KR102345866B1 - Server System and Communication Security Method for User Devices Performed in the Server System - Google Patents

Abstract

The present invention relates to a server system and a communication security method for a user terminal performed in the server system. More specifically, the server system verifies authentication information received from a user terminal, in which an agent application is installed, and then, when the information is verified as effective information, the system issues and provides an authentication token to the user terminal, and, also, the system verifies routing request information received from the user terminal for the establishment of communication of a service application installed in the user terminal, and then, when the information is verified as effective information, the system provides the routing request information for the establishment of communication to a service server corresponding to the service application, and, as a result, only the authenticated user terminal can communicate with the service server. Therefore, the present invention is capable of blocking access from an unauthenticated user terminal.

Description

Server System and Communication Security Method for User Devices Performed in the Server System}

The present invention relates to a server system and a communication security method for a user terminal performed in the server system, and more particularly, the server system verifies authentication information received from a user terminal in which an agent application is installed, and when verified as valid, authentication When a token is issued and provided to the user terminal, routing request information for establishing communication of the service application installed in the user terminal received from the user terminal is verified as valid, the service server corresponding to the service application It relates to a server system and a communication security method for a user terminal performed in a server system, in which only an authenticated user terminal can establish communication with a service server by providing routing information for establishing communication with the user terminal .

Recently, with the development of mobile communication such as smartphones, the basis of a cloud environment in which computing resources can be utilized anywhere is expanding. However, as the cloud environment expands, security problems that may occur depending on the cloud environment, such as virtual infrastructure and resource sharing, are rising to the surface.

In the case of the conventional network system, the security of the internal network is established by separating the network from the outside. For this purpose, various security elements such as firewalls and virtual private network (VPN) devices are used.

However, as the size of the network increases, security devices must be provided for each component of the network, so there is a problem in that the security cost increases. Since it is possible to communicate with a server that provides A security vulnerability exists. In addition, since VPNs and firewalls are IP-based, additional problems that may be vulnerable to security for other layers may occur.

Therefore, in order to efficiently perform network security, a communication channel for authenticating or controlling a terminal accessing the network and a communication channel for a server that exchanges actual data with the terminal are dualized to provide security for the conventional network. There is a need to develop a new security method to improve

The present invention relates to a server system and a communication security method for a user terminal performed in the server system, and more particularly, the server system verifies authentication information received from a user terminal in which an agent application is installed, and when verified as valid, authentication When a token is issued and provided to the user terminal, routing request information for establishing communication of the service application installed in the user terminal received from the user terminal is verified as valid, the service server corresponding to the service application By providing the user terminal with routing information for establishing communication with aim to

In order to solve the above problems, in an embodiment of the present invention, as a communication security method for a user terminal performed in a server system that communicates with a user terminal in which an agent application is installed, the server system includes an authentication verification unit and An authentication verification step comprising an authentication control unit, verifying the authentication information received from the user terminal in which the agent application is installed, by the authentication verification unit, and transmitting the validated authentication information to the authentication control unit; an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal; By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and providing, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step, and providing it to the user terminal It provides a communication security method, including ;.

In an embodiment of the present invention, the authentication information includes identification information of the server system, identification information of the user terminal, and user information about the user of the user terminal, and the authentication verification step includes: Verifies the identification information of the included server system, transmits the authentication information to the authentication control unit when verified as valid, and the authentication token providing step includes the user included in the authentication information received from the authentication verification step It is determined whether the identification information of the terminal and the user information are included in the database stored in the server system, and when it is determined that it is included, an authentication token can be generated and provided to the user terminal.

In an embodiment of the present invention, in the communication security method, after the authentication token providing step is performed by the authentication verification unit, a policy including identification information of the server system and the authentication token from the user terminal a policy request information verification step of receiving request information, verifying the identification information and the authentication token of the server system included in the policy request information, and transmitting the policy request information to the authentication control unit when validated; And by the authentication control unit, based on the policy request information received through the policy request information verification step to derive the policy information corresponding to the user terminal and the user of the user terminal to provide the policy information to the user terminal policy information providing step; may include.

In an embodiment of the present invention, in the routing request information verification step, when the agent application of the user terminal provided with the policy information through the policy information providing step determines that the user terminal conforms to the policy information, The routing request information may be received from the user terminal.

In an embodiment of the present invention, the routing request information includes identification information of the server system and the authentication token, and the routing request information verification step includes identification information of the server system included in the routing request information and The authentication token is verified, and if validated, the routing request information is transmitted to the authentication control unit, and the routing information providing step includes the service based on the routing request information received through the routing request information verification step. The routing information may be provided to the user terminal by deriving routing information including address information of a server and address information of a gateway relaying communication between the service application and the service server.

In an embodiment of the present invention, the routing information provided to the user terminal through the routing information providing step causes an operating system installed in the user terminal in the agent application to cause the service application and the service server to A kernel of the operating system may be controlled to perform communication through a gateway.

In order to solve the above problems, in one embodiment of the present invention, as a server system for performing a communication security method for the user terminal by performing communication with a user terminal installed with an agent application, the server system includes an authentication verification unit and An authentication verification step comprising an authentication control unit, verifying the authentication information received from the user terminal in which the agent application is installed, by the authentication verification unit, and transmitting the validated authentication information to the authentication control unit; an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal; By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and providing, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step, and providing it to the user terminal It provides a server system that performs ;.

According to an embodiment of the present invention, the user terminal in which the agent application is installed communicates with the authentication verification unit and the authentication control unit of the server system so that communication with the service server can be established after access to the server system is permitted. , it can have the effect of fundamentally blocking access to the service server until access is permitted.

