KR102452717B1 - Apparatus and Method for User Authentication - Google Patents

Abstract

A user authentication device and method are disclosed. A user authentication method according to an embodiment of the present invention may include the steps of: determining whether a user ID (USER ID, UID) and password (Rememberable Password, RPWD) have been entered according to a login request from the user; if only a user ID (USER ID, UID) is entered, performing biometric authentication using a password (Authenticator Password, APWD) stored in advance in an authentication device owned by the user; and logging in to a specific service based on the user password (User Password, UPWD) restored from the password (Authenticator Password, APWD) output from the authentication device. Vulnerabilities of password-based user authentication can be remedied.

Description

Apparatus and Method for User Authentication}

The described embodiments relate to user authentication techniques.

ID/password authentication (hereafter, password authentication), which was first used in UNIX in the early 1970s, is still the most used user authentication method 50 years later.

Password authentication is vulnerable to a brute-force attack because the number of cases is small due to the characteristic that the user must remember and manually input it. In particular, since well-known passwords such as 'password', '123456', and 'asdf1234' are frequently used, passwords can be more easily hacked in a dictionary attack using them.

As IT technology rapidly develops from the Internet to smartphones and even IoT, the number of services subscribed per user increases rapidly, along with the increase in account information that users need to manage. Therefore, for convenience of use, users usually use the same ID and password in most subscription services, which amplifies the ripple effect when one server or account is hacked.

Recently, in order to prevent the use of such a weak password, the server side is forcing a password generation policy, for example, the use of zero or more characters, including one English/special character/numeric character, and replacing it every 6 months.

Therefore, it is not easy for users to remember complex and frequently changed passwords, so write down passwords, save them in a file, or pattern passwords that do not violate policy, such as 'January@01', 'February@02' , 'Samwol@03', etc. are bypassed, and on the contrary, it further lowers the password security.

There are two major techniques for improving password weakness as described above.

The first is to use software that manages passwords for you. For example, password management tools such as LastPass, RPass, Chrome password autocomplete, etc., are tools that store the user's password instead and input it when the user needs it.

However, these password management tools have the following problems.

First, when a user uses a stored password, user authentication is required, and this user authentication is also password authentication. That is, another password is encrypted with the master password. Therefore, when the master password is leaked, there is a risk that all account information of the user is leaked. In fact, in September 2017, Alpass was hacked and became an issue.

In addition, since it must always be connected to the Internet, the service may not be available in the event of a server failure, and there is a limit to use in the private network of a company/organization.

In addition, since all user account information is stored on the server, ownership of data is not guaranteed, and the service provider must be fully trusted.

The second method is to authenticate the user using biometric information such as fingerprint and iris instead of password. This biometric market standard FIDO (Fast Identity Online) is a next-generation authentication technology that replaces existing authentication technologies such as passwords and public certificates. It was established by the FIDO Alliance in December 2014. has been announced

However, FIDO has the following problems.

Since this is not compatible with the existing password authentication method, it requires a lot of money, time, and user cooperation to apply it to an already developed system. In addition, since a separate authentication device is required in FIDO, if the user loses the authentication device or the authentication device breaks down, the user's private key cannot be used, so password restoration or recovery is impossible. In preparation for such a situation, it is possible to back up the private key for restoration/recovery, but this causes the same problem as the existing public certificate.

The described embodiment can improve the vulnerability of password-based user authentication.

The described embodiment aims to solve a problem such as password leakage in a password-based authentication method.

The described embodiment aims to solve a problem that authentication information can be obtained only when always connected to the Internet.

The described embodiment aims to eliminate the dependency of having to completely trust an external operator.

The described embodiment has the purpose of making it compatible with the existing password authentication while complying with the FIDO standard.

The described embodiment aims to enable the restoration and recovery of passwords even if the authentication device in the FIDO is lost or broken.

The user authentication method according to the embodiment is a step of determining whether to input a user ID (USER ID, UID) and a password (Rememberable Password, RPWD) in response to a login request from a user, only the user ID (USER ID, UID) is input In this case, the step of performing biometric authentication using a password (Authenticator Password, APWD) stored in advance in the authentication device owned by the user and the user password restored from the password (Authenticator Password, APWD) output from the authentication device (User Password, UPWD) to log in to a specific service.

In this case, the step of performing biometric authentication is performed based on the FIDO standard protocol, and APWD may be input to or output from the authentication device using an extension field of the FIDO CTAP2 protocol.

At this time, the user authentication method according to the embodiment, before performing the above steps, changing the current UPWD (User Password) to RPWD (Rememberable Password) and registering the authentication and restoring the existing UPWD from the RPWD, and the new UPWD and The method may further include generating an Authenticator Password (APWD) and registering the user's authentication device.

