KR102222948B1 - Method and system for managing access security - Google Patents

Abstract

The present disclosure relates to an access security management method, which is implemented by an access security system which manages the access of a user using a user ID directly issued by the user from an ID issuing system. The access security management method includes the steps of: receiving an access request from a user terminal in which the user ID is stored; performing user ID validation comprising at least one of signature validation or expiration time validation of the user ID, in response to receiving the access request; and transmitting access permission to the user terminal which has transmitted the access request, and manipulating an access gate at a location associated with the user terminal when the validation of the user ID is verified.

Description

Access security management method and system {METHOD AND SYSTEM FOR MANAGING ACCESS SECURITY}

The present disclosure relates to a method and system for managing access security, and more particularly, to a method and system for performing access security management through validation of a user ID directly issued by a user.

Access security is used in various markets for the purpose of preventing terrorism, preventing the leakage of corporate information, managing immigration, and prohibiting unauthorized people from entering a specific area. In this regard, in the conventional access security, a method of managing a user's access by using a pass that does not include user information or a user ID issued from a central system has been mainly used.

However, since a pass that does not include user information or a user ID issued from a central system is easily exposed to the risk of hacking, an additional cost is required to enhance security and user discomfort increases. In particular, for the security of internal facilities, facilities of major government agencies, research institutes of private companies, etc., which require thorough management of user access, need a plan to thoroughly maintain/manage access security.

The present disclosure provides an access security management method, a computer program and an apparatus (system) stored in a recording medium for solving the above problems. In addition, a method of issuing a user ID for access security management, and a computer program and apparatus (system) stored in a recording medium are provided.

The present disclosure may be implemented in a variety of ways, including a method, an apparatus (system), or a computer program stored in a readable storage medium.

According to an embodiment of the present disclosure, an access security management method executed by an access security system that manages access of the user using a user ID directly issued by a user from an ID (identifier) issuing system, includes a user ID in which the user ID is stored. Receiving an access request from the user terminal, in response to receiving the access request, performing user ID validation including at least one of signature verification or expiration time verification of the user ID, and the validation of the user ID In this case, it includes the step of transmitting the access permission to the user terminal that transmitted the access request, and manipulating the access gate of the location associated with the user terminal.

According to another embodiment of the present disclosure, a computer program stored in a computer-readable recording medium is provided to execute the above-described access security management method on a computer.

According to another embodiment of the present disclosure, an access security management system in which a user directly manages access of a user by using a user ID issued from an ID issuing system is a communication configured to receive an access request from a user terminal in which the user ID is stored. And a module, a memory, and at least one processor connected to the memory and configured to execute at least one computer-readable program included in the memory. In response to receiving the access request, the at least one program performs user ID validation including at least one of signature verification or expiration time verification of the user ID, and if the validity of the user ID is verified, access permission is granted. It transmits the access request to the transmitted user terminal, and includes commands for manipulating the access gate at a location associated with the user terminal.

According to another embodiment of the present disclosure, a method of issuing a user ID for access security management executed by an ID issuing system includes receiving a request for issuing a user ID from a user terminal, in response to a request for issuing a user ID, And generating a user ID and transmitting the generated user ID to a user terminal that has transmitted a request for issuing the user ID.

According to another embodiment of the present disclosure, a computer program stored in a computer-readable recording medium is provided in order to execute the above-described method of issuing a user ID for access security management in a computer.

According to another embodiment of the present disclosure, an ID issuing system for access security management includes a communication module configured to receive a request for issuing a user ID from a user terminal, a memory, and a computer-readable at least included in the memory. And at least one processor configured to execute one program. The at least one program includes commands for generating a user ID in response to a request for issuing a user ID, and transmitting the generated user ID to a user terminal that has transmitted the issuance request for the user ID.

According to various embodiments of the present disclosure, without using a single key to encrypt and decrypt a user ID, security may be enhanced by using a key pair composed of a public key, a private key, or the like.

According to various embodiments of the present disclosure, since the user can directly receive the user ID, it is possible to reduce the risk that the user's personal information is exposed to a third party during the issuance of the user ID. In addition, the risk of personal information hacking can be effectively prevented by distributing and storing information on the user ID directly issued by the user in the blockchain network. In addition, by converting and storing the information on the user ID into a hash value, security for the user ID can be strengthened.

According to various embodiments of the present disclosure, even if the access security system does not have the public key of the ID issuing system for verifying the validity of the user ID, the access security system communicates with the blockchain network to simply disclose the ID issuing system. You can receive the key. In addition, since the public key of the ID issuing system is distributed and stored in the blockchain network, risks such as manipulation and hacking of the public key of the ID issuing system can be prevented due to characteristics such as reliability and integrity of the block chain.

According to various embodiments of the present disclosure, even if there is no verification logic for verifying the validity of the user ID in the access security system, the access security system communicates with the blockchain network to simply receive a validity check from the ID issuing system. I can.

Embodiments of the present disclosure will be described with reference to the accompanying drawings described below, in which like reference numerals denote like elements, but are not limited thereto.
1 is a diagram illustrating an example of transmitting an access request to a security facility using a user terminal according to an embodiment of the present disclosure.
2 is a schematic diagram illustrating a system connected to enable communication between a plurality of user terminals and an access security system in order to provide an access security management service according to an embodiment of the present disclosure.
3 is a block diagram illustrating an internal configuration of a user terminal and an access security management system according to an embodiment of the present disclosure.
4 is a diagram illustrating an example of a method of verifying the validity of a user ID by receiving a public key from a blockchain network according to an embodiment of the present disclosure.
5 is a diagram illustrating an example of a method of verifying the validity of a user ID by receiving a validity check from a blockchain network according to an embodiment of the present disclosure.
6 is a flowchart illustrating an access security management method according to an embodiment of the present disclosure.
7 is a flowchart illustrating a method of issuing a user ID for access security management according to an embodiment of the present disclosure.