According to an embodiment of the present invention, in the authentication token providing step, after confirming the identification information of the user terminal and the user information about the user of the user terminal included in the authentication information, an authentication token capable of establishing communication with the service server is provided. Since it is provided to the user terminal, not only user information such as ID/PW, but also the user terminal is checked, so it is possible to exhibit the effect of blocking access to the user terminal that is not authenticated.

According to an embodiment of the present invention, the policy information providing step provides policy information corresponding to the user terminal, and communicates with the service server when the agent application installed in the user terminal determines that the user terminal conforms to the policy information. can be established, so that only user terminals that meet the policy set by the administrator of the server system can access the server system.

According to an embodiment of the present invention, since the routing information provided in the routing information providing step includes only the address information of the gateway through which communication with the service application of the user terminal is established and the address information of the service server, the user terminal is It can have the effect of preventing access to other components.

According to an embodiment of the present invention, since the authentication verification unit verifies the information received from the user terminal and transmits it to the authentication control unit when verified as valid, it is possible to reduce the load on the authentication control unit.

1 schematically shows a server system for performing a communication security method for a user terminal according to an embodiment of the present invention.
2 schematically shows the steps of performing an authentication verification step and an authentication token providing step according to an embodiment of the present invention.
FIG. 3 schematically illustrates the execution processes of the policy request information verification step and the policy information providing step according to an embodiment of the present invention.
4 schematically illustrates policy information provided to a user terminal according to an embodiment of the present invention.
5 schematically shows a routing request information verification step and a routing information providing step according to an embodiment of the present invention.
6 schematically illustrates a process of establishing communication of a service application according to routing information in a user terminal according to an embodiment of the present invention.
7 schematically illustrates an internal configuration of a computing device according to an embodiment of the present invention.

Hereinafter, various embodiments and/or aspects are disclosed with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth to provide a thorough understanding of one or more aspects. However, it will also be recognized by one of ordinary skill in the art that such aspect(s) may be practiced without these specific details. The following description and accompanying drawings set forth in detail certain illustrative aspects of one or more aspects. These aspects are illustrative, however, and some of various methods may be employed in the principles of the various aspects, and the descriptions set forth are intended to include all such aspects and their equivalents.

Further, various aspects and features will be presented by a system that may include a number of devices, components and/or modules, and the like. It is also noted that various systems may include additional apparatuses, components, and/or modules, etc. and/or may not include all of the apparatuses, components, modules, etc. discussed with respect to the drawings. must be understood and recognized.

As used herein, “embodiment”, “example”, “aspect”, “exemplary”, etc. may not be construed as an advantage or advantage in any aspect or design being described over other aspects or designs. . The terms '~part', 'component', 'module', 'system', 'interface', etc. used below generally mean a computer-related entity, for example, hardware, hardware A combination of and software may mean software.

Also, the terms "comprises" and/or "comprising" mean that the feature and/or element is present, but excludes the presence or addition of one or more other features, elements, and/or groups thereof. should be understood as not

Also, terms including an ordinal number, such as first, second, etc., may be used to describe various elements, but the elements are not limited by the terms. The above terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, a first component may be referred to as a second component, and similarly, a second component may also be referred to as a first component. and/or includes a combination of a plurality of related listed items or any of a plurality of related listed items.

In addition, in the embodiments of the present invention, unless otherwise defined, all terms used herein, including technical or scientific terms, are generally understood by those of ordinary skill in the art to which the present invention belongs. have the same meaning as Terms such as those defined in a commonly used dictionary should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in an embodiment of the present invention, an ideal or excessively formal meaning is not interpreted as

1 schematically shows a server system 2000 for performing a communication security method for a user terminal 1000 according to an embodiment of the present invention.

1, the server system 2000 includes a plurality of components for performing wired or wireless communication with the user terminal 1000, and the plurality of components includes an authentication verification unit 2100. , the authentication control unit 2200 , the gateway 2300 , and the service server 2400 may correspond to each other.

The authentication verification unit 2100 and the authentication control unit 2200 communicate with the user terminal 1000 to verify the user terminal 1000, and when the user terminal 1000 is normally verified, the user terminal (1000) is controlled to establish communication with the server system (2000), specifically, the service server (2400). That is, the authentication verification unit 2100 and the authentication control unit 2200 allow the user terminal 1000 to establish a communication channel so that the user terminal 1000 can exchange data for a service with the server system 2000 . ) plays a role in controlling

The service server 2400 may communicate with the service application 1200 installed in the user terminal 1000 to exchange data related to a service that the user of the user terminal 1000 wants to receive. Meanwhile, the server system 2000 may include a plurality of service servers 2400.1 to 2400.N, and each service server 2400.1 to 2400.N includes one or more service applications installed in the user terminal 1000 ( 1200.1 to 1200.N) to provide a predetermined service to the user.

The gateway 2300 serves to relay communication between the user terminal 1000 and the service server 2400 . The gateway 2300 connects to a plurality of service servers 2400.1 to 2400.N, and according to the data received from the user terminal 1000, a service server 2400 corresponding to the corresponding data of the user terminal 1000. data can be provided. In addition, the gateway 2300 is not exposed when the user terminal 1000 attempts to access the server system 2000 for the first time, and the user terminal 1000 uses the authentication verification unit 2100 and the authentication control unit 2200. When communication with the service server 2400 is established through , the user terminal 1000 may transmit data for communication with the service server 2400 to the gateway 2300 .

Meanwhile, in another embodiment of the present invention, the server system 2000 may include a plurality of gateways, and each of the plurality of gateways may communicate with one or more service servers 2400 . Accordingly, when the user terminal 1000 wants to communicate with a specific service server 2400 , data can be transmitted to a gateway corresponding to the corresponding service server 2400 . In addition, a specific gateway among the plurality of gateways relays communication between the user terminal 1000 and the authentication verification unit 2100 and relays information for establishing communication between the user terminal 1000 and the service server 2400 . have.

