authentication authorities so that the password hash value is distributed and stored in a plurality of authentication authorities included in the information on the selected authentication authority (S163).

Specifically, the main authentication server 110 may store the first distributed value of the password hash value in the memory of the main authentication server 110 corresponding to the main authentication authority included in the information on the selected authentication authority. In addition, the main authentication server 110 may transmit a second distribution value different from the first distribution value of the password hash value to the sub authentication server 120 corresponding to the sub authentication authority included in the information on the selected authentication authority.

Meanwhile, the sub authentication server 120 may store the second distributed value of the password hash value received from the main authentication server 110 in the memory of the sub authentication server 120.

Here, the password hash value may match a value obtained by connecting the first variance value and the second variance value. For example, when the password hash value is'abcdefgh', the first variance value may be'abcd' and the second variance value may be'efgd'. Accordingly, when the first variance value'abcd' and the second variance value'efgh' are connected, the password hash value'abcdefgh' may be matched.

That is, since the plurality of authentication servers 100 divide and store the password hash value, even if any one authentication server receives a hacking attack, the security of the password of the client 200 can be guaranteed.

5 is a flowchart illustrating an example of a method of changing or recovering a password of a global authentication account according to some embodiments of the present disclosure.

Referring to FIG. 5, the processor 230 of the client 200 may control the communication unit 210 to transmit a password change request signal or an account recovery signal to the main authentication server 110 (S210).

Specifically, the processor 230 of the client 200 may obtain account information on the global authentication account of the client 200 recorded in the blockchain network 300 through the communication unit 210. Here, the account information may include information on the selected authentication authority.

Further, the processor 230 of the client 200 controls the communication unit 210 to transmit a password change request signal or an account recovery signal to a plurality of authentication servers corresponding to a plurality of authentication authorities included in the information on the selected authentication authority. can do.

Meanwhile, the main authentication server 110 may transmit an identity authentication request signal for the client 200 to the identity authentication service providing server 500 in response to receiving a password change request signal or an account recovery signal (S220). .

On the other hand, in response to receiving the password change request signal or the account recovery signal, the sub-authentication server 120 may also transmit an identity authentication request signal to the client 200 to the identity authentication service providing server 500.

Specifically, each of the main authentication server 110 and the sub authentication server 120 is based on an identity authentication method (eg, email or SMS) included in the account information for the global authentication account of the client 200 The providing server 500 may transmit an identity authentication request signal for the client 200.

For example, the main authentication server 110 may transmit an identity authentication request signal to the client 200 to the mail server when the main authentication server 110's identity authentication method included in the account information is mail. In addition, the sub-authentication server 120 may transmit an identity authentication request signal to the client 200 to the communication company server when the identity authentication method of the sub-authentication server 120 included in the account information is SMS. Here, each of the mail server and the communication company server may be an identity authentication service providing server 500.

Meanwhile, the identity authentication service providing server 500 may perform identity authentication of the client 200. In addition, the identity authentication service providing server 500 may provide the main authentication server 110 whether or not the client 200 authenticates itself.

Specifically, the identity authentication service providing server 500 may transmit a signal requesting identity authentication information to the client 200. In addition, when the identity authentication service providing server 500 receives identity authentication information from the client 200, it may recognize that identity authentication of the client 200 is completed.

For example, the identity authentication service providing server 500 may be a mail server. In this case, the identity authentication service providing server 500 (here, the mail server) may transmit the identity authentication mail to the mail account of the client 200. The client 200 may transmit the identity authentication information to the identity authentication service providing server 500 (here, the mail server) in response to the identity authentication mail transmitted to the mail account of the client 200.

As another example, the identity authentication service providing server 500 may be a communication company server. In this case, the user authentication service providing server 500 (here, the communication company server) may transmit the user authentication message to the communication company account (eg, mobile phone number) of the client 200. The client 200 may transmit the identity authentication information to the identity authentication service providing server 500 (here, the service provider server) in response to the identity authentication message transmitted to the telecommunication company account of the client 200.

That is, the identity authentication service providing server 500 may complete identity authentication of the client 200 through identity authentication information transmitted by the client 200 in response to a signal requesting identity authentication information.

Then, the identity authentication service providing server 500 may transmit a first signal indicating whether the client 200 has completed identity authentication to the main authentication server 110 and the sub authentication server 120 (S230).

Meanwhile, the main authentication server 110 may recognize that authentication of the client 200 is completed based on the first signal (S240).

According to some other embodiments of the present disclosure, when receiving a password change request signal or an account recovery signal from the client 200, the main authentication server 110 corresponds to the main authentication server 110 when creating a global authentication account. Thus, the contact information of the registered client 200 can be recognized. In addition, the main authentication server 100 may transmit a security code to a contact (eg, an email address or a mobile phone number) of the client 200 to authenticate the client 200. Here, the security code may be, for example, One Time Password (OTP). That is, the security code may mean a combination of specific characters and/or numbers temporarily generated for the client 200's identity authentication.

Meanwhile, the client 200 that has received the security code from the main authentication server 110 may perform identity authentication by transmitting the security code to the main authentication server 110.

That is, the main authentication server 110 transmits the first security code to the contact information of the client 200 and, when receiving the first security code sent from the client again, recognizes that the identity of the client 200 is completed. can do.

And, when the sub-authentication server 120 also receives a password change request signal or an account recovery signal from the client 200, when creating a global authentication account, the registered client 200 corresponding to the main authentication server 110 Contact information can be recognized. In addition, the main authentication server 100 may transmit a security code to a contact (eg, an email address or a mobile phone number) of the client 200 to authenticate the client 200.

Meanwhile, the client 200 receiving the security code from the sub-authentication server 120 may perform identity authentication by transmitting the security code to the sub-authentication server 120.

And, the sub-authentication server 120 transmits the second security code to the contact information of the client 200, and when the second security code sent from the client is received again, it recognizes that the identity of the client 200 is completed. can do.

After the client 200 completes authentication, the processor 230 of the client 200 may obtain a new password for the global authentication account through the password change screen or the account recovery screen. Also, the client 200 may hash a new password to obtain a new password hash value.

A description of a method of obtaining a new password for the global authentication account through the password change screen or the account recovery screen by the above-described client 200 will be described later in detail with reference to FIG. 6.

Specifically, the processor 230 of the client 200 may recognize the security level information included in the account information obtained from the blockchain network 300 through the communication unit 210. Also, the processor 230 of the client 200 may recognize a security algorithm based on the security level information. In addition, the processor 230 of the client 200 may obtain a new password hash value by hashing a new password using a security algorithm.

The processor 230 of the client 200 may control the communication unit 210 to transmit a new password hash value to each of the main authentication server 110 and the sub authentication server 120 (S250).

According to some other embodiments of the present disclosure, the processor 230 of the client 200 may receive a security code for identity authentication from each of the main authentication server 110 and the sub authentication server 120 through the communication unit 210. I can. In this case, the processor 230 of the client 200 may transmit the security code to each of the main authentication server 110 and the sub authentication server 120 and transmit the above-described new password hash value.

That is, the processor 230 of the client 200 uses the main authentication server 110 and the sub authentication server 120, respectively, for a security code and a new password to be applied to the global authentication account when authentication is completed. The communication unit 210 may be controlled to transmit a new password hash value together.

According to still another embodiment of the present disclosure, the processor 230 of the client 200 receives a security code from each of the main authentication server 110 and the sub authentication server 120 through the communication unit 210 can do. In this case, the processor 230 of the client 200 may control the communication unit 210 to transmit the security code to the main authentication server 110 and the sub authentication server 120, respectively, to perform identity authentication. Then, the processor 230 of the client 200 may control the communication unit 210 to transmit the above-described new password hash value to each of the main authentication server 110 and the sub authentication server 120 after performing identity authentication. I can.

Meanwhile, each of the main authentication server 110 and the sub authentication server 120 may apply a new password hash value received from the client 200 for which identity authentication has been completed to the global authentication account of the client 200 (S260).

A description of how the above-described main authentication server 110 applies the new password hash value received from the client 200 to the global authentication account of the client 200 will be described later in detail with reference to FIG. 7.

In the description of FIG. 5 described above, in order to help understanding the present disclosure, the client 200 transmits a password change request signal or an account recovery request signal to the main authentication server 110 and the sub authentication server 120, It was described as performing a change or account recovery. However, it is not limited to the above-described example, and the client 200 transmits a change request signal or an account recovery request signal to each of a plurality of authentication servers selected when creating a global authentication account, and performs password change or account recovery. can do.

6 is a diagram illustrating an example of a password change or recovery screen displayed on a client according to some embodiments of the present disclosure.