At this time, the step of registering for authentication is a step of requesting the user to input the UID, the current UPWD, and the RPWP to be registered, as the initial registration request for authentication is requested from the user, the UID, the current UPWD and the RPWP to be registered from the user As input is received, chameleon hash It may include the steps of generating and storing a new UPWD and user parameters based on the function, and requesting a password change based on the UID, the current UPWD, and the new UPWD by accessing the application server of the connection target.

At this time, the step of registering the authentication device is a step of requesting the user to input the UID and RPWP, as the user requests to register the authentication device, and as the UID and RPWP are input from the user, restore the existing UPWP and store the user's in advance Creating and updating new UPWD, APWD and user parameters based on the chameleon hash function using parameters, storing the APWD in the user's authentication device through authentication based on the FIDO standard, and accessing the application server of the connection target It may include the step of requesting a password change based on the UID, the existing UPWD, and the new UPWD.

In this case, the step of performing biometric authentication includes the step of transmitting the challenge, which is a random value provided from the authentication provider, to the authentication device and requesting authentication (credential), the digital signature value of the challenge from the authentication device that has completed the biometric authentication of the user who is the authentication target, and It may include transmitting a credential response including the APWD to the authentication provider and receiving a result of verifying the digital signature value.

At this time, in the user authentication method according to the embodiment, as a result of determining whether a user (USER ID, UID) and a password (Rememberable Password, RPWD) are input, as the UID and RPWD are input, performing the biometric authentication and logging in Instead of the step, it is possible to perform a step of logging in to a specific service by restoring the existing UPWD based on the chameleon hash function using the RPWD.

In this case, the user authentication method according to the embodiment may further include, when a request to release the authentication device is requested, the user performs user authentication using the RPWD, and releases the registered authentication device.

At this time, the step of releasing is the step of restoring the existing UPWD based on the chameleon hash function using the RPWD as the user inputs the UID and RPWD and selects the button for losing the authentication device, accessing the application server of the access target It may include logging in based on the UID and the restored UPWD and requesting the authentication provider to delete the FIDO parameter.

A user authentication apparatus according to an embodiment includes a memory in which at least one program is recorded and a processor for executing the program, and the program, as a login request is requested from the user, a user ID (USER ID, UID) and a password (Rememberable Password) , RPWD) is inputted, if only UID is input, performing biometric authentication using a password (Authenticator Password, APWD) stored in advance in the authentication device owned by the user, and the password output from the authentication device ( A step of logging in to a specific service may be performed based on the user password (User Password, UPWD) restored from the Authenticator Password (APWD).

In this case, the step of performing biometric authentication is performed based on the FIDO standard protocol, and APWD may be input to or output from the authentication device using an extension field of the FIDO CTAP2 protocol.

At this time, the program, before performing the above steps, changing the current UPWD (User Password) to RPWD (Rememberable Password) to register for authentication and restore the existing UPWD from the RPWD, and a new UPWD and APWD (Authenticator Password) The step of creating and registering the user's authentication device may be further performed.

At this time, the step of registering for authentication is a step of requesting the user to input the UID, the current UPWD, and the RPWP to be registered, as the initial registration request for authentication is requested from the user, the UID, the current UPWD and the RPWP to be registered from the user As input is received, chameleon hash It may include the steps of generating and storing a new UPWD and user parameters based on the function, and requesting a password change based on the UID, the current UPWD, and the new UPWD by accessing the application server of the connection target.

At this time, the step of registering the authentication device is a step of requesting the user to input the UID and RPWP, as the user requests to register the authentication device, and as the UID and RPWP are input from the user, restore the existing UPWP and store the user's in advance Creating and updating new UPWD, APWD and user parameters based on the chameleon hash function using parameters, storing the APWD in the user's authentication device through authentication based on the FIDO standard, and accessing the application server of the connection target It may include the step of requesting a password change based on the UID, the existing UPWD, and the new UPWD.

In this case, the step of performing biometric authentication includes the step of transmitting the challenge, which is a random value provided from the authentication provider, to the authentication device and requesting authentication (credential), the digital signature value of the challenge from the authentication device that has completed the biometric authentication of the user who is the authentication target, and It may include transmitting a credential response including the APWD to the authentication provider and receiving a result of verifying the digital signature value.

At this time, the program determines whether a user ID (USER ID, UID) and a password (Rememberable Password, RPWD) are input, and as a result of determining whether the UID and RPWD are input, instead of performing the biometric authentication and logging in, RPWD can be used to restore the existing UPWD based on the chameleon hash function to further perform the step of logging in to a specific service.

In this case, the program may further perform the steps of, when a request to release the authentication device is requested, the user performs user authentication with the RPWD, and releases the registered authentication device.

At this time, the step of releasing is the step of restoring the existing UPWD based on the chameleon hash function using the RPWD as the user inputs the UID and RPWD and selects the button for losing the authentication device, accessing the application server of the access target It may include logging in based on the UID and the restored UPWD and requesting the authentication provider to delete the FIDO parameter.

