KR102358598B1 - Method for Processing Two Channel Authentication by using Contactless Media - Google Patents

Abstract

According to the two-channel authentication method using a contactless medium of the present invention, in the method executed through an operation server communicating with the user's first terminal and communicating with the user's second terminal equipped with an NFC module, the user's first terminal Receives and stores authentication request information via the connected first communication network, checks the operation or activation of a program provided in the user's second terminal using the second communication network, and drives or activates the program of the second terminal Upon confirmation, the authentication information (s) for authentication processing of the authentication request information and the authentication code (s) dynamically generated for server authentication through the program of the second terminal are provided to the program of the second terminal, Supporting NFC through the NFC module of the second terminal based on the authentication result of the authentication code (s) through the program of the second terminal and the result of the medium access procedure performed between the program of the second terminal and the designated security server The encryption block read by the program of the second terminal from the designated storage area of the non-contact medium and the authentication dynamically generated through the program of the second terminal for authentication of the program (or the second terminal that has driven or activated the program) Authentication generated through the program of the second terminal by using the code (t) and one or more pieces of information including at least one piece of information (or partial information) included in the authentication information (s) provided by the program of the second terminal Receive the information t, and decrypt the specified in conjunction with the validation of the received authentication code (t) and the integrity authentication of the information included in the authentication information (s) using the information included in the authentication information (s) Request authentication means information corresponding to the encryption block from the server, receive authentication means information generated through the encryption block from the decryption server, and transmit the authentication means information and authentication information (t) to a designated authentication server Requests authentication approval, receives the authentication approval result from the authentication server and transmits it to the program of the second terminal, and the authentication code (s) is validated through a specified code verification procedure through the program of the second terminal. are certified

Description

Method for Processing Two Channel Authentication by using Contactless Media

The present invention is a method executed through an operation server that communicates with a user's first terminal and communicates with a user's second terminal having an NFC module, and requests authentication via the first communication network to which the user's first terminal is connected. For receiving and storing information, confirming the operation or activation of a program provided in the user's second terminal using the second communication network, and for authentication processing of the authentication request information when confirming that the program is driven or activated by the second terminal The authentication information (s) and the authentication code (s) dynamically generated for server authentication through the program of the second terminal are provided to the program of the second terminal, and the authentication code (s) through the program of the second terminal Based on the authentication result of the second terminal and the result of the medium access procedure performed between the program of the second terminal and the designated security server, the second terminal from the designated storage area of the contactless medium supporting NFC through the NFC module of the second terminal For authentication of the cryptographic block read by the program of the program (or the second terminal driving or activating the program), the authentication code (t) dynamically generated through the program of the second terminal and the program of the second terminal Receives the authentication information (t) generated through the program of the second terminal by using one or more pieces of information including at least one information (or some information) included in the authentication information (s) provided as Authentication means information corresponding to the encryption block with a designated decryption server in conjunction with the validation of the authentication code (t) and the integrity authentication of the information included in the authentication information (t) using the information included in the authentication information (s) request, receive authentication means information generated through the encryption block from the decryption server, transmit the authentication means information and authentication information (t) to a designated authentication server to request authentication approval, and authenticate from the authentication server Receiving an approval result and transmitting it to the program of the second terminal, the authentication code (s) is a two-channel authentication method using a contactless medium whose validity is authenticated through a specified code verification procedure through the program of the second terminal. it's about

With the recent activation of smart phones, various methods for using the NFC (Near Field Communication) function of the smart phone for various authentication are being tried.

However, in the conventional NFC-based authentication using a smartphone in service, a method is mainly used to receive an OTP (One Time Password) dynamically generated through an NFC card and transmit it to a server for authentication (Patent Publication No. 10). -2014-0089019).

However, since NFC-based authentication using a conventional smart phone can be implemented only by issuing a separate NFC card that dynamically generates OTP or selling it to a user, it has not been actively activated yet.

Meanwhile, most users have contactless financial IC cards such as transportation cards or contactless/combi-type credit cards. If the contactless financial IC card issued to users is authenticated by tagging the smart phone in this way, the authentication service can be provided without issuing a separate card.

However, it is easily possible by using the smartphone itself as a contactless financial IC card (eg, as a transportation card) and tagging it on a payment terminal (eg, a bus terminal, a subway terminal, etc.) Although it is possible to read a card, reading a previously issued contactless financial IC card has a very difficult problem in reality.

The reason is that in order to read a transportation card or a contactless financial IC card on a smartphone, a SAM (Secure Application Module) in the form of a security chip must be installed in the smartphone. Since it is a terminal designed and manufactured for this purpose, it is possible to mount a SAM in the form of a security chip, but it is practically impossible to mount a SAM in the form of a security chip in a smartphone designed and manufactured as a personal portable communication terminal.

Meanwhile, by implementing a SAM processing server on the network that performs the same function as the SAM embedded in a conventional terminal even if the smartphone is not equipped with SAM, contactless financial IC card A network SAM technology that enables reading has been proposed (Patent Registration Publication No. 10-1300817).

However, the conventional network SAM technology simply implements the conventional security chip-type terminal-embedded SAM on a server on the network. Decryption is performed directly in the phone. In this way, when the card information read in the smartphone is decrypted, there is a problem that the card information read from the contactless financial IC card is exposed as it is even through a very simple smartphone hacking at any time.

An object of the present invention for solving the above problems is, in a method executed through an operation server that communicates with the user's first terminal and communicates with the user's second terminal equipped with an NFC module, the user's first terminal The first step of receiving and storing the authentication request information via the first communication network connected to it, the second step of confirming the operation or activation of the program provided in the user's second terminal using the second communication network, and the second step When the program driving or activation of the terminal is confirmed, the authentication information (s) for the authentication processing of the authentication request information and the authentication code (s) dynamically generated for server authentication through the program of the second terminal are transferred to the program of the second terminal Based on the third step provided as a result of the authentication code (s) through the program of the second terminal and the result of the medium access procedure performed between the program of the second terminal and the designated security server, the second terminal For authentication of the encryption block and the program (or the second terminal driving or activating the program) read as the program of the second terminal from the designated storage area of the non-contact medium supporting NFC through the NFC module of the second Using one or more pieces of information including at least one information (or some information) included in the authentication code (t) dynamically generated through the program of the terminal and the authentication information (s) provided by the program of the second terminal 2 The fourth step of receiving the authentication information (t) generated through the program of the terminal and the validation of the received authentication code (t) and the authentication information (t) using the information included in the authentication information (s) A fifth step of requesting authentication means information corresponding to the encryption block to a designated decryption server in conjunction with the integrity authentication of the information included in a sixth step of receiving authentication means information generated through the encryption block from the decryption server and a seventh step of requesting authentication approval by transmitting the authentication means information and authentication information (t) to a designated authentication server, and an eighth step of receiving an authentication approval result from the authentication server and transmitting the result to the program of the second terminal. Including, the authentication code (s), the second terminal To provide a two-channel authentication method using a contactless medium whose validity is authenticated through a specified code verification procedure through the program of

The two-channel authentication method using a contactless medium according to the present invention is a method executed through an operation server that communicates with the user's first terminal and communicates with the user's second terminal equipped with an NFC module, the user's first terminal The first step of receiving and storing the authentication request information via the first communication network connected to it, the second step of confirming the operation or activation of the program provided in the user's second terminal using the second communication network, and the second step When the program driving or activation of the terminal is confirmed, the authentication information (s) for the authentication processing of the authentication request information and the authentication code (s) dynamically generated for server authentication through the program of the second terminal are transferred to the program of the second terminal Based on the third step provided as a result of the authentication code (s) through the program of the second terminal and the result of the medium access procedure performed between the program of the second terminal and the designated security server, the second terminal For authentication of the encryption block and the program (or the second terminal driving or activating the program) read as the program of the second terminal from the designated storage area of the non-contact medium supporting NFC through the NFC module of the second Using one or more pieces of information including at least one information (or some information) included in the authentication code (t) dynamically generated through the program of the terminal and the authentication information (s) provided by the program of the second terminal 2 The fourth step of receiving the authentication information (t) generated through the program of the terminal and the validation of the received authentication code (t) and the authentication information (t) using the information included in the authentication information (s) A fifth step of requesting authentication means information corresponding to the encryption block to a designated decryption server in conjunction with the integrity authentication of the information included in a sixth step of receiving authentication means information generated through the encryption block from the decryption server and a seventh step of requesting authentication approval by transmitting the authentication means information and authentication information (t) to a designated authentication server, and an eighth step of receiving an authentication approval result from the authentication server and transmitting the result to the program of the second terminal. Including, the authentication code (s), the second It is characterized in that the validity is authenticated through a specified code verification procedure through the program of the terminal.
In the two-channel authentication method using a contactless medium according to the present invention, the medium access procedure, the operation server intervenes in the data exchange process between the program of the second terminal and a designated security server, and the NFC of the second terminal Checking the unique serial number read from the non-contact medium through a module and providing it to a designated security server, and a designated storage area (m, 0) among N (N > 1) storage areas provided in the non-contact medium from the security server The step of receiving the first authentication key for reading the authentication code (m) recorded in ≤ m < N and transmitting it to the program of the second terminal and the second terminal through the NFC module of the second terminal Confirming the authentication code (m) and providing it to a designated security server, and from the security server recorded in a designated storage area (n, 0≤n<N, n≠m) among N storage areas provided in the non-contact medium It characterized in that it further comprises the step of receiving the second authentication key for reading the cipher block and transmitting it to the program of the second terminal.
In the two-channel authentication method using a contactless medium according to the present invention, the medium access procedure is generated through the security server by the operation server intervening in the data exchange process between the program of the second terminal and a designated security server The method further includes receiving the authentication value and transmitting it to the program of the second terminal, the fourth step further comprising the step of receiving the authentication value from the program of the second terminal, the fifth step further comprising the step of providing the authentication value to the decryption server to request authentication, wherein the authentication value is validated through the decryption server, and the authentication means information is the authentication result of the authentication value. It is characterized in that it is generated using a cipher block.
In the two-channel authentication method using a contactless medium according to the present invention, the medium access procedure reads a unique serial number from a contactless medium that supports NFC through the NFC module of the second terminal by the program of the second terminal Step and the program of the second terminal process the read unique serial number to be transmitted to a designated security server, and a designated storage area (m, 0≤m< Receiving the first authentication key for reading the authentication code (m) recorded in N) and the program of the second terminal transmits the first authentication key to the non-contact medium through the NFC module to the non-contact medium reading the authentication code (m) recorded in the designated storage area (m) of the second terminal and processing the read authentication code (m) to be transmitted to the security server Receiving a second authentication key for reading an encryption block recorded in an area (n, 0≤n<N, n≠m), and the program of the second terminal to the contactless medium through the NFC module 2 It characterized in that it comprises the step of reading the encryption block recorded in the designated storage area (n) of the contactless medium by transmitting the authentication key.
In the two-channel authentication method using a contactless medium according to the present invention, the medium access procedure is generated through the security server based on the verification result of the authentication code (m) by the program of the second terminal through the security server Further comprising the step of receiving the authenticated value, and when processing to transmit the read cipher block to a designated decryption server, further comprising the step of processing the program of the second terminal to transmit the authentication value to the decryption server and, the authentication value is characterized in that validity is authenticated through the decryption server.
In the two-channel authentication method using a contactless medium according to the present invention, the authentication information (t) is personal information input from the user through the second terminal, and a user corresponding to authentication means information corresponding to the encryption block. It is characterized in that it comprises at least one of the confidential information of.
The two-channel authentication method using a contactless medium according to the present invention is a method executed through an operation server that communicates with the user's first terminal and communicates with the user's second terminal equipped with an NFC module, the user's first terminal A first step of receiving and storing authentication request information via the connected first communication network, a second step of confirming the operation or activation of a program provided in the user's second terminal using the second communication network; When the program driving or activation of the second terminal is confirmed, the authentication information (s) for the authentication processing of the authentication request information and the authentication code (s) dynamically generated for server authentication through the program of the second terminal are transferred to the second terminal Based on the third step of providing the program of the second terminal, the authentication result of the authentication code (s) through the program of the second terminal, and the result of the medium access procedure performed between the program of the second terminal and the designated security server Through the NFC module of the second terminal, the encryption block read by the program of the second terminal from the designated storage area of the non-contact medium supporting NFC and the program of the second terminal for driving or activating the program of the second terminal for authentication A fourth step of receiving a dynamically generated authentication code (t) and authentication information (t) for an authentication approval request through A fifth step of requesting authentication means information corresponding to the encryption block to a designated decryption server in conjunction with integrity authentication of the information (t), and a sixth step of receiving authentication means information generated through the encryption block from the decryption server a seventh step of requesting authentication approval by transmitting the authentication means information and authentication information (t) to a designated authentication server; Includes 8 steps.

According to the present invention, the second step may further include performing a procedure for notifying a push for program driving or activation to the user's second terminal.

According to the present invention, the authentication code (s) may include a code value that can be authenticated through a code verification procedure provided in the program of the second terminal.

According to the present invention, the two-channel authentication method using the contactless medium intervenes in the data exchange process between the program of the second terminal and a designated security server, and is read from the contactless medium through the NFC module of the second terminal. The steps of verifying the unique serial number and providing it to a designated security server; The step of receiving the first authentication key for reading the authentication code (m) and transmitting it to the program of the second terminal, and confirming the authentication code (m) read from the non-contact medium through the NFC module of the second terminal and providing a second authentication key for reading the cipher block recorded in the designated storage area (n, 0≤n<N, n≠m) from the security server to the second It may further include the step of transmitting to the program of the terminal.

According to the present invention, the two-channel authentication method using the contactless medium intervenes in a data exchange process between the program of the second terminal and a designated security server, receives the authentication value generated through the security server, and receives the second The method further includes transmitting to the program of the terminal, the fourth step further comprising receiving the authentication value from the program of the second terminal, and the fifth step is to provide the authentication value to the decryption server and requesting authentication, wherein the authentication value is validated through the decryption server, and the authentication means information may be generated using the encryption block as an authentication result of the authentication value.

