KR102296110B1 - Method for Managing Certificate - Google Patents

Abstract

The present invention relates to a certificate management method, wherein the certificate management method is executed through a management server provided or linked on a certificate use procedure path in which a procedure using a certificate through a communication network is performed, wherein when a certificate is issued to a user, the Stores identification information that identifies the designated information receiving means of the user who receives the certificate, and checks and reads certificate procedure information related to the digital signature algorithm use procedure for digitally signing using the certificate issued to the user on the certificate use procedure path to confirm that the certificate use procedure including the digital signature algorithm use procedure for digitally signing using the user's certificate is being performed on the certificate use procedure path, and the certificate use procedure including the digital signature algorithm use procedure is performed If it is confirmed that there is, the certificate use information is generated using the certificate procedure information to explain that the digital signature algorithm use procedure is performed on the certificate use procedure path, and is separated from the certificate use procedure path based on the identification information. A procedure of notifying a certificate use information message for delivering the certificate use information to a designated information receiving means of an actual user who has been issued the certificate through a channel of

Description

Method for Managing Certificate}

The present invention provides a certificate management method executed through a management server provided or linked to a certificate use procedure path in which a procedure using a certificate is performed through a communication network. Storing identification information that identifies the information receiving means, checking and reading certificate procedure information related to the digital signature algorithm use procedure for digitally signing using the certificate issued to the user on the certificate use procedure path on the certificate use procedure path If it is confirmed that the certificate use procedure including the digital signature algorithm use procedure for digital signing using the user's certificate is being performed, and it is confirmed that the certificate use procedure including the digital signature algorithm use procedure is being performed, the certificate procedure The information is used to generate certificate use information explaining that the digital signature algorithm use procedure is performed on the certificate use procedure path, and the certificate is transmitted through a separate channel differentiated from the certificate use procedure path based on the identification information. The present invention relates to a certificate management method for performing a procedure of notifying a certificate use information message for delivering the certificate use information to a designated information receiving means of an issued real user.

According to the Digital Signature Act, a certificate has been regarded as the most recognized authentication method for non-face-to-face transactions or non-face-to-face authentication using a communication network. However, attempts have been made to replace certificate-based authentication with other authentications due to the inconvenience of requiring a user to visit the RA to apply for issuance of a certificate, and the restriction that a certificate medium is required to store the certificate to use the certificate. . However, no alternative authentication method has completely replaced certificate-based authentication, but it is used as an auxiliary authentication method.

However, as various hacking techniques including smishing have improved recently, certificate theft and hacking are increasing day by day. Moreover, with the recent activation of smartphones, the service of storing and using certificates inside the smartphone is activated, and certificate theft and hacking targeting smartphones are increasing (related articles, http://www.hankyung.com/news) /app/newsview.php?aid=2013122544771). Now, it is safe to say that the certificate is no longer an authorized authentication method.

Nevertheless, certificates are still used as an authorized authentication method for non-face-to-face transactions or non-face-to-face authentication. Even if the certificate loses the qualification of 'authorized' in the future, it will be used as an authentication method for non-face-to-face transactions or non-face-to-face authentication. Currently, banks that mainly provide certificate-based authentication are providing electronic financial fraud prevention services that require users to enter a pre-registered password or a number indicated by a voice message using ARS (Automatic Response Service), but this is only for user authentication. It is only a service and cannot prevent or detect certificate theft or hacking.

An object of the present invention to solve the above problems is, in a certificate management method executed through a management server provided or linked to a certificate use procedure path in which a procedure using a certificate through a communication network is performed, a certificate is provided to a user In the case of being issued, the first step of storing identification information for identifying the designated information receiving means of the user who receives the certificate, and the digital signature algorithm use procedure for digitally signing using the certificate issued to the user on the certificate use procedure path A second step of confirming that a certificate use procedure including a digital signature algorithm use procedure for digitally signing using a user's certificate is being performed on the certificate use procedure path by checking and reading certificate procedure information and using the digital signature algorithm A third step of generating certificate use information explaining that the digital signature algorithm use procedure is performed on the certificate use procedure path using the certificate procedure information when it is confirmed that the certificate use procedure including the procedure is being performed, and the identification a procedure of notifying a certificate use information message for delivering the certificate use information to the designated information receiving means of the actual user who has been issued the certificate through a separate channel differentiated from the certificate use procedure path based on the information To provide a certificate management method including four steps.

In the certificate management method according to the present invention, the certificate management method is executed through a management server provided or linked to a certificate use procedure path in which a procedure using a certificate through a communication network is performed, when a certificate is issued to a user, the certificate The first step of storing identification information that identifies the designated information receiving means of the user who is issued the and a second step of confirming that the certificate use procedure including the digital signature algorithm use procedure for digitally signing using the user's certificate is being performed on the certificate use procedure path and the certificate including the digital signature algorithm use procedure When it is confirmed that the use procedure is being performed, a third step of generating certificate use information explaining that the digital signature algorithm use procedure is performed on the certificate use procedure path by using the certificate procedure information and the identification information A fourth step of performing a procedure of notifying a certificate use information message for delivering the certificate use information to a designated information receiving means of an actual user who has been issued the certificate through a separate channel from the certificate use procedure path characterized in that
In the certificate management method according to the present invention, the step of confirming one or more specified information of identification information, procedure value, or certificate use value included in the certificate procedure information, and one of the identified identification information, procedure value, or certificate use value It characterized in that it further comprises the step of authenticating the validity of the certificate use procedure by using the specified information.
In the certificate management method according to the present invention, when the digital signature algorithm use procedure or a part of the digital signature algorithm use procedure is performed before the certificate use information message is notified, the digital signature algorithm use procedure or the electronic signature algorithm use procedure It is characterized in that it further comprises the step of temporarily waiting without final processing of a part of the signature algorithm using procedure.
In the certificate management method according to the present invention, the step of receiving a certificate use approval message for the certificate use information from a user terminal corresponding to the information receiving means that has been notified of the certificate use information message, and the use of the certificate use approval message It characterized in that it further comprises the step of causing the digital signature algorithm use procedure to be finally processed on the certificate use procedure path based on the result.
In the certificate management method according to the present invention, receiving a certificate use rejection message for the certificate use information from a user terminal corresponding to the information receiving means that has been notified of the certificate use information message, and rejecting the use of the certificate use rejection message It characterized in that it further comprises the step of processing to cause an error in the digital signature algorithm use procedure on the certificate use procedure path based on the result.
In the certificate management method according to the present invention, the management server is characterized in that it comprises a server that does not form a direct contact point with the requesting terminal requesting the use of the certificate on the certificate use procedure path.
In the certificate management method according to the present invention, the certificate management method is executed through a management server provided or linked to a certificate use procedure path in which a procedure using a certificate through a communication network is performed, using a certificate on the certificate use procedure path A first step of confirming that the digital signature algorithm use procedure using the digital signature algorithm is being performed, and the certificate use procedure is being performed on the certificate use procedure path using the certificate procedure information related to the digital signature algorithm use procedure and a third step of performing a procedure of notifying a certificate usage information message to a designated information receiving means of an actual user who has been issued the certificate.

According to the present invention, in the first step, it can be confirmed that the digital signature algorithm use procedure is being performed on the certificate use procedure path based on the certificate use message received through the certificate use procedure path.

According to the present invention, the certificate management method further includes the step of confirming certificate procedure information related to the digital signature algorithm use procedure being performed on the certificate use procedure path, wherein the first step is to read the certificate procedure information It can be confirmed that the digital signature algorithm use procedure is being performed on the certificate use procedure path.

According to the present invention, the certificate management method further includes performing a digital signature algorithm use procedure requested through the certificate use procedure path or a part of the digital signature algorithm use procedure, wherein the first step includes: It can be confirmed that the digital signature algorithm use procedure is being performed on the certificate use procedure path in connection with the performed digital signature algorithm use procedure or a partial execution procedure of the digital signature algorithm use procedure.

According to the present invention, the certificate procedure information includes one or more standard definition information defined in a standard related to the digital signature algorithm use procedure, and is exchanged or obtained through the certificate use procedure path for the digital signature algorithm use procedure. At least one piece of non-standard information may be included.

According to the present invention, the certificate procedure information includes certificate identification information for identifying a certificate used for a certificate use procedure, issuer identification information for identifying an issuer who has been issued a certificate, certification authority identification information for identifying an authorized certification authority of the certificate, and a certificate It may include one or more identification information among the personalization agent identification information that identifies the personalization agent.

According to the present invention, the certificate procedure information includes medium identification information for identifying the certificate medium in which the certificate is stored, requesting authority identification information for identifying the requesting authority requesting use of the certificate, procedure identification information for identifying the certificate use procedure, and certificate use. It may include at least one piece of identification information among the requested terminal identification information. Meanwhile, the terminal identification information includes identification information matching the unique identification code of the terminal registered through the designated terminal registration procedure, identification information matching the unique identification code of the terminal program identified through the program loading/authentication procedure, and the fixed address of the terminal Identification information matching with ISP (Internet Service Provider)-based location information of the terminal, identification information matching with GPS (Global Positioning System)-based location information of the terminal, identification matching with base station-based location information of the terminal It may include at least one piece of identification information among information and identification information matching the phone number of the terminal.

According to the present invention, the certificate procedure information may include at least one of a procedure value necessary for using a certificate and a certificate use value generated using the certificate.

According to the present invention, the certificate management method includes the steps of: checking at least one designated identification information previously designated for authenticating the validity of the digital signature algorithm use procedure among the identification information included in the certificate procedure information; The method may further include authenticating the validity of the digital signature algorithm using procedure by authenticating the designated identification information. Meanwhile, the designated identification information may include at least one designated identification information among medium identification information for identifying a certificate medium storing a certificate, process identification information for identifying a certificate use procedure, and terminal identification information for requesting use of a certificate.

According to the present invention, the certificate management method includes the steps of: checking at least one specified value previously designated for authenticating the validity of the digital signature algorithm use procedure among a procedure value and a certificate use value included in the certificate procedure information; The method may further include authenticating the validity of the digital signature algorithm using procedure by authenticating the identified specified value.

According to the present invention, the certificate management method further comprises the step of storing notification target certificate identification information for identifying use of a notification target certificate, wherein at least one certificate identification information included in the certificate procedure information and the notification target The method may further include comparing and authenticating the certificate identification information, and confirming that the digital signature algorithm use procedure is being performed on the certificate use procedure path when the certificate identification information matches the notification target certificate identification information. .

According to the present invention, the certificate management method further comprises the step of storing the notification target issuer identification information for identifying the use of the notification target certificate, at least one issuer identification information included in the certificate procedure information and the notification target The method may further include comparing and authenticating the issuer identification information, and when the issuer identification information matches the notification target issuer identification information, confirming that the digital signature algorithm use procedure is being performed on the certificate use procedure path. .

According to the present invention, the certificate management method further comprises the step of storing notification target procedure identification information for identifying use of a notification target certificate, at least one procedure identification information included in the certificate procedure information and the notification target The method may further include comparing and authenticating the procedure identification information, and when the procedure identification information matches the notification target procedure identification information, confirming that the digital signature algorithm use procedure is being performed on the certificate use procedure path. .

According to the present invention, the certificate management method further comprises the step of storing the notification target certificate identification information for identifying the use of the notification target certificate, the digital signature algorithm use procedure requested through the certificate use procedure path or the electronic performing a partial execution procedure of the signature algorithm use procedure, and at least one certificate identification information corresponding to the performed digital signature algorithm use procedure or a partial execution procedure of the digital signature algorithm use procedure and the notification target certificate identification information The method may further include comparing and authenticating, and confirming that a digital signature algorithm use procedure is being performed on the certificate use procedure path when the certificate identification information matches the notification target certificate identification information.

According to the present invention, the certificate management method further comprises the step of storing the notification target issuer identification information for identifying the notification target certificate use, the digital signature algorithm use procedure requested through the certificate use procedure path or the electronic performing a partial execution procedure of the signature algorithm use procedure, and at least one issuer identification information corresponding to the performed digital signature algorithm use procedure or a partial execution procedure of the digital signature algorithm use procedure and the issuer identification information to be notified The method may further include comparing and authenticating, and when the issuer identification information matches the notification target issuer identification information, confirming that a digital signature algorithm use procedure is being performed on the certificate use procedure path.

According to the present invention, the certificate management method further comprises the step of storing notification subject procedure identification information for identifying the use of the notification subject certificate, the digital signature algorithm use procedure requested through the certificate use procedure path or the electronic performing a partial execution procedure of the signature algorithm use procedure, and at least one procedure identification information corresponding to the performed digital signature algorithm use procedure or a partial execution procedure of the digital signature algorithm use procedure and the notification target procedure identification information The method may further include comparing and authenticating, and confirming that a digital signature algorithm using procedure is being performed on the certificate using procedure path when the procedure identification information matches the notification target procedure identification information.