Meanwhile, the user terminal 1000 includes an agent application 1100 and one or more service applications 1200.1 to 1200.N.

The agent application 1100 derives information for requesting permission to access the service server 2400 of the user terminal 1000 from the authentication verification unit 2100 and the authentication control unit 2200, or an authentication control unit ( 2200), it is possible to determine whether the corresponding user terminal 1000 conforms to the policy information, and controls the operating system (OS) 1300 installed in the user terminal 1000 to control the user terminal 1000 ) so that the communication between the service application 1200 and the service server 2400 installed in the can be established. Meanwhile, although not shown in FIG. 1 , the agent application 1100 may be installed in the user terminal 1000 through a distribution server (not shown) included in the server system 2000 .

The service application 1200 may provide a predetermined service to the user by performing communication with the corresponding service server 2400 . On the other hand, when the user terminal 1000 first accesses the server system 2000, the service application 1200 cannot communicate with the service server 2400, and the authentication verification unit 2100 and the authentication When the user terminal 1000 is permitted to access the service server 2400 through the control unit 2200, the service application 1200 through the agent application 1100 installed in the user terminal 1000 is the Communication with the service server 2400 may be performed.

Meanwhile, the server system 2000 may communicate with a manager terminal 3000 used by an administrator who manages the server system 2000 , and a service server of the user terminal 1000 from the manager terminal 3000 . It may receive one or more pieces of information for permitting access to 2400 and store the one or more pieces of information. Also, the server system 2000 may transmit information on the state of the server system 2000 to the manager terminal 3000 , such as information on one or more user terminals 1000 to which access is permitted.

That is, in the present invention, the user terminal 1000 and the server system 2000 may perform communication through two channels. Specifically, when the user terminal 1000 first accesses the server system 2000 through the agent application 1100, the user terminal 1000 communicates with the authentication verification unit 2100 (as indicated by a dotted line in FIG. 1). A series of communication for the user terminal 1000 to be granted an authority to access the service server 2400 through the illustrated) may be performed. And, when the user terminal 1000 is authorized, the user terminal 1000 may establish a communication channel (shown by a solid line in FIG. 1) with the service server 2400, and a service application through the communication channel. The 1200 and the service server 2400 may perform a series of communication to provide a service to the user.

Therefore, since the user terminal 1000 can establish communication with the corresponding service server 2400 only when the connection with the service server 2400 is permitted, the server system 2000 of the present invention provides for the service server 2400. It can have the effect of improving access security.

2 schematically shows the steps of performing an authentication verification step and an authentication token providing step according to an embodiment of the present invention.

As shown in FIG. 2, as a communication security method for a user terminal 1000 performed in a server system 2000 that communicates with a user terminal 1000 in which an agent application 1100 is installed, the server system 2000 ) includes an authentication verification unit 2100 and an authentication control unit 2200, and verifies the authentication information received from the user terminal 1000 in which the agent application 1100 is installed by the authentication verification unit 2100, an authentication verification step of transmitting authentication information verified to be valid to the authentication control unit 2200; and an authentication token providing step of generating, by the authentication control unit 2200, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal 1000; The information includes identification information of the server system, identification information of the user terminal, and user information about a user of the user terminal 1000, and the authentication verification step includes identification of the server system included in the authentication information. The information is verified, and when verified as valid, the authentication information is transmitted to the authentication control unit 2200, and the authentication token providing step includes identification information of the user terminal included in the authentication information received from the authentication verification step. and determining whether the user information is included in the database stored in the server system 2000 , and when it is determined that the user information is included, an authentication token may be generated and provided to the user terminal 1000 .

Specifically, the user executes the agent application 1100 installed in the user terminal 1000, the user inputs user information through the agent application 1100, and the user terminal 1000 receives the user's user information input. It can be received (S10). Meanwhile, the user information may correspond to one of various pieces of information that can identify a user who uses the user terminal 1000 . For example, the user information may correspond to ID/PW information or may correspond to user-specific biometric information such as fingerprint information.

Meanwhile, the agent application 1100 derives authentication information including the received user information (S11). Specifically, the authentication information includes identification information of the server system, identification information of the user terminal, and the user information.

The identification information of the server system may correspond to identification information on a network implemented inside the server system 2000 . For example, when the server system 2000 implements a network within a company, the identification information of the server system may correspond to identification information for the corresponding company, such as an ID for the corresponding company. The identification information of the user terminal may correspond to unique information for identifying the user terminal 1000 used by the user, and the identification information of the user terminal is the MAC address of the corresponding user terminal 1000 (Media Access Control Address) Alternatively, it may correspond to unique information about the user terminal 1000, such as a Unique Device Identifier (UDID) provided by iOS. Meanwhile, the identification information of the server system and the identification information of the user terminal may be pre-stored in the memory of the user terminal 1000 .

Meanwhile, the authentication information may be generated in the form of packet data including a header and a body, the header may include identification information of the server system, and the body may include identification information of the user terminal and the user information. . In this way, the agent application 1100 transmits the generated authentication information to the authentication verification unit 2100 (S12).

The authentication verification unit 2100 verifies the authentication information received from the user terminal 1000 by performing the authentication verification step (S13). Specifically, the authentication verification step verifies whether the identification information of the server system included in the header of the authentication information matches the identification information of the server system including the authentication verification unit 2100 (S13). The authentication verification unit 2100 may store identification information of a server system including itself in order to verify the received authentication information.