First, as described above in the description of FIG. 5, when the main authentication server 110 receives a password change request signal or an account recovery signal from the client 200, the main authentication server 110 generates a global authentication account. The contact information of the registered client 200 may be recognized in response to. In addition, the main authentication server 100 may transmit a security code to a contact (eg, an email address or a mobile phone number) of the client 200 to authenticate the client 200. Here, the security code may be, for example, One Time Password (OTP). That is, the security code may mean a combination of specific characters and/or numbers temporarily generated for the client 200's identity authentication.

When the sub-authentication server 120 also receives a password change request signal or an account recovery signal from the client 200, contact information of the client 200 registered in response to the main authentication server 110 when creating a global authentication account Can be recognized. In addition, the main authentication server 100 may transmit a security code to a contact (eg, an email address or a mobile phone number) of the client 200 to authenticate the client 200.

Meanwhile, the processor 230 of the client 200 may receive a security code from each of the main authentication server 110 and the sub authentication server 120 through the communication unit 210 for self authentication. In this case, the processor 230 of the client 200 may transmit the security code to each of the main authentication server 110 and the sub authentication server 120 and transmit the above-described new password hash value.

Referring to FIG. 6, the processor 230 of the client 200 outputs a password change screen 20 or an account recovery screen 20 as shown in FIG. 6 when a signal indicating password change or account recovery is received. You can control the display to do so. Here, the password change screen 20 or the account recovery screen 20 is a screen in which user interaction is possible, and a user can input a new password through a specific button or keyboard. That is, the processor 230 of the client 200 may obtain a new password for the global authentication account through the password change screen 20 or the account recovery screen 20.

According to some embodiments of the present disclosure, the password change screen 20 or the account recovery screen 20 may include a certification authority list 21 and a new password input area 22. However, the above-described components are not essential in implementing the password change screen 20 or the account recovery screen 20, so the password change screen 20 or the account recovery screen 20 is more than the above-listed components. It may have many or fewer components.

The certification authority list 21 may include the name of the certification authority, a sending button for sending a security code to the certification authority, and a security code input area to be sent to the certification authority.

Specifically, the certification authority list 21 may include the name of the first certification authority (eg, Google), a send button for sending a security code to the first certification authority, and a security code input area to be sent to the first certification authority. have. Here, the security code input area to be sent to the first authentication authority may receive the security code received from the first authentication authority from the user. Then, when the input of the security code received from the first certification authority is completed, it is possible to recognize the input of the send button for sending the security code to the first certification authority.

In addition, the certification authority list 21 includes the name of a second certification authority different from the first certification authority (e.g., Facebook), a send button for sending a security code to the second certification authority, and a security code to be sent to the second certification authority. It can include areas. Here, the security code input area to be sent to the second authentication authority may receive a security code received from the second authentication authority from the user. Then, when the input of the security code received from the second certification authority is completed, an input of a send button for sending the security code to the second certification authority may be received.

Here, the security code input to the security code input area may be different for each authentication authority. For example,'A2DS5F' may be input in the security code input area to be sent to the first certification authority, and'ERS7FG' may be input in the security code input area to be sent to the second certification authority.

In addition, the password change screen 20 or the account recovery screen 20 may include a new password input area 22. Specifically, the new password input area 22 may include a first password input area and a second password input area.

Meanwhile, the processor 230 of the client 200 may recognize each of the password input to the first password input area and the password input to the second password input area. Further, the processor 230 may complete the input of the account creation information only when the password input to the first password input area and the password input to the second password input area match. That is, when the password input in the first password input area and the password input in the second password input area match, the processor 230 activates the confirmation button on the password change screen 20 or the account recovery screen 20, and , If the password input to the first password input area and the password input to the second password input area are different, the display can be controlled to output by deactivating the confirmation button on the password change screen 20 or the account recovery screen 20. have.

In addition, the processor 230 of the client 200 completes the transmission of the security code to each of the plurality of authentication authorities through the password change screen 20 or the account recovery screen 20 described above, and enters the first password input area. When the input password and the password input in the second password input area match, the display may be controlled to activate and output a confirmation button of the password change screen 20 or the account recovery screen 20.

In addition, the processor 230 of the client 200 may recognize an input to the confirmation button after controlling the display to activate and output the confirmation button.

The processor 230 of the client 200 may transmit a new password hash value to each of the main authentication server 110 and the sub authentication server 120 in conjunction with recognizing the input to the confirmation button. Here, the main authentication server 110 may be an authentication server (eg, Google server) corresponding to the first authentication authority among the authentication authorities included in the above-described authentication authority list 21. In addition, the sub-authentication server 120 may be an authentication server (eg, a Facebook server or an Ahnlab server) corresponding to a certification authority other than the first among the certification authorities included in the certification authority list 21 described above.

The above-described password change screen 20 or account recovery screen 20 are only some examples to aid understanding of the present disclosure, and the present disclosure is not limited thereto.

7 is a flowchart illustrating an example of a method of applying a new password for a global authentication account by an authentication server according to some embodiments of the present disclosure.

Referring to FIG. 7, the main authentication server 110 may receive a new password hash value from the client 200 whose identity authentication has been completed. In addition, the main authentication server 110 may apply a new password hash value to account information for the global authentication account of the client 200.

Specifically, the main authentication server 110 may recognize information on the selected authentication authority based on the account information on the global authentication account of the client 200 recorded in the blockchain network 300 (S261). Here, the account information may include information on an ID hash value, information on a security level of a password, and information on a selected authentication authority.

Then, the main authentication server 110 may recognize whether the main authentication authority corresponding to the main authentication server 110 is the selected authentication authority, based on the information on the selected authentication authority (S262).

When the main authentication server 110 recognizes that the main authentication authority corresponding to the main authentication server 110 is the selected authentication authority (S263, Yes), based on the information on the selected authentication authority, the main authentication server 110 divides a new password hash value. Can be (S262).

For example, the information on the selected certification authority may include information on a main certification authority corresponding to the main authentication server 110 and information on a sub certification authority corresponding to the sub authentication server 120. In this case, the main authentication server 110 may recognize that the number of selected authentication authorities is two based on the information on the selected authentication authority. In addition, the main authentication server 110 may divide the password hash value into two, which is the number of selected authentication authorities.

In addition, the main authentication server 110 may transmit the divided new password hash value to each of the plurality of authentication authorities so that the new password hash value is distributed and stored in a plurality of authentication authorities included in the information on the selected authentication authority (S263). ).

Specifically, the main authentication server 110 may store the first distributed value of the password hash value in the memory of the main authentication server 110 corresponding to the main authentication authority included in the information on the selected authentication authority. In addition, the main authentication server 110 may transmit a second distribution value different from the first distribution value of the password hash value to the sub authentication server 120 corresponding to the sub authentication authority included in the information on the selected authentication authority.

Meanwhile, the sub authentication server 120 may store the second distributed value of the password hash value received from the main authentication server 110 in the memory of the sub authentication server 120.

Here, the password hash value may match a value obtained by connecting the first variance value and the second variance value. For example, when the password hash value is'abcdefgh', the first variance value may be'abcd' and the second variance value may be'efgd'. Accordingly, when the first variance value'abcd' and the second variance value'efgh' are connected, the password hash value'abcdefgh' may be matched.

That is, since the plurality of authentication servers 100 divide and store the password hash value, even if any one authentication server receives a hacking attack, the security of the password of the client 200 can be guaranteed.

When the main authentication server 110 recognizes that the main authentication authority corresponding to the main authentication server 110 is not the selected authentication authority (S263, No), a new password hashed in the account information for the global authentication account of the client 200 Value may not be applied.

Additionally, the main authentication server 110 may transmit a notification that the client 200 is not a preselected main authentication authority to the client 200 through, for example, SMS or mail.

8 is a flowchart illustrating an example of a method of signing up for a specific site using a global authentication account according to some embodiments of the present disclosure.

Referring to FIG. 8, the processor 230 of the client 200 may obtain the security level information of the client recorded in the blockchain network 300. Then, the processor 230 may recognize a security algorithm based on the security level information (S310).

In addition, the processor 230 of the client 200 may obtain an ID hash value and a password hash value by hashing the ID and password using a security algorithm (S320).

In addition, the processor 230 of the client 200 transmits login information including the distributed value of the ID hash value and the password hash value to each of the main authentication server 110 and the sub authentication server 120 to join a specific site. The communication unit 210 may be controlled to be performed (S330).