According to the present invention, the program of the second terminal receives the authentication information (s) and the authentication code (s) from the operation server, and the validity of the received authentication code (s) through a designated code verification procedure It may further include the step of authenticating.

According to the present invention, the medium access procedure comprises the steps of: reading, by the program of the second terminal, a unique serial number from a non-contact medium supporting NFC through the NFC module of the second terminal; The authentication code (m) recorded in the designated storage area (m, 0≤m<N) among the N (N>1) storage areas provided in the non-contact medium by processing the read unique serial number to be transmitted to the designated security server Receiving a first authentication key for reading, the program of the second terminal transmits the first authentication key to the non-contact medium through the NFC module and records it in a designated storage area (m) of the non-contact medium Reading the authentication code (m), the program of the second terminal processes the read authentication code (m) to be transmitted to the security server, and a designated storage area of the contactless medium (n, 0≤n< Receiving a second authentication key for reading the encryption block recorded in N, n≠m), the program of the second terminal transmits the second authentication key to the contactless medium through the NFC module, It may include the step of reading the cipher block recorded in the designated storage area (n) of the contactless medium.

According to the present invention, the cipher block may be transmitted to a decryption server having a decryption module for the cipher block.

According to the present invention, the medium access procedure further comprises the step of receiving, by the program of the second terminal, the authentication value generated through the security server based on the verification result of the authentication code (m) through the security server, , further comprising the step of, when processing the read encryption block to be transmitted to a designated decryption server, processing the program of the second terminal to transmit the authentication value to the decryption server, wherein the authentication value is transmitted through the decryption server Validity can be verified.

According to the present invention, the authentication information t may include at least one of personal information input from the user through the second terminal and user's secret information corresponding to authentication means information corresponding to the encryption block. .

Meanwhile, the two-channel authentication method using a non-contact medium according to the present invention is a method executed through a program provided in a second terminal of a user having an NFC module, and is unique from a non-contact medium supporting NFC through the NFC module. A first step of reading the serial number, processing the read unique serial number to be transmitted to a designated security server, and a designated storage area (m, 0≤m) among N (N>1) storage areas provided in the non-contact medium A second step of receiving a first authentication key for reading the authentication code (m) recorded in <N; A third step of reading the authentication code (m) recorded in the area (m), processing the read authentication code (m) to be transmitted to the security server, and a designated storage area (n, 0≤n) of the contactless medium A fourth step of receiving a second authentication key for reading the encryption block recorded in <N, n≠m), and transmitting the second authentication key to the contactless medium through the NFC module A fifth step of reading the cipher block recorded in the storage area n, and a sixth step of processing the read cipher block to be transmitted to a designated decryption server.

According to the present invention, in the sixth step, the encryption block may be transmitted to an operation server interworking with the decryption server.

According to the present invention, in the two-channel authentication method using the contactless medium, the authentication information (s) for authentication processing from the operation server and the authentication code (s) dynamically generated for server authentication through the program of the second terminal Further comprising the step of receiving and authenticating the validity of the received authentication code (s) through a specified code verification procedure, the first step is through the NFC module when the validity of the authentication code (s) is authenticated A unique serial number can be read from a contactless medium supporting NFC.

According to the present invention, the sixth step may further include generating the authentication information (t) to be used in the authentication procedure using the cipher block and transmitting it to the operation server.

According to the present invention, further comprising the step of dynamically generating an authentication code (t) for the authentication of the second terminal driving or activating the program, the sixth step is to transmit the generated authentication code (t) to the operation server It may further include the step of transmitting to.

According to the present invention, the two-channel authentication method using the contactless medium receives the authentication value generated through the security server based on the verification result of the authentication code (m) through the security server when the second authentication key is received and, the sixth step further includes processing the authentication value to be transmitted to the decryption server, and the validity of the authentication value may be authenticated through a designated decryption server.

According to the present invention, the two-channel authentication method using the contactless medium may further include the step of receiving and outputting an authentication approval result of an authentication approval procedure performed using the authentication means information generated through the encryption block. .

According to the present invention, when a user's first terminal requests authentication through a first communication network, a contactless medium including a contactless financial IC card such as a transportation card or a contactless/combi-type credit card in a user's second terminal equipped with an NFC module There is an advantage of authenticating in proximity.

According to the present invention, there is an advantage in that the encryption block read from the contactless medium is not decrypted in the second terminal and is not exposed during authentication by bringing the contactless medium including the contactless financial IC card close to the user's second terminal.

According to the present invention, the second terminal of the user participating in the authentication in the process of reading an encryption block from the contactless medium and authentication processing by bringing the contactless medium including the contactless financial IC card close to the user's second terminal, the operation server, There is an advantage in that the security server and the decryption server mutually authenticate the operation or validity of the other party to safely process the authentication.

1 is a diagram showing the configuration of a two-channel authentication system using a contactless medium according to an embodiment of the present invention.
2 is a diagram illustrating a functional configuration of a second terminal and a program according to an embodiment of the present invention.
3 is a diagram illustrating a server authentication and NFC activation process using a second terminal according to an embodiment of the present invention.
4 is a diagram illustrating a primary information exchange process between a second terminal and a security server for non-contact medium access according to an embodiment of the present invention.
5 is a diagram illustrating a secondary information exchange process between a second terminal and a security server for non-contact medium access according to an embodiment of the present invention.
6 is a diagram illustrating a secondary information exchange process between a second terminal and a security server for non-contact medium access according to another embodiment of the present invention.
7 is a diagram illustrating a process of reading a cipher block from a contactless medium according to an embodiment of the present invention.
8 is a diagram illustrating a process of performing an authentication procedure using a cipher block read from a contactless medium according to an embodiment of the present invention.
9 is a diagram illustrating a process of performing an authentication procedure using a cipher block read from a contactless medium according to another embodiment of the present invention.
10 is a diagram illustrating a process of performing an authentication approval procedure using an authentication means generated through an encryption block according to an implementation method of the present invention.

Hereinafter, the principle of operation of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. However, the drawings shown below and the description to be given below relate to a preferred implementation method among various methods for effectively explaining the characteristics of the present invention, and the present invention is not limited only to the following drawings and description.

That is, the following embodiment corresponds to an embodiment of a preferred union type among numerous embodiments of the present invention, and an embodiment in which a specific configuration (or step) is omitted in the following embodiment, or a specific configuration (or step) An embodiment in which a function implemented in a function is divided into a specific configuration (or step), or an embodiment in which a function implemented in two or more configurations (or step) is integrated into any one configuration (or step), a specific configuration (or step) Embodiments in which the order of operation is replaced, etc. are clearly stated to be within the scope of the present invention, even if not separately mentioned in the following embodiments. In addition, in the embodiment that implements a specific component implemented on the server side in the following embodiment on the terminal side and refers to it on the server side, or conversely, implements a specific component implemented on the terminal side in the following embodiment on the server side and in the terminal It is also clearly stated that all embodiments using the same belong to the scope of the present invention. Therefore, based on the following examples, it is clearly specified that various examples corresponding to a subset or a complement can be divided retroactively from the filing date of the present invention.

In addition, in the following description of the present invention, if it is determined that a detailed description of a related well-known function or configuration may unnecessarily obscure the gist of the present invention, the detailed description thereof will be omitted. And the terms to be described later are terms defined in consideration of functions in the present invention, which may vary according to intentions or customs of users and operators. Therefore, the definition should be made based on the content throughout the present invention.

As a result, the technical spirit of the present invention is determined by the claims, and the following examples are one means for efficiently explaining the technical spirit of the present invention to those of ordinary skill in the art to which the present invention belongs. only

1 is a diagram showing the configuration of a two-channel authentication system using a contactless medium 100 according to an embodiment of the present invention.

In more detail, FIG. 1 shows that when a user's first terminal 105 requests an authentication through the first communication network, after the user requests an authentication procedure to the user's second terminal 200 via a separate second communication network, a designated security server A specified storage area (n, 0≤n<N) among N (N>1) storage areas on the NFC (Near Field Communication)-based contactless medium 100 interfaced to the second terminal 200 through 150 ) and processing the authentication corresponding to the authentication request of the first terminal 105 through the authentication means generated using the encryption block read from the contactless medium 100 through the designated decryption server 160 As showing the configuration of the system, those of ordinary skill in the art to which the present invention pertains, refer to and/or modify this figure 1 to various implementations of the configuration of the two-channel authentication system using the non-contact medium 100 A method (eg, an implementation method in which some components are omitted, subdivided, or combined) may be inferred, but the present invention includes all the implementation methods inferred above, and only the implementation method shown in FIG. 1 is used. Its technical characteristics are not limited.

The present invention is an NFC-based device having a first terminal 105 of a user requesting authentication through a first communication network, N storage areas, and storing a cryptographic block in a designated storage area (n) among the N storage areas. of the user's second terminal 200 and the user's first terminal 105 interfaced with the contactless medium 100 through the NFC module 205 and connected to a second communication network. After confirming the authentication request and performing the procedure of accessing the storage area n for storing the encryption block among the storage areas of the non-contact medium 100 interfaced with the user's second terminal 200 using the second communication network, the The non-contact medium interfaced with the operation server 110 and the second terminal 200 through the second communication network and the operation server 110 for performing the authentication approval related procedure using the cipher block read from the designated storage area (n) of the contactless medium (100) A security server 150 that provides an authentication key for accessing the storage area n of 100 and the authentication means information corresponding to the encryption block read from the storage area n of the contactless medium 100 are generated. and a decryption server 160, and an authentication server 170 that performs an authentication approval procedure using the authentication means information generated through the encryption block. The operation server 110, the security server 150, the decryption server 160, the authentication server 170, etc. are interlocked with a communication network (eg, a dedicated line), and depending on the business relationship that operates each server, some servers are one It can be implemented as a server.

The first terminal 105 is a generic name of a terminal that requests authentication through a first communication network that is physically/logically distinct from a second communication network to which the second terminal 200 having the NFC module 205 is connected, Preferably, a wired terminal (eg, a computer connected to the wired Internet, a laptop computer, etc.) connected to a wired communication network (eg, wired Internet, etc.) is included. However, the first terminal 105 is not limited to the wired terminal, and the second terminal 200 having the NFC module 205 requests authentication through a first communication network that is distinct from the second communication network to which it is connected. As long as it is a terminal, it is clearly stated that any terminal (eg, a wireless communication terminal or IPTV, etc.) may be included.

According to the embodiment of the present invention, the first terminal 105 accesses a designated web server (eg, a shopping mall server, etc.) through a first communication network and requests authentication using the contactless medium 100 according to the present invention. The authentication request through the first terminal 105 may be directly transmitted to the operation server 110 or may be transmitted to the operation server 110 through a separate relay organization (eg, PG, etc.).

The contactless medium 100 is a generic term for media that interfaces with the second terminal 200 through NFC, preferably a transportation card that supports NFC (eg, T-money card), and a non-contact IC card that supports NFC (eg, Postpaid transportation cards, credit cards supporting NFC, various ID cards supporting NFC, etc.) may be included.

According to the embodiment of the present invention, the contactless medium 100 is equipped with a chip having N storage areas, and is decrypted through the decryption server 160 designated in any one of the N storage areas (n). Record and maintain possible cipher blocks.

The second terminal 200 is a generic term for terminals having an NFC module 205 for processing NFC and connecting to a second communication network physically/logically distinct from the first communication network to which the first terminal 105 is connected. , preferably including a wireless terminal (eg, mobile phone, smart phone, tablet PC, etc.) connected to a wireless communication network (eg, mobile communication network, portable Internet, wireless LAN, etc.). However, the second terminal 200 is not limited to the wireless terminal, and any terminal (eg, supporting NFC) is a terminal having an NFC module 205 connected to a second communication network that is distinct from the first communication network. Wired terminals) are clearly included. Hereinafter, for convenience, the features of the present invention will be mainly described with reference to an embodiment in which the second terminal 200 is a wireless terminal such as a smart phone. The second terminal 200 communicates with the operation server 110 through the second communication network by interworking with the non-contact medium 100 through the NFC module 205 (or, depending on the implementation method, the security server 150, the decryption server ( 160), a program 210 that enables direct communication with at least one of them) is loaded, and a preferred embodiment thereof will be described with reference to FIG. 2 .

The security server 150 operates a security module 155 that manages various authentication keys for reading the encryption block recorded in the storage area n of the non-contact medium 100 interfaced with the second terminal 200 . As a generic name of a server, preferably, the security module 155 may include a configuration of a SAM (Secure Application Module, Secure Access Module) implemented in a server on a network.

According to the first security module 155 interworking embodiment of the present invention, the program 210 of the second terminal 200 passes through the operation server 110 or at least one relay server (not shown). to communicate with the security server 150 .

According to the second security module 155 interworking embodiment of the present invention, the program 210 of the second terminal 200 sets communication information for communication with the security server 150, and transmits the communication information. It can communicate with the security server 150 by using.

The decryption server 160 is a generic name of a server operating a decryption module 165 that decrypts an encryption block recorded in the storage area n of the contactless medium 100 interfaced with the second terminal 200, preferably Thus, the decryption module 165 may include the configuration of a SAM implemented in a server on a network.

According to the first decryption module 165 interworking embodiment of the present invention, the program 210 of the second terminal 200 passes through the operation server 110 or at least one relay server (not shown). to communicate with the decryption server 160 .

According to the second decryption module 165 interworking embodiment of the present invention, the program 210 of the second terminal 200 sets communication information for communication with the decryption server 160, and transmits the communication information. can be used to communicate with the decryption server 160 .

According to the embodiment of the present invention, the security server 150 and the decryption server 160 may be integrated into one server or individually implemented as each server. An embodiment in which the security server 150 and the decryption server 160 are implemented as separate servers will be described and illustrated.