According to the present invention, the certificate use information includes date and time information on which a certificate issued to a user is used, institution information on a public certificate authority of the certificate, institution information on a certificate issuing institution, and at least one involved in the digital signature algorithm use procedure. It may include at least one piece of information among institution information, certificate usage field information, certificate medium information in which the certificate is recorded, transaction information in which the certificate is used, and terminal information used in the use of the certificate in the form of a string or a structure.

According to the present invention, in the certificate management method, when the digital signature algorithm use procedure or a part of the digital signature algorithm use procedure is performed before the certificate use information message is notified, the digital signature algorithm use procedure or the It may further include the step of temporarily waiting without final processing of some of the procedures for using the digital signature algorithm.

According to the present invention, the certificate management method may further include receiving a certificate use approval message for the certificate use information from a user terminal corresponding to the information receiving means that has been notified of the certificate use information message. Meanwhile, the certificate management method may further include allowing the digital signature algorithm use procedure to be finally processed on the certificate use procedure path based on the use approval result of the certificate use approval message.

According to the present invention, the certificate management method may further include receiving a certificate use rejection message for the certificate use information from a user terminal corresponding to the information receiving means that has been notified of the certificate use information message. Meanwhile, the certificate management method may further include processing an error in the digital signature algorithm use procedure on the certificate use procedure path based on the use rejection result of the certificate use rejection message.

According to the present invention, the management server includes a server provided in a service providing institution that provides a certificate-based service, a server provided in an authorized certification authority of the certificate, a server provided in an operating institution linked to the server of the service providing institution, It may include at least one server among the servers provided in the operating organization associated with the server of the accredited certification authority.

According to the present invention, it recognizes that the certificate issued to the user is being used by directly intervening in the certificate use procedure regardless of the various electronic financial fraud prevention services provided by the conventional bank, and based on this, the certificate use information for the use of the certificate By generating and notifying the actual user who has been issued the certificate, there is an advantage of safely managing the certificate without a separate auxiliary authentication method, and the advantage of always detecting and blocking certificate hacking and illegal transaction attempts in any way.

1 is a diagram illustrating a schematic diagram of a configuration of a certificate management system according to an embodiment of the present invention.
2 is a diagram showing the configuration of a procedure server and a management server according to an embodiment of the present invention.
3 is a diagram illustrating a process of performing a certificate use procedure between a requesting terminal and a procedure server according to an embodiment of the present invention.
4 is a diagram illustrating a process of notifying certificate use information according to an embodiment of the present invention.
5 is a diagram illustrating a process of notifying certificate use information according to another embodiment of the present invention.
6 is a diagram illustrating a process of approving or rejecting use of a certificate according to an implementation method of the present invention.
7 is a diagram illustrating a process of processing a certificate use procedure between a requesting terminal and a procedure server according to an implementation method of the present invention.

Hereinafter, the principle of operation of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. However, the drawings shown below and the description to be given below relate to a preferred implementation method among various methods for effectively explaining the characteristics of the present invention, and the present invention is not limited only to the following drawings and description. For example, it is possible to be implemented in a form in which a component provided on the server side is implemented on the terminal side, or, conversely, a component provided on the terminal side is implemented on the server side.

In addition, in the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the gist of the present invention, the detailed description thereof will be omitted. And the terms to be described later are terms defined in consideration of functions in the present invention, which may vary according to intentions or customs of users and operators. Therefore, the definition should be made based on the content throughout the present invention.

As a result, the technical spirit of the present invention is determined by the claims, and the following embodiments are one means for efficiently explaining the technical spirit of the present invention to those of ordinary skill in the art to which the present invention belongs. only

1 is a diagram showing a schematic diagram of the configuration of a certificate management system according to an embodiment of the present invention.

In more detail, this figure 1 confirms that the procedure using the certificate issued to the user is being performed on the certificate use procedure path, and when the certificate use procedure is confirmed, generates certificate usage information for the use of the corresponding certificate and notifies the user As showing the system configuration, those of ordinary skill in the art to which the present invention pertains may refer to and/or modify this figure 1 to various implementation methods (eg, some configurations are omitted or modified) for the configuration of the certificate management system. , or subdivided, or combined implementation method) may be inferred, but the present invention is made including all the inferred implementation methods, and the technical characteristics are not limited only to the implementation method illustrated in FIG. 1 .

The certificate management system of the present invention includes a requesting terminal 100 for requesting a procedure using a certificate issued to a user, and a procedure server provided on a certificate use procedure path to perform at least one procedure using a certificate issued to the user (110) and a management server that checks whether a procedure using the certificate issued to the user is being performed on the certificate use procedure path, and generates certificate usage information for the use of the corresponding certificate and notifies the user when the certificate use procedure is confirmed and 200, and a user terminal 105 used by a user who has actually been issued the certificate. The procedure server 110 and the management server 200 shown in FIG. 1 according to the implementation method of the present invention are named names in terms of their functional configuration, and the procedure server 110 and the management server 200 are physical servers. is by no means limited to For example, the procedure server 110 and the management server 200 may be implemented in the form of physically separated individual servers, or may be physically implemented in one server, or functionally or software in a physical server provided in advance. It is possible to be implemented, and the present invention includes all such embodiments.

The certificate use procedure path of the present invention includes a communication path formed through a communication network in order to perform the certificate use procedure requested from the requesting terminal 100 . Therefore, in the present invention, a server interworking with the management server 200 among one or more servers that directly perform the certificate use procedure on a communication path formed through a communication network to perform the certificate use procedure is defined as the procedure server 110 . and the management server 200 is provided on the certificate use procedure path to perform a certificate use procedure, or at least one terminal (eg, request terminal 100, etc.) provided on the certificate use procedure path; and / or check whether the procedure using the certificate issued to the user is being performed on the certificate use procedure path in connection with the procedure server 110 provided on the certificate use procedure path, and when the certificate use procedure is confirmed, the corresponding certificate It can be defined as a server that generates certificate usage information for use and notifies the user. According to the implementation method of the present invention, the management server 200 does not form a direct contact with the requesting terminal 100 that requests the use of the certificate on the certificate use procedure path in order to maintain the independence of the certificate use information notification. However, it may be implemented to form a communication contact point with the user terminal 105 corresponding to the information receiving means of the real user who has been issued the certificate of the certificate use procedure through a separate channel differentiated from the certificate use procedure path. can

The user of the present invention undergoes registration through RA and issuance through CA in accordance with specified standards (eg, KCAC.TS.CRMF, KCAC.TS.CMP, KCAC.TS.RS, etc.) (eg, KCAC.TS.CERTPROF, etc.) is issued and/or reissued and stored in a designated certificate medium (eg, KCAC.TS.UI, KCAC.TS.HSMS, KCAC.TS.HSMU, CAC.TS) .KP, KCAC.TS.CM, etc.), renew it (see, for example, KCAC.TS.ACUG, etc.), or use a copy (see, for example, KCAC.TS.CT, etc.), and the certificate is suspended or may be discarded (see eg KCAC.TS.CRLPROF). Here, the certificate medium includes an internal memory unit of the requesting terminal 100, an external memory unit detachable from the requesting terminal 100 (eg, HSM (Hardware Security Module), USB memory, security token, etc.), the requesting terminal ( 100) and may include at least one of an external device (eg, a mobile token, a cloud storing a certificate, etc.) that interfaces with the communication interface, and is expandable as necessary. According to the implementation method of the present invention, the user terminal is stored in the certificate medium at a designated time before, during, and after performing a certificate use procedure such as issuance, reissuance, renewal, copying, suspension, and revocation through the user terminal. A subscriber program for using the recorded certificate is provided and/or run. Also, the subscriber program is provided and/or operated at the time of starting the certificate-based service using the certificate recorded in the certificate medium.

The requesting terminal 100 is a generic term for a terminal requesting a procedure for using a certificate issued to a user, and preferably, it should be a terminal used by the user who has been issued a certificate, but the present invention may not be a terminal used by the user. Assume The requesting terminal 100 includes all types of terminals including wired terminals (eg, personal computers, laptops, etc.) and wireless terminals (eg, smart phones, mobile phones, tablet PCs, etc.) that can request the use of certificates non-face-to-face through a communication network. of the terminal, and is not limited to any specific terminal type or category. For example, if a refrigerator or air conditioner can request the use of a certificate through a communication network, it corresponds to the requesting terminal 100 of the present invention.

According to the embodiment of the present invention, the requesting terminal 100 displays a certificate selection interface in order to use a certificate-based service, and the certificate selection interface is displayed in the form of a program execution screen, or is displayed in the form of a certificate window, or , or in the form of a page. The requesting terminal 100 includes and/or runs a subscriber program to display the certificate selection interface. According to the implementation method of the present invention, it is preferable that the certificate use procedure for the certificate issued to the user from the point of view of the requesting terminal 100 is considered to be started from the time when the certificate selection interface is displayed on the requesting terminal 100 . do. However, the procedure for using a certificate of the present invention is by no means limited to the procedure for using a certificate based on the certificate selection interface, and it is preferable to include procedures such as certificate issuance, reissuance, renewal, copying and revocation as the procedure for using the certificate of the present invention. .

According to the implementation method of the present invention, the subscriber program driven in the requesting terminal 100 displays a certificate selection interface according to a specified standard (eg, KCAC.TS.NSACA), and selects the available certificates in the requesting terminal 100 . The provided certificate medium is searched and/or checked, and at least one certificate related information to be used by the requesting terminal 100 is extracted and displayed from at least one certificate medium.

When at least one certificate-related information is extracted and/or displayed from a designated certificate medium through the certificate selection interface, the subscriber program executes the certificate according to a designated standard (eg, KCAC.TS.CERTVAL, KCAC.TS.OCSP, etc.). establishes/verifies the path to be used, and/or authenticates the validity of the certificate (eg, certificate status, etc.), performs a certificate use procedure. Meanwhile, the time point at which the certificate path establishment/verification procedure and/or the certificate validity verification procedure is performed may be performed before or during the actual use of the certificate issued to the user. It is not limited by the time at which the procedure and/or certificate validity verification procedure is performed.

According to the implementation method of the present invention, the certificate validity authentication procedure is a certificate validity authentication procedure using a Certificate Revocation List (CRL), or a certificate validity authentication procedure using an Online Certificate Status Protocol (OCSP). includes Preferably, the certificate revocation list is provided in the service provider and is periodically updated in connection with the accredited certification authority. Therefore, the certificate validity authentication procedure using the certificate revocation list is performed through a server provided in the service provider, and the certificate usage information notification using this is linked to a server provided in the service provider or a server provided in the service provider. It can be provided through the operation server. Also preferably, the OCSP server for authenticating the validity of the certificate through the online status check protocol is provided in the authorized certification authority. Therefore, the certificate validity authentication procedure using the online status check protocol is performed by interlocking the server provided in the service provider and the OCSP server provided in the accredited certification authority. It may be provided through an operation server associated with a server provided in the accredited certification authority, or may be provided through a server provided in the service providing organization or an operation server associated with a server provided in the service provider according to the implementation method. .

According to the present invention, the certificate path establishment/verification procedure and/or certificate validity authentication procedure uses the certificate issued to the user on the certificate use procedure path before the certificate issued to the user is actually used in the certificate management technology of the present invention. It is one of the key procedures to ensure that the procedure is being carried out. Therefore, the procedure server 110 and/or the management server 200 of the present invention is one of the servers directly involved in the certificate path construction/verification procedure and/or the certificate validity authentication procedure, or at least the certificate path construction/verification procedure. It is preferably implemented as one of the servers interoperating with the server directly involved in the procedure and/or the certificate validity authentication procedure.

When at least one of the certificate path establishment/verification procedure and/or the certificate validity authentication procedure is performed, the subscriber program conforms to a specified standard (eg, KCAC.TS.DSIG, KCAC.TS.HASH, KCAC.TS.ENC, etc.). Accordingly, a certificate use procedure is performed, which actually uses the certificate issued to the user by using at least one of a digital signature and/or hash and/or encryption through at least one designated algorithm.

A certificate-based service (eg, certificate-based login, certificate-based digital signature, etc.) may be provided through at least one of digital signature and/or hash and/or encryption using the specified algorithm, and according to the present invention, the specified algorithm In the certificate management technology of the present invention, while the certificate issued to the user is actually used, the procedure using

The procedure server 110 is a generic name for servers that are provided on the certificate use procedure path and perform at least one procedure among the certificate use procedures, and are preferably provided in a service provider that can provide a certificate-based service specified on the certificate use procedure path. It may include a certified service providing server and/or a certification authority server provided in an authorized certification authority or issuing authority of a certificate used for a certificate use procedure. That is, the procedure server 110 may be any server as long as it exists on the path for using the certificate, and is not limited by the type or category of a specific server or the server operating organization. According to the implementation method of the present invention, the certificate use procedure for the certificate issued to the user from the standpoint of the procedure server 110 confirms that a certificate-based service is requested from the requesting terminal 100, or the requesting terminal 100 It is preferable to be considered to be started from the point in time when it is determined that the certificate-based service is to be started. However, the procedure for using a certificate of the present invention is by no means limited to the procedure for using a certificate based on a certificate-based service, and it is preferable to include procedures such as certificate issuance, reissuance, renewal, copying and revocation as the procedure for using the certificate of the present invention.