On the other hand, when the authentication information received in the authentication verification step is verified as valid, the authentication information is transmitted to the authentication control unit 2200 (S14), and if the authentication information is not verified as valid, that is, the When the identification information of the server system included in the authentication information does not match the identification information of the server system including the authentication verification unit 2100, the received authentication information is dropped or the user terminal that has transmitted the authentication information The verification result of the authentication information may be transmitted to the agent application 1100 of (1000).

On the other hand, the authentication control unit 2200 performs the authentication token providing step to verify the body of the authentication information received from the authentication verification unit 2100 (S15), and according to the verification result, the service application of the user terminal 1000 An authentication token capable of establishing communication between the 1200 and the service server 2400 may be generated (S16).

Specifically, the authentication token providing step verifies identification information and user information of the user terminal included in the body of the received authentication information. To this end, the authentication token providing step determines whether the identification information of the user terminal and the user information are stored in the database included in the authentication control unit 2200 or the server system 2000 . In an embodiment of the present invention, identification information and user information of the user terminal stored in the database may be received through the above-described manager terminal 3000 . In another embodiment of the present invention, as the user of the user terminal 1000 performs a procedure such as user registration through the agent application 1100, the identification information of the user terminal and the user information are automatically stored in the database. it might be

On the other hand, the authentication token providing step verifies the authentication information (S15), generates an authentication token (S16) when the corresponding authentication information is verified as valid, and uses the generated authentication token through the authentication verification unit 2100 The agent application 1100 is transmitted to the installed user terminal 1000 (S17 and S18). The authentication token generated through the authentication token providing step means that the user terminal 1000 is authenticated, and then, when the user terminal 1000 transmits data to the authentication verification unit 2100, the authentication token is included. The authentication verification unit 2100 provides the corresponding data to the authentication control unit 2200 by confirming the authentication token.

In addition, the authentication verification unit 2100 that has received the authentication token may store the authentication token, and then verify the authentication token included in the data received from the agent application 1100, and the user terminal 1000. In addition, when the received authentication token is stored (S19) and then data is transmitted to the authentication verification unit 2100, the authentication token stored in the data may be included.

In this way, the authentication verification unit 2100 verifies the validity of data to be transmitted from the user terminal 1000 to the authentication control unit 2200, and provides only the verified data to the authentication control unit 2200, so that the authentication The security of the control unit 2200 may be improved, and the load of the authentication control unit 2200 may be reduced.

On the other hand, when the user terminal 1000 receives the authentication token generated in the authentication token providing step, it can be determined that the authentication information is normally verified in the agent application 1100 of the user terminal 1000, but the In another embodiment, in the step of providing the authentication token, authentication result information indicating that verification of the authentication information has been normally performed together with the authentication token may be provided to the user terminal 1000 .

FIG. 3 schematically illustrates the execution processes of the policy request information verification step and the policy information providing step according to an embodiment of the present invention.

As shown in FIG. 3 , in the communication security method, after the authentication token providing step is performed by the authentication verification unit 2100 , the identification information of the server system and the Receives policy request information including an authentication token, verifies the identification information of the server system and the authentication token included in the policy request information, and when validated, transmits the policy request information to the authentication control unit 2200 a policy request information verification step that is transmitted to and by the authentication control unit 2200, the user terminal 1000 and policy information corresponding to the user of the user terminal 1000 are derived based on the policy request information received through the policy request information verification step. and a policy information providing step of providing the policy information to the user terminal 1000 .

Specifically, the user terminal 1000 provided with the authentication token immediately establishes communication between the service application 1200 installed in the user terminal 1000 and the service server 2400 included in the server system 2000. routing information can be transmitted to the authentication verification unit 2100 for The policy request information is transmitted to the authentication verification unit 2100, and the authentication verification unit 2100 and the authentication control unit 2200 correspond to the user terminal 1000 through the policy request information verification step and the policy information providing step. policy information is derived and provided to the user terminal 1000 .

To this end, the agent application 1100 generates policy request information including the authentication token after receiving the authentication token (S20), and transmits the policy request information to the authentication verification unit 2100 (S21) . Meanwhile, the policy request information may be generated in the form of packet data including a header and a body, the header may include identification information of a server system, and the body may include the authentication token.

Meanwhile, the authentication verification unit 2100 verifies the policy request information received from the user terminal 1000 by performing the policy request information verification step (S22). Specifically, the policy request information verification step verifies whether the identification information of the server system included in the header of the policy request information matches the identification information of the server system including the authentication verification unit 2100, and the policy request It is verified whether the authentication token included in the body of information corresponds to the authentication token generated by the authentication control unit 2200 included in the server system 2000 (S22).

Next, when the policy request information received in the policy request information verification step is verified as valid, the policy request information verification step transmits the policy request information to the authentication control unit 2200 (S23), and if the policy request If the information is not verified as valid, the received policy request information is dropped, or the verification result for the policy request information can be transmitted to the agent application 1100 of the user terminal 1000 that has transmitted the policy request information. have.

Meanwhile, the authentication control unit 2200 derives policy information corresponding to the policy request information received from the authentication verification unit 2100 by performing the policy information providing step (S24). Specifically, the policy information providing step derives policy information corresponding to the policy request information from among one or more policy information stored in the database included in the server system 2000 (S24). To this end, the administrator may input one or more policy information according to the type and/or user type of the user terminal 1000 through the administrator terminal 3000, and the server system 2000 may input one or more policy information input by the administrator. Policy information can be stored in the database.

In another embodiment of the present invention, the type of the user terminal 1000 may correspond to the type of the user terminal 1000 such as a desktop, a smart phone, and a tablet PC, and the type of the user is the server system 2000 In the case of operating in an enterprise, it may correspond to the rank and/or department of the user.