The authentication server 170 is a server that performs an authentication approval procedure using authentication means information generated through an encryption block recorded in the storage area n of the non-contact medium 100 interfaced with the second terminal 200. As a generic name, it may include a financial company server that preferably includes at least one of a card company server, a bank server, and the like, and in this case, the authentication and approval procedure may be performed through the financial company server. Meanwhile, depending on the implementation method, the authentication server 170 may include a payment relay server (eg, payment agency, VAN, etc.) that interworks with at least one financial company server. In this case, the authentication approval procedure is performed between the payment relay server and the financial company. It may be performed by interworking with the server.

The operation server 110 is a generic name of a server that communicates with the program 210 of the second terminal 200 and performs at least one specified procedure for authentication processing, preferably the program of the second terminal 200 . Communication between the 210 and the security server 150 , the decryption server 160 and the authentication server 170 may be relayed.

According to the embodiment of the present invention, communication between the program 210 of the second terminal 200 and the operation server 110 is encrypted/decrypted according to a predetermined encryption/decryption method and is processed, according to an embodiment of the present invention Even if not mentioned separately in the second terminal 200, the communication between the program 210 and the operation server 110 (and/or the communication between the security server 150, and/or the communication between the decryption server 160) is designated It specifies that encryption/decryption is performed according to the encryption/decryption method.

Referring to FIG. 1 , the operation server 110 includes a first communication confirmation unit 112 for confirming communication with a first terminal 105 via a first communication network, and from the first terminal 105 . An authentication request receiving unit 114 for receiving authentication request information transmitted through a first communication network, and an authentication request storage unit 118 for storing the received authentication request information, the first terminal through a first communication network In step 105, an authentication request response unit 116 for processing a response to the authentication request is provided.

When the user's first terminal 105 accesses the web server through the first communication network and selects authentication according to the present invention, the first communication confirmation unit 112 is configured to connect to a designated path (eg, the first terminal 105 and Communication with the first terminal 105 is confirmed through a direct path for direct communication or a relay path through a designated relay organization.

When the user's first terminal 105 requests authentication according to the present invention through the first communication network, the authentication request receiving unit 114 is configured by a designated path (eg, a direct path communicating directly with the first terminal 105, or The authentication request information for the authentication request requested by the first terminal 105 is received through a relay path through a designated relay organization.

According to the first authentication request method of the present invention, the authentication request information is transmitted from the user's first terminal 105, and the authentication request receiving unit 114 is the user's first terminal ( 105) can receive the authentication request information sent from.

According to the second authentication request method of the present invention, the authentication request information is requested to be transmitted to a web server through the first terminal 105 of the user, and the authentication request receiving unit 114 receives the web server on the first communication network. It is possible to receive the authentication request information transmitted through the

According to the third authentication request method of the present invention, the authentication request information is requested to be transmitted to a relay organization through the first terminal 105 of the user, and the authentication request receiving unit 114 is a designated relay organization on the first communication network. It is possible to receive the authentication request information transmitted through

According to the fourth authentication request method of the present invention, the authentication request information is transmitted in a manner that partially combines the first to third authentication request methods, and the authentication request receiving unit 114 receives the first to second authentication requests. It is possible to receive authentication request information in a combined method. For example, a part of the authentication request information may be transmitted from the first terminal 105 or a part of the authentication request information may be transmitted from a relay organization.

According to the implementation method of the present invention, the authentication request information includes affiliated store information (eg, affiliated store ID, affiliated store name, etc.), a transaction number (eg, a number that identifies each authentication request, etc.) ), it is preferable to include at least one of an authentication result transmission URL, and an authentication revocation response URL.

The authentication request storage unit 118 stores the authentication request information received through the authentication request receiving unit 114 in a designated storage medium and maintains it until the authentication approval result for the authentication request is confirmed or the authentication cancellation is requested. .

The authentication request response unit 116 generates at least one authentication response information for the authentication request information received through the authentication request receiving unit 114, and transmits the generated authentication response information through the first communication network to the second communication network. It is provided to one terminal (105). Preferably, the authentication request response unit 116 provides an authentication approval result to the first terminal 105 or transmits various error information generated while performing an authentication-related procedure to the first terminal 105 . can provide

Referring to FIG. 1 , the operation server 110 includes a second terminal confirmation unit 120 having an NFC module 205 among the user's terminals and confirming the second terminal 200 connected to the second communication network and , a second communication activation unit 122 for activating communication between the second terminal 200 and the operation server 110 through a second communication network, and provided in the second terminal 200 through the second communication network A driving/activation confirmation unit 124 for confirming driving or activation of the program 210, and an authentication information (s) generating unit 126 for generating authentication information (s) for authentication processing of the authentication request information; An authentication code (s) generating unit 128 that dynamically generates an authentication code (s) for server authentication through the program 210 of the second terminal 200, and the driven or activated second terminal 200 It has an information providing unit 130 that provides the authentication information (s) and the authentication code (s) to the program 210 of the. On the other hand, the authentication code (s) generating unit 128 may be implemented in the form of a separate server interworking with the operation server 110, thereby, the present invention is not limited thereto.

The second terminal confirmation unit 120 is a second terminal ( 200) is checked.

According to the implementation method of the present invention, the second terminal confirmation unit 120 is the first terminal 105 information of the user (eg, in at least one server of a web server, a relay organization, and an operation server 110 ) Information allocated to the terminal 105, address information uniquely set to the first terminal 105 (IP/MAC, etc.) or user identification information using the first terminal 105 (eg, unique ID of the user, web server, etc.) , relay agency, and at least one server of the operating server 110 may register and store information on the user's second terminal 200 and the user's second terminal 200 in advance, and in this case, the first communication confirmation Through the unit 112, the user's first terminal 105 information (or user identification information using the first terminal 105) is checked, and the user's first terminal 105 information (or the first terminal 105) is checked. ) using the user identification information) and the mapped user's second terminal 200 can be identified. Alternatively, the second terminal confirmation unit 120 may read the authentication request information received through the authentication request receiving unit 114 to confirm the user's second terminal 200 information (eg, mobile phone number, etc.).

When the user's second terminal 200 is confirmed, the second communication activation unit 122 sends the user's second terminal 200 through a second communication network of the program 210 provided in the second terminal 200 . By performing a procedure of sending a push notification for driving (eg, executing the program 210) or activating (eg, activating from the background to the front), the program 210 of the second terminal 200 is driven or activated According to the communication macro set in the program 210, it is possible to process to request a communication connection to the operation server (110). Alternatively, the second communication activation unit 122 performs a procedure of outputting a message for driving or activating the program 210 of the second terminal 200 to the first terminal 105, thereby allowing the user to use the second terminal It may be requested to drive or activate the program 210 of 200 . Meanwhile, the second communication activation unit 122 may be omitted depending on the implementation method, and the present invention is not limited thereto.

The drive/activation check unit 124 checks whether the program 210 provided in the second terminal 200 is driven or activated through the second communication network. Preferably, when the program 210 of the second terminal 200 is driven or activated and a communication connection with the operation server 110 is attempted according to a designated communication macro, the driving/activation confirmation unit 124 is the communication connection It can be confirmed that the program 210 of the second terminal 200 that attempts to do this is driven or activated.

After receiving the authentication request information through the authentication request receiving unit 114 and before transmitting the designated information to the program 210 of the second terminal 200 through the information providing unit 130, the authentication The information (s) generating unit 126 generates authentication information (s) for authentication processing of the authentication request information. According to an implementation method, the authentication information (s) may further include at least one of affiliate store information and a transaction number.

After receiving the authentication request information through the authentication request receiving unit 114 and before transmitting the designated information to the program 210 of the second terminal 200 through the information providing unit 130, the authentication The code (s) generator 128 authenticates the validity of the operation server 110 that provides the authentication information through the program 210 of the second terminal 200, and additionally the second terminal 200 (or the program 210 of the second terminal 200) dynamically generates an authentication code (s) for performing validation and/or transaction verification. Preferably, the authentication code (s) generating unit 128 is a shared value exchanged/shared in advance/real time with the program 210 of the second terminal 200 (eg, MIN of the second terminal 200, Exchange/shared key value, etc.) and/or a synchronization value synchronized with the program 210 of the second terminal 200 (eg, time, etc.) is substituted into a designated code generation algorithm (eg, hash algorithm) to provide an authentication code (s) can be created dynamically.

The information providing unit 130 is the authentication information (s) generated through the authentication information (s) generating unit 126 and the authentication code (s) dynamically generated through the authentication code (s) generating unit 128 is checked, and provided as the program 210 of the second terminal 200 confirmed to be driven or activated through the driving/activation confirmation unit 124 . The authentication information (s) and the authentication code (s) may be transmitted together or provided sequentially according to a specified order.

The program 210 of the second terminal 200 receives the authentication information (s) and the authentication code (s) from the operation server (110). On the other hand, after the program 210 of the second terminal 200 is driven or activated, or after receiving the authentication information (s) and/or the authentication code (s), the user's PIN input is requested, and the user Authenticates the validity of the input PIN. To this end, the program 210 of the second terminal 200 may receive the user's PIN in advance and store and manage it in a designated storage area.

When the authentication code (s) is received from the operation server 110, the program 210 of the second terminal 200 authenticates the validity of the received authentication code (s) using a designated code verification procedure. . For example, the program 210 of the second terminal 200 is a shared value exchanged/shared in advance/real time with the operation server 110 (eg, MIN of the second terminal 200, exchanged/shared key value) and/or a synchronization value (eg, time, etc.) synchronized with the operation server 110 to generate a verification code (s) by substituting a specified code generation algorithm (eg, hash algorithm), and the received The validity of the authentication code (s) may be verified by comparing the authentication code (s) with the generated verification code (s).

When the authentication information (s) is received from the operation server 110 , the program 210 of the second terminal 200 outputs the received authentication information (s), and reads from the contactless medium 100 . The authentication information (t) for the authentication approval request using the encrypted block is generated.

According to the implementation method of the present invention, the program 210 of the second terminal 200 is the user's personal information (eg, the first 6 digits of the resident number, etc.) and/or confidential information (eg, 2 digits of the card password) is requested to be input, and the authentication information t may include personal information and/or confidential information input from the user. Meanwhile, depending on the implementation method, the authentication information t may include all or at least a part of the authentication information s.

When the validity of the authentication code (s) is authenticated, the program 210 of the second terminal 200 performs a procedure for reading the encryption block from the contactless medium 100 interfaced to the second terminal 200. do. Preferably, the program 210 of the second terminal 200 performs a procedure of activating the NFC module 205 of the second terminal 200 (however, it can be omitted if it is already activated), and the second Inducing information for guiding the contactless medium 100 to come close to the NFC module 205 of the terminal 200 is displayed, and the contactless medium ( 100) is recognized.

The program 210 of the second terminal 200 is a medium access procedure for accessing the storage area of the non-contact medium 100 to read the cipher block recorded in the designated storage area of the recognized non-contact medium 100 , and the medium access procedure may be processed through communication between the program 210 of the second terminal 200 interfaced with the contactless medium 100 and the security server 150 .

According to an embodiment of the present invention, communication between the program 210 of the second terminal 200 and the security server 150 for the medium access procedure may be processed via the operation server 110, and this In order to access the storage area of the non-contact medium 100 interfaced through the NFC module 205 of the second terminal 200, the operation server 110 reads an encryption block from the contactless medium 100. A medium access procedure relay unit 132 for relaying the medium access procedure between the program 210 of the second terminal 200 and the security server 150 may be provided.

The program 210 of the second terminal 200 is a unique serial number (eg, CSN (Card Serial) of the contactless medium 100) from the contactless medium 100 through the NFC module 205 of the second terminal 200 Number, Chip Serial Number, etc.) are read, and the unique serial number read from the non-contact medium 100 through a designated path is transferred to the designated security server 150 . Preferably, the program 210 of the second terminal 200 transmits the read unique serial number to the operation server 110, and the media access procedure relay unit 132 of the operation server 110 is the The unique serial number may be transmitted to the security server 150 . Meanwhile, according to an implementation method, the program 210 of the second terminal 200 may transmit the unique serial number to the security server 150 through the second communication network.

The security server 150 is a designated storage area (m, 0≤m<N) among N (N>1) storage areas provided in the non-contact medium 100 corresponding to the unique serial number from the security module 155 . Extracts the first authentication key for reading the authentication code (m) recorded in the process to be transmitted to the program 210 of the second terminal 200 through a designated path. Preferably, the security server 150 transmits the first authentication key to the operation server 110, and the medium access procedure relay unit 132 of the operation server 110 transmits the first authentication key to the first authentication key. It can be transmitted to the program 210 of the second terminal 200 . Meanwhile, according to an implementation method, the security server 150 may transmit the first authentication key to the program 210 of the second terminal 200 through a second communication network.

The program 210 of the second terminal 200 that has received the first authentication key transmits the first authentication key to the contactless medium 100 through the NFC module 205 of the second terminal 200. The authentication code (m) recorded in the designated storage area (m) of the contactless medium 100 is requested. The contactless medium 100 responds to the authentication code m recorded in the storage area m when authentication is successful by authenticating the first authentication key according to a specified authentication procedure, and the second terminal 200 The program 210 of the reads the authentication code (m) recorded in the storage area (m) of the contactless medium (100). Meanwhile, according to the implementation method, the non-contact medium 100 may respond to issuer information (Issuer), and the program 210 of the second terminal 200 may read the issuer information of the contactless medium 100. . In this case, it is preferable that the authentication code (m) and the issuer information are read together.

According to the implementation method of the present invention, the authentication code (m) is a code value for obtaining the second authentication key by transferring the encryption block recorded in the storage area (n) of the contactless medium 100 to the SAM to read. As (Certificate Code), it may be omitted or replaced with another value depending on the implementation method (or the type of chip of the non-contact medium 100 ).