According to the first procedure server 110 embodiment of the present invention, the procedure server 110 may include a service providing server provided in a service providing institution capable of providing a certificate-based service designated to the requesting terminal 100 . . Here, the service provider is a generic name of institutions that provide services using certificates, preferably electronic transaction institutions (eg, banks, card companies, securities companies, insurance companies, etc.), identity authentication institutions (eg, telecommunication companies, credit rating agencies, etc.); Internet service institutions (e.g., portal companies, institutions that operate homepages), government institutions (e.g., Korean Intellectual Property Office, e-government, etc.) Including all institutions, it is not limited by the type or category of a specific institution. Hereinafter, for convenience, the features of the present invention will be mainly described with reference to an embodiment in which the service providing institution is an electronic transaction institution. However, it should be clearly stated that the features of the present invention are not limited thereto.

According to the first implementation method of the first embodiment of the procedure server 110, the procedure server 110 is provided in an electronic transaction provider (eg, a bank, a credit card company, a securities company, an insurance company, etc.) that provides a certificate-based electronic transaction. It may include at least one server among various electronic transaction-related servers that provide electronic transaction services. For example, the procedure server 110 may include at least one banking-related server among various banking-related servers, such as an Internet banking server, a mobile banking server, and an electronic financial server provided in a bank.

According to the second implementation method of the embodiment of the first procedure server 110, the procedure server 110 is provided in the electronic transaction provider to perform certificate tasks (eg, certificate issuance, certificate reissuance, certificate suspension, certificate revocation, certificate validation, certificate roaming, etc.) may include at least one server among various certificate service related servers. For example, the procedure server 110 may include an RA server provided in a financial institution that performs an RA (Registration Authority) of a certificate among electronic transaction provider organizations that provide certificate-related services. Alternatively, the procedure server 110 may include a CRL server that processes certificate validation using a Certificate Revocation List (CRL) among servers of the electronic transaction provider. Alternatively, the procedure server 110 may include an OCSP request server for requesting real-time certificate validation to an OCSP (Online Certificate Status Protocol) server of an accredited certification authority among servers of the electronic transaction provider.

According to the third implementation method of the embodiment of the first procedure server 110, the procedure server 110 is provided in the electronic transaction provider and performs certificate-based authentication tasks (eg, certificate-based login authentication or certificate-based electronic signature verification). etc.) and may include at least one server among various certificate-based authentication servers. For example, the procedure server 110 may include an authentication server that processes a certificate-based login authentication task among servers of an electronic transaction provider. Alternatively, the procedure server 110 may include an authentication server that processes a certificate-based digital signature verification task among servers of an electronic transaction provider. Alternatively, the procedure server 110 may include a directory server provided in an electronic transaction provider or an authentication server of the electronic transaction provider can refer to.

According to an embodiment of the second procedure server 110 of the present invention, the procedure server 110 may include a certification authority server provided in an authorized certification authority or issuing authority of a certificate used for a certificate use procedure. Depending on the implementation method, it is possible to include a server of a top-level certification authority. Hereinafter, for convenience, an institution provided with the authentication institution server is referred to as an "accredited authentication institution". However, the present invention is not limited thereto, and even if it is not an 'accredited' certification authority, the present invention is not limited thereto.

According to the first implementation method of the second procedure server 110 embodiment, the procedure server 110 is provided in the accredited certification authority to perform certificate tasks (eg, certificate issuance, certificate reissuance, certificate suspension, certificate revocation, certificate validity). inspection, certificate roaming, etc.) may include at least one server among various certificate service related servers. For example, the procedure server 110 may include a CA server that performs a CA (Certificate Authority) task of an accredited certification authority. Alternatively, the procedure server 110 may include an OCSP server that processes real-time certificate validation by an authorized certification authority.

According to the second implementation method of the second embodiment of the procedure server 110, the procedure server 110 is provided in the accredited certification authority to perform certificate-based authentication tasks (eg, certificate-based login authentication or certificate-based digital signature verification, etc.) ) may include at least one server among various certificate-based authentication servers for processing. For example, the procedure server 110 may include an authentication server that processes a certificate-based login authentication task among servers of an accredited certification authority. Alternatively, the procedure server 110 may include an authentication server that processes a certificate-based digital signature verification task among servers of an accredited certification authority. Alternatively, the procedure server 110 may include a directory server provided in an accredited certification authority or implemented so as to be referenced by an electronic transaction authority.

The management server 200 checks whether a procedure using the certificate issued to the user is being performed on the certificate use procedure path, and when the certificate use procedure is confirmed, generates certificate usage information for the use of the corresponding certificate and notifies the user As a generic name of the server, it is preferably provided on the certificate use procedure path or may be linked with at least one server provided on the certificate use procedure path. That is, the management server 200 may be any server as long as it can confirm the use of the certificate and generate and notify the use of the certificate, and is not limited by the type or category of the specific server or the server operating organization. According to the implementation method of the present invention, the management server 200 registers predetermined information (eg, a user terminal (eg, a user terminal) 105), it is desirable to maintain a state of checking whether the procedure for using the certificate issued to the user is being performed on the certificate use procedure path from the point when the registration using the telecommunication company/agent, etc.) is confirmed.

According to the embodiment of the first management server 200 of the present invention, the management server 200 may include a certification authority server provided in an authorized certification authority or issuing authority of a certificate used for a certificate use procedure. According to the implementation method, the management server 200 may include a server of the highest level certification authority. Hereinafter, for convenience, an institution provided with the authentication institution server is referred to as an "accredited authentication institution". However, the present invention is not limited thereto, and even if it is not an 'accredited' certification authority, the present invention is not limited thereto.

According to the first implementation method of the first management server 200 embodiment, the management server 200 is provided in the accredited certification authority to perform certificate tasks (eg, certificate issuance, certificate reissuance, certificate suspension, certificate revocation, certificate validity). inspection, certificate roaming, etc.) may include at least one server among various certificate service related servers. For example, the management server 200 may include a CA server that performs a CA (Certificate Authority) task of an accredited certification authority. Alternatively, the management server 200 may include an OCSP server that processes real-time certificate validation by an authorized certification authority.

According to the second implementation method of the first management server 200 embodiment, the management server 200 is provided in the accredited certification authority to perform certificate-based authentication tasks (eg, certificate-based login authentication or certificate-based digital signature verification, etc.) ) may include at least one server among various certificate-based authentication servers for processing. For example, the management server 200 may include an authentication server that processes a certificate-based login authentication task among servers of an authorized certification authority. Alternatively, the management server 200 may include an authentication server that processes a certificate-based digital signature verification task among servers of an accredited certification authority. Alternatively, the management server 200 may include a directory server provided in an accredited authentication institution or implemented to be referenced by an electronic transaction institution.

According to the second management server 200 embodiment of the present invention, the management server 200 may include a certificate server provided in a service providing organization capable of providing a certificate-based service designated to the requesting terminal 100 . Here, the service provider is a generic name of institutions that provide services using certificates, preferably electronic transaction institutions (eg, banks, card companies, securities companies, insurance companies, etc.), identity authentication institutions (eg, telecommunication companies, credit rating agencies, etc.); Internet service institutions (e.g., portal companies, institutions that operate homepages), government institutions (e.g., Korean Intellectual Property Office, e-government, etc.) Including all institutions, it is not limited by the type or category of a specific institution.

According to the second implementation method of the second management server 200 embodiment, the management server 200 is provided in the electronic transaction provider to perform certificate tasks (eg, certificate issuance, certificate reissuance, certificate suspension, certificate revocation, certificate validation, certificate roaming, etc.) may include at least one server among various certificate service related servers. For example, the management server 200 may include an RA server provided in a financial institution that performs an RA (Registration Authority) of a certificate among electronic transaction providers that provide certificate-related services. Alternatively, the management server 200 may include a CRL server that processes certificate validation using a Certificate Revocation List (CRL) among servers of an electronic transaction provider. Alternatively, the management server 200 may include an OCSP request server for requesting real-time certificate validation to an OCSP (Online Certificate Status Protocol) server of an accredited certification authority among servers of an electronic transaction provider.

According to the third implementation method of the embodiment of the second management server 200, the management server 200 is provided in the electronic transaction provider to perform certificate-based authentication tasks (eg, certificate-based login authentication or certificate-based electronic signature verification). etc.) and may include at least one server among various certificate-based authentication servers. For example, the management server 200 may include an authentication server that processes a certificate-based login authentication task among servers of an electronic transaction provider. Alternatively, the management server 200 may include an authentication server that processes a certificate-based digital signature verification task among servers of an electronic transaction provider. Alternatively, the management server 200 may include a directory server provided in an electronic transaction provider or an authentication server of the electronic transaction provider can refer to.

According to the third management server 200 embodiment of the present invention, the management server 200 checks the certificate use procedure or uses the certificate in connection with the service providing server and/or the certification authority server provided on the certificate use procedure path. It may include an operation server that provides a task of generating and notifying information. The operation server may be provided in the service providing organization, in the certification authority, or in a separate operating organization (or business operator), and the present invention is limited by the organization in which the operation server is provided. doesn't happen

According to the first implementation method of the third management server 200 embodiment, the management server 200 is provided in various electronic transaction-related servers and electronic transaction providers that are provided in electronic transaction providing organizations to provide electronic transaction services. It may include an operation server that interworks with at least one of various certificate service-related servers that provide certificate services, and various certificate-based authentication servers that are provided in electronic transaction providing organizations to process certificate-based authentication tasks.

According to the second implementation method of the embodiment of the third management server 200, the management server 200 is provided in various certificate service-related servers provided in an accredited certification authority to provide certificate services, and is provided in a certificate-based certification authority. It may include an operation server that interworks with at least one server among various certificate-based authentication servers that process authentication tasks.

The procedure server 110 and the management server 200 shown in FIG. 1 according to the embodiment of the present invention may include a server provided in the same institution or a server provided in a separate institution that interworks with each other. When the procedure server 110 and the management server 200 are provided in the same institution, the procedure server 110 and the management server 200 may be implemented as one server. Hereinafter, for convenience, the features of the present invention will be mainly described with reference to an embodiment in which the procedure server 110 and the management server 200 are individual servers provided in separate institutions. However, the characteristics of the present invention are by no means limited thereto, and the procedure server 110 and the management server 200 are individual servers provided in the same institution, one server provided in the same institution, and individual servers provided in separate institutions. Any one of the servers may be included, and it is clear that the present invention includes all possible embodiments as described above.

According to the implementation method of the present invention, the procedure server 110 may transmit a certificate use message to the management server 200 while performing the certificate use procedure. Alternatively, the procedure server 110 stores log information during the certificate use procedure and sends a certificate use message corresponding to the log information to the management server 200 according to the request (or specified transmission condition) of the management server 200 . can transmit

According to the implementation method of the present invention, the management server 200 interworks with the procedure server 110 through a predetermined interworking interface. If the procedure server 110 and the management server 200 are separate servers provided in a separate institution, the interworking interface includes a network connecting the procedure server 110 and the management server 200 or a network such as a dedicated network. can do. If the procedure server 110 and the management server 200 are separate servers provided in the same institution, the interworking interface may include an internal network of the institution. Meanwhile, when the procedure server 110 and the management server 200 are logical servers physically provided in the same server, the interworking interface may include an internal communication interface inside the physical server.

The user terminal 105 is a generic term for a terminal used by a user who has been issued a certificate from an authorized certification institution (eg, Korea Financial Telecommunications & Clearings Institute, etc.) or a certificate issuing institution, and is a wireless terminal (eg, smartphone, mobile phone, tablet PC, etc.) used by the user. ) and wired terminals (eg, personal computers, laptops, etc.) may include all types of terminals.

2 is a diagram showing the configuration of the procedure server 110 and the management server 200 according to the embodiment of the present invention.

In more detail, FIG. 2 shows the functional components of the procedure server 110 and the management server 200 shown in FIG. 1, and those skilled in the art to which the present invention pertains Various implementation methods (eg, some components are omitted, subdivided, or combined implementation methods) for the configuration of the procedure server 110 and management server 200 can be inferred by referring and/or modifying the , the present invention is made including all implementation methods inferred above, and the technical characteristics are not limited only to the implementation method shown in FIG. 2 .