Next, in the policy information providing step, the derived policy information is transmitted (S25 and S26) to the user terminal 1000 in which the agent application 1100 is installed through the authentication verification unit 2100 (S25 and S26). The agent application 1100 determines the state of the user terminal 1000 according to the received policy information (S27), and when it is determined that the policy information is consistent with the policy information, the user terminal to the authentication verification unit 2100 Routing information for establishing communication between the service application 1200 and the service server 2400 of 1000 is requested.

4 schematically shows policy information provided to the user terminal 1000 according to an embodiment of the present invention.

As shown in FIG. 4 , the policy information includes one or more policies, and the routing request information verification step is performed in the agent application 1100 of the user terminal 1000 receiving the policy information through the policy information providing step. When it is determined that the corresponding user terminal 1000 conforms to the policy information, the routing request information may be received from the user terminal 1000 .

Specifically, as shown in FIG. 4 , the policy information includes one or more policies, and the policy information may include different policies according to the type of the user terminal 1000 and/or the type of the user, and the policy information can be set by the administrator.

The policy information may correspond to information for confirming the state of the user terminal 1000 when the user terminal 1000 accesses the server system 2000 , specifically, the service server 2400 . For example, the policy information includes a policy on whether or not to install one or more anti-virus software on the user terminal, a policy on whether or not a firewall is set on the user terminal, a policy on whether the operating system of the user terminal is updated to the latest, and a blacklist on the user terminal It may include a policy on whether to install one or more software included in , and a policy on whether to install one or more software included in the whitelist in the user terminal.

On the other hand, the agent application 1100 is based on the policy information provided from the authentication control unit 2200 whether the user terminal 1000 in which the agent application 1100 is installed conforms to one or more policies included in the policy information. can be judged To this end, the agent application 1100 may be given permission to access the inside of the operating system 1300 of the user terminal 1000 .

Accordingly, when it is determined that the corresponding user terminal 1000 matches the policy information provided by the agent application 1100, the agent application 1100 is a service application 1200 installed in the user terminal 1000. and routing information for establishing communication with the service server 2400 corresponding to the service application 1200 may be requested from the authentication verification unit 2100 .

On the other hand, when it is determined that the agent application 1100 does not match the policy information provided by the user terminal 1000, the agent application 1100 transmits the routing information to the authentication verification unit 2100. do not request In addition, the agent application 1100 additionally displays on the user terminal 1000 that it does not conform to the policy information, or communicates with a distribution server (not shown) included in the server system 2000 to make the The user terminal 1000 is provided by performing an operation such as installing one or more software to conform to the policy information on the user terminal 1000 or removing software included in the blacklist installed on the user terminal 1000 It is also possible to perform a series of processes to conform to policy information.

As such, in an embodiment of the present invention, the server system 2000 provides routing information for establishing communication between the service application 1200 and the service server 2400 immediately when the user terminal 1000 receives the authentication token. rather than providing the user terminal 1000 and policy information corresponding to the user to the agent application 1100, and only when the agent application 1100 determines that the user terminal 1000 conforms to the policy information Since the routing information can be requested, it is possible to prevent the user terminal 1000 including elements threatening security from accessing the service server 2400 in advance.

On the other hand, in another embodiment of the present invention, the process of determining whether the user terminal 1000 conforms to the policy information by the agent application 1100 according to the policy information is to request routing information from the agent application 1100 In addition to being performed for this purpose, the above process may be performed even after communication between the service application 1200 and the service server 2400 is established according to the routing information, and the user terminal 1000 does not conform to the policy information. If it is determined that the communication channel established may be disconnected.

5 schematically shows a routing request information verification step and a routing information providing step according to an embodiment of the present invention.

As shown in FIG. 5 , in the communication security method, the service application 1200 installed in the user terminal 1000 received from the user terminal 1000 provided with the authentication token by the authentication verification unit 2100 . ) and a routing request information verification step of verifying routing request information for requesting routing for establishing communication with the service server 2400, and transmitting the verified routing request information to the authentication control unit 2200; And, by the authentication control unit 2200, based on the routing request information received through the routing request information verification step, by deriving routing information for establishing communication between the service application 1200 and the service server 2400, the A routing information providing step provided to the user terminal 1000; includes, wherein the routing request information includes identification information of the server system and the authentication token, and the routing request information verification step includes: The included identification information of the server system and the authentication token are verified, and when validated, the routing request information is transmitted to the authentication control unit 2200, and the routing information providing step includes the routing request information verification step. Based on the routing request information received through the user terminal, the user terminal The routing information may be provided to (1000).

Specifically, when it is determined that the user terminal 1000 in the agent application 1100 conforms to the policy information as described above, the service application 1200 installed in the user terminal 1000 and the corresponding service server The routing request information for requesting routing information for establishing communication in step 2400 is generated (S30), and the routing request information is transmitted to the authentication verification unit 2100 (S31). Meanwhile, the routing request information may be generated in the form of packet data including a header and a body, the header may include identification information of a server system, and the body may include the authentication token.

On the other hand, the authentication verification unit 2100 verifies the routing request information received from the user terminal 1000 by performing the routing request information verification step (S32). Specifically, the routing request information verification step verifies whether the identification information of the server system included in the header of the routing request information matches the identification information of the server system including the authentication verification unit 2100, and the It is verified whether the authentication token included in the body of the routing request information corresponds to the authentication token generated by the authentication control unit 2200 included in the server system 2000 (S32).

Subsequently, when the routing request information received in the routing request information verification step is verified as valid, the routing request information verification step transmits the routing request information to the authentication control unit 2200 (S33), and if the routing request If the information is not verified as valid, the received routing request information is dropped, or the verification result for the routing request information can be transmitted to the agent application 1100 of the user terminal 1000 that has transmitted the routing request information. have.