Specifically, the processor 230 of the client 200 transmits the first login information including the ID hash value, the first distribution value of the password hash value, and the domain of a specific site to be subscribed to the main authentication server 110. The communication unit 210 can be controlled. In addition, the processor 230 controls the communication unit 210 to transmit the second login information including the ID hash value, the second distributed value of the password hash value, and the domain of a specific site to be subscribed to the sub-authentication server 120 can do. Here, the first variance value and the second variance value are values obtained by dividing the password hash value, and a value obtained by connecting the first variance value and the second variance value may match the password hash value.

Meanwhile, the main authentication server 110 receiving the first login information may recognize whether the first login information is valid. In addition, the main authentication server 110 may generate a first authentication token when the first login information is valid. In addition, the main authentication server 110 may transmit the first authentication token to the client 200.

In the present disclosure, the authentication token is information proving that the login information is valid when the client 200 transmits the login information to the authentication server 100 (for example, an identifier or a character string, etc.), and receives the login information. One authentication server 100 can generate.

That is, the first authentication token may mean information proving that the first login information transmitted to the main authentication server 110 by the client 200 is valid.

In the present disclosure, the authentication server 100 recognizes the validity of the login information, when the client 200 creates a global authentication account, the distribution value of the password hash value transmitted to the authentication server 100 and the login information It may mean to check whether the distribution values of the password hash values included in are identical.

That is, when the main authentication server 110 recognizes that the first login information including the first distribution value of the ID hash value and the password hash value is valid, when the client 200 creates a global account, the main authentication When the first distribution value of the ID hash value and the password hash value transmitted to the server 110 matches the ID hash value and the password hash value included in the first login information, it may be recognized that the first login information is valid.

On the other hand, the sub-authentication server 120 receiving the second login information may recognize whether the second login information is valid. Further, the sub authentication server 120 may generate a second authentication token when the second login information is valid. In addition, the sub authentication server 120 may transmit the second authentication token to the client 200. Here, the second authentication token may mean information proving that the second login information transmitted to the sub authentication server 120 by the client 200 is valid.

Upon receiving the first authentication token and the second authentication token, the client 200 may transmit a subscription request signal including the first authentication token and the second authentication token to the specific site server 600 in order to join a specific site.

In this case, the specific site server 600 may transmit a verification request signal for the first authentication token and the second authentication token to the main authentication server 110 and the sub authentication server 120, respectively (S370).

Specifically, the specific site server 600 may transmit a verification request signal to the main authentication server 110 to request verification whether the first authentication token is issued by the main authentication server 110 or not. In addition, the specific site server 600 may transmit a verification request signal for requesting verification of whether the second authentication token is issued by the sub authentication server 120 to the sub authentication server 120.

In addition, the specific site server 600 may receive a verification completion signal for each of the first authentication token and the second authentication token from the main authentication server 110 and the sub authentication server 120, respectively.

In the present disclosure, when the authentication server 100 receives login information from the client 200, the authentication server 100 performs verification on a specific authentication token, when the login information is valid, the client 200 It may mean to check whether the authentication token transmitted to) and the specific authentication token match.

That is, when the main authentication server 110 receives the login information, the first authentication token and the specific site server 600 previously transmitted to the client 200 are included in the sign-up request signal received from the client 200. When the first authentication tokens match, it may be recognized that verification of the first authentication token is complete.

According to some embodiments of the present disclosure, the specific site server 600 may cache whether to verify each of the first authentication token and the second authentication token for a preset period (eg, 15 days or 30 days).

Accordingly, when the specific site server 600 receives a subscription request signal including the first authentication token and the second authentication token from another client within a preset period, the main authentication server 110 and the sub authentication server 120 Even if the verification request for the first authentication token and the second authentication token is not made, it may be recognized that the first authentication token and the second authentication token are verified authentication tokens.

Meanwhile, the main authentication server 110 may verify the first authentication token (S380).

A description of a method for the above-described main authentication server 110 to verify the first authentication token will be described later in detail with reference to FIG. 10.

In addition, the main authentication server 110 may transmit a verification completion signal to the specific site server 600 when the verification of the first authentication token is completed. In addition, the main authentication server 110 may record the subscription history for a specific site in the blockchain network 300 (S390).

Specifically, the main authentication server 110 may generate a transaction including a subscription history for a specific site (ie, information on a specific site and login information of the client 200). In addition, the main authentication server 110 may cause a plurality of nodes to record the transaction in a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network 300.

Each of the plurality of nodes included in the blockchain network 300 may check whether the main authentication server 110 sent the transaction by using the signature data included in the transaction. In addition, each of the plurality of nodes included in the blockchain network 300 may record a transaction in a block based on the consensus algorithm when the main authentication server 110 recognizes that it is correct to send the transaction.

The transaction may include a transaction input value including identification information generated from the private key. In addition, the transaction may include a transaction output value including address information in the blockchain network 300 in which a transaction including account information is to be stored.

Specifically, the transaction is a consensus algorithm when any one node among a plurality of nodes included in the blockchain network 300 extracts a nonce value that satisfies a preset condition, and when the nonce value is recognized as valid in each of the plurality of nodes. It can be recognized that it has been verified through. Here, the preset condition may be satisfied when the hash value of the block generated when the information stored in the header of the block and the nonce value are converted through a hash algorithm is less than the difficulty value of the block.

As described above, the blockchain network 300 blocks a transaction including the subscription history for a specific site (ie, information on a specific site and login information of the client 200) using the consensus algorithm of the blockchain technology. Because it is recorded on, it is possible to prevent forgery or alteration of the subscription history for a specific site.

9 is a diagram for describing an example of a login screen for a global authentication account displayed on a client according to some embodiments of the present disclosure.

First, as described above in the description of FIG. 8, the processor 230 of the client 200 may obtain the security level information of the client recorded in the blockchain network 300. Further, the processor 230 may recognize a security algorithm based on the security level information. Also, the processor 230 of the client 200 may obtain an ID hash value and a password hash value by hashing the ID and password using a security algorithm.

In addition, the processor 230 of the client 200 transmits login information including the distributed value of the ID hash value and the password hash value to each of the main authentication server 110 and the sub authentication server 120 to join a specific site. The communication unit 210 can be controlled so as to be performed.

Referring to FIG. 9, when the processor 230 of the client 200 transmits login information to join a specific site, at least two authentication servers to transmit the login information among a plurality of authentication servers through the login screen 30 Can be recognized.

Specifically, the processor 230 of the client 200 may control the display to output the login screen 30 as shown in FIG. 9 when a signal indicating that the client 200 subscribes to the characteristic site is received. Here, the login screen 30 is a screen in which user interaction is possible, and a user may input login information through a specific button or keyboard. That is, the processor 230 of the client 200 may obtain login information through the login screen 30.

According to some embodiments of the present disclosure, the login screen 30 may include an authentication authority selection area 31 and an ID and password input area 32. However, since the above-described components are not essential to implement the login screen 30, the login screen 30 may have more or fewer components than the components listed above.

The certification authority selection area 31 may include a list of certification authorities to which the client 200 has subscribed. In addition, the certification authority selection area 31 may include a check box corresponding to each of a plurality of certification authorities. Here, when the processor 230 of the client 200 receives a selection input for at least one of the plurality of certification authorities, it may control the display to display a check mark in a check box.

For example, the certification authority selection area 31 may include a list including Google, Facebook, and AhnLab, which are certification authorities selected by the global authentication account, and a check box corresponding to each of Google, Facebook, and AhnLab. In addition, the processor 230 of the client 200 may receive a selection input for Google and Facebook among Google, Facebook, and AhnLab. In this case, the processor 230 of the client 200 may control the display so that check boxes corresponding to Google and Facebook are displayed.

The ID and password input area 32 may include an area for inputting an ID for a global authentication account to which the client 200 has subscribed, and an area for inputting a password for the global authentication account.

For example,'blockchain@gmail.com', which is an ID (eg, email ID) for a global authentication account, and a password may be input in the ID and password input area 32. Here, the password may be displayed by being replaced with a specific character (eg, * or X).

In addition, the processor 230 of the client 200 may recognize an input for the confirmation button after all login information is input to the login screen 30. The processor 230 may transmit log-in information to the authentication server 100 in conjunction with recognizing the input to the confirmation button.

Specifically, the processor 230 may transmit login information to the authentication server 100 of a selected authentication authority among a plurality of authentication authorities in conjunction with recognizing an input to the confirmation button.

The above-described login screen 30 is only a few examples to aid understanding of the present disclosure, but the present disclosure is not limited thereto.

10 is a flowchart illustrating an example of a method of performing verification on an authentication token received from a client by an authentication server according to some embodiments of the present disclosure.