According to the implementation method of the present invention, the requesting terminal 100 is one of the terminals requesting a certificate-based service by using a certificate issued to the user, preferably the user terminal 105 used by the user himself, but this The invention assumes that this may not be the case. The subscriber program driven in the requesting terminal 100 displays a certificate selection interface according to a specified standard (eg, KCAC.TS.NSACA), and searches for a certificate medium having a certificate available in the requesting terminal 100 and / or check, and extract and display at least one certificate related information to be used in the requesting terminal 100 from at least one certificate medium.

When at least one certificate-related information is extracted and/or displayed from a designated certificate medium through the certificate selection interface, the subscriber program executes the certificate according to a designated standard (eg, KCAC.TS.CERTVAL, KCAC.TS.OCSP, etc.). establishes/verifies the path to be used, and/or authenticates the validity of the certificate (eg, certificate status, etc.), performs a certificate use procedure. The time point at which the certificate validity authentication procedure and/or the certificate validity authentication procedure is performed may be performed before or during the actual use of the certificate issued to the user, and the present invention provides for the certificate validity authentication procedure and/or certificate It is not limited by the time at which the validation process is performed.

When at least one of the certificate validity authentication procedure and/or the certificate validity authentication procedure is performed, the subscriber program performs at least one A certificate usage procedure is performed, in which the certificate issued to the user is actually used by using at least one of a digital signature and/or hash and/or encryption through a single designated algorithm. A certificate-based service (eg, certificate-based login, certificate-based digital signature, etc.) is provided through at least one of digital signature and/or hash and/or encryption using the specified algorithm.

Referring to FIG. 2, the procedure server 110 includes a service procedure performing unit 115 that performs a service procedure for providing a service requested from the requesting terminal 100, and a method for determining the use of a certificate for the service procedure. The certificate use determination unit 120, and the nth (1≤n≤N) certificate use procedure or the nth certificate use procedure associated with the service procedure among the N (N>1) certificate use procedures performed using the certificate A certificate procedure performing unit 125 for performing some of the procedures is provided. Here, the procedures for using the N certificates include procedures from issuance of certificates to reissuance, renewal, and copying of certificates, as well as various procedures for using certificates through a subscriber program, and procedures for suspending and revoking previously issued certificates, All procedures for using certificates are included, and the nth certificate usage procedure includes at least one certificate usage procedure to be currently performed or being performed in conjunction with the requesting terminal 100 among the N number of certificate usage procedures. Meanwhile, each n-th certificate use procedure consists of T (T>1) execution procedures, and some procedures of the n-th certificate use procedure are at least among the first execution procedure for the n-th certificate use procedure and the T-th execution procedure. It includes one performing procedure (eg, t(1<t≤T) performing procedure, etc.). Hereinafter, based on an embodiment in which the n-th certificate use procedure performed on the certificate use procedure path is a digital signature algorithm use procedure using a digital signature algorithm using a certificate among the N certificate use procedures (for example, refer to the KCAC.TS.DSIG standard) As the technical features of the present invention will be described in detail. However, it is clearly stated that the procedure for using the nth certificate of the present invention is not limited to the procedure for using the digital signature algorithm.

When the requesting terminal 100 requests a service to the procedure server 110 through a communication network, the service procedure performing unit 115 performs a procedure for providing the requested service. The service includes all services that can be provided through a communication network, such as a login service, a user authentication service, a web-based service, a financial transaction service, and a payment service, and is not limited to a specific service. In order to receive the service, the requesting terminal 100 may start a browser or may have and/or run a program for using a separate service. Meanwhile, according to the implementation method, the service provision is provided through a separate service providing server to which the requesting terminal 100 is connected (eg, a server that forms a communication channel with the requesting terminal 100 and is linked with the procedure server 110 ). In this case, the role of the service procedure performing unit 115 of the procedure server 110 is handled by the service providing server, so the service procedure performing unit 115 can be omitted.

At any specified time before, during, or after the service procedure is performed, the certificate use determination unit 120 determines whether it is necessary to use the certificate issued to the user in order to provide the service according to the specified procedure. The determination of the need for a certificate may be determined based on the type of the service procedure and/or the order of the procedure being performed. On the other hand, when the program for using the service is provided in the requesting terminal 100 according to the implementation method, the determination of the need for the certificate is determined through the program of the requesting terminal 100, or the program of the requesting terminal 100 and The certificate use determination unit 120 may be determined in conjunction with each other, and the present invention is not limited thereto.

When the use of the certificate is determined through the certificate use determination unit 120, the certificate procedure performing unit 125 identifies a digital signature algorithm use procedure to be performed in connection with the service procedure among the N certificate use procedures, and requests the request. In connection with the terminal 100 side, the identified digital signature algorithm using procedure is performed. Preferably, the certificate procedure performing unit 125 provides a certificate selection interface to the requesting terminal 100 (eg, a procedure of driving a subscriber program provided in the requesting terminal 100, only the requesting terminal 100) displays a certificate selection interface or may be omitted when a program for driving a subscriber program is provided), and performs at least one procedure for using a certificate in conjunction with a subscriber program driven in the requesting terminal 100 .

According to the implementation method of the present invention, identification information for identifying a certificate on a certificate use procedure path according to a standard (eg, KCAC.TS.DN, KCAC.TS.SIVID, etc.) specified during the digital signature algorithm use procedure is performed; / or one or more identification information including identification information that identifies the issuer (eg, user) who has issued the certificate is exchanged, and specified standards (eg, KCAC.TS.LDAP, KCAC.TS.TSP, KCAC.TS.NTP) , KCAC.TS.DSIG, KCAC.TS.HASH, KCAC.TS.ENC), various procedure values for certificate use (eg, various parameters and variables defined in various standards for certificate use, etc.) and/or certificates A use value (eg, a value generated according to various standards for using a certificate) and the like may be exchanged.

On the other hand, in the case of an implementation method of receiving a certificate use approval message or a certificate use rejection message from the terminal 105 of the real user who has been issued the certificate for the digital signature algorithm use procedure according to the implementation method of the present invention, the certificate procedure is performed The unit 125 may temporarily wait without finalizing the digital signature algorithm use procedure until confirming the certificate use approval or certificate use refusal, and selectively use the digital signature algorithm according to the use approval result or the use refusal result. It is possible to finalize the

Referring to FIG. 2 according to the first procedure notification method of the present invention, the procedure server 110 includes a certificate procedure confirmation unit 130 that checks the digital signature algorithm use procedure being performed through the certificate procedure performing unit 125 . ), a procedure information verification unit 135 for verifying certificate procedure information related to the verified digital signature algorithm use procedure, and a certificate on the certificate use procedure path to the management server 200 using the verified certificate procedure information and a certificate procedure notification unit 140 that notifies that the usage procedure is being performed.

The certificate procedure check unit 130 designates and stores process identification information for identifying M (1≤M≤N) certificate use procedures that can be identified in the procedure server 110 among the N number of certificate use procedures, It is checked whether the procedure for using the digital signature algorithm performed through the certificate procedure performing unit 125 is included in the procedure for using the M certificates.

The procedure information confirmation unit 135 has an information list on the certificate procedure information to be checked in order to notify the certificate use information for the M number of certificate use procedures, and through the certificate procedure verification unit 130 , the electronic If it is confirmed that the procedure for using the signature algorithm is included in the procedure for using the M certificates, certificate procedure information corresponding to the information list is checked in relation to the procedure for using the digital signature algorithm.

According to the implementation method of the present invention, the certificate procedure information includes standard definition information defined in a standard related to the digital signature algorithm use procedure. Preferably, the standard definition information includes certificate identification information for identifying a certificate on a certificate use procedure path according to a specified standard (eg, KCAC.TS.DN, KCAC.TS.SIVID, etc.), and an issuer for identifying an issuer who has been issued a certificate. Identification information, certification authority identification information to identify an accredited certification authority, and issuing authority identification information to identify a certificate issuing authority A certificate issued by an institution can be used (for example, refer to KCAC.TS.CTL, etc.), and the present invention includes identification information of one or more of all permitted certificate use procedures), and a specified standard (eg, KCAC. TS.LDAP, KCAC.TS.TSP, KCAC.TS.NTP, KCAC.TS.DSIG, KCAC.TS.HASH, KCAC.TS.ENC) various procedure values and/or certificate usage values, etc. may include at least one. The standard definition information may include information defined in each standard as it is, or may include information agreed upon by the procedure server 110 and the management server 200 based on the information defined in the standard.

Meanwhile, the procedure information confirmation unit 135 may further confirm, as the certificate procedure information, at least one non-standard information used to perform the digital signature algorithm use procedure in addition to the standard definition information. The non-standard information includes medium identification information for identifying the certificate medium (eg, an identifier for identifying the type of the certificate medium and/or a unique code for uniquely identifying the certificate medium), and identification of the requesting authority for identifying the requesting authority requesting the use of the certificate. information, procedure identification information for identifying the type of procedure using the digital signature algorithm, result identification information for identifying the results of using various certificates, identification information for the terminal requesting the use of the certificate (e.g., the unique identification code of the terminal registered through the designated terminal registration procedure) Example: Identification information that matches the unique code recorded in the physical components constituting the terminal; Identification information matching with the unique code stored in the designated storage area of the terminal by performing the specified authentication procedure by being driven, and the fixed address of the terminal registered through information registration or information sharing procedures between related organizations (eg ISP) (eg, ISP) : ISP (Internet Service Provider)-based location information of the registered terminal through identification information matching with a fixed IP address, MAC address, etc. GPS (Global Positioning System)-based location information (GPS) of the terminal registered through the information sharing procedure between identification information, information registration or related organizations (eg, telecommunication companies, terminal manufacturers) matching possible request terminal 100 (local information, etc.) Example: Identification information matching with GPS-based location information when the requesting terminal 100 is a wireless terminal equipped with a GPS module), information registration, or a base station of a terminal registered through information sharing procedures between related organizations (eg, telecommunication companies) Identification information matching the base location information (eg, location information based on base station positioning or cell ID when the requesting terminal 100 is a wireless terminal forming a radio section with the base station), information registration or association organization (eg, telecommunication company) The phone number of the terminal registered through the information sharing procedure between If possible, it may include at least one piece of identification information among (eg, identification information matching the phone number assigned to the terminal). If the non-standard information is information defined in the standard corresponding to the digital signature algorithm use procedure or can be replaced with information defined in the standard, the information defined in the standard can be used/replaced.

When the certificate procedure information including at least one standard definition information for the digital signature algorithm use procedure and further including at least one non-standard information according to the implementation method is confirmed through the procedure information confirmation unit 135, the certificate The procedure notification unit 140 generates a predetermined certificate use message to include the verified certificate procedure information or to transmit the verified certificate procedure information to the management server 200 . The certificate use message may include certificate procedure information in a data area, or the certificate use message is used for notification and the certificate procedure information is transmitted to the management server ( 200) can be transferred. According to the implementation method of the present invention, the certificate use message may be implemented in various ways according to the relationship between the procedure server 110 and the management server 200 .

According to the first certificate-using messaging method of the present invention, if the management server 200 is also a server that performs a procedure related to the use of the certificate, the certificate procedure notification unit 140 transmits the verified certificate procedure information to the management server At the same time as delivered to 200, a message requesting the next procedure of the t-th execution procedure, that is, the (t+1)-th execution procedure, is included in the digital signature algorithm use procedure performed through the certificate procedure notification unit 140 . A certificate use message may be generated and transmitted to the management server 200 . For example, the procedure server 110 is a banking server of a financial institution, and the procedure for using the digital signature algorithm is a digital signature procedure using a certificate. If the unit 125 performs the t-th execution procedure for receiving the digital signature value, the certificate procedure notification unit 140 as a message requesting the (t+1)-th execution procedure for verifying the digital signature value The certificate use message may be generated and transmitted to the management server 200 (= authentication server).

According to the second certificate-using messaging method of the present invention, if the management server 200 is a server that does not perform a procedure related to the use of the certificate, the certificate procedure notification unit 140 manages the verified certificate procedure information. A certificate use message included for transmission to the server 200 may be generated and transmitted to the management server 200 . For example, if the procedure server 110 is an authentication server and the digital signature algorithm use procedure is a digital signature procedure using a certificate, and the management server 200 is a separate server connected to the authentication server, the certificate procedure performing unit ( 125) verifies the digital signature value, the certificate procedure notification unit 140 includes standard definition information for the digital signature verification procedure, and at least one A certificate use message including non-standard information may be generated and transmitted to the management server 200 .

Referring to FIG. 2 according to the second procedure notification method of the present invention, the procedure server 110 includes a log storage unit ( 145), a certificate procedure verification unit 130 that checks the digital signature algorithm use procedure performed through the certificate procedure performing unit 125 using log information related to the certificate use procedure among the log information; and a procedure information confirmation unit 135 for confirming certificate procedure information related to the digital signature algorithm use procedure, and a certificate procedure notification unit 140 for notifying that a certificate use procedure is being performed on the certificate use procedure path.