Hereinafter, with reference to the accompanying drawings, specific details for the implementation of the present disclosure will be described in detail. However, in the following description, when there is a possibility that the subject matter of the present disclosure may be unnecessarily obscure, detailed descriptions of widely known functions or configurations will be omitted.

In the accompanying drawings, the same or corresponding elements are denoted with the same reference numerals. In addition, in the description of the following embodiments, overlapping descriptions of the same or corresponding components may be omitted. However, even if description of a component is omitted, it is not intended that such component is not included in any embodiment.

Advantages and features of the disclosed embodiments, and a method of achieving them will become apparent with reference to the embodiments described below together with the accompanying drawings. However, the present disclosure is not limited to the embodiments disclosed below, but may be implemented in a variety of different forms, and only the present embodiments make the present disclosure complete, and the present disclosure provides the scope of the invention to those of ordinary skill in the art. It is provided only to inform you completely.

The terms used in the present specification will be briefly described, and the disclosed embodiments will be described in detail. Terms used in the present specification have selected general terms that are currently widely used as possible while considering functions in the present disclosure, but this may vary according to the intention or precedent of a technician engaged in a related field, the emergence of new technologies, and the like. In addition, in certain cases, there are terms arbitrarily selected by the applicant, and in this case, the meaning of the terms will be described in detail in the description of the corresponding invention. Therefore, the terms used in the present disclosure should be defined based on the meaning of the term and the contents of the present disclosure, not the name of a simple term.

In the present specification, expressions in the singular include plural expressions unless the context clearly specifies that they are in the singular. In addition, plural expressions include expressions in the singular, unless the context clearly specifies that they are plural. When a part of the specification is said to include a certain component, it means that other components may be further included rather than excluding other components unless specifically stated to the contrary.

In addition, the terms "module" or "unit" used in the specification mean software or hardware components, and "module" or "unit" performs certain roles. However,'module' or'unit' is not meant to be limited to software or hardware. The'module' or'unit' may be configured to be in an addressable storage medium, or may be configured to reproduce one or more processors. Thus, as an example,'module' or'unit' refers to components such as software components, object-oriented software components, class components, and task components, processes, functions, and properties. , Procedures, subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays, or variables. Components and functions provided within the'module' or'unit' may be combined into a smaller number of components and'module' or'unit', or additional components and'module' or'unit'. Can be further separated.

According to an embodiment of the present disclosure, a'module' or'unit' may be implemented with a processor and a memory. 'Processor' should be interpreted broadly to include general purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, etc. In some circumstances, a'processor' may refer to an application specific semiconductor (ASIC), programmable logic device (PLD), field programmable gate array (FPGA), and the like. 'Processor' refers to a combination of processing devices such as, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in combination with a DSP core, or any other such combination of configurations. You may. In addition, the'memory' should be broadly interpreted to include any electronic component capable of storing electronic information. 'Memory' refers to random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erase-programmable read-only memory (EPROM), It may refer to various types of processor-readable media such as electrically erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, and the like. The memory is said to be in electronic communication with the processor if the processor can read information from and/or write information to the memory. The memory integrated in the processor is in electronic communication with the processor.

In the present disclosure, the'user ID' may be any kind of identifier capable of identifying each user who transmits an access request to a security facility. According to an embodiment, the user ID may be a decentralized identifier (DID) distributed and stored in each node of the blockchain network. The user ID may include the user's personal information, the expiration time of the user ID, the user's public key, and the like.

In the present disclosure, the'ID issuing system' may mean any kind of system capable of issuing a user's ID for access security. In one embodiment, the ID issuing system may include one or more computing systems or cloud computing systems capable of executing an ID issuing function. In addition, the ID issuing system may be a separate system connected to a blockchain network in which the issued user ID can be distributed and stored, but is not limited thereto. In another embodiment, the ID issuing system may define the authority of the ID, and may be a certification authority (CA) constituting a blockchain network.

1 is a diagram illustrating an example of transmitting an access request to a security facility using a user terminal 110 according to an embodiment of the present disclosure. The user may access or contact the user terminal 110 to the access gate 120 to transmit an access request. In this case, the user terminal 110 may transmit the user ID together when transmitting the access request. Specifically, the user signs the user ID on the user ID stored in the user terminal 110 using the user's private key, and requests access by accessing or contacting the user terminal 110 in which the signed user ID is stored. Can be transmitted. According to an embodiment, instead of directly contacting the user terminal 110 with the entrance gate 120, wireless communication (eg, cellular data communication, WiFi, NFC (Near Field Communication), Bluetooth, etc.) By using, an access request may be transmitted to the access gate 120. Additionally or alternatively, the user terminal 110 may transmit an access request to the access gate 120 by communicating with the access gate 120 through a wired network.

Upon receiving the access request, the access gate 120 may transmit an access permission to the user terminal 110 when the user ID received together with the access request is valid. Specifically, the access gate 120 determines whether the signature of the received user ID is valid (for example, whether it is signed with the user's private key associated with the user's public key included in the user ID), and expiration of the received user ID. Validation including whether or not time has elapsed can be performed. When the validity of the user ID is verified, the access gate 120 may transmit an access permission to the user terminal 110.

According to an embodiment, validity verification may be performed by a predetermined verification method. The predetermined verification method may be performed by verification logic capable of performing signature verification of the user ID, verification of the expiration time of the user ID, and the like. Accordingly, the verification logic for verifying the user ID may be stored and executed in the access gate 120.

According to an embodiment, the access gate 120 including the verification logic may perform validation using a public key associated with a user ID. Specifically, the access gate 120 may decrypt the user ID by using the public key associated with the private key encrypted with the user ID when generating the user ID. The public key associated with the private key encrypted with the user ID may be pre-stored in the access gate 120.