First, as described above in the description of FIG. 8, the client 200 may transmit a subscription request signal including a first authentication token to a specific site server 600 to subscribe to a specific site.

Meanwhile, the specific site server 600 may transmit a verification request signal for the first authentication token to the main authentication server 110. In addition, the main authentication server 110 may verify the first authentication token received from the specific site server 600.

Referring to FIG. 10, when the main authentication server 110 performs verification for the first authentication token, the main authentication server 110 may recognize whether the subscription history of the client 200 for a specific site is recorded in the blockchain network 300. Can be (S381).

Then, when the main authentication server 110 recognizes that the subscription history of the client 200 for a specific site is not recorded (S382, No), it may complete the verification of the first authentication token (S382).

That is, when the main authentication server 110 recognizes whether the client 200 is the first sign-up to a specific site and recognizes that it is the first sign-up, the first authentication token may be verified. In addition, the main authentication server 110 may transmit a verification completion signal to the specific site server 600 to allow the client 200 to subscribe to the specific site.

Meanwhile, when the main authentication server 110 recognizes that the subscription history of the client 200 for a specific site is recorded (S382, Yes), it may not perform verification on the first authentication token.

As an example, when the main authentication server 110 recognizes that the subscription history of the client 200 for a specific site is recorded (S382, Yes), it receives a subscription request signal from a hacker to join a specific site in an unfair manner. It can be recognized as one. In addition, the main authentication server 110 may not perform verification on the first authentication token. In this case, since the specific site server 600 does not receive a verification completion signal for the first authentication token, it may not allow subscription to a specific site.

Accordingly, the main authentication server 110 may prevent a hacker from attempting to subscribe to a specific site in an unfair manner.

Additionally, the specific site server 600 may transmit a notification that a subscription to a specific site has been attempted in an unfair manner to the client 200 through, for example, SMS or mail.

As another example, when the main authentication server 110 recognizes that the subscription history of the client 200 for a specific site is recorded (S382, Yes), it may recognize that it has received a duplicate subscription request signal. In addition, the main authentication server 110 may not perform verification on the first authentication token. In this case, since the specific site server 600 does not receive a verification completion signal for the first authentication token, it may not allow subscription to a specific site.

Accordingly, the main authentication server 110 may prevent the client 200 from registering redundantly for a specific site.

In addition, the specific site server 600 may transmit a notification that a duplicate subscription to a specific site has been attempted to the client 200 through, for example, SMS or mail.

11 is a flowchart illustrating an example of a method of leaving a specific site using a global authentication account according to some embodiments of the present disclosure.

Referring to FIG. 11, the processor 230 of the client 200 stores login information including a distributed value of an ID hash value and a password hash value in order to leave a specific site, the main authentication server 110 and the sub authentication server 120. ) It is possible to control the communication unit 210 to transmit to each (S410).

Specifically, the processor 230 of the client 200 may obtain the security level information of the client recorded in the blockchain network 300. Also, the processor 230 may recognize a security algorithm based on the security level information. Further, the processor 230 may obtain an ID hash value and a password hash value by hashing the ID and password using a security algorithm. In addition, the processor 230 may control the communication unit 210 to transmit login information including a distribution value of the ID hash value and the password hash value to the main authentication server 110 and the sub authentication server 120, respectively.

More specifically, the processor 230 of the client 200 controls the communication unit 210 to transmit the first login information including the first distribution value of the ID hash value and the password hash value to the main authentication server 110. I can. In addition, the processor 230 may control the communication unit 210 to transmit the second login information including the second distribution value of the ID hash value and the password hash value to the sub authentication server 120. Here, the first variance value and the second variance value are values obtained by dividing the password hash value, and a value obtained by connecting the first variance value and the second variance value may match the password hash value.

The processor 230 of the client 200 transmits the login information to the main authentication server 110 and the sub authentication server 120, respectively, in conjunction with the inquiry request for inquiring the list of sites to which the client 200 is subscribed. The communication unit 210 may be controlled to transmit a signal to at least one of the main authentication server 110 and the sub authentication server 120 (S420).

Meanwhile, the main authentication server 110 may obtain a list of sites to which the client 200 recorded in the blockchain network 300 is subscribed in response to the inquiry request signal (S430). Further, the main authentication server 110 may transmit a list of sites to which the client 200 is subscribed to the client 200 (S440).

On the other hand, the sub-authentication server 120 may obtain a list of sites to which the client 200 recorded in the blockchain network 300 is subscribed in response to the inquiry request signal. In addition, the sub authentication server 120 may transmit a list of sites to which the client 200 is subscribed to the client 200.

The processor 230 of the client 200 may transmit a withdrawal request signal for at least one site from the list of subscribed sites to at least one of the main authentication server 110 and the sub authentication server 120 (S450).

Meanwhile, the main authentication server 110 may perform withdrawal processing for a specific site in response to the withdrawal request signal received from the client 200.

A description of how the main authentication server 110 performs withdrawal processing for a specific site based on the withdrawal request signal received from the client 200 will be described later in detail with reference to FIG. 12.

In response to the withdrawal request signal, the main authentication server 110 may record the withdrawal history for at least one site included in the list of subscribed sites in the blockchain network 300 (S460).

Specifically, the main authentication server 110 performs a transaction including the withdrawal history for a specific site (ie, information on at least one site requesting withdrawal from the list of subscribed sites and login information of the client 200). Can be generated. In addition, the main authentication server 110 may cause a plurality of nodes to record the transaction in a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network 300.

On the other hand, the sub-authentication server 120 may record the withdrawal history of at least one site included in the list of subscribed sites in the blockchain network 300 in response to the withdrawal request signal.

Specifically, the sub-authentication server 120 performs a transaction including the withdrawal history for a specific site (that is, information on at least one site requesting withdrawal from the list of subscribed sites and the login information of the client 200). Can be generated. In addition, the sub-authentication server 120 may cause a plurality of nodes to record the transaction in a block by transmitting the transaction to at least one node included in the blockchain network 300.

Each of the plurality of nodes included in the blockchain network 300 may check whether the main authentication server 110 or the sub-authentication server 120 sent the transaction by using the signature data included in the transaction. And, each of the plurality of nodes included in the blockchain network 300 records the transaction in the block based on the consensus algorithm when it is recognized that the main authentication server 110 or the sub authentication server 120 sent the transaction. I can.

The transaction may include a transaction input value including identification information generated from the private key. In addition, the transaction may include a transaction output value including address information in the blockchain network 300 in which a transaction including a history of withdrawal from a specific site will be stored.

Specifically, the transaction is a consensus algorithm when any one node among a plurality of nodes included in the blockchain network 300 extracts a nonce value that satisfies a preset condition, and when the nonce value is recognized as valid in each of the plurality of nodes. It can be recognized that it has been verified through. Here, the preset condition may be satisfied when the hash value of the block generated when the information stored in the header of the block and the nonce value are converted through a hash algorithm is less than the difficulty value of the block.

As described above, the blockchain network 300 uses the consensus algorithm of the blockchain technology to withdrawal history for a specific site (i.e., information on at least one site requesting withdrawal from the list of subscribed sites and a client ( 200) login information) is recorded in a block, so it is possible to prevent forgery or alteration of the withdrawal history for a specific site.

12 is a flowchart illustrating an example of a method for an authentication server to transmit an withdrawal token corresponding to an withdrawal request signal received from a client to a client according to some embodiments of the present disclosure.

First, as described above in the description of FIG. 11, the client 200 may transmit login information to each of the main authentication server 110 and the sub authentication server 120 in order to leave a specific site.

Meanwhile, the main authentication server 110 may recognize whether the first login information received from the client 200 is valid. In addition, the main authentication server 110 may generate a first authentication token when the first login information is valid. In addition, the main authentication server 110 may transmit the first authentication token to the client 200.

In the present disclosure, the authentication server 100 recognizes the validity of the login information, when the client 200 creates a global authentication account, the distribution value of the password hash value transmitted to the authentication server 100 and the login information It may mean to check whether the distribution values of the password hash values included in are identical.

That is, when the main authentication server 110 recognizes that the first login information including the first distribution value of the ID hash value and the password hash value is valid, when the client 200 creates a global account, the main authentication When the first distribution value of the ID hash value and the password hash value transmitted to the server 110 matches the ID hash value and the password hash value included in the first login information, it may be recognized that the first login information is valid.

On the other hand, the sub-authentication server 120 may recognize whether the second login information received from the client 200 is valid. Further, the sub authentication server 120 may generate a second authentication token when the second login information is valid. In addition, the sub authentication server 120 may transmit the second authentication token to the client 200.