When the certificate use procedure or a part of the procedure requested from the requesting terminal 100 through the certificate procedure performing unit 125 is being performed or performed, the log storage unit 145 is stored through the certificate procedure performing unit 125 It saves log information about the certificate use procedure being executed or performed in the designated storage area.

The certificate procedure check unit 130 may select log information related to a certificate use procedure from among the log information stored through the log storage unit 145 , and/or group each procedure log for each certificate. The certificate procedure check unit 130 reads the selected and/or grouped log information to check a digital signature algorithm use procedure, and confirms whether the verified digital signature algorithm use procedure is included in the M certificate use procedures .

When it is confirmed that the digital signature algorithm using procedure is included in the M certificate usage procedures through the certificate procedure verification unit 130, the procedure information verification unit 135 receives information related to the digital signature algorithm usage procedure from the log information. Verifies certificate procedure information, which includes one or more standard definition information and includes at least one non-standard information according to an implementation method. The certificate procedure notification unit 140 generates a predetermined certificate use message to include the verified certificate procedure information or to transmit the verified certificate procedure information to the management server 200 .

According to the third certificate-using messaging method of the present invention, the certificate procedure notification unit 140 manages based on the standard definition information and/or non-standard information included in the certificate procedure information through the procedure information check unit 135 . Determines whether to notify the server 200 of the digital signature algorithm use procedure, and includes the certificate procedure information confirmed through the procedure information check unit 135, or transfers the verified certificate procedure information to the management server 200 For this purpose, a predetermined certificate use message may be generated and transmitted to the management server 200 .

According to the fourth certificate-using messaging method of the present invention, the certificate procedure notification unit 140 receives procedure notification request information from the management server 200, and in response to the procedure notification request information, the procedure information check unit 135 ) to include the verified certificate procedure information, or to transmit the verified certificate procedure information to the management server 200 , a predetermined certificate use message may be generated and transmitted to the management server 200 . The procedure information confirmation unit 135 may check and maintain the certificate procedure information before the procedure notification request information is received, or in response to receiving the procedure notification request information, the certificate procedure information based on the log information can be checked.

Referring to FIG. 2, the management server 200 includes notification target identification information for identifying a notification target to be notified of certificate use information, and an information storage unit 205 for storing and managing user information in a designated storage medium. do. On the other hand, in the case of notifying the notification target without separately distinguishing the notification target according to the implementation method, the notification target identification information may not be separately stored and managed.

According to the implementation method of the present invention, the user information is a generic name of user-related information identified to uniquely identify a user who is issued a certificate among information registered with a CA through an RA for certificate issuance, such as a user name, resident registration number, etc. It includes personal information, and preferably includes information identifying a user's information receiving means for receiving certificate use information. The information identifying the user's information receiving means includes the user's wireless terminal information (eg, mobile phone number, account information provided by the wireless network connected to the wireless terminal, etc.), program identification information provided in the user's wireless terminal (eg, push token, program-mapped account information, etc.), user's member account information, and user's e-mail address information. The personal information remains unchanged until the certificate is revoked after being registered through the RA, but some of the information identifying the information receiving means (eg, mobile phone number, etc.) may be changed. Accordingly, the information identifying the user's information receiving means among the user information can be effectively updated through a user authentication process using a separate channel.

According to the first information storage method of the present invention, the information storage unit 205 includes at least one of notification target certificate identification information for identifying a notification target certificate and/or notification target issuer identification information that has issued a notification target certificate The notification target identification information may be checked and stored in a designated storage medium, and preferably, the notification target certificate identification information and/or notification target issuer identification information may be mapped with information about the user who has been issued the certificate. According to the implementation method, the information storage unit 205 further confirms the notification target identification information for identifying the accredited certification authority or the certificate issuing authority (eg, the management server 200 is the accredited certification authority or the certificate issuing authority of the affiliated organization) server) and save it.

According to the implementation method of the present invention, in the first information storage method, the information storage unit 205 in the process of issuing/reissuing a certificate to the user agrees to notify (eg, application agreement, communication network) from the user who has been issued the certificate. Based on the non-face-to-face agreement and agreement to terms and conditions using As identification information, it can be stored in the designated storage medium as described above. Alternatively, when a user who has already been issued a certificate accesses (or joins/certifies as a member) through the user terminal 105, or mounts and drives a program designated in the user terminal 105 (eg, the user's wireless terminal), the The information storage unit 205 communicates with the user terminal 105 (or program) and provides certificate identification information and/or issuer identification information for a certificate issued/reissued to the user through a notification agreement or designated information registration procedure performed may be checked, and the verified certificate identification information and/or issuer identification information may be stored in the designated storage medium as notification target identification information.

According to the second information storage method of the present invention, the information storage unit 205 may determine and store the notification target procedure identification information for identifying the notification target certificate use procedure, and preferably, the notification target procedure identification information The information may be mapped with information of a user who has been issued the certificate.

According to the implementation method of the present invention, in the second information storage method, the information storage unit 205 is configured to notify m(1≤m≤N or 1≤) of certificate use information among N (N>1) certificate use procedures. After determining m≤M) notification target certificate use procedures, and determining notification target procedure identification information for identifying the determined m notification target certificate usage procedures, the determined procedure identification information is designated as the notification target identification information as described above. It can be stored on a storage medium. According to an implementation method, the notification target procedure identification information may not be stored in a storage medium, but may be provided in the form of a program code in the following certificate procedure verification unit 130 and/or notification target verification unit 220 .

According to the third information storage method of the present invention, the information storage unit 205 may check the valid certificate medium identification information in which the certificate issued to the user is recorded and store it in a designated storage medium. Here, the valid certificate medium includes a certificate medium in which the certificate issued to the user is actually recorded at the time of issuing/reissuing/copying the certificate to the user. For example, if the user receives a certificate from the HSM at the time of issuing the certificate and copies it to the user's wireless terminal, the valid certificate medium may include the user's HSM and the user's wireless terminal.

According to the fourth information storage method of the present invention, when a terminal capable of using a certificate issued to a user is designated and registered, the information storage unit 205 checks a unique identification code for the designated and registered terminal, and the confirmation The unique identification code may be stored in a designated storage medium as identification information for the designated terminal. Here, the unique identification code is a unique identification code stored in the memory unit of the terminal, a unique identification code for a program mounted in the terminal, a unique identification code recorded in a physical component constituting the terminal, mounted on the terminal or It may include at least one of the unique identification code of the chip to be detached.

According to the fifth information storage method of the present invention, the information storage unit 205 is capable of storing identification information and/or user information in a form combining the first to fourth information storage methods, thereby The invention is not limited.

Referring to FIG. 2, the management server 200 includes a certificate procedure receiving unit 210 that receives a certificate use message for a digital signature algorithm use procedure that is being performed or performed on a certificate use procedure path, and receives the certificate use message. A certificate procedure confirmation unit 130 that confirms the digital signature algorithm use procedure being performed on the certificate use procedure path or that the digital signature algorithm use procedure is performed on the certificate use procedure path based on the basis, and the certificate use and a procedure information verification unit 135 for verifying certificate procedure information related to the digital signature algorithm use procedure being performed or performed on the certificate use procedure path based on the message, and according to the implementation method, the digital signature algorithm is added to the certificate use message according to the implementation method. When a message requesting a (t+1) th execution procedure to be performed next to the t th execution procedure of the use procedure is included, the digital signature algorithm including the (t+1) th execution procedure of the digital signature algorithm using procedure A certificate procedure performing unit 125 for performing a use procedure may be provided.

The certificate procedure receiving unit 210 receives a certificate use message for the digital signature algorithm use procedure being performed on the certificate use procedure path. According to the embodiment of the present invention, the certificate procedure receiving unit 210 receives at least one of the first to fourth certificate using messaging methods from the procedure server 110 that performs the digital signature algorithm use procedure among the N certificate usage procedures. A certificate use message may be received according to the certificate use messaging method.

According to another embodiment of the present invention, the certificate procedure receiving unit 210 may receive a certificate use message from the requesting terminal 100 . On the other hand, when the certificate medium of the certificate to be used by the requesting terminal 100 is implemented in the form of a separate communication terminal other than the requesting terminal 100 (eg, mobile token), the certificate procedure receiving unit 210 corresponds to the certificate medium. It is possible to receive a certificate use message from the communication terminal. It is clear that the present invention includes an embodiment in which a certificate use message is received from the requesting terminal 100 or a separate communication terminal in addition to the procedure server 110 .

According to the implementation method of the present invention, the certificate use message includes certificate procedure information on the digital signature algorithm use procedure being performed on the certificate use procedure path, or receives the certificate procedure information from the procedure server 110 . information for, and to be performed after the t-th execution procedure previously performed on the certificate use procedure path among T execution procedures for implementing the digital signature algorithm use procedure being performed on the certificate use procedure path according to the implementation method It may include a message requesting the (t+1)th execution procedure. If the certificate use message is received from the procedure server 110 , the t-th performing procedure of the digital signature algorithm use procedure may be performed through the procedure server 110 . Meanwhile, according to another implementation method of the present invention, when the certificate use message is received from the requesting terminal 100 or a communication terminal corresponding to the certificate medium, the t-th performing procedure of the digital signature algorithm use procedure is performed by the requesting terminal 100 ) or through a communication terminal.

When the certificate use message includes a message requesting the (t+1)th execution procedure of the digital signature algorithm use procedure being performed on the certificate use procedure path, the certificate procedure performing unit 125 transmits the certificate use message. It reads and determines the (t+1)th execution procedure of the digital signature algorithm use procedure requested through the certificate use message, and information necessary for the (t+1)th execution procedure from the certificate procedure information and/or the specified storage medium After checking (eg, the key value of the certificate) or various values (eg, various procedure values, the certificate use value of the t-th execution procedure), the (t+1)-th execution procedure of the digital signature algorithm use procedure can be performed. have. For example, the certificate use message is received from a banking server of a financial institution, which is the procedure server 110, and the digital signature algorithm use procedure being performed on the certificate use procedure path including the banking server is an electronic signature procedure using a certificate. If the certificate use message includes a message requesting verification of the digital signature, the certificate procedure performing unit 125 confirms the user's certificate based on the certificate identification information of the certificate procedure information confirmed through the certificate use message (eg, public key), check the digital signature value (eg, certificate use value) and original data (eg, procedure value) included in the certificate procedure information, and then check the original data according to the digital signature verification procedure of the specified standard A (t+1) th execution procedure of generating a signature verification value (eg, a certificate use value) and verifying the digital signature by comparing the digital signature value with the signature verification value may be performed. On the other hand, in the case of an implementation method of receiving a certificate use approval message or a certificate use rejection message from the user's terminal 105 for the digital signature algorithm use procedure according to the implementation method, the certificate procedure performing unit 125 sends a certificate use approval message Alternatively, it is possible to temporarily wait without final completion of the digital signature algorithm use procedure until a certificate use rejection message is received. do.

The procedure information check unit 135 checks the certificate procedure information related to the digital signature algorithm use procedure being performed or performed on the certificate use procedure path based on the certificate use message. According to the implementation method of the present invention, the certificate procedure information is standard definition information defined in a standard related to the digital signature algorithm use procedure (eg, a specified standard (eg, certificate identification information, issuer identification information, certification authority identification information, issuance) It includes at least one identification information among the organization identification information, and includes various procedure values for certificate use and/or certificate use value, etc.), and according to an implementation method, at least one Non-standard information (e.g., medium identification information to identify the certificate medium, request organization identification information to identify the requesting organization that requested the use of the certificate, procedure identification information to identify the type of procedure using the digital signature algorithm, and results to identify various certificate usage results) identification information, identification information of a terminal requesting use of a certificate, etc.) may be further included.

When the certificate use message includes certificate procedure information, the procedure information check unit 135 can check the certificate procedure information related to the digital signature algorithm use procedure being performed or performed on the certificate use procedure path from the certificate use message. have. On the other hand, when the certificate use message is a message for transferring certificate procedure information maintained in the procedure server 110, the procedure information check unit 135 receives the certificate from the procedure server 110 based on the certificate use message. Receive procedural information.

The certificate procedure check unit 130 may confirm that the procedure using the certificate is being performed on the certificate use procedure path based on the certificate use message received from the procedure server 110 . According to the implementation method, when a certificate use message corresponding to the digital signature algorithm use procedure is received from the requesting terminal 100 or a separate communication terminal through the certificate use procedure path, the certificate procedure check unit 130 is configured to use the certificate based on the certificate use message. As a result, it can be confirmed that the procedure using the certificate is being performed on the certificate use procedure path.

If the certificate procedure information corresponding to the certificate use message is checked, the certificate procedure check unit 130 may read the certificate procedure information and confirm that the procedure using the certificate is being performed on the certificate use procedure path. For example, the certificate procedure check unit 130 reads at least one of identification information and/or a procedure value and/or a certificate use value included in the certificate procedure information to use the certificate on the certificate use procedure path. You can confirm that the procedure is being carried out.