The user authentication method according to the embodiment includes the steps of registering authentication by changing the current UPWD (User Password) to a RPWD (Rememberable Password), restoring the existing UPWD from the RPWD, and generating a new UPWD and APWD (Authenticator Password) of the user A step of registering an authentication device, a step of determining whether a user ID (USER ID, UID) and RPWD are input according to a login request from a user, and optionally a biometric authentication-based login step or a password-based login step depending on whether RPWD is input However, in the biometric authentication-based login step, as the UID is input, biometric authentication is performed using a password (Authenticator Password, APWD) previously stored in the authentication device owned by the user and the password output from the authentication device (Authenticator Password, APWD), including the step of logging in to a specific service based on the restored user password (User Password, UPWD), the password-based login step, as UID and RPWD are input, using RPWD chameleon hash It is possible to perform login to a specific service by restoring the existing UPWD based on the function.

In this case, the step of performing biometric authentication is performed based on the FIDO standard protocol, and APWD may be input to or output from the authentication device using an extension field of the FIDO CTAP2 protocol.

According to the described embodiment, it is possible to improve the vulnerability of password-based user authentication.

According to the described embodiment, since authentication is performed not only with a password but also with biometric information, security can be enhanced.

According to the described embodiment, no internet connection is required since the account information is stored in the authentication device.

According to the described embodiment, it is possible to lower the dependency on the service provider. That is, in the prior art, the service provider must trust the service provider and entrust the user account information, so it is dependent on the service provider, but according to the described embodiment, since the user's account information is stored in the authentication device used for FIDO authentication, the dependence of the service provider will be lowered. can

According to the described embodiment, it can be compatible with existing password authentication while complying with the FIDO standard. That is, since input and output of user account information through the authentication device is possible, the existing password authentication, which is a disadvantage of FIDO, can be compatible, and thus the cost can be reduced when applying FIDO biometric authentication in the existing system.

According to the described embodiment, even if the authentication device in the FIDO is lost or broken, the password can be restored and recovered.

1 is a diagram for explaining the concept of user authentication operation based on FIDO standard biometric authentication.
2 is a diagram for explaining a user authentication process based on the FIDO standard.
3 is a diagram for explaining a concept of a user authentication operation based on a FIDO standard according to an embodiment.
3 is a diagram for explaining a concept of a user authentication operation based on a FIDO standard according to an embodiment.
4 is a structural diagram of a FIDO standard-based user authentication framework according to an embodiment.
5 is a conceptual diagram of password generation based on a chameleon hash function according to an embodiment.
6 is a flowchart illustrating a user authentication method according to an embodiment.
7 is a sequence diagram of an authentication initial registration step ( S100 ) according to an embodiment.
8 to 10 are sequence diagrams of the registration step (S200) of the authentication device according to the embodiment.
11 to 13 are sequence diagrams of the FIDO-based user authentication step S300 according to the embodiment.
14 is a sequence diagram of a password-based user authentication step S400 according to an embodiment.
15 is a sequence diagram of a user authentication device release step S500 according to an embodiment.
16 is a diagram showing the configuration of a computer system according to an embodiment.

Advantages and features of the present invention and methods of achieving them will become apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but will be implemented in a variety of different forms, only these embodiments allow the disclosure of the present invention to be complete, and common knowledge in the technical field to which the present invention belongs It is provided to fully inform the possessor of the scope of the invention, and the present invention is only defined by the scope of the claims. Like reference numerals refer to like elements throughout.

Although "first" or "second" is used to describe various elements, these elements are not limited by the above terms. Such terms may only be used to distinguish one component from another. Accordingly, the first component mentioned below may be the second component within the spirit of the present invention.

The terminology used herein is for the purpose of describing the embodiment and is not intended to limit the present invention. In this specification, the singular also includes the plural, unless specifically stated otherwise in the phrase. As used herein, “comprises” or “comprising” implies that the stated component or step does not exclude the presence or addition of one or more other components or steps.

Unless otherwise defined, all terms used herein may be interpreted with meanings commonly understood by those of ordinary skill in the art to which the present invention pertains. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless clearly specifically defined.

Hereinafter, an apparatus and method according to an embodiment will be described in detail with reference to FIGS. 1 to 16 .

The present invention applies a method of authenticating a user using biometric information based on the FIDO standard in order to improve the weakness of the conventional password-based authentication. First, we will look at user authentication based on the FIDO standard.

1 is a diagram for explaining a user authentication process based on the FIDO standard.

That is, referring to FIG. 1, when a user accesses a service and requests authentication such as login (1), the service provider, which is the authentication subject, transmits a random value challenge to the user's authentication device (2).

Then, the user who is the authentication target performs biometric authentication as the primary authentication using the biometric authentication device (3). In this case, as biometric authentication, fingerprint, iris, and facial recognition may be included.

Then, after making the stored user's private key usable (4), the authentication device digitally signs the challenge value and returns it to the service provider (5).