In this case, the processor 230 of the client 200 may transmit a withdrawal request signal for at least one site from the list of subscribed sites to at least one of the main authentication server 110 and the sub authentication server 120. Here, the withdrawal request signal may include a first authentication token and a second authentication token.

Referring to FIG. 12, the main authentication server 110 may receive a withdrawal request signal for at least one site included in a list of subscribed sites. Specifically, the main authentication server 110 may receive a withdrawal request signal including a first authentication token for the main authentication server 110 and a second authentication token for the sub authentication server 120 (S451).

In this case, the main authentication server 110 may verify the first authentication token (S452). Then, the main authentication server 110 may transmit the second authentication token to the sub authentication server 120 to verify the second authentication token (S453).

Further, the main authentication server 110 may receive a verification signal for the second authentication token from the sub authentication server 120 after transmitting the second authentication token to the sub authentication server 120 (S454).

In the present disclosure, when the authentication server 100 receives login information from the client 200, the authentication server 100 performs verification on a specific authentication token, when the login information is valid, the client 200 It may mean to check whether the authentication token transmitted to) and the specific authentication token match.

That is, when the main authentication server 110 receives the login information, the first authentication token and the specific site server 600 previously transmitted to the client 200 are included in the sign-up request signal received from the client 200. When the first authentication tokens match, it may be recognized that verification of the first authentication token is complete.

Then, the main authentication server 110 verifies the first authentication token, and when receiving a verification signal for the second authentication token from the sub authentication server 120 (S455, Yes), generates a withdrawal token to the client 200 ).

Here, the withdrawal token may mean withdrawal rights provided to the client 200 after it is proved that the information transmitted by the client 200 to the main authentication server 110 for withdrawal is valid. Additionally, the withdrawal token may indicate whether to withdraw from a specific site.

That is, when the processor 230 of the client 200 receives the withdrawal token through the communication unit 210, the withdrawal token may be stored in the memory 220. Accordingly, the processor 230 of the client 200 may recognize the withdrawn specific site through the withdrawal token for the specific site stored in the memory 220.

On the other hand, when the main authentication server 110 fails to verify the first authentication token or does not receive a verification signal for the second authentication token from the sub authentication server 120 (S455, No), the withdrawal token is sent to the client ( 200) may not be transmitted. In this case, the client 200 may not be able to proceed with the withdrawal procedure for the specific site.

Additionally, the main authentication server 110 verifies the first authentication token and the second authentication token included in the withdrawal request signal for at least one site included in the list of subscribed sites, and then withdraws from the at least one site. The history can be recorded in the blockchain network 300.

According to some other embodiments of the present disclosure, the sub-authentication server 120 may receive a withdrawal request signal for at least one site included in a list of subscribed sites. Specifically, the sub authentication server 120 may receive a withdrawal request signal including a second authentication token for the sub authentication server 120 and a first authentication token for the main authentication server 110.

In this case, the sub authentication server 120 may verify the second authentication token. In addition, the sub-authentication server 120 may transmit the first authentication token to the main authentication server 110 to verify the first authentication token.

In addition, the sub authentication server 120 may receive a verification signal for the first authentication token from the main authentication server 110 after transmitting the first authentication token to the main authentication server 110.

Then, the sub-authentication server 120 verifies the second authentication token and, when receiving a verification signal for the first authentication token from the main authentication server 110, may generate a withdrawal token and transmit it to the client 200. .

Additionally, the sub-authentication server 120 verifies the first authentication token and the second authentication token included in the withdrawal request signal for at least one site included in the list of subscribed sites, and then withdraws from the at least one site. The history can be recorded in the blockchain network 300.

13 is a flowchart illustrating an example of a method of transferring a certification authority providing a global authentication service according to some embodiments of the present disclosure.

Referring to FIG. 13, the processor 230 of the client 200 transmits login information including a distributed value of the ID hash value and the password hash value to transfer the authentication authority to the main authentication server 110 and the sub authentication server 120. ) It is possible to control the communication unit 210 to transmit to each (S510).

Specifically, the processor 230 of the client 200 may obtain the security level information of the client recorded in the blockchain network 300. Also, the processor 230 may recognize a security algorithm based on the security level information. Further, the processor 230 may obtain an ID hash value and a password hash value by hashing the ID and password using a security algorithm. In addition, the processor 230 may control the communication unit 210 to transmit login information including a distribution value of the ID hash value and the password hash value to the main authentication server 110 and the sub authentication server 120, respectively.

More specifically, the processor 230 of the client 200 controls the communication unit 210 to transmit the first login information including the first distribution value of the ID hash value and the password hash value to the main authentication server 110. I can. In addition, the processor 230 may control the communication unit 210 to transmit the second login information including the second distribution value of the ID hash value and the password hash value to the sub authentication server 120. Here, the first variance value and the second variance value are values obtained by dividing the password hash value, and a value obtained by connecting the first variance value and the second variance value may match the password hash value.

Meanwhile, the main authentication server 110 may recognize whether the first login information received from the client 200 is valid. In addition, the main authentication server 110 may generate a first authentication token when the first login information is valid. Then, the main authentication server 110 may transmit the first authentication token to the client 200 (S520).

In the present disclosure, the authentication server 100 recognizes the validity of the login information, when the client 200 creates a global authentication account, the distribution value of the password hash value transmitted to the authentication server 100 and the login information It may mean to check whether the distribution values of the password hash values included in are identical.

That is, when the main authentication server 110 recognizes that the first login information including the first distribution value of the ID hash value and the password hash value is valid, when the client 200 creates a global account, the main authentication When the first distribution value of the ID hash value and the password hash value transmitted to the server 110 matches the ID hash value and the password hash value included in the first login information, it may be recognized that the first login information is valid.

On the other hand, the sub-authentication server 120 may recognize whether the second login information received from the client 200 is valid. Further, the sub authentication server 120 may generate a second authentication token when the second login information is valid. In addition, the sub-authentication server 120 may transmit the second authentication token to the client 200 (S530).

In this case, the processor 230 of the client 200 may transmit a first signal requesting a transfer token to the main authentication server 110 (S540). Here, the first signal may include a first authentication token and a second authentication token.

Meanwhile, the main authentication server 110 may verify the first authentication token included in the first signal (S550). In addition, the main authentication server 110 may transmit a verification request signal including the second authentication token to the sub authentication server 120 to verify the second authentication token (S560).

Meanwhile, the sub authentication server 120 may verify the second authentication token included in the verification request signal. In addition, the sub-authentication server 120 may transmit a verification completion signal for the second authentication token to the main authentication server 110 (S570).

In the present disclosure, when the authentication server 100 receives login information from the client 200, the authentication server 100 performs verification on a specific authentication token, when the login information is valid, the client 200 It may mean to check whether the authentication token transmitted to) and the specific authentication token match.

That is, when the main authentication server 110 receives the login information, the first authentication token and the specific site server 600 previously transmitted to the client 200 are included in the sign-up request signal received from the client 200. When the first authentication tokens match, it may be recognized that verification of the first authentication token is complete.

The main authentication server 110 verifies the first authentication token, and when receiving a verification signal for the second authentication token from the sub authentication server 120, may generate a transfer token and transmit it to the client 200 (S580). ). Here, the transfer token may include information on the certification authority used by the client 200 before transferring the certification authority. That is, the transfer token may include information on the main authentication authority.

Meanwhile, the client 200 receiving the transfer token may transmit a second signal for requesting transfer to the certification authority to the specific authentication server 130 corresponding to the specific certification authority to be transferred (S590).

14 is a flowchart illustrating an additional example of a method of transferring a certification authority providing a global authentication service according to some embodiments of the present disclosure.

First, as described above in the description of FIG. 13, when the client 200 receives a transfer token from the main authentication server 110, the client 200 may transmit a signal requesting the transfer to the authentication authority to the specific authentication server 130. .

Referring to FIG. 14, the client 200 may transmit a first signal requesting a transfer to an authentication authority (S610). Here, the first signal may include a transfer token. In addition, the transfer token may include information on the certification authority used by the client 200 before transferring the certification authority. That is, the transfer token may include information on the main authentication authority.

Meanwhile, the specific authentication server 130 may recognize the main authentication authority, which is an authentication authority related to the transfer, through the transfer token included in the first signal (S620). In addition, the specific authentication server 130 may transmit a second signal requesting transfer to the authentication authority to the main authentication server 110 corresponding to the main authentication authority (S630).

Specifically, the specific authentication server 130 may obtain account information on the global authentication account of the client 200 recorded in the blockchain network 300. Here, the account information may include information on the selected authentication authority.