On the other hand, when a specified part of the procedure for using the digital signature algorithm (eg, the (t+1)th execution procedure of the procedure for using the digital signature algorithm) is performed through the certificate procedure performing unit 125, the certificate procedure verification unit ( 130 , in connection with the certificate procedure performing unit 125 , can confirm that a procedure for using a certificate is being performed on the certificate use procedure path.

According to the implementation method of the present invention, the certificate procedure confirmation unit 130 uses the certificate use message, and/or reads the certificate procedure information, and/or works in conjunction with the certificate procedure performing unit 125, It can be confirmed that the digital signature algorithm use procedure using the digital signature algorithm using the certificate is being performed on the designated certificate use procedure path.

On the other hand, the certificate procedure check unit 130 uses the certificate use message, and/or reads the certificate procedure information, and/or works with the certificate procedure performing unit 125 to obtain a certificate on a specified certificate use procedure path. Confirm that at least one of the path establishment/verification procedure, certificate validity verification procedure, hash algorithm usage procedure, encryption algorithm usage procedure, certificate issuance procedure, certificate reissuance procedure, certificate renewal procedure, certificate copy procedure, and certificate revocation procedure is being performed more can be checked.

2, the management server 200 may include a certificate use authentication unit 215 for authenticating whether the use of a certificate corresponding to the digital signature algorithm use procedure being performed or performed on the certificate use procedure path is valid. have.

The certificate use authentication unit 215 checks at least one designated identification information previously designated for authenticating the validity of the digital signature algorithm use procedure from among the identification information included in the certificate procedure information corresponding to the digital signature algorithm use procedure, Authenticating the validity of the digital signature algorithm use procedure by authenticating the designated identification information using the previously stored identification information, and/or among the procedure value and the certificate use value in the certificate procedure information corresponding to the digital signature algorithm use procedure In order to certify the validity of the digital signature algorithm using procedure, at least one predefined value may be checked, and a verification operation may be performed on the specified value to authenticate the validity of the digital signature algorithm using procedure. Here, the designated identification information for authentication using the certificate includes at least one designated identification information among medium identification information for identifying the certificate medium storing the certificate, procedure identification information for identifying the certificate use procedure, and terminal identification information for requesting the use of the certificate. may include

According to the first certificate use authentication embodiment of the present invention, when the certificate procedure information includes medium identification information for identifying a certificate medium recording a certificate used for the digital signature algorithm use procedure, the certificate use authentication unit 215 compares the valid certificate medium identification information stored in the storage medium through the information storage unit 205 and the confirmed medium identification information, and the digital signature algorithm using procedure performed through the certificate procedure performing unit 125 It can be authenticated whether the certificate medium in which the certificate used for the is recorded matches the certificate medium issued/reissued/copied to the actual user. For example, the valid certificate medium of the user is the HSM and the wireless terminal. If the type of the certificate medium corresponding to the medium identification information is the hard disk of the computer, the certificate use authentication unit 215 is used in the digital signature algorithm use procedure. It can be determined that the used certificate medium is invalid. Alternatively, although the valid authentication medium of the user is an HSM and a wireless terminal, and the type of authentication medium corresponding to the medium identification information is a wireless terminal, a wireless terminal corresponding to the medium identification information and a wireless terminal corresponding to the valid authentication medium identification information If the terminals are different, the certificate use authentication unit 215 may determine that the certificate medium used in the digital signature algorithm use procedure is invalid.

According to the second certificate use authentication embodiment of the present invention, the certificate use authentication unit 215 may include identification information included in the certificate use message and The comparison result of the previously stored identification information may be used as an authentication result of authenticating the validity of the use of the certificate. According to the implementation method of the present invention, the certificate use authentication unit 215 uses the comparison result of the identification information used to confirm the notification target as an authentication result for authenticating the validity of the certificate use, or confirms the notification target A comparison result of other identification information other than the comparison result of the specific identification information used in the above can be used as an authentication result of authenticating the validity of the use of the certificate.

According to the third certificate use authentication embodiment of the present invention, the certificate use authentication unit 215 uses the certificate when the certificate procedure information includes a procedure value used for a digital signature algorithm use procedure or a certificate use value. The authenticator 215 may authenticate whether the use of the certificate is valid by performing a specified verification operation on the procedure value or the certificate use value. For example, when the certificate procedure information includes a certificate use value including a certificate-based login operation value or a certificate-based digital signature value, a specified verification operation is performed on the certificate-based login operation value or the certificate-based digital signature value By doing so, it is possible to authenticate whether the use of the certificate is valid. Here, the verification operation may be performed as a (t+1) th execution procedure for the digital signature algorithm use procedure, or may be performed as a separate certificate use authentication procedure.

Referring to FIG. 2, the management server 200 includes a notification target checking unit 220 that checks whether the digital signature algorithm use procedure being performed or performed on the certificate usage procedure path is using a certificate corresponding to the notification target. can do. On the other hand, when the certificate use information is notified without separately distinguishing the notification target, the notification target checking unit 220 may be omitted.

When the notification target is distinguished according to the implementation method of the present invention, the notification target confirmation unit 220 checks through the digital signature algorithm use procedure corresponding to the certificate use message, and/or the certificate procedure verification unit 130 . It can be checked whether the procedure for using the specified digital signature algorithm corresponds to the procedure for using the specified notification target certificate.

According to the first notification target confirmation method of the present invention, the notification target confirmation unit 220 checks at least one of the certificate identification information and the issuer identification information included in the certificate procedure information confirmed through the certificate use message, and , by comparing with the notification target certificate identification information or notification target issuer identification information stored in the storage medium through the information storage unit 205, the certificate identification information or issuer identification information included in the certificate procedure information is the notification target certificate identification information Alternatively, it can be checked whether it matches the notification target issuer identification information. If the certificate identification information or issuer identification information included in the certificate procedure information matches the notification target certificate identification information or the notification target issuer identification information, the notification target confirmation unit 220 can confirm that the notification target certificate has been used. have. If the notification target certificate identification information or notification target issuer identification information is not stored in the storage medium, the notification target verification unit 220 refers to a server of an authorized certification authority or a certificate issuing authority to provide the notification target certificate identification information or notification You can refer to the target issuer identification information.

According to the second notification subject confirmation method of the present invention, the notification subject confirmation unit 220 checks the procedure identification information included in the certificate procedure information confirmed through the certificate use message, and through the information storage unit 205 , By comparing with the notification target procedure identification information stored in the storage medium, it is confirmed whether the procedure identification information and the digital signature algorithm use procedure included in the certificate procedure information match the notification target procedure identification information. If the procedure identification information included in the certificate procedure information matches the notification target procedure identification information, the notification target confirmation unit 220 may confirm that the notification target certificate is used.

According to the third notification target verification method of the present invention, the notification target verification unit 220 performs the digital signature algorithm use procedure corresponding to the (t+1)th execution procedure performed through the certificate procedure performing unit 125 . Confirms at least one of the certificate identification information and the issuer identification information, and compares it with the notification target certificate identification information or the notification target issuer identification information stored in the storage medium through the information storage unit 205, the certificate procedure performing unit It can be checked whether the certificate identification information or issuer identification information of the digital signature algorithm using procedure corresponding to the (t+1)-th execution procedure performed through (125) matches the notification target certificate identification information or the notification target issuer identification information . If the certificate identification information or issuer identification information of the digital signature algorithm using procedure performed through the certificate procedure performing unit 125 matches the notification target certificate identification information or the notification target issuer identification information, the notification target confirmation unit 220 ) can be confirmed that the notification target certificate has been used. If the notification target certificate identification information or notification target issuer identification information is not stored in the storage medium, the notification target verification unit 220 refers to a server of an authorized certification authority or a certificate issuing authority to provide the notification target certificate identification information or notification You can refer to the target issuer identification information.

According to the fourth notification target verification method of the present invention, the notification target verification unit 220 performs the digital signature algorithm use procedure corresponding to the (t+1)th execution procedure performed through the certificate procedure performing unit 125 . The type of procedure is identified and compared with the notification target procedure identification information stored in the storage medium through the information storage unit 205 to correspond to the (t+1)th execution procedure performed through the certificate procedure performing unit 125 Check whether the procedure for using the digital signature algorithm is matched with the notification target procedure identification information. If the digital signature algorithm use procedure performed by the certificate procedure performing unit 125 matches the notification target procedure identification information, the notification target verification unit 220 may confirm that the notification target certificate is used.

According to the fifth notification subject confirmation method of the present invention, it is possible to check whether the notification subject certificate is used by combining the first to fourth notification subject confirmation methods, and the present invention is not limited thereto. Meanwhile, according to another implementation method of the present invention, it is possible to check whether the notification target certificate is used using other identification information than the identification information cited in the first to fourth notification target verification methods, and the present invention provides all such It is explicitly stated that examples are included.

Referring to FIG. 2, the management server 200 includes a usage information generation unit 225 that generates certificate usage information for a certificate use being performed or performed on a certificate use procedure path, and and a usage information notification unit 230 that performs a procedure of notifying a certificate usage information message to a designated information receiving means.

It is confirmed that the digital signature algorithm use procedure is being performed on the certificate use procedure path through the certificate procedure confirmation unit 130, and/or the validity of the use of the certificate is authenticated through the certificate use authentication unit 215, and / or when the use of the notification target certificate is confirmed through the notification target confirmation unit 220, the usage information generation unit 225 generates certificate usage information including that the certificate issued to the user for the use of the certificate is being used. create Here, the certificate use information includes date and time information on which the certificate issued to the user is used (for example, date information included in the certificate use message, or date and time information at the time the certificate use message is received), the authority on the certificate authority information, institution information on the certificate issuing authority, at least one institution information involved in the digital signature algorithm use procedure (eg, institution information equipped with the procedure server 110 that transmits the certificate use message), certificate use field information (eg, , certificate issuance, reissuance, copy, login, digital signature, etc.), certificate medium information on which the certificate is recorded (e.g., computer, floppy disk, security token, USB medium, HSM, mobile phone, smartphone, USIM, mobile token, etc.), It may include at least one of transaction information in which the certificate is used and terminal information (eg, information corresponding to terminal identification information) used to use the certificate.

According to the first usage information structure of the present invention, the certificate usage information may be in the form of a character string including one or more specified information. For example, the certificate use information may have a string structure such as “You logged in with a certificate issued by xx at bank xx on xx month xx, 20xx”.

According to the second usage information structure of the present invention, the certificate usage information may be in the form of a structure usable in the user terminal 105 and/or the designated program corresponding to the information receiving means of the actual user.

The usage information notification unit 230 checks user information based on at least one piece of identification information included in the certificate procedure information, and checks the information receiving means of the actual user corresponding to the user information. The user's information receiving means includes a user's wireless terminal capable of receiving a message, a program provided in the user's wireless terminal, a user account mapped with a program provided in the user's wireless terminal, a user's member account, and a user's mail address may include at least one of That is, the user's information receiving means may include a personalized terminal capable of receiving a message such as a user's wireless terminal, a program provided in the user's personalized terminal, and/or an account mapped with the program, and the user's terminal Even if 105 is not personalized, the user's member account or e-mail address capable of delivering usage information to the user may be included in the user's information receiving means. Hereinafter, for convenience, the features of the present invention will be described with reference to an embodiment in which the user's information receiving means is the user's wireless terminal or a program provided in the user's wireless terminal.

When the user's wireless terminal or a program provided in the user's wireless terminal corresponding to the user's information receiving means is identified, the usage information notification unit 230 sends the certificate usage information to the user's wireless terminal according to a specified messaging procedure. Alternatively, a procedure of notifying a program provided in the user's wireless terminal is performed.

For example, if the user's information receiving means is the user's wireless terminal and the designated messaging procedure is wireless messaging (eg, SMS, MMS, etc.) using the phone number of the wireless terminal, the usage information notification unit 230 generates a wireless message including the certificate use information in the body of the wireless message and the user's wireless terminal phone number in the receiving information and sends it to the user's wireless terminal (eg, request to send to a designated sending server) procedure can be performed. Alternatively, the usage information notification unit 230 may perform a procedure of generating and sending a wireless message including access information to the storage medium to the user's wireless terminal after storing the certificate usage information in a designated storage medium. , the certificate usage information stored in the storage medium may be transmitted to the user's wireless terminal according to a request of the wireless terminal receiving the wireless message.

Alternatively, if the user's information receiving means has a program provided in the user's wireless terminal and the designated messaging procedure is push messaging for the program of the wireless terminal, the usage information notification unit 230 may specify the certificate usage information. After being stored in the storage medium, a push notification is generated for delivering the certificate usage information stored in the storage medium to the program of the wireless terminal and notified to the program provided in the user's wireless terminal (for example, a push notification through a designated push server) request), and then transmit the certificate usage information stored in the storage medium to the program of the wireless terminal that has received the push message.