Meanwhile, the user's public key and the user's private key may form a key pair. Instead of using a single key to encrypt and decrypt the user ID, security can be enhanced by using a key pair consisting of a public key, a private key, and the like. In this case, even if the user's public key included in the user ID is disclosed, the private key of the user ID can be kept secret, and access through hacking of the user ID can be blocked.

According to another embodiment, when the public key associated with the private key encrypted with the user ID is not stored in the access gate 120, the access gate 120 may receive the public key from the blockchain network in which the public key is stored. have. Specifically, the access gate 120 transmits a public key request associated with the received user ID encrypted private key to the blockchain network, and in response thereto, provided by the blockchain network (related to the private key encrypted user ID). ) Can receive public key. After that, the access gate 120 may perform validity verification by decrypting the user ID using the received public key.

According to another embodiment, when the verification logic is not stored in the access gate 120, the access gate 120 may transmit a validation request for validating the user ID to the blockchain network. The blockchain network receiving the validation request can perform validation using verification logic that can perform signature verification of the user ID and expiration time verification of the user ID. After that, the access gate 120 may check the validation result by receiving a response to the validation request from the blockchain network.

Meanwhile, the user can directly receive a user ID for access from the ID issuing system. According to an embodiment, the user may transmit a request for issuing a user ID together with the user's public key to the ID issuing system. Upon receiving the user ID issuance request, the ID issuing system may generate a user ID including the user's public key. The generated user ID can be encrypted with the private key of the ID issuing system. Additionally, the ID issuing system may receive user information such as a name and a phone number from the user, and may generate a user ID including the received user information. Thereafter, the generated user ID may be transmitted to the user terminal 120 associated with the user who transmitted the request for issuing the user ID. In this case, the user may directly communicate with the ID issuing system based on a communication protocol interface such as HTTP/HTTPs and RPC/RPCs provided by the user terminal 120.

According to another embodiment, when the user's public key does not exist, the ID issuing system receiving the user ID issuance request may generate a key pair including the user's public key and the user's private key. The ID issuing system may generate a user ID including the generated user's public key. Additionally, the ID issuing system may receive user information such as a name and a phone number from the user, and may generate a user ID including the received user information. The generated user ID can be encrypted with the private key of the ID issuing system. Thereafter, the generated user ID, the generated user's private key, and the like may be transmitted to the user terminal 120 associated with the user who transmitted the user ID issuance request. In this case, the user may directly communicate with the ID issuing system based on a communication protocol interface such as HTTP/HTTPs and RPC/RPCs provided by the user terminal 120.

According to another embodiment, the ID issuing system may receive a request for issuing a user ID together with the user's public key from the ID management application 112 stored in the user terminal 120 that has received the user registration. Upon receiving the user ID issuance request, the ID issuing system may generate a user ID including the user's public key. The generated user ID can be encrypted with the private key of the ID issuing system. Additionally, the ID issuing system may receive user information such as a name and a phone number from the user, and may generate a user ID including the received user information. Thereafter, the generated user ID may be transmitted to the ID management application 112 of the user terminal 120 that has transmitted the request for issuing the user ID.

According to another embodiment, the ID issuing system may receive a request for issuing a user ID from the ID management application 112 stored in the user terminal 120 receiving the user registration. When the user's public key does not exist, the ID issuing system receiving the user ID issuance request may generate a key pair including the user's public key and the user's private key. The ID issuing system may generate a user ID including the generated user's public key. The generated user ID can be encrypted with the private key of the ID issuing system. Additionally, the ID issuing system may receive user information such as a name and a phone number from the user, and may generate a user ID including the received user information. Thereafter, the generated user ID, the generated user's private key, etc. may be transmitted to the ID management application 112 of the user terminal 120 that has transmitted the user ID issuance request.

In FIG. 1, it is illustrated that one access gate 120 receives an access request and performs validity verification of a user ID, but is not limited thereto. According to an embodiment, there may be two or more entrance gates, and each entrance gate may include a separate system for validating a user ID. According to another embodiment, two or more access gates may exist, and all access gates may be associated with one system (eg, access security management system) for validating user ID. In addition, the access gate 120 may be configured to be connected to a blockchain network associated with the ID issuing system. In this case, the blockchain network can store information about the ID issuing system (for example, user ID generation information, public key of the ID issuing system, etc.) in the form of a block chain.

In addition, in FIG. 1, it is illustrated that one ID issuing system receives a request for issuing a user ID, generates a user ID, and transmits the generated user ID to the user terminal 120, but is not limited thereto. There may be two or more ID issuing systems that generate user IDs. In addition, each ID issuing system can be connected to the blockchain network, and information on the user ID generated by the ID issuing system can be distributed and stored in the blockchain network. In this case, information on the user ID may be converted into a hash value by a hash function (eg, SHA-1, SHA-2, etc.) and stored in the blockchain network. Additionally, information about the public key of the ID issuing system, information about the private key of the ID issuing system, etc. can be distributed and stored in the blockchain network. In this case, the public key of the ID issuing system, the private key of the ID issuing system, etc. can be converted into a hash value by a hash function (eg, SHA-1, SHA-2, etc.) and stored in the blockchain network.

Since the user can directly receive the user ID, it is possible to reduce the risk of the user's personal information being exposed in the process of issuing the user ID. In addition, the risk of personal information hacking can be effectively prevented by distributing and storing information on the user ID directly issued by the user in the blockchain network. In addition, by converting and storing information on the user ID into a hash value, security for the user ID can be strengthened.