More specifically, the specific authentication server 130 may obtain information on the selected authentication authority by searching for account information recorded in the blockchain network 300 using an ID hash value included in the first signal.

Further, the specific authentication server 130 may recognize information on the selected authentication authority based on the account information. Also, the specific authentication server 130 may recognize whether the main authentication authority is the selected authentication authority, based on information on the selected authentication authority. In addition, when the specific authentication server 130 recognizes that the main authentication authority is the selected authentication authority, the specific authentication server 130 may transmit a second signal requesting transfer to the authentication authority to the main authentication server 110 corresponding to the main authentication authority.

Specifically, the specific authentication server 130 may extract a first authentication token, a second authentication token, and a transfer token included in the first signal. In addition, when the specific authentication server 130 transmits the second signal to the main authentication server 110, the first authentication token, the second authentication token, and the transfer token included in the first signal and information on a specific authentication authority are provided. Can be transmitted with 2 signals.

On the other hand, the main authentication server 110 changes the authentication authority of the client 200 from the main authentication authority corresponding to the main authentication server 110 to a specific authentication authority based on the second signal requesting transfer to the authentication authority. I can. Here, the second signal may include a first authentication token, a second authentication token, a transfer token, and information on a specific authentication authority.

Specifically, the main authentication server 110 may verify the first authentication token and transmit the second authentication token to the sub authentication server 120 to request verification.

And, when the verification of the first authentication token is completed and the main authentication server 110 receives a verification completion signal for the second authentication token from the sub authentication server 120, based on the information on a specific authentication authority, The transfer of the certification body can be carried out.

As described above, the main authentication server 110 may perform the transfer of the certification authority based on the second signal for requesting transfer to the certification authority. In addition, the main authentication server 110 may transmit a transfer completion signal indicating that the transfer of the certification authority has been completed to the specific authentication server 130.

Additionally, the main authentication server 110 may record transfer information indicating that the main authentication authority has been changed to a specific authentication authority in the blockchain network 300 after performing the transfer of the authentication authority.

Specifically, the main authentication server 110 may generate a transaction including transfer information indicating that the main authentication authority has been changed to a specific authentication authority. In addition, the main authentication server 110 may cause a plurality of nodes to record the transaction in a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network 300.

Each of the plurality of nodes included in the blockchain network 300 may check whether the main authentication server 110 sent the transaction by using the signature data included in the transaction. In addition, each of the plurality of nodes included in the blockchain network 300 may record a transaction in a block based on the consensus algorithm when the main authentication server 110 recognizes that it is correct to send the transaction.

The transaction may include a transaction input value including identification information generated from the private key. In addition, the transaction may include a transaction output value including address information in the blockchain network 300 in which a transaction including transfer information is to be stored.

Specifically, the transaction is a consensus algorithm when any one node among a plurality of nodes included in the blockchain network 300 extracts a nonce value that satisfies a preset condition, and when the nonce value is recognized as valid in each of the plurality of nodes. It can be recognized that it has been verified through. Here, the preset condition may be satisfied when the hash value of the block generated when the information stored in the header of the block and the nonce value are converted through a hash algorithm is less than the difficulty value of the block.

As described above, since the blockchain network 300 records a transaction including transfer information that the main certification authority has been changed to a specific certification authority using the consensus algorithm of the block chain technology, the main certification authority It can prevent forgery or falsification of transfer information that has been changed.

According to some embodiments of the present disclosure, after recording the transfer information in the blockchain network 300, the main authentication server 110 may recognize whether the transfer to the certification authority has been completed. Specifically, the main authentication server 110 may transmit a third signal confirming whether the transfer is complete to the specific authentication server 130. In addition, when the main authentication server 110 receives the transfer completion signal corresponding to the third signal from the specific authentication server 130, it may recognize that the transfer to the certification authority has been completed.

When the main authentication server 110 recognizes that the transfer to the authentication authority has been completed, information related to the client 200 may be deleted from the memory of the main authentication server 110. That is, the main authentication server 110 confirms that the transfer has been completed from the specific authentication server 130, and then deletes information related to the client 200 from the memory, thereby protecting the personal information of the client 200, and the capacity of the memory. Can be secured.

Referring back to FIG. 14, after receiving the transfer completion signal from the main authentication server 110, the specific authentication server 130 may recognize whether a sub authentication authority different from the main authentication authority is the selected authentication authority (S650). ).

Specifically, the specific authentication server 130 may obtain account information on the global authentication account of the client 200 recorded in the blockchain network 300. Here, the account information may include information on the selected authentication authority.

More specifically, the specific authentication server 130 may obtain information on the selected authentication authority by searching for account information recorded in the blockchain network 300 using an ID hash value included in the first signal.

Further, the specific authentication server 130 may recognize information on the selected authentication authority based on the account information. In addition, the specific authentication server 130 may recognize whether the sub certification body is the selected certification body based on the information on the selected certification body.

In addition, when the specific authentication server 130 recognizes that the sub authentication authority is the selected authentication authority, the specific authentication server 130 may transmit an update request signal for the password hash value of the client 200 to the sub authentication server 120 corresponding to the sub authentication authority. Yes (S660).

A description of a method of transmitting the update request signal for the hash value of the password of the client by the specific authentication server 130 to the sub authentication server 120 will be described in detail later with reference to FIG.

15 is a flowchart illustrating an example of a method of changing a security level of a client by a specific authentication server to be transferred according to some embodiments of the present disclosure.

Referring to FIG. 15, the specific authentication server 130 may recognize whether or not the security level has been changed based on the security level reset information of the global authentication account included in the first signal received from the client 200 ( S661).

Here, the security level may mean the security level of a security algorithm used when hashing the ID and password of the global authentication account. Specifically, the security level may mean at least one security level among SHA (Secure Hash Algorithm) functions. For example, the security level may mean the security level of at least one SHA function among SHA-128, SHA-256, and SHA-512.

When the specific authentication server 130 recognizes that the security level of the global authentication account has not been changed (S662, No), the password hash value is the same as before, so the client to the sub authentication server 120 corresponding to the sub authentication authority. The update request signal for the password hash value of 200 may not be transmitted.

Meanwhile, when it is recognized that the security level has been changed (S662, Yes), the specific authentication server 130 may recognize the security algorithm based on the security level resetting information (S663). In addition, the specific authentication server 130 may obtain a new password hash value by hashing the password for the global authentication account of the client 200 using a security algorithm (S664).

In this case, the specific authentication server 130 may transmit an update request signal to the sub-authentication server 120 to update to a new password hash value (S665).

Additionally, the specific authentication server 130 may record information on the security level of the changed global authentication account in the blockchain network (S666).

Specifically, the specific authentication server 130 may generate a transaction including information on the security level that the security level of the client 200 has been changed. In addition, the specific authentication server 130 may cause a plurality of nodes to record the transaction in a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network 300.

Each of a plurality of nodes included in the blockchain network 300 may check whether a specific authentication server 130 sent a transaction by using signature data included in the transaction. In addition, each of the plurality of nodes included in the blockchain network 300 may record a transaction in a block based on a consensus algorithm when it is recognized that the specific authentication server 130 has sent the transaction.

The transaction may include a transaction input value including identification information generated from the private key. In addition, the transaction may include a transaction output value including address information in the blockchain network 300 in which a transaction including information on the security level is to be stored.

Specifically, the transaction is a consensus algorithm when any one node among a plurality of nodes included in the blockchain network 300 extracts a nonce value that satisfies a preset condition, and when the nonce value is recognized as valid in each of the plurality of nodes. It can be recognized that it has been verified through. Here, the preset condition may be satisfied when the hash value of the block generated when the information stored in the header of the block and the nonce value are converted through a hash algorithm is less than the difficulty value of the block.

As described above, since the block chain network 300 records a transaction including information on the security level that the security level of the client 200 has changed using the consensus algorithm of the block chain technology, Forgery or falsification of information can be prevented.

16 is a diagram for explaining an example of a certification authority transfer screen displayed on a client according to some embodiments of the present disclosure.

First, as described above in the description of FIG. 13, the processor 230 of the client 200 transmits the login information to the main authentication server 110 and the sub authentication server 120, respectively, in order to transfer the authentication authority. 210) can be controlled.

In addition, the processor 230 of the client 200 may transmit a first signal requesting a transfer token to the main authentication server 110.

Referring to FIG. 16, the processor 230 of the client 200 displays the first transfer request screen 40 as shown in FIG. 16 before transmitting the first signal to the main authentication server 110. Can be controlled. Here, the first transfer request screen 40 is a screen in which user interaction is possible, and a user can input a certification authority before transfer (before change) and a certification authority to be transferred (after change) through a specific button or keyboard. .