The program 210 of the second terminal 200 processes the authentication code m read from the non-contact medium 100 through a designated path to be transmitted to the security server 150 . Preferably, the program 210 of the second terminal 200 transmits the read authentication code (m) to the operation server 110, and the media access procedure relay unit 132 of the operation server 110 may transmit the authentication code (m) to the security server 150 . Meanwhile, according to an implementation method, the program 210 of the second terminal 200 may transmit the authentication code m to the security server 150 through a second communication network.

The security server 150 authenticates the validity of the authentication code (m) through the security module 155, and when the validity of the authentication code (m) is authenticated, the contactless medium 100 from the security module 155 The program of the second terminal 200 through the designated path by extracting the second authentication key for reading the cipher block recorded in the designated storage area (n, 0≤n<N, n≠m) It is processed to be forwarded to (210). Preferably, the security server 150 transmits the second authentication key to the operation server 110, and the medium access procedure relay unit 132 of the operation server 110 transmits the second authentication key to the second authentication key. It can be transmitted to the program 210 of the second terminal 200 . Meanwhile, according to an implementation method, the security server 150 may transmit the second authentication key to the program 210 of the second terminal 200 through a second communication network.

According to the implementation method of the present invention, the security server 150, the security server 150 that performs a medium access procedure for reading the cipher block from the contactless medium 100, and the non-contact as a result of the medium access procedure An authentication value is generated for validation between the decryption server 160 that decrypts the cipher block read from the medium 100, and the authentication value is transmitted to the program 210 of the second terminal 200 through a designated path. can be processed for delivery.

According to the implementation method of the present invention, the security server 150 is synchronized with the decryption server 160 and a shared value (eg, secret key, etc.) exchanged/shared in advance/real time with the decryption server 160 . An authentication value can be dynamically generated by substituting the synchronized value (eg, time, random number, etc.) into a specified code generation algorithm (eg, hash algorithm), in this case, between the security server 150 and the decryption server 160 . Even if the authentication value is not shared, the validity of the authentication value may be authenticated through the code verification procedure performed by the decryption server 160 . Meanwhile, the security server 150 may generate an authentication value through a random number algorithm. In this case, the security server 150 may share the authentication value with the decryption server 160 to be authenticated.

According to the implementation method of the present invention, the authentication value is included in the second authentication key and one transaction block and transmitted to the program 210 of the second terminal 200, or each ( or sequentially) may be transmitted to the program 210 of the second terminal 200 . When the second authentication key and the authentication value are transmitted to the program 210 of the second terminal 200 through one transaction block, the security server 150 transmits the second authentication key and the authentication value to the operation server 110 , and the media access procedure relay unit 132 of the operation server 110 may transmit the second authentication key and the authentication value to the program 210 of the second terminal 200 . Meanwhile, according to an implementation method, the security server 150 may transmit the second authentication key and the authentication value to the program 210 of the second terminal 200 through a second communication network.

The program 210 of the second terminal 200 that has received the second authentication key transmits the second authentication key to the contactless medium 100 through the NFC module 205 of the second terminal 200. The cipher block recorded in the designated storage area n of the contactless medium 100 is requested. The contactless medium 100 responds to the encryption block recorded in the storage area n when the second authentication key is authenticated according to a specified authentication procedure and authentication is successful, and the program ( 210 reads the cipher block recorded in the storage area n of the contactless medium 100 .

When the cipher block is read from the non-contact medium 100, the program 210 of the second terminal 200 transmits the cipher block read from the non-contact medium 100 to the decryption server 160 through a designated path. In order to authenticate the validity of the second terminal 200 that has driven or activated the program 210 through the operation server 110, dynamically generated through the program 210 of the second terminal 200 The authentication code (t) and authentication information (t) for requesting authentication approval is transmitted to the operation server 110 . The read cryptographic block and the generated authentication code (t) and authentication information (t) are included in one transaction block and transmitted to the operation server 110, or each (or sequentially) transmitted through a designated sequence or path can be

On the other hand, when the authentication value generated through the security server 150 is received by the program 210 of the second terminal 200, the program 210 of the second terminal 200 performs the encryption block and the authentication. The value may be transferred to the decryption server 160 . The cryptographic block and the authentication value may be transmitted through one transaction block, or may be transmitted separately (or sequentially) through a designated order or path.

Referring to Figure 1, the operation server 110, the second terminal from the designated storage area (n) of the contactless medium 100 supporting NFC through the NFC module 205 of the second terminal 200 The cipher block read by the program 210 of 200 and the program 210 dynamically generated through the program 210 of the second terminal 200 for authentication of the second terminal 200 driving or activating the program 210 An information receiving unit 134 for receiving an authentication code (t) and authentication information (t) for an authentication approval request, and an authentication code (t) authentication unit 136 for authenticating the validity of the received authentication code (t) and , an authentication information (t) authentication unit 138 for authenticating the integrity of the received authentication information t, and an authentication means requesting unit requesting authentication means information corresponding to the encryption block from a designated decryption server 160 ( 140) is provided. On the other hand, the authentication code (t) authentication unit 136 may be implemented in the form of a separate server interworking with the operation server 110, thereby, the present invention is not limited thereto.

When the program 210 of the second terminal 200 transmits the cipher block read from the designated storage area n of the non-contact medium 100, the information receiving unit 134 of the second terminal 200 The cipher block is received from the program 210 . On the other hand, when the program 210 of the second terminal 200 transmits the encryption block and the authentication value, the information receiving unit 134 receives the encryption block and authentication from the program 210 of the second terminal 200 . value can be received.

The program 210 of the second terminal 200 generates an authentication code t for authenticating the validity of the second terminal 200 driving or activating the program 210 through the operation server 110 . to transmit, the information receiving unit 134 receives the authentication code t from the program 210 of the second terminal 200 . Preferably, the program 210 of the second terminal 200 is a shared value exchanged/shared in advance/real time with the operation server 110 (eg, MIN of the second terminal 200, exchanged/shared key) value) and/or a synchronization value (eg, time, etc.) synchronized with the operation server 110 may be substituted for a designated code generation algorithm (eg, hash algorithm) to dynamically generate an authentication code (t).

When an authentication code (t) is received from the program 210 of the second terminal 200, the authentication code (t) authentication unit 136 uses a specified code verification procedure to determine the number of the received authentication code (t). Validate validity. For example, the authentication code (t) authentication unit 136 is a shared value exchanged/shared in advance/real time with the program 210 of the second terminal 200 (eg, the MIN of the second terminal 200) , exchanged/shared key value, etc.) and/or a synchronization value (eg, time, etc.) synchronized with the program 210 of the second terminal 200 by substituting a designated code generation algorithm (eg, hash algorithm) to verify The validity of the authentication code t may be verified by generating a code t, and comparing the received authentication code t with the generated verification code t.

When the authentication information (t) is received from the program 210 of the second terminal 200, the authentication information (t) authentication unit 138 through the information providing unit 130 to the second terminal 200 Checks the authentication information (s) provided to the program 210 of the, and compares the configuration items of the authentication information (s) and the configuration items of the authentication information (t) for each item and confirms whether they match. For example, the authentication information (t) authentication unit 138 may authenticate whether the transaction number of the authentication information (t) matches the transaction number of the authentication information (s). If the configuration items of the authentication information (t) and the authentication information (s) match, the authentication information (t) may be authenticated as intact without being forged/falsified.

When the validity of the authentication code (t) is authenticated, and/or the integrity of the authentication information (t) is authenticated, the authentication means requesting unit 140 designates the encryption block received through the information receiving unit 134 . By transmitting to the decryption server 160 , the authentication means information corresponding to the encryption block is requested through the decryption module 165 of the decryption server 160 . On the other hand, when an authentication value is received from the program 210 of the second terminal 200, the authentication means requesting unit 140 transmits the authentication value to the decryption server 160, so that the decryption server 160 It can be processed to authenticate that the encryption block was read from the contactless medium 100 as a result of the medium access procedure through the security server 150 .

According to the implementation method of the present invention, the encryption block is encrypted to be decrypted using a decryption key managed through the decryption module 165 of the decryption server 160 and recorded in the storage area n of the contactless medium 100 . can be Alternatively, according to the implementation method, the block information recorded in the storage area n at the time the encryption block is read through the medium access procedure is decrypted through a decryption key managed through the decryption module 165 of the decryption server 160 It may be encrypted so as to be read, and the present invention is not limited thereto.

According to the implementation method of the present invention, the encryption block includes authentication means information (eg, credit card information, check card information, debit card information, cash card information, prepaid card information, transportation card) corresponding to the authentication means to be used for authentication processing. At least one card information or account information among the information) may be encrypted and included, or identification information for identifying an authentication means to be used in the authentication process may be encrypted and included. Alternatively, the encryption block may include predetermined block information in addition to the authentication means information or identification information.

The decryption server 160 checks the encryption module read from the contactless medium 100 and generates authentication means information corresponding to the encryption block through the decryption module 165 .

According to the first authentication means generating method of the present invention, when the authentication means information is encrypted in the encryption block, the decryption server 160 may decrypt the encryption block to generate the authentication means information.

According to the second authentication means generation method of the present invention, when the identification information for identifying the authentication means is encrypted in the encryption block, the decryption server 160 decrypts the encryption block to confirm the authentication means information, and authenticate The identification information and It is possible to obtain the mapped authentication means information.

According to the third authentication means generation method of the present invention, the encryption block can perform a function of an identifier mapped with authentication means information. In this case, the decryption server 160 stores authentication means information to be used for authentication processing. authentication means information mapped with the encryption block can be obtained from a secure storage medium (eg, the SAM storage area of the decryption module 165, DB of a financial company, or a secure storage medium allowed to store authentication means information) have.

According to the fourth authentication means generation method of the present invention, the decryption server 160 decrypts the encryption block to confirm block information (or authentication means information, identification information, etc. possible, hereinafter referred to as block information for convenience), By using the block information, it is possible to generate authentication means information of a designated information system corresponding to the authentication means. For example, the decryption server 160 may generate authentication means information by substituting a hash value generated by hashing the block information into a designated information system. In this case, the authentication means information is a function of a one-time authentication means can be performed. Alternatively, the decryption server 160 may generate authentication means information by substituting some information of the block information into a designated information system.

According to the fifth authentication means generating method of the present invention, the decryption server 160 may generate authentication means information of a designated information system corresponding to the authentication means by using the encryption block. For example, the decryption server 160 may generate authentication means information by substituting a hash value generated by hashing the encryption block into a designated information system. In this case, the authentication means information is a function of a one-time authentication means can be performed. Alternatively, the decryption server 160 may generate authentication means information by substituting some information of the encryption block into a designated information system.

On the other hand, the decryption server 160 generates authentication means information in the form of combining two or more of the first to fifth authentication means generating methods, or by modifying some of the first to fifth authentication means generating methods to provide authentication means. It is possible to generate information, and it is clearly stated that the present invention is not limited thereto. That is, the present invention includes the number of all cases of generating authentication means information to be used for authentication by using the encryption block as the scope of rights.

The decryption server 160 transmits the authentication means information generated using the encryption block to the operation server 110 based on one or more of the first to fifth authentication means generation methods or a modified method thereof.

On the other hand, when the authentication value is received from the operation server 110, the decryption server 160 authenticates the validity of the authentication value. Preferably, the decryption server 160 may authenticate the validity of the received authentication code (s) using a specified code verification procedure. For example, the decryption server 160 converts a shared value exchanged/shared in advance/real time with the security server 150 and/or a synchronization value synchronized with the security server 150 to a designated code generation algorithm (eg, hash algorithm) to generate a verification value, and compare the verification value with the verification value to verify the validity of the verification code (s). Alternatively, when the authentication value is a random number generated through the security server 150, the decryption server 160 receives the random number from the security server 150, and uses the shared random number to validate the authentication value. can be authenticated. Preferably, the decryption server 160 may generate authentication means information through the encryption block when the validity of the authentication value is authenticated.

Referring to Figure 1, the operation server 110, the authentication means receiving unit 142 for receiving the authentication means information generated through the encryption block from the decryption server 160, the authentication means information and authentication information ( t) to the designated authentication server 170 to request authentication approval; and an approval result transmitting unit 148 that transmits the approval result to the program 210 of the second terminal 200 .

When the decryption server 160 transmits the authentication means information generated through the encryption block through the decryption module 165, the authentication means receiving unit 142 generates from the decryption server 160 through the encryption block. Receive the authentication means information.

The authentication approval procedure unit 144 includes the authentication means information received from the decryption server 160 and the authentication information t (or authentication information s) received from the program 210 of the second terminal 200 ). transmits to the designated authentication server 170 to request authentication approval for the authentication information t through the authentication means information, and the authentication server 170 receives the authentication information t through the authentication means information. Perform the certification approval process for For example, when the authentication means information includes card information and the authentication means is a financial company server, the financial company server includes card information corresponding to the authentication means information and personal information included in the authentication information (t) and/ Alternatively, an authentication approval procedure for determining whether a card corresponding to the card information is validly issued and operated to the user by using the secret information may be performed. If, according to another implementation method of the present invention, the operation server 110 and the authentication server 170 are implemented as servers of the same operator (eg, a financial company), the authentication approval procedure unit 144 uses the authentication means information. An authentication approval procedure for the authentication information t may be performed.

The authentication server 170 generates an authentication approval result including the result of performing the authentication approval procedure and transmits it to the operation server 110 , and transmits the approval result receiving unit 146 to the authentication server 170 from the authentication server 170 . Upon receiving the authentication approval result, the approval result transfer unit 148 transmits the authentication approval result to the program 210 of the second terminal 200 . Meanwhile, upon receiving the authentication approval result from the authentication server 170 , the authentication request response unit 116 may transmit the authentication approval result to the first terminal 105 side through a designated path.

2 is a diagram showing the functional configuration of the second terminal 200 and the program 210 according to an embodiment of the present invention.