2 is a schematic diagram illustrating a system 200 connected to enable communication between a plurality of user terminals 210_1, 210_2, 210_3 and an access security system 230 in order to provide an access security management service according to an embodiment of the present disclosure. to be. As shown, the system 200 includes an access security system 230 that provides an access security management service based on a user ID directly issued by a user, a plurality of access security systems 230 connected to the access security system 230 through a network 220 User terminals 210_1, 210_2, 210_3 and an ID issuing system 240 may be included. According to an embodiment, the access security system 230 may store, provide, and execute a computer executable program (eg, a downloadable application) and data for providing an access security management service, and/ Alternatively, it may include a database, or one or more distributed computing devices and/or distributed databases based on cloud computing services. The access security management service provided by the access security system 230 may be provided to a user through an ID management application installed in each of the plurality of user terminals 210_1, 210_2, and 210_3.

The plurality of user terminals 210_1, 210_2, 210_3 may communicate with the access security system 230 through the network 220. The network 220 may be configured to enable communication between the plurality of user terminals 210 and the access security system 230. Depending on the installation environment, the network 220 is, for example, a wired network 220 such as Ethernet, a wired home network (Power Line Communication), a telephone line communication device, and RS-serial communication, a mobile communication network, or a wireless network (WLAN). LAN), Wi-Fi, Bluetooth, and a wireless network 220 such as ZigBee, or a combination thereof. The communication method is not limited, and user terminals 210_1, 210_2, as well as a communication method utilizing a communication network (for example, a mobile communication network, wired Internet, wireless Internet, broadcasting network, satellite network, etc.) that the network 220 may include. Short-range wireless communication between 210_3) may also be included. For example, the network 220 includes a personal area network (PAN), a local area network (LAN), a campus area network (CAN), a metropolitan area network (MAN), a wide area network (WAN), and a broadband network (BBN). And any one or more of networks such as the Internet. In addition, the network 220 may include any one or more of a network topology including a bus network, a star network, a ring network, a mesh network, a star-bus network, a tree or a hierarchical network, etc. Not limited.

In FIG. 2, a mobile phone or a smart phone 210_1, a tablet computer 210_2, and a laptop or desktop computer 210_3 are illustrated as examples of user terminals, but are not limited thereto, and the user terminals 210_1, 210_2, 210_3 are wired and /Or may be any computing device capable of wireless communication and capable of installing and executing an ID management application. For example, the user terminal 210 includes a smartphone, a mobile phone, a navigation terminal, a desktop computer, a laptop computer, a digital broadcasting terminal, a personal digital assistant (PDA), a portable multimedia player (PMP), a tablet computer, a game console. console), a wearable device, an internet of things (IoT) device, a virtual reality (VR) device, an augmented reality (AR) device, and the like. In addition, in FIG. 2, three user terminals 210_1, 210_2, 210_3 are shown to communicate with the access security system 230 through the network 220, but are not limited thereto, and a different number of user terminals 210_1, 210_2 and 210_3) may be configured to communicate with the access security system 230 through the network 220.

According to an embodiment, the access security system 230 may receive a user ID from a plurality of user terminals 210_1, 210_2, and 210_3. According to an embodiment, the access security system 230 may receive a user ID from an ID management application stored in a plurality of desktop or laptop computers 210_3. According to another embodiment, the access security system 230 may receive a user ID signed by a user using a user's private key from a plurality of mobile phones, smartphones, or tablet computers 210_1 and 210_2.

In addition, the access security system 230 may perform validation of the received user ID. That is, the access security system 230 may perform signature verification and expiration time verification of the received user ID. According to an embodiment, when the access security system 230 stores a public key that can verify the validity of a user ID, a verification logic that can perform the validation, the access security system 230 You can directly perform validation of According to another embodiment, when a public key for verifying the validity of a user ID is not stored in the access security system 230, but a verification logic capable of performing validation is stored, the access security system ( 230) may request the public key of the ID issuing system 240 from the ID issuing system 240 or a blockchain network associated with the ID issuing system 240. Thereafter, the access security system 230 receives the public key of the ID issuing system 240 from the ID issuing system 240 or the blockchain network associated with the ID issuing system 240, and performs validation of the user ID. I can. According to another embodiment, when the access security system 230 does not store a public key that can verify the validity of a user ID, a verification logic that can perform the validation, the access security system 230 The validation request may be transmitted to the ID issuing system 240 or the blockchain network associated with the ID issuing system 240. Thereafter, the access security system 230 may receive a response to the validation request from the ID issuance system 240 or the blockchain network associated with the ID issuance system 240, and indirectly perform the validation of the user ID. have.

3 is a block diagram showing the internal configuration of the user terminal 210 and the access security management system 230 according to an embodiment of the present disclosure. The user terminal 210 may refer to an arbitrary computing device capable of executing an ID management application and capable of wired/wireless communication, for example, a mobile phone terminal 210_1, a tablet terminal 210_2, and a PC terminal of FIG. 2 (210_3) and the like. As shown, the user terminal 210 may include a memory 312, a processor 314, a communication module 316, and an input/output interface 318. Similarly, the access security management system 230 may include a memory 332, a processor 334, a communication module 336, and an input/output interface 338. As shown in FIG. 3, the user terminal 210 and the access security management system 230 enable communication of information and/or data through the network 220 using respective communication modules 316 and 336. Can be configured. In addition, the input/output device 320 may be configured to input information and/or data to the user terminal 210 through the input/output interface 318 or to output information and/or data generated from the user terminal 210.

The memories 312 and 332 may include any non-transitory computer-readable recording medium. According to an embodiment, the memories 312 and 332 are non-destructive mass storage devices such as random access memory (RAM), read only memory (ROM), disk drive, solid state drive (SSD), flash memory, etc. (Permanent mass storage device) may be included. As another example, a non-destructive mass storage device such as a ROM, SSD, flash memory, disk drive, etc. may be included in the user terminal 210 or the access security management system 230 as a separate permanent storage device separate from the memory. In addition, the memory 312 and 332 may store an operating system and at least one program code (eg, a code for an ID management application installed and driven in the user terminal 210 ).