In addition, the processor 230 of the client 200 may transmit a first signal including information input through the first transfer request screen 40 to the main authentication server 110.

According to some embodiments of the present disclosure, the first transfer request screen 40 may include a transfer-related certification authority input area 41.

As described above, the transfer related certification authority input area 41 may include an input area for inputting a certification authority before change and a certification authority after change. However, the present invention is not limited thereto, and the transfer-related certification authority input area 41 may include a selectable list of certification authorities to which the client 200 has subscribed.

As shown in FIG. 16, the authentication authority input area 41 related to transfer may include'Apache', which is the name of the certification authority before the change. In addition,'Google', which is the name of the certification body after the change, may be included in the transfer related certification body input area 41. Here, the name of the certification body before the change and the name of the certification body after the change may be input or selected by the user.

In addition, the processor 230 of the client 200 sends a first signal for requesting a transfer token to the main authentication server 110 when the name of the certification authority before the change and the name of the certification authority after the change are input or selected by the user. Can be transmitted.

After transmitting the first signal, the processor 230 of the client 200 may receive the transfer token from the main authentication server 110 through the communication unit 210.

Referring back to FIG. 13, as described above, the client 200, which has received the transfer token from the main authentication server 110, receives a second signal requesting transfer to the certification authority. It can be transmitted to the authentication server 130.

Referring to FIG. 16, the processor 230 of the client 200 displays the second transfer request screen 50 as shown in FIG. 16 before transmitting the second signal to the specific authentication server 130. Can be controlled. Here, the second transfer request screen 50 is a screen in which user interaction is possible, and a user may input a change target authentication authority, security level information, and a new password through a specific button or keyboard.

According to some embodiments of the present disclosure, the second transfer request screen 50 may include a certification authority list 51, a security level reset area 52, and a new password input area 53. However, the above-described components are not essential in implementing the second transfer request screen 50, so the second transfer request screen 50 may have more or fewer components than the components listed above. have.

The certification authority list 51 may include an indicator indicating the name of the certification authority and the certification authority to be changed.

As shown in FIG. 16, the certification authority list 51 may include'Google', which is the name of the certification authority to be transferred. In addition, an indicator may be displayed at a location corresponding to “Google,” which is a certification authority to be transferred.

The security level reset area 52 may include a button for selecting the number of required authentications and a button for selecting a security level.

Specifically, when using the global authentication service, the security level reset area 52 selects the number of mandatory authentications for selecting the number of authentication authorities to perform authentication from among a plurality of authentication authorities included in the authentication authority list 51 It may include a button.

That is, the security level resetting area 52 may include a selection button for selecting a number within the number of certification authorities included in the certification authority list 51 described above. For example, the security level resetting area 52 may include a button for selecting a required number of authentications for selecting one of 1 to 3 when three authentication authorities exist in the authentication authority list 51.

Here, the number of required authentications may mean the number of authentication authorities that must be logged in among a plurality of authentication authorities when the client 200 uses a global authentication account to subscribe or withdraw from a specific site. .

For example, when the number of required authentications is two, the client 200 may register or leave a specific site using at least two authentication tokens. Here, the at least two authentication tokens transmit login information to servers of at least two of the authentication authorities selected by the client 200 (i.e., authentication server), and if the login information is valid, the at least two authentications It can be received from each of the organizations.

In addition, the security level resetting area 52 may include a security level selection button for selecting a security level of a security algorithm used when hashing an ID and password of a global authentication account. Specifically, the security level resetting area 52 may include a security level selection button for selecting at least one of SHA (Secure Hash Algorithm) functions.

For example, as shown in FIG. 16, the security level reset area 52 may include a security level selection button for selecting at least one SHA function from SHA-128, SHA-256, and SHA-512.

In addition, the second transfer request screen 50 may include a new password input area 53. Specifically, the new password input area 53 may include a first password input area and a second password input area.

Meanwhile, the processor 230 of the client 200 may recognize each of the password input to the first password input area and the password input to the second password input area. Further, the processor 230 may complete the input of the account creation information only when the password input to the first password input area and the password input to the second password input area match. That is, when the password input in the first password input area and the password input in the second password input area match, the processor 230 activates the confirmation button on the second transfer request screen 50 and inputs the first password. When the password input to the area and the password input to the second password input area are different, the display may be controlled to output by deactivating the confirmation button of the second transfer request screen 50.

And, the processor 230 of the client 200, when both the security level reset information and the new password are normally input to the above-described second transfer request screen 50, the confirmation button of the second transfer request screen 50 You can control the display to activate and output.

In addition, the processor 230 of the client 200 may recognize an input to the confirmation button after controlling the display to activate and output the confirmation button.

The processor 230 may transmit the second signal to the specific authentication server 130 in conjunction with recognizing the input to the confirmation button. Here, the specific authentication server 130 is an authentication server corresponding to an authentication authority indicated by an indicator as a certificate authority to be transferred (i.e., a change target authentication authority) among the certification authorities included in the certification authority list 51 described above. Google server).

The first transfer request screen 40 and the second transfer request screen 50 described above are only some examples to aid understanding of the present disclosure, and the present disclosure is not limited thereto.

17 shows a simplified and general schematic diagram of an exemplary computing environment in which embodiments of the present disclosure may be implemented.

While the present disclosure has generally been described above with respect to computer-executable instructions that can be executed on one or more computers, those skilled in the art will appreciate that the present disclosure may be implemented in combination with other program modules and/or as a combination of hardware and software. will be.

In general, modules herein include routines, procedures, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. In addition, to those skilled in the art, the method of the present disclosure is not limited to single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, handheld computing devices, microprocessor-based or programmable consumer electronics, and the like (each of which It will be appreciated that other computer system configurations may be implemented, including one or more associated devices).

The described embodiments of the present disclosure may also be practiced in a distributed computing environment where certain tasks are performed by remote processing devices that are connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

Computers typically include a variety of computer-readable media. Computer-readable media can be any computer-readable media, including volatile and non-volatile media, transitory and non-transitory media, removable and non-transitory media. Includes removable media. By way of example, and not limitation, computer-readable media may include computer-readable storage media and computer-readable transmission media.

Computer-readable storage media include volatile and nonvolatile media, transitory and non-transitory media, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Includes the medium. Computer-readable storage media include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage, magnetic cassette, magnetic tape, magnetic disk storage, or other magnetic storage. Devices, or any other medium that can be accessed by a computer and used to store desired information.

Computer-readable transmission media typically implement computer-readable instructions, data structures, program modules or other data on a modulated data signal such as a carrier wave or other transport mechanism. Includes all information delivery media. The term modulated data signal refers to a signal in which one or more of the characteristics of the signal is set or changed to encode information in the signal. By way of example, and not limitation, computer-readable transmission media include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above-described media are also intended to be included within the scope of computer-readable transmission media.

An exemplary environment 1100 is shown that implements various aspects of the present disclosure, including a computer 1102, which includes a processing device 1104, a system memory 1106, and a system bus 1108. do. System bus 1108 couples system components, including but not limited to, system memory 1106 to processing device 1104. The processing unit 1104 may be any of a variety of commercially available processors. Dual processors and other multiprocessor architectures may also be used as processing unit 1104.

The system bus 1108 may be any of several types of bus structures that may be additionally interconnected to a memory bus, a peripheral bus, and a local bus using any of a variety of commercial bus architectures. System memory 1106 includes read-only memory (ROM) 1110 and random access memory (RAM) 1112. The basic input/output system (BIOS) is stored in non-volatile memory 1110 such as ROM, EPROM, EEPROM, etc. This BIOS is a basic input/output system that helps transfer information between components in the computer 1102, such as during startup. Includes routines. RAM 1112 may also include high-speed RAM, such as static RAM, for caching data.

Computer 1102 also includes internal hard disk drive (HDD) 1114 (e.g., EIDE, SATA)-This internal hard disk drive 1114 can also be configured for external use within a suitable chassis (not shown). Yes--, magnetic floppy disk drive (FDD) 1116 (for example, to read from or write to removable diskette 1118), and optical disk drive 1120 (e.g., CD-ROM For reading the disk 1122 or reading from or writing to other high-capacity optical media such as DVD). The hard disk drive 1114, magnetic disk drive 1116, and optical disk drive 1120 are each connected to the system bus 1108 by a hard disk drive interface 1124, a magnetic disk drive interface 1126, and an optical drive interface 1128. ) Can be connected. The interface 1124 for implementing an external drive includes, for example, at least one or both of USB (Universal Serial Bus) and IEEE 1394 interface technologies.