Upon receiving the certificate use information message, the user's wireless terminal or a program provided in the user's wireless terminal displays the certificate use information corresponding to the certificate use information message on the screen at the same time (or after), using the certificate An interface that approves or rejects the use of a certificate corresponding to the information is displayed, and a certificate use approval message or a certificate use rejection message is generated based on a user operation on the interface and transmitted to the management server 200 .

Referring to FIG. 2 , the management server 200 includes a use approval receiving unit 235 that receives a certificate use approval message from the user terminal 105 that has received the certificate use information message, and corresponds to the certificate use approval message. and a result providing unit 245 that provides a result of use approval to the procedure server 110, wherein the digital signature algorithm use procedure being performed through the certificate procedure performing unit 125 of the management server 200 is finalized. If not completed, the certificate procedure performing unit 125 finally completes the digital signature algorithm use procedure based on the use approval result.

When the user terminal 105 that has received the certificate usage information message, that is, the user's wireless terminal according to an embodiment of the present invention, or a program provided in the user's wireless terminal generates and transmits a certificate use approval message, the use approval receiving unit 235 receives the certificate use approval message through the designated communication network. For example, when the user's wireless terminal transmits a certificate use approval message through wireless messaging, the use approval receiving unit 235 transmits the certificate use approval message through a communication network via a mobile communication network providing the wireless messaging. can receive Alternatively, when the program provided in the user's wireless terminal transmits the certificate use approval message through a data network, the use approval receiving unit 235 receives the certificate use approval message through a communication network via the data network. can

According to the implementation method of the present invention, the certificate use approval message may include a use approval password input from the user terminal 105, and the use approval password may be compared and authenticated with a previously registered password. Alternatively, if the user's certificate is provided (or available) in the user terminal 105 through the certificate copy procedure, the certificate use approval message includes the certificate provided (or available) in the actual user's terminal 105 The use approval value may be included, and the use approval value may be authenticated through a separate certificate use procedure that is distinct from the digital signature algorithm use procedure requested from the requesting terminal 100 .

When the certificate use approval message is received through the use approval receiving unit 235, if the digital signature algorithm use procedure being performed through the certificate procedure performing unit 125 is not finally completed, the certificate procedure performing unit ( 125) finally completes the digital signature algorithm use procedure based on the use approval result.

When the certificate use approval message is received through the use approval receiving unit 235, the result providing unit 245 checks the use approval result corresponding to the certificate use approval message, and sends the use approval result to the procedure server (110). On the other hand, when the digital signature algorithm use procedure being performed through the certificate procedure performing unit 125 is finally completed after the certificate use approval message is received, the result providing unit 245 uses the certificate procedure performing unit 125 The result of using the certificate performed through the configuration may be provided to the procedure server 110 . At this time, if the certificate use result replaces the use approval result, the result providing unit 245 may provide the certificate use result to the procedure server 110 instead of the use approval result. Alternatively, the result providing unit 245 may provide the certificate use result and the use approval result to the procedure server 110 as separate results.

Referring to FIG. 2 , the management server 200 includes a use rejection receiving unit 240 that receives a certificate use rejection message from the user terminal 105 that has received the certificate use information message, and corresponds to the certificate use rejection message. and a result providing unit 245 for providing a result of refusal to use to the procedure server 110; If not completed, the certificate procedure performing unit 125 terminates the digital signature algorithm use procedure based on the use rejection result and forcibly generates an error.

When the user terminal 105 that has received the certificate use information message, that is, the user's wireless terminal according to an embodiment of the present invention, or a program provided in the user's wireless terminal generates and transmits a certificate use rejection message, the use rejection receiving unit 240 receives the certificate use rejection message through the designated communication network. For example, when the user's wireless terminal transmits a certificate use rejection message through wireless messaging, the use rejection receiving unit 240 transmits the certificate use rejection message through a communication network via a mobile communication network providing the wireless messaging. can receive Alternatively, when the program provided in the user's wireless terminal transmits the certificate use rejection message through the data network, the use rejection receiving unit 240 receives the certificate use rejection message through the communication network via the data network. can

When the certificate use rejection message is received through the use rejection receiving unit 240, if the digital signature algorithm use procedure being performed through the certificate procedure performing unit 125 is not finally completed, the certificate procedure performing unit ( 125) terminates the process of using the digital signature algorithm based on the result of the use rejection and forcibly generates an error.

When the certificate use rejection message is received through the use rejection receiving unit 240, the result providing unit 245 checks the use rejection result corresponding to the certificate use rejection message, and sends the use rejection result to the procedure server (110). On the other hand, after the certificate use rejection message is received, if the digital signature algorithm use procedure being performed through the certificate procedure performing unit 125 is terminated and an error occurs, the result providing unit 245 is the certificate procedure performing unit 125 . ) can be provided to the procedure server 110 by configuring the result of the certificate error performed through. At this time, if the certificate error result replaces the use rejection result, the result providing unit 245 may provide the certificate error result to the procedure server 110 instead of the use rejection result. Alternatively, the result providing unit 245 may provide the certificate error result and the use rejection result to the procedure server 110 as separate results.

Referring to FIG. 2 , the procedure server 110 receives a certificate use result and/or a use approval result approved by the user from the management server 200 , or a certificate error result from the management server 200 . and/or a result receiving unit 150 for receiving a result of denial of use rejected by the user.

When the certificate use result and/or use approval result is received through the result receiving unit 150, the certificate procedure performing unit 125 performs the next procedure (eg, procedure) corresponding to the certificate use result of the management server 200 side. When the (t+1) th execution procedure of the digital signature algorithm using procedure is performed through the management server 200 after the t th execution procedure of the digital signature algorithm using procedure is performed through the server 110, the procedure server ( 110) to perform the (t+2) execution procedure), and/or the digital signature algorithm use procedure corresponding to the use approval result (eg, the digital signature algorithm use procedure through the procedure server 110) By performing the (t+1) th (t+1) execution procedure) of the digital signature algorithm use procedure to be performed through the procedure server 110 based on the use approval when the t th execution procedure is performed, to the requesting terminal 100 It can provide certificate-based services.

On the other hand, when a certificate error result and/or use refusal result is received through the result receiving unit 150, the certificate procedure performing unit 125 generates a certificate-based authentication error for the digital signature algorithm use procedure being performed, and the requesting terminal (100) gives a certificate-based authentication error result.

3 is a diagram illustrating a process of performing a certificate use procedure between the requesting terminal 100 and the procedure server 110 according to an embodiment of the present invention.

In more detail, FIG. 3 shows a process in which the requesting terminal 100 and the procedure server 110 interwork to perform a procedure of using the certificate when the use of the certificate is required during the service procedure according to the service request of the requesting terminal 100. As one thing, those of ordinary skill in the art to which the present invention pertains may refer to and/or modify this figure 3 to see various implementation methods for the certificate use procedure (eg, some steps are omitted or the order is changed). implementation method) can be inferred, but the present invention includes all of the inferred implementation methods, and the technical characteristics are not limited to the implementation method illustrated in FIG. 3 .

3, the requesting terminal 100 requests a service through the communication network (300), and the procedure server 110 performs a service procedure requested from the requesting terminal 100 through the communication network (305), or A service procedure provided to the requesting terminal 100 through the communication network is checked (305).

If it is necessary to provide a certificate-based service for the performed or confirmed service procedure, the requesting terminal 100 checks a procedure value necessary for using the certificate based on the previously performed service procedure (310), and runs the subscriber program. to display a certificate selection interface (310). Meanwhile, the procedure server 110 may perform a procedure of providing a certificate selection interface to the requesting terminal 100 or providing a procedure value necessary for using the certificate (310),

The subscriber program of the requesting terminal 100 identifies at least one certificate medium having a certificate usable in the requesting terminal 100, works with the certificate medium to extract certificate-related information, and displays it on the certificate selection interface do (315).

If a certificate to be used for a certificate-based service is selected through the certificate selection interface, the subscriber program of the requesting terminal 100 performs an authentication procedure (eg, certificate password authentication) for certificate use through a certificate medium corresponding to the selected certificate. etc.) is performed (320).

The subscriber program of the requesting terminal 100 determines to perform the digital signature algorithm use procedure among the N certificate use procedures according to the certificate related standard (325). However, the procedure for using a certificate to be performed for one certificate-based service (eg, certificate-based login or certificate-based digital signature, etc.) is by no means limited to the procedure for using the digital signature algorithm. For the base service, two or more certificate usage procedures are linked and performed. However, the embodiments of the present invention describe the features of the present invention in detail based on the procedure for using the digital signature algorithm, and those of ordinary skill in the art to which the present invention pertains may refer to the embodiments of the present invention as the digital signature algorithm. It will be possible to apply to other certificate use procedures other than the use procedure, and the present invention includes all such embodiments within the scope of its rights.

The subscriber program of the requesting terminal 100 performs the first to (t-1) to be performed on the terminal side among the T execution procedures for the digital signature algorithm use procedure according to the standard related to the digital signature algorithm use procedure. Process the procedure (330). If the first to (t-1) execution procedures are processed, the subscriber program of the requesting terminal 100 requests to process the t-th execution procedure of the digital signature algorithm using procedure through the certificate use procedure path ( 335). Here, the first to (t-1) performing procedures are generic names of procedures to be performed on the terminal side on the certificate usage procedure path for the digital signature algorithm usage procedure, and may include a plurality of related procedures.

The procedure server 110 on the certificate use procedure path checks the first to (t-1) execution procedures processed at the requesting terminal 100 side with respect to the digital signature algorithm use procedure (340), and the first When at least one certificate use value is generated during the to (t-1)-th performing procedure, the certificate use value generated through the first to (t-1)-th performing procedure is checked ( 340 ).

The procedure server 110 processes the t-th execution procedure to be performed on the server side on the certificate usage procedure path for the digital signature algorithm usage procedure ( 345 ). Here, the t-th performing procedure does not refer to only one procedure, and is a generic name of the performing procedure to be performed at the server side on the certificate use procedure path for the digital signature algorithm using procedure, including a plurality of related procedures. it is possible

If the terminal-side execution procedure is to be performed by providing a procedure value or a certificate use value to the requesting terminal 100 as necessary while processing the t-th execution procedure of the digital signature algorithm use procedure, the procedure server 110 provides a procedure value or certificate use value necessary for the terminal-side execution procedure to the requesting terminal 100, and the subscriber program of the requesting terminal 100 is performed on the terminal side using the procedure value or certificate use value. After processing the execution procedure to be performed (330), the process of requesting the execution procedure linked to the procedure server 110 on the certificate use procedure path (335) may be repeated.

On the other hand, according to the implementation method of the present invention, the procedure server 110 processes the t-th execution procedure of the digital signature algorithm using procedure, and, with the management server 200, the (t) +1) A message for requesting an execution procedure is generated (355), and it is provided to the management server 200 so that the (t+1) th execution procedure of the digital signature algorithm using procedure is performed.

4 is a diagram illustrating a process of notifying certificate use information according to an embodiment of the present invention.

In more detail, FIG. 4 shows that the management server 200 confirms the digital signature algorithm use procedure being performed on the certificate use procedure path through the process shown in FIG. 3, and then uses the certificate usage information based on the digital signature algorithm use procedure. It shows the process of generating and notifying the actual user of the certificate. Those of ordinary skill in the art to which the present invention pertains will refer to and/or modify this figure 4 to learn about the process of notifying the use of the certificate. Various implementation methods (eg, an implementation method in which some steps are omitted or the order is changed) may be inferred, but the present invention includes all of the inferred implementation methods, and only the implementation method shown in FIG. 4 is used. Its technical characteristics are not limited.

Referring to FIG. 4, when the digital signature algorithm use procedure is performed on the certificate use procedure path through the process shown in FIG. 3, the procedure server 110 on the certificate use procedure path processes the digital signature algorithm use procedure. Certificate procedure information is checked based on the first to t-th execution procedures performed on the certificate use procedure path ( 400 ).

If the certificate procedure information for the digital signature algorithm use procedure is confirmed, the procedure server 110 generates a certificate use message for delivering the certificate procedure information to the management server 200 (405), and the generated The certificate use message is transmitted to the management server 200 (410). Preferably, the certificate use message may be generated and transmitted according to the first to fourth certificate use messaging methods.

The management server 200 receives the certificate use message from the procedure server 110 on the certificate use procedure path (415). Meanwhile, according to the implementation method, the management server 200 may receive a certificate use message from the requesting terminal 100 or a separate communication terminal in the certificate use procedure, and the present invention is not limited thereto.

The management server 200 checks the digital signature algorithm use procedure being performed on the certificate use procedure path based on the certificate use message ( 420 ).

If the digital signature algorithm use procedure is confirmed, the management server 200 checks the certificate procedure information related to the digital signature algorithm use procedure being performed on the certificate use procedure path (425), and the designation included in the certificate procedure information Through the identification information and/or the specified value, the validity of the digital signature algorithm use procedure is checked (430).