These software components may be loaded from a computer-readable recording medium separate from the memories 312 and 332. The recording medium readable by such a separate computer may include a recording medium that can be directly connected to the user terminal 210 and the access security management system 230, for example, a floppy drive, a disk, a tape, a DVD/CD. -It may include a computer-readable recording medium such as a ROM drive or a memory card. As another example, software components may be loaded into the memories 312 and 332 through a communication module other than a computer-readable recording medium. For example, at least one program is a computer program installed by files provided through the network 220 by a file distribution system for distributing the installation files of developers or applications (eg, ID management associated with access security management service) Application) may be loaded into the memories 312 and 332.

The processors 314 and 334 may be configured to process instructions of a computer program by performing basic arithmetic, logic, and input/output operations. Instructions may be provided to the processors 314 and 334 by the memories 312 and 332 or the communication modules 316 and 336. For example, the processors 314 and 334 may be configured to execute an instruction received according to a program code stored in a recording device such as the memories 312 and 332.

The communication modules 316 and 336 may provide a configuration or function for the user terminal 210 and the access security management system 230 to communicate with each other through the network 220, and the user terminal 210 and/or access The security management system 230 may provide a configuration or function for communicating with other user terminals or other systems (eg, a separate cloud system). For example, a request or data generated by the processor 314 of the user terminal 210 according to a program code stored in a recording device such as a memory 312 (e.g., an access request using a user ID, a signature with a user's private key) Information on the user ID) may be transmitted to the access security management system 230 through the network 220 under the control of the communication module 316. Conversely, a control signal or command provided under the control of the processor 334 of the access security management system 230 passes through the communication module 336 and the network 220 to the communication module 316 of the user terminal 210. Through the user terminal 210 may be received. For example, the user terminal 210 may receive an access permission request, user ID validation information, and the like from the access security management system 230 through the communication module 316.

The input/output interface 318 may be a means for an interface with the input/output device 320. As an example, the input device may include a device such as a camera, keyboard, microphone, and mouse including an audio sensor and/or an image sensor, and the output device may include a device such as a display, a speaker, a haptic feedback device, and the like. I can. As another example, the input/output interface 318 may be a means for an interface with a device in which a configuration or function for performing input and output is integrated into one, such as a touch screen. For example, when the processor 314 of the user terminal 210 processes a command of a computer program loaded in the memory 312, the access security management system 230 or other user terminals provide information and/or data. A service screen configured by using or access permission information may be displayed on the display through the input/output interface 318. In FIG. 3, the input/output device 320 is illustrated not to be included in the user terminal 210, but is not limited thereto, and may be configured with the user terminal 210 and one device. In addition, the input/output interface 338 of the access security management system 230 is an interface with a device (not shown) for input or output that is connected to the access security management system 230 or that the access security management system 230 may include. It can be a means for. In FIG. 3, the input/output interfaces 318 and 338 are illustrated as elements configured separately from the processors 314 and 334, but are not limited thereto, and the input/output interfaces 318 and 338 may be configured to be included in the processors 314 and 334. have.

The user terminal 210 and the access security management system 230 may include more components than those of FIG. 3. However, there is no need to clearly show most of the prior art components. According to an embodiment, the user terminal 210 may be implemented to include at least some of the input/output devices 320 described above. In addition, the user terminal 210 may further include other components such as a transceiver, a global positioning system (GPS) module, a camera, various sensors, and a database. For example, when the user terminal 210 is a smartphone, it may generally include components included in the smartphone, for example, an acceleration sensor, a gyro sensor, a camera module, various physical buttons, and touch Various components such as a button using a panel, an input/output port, and a vibrator for vibration may be implemented to be further included in the user terminal 210.

According to an embodiment, the processor 314 of the user terminal 210 may be configured to operate an ID management application or a web browser application related to an access security management service. In this case, a program code associated with the application may be loaded into the memory 312 of the user terminal 210. While the application is running, the processor 314 of the user terminal 210 receives information and/or data provided from the input/output device 320 through the input/output interface 318 or the access security management system through the communication module 316 Information and/or data may be received from 230, and the received information and/or data may be processed and stored in the memory 312. In addition, such information and/or data may be provided to the access security management system 230 through the communication module 316.

While the ID management application is running, the processor 314 inputs or selects text, images, and input devices through input devices such as a camera, microphone including a touch screen, a keyboard, an audio sensor and/or an image sensor connected to the input/output interface 318. Images, etc. may be received, and the received text, images, and/or images may be stored in the memory 312 or provided to the access security management system 230 through the communication module 316 and the network 220. . According to an embodiment, the processor 314 may provide the user ID on the ID management application through the input device to the access security management system 230 through the network 220 and the communication module 316. The processor 334 of the access security management system 230 may be configured to manage, process, and/or store information and/or data received from a plurality of user terminals and/or a plurality of external systems. According to an embodiment, the processor 334 may perform validation of a corresponding user ID based on the user ID received from the user terminal 210 and transmit access permission to the user terminal 210.

4 is a diagram illustrating an example of a method of verifying the validity of a user ID by receiving a public key from a blockchain network 430 according to an embodiment of the present disclosure. According to an embodiment, the user terminal 410 may transmit an access request 412 to the access security management system 420. The user terminal 410 may be a user terminal 410 in which a user ID directly issued by a user for access security management is stored, and an ID management application for storing/managing a user ID may be stored. The access security management system 420 may be a system of one access gate or a system associated with a plurality of access gates.

According to an embodiment, the access security management system 420 receiving the access request 412 may transmit the public key request 422 to the blockchain network 430 to verify the validity of the user ID. In this case, the public key may be the public key of the ID issuing system that generated the corresponding user ID, and may be a private key that encrypts the user ID and a public key forming a key pair. The public key of the ID issuing system may be distributed and stored in a plurality of nodes constituting the blockchain network 430 associated with the ID issuing system. For example, the public key of the ID issuing system may be converted into a hash value by a hash function and stored in a plurality of nodes constituting the blockchain network 430.