In more detail, FIG. 2 shows authentication processing of access authority to the designated storage area n of the non-contact medium 100 interfaced through the NFC module 205 of the second terminal 200 through the designated security server 150 and the configuration of the program 210 that performs an authentication procedure for processing the encryption block read from the storage area n of the contactless medium 100 to be transmitted to the designated decryption server 160, and a second terminal ( 200), those of ordinary skill in the art to which the present invention pertains can infer various implementation methods for the function of the second terminal 200 by referring to and/or modifying this FIG. However, the present invention is made including all the implementation methods inferred above, and the technical characteristics are not limited only to the implementation method shown in FIG. 2 . Preferably, the second terminal 200 of FIG. 2 may include at least one of various smart phones, various tablet PCs, various PDA's, and various mobile phones capable of wireless communication.

Referring to FIG. 2 , the second terminal 200 includes a control unit 201 , a memory unit 209 , a screen output unit 202 , a user input unit 203 , a sound processing unit 204 , and an NFC module 205 . and a short-range wireless communication unit 206, a wireless network communication unit 207, a USIM reader unit 208, and a USIM, and a battery for supplying power.

The control unit 201 is a generic name of components for controlling the operation of the second terminal 200, and includes at least one processor and an execution memory, and includes each component provided in the second terminal 200 and It is connected through a bus (BUS). According to the present invention, the control unit 201 loads at least one program code provided in the second terminal 200 through the processor into the execution memory for operation, and outputs the result to at least one program code through the bus. It is transmitted to the component to control the operation of the second terminal 200 . Hereinafter, for convenience, the configuration of the program 210 of the present invention implemented in the form of a program code will be described by showing it in the control unit 201 .

The memory unit 209 is a generic term for non-volatile memories corresponding to the storage resources of the second terminal 200 , and includes at least one program code executed through the control unit 201 and at least one program code used by the program code. Save and maintain the dataset of The memory unit 209 basically includes a system program code and system data set corresponding to the operating system of the second terminal 200 , and a communication program code and communication data set for processing wireless communication connection of the second terminal 200 . and at least one application program code and application data set, and the program code and data set corresponding to the program 210 of the present invention are also stored in the memory unit 209 .

The screen output unit 202 includes a screen output device (eg, a liquid crystal display (LCD), etc.) and a driving module for driving the same, and is interlocked with the control unit 201 to display a screen among various calculation results of the control unit 201 . An operation result corresponding to the output is output to the screen output device.

The user input unit 203 includes one or more user input devices (eg, a button, a keypad, a touch pad, a touch screen interlocking with the screen output unit 202, etc.) and a driving module for driving the same, and the control unit 201 and A command for instructing various operations of the control unit 201 is interlocked, or data necessary for the operation of the control unit 201 is input.

The sound processing unit 204 is composed of a speaker, a microphone, and a driving module for driving the same, and decodes sound data corresponding to sound output among various calculation results of the control unit 201 and outputs it through the speaker or , or a sound signal input through the microphone is encoded and transmitted to the control unit 201 .

The NFC module 205 is a communication resource for processing one or more proximity wireless communication among two-way proximity wireless communication, full-duplex proximity wireless communication, and half-duplex proximity wireless communication using a radio frequency signal as a communication medium at a proximity distance (eg, around 10 cm) As a generic name, it is possible to process proximity wireless communication according to the NFC (Near Field Communication) standard of preferably 13.56Mz frequency band. Alternatively, the NFC module 205 may process proximity wireless communication according to the ISO 18000 series standard, and in this case, may also process proximity wireless communication for a frequency band other than the 13.56Mz frequency band. For example, the NFC module 205 may operate in a reader mode, operate in a tag mode, or operate in a two-way communication mode. Meanwhile, the NFC module 205 may be included in a communication resource for connecting the second terminal 200 to a communication network according to a target to communicate in proximity.

The wireless network communication unit 207 and the short-range wireless communication unit 206 are generic names of communication resources for connecting the second terminal 200 to a designated communication network. Preferably, the second terminal 200 may include a wireless network communication unit 207 as a basic communication resource, and may include one or more short-range wireless communication units 206 .

The wireless network communication unit 207 is a generic term for communication resources that connect the second terminal 200 to a wireless communication network via a base station. It is configured to include at least one signal processing module, and is connected to the control unit 201 to transmit an operation result corresponding to wireless communication among various operation results of the control unit 201 through a wireless communication network or to transmit data through a wireless communication network Received and delivered to the control unit 201, the wireless communication access, registration, communication, and handoff procedures are performed. According to the present invention, the wireless network communication unit 207 can connect the second terminal 200 to a communication network including a communication channel and a data channel via a switch, and in some cases, packets without passing through the switch. It can be connected to a data network that provides communication-based wireless network data communication (eg, the Internet).

According to the embodiment of the present invention, the wireless network communication unit 207 performs at least one of accessing, location registration, call processing, call connection, data communication, and handoff to a mobile communication network according to the CDMA/WCDMA/LTE standard. includes configuration. Meanwhile, according to the intention of those skilled in the art, the wireless network communication unit 207 may further include a portable Internet communication configuration for performing at least one of accessing, location registration, data communication, and handoff to the portable Internet according to IEEE 802.16 related standards, It should be clearly stated that the present invention is not limited by the wireless communication configuration provided by the wireless network communication unit 207 . That is, the wireless network communication unit 207 is a generic term for a component that accesses a wireless communication network through a cell-based base station regardless of a frequency band of a wireless section, a type of a communication network, or a protocol.

The short-range wireless communication unit 206 connects a communication session using a radio frequency signal as a communication medium within a certain distance (eg, 10 m), and based on this, the second terminal 200 is a generic term for communication resources for connecting the second terminal 200 to the communication network. Preferably, the second terminal 200 may be connected to the communication network through at least one of Wi-Fi communication, Bluetooth communication, public wireless communication, and UWB. According to the embodiment of the present invention, the short-range wireless communication unit 206 may be implemented in an integrated or separate form with the wireless network communication unit 207 . According to the present invention, the short-range wireless communication unit 206 connects the second terminal 200 to a data network that provides short-range wireless data communication based on packet communication through a wireless AP.

The USIM reader unit 208 is configured to exchange at least one data set with a Universal Subscriber Identity Module mounted on or detached from the second terminal 200 based on the ISO/IEC 7816 standard. As a generic name, the dataset is exchanged in a half-duplex communication method through an Application Protocol Data Unit (APDU).

The USIM is a SIM-type card equipped with an IC chip according to the ISO/IEC 7816 standard, an input/output interface including at least one contact point connected to the USIM reader unit 208, and at least one program code for the IC chip. and an IC chip memory for storing a data set, and a program code for the IC chip or extracting (or processing) the data set according to at least one command connected to the input/output interface and transmitted from the second terminal 200 and a processor for transferring the data to the input/output interface.

The program 210 of the present invention is downloaded from a program providing server (eg, Apple's App Store, etc.) through a data network to which the communication resource is accessible and stored in the memory unit 209 . The downloaded program 210 operates in conjunction with the operation server 110, and may be manually driven by a user, or may be automatically driven (or activated) after user confirmation by receiving a message or activated. On the other hand, a separate program 210 may be running in advance to automatically drive the program 210 after user confirmation or, thereby, the present invention is not limited thereto.

Referring to FIG. 2 , the program 210 of the second terminal 200 includes a user who uses the second terminal 200 running the program 210 through a data network to which the communication resource can be accessed as a member. Corresponds to the second terminal 200 that is running the program 210 through the subscription/authentication processing unit 215 that performs a procedure for registering as a user or authenticating the user, and at least one communication network accessible through a communication resource. and a terminal medium authentication unit 220 for performing a procedure for authenticating the terminal medium.

The program 210 includes communication connection macro information for accessing the operation server 110 via a data network accessible through the communication resource, and the subscription/authentication processing unit 215 includes the screen output unit 202 ) to output user information (eg, name, resident registration number, etc.) for registering a user as a member and an interface for inputting a member account, and user information input through the interface to the operation server 110 through the data network and a member account to sign up the user as a member.

Meanwhile, the user's membership subscription may be through a separate user terminal in addition to the second terminal 200 . At this time, in order to authenticate that the subscribed user is a user using the second terminal 200 running the program 210, the subscription/authentication processing unit 215 outputs an interface for inputting the registered member account. And, by transmitting the member account input through the interface to the operation server 110 through the data network, a user using the second terminal 200 running the program 210 can be registered as a member. have.

When authenticating the subscribed user, the signup/authentication processing unit 215 outputs an interface for inputting a previously registered member account and/or password, and stores the member account and/or password input through the interface to the data. By transmitting to the operation server 110 through the network, the user using the second terminal 200 running the program 210 can be authenticated.

The terminal medium authentication unit 220 authenticates the validity of the program 210 with the operation server 110 through at least one of a data network and a communication network to which the communication resource can be accessed. According to the implementation method of the present invention, in the process of authenticating the validity of the program 210, an encryption/decryption communication process agreed in advance between the program 210 and the operation server 110 is performed, and for convenience, the encryption/decryption process is performed. A detailed description of the process will be omitted.

According to the first terminal medium authentication method of the present invention, the program 210 is downloaded through the program providing server with a unique key value that can identify that it is a program operated by the operation server 110 is set, In this case, the terminal medium authentication unit 220 may authenticate that the program 210 is a program operated by the operation server 110 by transmitting the unique key value to the operation server 110 . On the other hand, the terminal medium authentication unit 220 transmits the unique key value to the operation server 110, at least one unique information stored in the second terminal 200 or allocated to the communication network as the unique key By transmitting the value together, it is possible to simultaneously authenticate that the program 210 is a program operated by the operation server 110 and that the program 210 is running in the second terminal 200 .

According to the second terminal medium authentication method of the present invention, after the program 210 is downloaded through the program providing server, an app identification value (eg, an app identification value that uniquely identifies the program 210 on a data network according to a predetermined procedure) , a device token allocated by Apple's APNS, etc.) may be allocated, and in this case, the terminal medium authentication unit 220 transmits the app identification value to the operation server 110 , the program 210 . It can be authenticated that the program is operated by the operation server (110). Meanwhile, the terminal medium authentication unit 220 identifies at least one unique information stored in the second terminal 200 or allocated to the communication network in the process of transmitting the app identification value to the operation server 110 , the app identification By transmitting the value together, it is possible to simultaneously authenticate that the program 210 is a program operated by the operation server 110 and that the program 210 is running in the second terminal 200 .

According to the third terminal medium authentication method of the present invention, in the program 210, at least one key value, a key exchange protocol, and encryption/decryption rules are set, and an authentication procedure for authenticating the program 210 using these is defined. The certificate may be downloaded through the program providing server in a loaded state, and in this case, the terminal medium authentication unit 220 sets at least one key value and key set in the certificate according to the authentication procedure defined in the certificate. It is possible to authenticate that the program 210 is a program operated by the operation server 110 by selectively using an exchange protocol and encryption/decryption rules. On the other hand, the terminal medium authentication unit 220 further uses the at least one unique information stored in the second terminal 200 or allocated to the communication network in the process of using the certificate for the authentication procedure, so that the program 210 It is possible to simultaneously authenticate that the program is operated by the operation server 110 and that the program 210 is running in the second terminal 200 .

According to the fourth terminal medium authentication method of the present invention, when the authentication number sent from the operation server 110 is received through the message exchange protocol of the communication network, the second terminal 200 validates the received authentication number. By receiving the input and transmitting it to the operation server 110 through the data network, it is possible to authenticate that the program 210 is a program operated by the operation server 110 . On the other hand, the terminal medium authentication unit 220 transmits the authentication number to the operation server 110, at least one unique information stored in the second terminal 200 or allocated to the communication network with the authentication number By transmitting together, it is possible to simultaneously authenticate that the program 210 is a program operated by the operation server 110 and that the program 210 is running in the second terminal 200 .

According to the fifth terminal medium authentication method of the present invention, the terminal medium authentication unit 220 receives from the operation server 110 through an authentication method that selectively combines one or more of the first to fourth terminal medium authentication methods. It is possible to authenticate the validity of the program 210, and the present invention is not limited thereby.

Referring to FIG. 2 , the program 210 of the second terminal 200 is driven or activated by the operation server 110 when the program 210 is driven or activated according to a specified procedure. and a driving/activation processing unit 225 for recognizing that it has been activated.

When the program 210 is driven or activated through a push notification, or the program 210 is driven or activated by a user operation through a key input unit, the driving/activation processing unit 225 is configured according to a preset communication macro. By requesting a communication connection to the operation server 110 through at least one communication unit among the short-range wireless communication unit 206 and the wireless network communication unit 207 , the operation server 110 causes the second terminal 200 to operate. It can be recognized that the program 210 has been driven or activated.

Referring to Figure 2, the program 210 of the second terminal 200, the receiving unit 230 for receiving the authentication information (s) for authentication processing and the dynamically generated authentication code (s) for server authentication and , an authentication code (s) authenticator 235 for authenticating the validity of the received authentication code (s) through a specified code verification procedure, and the NFC module 205 when validating the authentication code (s) It may include an NFC activation unit 240 that confirms or processes to be activated, and a medium recognition unit 245 that recognizes a non-contact medium 100 adjacent to the NFC module 205 through the NFC module 205 .

After the program 210 is driven or activated, when the operation server 110 transmits the authentication information (s) for authentication processing and the authentication code (s) dynamically generated for server authentication, the receiving unit 230 receives the authentication information (s) and the authentication code (s) through at least one communication unit among the short-range wireless communication unit 206 and the wireless network communication unit 207 . The authentication information (s) and the authentication code (s) may be received together or may be received separately (or sequentially) according to a specified procedure.

On the other hand, when the authentication information (s) and the authentication code (s) are received from the operation server 110, the driving/activation processing unit 225 requests the user's PIN input and checks the validity of the PIN input from the user. Authenticate. To this end, the driving/activation processing unit 225 may receive a user's PIN in advance and store and manage it in a designated storage area.