On the other hand, the authentication control unit 2200 performs the routing information providing step and based on the routing request information received from the authentication verification unit 2100, the service application 1200 and the service server 2400 installed in the user terminal 1000. To derive routing information for establishing communication of (S34). Specifically, the routing information derived in the routing information providing step includes address information of a service server to establish communication and address information of a gateway relaying communication between the service server 2400 and service application 1200 to establish communication. may include

Next, the routing information providing step transmits the derived routing information to the user terminal 1000 in which the agent application 1100 is installed through the authentication verification unit 2100 (S35 and S36). On the other hand, the agent application 1100 is based on the received routing information, the service application 1200 and the service server 2400 via the gateway 2300 corresponding to the address information of the gateway included in the routing information communication A path (routing) for establishment may be set (S37).

6 schematically illustrates a process of establishing communication of a service application 1200 according to routing information in the user terminal 1000 according to an embodiment of the present invention.

As shown in FIG. 6 , the routing information provided to the user terminal 1000 through the routing information providing step is an operating system 1300 installed in the user terminal 1000 in the agent application 1100 . ) to control the kernel of the operating system 1300 so that the service application 1200 and the service server 2400 perform communication through the gateway 2300 .

Specifically, the agent application 1100 controls a kernel included in the operating system 1300 installed in the user terminal 1000 based on the routing information provided through the routing information providing step, thereby providing a service application 1200. and the service server 2400 may be routed to perform communication through the gateway 2300 .

The kernel provides a variety of services required to perform the service application 1200, and can provide networking with other user terminals by controlling the hardware of the user terminal 1000. Accordingly, the agent application 1100 is the Authority to control the kernel of the operating system 1300 may be granted.

Accordingly, the agent application 1100, the service application 1200 through the gateway 2300 corresponding to the address information of the gateway included in the routing information, the service corresponding to the address information of the service server included in the routing information The kernel is controlled to establish communication with the server 2400 .

In this way, the service application 1200 and the service server 2400 can communicate only through a channel through which communication is established according to the routing information, and the service application 1200 is a specific service server ( 2400), unnecessary communication with other components included in the server system 2000 can be blocked in advance, so that the security of the server system 2000 can be improved. .

On the other hand, in another embodiment of the present invention, when communication between the service application 1200 and the service server 2400 is established, the communication channel is encrypted, so that the security of data transmitted and received through the channel can be improved. , as the encryption method, various encryption methods such as Transport Layer Security (TLS) protocol may be used. Also, the section to be encrypted in the communication channel may correspond only to the section between the service application 1200 and the gateway 2300 .

7 schematically illustrates an internal configuration of a computing device according to an embodiment of the present invention.

Components included in the server system 2000 illustrated in FIG. 1 described above may include components of the computing device 11000 illustrated in FIG. 7 .

7, the computing device 11000 includes at least one processor 11100, a memory 11200, a peripheral interface 11300, an input/output subsystem ( It may include at least an I/O subsystem) 11400 , a power circuit 11500 , and a communication circuit 11600 . In this case, the computing device 11000 may correspond to a component included in the server system 2000 illustrated in FIG. 1 .

The memory 11200 may include, for example, high-speed random access memory, magnetic disk, SRAM, DRAM, ROM, flash memory, or non-volatile memory. . The memory 11200 may include a software module, an instruction set, or other various data required for the operation of the computing device 11000 .

In this case, access to the memory 11200 from other components such as the processor 11100 or the peripheral device interface 11300 may be controlled by the processor 11100 .

Peripheral interface 11300 may couple input and/or output peripherals of computing device 11000 to processor 11100 and memory 11200 . The processor 11100 may execute a software module or an instruction set stored in the memory 11200 to perform various functions for the computing device 11000 and process data.

The input/output subsystem may couple various input/output peripherals to the peripheral interface 11300 . For example, the input/output subsystem may include a controller for coupling a peripheral device such as a monitor or keyboard, mouse, printer, or a touch screen or sensor as required to the peripheral interface 11300 . According to another aspect, input/output peripherals may be coupled to peripheral interface 11300 without going through an input/output subsystem.

The power circuit 11500 may supply power to all or some of the components of the terminal. For example, the power circuit 11500 may include a power management system, one or more power sources such as batteries or alternating current (AC), a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator, or a power source. It may include any other components for creation, management, and distribution.

The communication circuit 11600 may enable communication with another computing device using at least one external port.

Alternatively, as described above, if necessary, the communication circuit 11600 may transmit and receive an RF signal, also known as an electromagnetic signal, including an RF circuit, thereby enabling communication with other computing devices.

This embodiment of FIG. 7 is only an example of the computing device 11000, and the computing device 11000 may omit some components shown in FIG. 7 or further include additional components not shown in FIG. 7, or 2 It may have a configuration or arrangement that combines two or more components. For example, a computing device for a communication terminal in a mobile environment may further include a touch screen or a sensor in addition to the components shown in FIG. 7 , and various communication methods (WiFi, 3G, LTE) are provided in the communication circuit 11600 . , Bluetooth, NFC, Zigbee, etc.) may include a circuit for RF communication. Components that may be included in the computing device 11000 may be implemented as hardware, software, or a combination of both hardware and software including an integrated circuit specialized for one or more signal processing or applications.

Methods according to an embodiment of the present invention may be implemented in the form of program instructions that can be executed through various separate computing devices and recorded in a computer-readable medium. In particular, the program according to the present embodiment may be configured as a PC-based program or an application dedicated to a mobile terminal. The application to which the present invention is applied may be installed in a separate computing device including a user terminal through a file provided by the file distribution system. For example, the file distribution system may include a file transmission unit (not shown) that transmits the file in response to a request from a separate computing device.