The service provider has the user's public key, uses it to verify the digital signature value (6), and performs signature authentication with secondary authentication by verifying the challenge value sent by itself (6). Finally, the authentication result is transmitted (7) to the authentication device and displayed to the user.

FIDO as described above has the following advantages.

Because only the public key of the user is stored in the server, it is safe from the problem of personal information leakage due to server hacking.

While the public certificate is encrypted with a password and stored in the PC, in FIDO, the user's private key is encrypted inside the authentication device and can be used only after successful biometric authentication.

However, since this is a method that uses only biometric authentication and is incompatible with the existing password authentication method, a lot of money, time, and user cooperation are required to apply it to an already developed system.

In addition, since a separate authentication device is required in FIDO, if the user loses the authentication device or the authentication device breaks down, the user's private key cannot be used, so password restoration or recovery is impossible. In preparation for such a situation, it is possible to back up the private key for restoration/recovery, but this causes the same problem as the existing public certificate.

Therefore, the embodiment proposes a user authentication technology that complies with the FIDO standard but is compatible with the existing password-based authentication method, and can recover even when the authentication device is lost or broken.

2 and 3 are diagrams for explaining the concept of a FIDO standard-based user authentication operation according to an embodiment, FIG. 4 is a structural diagram of a FIDO standard-based user authentication framework according to the embodiment, and FIG. It is a conceptual diagram of password generation based on chameleon hash function. However, the embodiment is based on the FIDO standard for biometric authentication, but the present invention is not limited thereto. That is, it is pointed out that other types of implementations that can use biometric authentication and password-based authentication in combination are also included in the scope of the present invention.

Referring to FIG. 2 , in the embodiment, the FIDO standard-based user authentication maintains the existing password-based login, but as the biometric authentication is performed based on the FIDO standard, the ID and Password, which are account information stored in the authentication device 10, are used for login. It is automatically input into the user terminal 20 to be authenticated. Also, referring to FIG. 3 , in the embodiment, only biometric authentication based on the FIDO standard may be performed.

Accordingly, referring to FIG. 4 , the user terminal 20 may include an authentication module 21 that performs biometric authentication based on the FIDO standard and delivers a user account according to the biometric authentication to the existing application SW 24 .

In this case, the authentication module 21 may include a FIDO API and a Cameleon Hash Function (CHF) API.

The FIDO API works with the authentication device 10 to perform FIDO standard-based biometric authentication, and uses the user's account information output from the authentication device 10 according to the biometric authentication result, that is, the password (Authenticator Password, APWD) to CHF. pass it to the API.

In this case, the input/output of account information of the authentication device 10 can be implemented by utilizing the extension field of the FIDO CTAP2 protocol, and the standard can be complied with because there is no modification of the existing protocol. Here, the extension field is a preliminary field that can be defined by the authentication device developer.

CHF API performs password generation and restoration using a chameleon hash algorithm, and a user password (User Password, UPWD) stored in the server 30 and a password (Authenticator Password, APWD) stored in the authentication device 20 and for restoration You can use different passwords (Rememberable Password, RPWD).

Here, the hash algorithm has the characteristic of collision resistance with always different output values when the input values are different. The chameleon hash algorithm is an algorithm that can intentionally create input values in which collision occurs.

That is, as shown in FIG. 5 , if the chameleon hash algorithm is used, the APWD to be stored in the authentication device 10 from the RPWD that the user 1 can memorize / input and the UPWD to be stored in the DB 30 of the server can be calculated.

Here, APWD and UPWD are random numbers as result values of hashes. Accordingly, the complexity of the password itself increases, thereby improving security.

In addition, even if UPWD is leaked due to server hacking, RPWD and APWD cannot be inferred because they have a one-way feature.

In addition, the CHF API may generate and restore such a chameleon hash-based password to enable restoration and recovery of a user account using RPWD in case of loss or failure of the authentication device. Therefore, since users who do not have an authentication device can be authenticated by RPWD, service operation can be flexibly operated from the operator's point of view by operating with the existing password authentication.

Therefore, according to the embodiment, as shown in (a) shown in FIG. 4, when FIDO authentication is completed based on the standard protocol using the FIDO API of the authentication module 21, it is stored as an extension field in the authentication device 10. The existing APWD is transferred to the chameleon hash API, and the UPWD is restored and used for login in the existing application SW 24 that requested authentication.

In addition, as in (b) shown in Figure 4, when the existing password authentication compatible and authentication device is lost / broken, if the user 1 directly inputs the RPWD, the UPWD is restored through the chameleon hash API, and , is used for login in the existing application SW 24 that has requested authentication.

6 is a flowchart illustrating a user authentication method according to an embodiment.

Referring to FIG. 6 , in the user authentication method according to the embodiment, first, an authentication initial registration process of changing the UPWD (User Password) of the previously used password authentication to a RPWD (Rememberable Password) is performed (S100). A detailed description thereof will be described later with reference to FIG. 7 .