When the authentication code (s) is received from the operation server 110, the authentication code (s) authentication unit 235 authenticates the validity of the received authentication code (s) using a designated code verification procedure. For example, the authentication code (s) authentication unit 235 is a shared value exchanged/shared in advance/real time with the operation server 110 (eg, MIN of the second terminal 200, exchanged/shared key) value) and/or a synchronization value (eg, time, etc.) synchronized with the operation server 110 is substituted for a specified code generation algorithm (eg, hash algorithm) to generate a verification code (s), and the received authentication By comparing the code (s) with the generated verification code (s), the validity of the verification code (s) can be verified.

When the validity of the authentication code (s) is authenticated, the NFC activation unit 240 checks whether the NFC module 205 of the second terminal 200 is activated to interface with the contactless medium 100 . If the NFC module 205 is not activated, the NFC activation unit 240 activates the NFC module 205 to interface with the non-contact medium 100 through the NFC module 205 according to a specified procedure. make it

When the NFC module 205 is activated, the medium recognition unit 245 checks whether the non-contact medium 100 is interfaced through the NFC module 205 in proximity to a specified proximity distance. Preferably, the medium recognition unit 245 displays guidance information for inducing the non-contact medium 100 to approach the NFC module 205 through the screen output unit 202, and the NFC module 205 Recognizes the non-contact medium 100 close to the frequency reach.

Referring to FIG. 2 , the program 210 of the second terminal 200 communicates with the security server 150 through a designated path, and a designated storage area ( A storage area ( Authentication for generating an authentication code (t) for authenticating the validity of the cipher block confirmation unit 255 for reading the cipher block recorded in n) and the second terminal 200 that has driven or activated the program 210 The code (t) generating unit 260, the authentication information (t) generating unit 265 for generating the authentication information (t) corresponding to the authentication information (s), and the password read from the contactless medium (100) It processes the block to be transmitted to a designated decryption server 160 and includes a transmission unit 270 for transmitting the authentication code t to the operation server 110, and authentication generated using the encryption block through a designated path and an authentication result processing unit 275 for receiving and outputting an authentication approval result of the authentication information t using the means information.

When the non-contact medium 100 close to the frequency reach is recognized through the NFC module 205, the medium access processing unit 250 reads a unique serial number from the non-contact medium 100 through the NFC module 205 and , the short-range wireless communication unit 206 and the wireless network communication unit 207 through a designated communication unit at least one of the unique serial number read from the non-contact medium 100 through the designated security server 150 is processed to be delivered. Preferably, the medium access processing unit 250 transmits the read unique serial number to the operation server 110 , and the operation server 110 may transmit the unique serial number to the security server 150 . . Meanwhile, according to an implementation method, the medium access processing unit 250 may transmit the unique serial number to the security server 150 through a second communication network.

The security server 150 is an authentication code recorded in a designated storage area (m, 0≤m<N) among N storage areas provided in the non-contact medium 100 corresponding to the unique serial number from the security module 155 . The first authentication key for reading (m) is extracted and processed to be transmitted to the program 210 of the second terminal 200 through a designated path. Preferably, the security server 150 transmits the first authentication key to the operation server 110 , and the operation server 110 transmits the first authentication key to the program 210 of the second terminal 200 . ) can be passed as Meanwhile, according to an implementation method, the security server 150 may transmit the first authentication key to the program 210 of the second terminal 200 through a second communication network.

The medium access processing unit 250 receives the first authentication key through at least one communication unit among the short-range wireless communication unit 206 and the wireless network communication unit 207 . When the first authentication key is received, the medium access processing unit 250 transmits the first authentication key to the contactless medium 100 through the NFC module 205 to a designated storage area of the contactless medium 100 . Request the authentication code (m) recorded in (m). The contactless medium 100 responds to the authentication code (m) recorded in the storage area (m) when authentication is successful by authenticating the first authentication key according to a specified authentication procedure, and the medium access processing unit 250 reads the authentication code (m) recorded in the storage area (m) of the contactless medium (100). Meanwhile, according to the implementation method, the contactless medium 100 may respond to issuer information, and the medium access processing unit 250 may further read the issuer information recorded in the storage area m of the contactless medium 100 . have.

The program 210 of the second terminal 200 is an authentication code read from the contactless medium 100 via a path designated through at least one communication unit among the short-range wireless communication unit 206 and the wireless network communication unit 207 . (m) is processed to be delivered to the security server (150). Preferably, the medium access processing unit 250 transmits the read authentication code (m) to the operation server 110, and the operation server 110 transmits the authentication code (m) to the security server 150 can be transmitted as Meanwhile, according to an implementation method, the medium access processing unit 250 may transmit the authentication code m to the security server 150 through a second communication network.

The security server 150 authenticates the validity of the authentication code (m) through the security module 155, and when the validity of the authentication code (m) is authenticated, the contactless medium 100 from the security module 155 The program of the second terminal 200 through the designated path by extracting the second authentication key for reading the cipher block recorded in the designated storage area (n, 0≤n<N, n≠m) It is processed to be forwarded to (210). Preferably, the security server 150 transmits the second authentication key to the operation server 110 , and the operation server 110 transmits the second authentication key to the program 210 of the second terminal 200 . ) can be passed as Meanwhile, according to an implementation method, the security server 150 may transmit the second authentication key to the program 210 of the second terminal 200 through a second communication network.

According to the implementation method of the present invention, the security server 150, the security server 150 that performs a medium access procedure for reading the cipher block from the contactless medium 100, and the non-contact as a result of the medium access procedure An authentication value is generated for validation between the decryption server 160 that decrypts the cipher block read from the medium 100, and the authentication value is transmitted to the program 210 of the second terminal 200 through a designated path. can be processed for delivery.

According to the implementation method of the present invention, the security server 150 is synchronized with the decryption server 160 and a shared value (eg, secret key, etc.) exchanged/shared in advance/real time with the decryption server 160 . An authentication value can be dynamically generated by substituting the synchronized value (eg, time, random number, etc.) into a specified code generation algorithm (eg, hash algorithm), in this case, between the security server 150 and the decryption server 160 . Even if the authentication value is not shared, the validity of the authentication value may be authenticated through the code verification procedure performed by the decryption server 160 . Meanwhile, the security server 150 may generate an authentication value through a random number algorithm. In this case, the security server 150 may share the authentication value with the decryption server 160 to be authenticated.

According to the implementation method of the present invention, the authentication value is included in the second authentication key and one transaction block and transmitted to the program 210 of the second terminal 200, or each ( or sequentially) may be transmitted to the program 210 of the second terminal 200 . When the second authentication key and the authentication value are transmitted to the program 210 of the second terminal 200 through one transaction block, the security server 150 transmits the second authentication key and the authentication value to the operation server 110 , and the operation server 110 may transmit the second authentication key and authentication value to the program 210 of the second terminal 200 . Meanwhile, according to an implementation method, the security server 150 may transmit the second authentication key and the authentication value to the program 210 of the second terminal 200 through a second communication network.

The medium access processing unit 250 receives the second authentication key through at least one communication unit among the short-range wireless communication unit 206 and the wireless network communication unit 207 . When the second authentication key is received, the medium access processing unit 250 transmits the second authentication key to the contactless medium 100 through the NFC module 205 to a designated storage area of the contactless medium 100 . Request the cipher block recorded in (n). The contactless medium 100 responds to the encryption block recorded in the storage area n when authentication is successful by authenticating the second authentication key according to a specified authentication procedure, and the encryption block confirmation unit 255 is the As a result of the medium access procedure performed through the medium access processing unit 250 , the encryption block recorded in the storage area n of the contactless medium 100 is read through the NFC module 205 .

The authentication code (t) generating unit 260 generates an authentication code (t) for authenticating the validity of the second terminal 200 that has driven or activated the program 210 through the operation server 110 . . Preferably, the authentication code (t) generating unit 260 is a shared value exchanged/shared in advance/real time with the operation server 110 (eg, MIN of the second terminal 200, exchanged/shared key value) etc.) and/or by substituting a synchronization value (eg, time, etc.) synchronized with the operation server 110 to a designated code generation algorithm (eg, a hash algorithm) to dynamically generate an authentication code (t).

The authentication information (t) generating unit 265 generates authentication information (t) for an authentication approval request using the encryption block read from the contactless medium (100).

According to the implementation method of the present invention, the authentication information (t) generating unit 265 generates the user's personal information (eg, the first 6 digits of the resident number, etc.) and/or secret information (eg, 2 digits of the card password). An input request is made, and the authentication information t may include personal information and/or confidential information input by the user. Meanwhile, depending on the implementation method, the authentication information t may include all or at least a part of the authentication information s.

The transmission unit 270 transmits the cipher block read from the contactless medium 100 through at least one communication unit among the short-range wireless communication unit 206 and the wireless network communication unit 207, so that the cipher block through a designated path. It processes to be transmitted to the decryption server 160, and the authentication code (t) generated through the authentication code (t) generating unit 260 and the authentication information (t) for the authentication approval request are transmitted to the operation server 110 send to The read cryptographic block and the generated authentication code (t) and authentication information (t) are included in one transaction block and transmitted to the operation server 110, or each (or sequentially) transmitted through a designated sequence or path can be

Meanwhile, when the authentication value generated through the security server 150 is received, the transmission unit 270 may process the encryption block and the authentication value to be transmitted to the decryption server 160 . The cryptographic block and the authentication value may be transmitted through one transaction block, or may be transmitted separately (or sequentially) through a designated order or path.

The encryption block is transmitted to the decryption server 160 through a designated path, and the decryption server 160 generates authentication means information corresponding to the encryption block and transmits it to the operation server 110, and the operation server 110 performs an authentication procedure (eg, an authentication approval request to the authentication server 170, etc.) for the authentication information t using the authentication means information generated through the encryption block, and then returns the authentication approval result It is confirmed and transmitted to the program 210 of the second terminal 200 , and the authentication result processing unit 275 approves the authentication through at least one communication unit among the short-range wireless communication unit 206 and the wireless network communication unit 207 . Receive and print the result.

3 is a diagram illustrating a server authentication and NFC activation process using the second terminal 200 according to an embodiment of the present invention.

In more detail, FIG. 3 shows authentication information (s) and authentication from the operation server 110 to the user's second terminal 200 equipped with the NFC module 205 when an authentication request is made through the user's first terminal 105. As showing the process of activating the NFC module 205 of the second terminal 200 after authenticating the operation server 110 in the second terminal 200 by providing a code (s), the present invention For those of ordinary skill in the art, various implementation methods for the server authentication and NFC activation process (eg, an implementation method in which some steps are omitted or the order is changed) with reference to and/or modification of this figure 3 can be inferred, but the present invention is made including all the implementation methods inferred above, and the technical characteristics are not limited only to the implementation method shown in FIG. 3 .

Referring to FIG. 3 , when a user's first terminal 105 connects to a designated web server through the first communication network, selects an authentication method according to the present invention and requests to transmit authentication request information 300 , the operation server 110 ) receives the authentication request information through a designated path (305), and stores the received authentication request information (310).

The operation server 110 checks the second terminal 200 of the user who has performed the authentication procedure for the authentication request information, and notifies the second terminal 200 to drive or push the program 210 for activation. performing (315), the second terminal 200 of the user receives the push notification (320), and drives or activates the program 210 corresponding to the push notification according to a specified procedure (325), The program 210 of the second terminal 200 attempts to access the operation server 110 through the second communication network according to the designated communication macro (330), and the operation server 110 is the second terminal ( It is confirmed that the program 210 of the second terminal 200 is driven or activated on the basis of the connection attempt of the program 210 of the program 210 of the second terminal 200 ( 335 ).

If the program 210 of the second terminal 200 is driven or activated, the operation server 110 generates authentication information (s) for authentication processing of the received authentication request information (340), and the After generating the authentication code (s) for server authentication through the program 210 of the second terminal 200 (345), the authentication information (s) and the authentication code (s) through the second communication network are transmitted to the second It is provided to the program 210 of the terminal 200 (350).

The program 210 of the second terminal 200 receives the authentication information (s) and the authentication code (s) through the second communication network (355), and the received authentication code (s) according to a specified code verification procedure ) by authenticating the validity of (360), the validity of the operation server 110 that has transmitted the authentication information (s) is authenticated. On the other hand, the authentication code (s) authenticates the validity of the operation server 110 through the program 210 of the second terminal 200, but if the operation server 110 is a genuine server (= a phishing server If not), it is also possible to perform a function of verifying the second terminal 200 from the standpoint of the operation server 110 . According to the implementation method of the present invention, the program 210 of the second terminal 200 inputs the user's PIN at a point in the process of receiving the authentication code (s) after the program 210 is driven or activated. You can perform a PIN authentication procedure that receives and authenticates.

If the validity of the authentication code (s) is not authenticated, the program 210 of the second terminal 200 transmits an error code according to the authentication failure of the authentication code (s) to the operation server 110, The operation server 110 receives the error code, performs a specified internal procedure, and simultaneously transmits the error code to the first terminal 105 (365), and the first terminal 105 receives the error code and output (370).

On the other hand, when the validity of the authentication code (s) is authenticated, the program 210 of the second terminal 200 confirms the activation of the NFC module 205 provided in the second terminal 200 (375), If the NFC module 205 is not activated, the program 210 of the second terminal 200 performs a procedure for activating the NFC module 205 ( 380 ). If the NFC module 205 of the second terminal 200 is activated or in a pre-activated state, the program 210 of the second terminal 200 uses the NFC module 205 in FIGS. 4 to 7 . Follow the process shown in

4 is a diagram illustrating a primary information exchange process between the second terminal 200 and the security server 150 for accessing the non-contact medium 100 according to an embodiment of the present invention.

In more detail, FIG. 4 shows that when the user's second terminal 200 reads the unique serial number from the non-contact medium 100 through the NFC module 205 and processes it to be transmitted to the security server 150, the security server 150 ) shows the process of providing the first authentication key for reading the authentication code (m) recorded in the storage area (m) of the contactless medium 100 corresponding to the unique serial number, the technology to which the present invention belongs Those of ordinary skill in the art can infer various implementation methods (eg, an implementation method in which some steps are omitted or in which the order is changed) for the primary information exchange process by referring to and/or modifying this FIG. 4 . However, the present invention is made including all the implementation methods inferred above, and the technical characteristics are not limited only to the implementation method shown in FIG. 4 .