The device described above may be implemented as a hardware component, a software component, and/or a combination of the hardware component and the software component. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA). , a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, may be implemented using one or more general purpose or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications executed on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For convenience of understanding, although one processing device is sometimes described as being used, one of ordinary skill in the art will recognize that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that can include For example, the processing device may include a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as parallel processors.

Software may comprise a computer program, code, instructions, or a combination of one or more thereof, which configures a processing device to operate as desired or is independently or collectively processed You can command the device. The software and/or data may be any kind of machine, component, physical device, virtual equipment, computer storage medium or device, to be interpreted by or to provide instructions or data to the processing device. , or may be permanently or temporarily embody in a transmitted signal wave. The software may be distributed over networked computing devices, and may be stored or executed in a distributed manner. Software and data may be stored in one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc. alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic such as floppy disks. - includes magneto-optical media, and hardware devices specially configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those generated by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

According to an embodiment of the present invention, the user terminal in which the agent application is installed communicates with the authentication verification unit and the authentication control unit of the server system so that communication with the service server can be established after access to the server system is permitted. , it can have the effect of fundamentally blocking access to the service server until access is permitted.

According to an embodiment of the present invention, in the authentication token providing step, after confirming the identification information of the user terminal and the user information about the user of the user terminal included in the authentication information, an authentication token capable of establishing communication with the service server is provided. Since it is provided to the user terminal, not only user information such as ID/PW, but also the user terminal is checked, so it is possible to exhibit the effect of blocking access to the user terminal that is not authenticated.

According to an embodiment of the present invention, the policy information providing step provides policy information corresponding to the user terminal, and communicates with the service server when the agent application installed in the user terminal determines that the user terminal conforms to the policy information. can be established, so that only user terminals that meet the policy set by the administrator of the server system can access the server system.

According to an embodiment of the present invention, the routing information providing step includes only the address information of the gateway through which communication with the service application of the user terminal is established and the address information of the service server, so that the user terminal accesses other components of the server system can have the effect of preventing it from happening.

According to an embodiment of the present invention, since the authentication verification unit verifies the information received from the user terminal and transmits it to the authentication control unit when verified as valid, it is possible to reduce the load on the authentication control unit.

As described above, although the embodiments have been described with reference to the limited embodiments and drawings, various modifications and variations are possible from the above description by those skilled in the art. For example, the described techniques are performed in an order different from the described method, and/or the described components of the system, structure, apparatus, circuit, etc. are combined or combined in a different form than the described method, or other components Or substituted or substituted by equivalents may achieve an appropriate result.

Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (9)