After that, the user's authentication device can be registered (S200), and the registration process of the authentication device restores the existing UPWD from the RPWD, creates a new UPWD and APWD (Authenticator Password), and then saves/sets it. It works the same as the FIDO2 standard protocol. A detailed description thereof will be described later with reference to FIGS. 8 to 10 .

As described above, after the authentication device registration is completed, when the authentication device is available according to the user authentication request (S250) (S260), user authentication may be performed based on the authentication device (S300). In this case, user authentication is performed based on the FIDO2 standard protocol, and a user can log in to a specific service based on the existing UPWD restored from the APWD stored in the authentication device. A detailed description thereof will be described later with reference to FIGS. 11 to 13 .

Meanwhile, when the authentication device cannot be used (S260), the same user authentication process as the existing UPWD authentication may be performed (S400). At this time, the user may directly input the RPWD, restore the existing UPWD therefrom, and log in to a specific service (S400). A detailed description thereof will be described later with reference to FIG. 14 .

On the other hand, when the authentication device release request is requested (S250) due to the loss of the authentication device, the user may perform user authentication with the RPWD and release the registered authentication device (S500). A detailed description thereof will be described later with reference to FIG. 15 .

7 is a sequence diagram of an authentication initial registration step ( S100 ) according to an embodiment.

Referring to FIG. 7 , as the authentication initial registration button is selected from the user 1 ( S101 ), the existing application 24 of the user terminal 20 requests the authentication client 23 to start authentication initial registration together with the SID. do (S102).

Then, the authentication client 23 displays an input window for the user ID (User ID, UID), the current UPWD, and the RPWP to be registered (S103).

As the UID, the current UPWD, and the RPWP to be registered are input from the user 1 (S104), the authentication client 23 generates an alternate password (S105). That is, based on the chameleon hash function, a new UPWD is generated, RK is generated, and the RPWD is encrypted.

Then, as the authentication client 23 requests the authentication provider 22 to store the user parameters (S106), the authentication provider 22 stores the parameters in the database (S107) and then determines whether success or failure. A result is returned (S108).

Meanwhile, the authentication client 23 returns the UID, SID, current UPWD, and new UPWD to the existing application 24 (S109).

Then, the existing application 24 accesses the application server 31 of the connection target 30 and requests a password change based on the UID, the current UPWD, and the new UPWD (S110).

Then, the application server 31 changes the current UPWD corresponding to the UID to the new UPWD (S111), maps the changed new UPWD to the UID, and stores it in the DB 31 (S112).

As the password change result is returned from the application server 31 (S113), the existing application 24 transmits the password change result to the authentication client 23 (S114).

Then, the authentication client 23 transmits the password change result to the authentication provider 22 (S115) so that the DB commit is performed (S116).

In addition, the existing application 24 displays the authentication initial registration result so that the user can check (S117).

8 to 10 are sequence diagrams of the registration step (S200) of the authentication device according to the embodiment.

Referring to FIG. 8 , as the authentication device registration button is selected by the user 1 ( S201 ), the existing application 24 requests the authentication client 23 to start registering the authentication device ( S202 ).

Then, the authentication client 23 displays an input window for UID and RPWP (S203).

As the UID and RPWP are input from the user 1 (S204), the authentication client 23 requests the user parameters to the authentication provider 22 (S205), and the authentication provider 22 detects the parameters in the database. After (S206), it returns to the authentication client 23 (S207).

The authentication client 23 restores the existing UPWD based on the chameleon hash function using the parameters (S208), and generates a replacement password (S209). That is, based on the chameleon hash function, new UPWD and APWD are generated, RK is generated, and RPWD is encrypted.

Then, the authentication client 23 requests the authentication provider 22 to update the user parameters (S210), and the authentication provider 22 updates the database with the parameters (S210), and the result of success or failure returns (S212).

Next, referring to FIG. 9 , the authentication device 10 registration process is performed based on the FIDO2 standard protocol.

That is, as the authentication client 23 requests a FIDO REGISTRATION REQUEST (S213), the authentication provider 22 transmits a random value challenge to the authentication client 23 (S214), and the authentication client 23 ) transmits the challenge to the authentication device 10 to request authentication (Credential) (S215). In this case, according to an embodiment, the APWD may be transmitted to the credential request by utilizing an extension field of the FIDO CTAP2 protocol.

Then, the authentication device 10 displays a biometric authentication request message to the authentication target user 1 ( S216 ), and the user 1 performs biometric authentication using the authentication device 10 ( S217 ). In this case, as biometric authentication, fingerprint, iris, and facial recognition may be included.

Then, the authentication device 10 stores the FIDO parameter and the APWD (S218), digitally signs the challenge value, and responds with a credential to the authentication client 23 (S219).

The authentication client 23 responds to the FIDO registration to the authentication provider 22 (S220), and the authentication provider 22 has the user's public key, so it verifies the digital signature value (S221) and registers the FIDO A result is returned (S222).