Blockchain network 430 receiving the public key request 422 may transmit the public key of the ID issuing system to the access security system 420 (432). The access security system 420 receiving the public key of the ID issuing system may perform validity verification 424 of the user ID. Validation 424 may include signature verification, expiration time verification, and the like. Signature verification may be verifying whether or not information signed in the user ID is valid. Specifically, the signature verification may be verifying whether the user's private key forms a key pair with the user's public key included in the user ID. The expiration time verification may be verifying whether the expiration time of the user ID has elapsed. Specifically, the access security system 420 may extract information about the expiration time included in the user ID, and perform expiration time verification based on the extracted information.

When the validity of the user ID is verified, the access security system 420 may transmit the access permission 426 to the user terminal 410. In addition, the access security system 420 may manipulate an access gate located within a predetermined distance from the user terminal 410 that has received the access permission 426. In another embodiment, the access security system 420 may manipulate the access gate located closest to the user terminal 410 that has received the access permission 426.

With such a configuration, even if the access security system 420 does not have the public key of the ID issuing system for verifying the validity of the user ID, the access security system 420 communicates with the blockchain network 430 and is simple. You can receive the public key of the ID issuing system. In addition, since the public key of the ID issuing system is distributed and stored in the blockchain network 430, risks such as manipulation and hacking of the public key of the ID issuing system can be prevented due to characteristics such as reliability and integrity of the block chain. have.

5 is a diagram illustrating an example of a method of verifying the validity of a user ID by receiving a validity check 532 from the blockchain network 530 according to an embodiment of the present disclosure. According to an embodiment, the user terminal 510 may transmit an access request 512 to the access security management system 520. The user terminal 510 may be a user terminal 510 in which a user ID directly issued by a user for access security management is stored, and an ID management application for storing/managing a user ID may be stored. The access security management system 520 may be a system of one access gate, or may be a system associated with a plurality of access gates.

According to an embodiment, the access security management system 520 receiving the access request 512 may transmit the validation request 522 to the blockchain network 530 to validate the user ID. When transmitting the validation request 522, the access security management system 520 may transmit the user ID received together with the access request 512 to the blockchain network 530. For example, when there is no verification logic for validating the user ID in the access security management system 520, the access security management system 520 may transmit a validation request to the blockchain network 530.

According to an embodiment, the blockchain network 530 may be connected to the ID issuing system 540. For example, the ID issuing system 540 may be an authentication authority constituting the blockchain network 530, and may be a system capable of generating a user ID. The blockchain network 530 receiving the validation request 522 may transmit the user ID and the validation request to the ID issuing system 540 that generated the user ID.

The ID issuing system 540 may perform validity verification 542 of the user ID. According to an embodiment, the validity verification 542 may include signature verification, expiration time verification, and the like. Signature verification may be verifying whether or not information signed in the user ID is valid. Specifically, the signature verification may be verifying whether the user's private key forms a key pair with the user's public key included in the user ID. The expiration time verification may be verifying whether the expiration time of the user ID has elapsed. Specifically, the ID issuing system 540 may extract information about the expiration time included in the user ID, and perform expiration time verification based on the extracted information. In this case, the verification logic stored in the ID issuing system 540 may be the same verification logic as the verification logic of the access security system described above with reference to FIG. 4.

When the validity of the user ID is verified, the ID issuing system 540 may transmit the validity check 532 to the access security system 520 through the blockchain network 530. Thereafter, the access security system 520 receiving the validity check 532 may transmit the access permission 542 to the user terminal 510. In addition, the access security system 520 may manipulate an access gate located within a predetermined distance from the user terminal 510 that has received the access permission 526. In another embodiment, the access security system 520 may manipulate the access gate located closest to the user terminal 510 that has received the access permission 526. With such a configuration, even when there is no verification logic for verifying the validity of the user ID in the access security system 520, the access security system 520 communicates with the blockchain network 530 to provide an ID issuing system 540. ) Can simply receive a validity check 532.

6 is a flowchart illustrating an access security management method 600 according to an embodiment of the present disclosure. According to an embodiment, the access security management method 600 may be performed by an access security management system (eg, at least one processor of the access security management system). As shown, the access security management method 600 may be initiated by receiving an access request from a user terminal in which a user ID is stored (S610). Specifically, the processor may receive an access request from the ID management application of the user terminal in which the user ID is stored.

Meanwhile, the user ID may be distributed and stored in a plurality of nodes constituting the blockchain network. In addition, the user ID may include user information of the user and a public key of the user for verifying the signature of the user ID. In addition, the user ID may be encrypted with the private key of the ID issuing system that generated the user ID.

In response to receiving the access request, the processor may perform user ID validation including at least one of signature verification or expiration time verification of the user ID (S620). In this case, the processor may perform user ID validation by receiving the user ID, signed with the user's public key included in the user ID and the user's private key forming a key pair. According to an embodiment, the processor may verify the validity of the user ID by decrypting the user ID using the public key of the ID issuing system that generated the user ID. According to another embodiment, the processor may verify the validity of the user ID by extracting the public key of the ID issuing system that generated the user ID from the blockchain network associated with the ID issuing system. According to another embodiment, the processor may transmit a validation request for validating the user ID to the ID issuing system that generated the user ID. Thereafter, the processor may receive a response to the validation request from the ID issuing system that has received the validation request.

When the validity of the user ID is verified, the processor transmits the access permission to the user terminal that has transmitted the access request, and can manipulate the entrance gate at a location associated with the user terminal (S630). If the validity of the user ID is verified, the user's information included in the user ID can be trusted, and if the user's information included in the user ID matches that stored in the access security system, the user's access can be granted. .