A communication security method for a user terminal performed in a server system that communicates with a user terminal in which an agent application is installed, comprising:
The server system includes an authentication verification unit and an authentication control unit,
an authentication verification step of verifying, by the authentication verification unit, the authentication information received from the user terminal in which the agent application is installed, and transmitting the validated authentication information to the authentication control unit;
an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal;
By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and
a routing information providing step of deriving, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step and providing it to the user terminal; including,
The communication security method,
By the authentication verification unit,
After the authentication token providing step is performed, policy request information including identification information of the server system and the authentication token is received from the user terminal, and identification information of the server system included in the policy request information and the a policy request information verification step of verifying an authentication token and transmitting the policy request information to the authentication control unit if validated; and
By the authentication control unit,
A policy information providing step of providing the policy information to the user terminal by deriving the user terminal and policy information corresponding to the user of the user terminal based on the policy request information received through the policy request information verification step; A communication security method.
The method according to claim 1,
The authentication information is
Including identification information of the server system, identification information of the user terminal, and user information about the user of the user terminal,
The authentication verification step is,
Verifies the identification information of the server system included in the authentication information, and transmits the authentication information to the authentication control unit when verified as valid;
The authentication token providing step is
It is determined whether the identification information of the user terminal and the user information included in the authentication information received from the authentication verification step are included in the database stored in the server system, and when it is determined that they are included, an authentication token is generated and the A communication security method provided to a user terminal.
A communication security method for a user terminal performed in a server system that communicates with a user terminal in which an agent application is installed, comprising:
The server system includes an authentication verification unit and an authentication control unit,
an authentication verification step of verifying, by the authentication verification unit, the authentication information received from the user terminal in which the agent application is installed, and transmitting the validated authentication information to the authentication control unit;
an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal;
By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and
a routing information providing step of deriving, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step and providing it to the user terminal; including,
The communication security method,
By the authentication verification unit,
After the authentication token providing step is performed, policy request information including identification information of the server system and the authentication token is received from the user terminal, and identification information of the server system included in the policy request information and the a policy request information verification step of verifying an authentication token and transmitting the policy request information to the authentication control unit if validated; and
By the authentication control unit,
A policy information providing step of providing the policy information to the user terminal by deriving the user terminal and policy information corresponding to the user of the user terminal based on the policy request information received through the policy request information verification step; do,
The routing request information verification step,
A communication security method for receiving the routing request information from the user terminal when the agent application of the user terminal provided with the policy information through the policy information providing step determines that the corresponding user terminal conforms to the policy information.
A communication security method for a user terminal performed in a server system that communicates with a user terminal in which an agent application is installed, comprising:
The server system includes an authentication verification unit and an authentication control unit,
an authentication verification step of verifying, by the authentication verification unit, the authentication information received from the user terminal in which the agent application is installed, and transmitting the validated authentication information to the authentication control unit;
an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal;
By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and
a routing information providing step of deriving, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step and providing it to the user terminal; including,
The routing request information is
Including identification information of the server system and the authentication token,
The routing request information verification step,
Verifies the identification information and the authentication token of the server system included in the routing request information, and when it is verified as valid, transmits the routing request information to the authentication control unit,
The routing information providing step is,
Based on the routing request information received through the routing request information verification step, routing information including address information of the service server and address information of a gateway that relays communication between the service application and the service server is derived from the user terminal To provide the routing information to, communication security method.
A communication security method for a user terminal performed in a server system that communicates with a user terminal in which an agent application is installed, comprising:
The server system includes an authentication verification unit and an authentication control unit,
an authentication verification step of verifying, by the authentication verification unit, the authentication information received from the user terminal in which the agent application is installed, and transmitting the validated authentication information to the authentication control unit;
an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal;
By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and
a routing information providing step of deriving, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step and providing it to the user terminal; including,
The routing request information is
Including identification information of the server system and the authentication token,
The routing request information verification step,
Verifies the identification information and the authentication token of the server system included in the routing request information, and when it is verified as valid, transmits the routing request information to the authentication control unit,
The routing information providing step,
Based on the routing request information received through the routing request information verification step, routing information including address information of the service server and address information of a gateway that relays communication between the service application and the service server is derived from the user terminal provide the routing information to
The routing information provided to the user terminal through the routing information providing step is,
In the agent application, an operating system installed in the user terminal controls a kernel of the operating system so that the service application and the service server communicate through the gateway.
As a server system for performing communication security method for the user terminal by performing communication with the user terminal in which the agent application is installed,
The server system includes an authentication verification unit and an authentication control unit,
an authentication verification step of verifying, by the authentication verification unit, the authentication information received from the user terminal in which the agent application is installed, and transmitting the validated authentication information to the authentication control unit;
an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal;
By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and
a routing information providing step of deriving, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step and providing it to the user terminal; do,
The server system is
By the authentication verification unit,
After the authentication token providing step is performed, policy request information including identification information of the server system and the authentication token is received from the user terminal, and identification information of the server system included in the policy request information and the a policy request information verification step of verifying an authentication token and transmitting the policy request information to the authentication control unit if validated; and
By the authentication control unit,
A policy information providing step of providing the policy information to the user terminal by deriving the user terminal and policy information corresponding to the user of the user terminal based on the policy request information received through the policy request information verification step; to the server system.
As a server system for performing communication security method for the user terminal by performing communication with the user terminal in which the agent application is installed,
The server system includes an authentication verification unit and an authentication control unit,
an authentication verification step of verifying, by the authentication verification unit, the authentication information received from the user terminal in which the agent application is installed, and transmitting the validated authentication information to the authentication control unit;
an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal;
By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and
a routing information providing step of deriving, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step and providing it to the user terminal; do,
The server system is
By the authentication verification unit,
After the authentication token providing step is performed, policy request information including identification information of the server system and the authentication token is received from the user terminal, and identification information of the server system included in the policy request information and the a policy request information verification step of verifying an authentication token and transmitting the policy request information to the authentication control unit if validated; and
By the authentication control unit,
A policy information providing step of providing the policy information to the user terminal by deriving the user terminal and policy information corresponding to the user of the user terminal based on the policy request information received through the policy request information verification step; do,
The routing request information verification step,
A server system for receiving the routing request information from the user terminal when the agent application of the user terminal provided with the policy information through the policy information providing step determines that the corresponding user terminal conforms to the policy information.
As a server system for performing communication security method for the user terminal by performing communication with the user terminal in which the agent application is installed,
The server system includes an authentication verification unit and an authentication control unit,
an authentication verification step of verifying, by the authentication verification unit, the authentication information received from the user terminal in which the agent application is installed, and transmitting the validated authentication information to the authentication control unit;
an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal;
By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and
a routing information providing step of deriving, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step and providing it to the user terminal; do,
The routing request information is
Including identification information of the server system and the authentication token,
The routing request information verification step,
Verifies the identification information and the authentication token of the server system included in the routing request information, and when it is verified as valid, transmits the routing request information to the authentication control unit,
The routing information providing step,
Based on the routing request information received through the routing request information verification step, routing information including address information of the service server and address information of a gateway that relays communication between the service application and the service server is derived from the user terminal providing the routing information to a server system.
As a server system for performing communication security method for the user terminal by performing communication with the user terminal in which the agent application is installed,
The server system includes an authentication verification unit and an authentication control unit,
an authentication verification step of verifying, by the authentication verification unit, the authentication information received from the user terminal in which the agent application is installed, and transmitting the validated authentication information to the authentication control unit;
an authentication token providing step of generating, by the authentication control unit, an authentication token based on the authentication information received through the authentication verification step and providing it to the user terminal;
By the authentication verification unit, the routing request information for requesting routing to establish communication between the service application installed in the user terminal and the service server received from the user terminal receiving the authentication token is verified, and routing verified as valid a routing request information verification step of transmitting the request information to the authentication control unit; and
a routing information providing step of deriving, by the authentication control unit, routing information for establishing communication between the service application and the service server based on the routing request information received through the routing request information verification step and providing it to the user terminal; do,
The routing request information is
Including identification information of the server system and the authentication token,
The routing request information verification step,
Verifies the identification information and the authentication token of the server system included in the routing request information, and when it is verified as valid, transmits the routing request information to the authentication control unit,
The routing information providing step,
Based on the routing request information received through the routing request information verification step, routing information including address information of the service server and address information of a gateway relaying communication between the service application and the service server is derived, and the user terminal provide the routing information to
The routing information provided to the user terminal through the routing information providing step is,
In the agent application, an operating system installed in the user terminal controls a kernel of the operating system so that the service application and the service server communicate through the gateway.

Images