Next, referring to FIG. 10 , the authentication client 23 requests the authentication provider 22 to add the FIDO parameter ( S223 ), and the authentication provider 22 updates the DB with the additional requested parameter ( S224 ).

Meanwhile, the authentication client 23 returns the UID, SID, existing UPWD, and new UPWD to the existing application 24 (S225).

Then, the existing application 24 accesses the application server 31 of the connection target 30 and requests a password change based on the UID, the current UPWD, and the new UPWD (S226).

Then, the application server 31 changes the current UPWD corresponding to the UID to the new UPWD (S227), maps the changed new UPWD to the UID, and stores it in the DB 31 (S228).

As the password change result is returned from the application server 31 (S229), the existing application 24 transmits the password change result to the authentication client 23 (S230).

Then, the authentication client 23 transfers the password change result to the authentication provider 22 (S231) so that the DB commit is performed (S232).

In addition, the existing application 24 displays the authentication initial registration result so that the user can check (S233).

11 to 13 are sequence diagrams of the FIDO-based user authentication step S300 according to the embodiment.

Referring to FIG. 11 , in response to a login screen execution request from the user 1 ( S301 ), the existing application 24 displays an input window for UID and RPWP ( S302 ).

Then, after the user 1 inputs only the UID and selects the login button (S204), the existing application 24 transmits the UID and SID to the authentication client 23 to request a login start (S304) .

Then, the authentication client 23 requests the user parameter from the authentication provider 22 (S305), and the authentication provider 24 detects the parameter in the database (S306) and returns it to the authentication client 23 (S307).

Next, referring to FIG. 12 , a biometric authentication process by the authentication device 10 is performed based on the FIDO2 standard protocol.

That is, as the authentication client 23 requests a FIDO AUTHENTICATION REQUEST (S308), the authentication provider 22 transmits a random value challenge to the authentication client 23 (S309), and the authentication client 23 ) transmits the challenge to the authentication device 10 to request authentication (Credential) (S310).

Then, the authentication device 10 displays a biometric authentication request message to the authentication target user 1 (S311), and the authentication target user 1 performs biometric authentication using the authentication device 10 (S312) . In this case, as biometric authentication, fingerprint, iris, and facial recognition may be included.

Then, the authentication device 10 searches for the FIDO parameter and the APWD (S313), digitally signs the challenge value, and responds with a credential to the authentication client 23 (S219). In this case, depending on the embodiment, the APWD may respond to the Credential response by utilizing the Extension Field of the FIDO CTAP2 protocol.

The authentication client 23 makes a FIDO authentication response (FIDO REQUEST RESPONSE) to the authentication provider 22 (S315), and since the authentication provider 22 has the user's public key, it verifies the digital signature value using it (S316) ) and returns a FIDO authentication result (FIDO REQUEST RESULT) (S317).

13, the authentication client 23 restores the existing UPWD based on the chameleon hash function using the APWD (S318), and returns a result including the UID, SID and UPWD to the existing application 24. (S319).

Then, the existing application 24 accesses the application server 31 of the connection target 30 and logs in based on the UID and the restored UPWD (S320).

Then, the application server 31 executes a login using the UID and UPWD (S321), maps the UPWD with the UID, and stores it in the DB 31 (S322).

As the login result is returned from the application server 31 (S323), the existing application 24 displays the login result so that the user can check it (S324).

As described above, even if the user inputs only the UID without entering the password, the user can log in to the existing password-based service in the same way. In addition, since biometric authentication is performed, security can be further strengthened.

14 is a sequence diagram of a password-based user authentication step S400 according to an embodiment.

Referring to FIG. 14 , in response to a login screen execution request from the user 1 ( S401 ), the existing application 24 displays an input window for UID and RPWP ( S402 ).

Then, after the user 1 inputs the UID and RPWD and selects the login button (S403), the existing application 24 requests the authentication client 23 to start logging in (S404).

Then, the authentication client 23 requests the user parameter to the authentication provider 22 (S405), and the authentication provider 22 detects the parameter in the database (S406) and returns it to the authentication client 23 (S406) ( S407).

The authentication client 23 restores the existing UPWD based on the chameleon hash function using the RPWD (S408), and returns a result including the UID, SID, and UPWD to the existing application 24 (S409).

Then, the existing application 24 accesses the application server 31 of the connection target 30 and logs in based on the UID and the restored UPWD (S410).

Then, the application server 31 executes a login using the UID and UPWD (S411), maps the UPWD with the UID, and stores it in the DB 31 (S412).

As the login result is returned from the application server 31 (S413), the existing application 24 displays the login result so that the user can check it (S414).

As described above, when the user inputs the RPWP and UID, the existing password login is performed, but since the UPWP is restored from the RPWP based on a hash function, security can be enhanced.

15 is a sequence diagram of a user authentication device release step S500 according to an embodiment.