These drives and their associated computer readable media provide non-volatile storage of data, data structures, computer executable instructions, and the like. In the case of computer 1102, drives and media correspond to storing any data in a suitable digital format. Although the description of the computer-readable storage medium above refers to a removable optical medium such as a HDD, a removable magnetic disk, and a CD or DVD, those skilled in the art can use a zip drive, a magnetic cassette, a flash memory card, a cartridge It will be appreciated that other types of computer-readable storage media, such as etc., may also be used in the exemplary operating environment and that any such media may contain computer-executable instructions for performing the methods of the present disclosure. .

A number of program modules, including the operating system 1130, one or more application programs 1132, other program modules 1134, and program data 1136, may be stored in the drive and RAM 1112. All or part of the operating system, applications, modules, and/or data may also be cached in RAM 1112. It will be appreciated that the present disclosure may be implemented on a number of commercially available operating systems or combinations of operating systems.

A user may input commands and information to the computer 1102 through one or more wired/wireless input devices, for example, pointing devices such as a keyboard 1138 and a mouse 1140. Other input devices (not shown) may include a microphone, IR remote control, joystick, game pad, stylus pen, touch screen, and the like. These and other input devices are often connected to the processing unit 1104 through the input device interface 1142, which is connected to the system bus 1108, but the parallel port, IEEE 1394 serial port, game port, USB port, IR interface, It can be connected by other interfaces such as etc.

A monitor 1144 or other type of display device is also connected to the system bus 1108 through an interface such as a video adapter 1146. In addition to the monitor 1144, the computer generally includes other peripheral output devices (not shown) such as speakers, printers, etc.

Computer 1102 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1148 via wired and/or wireless communication. The remote computer(s) 1148 may be a workstation, server computer, router, personal computer, portable computer, microprocessor-based entertainment device, peer device, or other common network node, and is generally referred to as a computer 1102. Although including many or all of the described components, only memory storage device 1150 is shown for simplicity. The logical connections shown include wired/wireless connections to a local area network (LAN) 1152 and/or to a larger network, eg, a wide area network (WAN) 1154. Such LAN and WAN networking environments are common in offices and companies, and facilitate an enterprise-wide computer network such as an intranet, all of which can be connected to a worldwide computer network, for example the Internet.

When used in a LAN networking environment, the computer 1102 is connected to the local network 1152 via a wired and/or wireless communication network interface or adapter 1156. Adapter 1156 may facilitate wired or wireless communication to LAN 1152, which also includes a wireless access point installed therein to communicate with wireless adapter 1156. When used in a WAN networking environment, the computer 1102 may include a modem 1158, connected to a communication server on the WAN 1154, or through the Internet, etc. to establish communication through the WAN 1154 Have means. The modem 1158, which may be an internal or external and a wired or wireless device, is connected to the system bus 1108 through a serial port interface 1142. In a networked environment, program modules described for the computer 1102 or portions thereof may be stored in the remote memory/storage device 1150. It will be appreciated that the network connections shown are exemplary and other means of establishing communication links between computers may be used.

Computer 1102 is associated with any wireless device or entity deployed and operated in wireless communication, e.g., a printer, scanner, desktop and/or portable computer, portable data assistant (PDA), communication satellite, wireless detectable tag. It operates to communicate with any equipment or place and phone. This includes at least Wi-Fi and Bluetooth wireless technologies. Thus, the communication may be a predefined structure as in a conventional network or may simply be ad hoc communication between at least two devices.

Wi-Fi (Wireless Fidelity) allows you to connect to the Internet, etc. without wires. Wi-Fi is a wireless technology such as a cell phone that allows such devices, for example computers, to transmit and receive data indoors and outdoors, ie anywhere within the coverage area of a base station. Wi-Fi networks use a wireless technology called IEEE 802.11 (a,b,g, etc.) to provide a secure, reliable and high-speed wireless connection. Wi-Fi can be used to connect computers to each other, to the Internet, and to a wired network (using IEEE 802.3 or Ethernet). Wi-Fi networks can operate in unlicensed 2.4 and 5 GHz radio bands, for example at 11 Mbps (802.11a) or 54 Mbps (802.11b) data rates, or in products that include both bands (dual band). have.

A person of ordinary skill in the art of the present disclosure includes various exemplary logical blocks, modules, processors, means, circuits and algorithm steps described in connection with the embodiments disclosed herein, electronic hardware, (convenience). For the sake of clarity, it will be appreciated that it may be implemented by various forms of program or design code or a combination of both (referred to herein as "software"). To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and design constraints imposed on the overall system. A person of ordinary skill in the art of the present disclosure may implement the described functions in various ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.

The various embodiments presented herein may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques. The term “article of manufacture” includes a computer program or media accessible from any computer-readable device. For example, computer-readable storage media include magnetic storage devices (e.g., hard disks, floppy disks, magnetic strips, etc.), optical disks (e.g., CD, DVD, etc.), smart cards, and flash Memory devices (eg, EEPROMs, cards, sticks, key drives, etc.), but are not limited thereto. The term “machine-readable medium” includes, but is not limited to, wireless channels and various other media capable of storing, holding, and/or transmitting instruction(s) and/or data.

It is to be understood that the specific order or hierarchy of steps in the presented processes is an example of exemplary approaches. Based on the design priorities, it is to be understood that within the scope of the present disclosure a specific order or hierarchy of steps in processes may be rearranged. The appended method claims provide elements of the various steps in a sample order, but are not meant to be limited to the specific order or hierarchy presented.

The description of the presented embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be apparent to those of ordinary skill in the art, and general principles defined herein may be applied to other embodiments without departing from the scope of the present disclosure. Thus, the present disclosure is not limited to the embodiments presented herein, but is to be interpreted in the widest scope consistent with the principles and novel features presented herein.

Claims (14)

A computer program stored on a computer-readable storage medium, comprising:
The computer program includes instructions for causing the processor of the main authentication server to perform the following steps, the steps:
Receiving login information from a client;
Checking whether the login information is valid when the login information is received;
If the login information is valid, generating an authentication token and transmitting the authentication token to the client;
Receiving a verification request signal for the authentication token from a server of a specific site;
In response to the verification request signal, recognizing whether a subscription history for the specific site has been recorded in the blockchain network;
Completing verification of the authentication token when the subscription history for the specific site is not recorded in the blockchain network; And
When verification of the authentication token is completed, transmitting a verification completion signal to the specific site and recording a subscription history for the specific site in the blockchain network;
Containing,
A computer program stored on a computer readable storage medium.
delete The method of claim 1,
The step of recording the subscription history for the specific site in the blockchain network,
Generating a transaction including information on the specific site and the login information; And
Causing a plurality of nodes to write the transaction to a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
The above login information,
Including the ID hash value, the first distribution value of the password hash value, and the domain of the specific site,
A computer program stored on a computer-readable storage medium.
The method of claim 1,
Receiving login information from a client;
Receiving an inquiry request signal for inquiring a list of sites to which the client has subscribed, in conjunction with receiving the login information;
In response to the inquiry request signal, obtaining a list of sites to which the client is subscribed, recorded in the blockchain network; And
Transmitting a list of sites to which the client is subscribed to the client;
Further comprising,
A computer program stored on a computer readable storage medium.
The method of claim 5,
Receiving an withdrawal request signal for at least one site included in the list of the subscribed sites from the client; And
In response to the withdrawal request signal, recording an withdrawal history for the at least one site in the blockchain network;
Further comprising,
A computer program stored on a computer-readable storage medium.
The method of claim 6,
Receiving an withdrawal request signal for at least one site included in the list of the subscribed sites from the client,
Receiving a first authentication token for the main authentication server and a second authentication token for a sub authentication server;
Verifying the first authentication token;
Transmitting the second authentication token to the sub-authentication server to verify the second authentication token;
Receiving a verification signal for the second authentication token from the sub-authentication server; And
Verifying the first authentication token and, when receiving a verification signal for the second authentication token from the sub-authentication server, transmitting a withdrawal token to the client;
Containing,
A computer program stored on a computer-readable storage medium.
The method of claim 6,
In response to the withdrawal request signal, recording the withdrawal history for the at least one site in the blockchain network,
Generating a transaction including information on the at least one site requesting withdrawal from the list of subscribed sites and the login information; And
Causing a plurality of nodes to write the transaction to a block through a consensus algorithm by transmitting the transaction to at least one node included in the blockchain network;
Containing,
A computer program stored on a computer readable storage medium.
delete delete delete delete delete delete

Images