7 is a flowchart illustrating a method 700 of issuing a user ID for access security management according to an embodiment of the present disclosure. The method 700 for issuing a user ID for access security management may be performed by an ID issuing system (eg, at least one processor of an ID issuing system). According to an embodiment, the ID issuing system may be a single ID issuing system associated with a blockchain network. For example, the ID issuance system may be a node (certification authority) constituting a blockchain network, or a separate system connected to the blockchain network. According to another embodiment, there may be two or more ID issuing systems. In this case, each ID issuing system may include a unique ID issuing system's public key and an ID issuing system's private key, and each ID issuing system may be a node constituting one blockchain network. .

According to an embodiment, the method 700 for issuing a user ID for access security management may be initiated by a processor receiving a request for issuing a user ID directly from a user terminal (S710). According to another embodiment, the processor may receive a request for issuing a user ID from an ID management application associated with a user terminal that has received user registration. Additionally, the processor may further receive user information of a user associated with the user terminal that has transmitted the user ID issuance request and the user's public key for verifying the signature of the user ID.

The processor may generate a user ID in response to a request for issuing a user ID (S720). In this case, the processor may generate a user ID encrypted with the private key of the ID issuing system. According to an embodiment, when receiving user information of the user associated with the user terminal that has transmitted the user ID issuance request and the user's public key for verifying the signature of the user ID, the processor includes the user information and the user's public key. You can create a user ID. According to another embodiment, when the user's public key is not received, the processor may generate a key pair including the user's public key and the private key, and generate a user ID including the generated user's public key. I can.

The processor may transmit the generated user ID to the user terminal that has transmitted the user ID issuance request (S730). When a key pair including the user's public key and the user's private key is generated, the processor may transmit the generated user's private key together with the user ID to the user terminal that has transmitted the user ID issuance request. According to an embodiment, when receiving a request for issuing a user ID from an ID management application associated with a user terminal that has received user registration, the processor may transmit the generated user ID to the ID management application. When a user ID issuance request is received from the ID management application, and a key pair including the user's public key and the user's private key is generated, the processor generates a user ID including the generated user's public key, and The user's private key can be transmitted to the ID management application.

According to an embodiment, the ID issuing system is associated with a blockchain network, and the generated user ID may be distributed and stored in a plurality of nodes constituting the blockchain network associated with the ID issuing system. In addition, the processor may convert the public key of the ID issuing system that generated the user ID and the private key of the ID issuing system into a public key hash value and a private key hash value. In this case, the converted public key hash value and the private key hash value may be distributed and stored in a plurality of nodes constituting the blockchain network associated with the ID issuing system.

In FIG. 7, it has been described above that the ID issuing system (eg, at least one processor of the ID issuing system) receives a request for issuing a user ID from a user terminal, but is not limited thereto. According to an embodiment, the processor may receive a request for issuing a user ID from an ID management application associated with a user terminal that has received user registration. In this case, if the processor does not receive the user's public key, if it does not receive the user's public key, the processor may generate a key pair including the user's public key and the private key, and the generated user's public key You can create a user ID that includes a key. Thereafter, the processor may transmit the generated user's private key to the ID management application.

The above-described access security management method and user ID issuance method for access security management may be provided as a computer program stored in a computer-readable recording medium for execution on a computer. The medium may be one that continuously stores a program executable by a computer, or temporarily stores a program for execution or download. In addition, the medium may be a variety of recording means or storage means in a form in which a single piece of hardware or several pieces of hardware are combined. The medium is not limited to a medium directly connected to a computer system, but may be distributed on a network. Examples of media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, And there may be ones configured to store program instructions, including ROM, RAM, flash memory, and the like. In addition, examples of other media include an app store that distributes applications, a site that supplies or distributes various software, and a recording medium or a storage medium managed by a server.

The method, operation, or techniques of this disclosure may be implemented by various means. For example, these techniques may be implemented in hardware, firmware, software, or a combination thereof. Those of skill in the art will appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented in electronic hardware, computer software, or combinations of both. To clearly illustrate this interchange of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and design requirements imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementations should not be interpreted as causing a departure from the scope of the present disclosure.

In a hardware implementation, the processing units used to perform the techniques include one or more ASICs, DSPs, digital signal processing devices (DSPDs), programmable logic devices (PLDs). ), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, electronic devices, other electronic units designed to perform the functions described in this disclosure. , Computer, or a combination thereof.

Accordingly, various exemplary logic blocks, modules, and circuits described in connection with the present disclosure may include general purpose processors, DSPs, ASICs, FPGAs or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or It may be implemented or performed in any combination of those designed to perform the functions described in. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. The processor may also be implemented as a combination of computing devices, eg, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in connection with the DSP core, or any other configuration.

In firmware and/or software implementation, the techniques include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), PROM ( on a computer-readable medium such as programmable read-only memory), erasable programmable read-only memory (EPROM), electrically erasable PROM (EEPROM), flash memory, compact disc (CD), magnetic or optical data storage device, etc. It can also be implemented as stored instructions. The instructions may be executable by one or more processors, and may cause the processor(s) to perform certain aspects of the functionality described in this disclosure.

Although the above-described embodiments have been described as utilizing aspects of the presently disclosed subject matter in one or more standalone computer systems, the present disclosure is not limited thereto, and may be implemented in connection with any computing environment such as a network or a distributed computing environment. . Furthermore, aspects of the subject matter in this disclosure may be implemented in multiple processing chips or devices, and storage may be similarly affected across multiple devices. Such devices may include PCs, network servers, and portable devices.

In the present specification, the present disclosure has been described with reference to some embodiments, but various modifications and changes may be made without departing from the scope of the present disclosure that can be understood by those of ordinary skill in the art to which the present disclosure belongs. In addition, such modifications and changes should be considered to fall within the scope of the claims appended to this specification.