Referring to FIG. 15 , in response to a login screen execution request from the user 1 ( S501 ), the existing application 24 displays an input window for UID and RPWP ( S502 ).

Then, after the user 1 inputs the UID and RPWD, and selects the button for losing the authentication device (S503), the existing application 24 requests the authentication client 23 to start logging in (S504).

Then, the authentication client 23 requests the user parameter to the authentication provider 22 (S505), and the authentication provider 22 detects the parameter in the database (S506) and returns it to the authentication client 23 (S506) ( S507).

The authentication client 23 restores the existing UPWD based on the chameleon hash function using the RPWD (S508), and returns a result including the UID, SID, and UPWD to the existing application 24 (S509).

Then, the existing application 24 accesses the application server 31 of the access target 30 and logs in based on the UID and the restored UPWD (S510).

Then, the application server 31 executes a login using the UID and UPWD (S511), maps the UPWD with the UID, and stores it in the DB 31 (S512).

As the login result is returned from the application server 31 (S513), the login result is returned to the authentication client 23 via the existing application 24 (S514).

Then, the authentication client 23 requests the authentication provider 22 to delete the FIDO parameter (S515), and the authentication provider 22 deletes the parameter from the DB (S516) and returns the result (S517).

The result of deleting the parameter is returned to the existing application (S518), and the existing application 24 displays the authentication device loss processing result so that the user can check it (S519).

16 is a diagram showing the configuration of a computer system according to an embodiment.

The user terminal 20 according to the embodiment may be implemented in the computer system 1000 such as a computer-readable recording medium.

Computer system 1000 may include one or more processors 1010 , memory 1030 , user interface input device 1040 , user interface output device 1050 , and storage 1060 that communicate with each other via bus 1020 . can In addition, the computer system 1000 may further include a network interface 1070 coupled to the network 1080 . The processor 1010 may be a central processing unit or a semiconductor device that executes programs or processing instructions stored in the memory 1030 or storage 1060 . The memory 1030 and the storage 1060 may be a storage medium including at least one of a volatile medium, a non-volatile medium, a removable medium, a non-removable medium, a communication medium, and an information delivery medium. For example, the memory 1030 may include a ROM 1031 or a RAM 1032 .

Although embodiments of the present invention have been described above with reference to the accompanying drawings, those of ordinary skill in the art to which the present invention pertains can practice the present invention in other specific forms without changing its technical spirit or essential features. You will understand that there is Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive.

10: authentication device 20: user terminal
21: authentication module 24: existing application SW
30 : Server DB

Claims (20)