Referring to FIG. 4 , the program 210 of the second terminal 200 approaches the non-contact medium 100 at a designated proximity distance (eg, within 1 cm, etc.) to the second terminal 200 through the NFC module 205 . to check whether it is recognized (400). If the non-contact medium 100 is recognized, the program 210 of the second terminal 200 requests the reading of the non-contact medium 100 through the NFC module 205 (405), and the non-contact medium 100 is A unique serial number (eg, CSN, etc.) is checked (410) and provided to the second terminal 200 through NFC (415).

The program 210 of the second terminal 200 reads (420) the unique serial number from the non-contact medium 100 through the NFC module 205, and processes the unique serial number to be transmitted to the security server (150). By doing so, the first authentication key for the contactless medium 100 is requested ( 425 ). According to the embodiment of FIG. 4 , the unique serial number is transmitted to the security server 150 via the operation server 110 .

The operation server 110 receives a unique serial number from the program 210 of the second terminal 200 (430), and transmits the unique serial number to the designated security server 150 to the non-contact medium 100. A first authentication key is requested for the user (435).

The security server 150 checks the first authentication key for the storage area m of the contactless medium 100 through the security module 155 (440). If the first authentication key is not confirmed (eg, if the non-contact medium 100 corresponding to the unique serial number is not a valid contactless medium 100), the security server 150 returns an error to the operation server 110 Transmitting the code, the operation server 110 receives the error code, performs a designated internal procedure, and at the same time provides the error code to the second terminal 200 (445), and the program of the second terminal 200 210 receives and outputs the error code (450).

Meanwhile, when the first authentication key is confirmed, the security server 150 transmits the first authentication key to the operation server 110 ( 455 ), and the operation server 110 receives the first authentication key. to provide to the second terminal 200 (460), and the program 210 of the second terminal 200 receives the first authentication key for the contactless medium 100 through the second communication network (465) ).

5 is a diagram illustrating a secondary information exchange process between the second terminal 200 and the security server 150 for accessing the non-contact medium 100 according to an embodiment of the present invention.

In more detail, FIG. 5 shows that the user's second terminal 200 reads the authentication code m recorded in the storage area m of the non-contact medium 100 through the first authentication key to the security server 150 . When it is processed to be delivered, the security server 150 authenticates the authentication code (m) and then provides a second authentication key for reading the cipher block recorded in the storage area (n) of the contactless medium (100). As shown, those of ordinary skill in the art to which the present invention pertains may refer to and/or modify FIG. 5 to perform various implementation methods for the secondary information exchange process (eg, some steps are omitted, or implementation method in which the order is changed) can be inferred, but the present invention includes all the inferred implementation methods, and the technical characteristics are not limited only to the implementation method illustrated in FIG. 5 .

Referring to FIG. 5 , when the first authentication key is received through the process shown in FIG. 4 , the program 210 of the second terminal 200 is first transferred to the non-contact medium 100 through the NFC module 205 . The authentication key is transmitted to request reading of the authentication code m (500), and the contactless medium 100 receives the first authentication key to authenticate validity (505). If the validity of the first authentication key is not authenticated, the contactless medium 100 responds with an error code through NFC, and the program 210 of the second terminal 200 receives an error through the NFC module 205 . The code is received and output (510).

On the other hand, when the validity of the first authentication key is authenticated, the contactless medium 100 checks the authentication code (m) recorded in the storage area (m) corresponding to the first authentication key (515), through NFC It is provided to the second terminal 200 ( 520 ). On the other hand, according to the implementation method, the contactless medium 100 further checks the issuer information for the contactless medium 100 based on the authentication result of the first authentication key (515), and provides it to the second terminal 200 may (520).

The program 210 of the second terminal 200 reads the authentication code m from the contactless medium 100 through the NFC module 205 ( 525 ), and may read the issuer information according to the implementation method. (525). The program 210 of the second terminal 200 requests the second authentication key for the contactless medium 100 by processing the authentication code m to be transmitted to the security server 150 ( 530 ). According to the embodiment of this figure 5, the authentication code (m) is transmitted to the security server 150 via the operation server (110).

The operation server 110 receives the authentication code (m) from the program 210 of the second terminal 200 (535), and transmits the authentication code (m) to the designated security server 150 by transmitting the non-contact medium The first authentication key for (100) is requested (540).

The security server 150 authenticates the validity of the authentication code m through the security module 155 (545). If the validity of the authentication code (m) is not authenticated, the security server 150 transmits an error code to the operation server 110, and the operation server 110 receives the error code and performs a specified internal procedure. Simultaneously, the error code is provided to the second terminal 200 (550), and the program 210 of the second terminal 200 receives and outputs the error code (555).

On the other hand, when the validity of the authentication code (m) is authenticated, the security server 150 checks the second authentication key for the storage area n of the contactless medium 100 through the security module 155 (560) ), and transmits the confirmed second authentication key to the operation server 110 (565). The operation server 110 receives the second authentication key and provides it to the second terminal 200 (570), and the program 210 of the second terminal 200 executes the contactless medium through a second communication network. Receives a second authentication key for (100) (575).

6 is a diagram illustrating a secondary information exchange process between the second terminal 200 and the security server 150 for accessing the non-contact medium 100 according to another embodiment of the present invention.

In more detail, FIG. 6 shows that the user's second terminal 200 reads the authentication code m recorded in the storage area m of the non-contact medium 100 through the first authentication key to the security server 150 . When the transfer is processed, the security server 150 authenticates the authentication code (m), generates an authentication value, and then a second authentication key for reading the encryption block recorded in the storage area (n) of the contactless medium (100) and a process of providing an authentication value, those of ordinary skill in the art to which the present invention pertains may refer to and/or modify this figure 6 to various implementation methods for the secondary information exchange process (for example, , some steps are omitted, or the order of which is changed) may be inferred, but the present invention is made including all the inferred implementation methods, and the technical characteristics are limited only to the implementation method shown in FIG. 6 it doesn't happen

Referring to FIG. 6 , when the first authentication key is received through the process shown in FIG. 4 , the program 210 of the second terminal 200 transmits the first to the non-contact medium 100 through the NFC module 205 . The authentication key is transmitted to request reading of the authentication code m (600), and the contactless medium 100 receives the first authentication key to authenticate validity (605). If the validity of the first authentication key is not authenticated, the contactless medium 100 responds with an error code through NFC, and the program 210 of the second terminal 200 receives an error through the NFC module 205 . The code is received and output (610).

On the other hand, when the validity of the first authentication key is authenticated, the contactless medium 100 checks the authentication code (m) recorded in the storage area (m) corresponding to the first authentication key (615), through NFC It is provided to the second terminal 200 ( 620 ). Meanwhile, according to the implementation method, the non-contact medium 100 further checks the issuer information for the non-contact medium 100 based on the authentication result of the first authentication key (615), and provides it to the second terminal 200 may (620).

The program 210 of the second terminal 200 reads the authentication code m from the non-contact medium 100 through the NFC module 205 ( 625 ), and may read the issuer information according to the implementation method. (625). The program 210 of the second terminal 200 requests a second authentication key for the contactless medium 100 by processing the authentication code m to be transmitted to the security server 150 ( 630 ). According to the embodiment of FIG. 6 , the authentication code m is transmitted to the security server 150 via the operation server 110 .

The operation server 110 receives the authentication code (m) from the program 210 of the second terminal 200 (635), and transmits the authentication code (m) to the designated security server 150 by transmitting the non-contact medium The first authentication key for (100) is requested (640).

The security server 150 authenticates the validity of the authentication code (m) through the security module 155 (645). If the validity of the authentication code (m) is not authenticated, the security server 150 transmits an error code to the operation server 110, and the operation server 110 receives the error code and performs a specified internal procedure. Simultaneously, the error code is provided to the second terminal 200 ( 650 ), and the program 210 of the second terminal 200 receives and outputs the error code ( 655 ).

On the other hand, when the validity of the authentication code (m) is authenticated, the security server 150 checks the second authentication key for the storage area n of the contactless medium 100 through the security module 155 (660). ), after generating an authentication value ( 665 ), the verified second authentication key and the generated authentication value are transmitted to the operation server 110 ( 670 ). The operation server 110 receives the second authentication key and the authentication value and provides it to the second terminal 200 (675), and the program 210 of the second terminal 200 is transmitted through a second communication network. A second authentication key for the contactless medium 100 and the authentication value are received ( 680 ).

7 is a diagram illustrating a process of reading a cipher block from the contactless medium 100 according to an embodiment of the present invention.

In more detail, FIG. 7 shows the process of reading the cipher block recorded in the storage area n of the contactless medium 100 through the second authentication key in the user's second terminal 200, and the present invention Those of ordinary skill in the art can infer various implementation methods (eg, an implementation method in which some steps are omitted or the order is changed) for the cipher block reading process by referencing and/or modifying this figure 7 However, the present invention is made including all the implementation methods inferred above, and the technical characteristics are not limited only to the implementation method shown in FIG. 7 .

Referring to FIG. 7 , when the second authentication key is received through the process shown in FIG. 5 or 6 , the program 210 of the second terminal 200 executes the contactless medium 100 through the NFC module 205 . transmits the second authentication key to request reading of the cipher block (700), and the contactless medium 100 receives the second authentication key to authenticate validity (705). If the validity of the second authentication key is not authenticated, the contactless medium 100 responds to an error code through NFC, and the program 210 of the second terminal 200 receives an error through the NFC module 205 . The code is received and output (710).

On the other hand, when the validity of the second authentication key is authenticated, the contactless medium 100 checks the encryption block recorded in the storage area n corresponding to the first authentication key (715), and the second terminal through NFC Provided to ( 200 ) ( 720 ), the program 210 of the second terminal 200 reads the encryption block from the contactless medium 100 through the NFC module 205 ( 725 ).

8 is a diagram illustrating a process of performing an authentication procedure using an encryption block read from the contactless medium 100 according to an embodiment of the present invention.

In more detail, FIG. 8 shows the encryption block read from the storage area n of the non-contact medium 100 in the second terminal 200 of the user, the authentication code t generated in the second terminal 200, and the authentication process When the authentication information t is transmitted to the operation server 110 for Those of ordinary skill in the art to which this belongs, refer to and/or modify this figure 8 to infer various implementation methods (eg, an implementation method in which some steps are omitted or the order is changed) for the authentication procedure. However, the present invention is made including all the implementation methods inferred above, and the technical characteristics are not limited only to the implementation method shown in FIG. 8 .

Referring to FIG. 8 , when the cipher block is read from the storage area n of the contactless medium 100 through the process shown in FIG. 7 , the program 210 of the second terminal 200 is the program 210 . Generates an authentication code (t) for authenticating the second terminal 200 in a driving or activated state (800), and authentication processing based on the authentication information (s) received through the process shown in FIG. Generates authentication information (t) for (805).

The program 210 of the second terminal 200 transmits the encryption block, the authentication code (t) and the authentication information (t) to the operation server 110 through the second communication network (810), and the operation server ( 110) receives the encryption block, the authentication code (t), and the authentication information (t) (815).

The operation server 110 authenticates the validity of the authentication code (t) according to a specified code verification procedure (820). If the validity of the authentication code (t) is not authenticated, the operation server 110 transmits an error code for this to the second terminal 200, and the program 210 of the second terminal 200 The error code is received and output (825).

On the other hand, when the validity of the authentication code (t) is authenticated, the operation server 110 uses the authentication information (s) provided to the second terminal 200 through the process shown in FIG. ) to authenticate the integrity for (830). If the integrity of the authentication information (t) is not authenticated, the operation server 110 transmits an error code for this to the second terminal 200, and the program 210 of the second terminal 200 The error code is received and output (835).

The operation server 110 requests authentication means information corresponding to the encryption block from the designated decryption server 160 (840), and the decryption server 160 receives the encryption block (845), and the encryption block to generate authentication means information (850).

According to the first authentication means generating method of the present invention, when the authentication means information is encrypted in the encryption block, the decryption server 160 may decrypt the encryption block to generate the authentication means information.

According to the second authentication means generation method of the present invention, when the identification information for identifying the authentication means is encrypted in the encryption block, the decryption server 160 decrypts the encryption block to confirm the authentication means information, and authenticate The identification information and It is possible to obtain the mapped authentication means information.

According to the third authentication means generation method of the present invention, the encryption block can perform a function of an identifier mapped with authentication means information. In this case, the decryption server 160 stores authentication means information to be used for authentication processing. authentication means information mapped with the encryption block can be obtained from a secure storage medium (eg, the SAM storage area of the decryption module 165, DB of a financial company, or a secure storage medium allowed to store authentication means information) have.

According to the fourth authentication means generation method of the present invention, the decryption server 160 decrypts the encryption block to confirm block information (or authentication means information, identification information, etc. possible, hereinafter referred to as block information for convenience), By using the block information, it is possible to generate authentication means information of a designated information system corresponding to the authentication means. For example, the decryption server 160 may generate authentication means information by substituting a hash value generated by hashing the block information into a designated information system. In this case, the authentication means information is a function of a one-time authentication means can be performed. Alternatively, the decryption server 160 may generate authentication means information by substituting some information of the block information into a designated information system.

According to the fifth authentication means generating method of the present invention, the decryption server 160 may generate authentication means information of a designated information system corresponding to the authentication means by using the encryption block. For example, the decryption server 160 may generate authentication means information by substituting a hash value generated by hashing the encryption block into a designated information system. In this case, the authentication means information is a function of a one-time authentication means can be performed. Alternatively, the decryption server 160 may generate authentication means information by substituting some information of the encryption block into a designated information system.