If the validity of the procedure for using the digital signature algorithm is verified, the management server 200 determines whether the procedure for using the digital signature algorithm corresponds to the use of the notified certificate based on the identification information included in the certificate procedure information ( 435).

If the procedure for using the digital signature algorithm corresponds to the use of a certificate to be notified, the management server 200 provides a certificate indicating that the procedure for using a certificate is being performed on the path of using the certificate based on the certificate procedure information of the procedure for using the digital signature algorithm. Generates usage information (440), and information receiving means of an actual user who has been issued the certificate (eg, a user's wireless terminal capable of receiving a message, a program provided in the user's wireless terminal, and a program provided in the user's wireless terminal) After checking (445) at least one of the mapped user account, the user's member account, and the user's e-mail address), a procedure of notifying a certificate use message corresponding to the certificate use information to the real user's information receiving means is performed. (450).

5 is a diagram illustrating a certificate use information notification process according to another embodiment of the present invention.

In more detail, FIG. 5 shows that when a (t+1) execution procedure of the digital signature algorithm use procedure is requested from the management server 200 on the certificate use procedure path through the process shown in FIG. 3, the management server ( 200) performs the (t+1) th execution procedure of the digital signature algorithm use procedure, and at the same time confirms the digital signature algorithm use procedure in connection with the (t+1) th execution procedure, performs the digital signature algorithm use procedure It shows the process of generating certificate usage information based on the certificate and notifying the actual user of the certificate. Those of ordinary skill in the art to which the present invention pertains may refer to and/or modify this figure 5 to use the certificate. Various implementation methods for the information notification process (eg, an implementation method in which some steps are omitted or the order is changed) may be inferred, but the present invention includes all the inferred implementation methods, and is shown in FIG. The technical features are not limited only to the illustrated implementation method. Meanwhile, according to another embodiment of the present invention, it is possible to notify the use of the certificate in the form of combining the above figures 4 or 5, and it is clearly stated that the present invention includes all such embodiments.

Referring to FIG. 5, when the digital signature algorithm use procedure is performed on the certificate use procedure path through the process shown in FIG. 3, the procedure server 110 on the certificate use procedure path processes the digital signature algorithm use procedure. Certificate procedure information is checked based on the first to t-th execution procedures performed on the certificate use procedure path ( 500 ).

In the case of requesting the (t+1) execution procedure of the digital signature algorithm use procedure to the management server 200 on the certificate use procedure path, the procedure server 110 transfers the certificate procedure information to the management server 200 . At the same time, a certificate use message for requesting the (t+1) execution procedure of the digital signature algorithm use procedure is generated (505), and the generated certificate use message is transmitted to the management server 200 (510) . Preferably, the certificate use message may be generated and transmitted according to the first to fourth certificate use messaging methods.

The management server 200 receives the certificate use message from the procedure server 110 on the certificate use procedure path (515). Meanwhile, according to the implementation method, the management server 200 may receive a certificate use message from the requesting terminal 100 or a separate communication terminal in the certificate use procedure, and the present invention is not limited thereto.

The management server 200 processes a (t+1) th execution procedure for the digital signature algorithm use procedure based on the certificate use message ( 520 ). If an actual user's use approval or use refusal is received after the certificate use information notification, the (t+1) execution procedure is not finally processed, and it is possible to temporarily wait until the use approval or use refusal is received .

The management server 200 checks the digital signature algorithm use procedure being performed on the certificate use procedure path in connection with the (t+1) th execution procedure of the digital signature algorithm use procedure (525). Meanwhile, even when the (t+1)th execution procedure of the digital signature algorithm use procedure is performed, the digital signature algorithm use procedure being performed on the certificate use procedure path can be checked based on the certificate use message.

If the digital signature algorithm use procedure is confirmed, the management server 200 checks the certificate procedure information related to the digital signature algorithm use procedure being performed on the certificate use procedure path (530), and the designation included in the certificate procedure information The validity of the digital signature algorithm use procedure is checked through the identification information and/or the specified value (535).

If the validity of the procedure for using the digital signature algorithm is verified, the management server 200 determines whether the procedure for using the digital signature algorithm corresponds to the use of the notified certificate based on the identification information included in the certificate procedure information ( 540).

If the procedure for using the digital signature algorithm corresponds to the use of a certificate to be notified, the management server 200 provides a certificate indicating that the procedure for using a certificate is being performed on the path of using the certificate based on the certificate procedure information of the procedure for using the digital signature algorithm. Generates usage information (545), and the information receiving means of the real user who has been issued the certificate (eg, a user's wireless terminal capable of receiving a message, a program included in the user's wireless terminal, and a program included in the user's wireless terminal) After checking at least one of the mapped user account, the user's member account, and the user's mail address) (550), a procedure of notifying a certificate use message corresponding to the certificate use information to the actual user's information receiving means is performed. (555).

6 is a diagram illustrating a process of approving or rejecting use of a certificate according to an embodiment of the present invention.

In more detail, Fig. 6 shows that the actual user of the certificate uses the certificate requested from the requesting terminal 100 on the certificate use procedure path based on the certificate use information message notified to the user through the process shown in Fig. 4 or 5. It shows the process of processing use approval or refusal for use, and those of ordinary skill in the art to which the present invention pertains can refer to and/or modify this figure 6 for the use approval/use refusal process. Various implementation methods (eg, an implementation method in which some steps are omitted or the order is changed) may be inferred, but the present invention includes all implementation methods inferred above, and only the implementation method shown in FIG. 6 is used. Its technical characteristics are not limited.

Referring to FIG. 6 , the terminal 105 of an actual user who has been issued a certificate used in the digital signature algorithm using procedure performed through the process shown in FIG. 3 is designated through the process shown in FIG. 4 or 5 . A procedure of receiving a certificate usage information message using a communication network is performed (600), and a procedure of confirming the certificate usage information based on the notification of the certificate usage information message through the communication network is performed (605).

If the certificate use information is confirmed based on the certificate use information message notification, the user terminal 105 displays the verified certificate use information (610), and approves the use of the certificate for the certificate use information according to the implementation method Alternatively, a certificate use approval/rejection interface for determining use rejection is displayed (610).

The user terminal 105 confirms the selection of the actual user to approve or reject the use of the certificate for the certificate use information through the certificate use approval/rejection interface (615).

If the actual user's certificate use approval is confirmed through the certificate use approval/rejection interface, the user terminal 105 transmits a certificate use approval message to the management server 200 (620), and the management server 200 receives the certificate use approval message (625). If the management server 200 is processing the (t+1)th execution procedure of the digital signature algorithm use procedure corresponding to the certificate use approval message, the management server 200 is The (t+1) th execution procedure is finally processed ( 630 ). The management server 200 provides the certificate use result and/or the use approval result approved by the actual user to the procedure server 110 (635).

On the other hand, if the actual user's certificate use rejection is confirmed through the certificate use approval/rejection interface, the user terminal 105 transmits a certificate use rejection message to the management server 200 (640), and the management server 200 receives the certificate use rejection message (645). If the management server 200 is processing the (t+1)th execution procedure of the digital signature algorithm use procedure corresponding to the certificate use rejection message, the management server 200 is The (t+1)th execution procedure is terminated and an error is forcibly generated ( 650 ). The management server 200 provides the certificate error result and/or the use rejection result rejected by the actual user to the procedure server 110 (655).

7 is a diagram illustrating a process of processing a certificate use procedure between the requesting terminal 100 and the procedure server 110 according to an embodiment of the present invention.

In more detail, FIG. 7 shows the process of selectively processing the digital signature algorithm use procedure being performed on the certificate use procedure path according to the certificate use approval or use rejection determined through the process shown in FIG. 6, and the present invention Those of ordinary skill in the art can infer various implementation methods (eg, an implementation method in which some steps are omitted or the order is changed) for the certificate use procedure by referring and/or modifying this figure 7 However, the present invention is made including all the implementation methods inferred above, and the technical characteristics are not limited only to the implementation method shown in FIG. 7 .

Referring to FIG. 7 , when a certificate use result and/or a user approval result is received from the management server 200 through the process shown in FIG. 6 ( 700 ), the procedure server 110 displays the certificate use result And/or the server-side execution procedure on the certificate use procedure path for the digital signature algorithm use procedure being performed through the process shown in FIG. 3 is processed based on the use approval result ( 705 ). Meanwhile, through the process shown in Fig. 4 or 5, other certificate use procedures are being performed in addition to the digital signature algorithm use procedure, or the certificate use procedure performed through the process shown in Fig. 4 or 5 uses the notified certificate. Even in this case, the procedure server 110 may process the server-side execution procedure on the certificate use procedure path for the certificate use procedure being performed through the process shown in FIG. 3 ( 705 ).

If the digital signature algorithm using procedure is completed, the procedure server 110 checks whether the procedure for using the digital signature algorithm is certificate-based authentication (710). Here, the certificate-based authentication is confirmed based on the certificate use result or is confirmed based on the digital signature algorithm use procedure being performed in the procedure server 110, and is a result separate from the use approval result. That is, even if the use approval result is received through the process shown in FIG. 6, if an error occurs during the process of using the digital signature algorithm, the certificate-based authentication may fail.

If the certificate-based authentication is successful, the procedure server 110 performs a certificate use procedure associated with the digital signature algorithm use procedure based on the certificate-based authentication or provides a certificate-based service to the requesting terminal 100 A providing procedure is performed (715), and the requesting terminal 100 performs a terminal-side performing procedure of a certificate use procedure related to the digital signature algorithm use procedure or performs a procedure using a certificate-based service (720) .

Meanwhile, through the process shown in FIG. 6 , a certificate error result and/or a use rejection result by a user is received from the management server 200 ( 725 ), or a certificate use result and/or use from the management server 200 . If the certificate-based authentication fails even if the approval result is received, the procedure server 110 determines a certificate-based authentication error for the digital signature algorithm use procedure (730), and provides a certificate-based authentication error to the requesting terminal 100 and (735), the requesting terminal 100 receives and outputs the certificate-based authentication error (740).

100: request terminal 105: user terminal
110: procedure server 115: service procedure execution unit
120: certificate use determination unit 125: certificate procedure execution unit
130: certificate procedure verification unit 135: procedure information verification unit
140: certificate procedure notification unit 145: log storage unit
150: result receiving unit 200: management server
205: information storage unit 210: certificate procedure receiving unit
215: certificate use authentication unit 220: notification subject confirmation unit
225: usage information generation unit 230: usage information notification unit
235: use approval receiving unit 240: use rejection receiving unit
245: result providing unit

Claims (27)

In the certificate management method executed through a management server provided or linked to the certificate use procedure path in which the procedure for using the certificate through a communication network is performed,
A first step of storing identification information for identifying a designated information receiving means of the user to whom the certificate is issued when the certificate is issued to the user;
Digital signature algorithm for digitally signing using the user's certificate on the certificate use procedure path by checking and reading certificate procedure information related to the digital signature algorithm usage procedure for digitally signing using the certificate issued to the user on the certificate usage procedure path a second step of confirming that a certificate use procedure including a use procedure is being performed;
When it is confirmed that the certificate use procedure including the digital signature algorithm use procedure is being performed, the method for generating certificate use information explaining that the digital signature algorithm use procedure is performed on the certificate use procedure path using the certificate procedure information Step 3; and
A procedure of notifying a certificate use information message for delivering the certificate use information to the designated information receiving means of the actual user who has been issued the certificate through a separate channel differentiated from the certificate use procedure path based on the identification information is performed A fourth step of; certificate management method comprising a.
delete delete delete delete delete delete delete delete The method of claim 1,
checking at least one specified information of identification information included in the certificate procedure information, a procedure value, or a certificate use value; and
and authenticating the validity of the certificate use procedure by using one or more specified information of the identified identification information, procedure value, or certificate use value.
delete delete delete delete delete delete delete delete delete The method of claim 1,
When the digital signature algorithm use procedure or a partial execution procedure of the digital signature algorithm use procedure is performed before the certificate usage information message is notified, the digital signature algorithm use procedure or a partial execution procedure of the digital signature algorithm use procedure is finalized Certificate management method, characterized in that it further comprises the step of temporarily waiting without processing.
The method of claim 1,
receiving a certificate use approval message for the certificate use information from a user terminal corresponding to the information receiving means that has been notified of the certificate use information message; and
and allowing the digital signature algorithm use procedure to be finally processed on the certificate use procedure path based on the use approval result of the certificate use approval message.
delete The method of claim 1,
receiving a certificate use rejection message for the certificate use information from a user terminal corresponding to the information receiving means notified of the certificate use information message; and
and processing an error in the digital signature algorithm use procedure on the certificate use procedure path based on the use rejection result of the certificate use rejection message.
delete delete According to claim 1, wherein the management server,
and a server that does not form a direct contact point with a requesting terminal requesting use of a certificate on the certificate use procedure path.
delete

Images