determining whether to input a user ID (USER ID, UID) and a password (Rememberable Password, RPWD) in response to a login request from the user;
performing biometric authentication using a password (Authenticator Password, APWD) previously stored in an authentication device owned by the user when only a user ID (USER ID, UID) is input; and
A user authentication method comprising logging in to a specific service based on a user password (UPWD) restored from a password (Authenticator Password, APWD) output from an authentication device. The method of claim 1, wherein performing biometric authentication comprises:
It is performed based on the FIDO standard protocol,
APWD,
A user authentication method that is input to or output from an authentication device using an extension field of the FIDO CTAP2 protocol. The method of claim 1,
Before performing the above steps, changing the current UPWD (User Password) to RPWD (Rememberable Password) and registering authentication; and
Restoring the existing UPWD from the RPWD, generating a new UPWD and APWD (Authenticator Password) further comprising the step of registering the user's authentication device, user authentication method. The method of claim 3, wherein the step of registering for authentication comprises:
requesting the user to input a UID, a current UPWD, and an RPWP to be registered in response to an initial registration request from the user;
As UID, current UPWD and RPWP to be registered are input from the user, generating and storing a new UPWD and user parameters based on the chameleon hash function; and
A user authentication method comprising the step of accessing an application server of a connection target and requesting a password change based on the UID, the current UPWD, and the new UPWD. The method of claim 4, wherein the step of registering the authentication device comprises:
requesting the user to input a UID and RPWP in response to a request for authentication device registration from the user;
As UID and RPWP are input from the user, restoring the existing UPWP and generating and updating new UPWD, APWD and user parameters based on the chameleon hash function using the pre-stored parameters of the user;
Storing the APWD in the user's authentication device through authentication based on the FIDO standard; and
A user authentication method comprising the step of accessing an application server of a connection target and requesting a password change based on the UID, the existing UPWD, and the new UPWD. The method of claim 2, wherein performing biometric authentication comprises:
transmitting a challenge, which is a random value provided from an authentication provider, to an authentication device to request authentication;
transmitting a credential response including a challenge digital signature value and APWD from an authentication device that has completed biometric authentication of a user who is an authentication target to an authentication provider; and
A user authentication method comprising the step of receiving a result of verifying the digital signature value. The method of claim 1,
As a result of determining whether a user (USER ID, UID) and password (Rememberable Password, RPWD) are input, as UID and RPWD are input,
Instead of performing the biometric authentication and logging in,
A user authentication method that uses RPWD to restore an existing UPWD based on a chameleon hash function to perform a log-in to a specific service. The method of claim 1,
When the authentication device release is requested, the user performs user authentication by RPWD, and further comprising the step of releasing the registered authentication device, the user authentication method. The method of claim 8, wherein the releasing comprises:
After the user enters the UID and RPWD and selects the authentication device lost button, restoring the existing UPWD based on the chameleon hash function using the RPWD;
accessing the application server of the access target and logging in based on the UID and the restored UPWD; and
A user authentication method comprising the step of requesting an authentication provider to delete the FIDO parameter. a memory in which at least one program is recorded; and
a processor for executing a program;
program,
determining whether to input a user ID (USER ID, UID) and a password (Rememberable Password, RPWD) in response to a login request from the user;
performing biometric authentication using a password (Authenticator Password, APWD) previously stored in an authentication device owned by the user when only a user ID (USER ID, UID) is input; and
A user authentication device that performs the step of logging in to a specific service based on a user password (UPWD) restored from a password (Authenticator Password, APWD) output from the authentication device. The method of claim 10, wherein performing biometric authentication comprises:
It is performed based on the FIDO standard protocol,
APWD,
A user authentication device that is input to or output from an authentication device using an extension field of the FIDO CTAP2 protocol. 11. The method of claim 10, wherein the program,
Before performing the above steps, changing the current UPWD (User Password) to RPWD (Rememberable Password) and registering authentication; and
Restoring the existing UPWD from the RPWD, generating a new UPWD and APWD (Authenticator Password) to further perform the steps of registering the user's authentication device, the user authentication device. The method of claim 12, wherein the step of registering for authentication comprises:
requesting the user to input a UID, a current UPWD, and an RPWP to be registered in response to the initial authentication registration request from the user;
As UID, current UPWD and RPWP to be registered are input from the user, generating and storing a new UPWD and user parameters based on the chameleon hash function; and
Accessing an application server of a connection target and requesting a password change based on the UID, the current UPWD and the new UPWD, the user authentication device. 14. The method of claim 13, wherein the step of registering the authentication device comprises:
requesting the user to input a UID and RPWP in response to a request for authentication device registration from the user;
As UID and RPWP are input from the user, restoring the existing UPWP and generating and updating new UPWD, APWD and user parameters based on the chameleon hash function using the pre-stored parameters of the user;
Storing the APWD in the user's authentication device through authentication based on the FIDO standard; and
A user authentication device comprising the step of accessing an application server of a connection target and requesting a password change based on the UID, the existing UPWD, and the new UPWD. The method of claim 11, wherein performing biometric authentication comprises:
transmitting a challenge, which is a random value provided from an authentication provider, to an authentication device to request authentication;
transmitting a credential response including a challenge digital signature value and APWD from an authentication device that has completed biometric authentication of a user who is an authentication target to an authentication provider; and
A user authentication device comprising the step of receiving a result of verifying the digital signature value. 11. The method of claim 10, wherein the program,
As a result of determining whether a user (USER ID, UID) and password (Rememberable Password, RPWD) are input, as UID and RPWD are input,
Instead of performing the biometric authentication and logging in,
A user authentication device that further performs the step of logging in to a specific service by restoring the existing UPWD based on the chameleon hash function using the RPWD. 11. The method of claim 10, wherein the program,
When the authentication device release is requested, the user performs user authentication with RPWD, and further performs the steps of releasing the registered authentication device. 18. The method of claim 17, wherein the releasing comprises:
After the user enters the UID and RPWD and selects the authentication device lost button, restoring the existing UPWD based on the chameleon hash function using the RPWD;
accessing the application server of the access target and logging in based on the UID and the restored UPWD; and
A user authentication device comprising the step of requesting an authentication provider to delete the FIDO parameter. Changing the current UPWD (User Password) to RPWD (Rememberable Password) and registering for authentication;
Restoring the existing UPWD from the RPWD, generating a new UPWD and APWD (Authenticator Password) to register the user's authentication device;
determining whether to input a user ID (USER ID, UID) and RPWD in response to a login request from the user;
Depending on whether RPWD is entered or not, optionally perform a biometric authentication-based login step or a password-based login step,
The biometric authentication-based login step is,
performing biometric authentication using a password (Authenticator Password, APWD) previously stored in an authentication device owned by the user in response to the UID being input; and
Logging in to a specific service based on a user password (User Password, UPWD) restored from a password (Authenticator Password, APWD) output from an authentication device,
Password-based login steps,
As UID and RPWD are input, using RPWD to restore the existing UPWD based on the chameleon hash function to log in to a specific service, a user authentication method. The method of claim 19, wherein performing biometric authentication comprises:
It is performed based on the FIDO standard protocol,
APWD,
A user authentication method that is input to or output from an authentication device using an extension field of the FIDO CTAP2 protocol.

Images