On the other hand, the decryption server 160 generates authentication means information in the form of combining two or more of the first to fifth authentication means generating methods, or by modifying some of the first to fifth authentication means generating methods to provide authentication means. It is possible to generate information, and it is clearly stated that the present invention is not limited thereto. That is, the present invention includes the number of all cases of generating authentication means information to be used for authentication by using the encryption block as the scope of rights.

If the authentication means information is not generated, the decryption server 160 transmits an error code to the operation server 110, and the operation server 110 receives the error code and performs a specified internal procedure, and at the same time The error code is provided to the second terminal 200 ( 855 ), and the program 210 of the second terminal 200 receives and outputs the error code ( 860 ).

On the other hand, when authentication means information is generated using the encryption block, the decryption server 160 transmits the authentication means information to the operation server 110 (865), and the operation server 110 receives the encryption block. Receives the authentication means information generated by using (870).

9 is a diagram illustrating a process of performing an authentication procedure using a cipher block read from the contactless medium 100 according to another embodiment of the present invention.

In more detail, FIG. 9 shows the encryption block read from the storage area n of the non-contact medium 100 in the second terminal 200 of the user, the authentication value received through the process shown in FIG. 6, and the second terminal When the authentication code (t) generated in 200 and authentication information (t) for authentication processing are transmitted to the operation server 110, the decryption server 160 associated with the operation server 110 authenticates the authentication value. As a diagram showing a process of generating authentication means information through a cryptographic block after ciphering, those of ordinary skill in the art to which the present invention pertains may refer to and/or modify FIG. An implementation method (eg, an implementation method in which some steps are omitted or the order is changed) may be inferred, but the present invention includes all of the inferred implementation methods, and only the implementation method shown in FIG. The technical characteristics are not limited.

Referring to FIG. 9 , when the cipher block is read from the storage area n of the contactless medium 100 through the process shown in FIG. 7 , the program 210 of the second terminal 200 is the program 210 . Generates an authentication code (t) for authenticating the second terminal 200 in the driving or activated state (900), and authentication processing based on the authentication information (s) received through the process shown in FIG. Generates authentication information (t) for (905).

The program 210 of the second terminal 200 transmits the encryption block, the authentication value, the authentication code t, and the authentication information t to the operation server 110 through the second communication network (910), and the The operation server 110 receives the encryption block, the authentication value, the authentication code (t), and the authentication information (t) (915).

The operation server 110 authenticates the validity of the authentication code (t) according to a specified code verification procedure (920). If the validity of the authentication code (t) is not authenticated, the operation server 110 transmits an error code for this to the second terminal 200, and the program 210 of the second terminal 200 The error code is received and output (925).

On the other hand, when the validity of the authentication code (t) is authenticated, the operation server 110 uses the authentication information (s) provided to the second terminal 200 through the process shown in FIG. ) to authenticate the integrity for (930). If the integrity of the authentication information (t) is not authenticated, the operation server 110 transmits an error code for this to the second terminal 200, and the program 210 of the second terminal 200 The error code is received and output (935).

The operation server 110 provides the encryption block and the authentication value to the designated decryption server 160 to request authentication means information corresponding to the encryption block (940), and the decryption server 160 provides the encryption block and the authentication value (940). An authentication value is received ( 945 ), and the validity of the authentication value is authenticated ( 950 ). If the validity of the authentication value is not authenticated, the decryption server 160 transmits an error code to the operation server 110, and the operation server 110 receives the error code and performs a specified internal procedure at the same time. The error code is provided to the second terminal 200 (955), and the program 210 of the second terminal 200 receives and outputs the error code (960).

On the other hand, when the validity of the authentication value is authenticated, the decryption server 160 generates authentication means information using the encryption block (965).

According to the first authentication means generating method of the present invention, when the authentication means information is encrypted in the encryption block, the decryption server 160 may decrypt the encryption block to generate the authentication means information.

According to the second authentication means generation method of the present invention, when the identification information for identifying the authentication means is encrypted in the encryption block, the decryption server 160 decrypts the encryption block to confirm the authentication means information, and authenticate The identification information and It is possible to obtain the mapped authentication means information.

According to the third authentication means generation method of the present invention, the encryption block can perform a function of an identifier mapped with authentication means information. In this case, the decryption server 160 stores authentication means information to be used for authentication processing. authentication means information mapped with the encryption block can be obtained from a secure storage medium (eg, the SAM storage area of the decryption module 165, DB of a financial company, or a secure storage medium allowed to store authentication means information) have.

According to the fourth authentication means generation method of the present invention, the decryption server 160 decrypts the encryption block to confirm block information (or authentication means information, identification information, etc. possible, hereinafter referred to as block information for convenience), By using the block information, it is possible to generate authentication means information of a designated information system corresponding to the authentication means. For example, the decryption server 160 may generate authentication means information by substituting a hash value generated by hashing the block information into a designated information system. In this case, the authentication means information is a function of a one-time authentication means can be performed. Alternatively, the decryption server 160 may generate authentication means information by substituting some information of the block information into a designated information system.

According to the fifth authentication means generating method of the present invention, the decryption server 160 may generate authentication means information of a designated information system corresponding to the authentication means by using the encryption block. For example, the decryption server 160 may generate authentication means information by substituting a hash value generated by hashing the encryption block into a designated information system. In this case, the authentication means information is a function of a one-time authentication means can be performed. Alternatively, the decryption server 160 may generate authentication means information by substituting some information of the encryption block into a designated information system.

On the other hand, the decryption server 160 generates authentication means information in the form of combining two or more of the first to fifth authentication means generating methods, or by modifying some of the first to fifth authentication means generating methods to provide authentication means. It is possible to generate information, and it is clearly stated that the present invention is not limited thereto. That is, the present invention includes the number of all cases of generating authentication means information to be used for authentication by using the encryption block as the scope of rights.

If the authentication means information is not generated, the decryption server 160 transmits an error code to the operation server 110, and the operation server 110 receives the error code and performs a specified internal procedure, and at the same time The error code is provided to the second terminal 200 (970), and the program 210 of the second terminal 200 receives and outputs the error code (975).

On the other hand, when authentication means information is generated using the encryption block, the decryption server 160 transmits the authentication means information to the operation server 110 (980), and the operation server 110 receives the encryption block. Receives the authentication means information generated by using (985).

10 is a diagram illustrating a process of performing an authentication approval procedure using an authentication means generated through an encryption block according to an embodiment of the present invention.

In more detail, FIG. 10 shows a process of performing an authentication approval procedure using authentication means information using a cryptographic block in the operation server 110 through the decryption server 160. Technical field to which the present invention belongs Those of ordinary skill in the art will be able to infer various implementation methods (eg, an implementation method in which some steps are omitted or the order is changed) for the authentication procedure by referring and/or modifying this figure 10. , the present invention is made including all the implementation methods inferred above, and the technical characteristics are not limited only to the implementation method shown in FIG. 10 .

Referring to FIG. 10, when the authentication means information generated using the encryption block is confirmed through the process shown in FIG. 8 or 9, the operation server 110 performs the authentication means information generated through the encryption block and the A request for authentication approval is requested to the designated authentication server 170 using the received authentication information t shown in FIG. 8 or 9 (1000), and the authentication server 170 receives the authentication approval request (1005). ). An authentication approval procedure for the authentication information t is performed using the authentication means information (1010). For example, when the authentication means information includes card information and the authentication means is a financial company server, the financial company server includes card information corresponding to the authentication means information and personal information included in the authentication information (t) and/ Alternatively, an authentication approval procedure for determining whether a card corresponding to the card information is validly issued and operated to the user by using the secret information may be performed.

If the authentication approval procedure is completed, the authentication server 170 generates an authentication approval result for the authentication approval procedure (1015) and transmits it to the operation server 110 (1020), and the operation server 110 ) receives the authentication approval result (1025), performs a designated internal procedure (for example, transfers the authentication approval result to the first terminal 105 side), and provides the authentication approval result to the second terminal 200 at the same time, (1030), the program 210 of the second terminal 200 receives and outputs the authentication approval result (1035).

100: non-contact medium 105: first terminal
110: operation server 112: first communication confirmation unit
114: authentication request receiving unit 116: authentication request response unit
118: authentication request storage unit 120: second terminal verification unit
122: second communication activation unit 124: driving / activation confirmation unit
126: authentication information (s) generating unit 128: authentication code (s) generating unit
130: information providing unit 132: media access procedure relay unit
134: information receiving unit 136: authentication code (t) authentication unit
138: authentication information (t) authentication unit 140: authentication means request unit
142: authentication means receiving unit 144: authentication approval procedure unit
146: approval result receiving unit 148: approval result transmitting unit
150: security server 155: security module
160: decryption server 165: decryption module
170: authentication server 200: second terminal
205: NFC module 210: program
215: subscription/authentication processing unit 220: terminal medium authentication unit
225: driving/activation processing unit 230: receiving unit
235: authentication code (s) authentication unit 240: NFC active unit
245: medium recognition unit 250: medium access processing unit
255: cipher block confirmation unit 260: authentication code (t) generation unit
265: authentication information (t) generation unit 270: transmission unit
275: authentication result processing unit

Claims (18)

In the method executed through an operation server communicating with the user's first terminal and communicating with the user's second terminal equipped with an NFC module,
A first step of receiving and storing authentication request information via a first communication network to which the user's first terminal is connected;
a second step of confirming the driving or activation of a program provided in the user's second terminal using the second communication network;
When the program driving or activation of the second terminal is confirmed, the authentication information (s) for authentication processing of the authentication request information and the authentication code (s) dynamically generated for server authentication through the program of the second terminal are added to the second terminal A third step of providing a program of the terminal;
NFC through the NFC module of the second terminal based on the authentication result of the authentication code (s) through the program of the second terminal and the result of the medium access procedure performed between the program of the second terminal and the designated security server A cipher block read by the program of the second terminal from the designated storage area of the supported contactless medium and the program (or the second terminal driving or activating the program) are dynamically generated through the program of the second terminal for authentication Generated through the program of the second terminal using one or more pieces of information including at least one information (or some information) included in the authentication code (t) and the authentication information (s) provided by the program of the second terminal A fourth step of receiving the authentication information (t);
Corresponding to the encryption block with a designated decryption server in conjunction with the validation of the received authentication code (t) and the integrity authentication of the information included in the authentication information (t) using the information included in the authentication information (s) a fifth step of requesting authentication means information;
a sixth step of receiving authentication means information generated through the encryption block from the decryption server;
a seventh step of requesting authentication approval by transmitting the authentication means information and authentication information (t) to a designated authentication server; and
An eighth step of receiving the authentication approval result from the authentication server and transmitting it to the program of the second terminal;
The authentication code (s), two-channel authentication method using a contactless medium, characterized in that the validity is authenticated through a specified code verification procedure through the program of the second terminal.
delete delete The method of claim 1, wherein the medium access procedure comprises:
The operation server intervenes in the data exchange process between the program of the second terminal and the designated security server, confirms the unique serial number read from the non-contact medium through the NFC module of the second terminal, and provides it to the designated security server step;
Receive a first authentication key for reading an authentication code (m) recorded in a designated storage area (m, 0≤m<N) among N (N>1) storage areas provided in the contactless medium from the security server and transmitting it to the program of the second terminal;
verifying the authentication code (m) read from the non-contact medium through the NFC module of the second terminal and providing it to a designated security server;
Receive the second authentication key for reading the cipher block recorded in the designated storage area (n, 0≤n<N, n≠m) among the N storage areas provided in the contactless medium from the security server, A two-channel authentication method using a contactless medium, characterized in that it further comprises; transmitting to the program of the terminal.
The method of claim 1, wherein the medium access procedure comprises:
The operation server intervenes in the data exchange process between the program of the second terminal and a designated security server, receiving the authentication value generated through the security server and transmitting it to the program of the second terminal,
The fourth step further comprises the step of receiving the authentication value from the program of the second terminal,
The fifth step further includes the step of requesting authentication by providing the authentication value to the decryption server,
The authentication value is validated through the decryption server,
The authentication means information is a two-channel authentication method using a contactless medium, characterized in that it is generated using the encryption block as a result of the authentication of the authentication value.
delete The method of claim 1, wherein the medium access procedure comprises:
Reading, by the program of the second terminal, a unique serial number from a non-contact medium supporting NFC through the NFC module of the second terminal;
The program of the second terminal processes the read unique serial number to be transmitted to a designated security server, and a designated storage area (m, 0≤m<N) among N (N>1) storage areas provided in the non-contact medium Receiving a first authentication key for reading the authentication code (m) recorded in the;
Reading, by the program of the second terminal, the authentication code (m) recorded in the designated storage area (m) of the non-contact medium by transferring the first authentication key to the non-contact medium through the NFC module;
The program of the second terminal processes the read authentication code (m) to be transmitted to the security server, and the encryption block recorded in the designated storage area (n, 0≤n<N, n≠m) of the contactless medium receiving a second authentication key for reading; and
Reading, by the program of the second terminal, the encryption block recorded in the designated storage area (n) of the contactless medium by transferring the second authentication key to the contactless medium through the NFC module; A two-channel authentication method using a contactless medium.
delete ◈Claim 9 was abandoned when paying the registration fee.◈ The method of claim 7, wherein the medium access procedure comprises:
Further comprising the step of receiving, by the program of the second terminal, the authentication value generated through the security server based on the verification result of the authentication code (m) through the security server,
When processing the read encryption block to be transmitted to a designated decryption server, the method further comprising the step of processing, by the program of the second terminal, to transmit the authentication value to the decryption server,
The authentication value is a two-channel authentication method using a contactless medium, characterized in that the validity is authenticated through the decryption server.
◈Claim 10 was abandoned when paying the registration fee.◈ According to claim 1, wherein the authentication information (t),
A two-channel authentication method using a contactless medium, characterized in that it comprises at least one of personal information input from the user through the second terminal and user's secret information corresponding to authentication means information corresponding to the encryption block.



delete delete delete delete delete delete delete delete

Images