110: user terminal 112: ID management application
120: entrance gate

Claims (20)

As an access security management method executed by an access security system that manages access of the user using a user ID directly issued by a user from an ID (identifier) issuing system,
Receiving an access request from a user terminal in which the user ID is stored;
In response to receiving the access request, performing user ID validation including at least one of signature verification and expiration time verification of the user ID; And
When the validity of the user ID is verified, transmitting an access permission to the user terminal that has transmitted the access request, and manipulating an access gate at a location associated with the user terminal,
The ID issuing system is associated with a blockchain network, and the public and private keys of the ID issuing system that generated the user ID are converted into a public key hash value and a private key hash value to form the blockchain network. Access security management method that is distributed and stored in the nodes of the network.
delete The method of claim 1,
The user ID includes user information of the user and a user's public key for verifying the signature of the user ID.
The method of claim 1,
The user ID is encrypted with a private key of the ID issuing system that generated the user ID.
The method of claim 1,
In response to receiving the access request, performing user ID validation including at least one of signature verification or expiration time verification of the user ID,
Receiving the user ID, signed with the user's private key forming a key pair with the user's public key included in the user ID
Including, access security management method.
The method of claim 1,
In response to receiving the access request, performing user ID validation including at least one of signature verification or expiration time verification of the user ID,
Decrypting the received user ID using the public key of the ID issuing system that generated the user ID
Including, access security management method.
The method of claim 6,
In response to receiving the access request, performing user ID validation including at least one of signature verification or expiration time verification of the user ID,
Requesting a public key of an ID issuing system to a blockchain network associated with the ID issuing system; And
In response to the request, receiving a public key of the ID issuing system provided by the blockchain network
Further comprising, access security management method.
The method of claim 1,
In response to receiving the access request, performing user ID validation including at least one of signature verification or expiration time verification of the user ID,
Transmitting a validation request for validating the user ID to an ID issuing system that has generated the user ID; And
Receiving a response to the validation request from the ID issuing system that has received the validation request
Including, access security management method.
A computer program stored in a computer-readable recording medium to execute the access security management method according to any one of claims 1 and 3 to 8 on a computer.
As an access security management system that manages the user's access by using the user ID issued by the user directly from the ID issuing system,
A communication module configured to receive an access request from a user terminal in which the user ID is stored;
Memory; And
At least one processor connected to the memory and configured to execute at least one computer-readable program included in the memory
Including,
The at least one program,
In response to receiving the access request, a user ID validation including at least one of a signature verification or an expiration time verification of the user ID is performed, and when the validity of the user ID is verified, an access permission is requested to the access Transmits to the transmitted user terminal, and includes commands for manipulating the entrance gate at a location associated with the user terminal,
The ID issuing system is associated with a blockchain network, and the public and private keys of the ID issuing system that generated the user ID are converted into a public key hash value and a private key hash value to form the blockchain network. Distributed and stored in the nodes of
Access security management system.
As a method of issuing a user ID for access security management executed by the ID issuing system,
Receiving a request for issuing the user ID from a user terminal;
Generating a user ID in response to a request for issuing the user ID;
Transmitting the generated user ID to the user terminal that has transmitted the request for issuing the user ID; And
Converting the public key and the private key of the ID issuing system that generated the user ID into a public key hash value and a private key hash value,
The ID issuing system is associated with a blockchain network, and the converted public key hash value and private key hash value are distributed and stored in a plurality of nodes constituting the blockchain network. .
The method of claim 11,
The ID issuance system is associated with the blockchain network,
The generated user ID is distributed and stored in a plurality of nodes constituting the blockchain network, a method of issuing a user ID for access security management.
The method of claim 11,
Receiving a request for issuing a user ID from the user terminal,
Receiving user information of the user associated with the user terminal that has transmitted the user ID issuance request and a user's public key for verifying the signature of the user ID,
In response to the request for issuance of the user ID, generating a user ID includes:
Generating the user ID including the user information and the user's public key
Containing, a method of issuing a user ID for access security management.
The method of claim 11,
In response to the request for issuance of the user ID, generating a user ID includes:
Generating a key pair including a public key and a private key of a user associated with the user terminal; And
Including the step of generating the user ID including the public key of the generated user,
Transmitting the generated user's private key to the user terminal
A method of issuing a user ID for access security management further comprising a.
The method of claim 11,
In response to the request for issuance of the user ID, generating a user ID includes:
Generating the user ID encrypted with the private key of the ID issuing system
Containing, a method of issuing a user ID for access security management.
delete The method of claim 11,
Receiving a request for issuing a user ID from the user terminal,
Receiving a request for issuance of the user ID from an ID management application associated with the user terminal that has received user registration,
Transmitting the generated user ID to the user terminal that has transmitted the request for issuing the user ID,
Transmitting the generated user ID to the ID management application
Containing, a method of issuing a user ID for access security management.
The method of claim 17,
In response to the request for issuance of the user ID, generating a user ID includes:
Generating a key pair including a public key and a private key of a user associated with the user terminal; And
Including the step of generating the user ID including the public key of the generated user,
Transmitting the generated user's private key to the ID management application
A method of issuing a user ID for access security management further comprising a.
A computer program stored in a computer-readable recording medium to execute the method for issuing a user ID for access security management according to any one of claims 11 to 15, 17 and 18 on a computer.
As an ID issuance system for access security management,
A communication module configured to receive a request for issuing a user ID from a user terminal;
Memory; And
At least one processor connected to the memory and configured to execute at least one computer-readable program included in the memory
Including,
The at least one program,
In response to the user ID issuance request, a user ID is generated, the generated user ID is transmitted to the user terminal that has transmitted the user ID issuance request, and the ID issuance system is disclosed. Includes instructions for converting a key and a private key into a public key hash value and a private key hash value,
The ID issuing system is associated with a blockchain network, and the converted public key hash value and private key hash value are distributed and stored in a plurality of nodes constituting the blockchain network,
User ID issuance system for access security management.

Images