KR102509928B1 - Method and System for Provide OTP to Public Facilities Management Terminal - Google Patents

Abstract

The present invention relates to a method for providing an OTP to a public facility management terminal and a system thereof and, more specifically, to an OTP to a public facility management terminal and a system thereof which generate a QR code with information including a seed key loaded from an external storage medium by a management terminal, recognize the QR code by a user terminal to receive the information including the seed key, generate an OTP based on the seed key and generation time, and allow the management terminal to verify the OTP and determines whether it is valid when the OTP is inputted to the management terminal to unlock the management terminal.

Description

Method and system for providing OTP to public facilities management terminal {Method and System for Provide OTP to Public Facilities Management Terminal}

The present invention relates to a method and system for providing an OTP to a public facility management terminal, and more particularly, by generating a QR code with information including a seed key loaded from an external storage medium by a management terminal, and by a user terminal Recognizing the QR code to receive the information including a seed key, generating an OTP based on the seed key and generation time, and inputting the OTP to the management terminal, the management terminal verifies the OTP, The present invention relates to a method and system for providing an OTP to a public facility management terminal that unlocks the management terminal by determining whether it is valid.

Public facilities are accessible to a large number of people, so security is important. In addition, since public facilities are closely used by the public, when a security issue occurs, various problems such as information asset hacking, personal information leakage, malfunction, privacy invasion, and malicious code propagation may occur.

Recently, 17,000 IoT devices around the world have been infected with a malicious code called the Mozi botnet. An NIS official mentioned that the main target of this attack is equipment that does not change the password set at the time of product purchase or uses a password that can be easily guessed by a third party.

Therefore, in order to enhance the security of public facilities, there is a need to strengthen the login method so that third parties do not easily access the public facilities.

Among various methods for strengthening the login method, there is an OTP technology. OTP is an abbreviation of One Time Password, and it is a technology that generates a number every time an OTP device needs it and inputs the number to the server. Because it is a one-time use number, it cannot be reused even if it is exposed, and there is no risk of leakage because it is generated by a hidden algorithm.

However, the conventional OTP technology requires a separate device to generate the OTP, and cannot be used when the device requesting the OTP is not connected online, and time synchronization between the OTP device and the device requesting the OTP is required. I have a problem with needing it.

Accordingly, it is necessary to develop a system that does not require a separate OTP device, operates offline, and uses an algorithm different from the existing OTP method.

The present invention relates to a method and system for providing an OTP to a public facility management terminal, and more particularly, by generating a QR code with information including a seed key loaded from an external storage medium by a management terminal, and by a user terminal Recognizing the QR code to receive the information including a seed key, generating an OTP based on the seed key and generation time, and inputting the OTP to the management terminal, the management terminal verifies the OTP, The present invention relates to a method and system for providing an OTP to a public facility management terminal that unlocks the management terminal by determining whether it is valid.

In order to solve the above problems, an embodiment of the present invention is a method of providing an OTP performed by a public facility management terminal and a user terminal, wherein the public facilities loaded from an external storage medium by the management terminal Facility code of; , and seed key for the corresponding management terminal; management terminal information about the management terminal; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step of generating a QR code encoded to enable inverse conversion of information including; A QR code recognition step of recognizing the QR code, and verifying and storing information included in the QR code by the user terminal; an OTP generating step of generating, by the user terminal, the OTP according to a first rule set based on the seed key and a generation time, which is a time at which the user commands generation of the OTP; The management terminal receives the OTP from the user, stores the input count and input time of the OTP input, and temporarily creates a temporary creation time corresponding to the creation time according to a second rule preset in the received OTP. a verification OTP generation step of extracting and determining whether the OTP matches the verification OTP by generating a verification OTP according to the preset first rule set based on the seed key and the temporary generation time; and when, by the management terminal, the OTP matches the verification OTP in the verification OTP generation step, the input time falls within the limited time from the decrypted temporary creation time, and the number of inputs is less than the limited number of times. Provides a method for providing an OTP, including an OTP validity determination step of determining that the OTP is valid and releasing the lock of the management terminal.

In one embodiment of the present invention, the QR code recognition step includes a mutual information verification step, the information mutual verification step, by the user terminal, a first OTP generating step of generating a first OTP; a first OTP verification step of receiving, by the management terminal, the first OTP from the user, verifying the first OTP, and generating a second OTP when the first OTP is verified; a second OTP verification step of receiving, by the user terminal, the second OTP from the user and verifying the second OTP; and when the 2 OTP is verified in the second OTP verification step, the user terminal stores the facility code included in the QR code, the seed key, the management terminal information, the limited time, and the limited number of times. and storing code information, and the first OTP generating step to the second OTP verifying step may be repeated a preset number of times.

In one embodiment of the present invention, the first preset rule set includes a plurality of rules, and the rule for deriving the temporary creation time from the creation time is the tens digit of each minute and second of the creation time. Corresponds to the rule of deriving the temporary creation time by calculating the remainder of dividing the number and the ones digit by 8, binarizing each of the remainders into 3 bits and arranging them in order, and the seed key and the temporary creation time In the rule for generating the OTP or the verification OTP, in order to derive a temporary OTP having 64 bits, the seed key is input to the first hash function to generate a binaryized seed key, and the binaryized seed key is generated. 52 digit sequences corresponding to bits of 1 are extracted from the front of the seed key, the seed key and the generation time are input to the second hash function to generate a binary temporary key, and the digit is generated from the temporary key. Bit values corresponding to the order are extracted in order, the bit values are sequentially placed in 52 digits excluding the preset 12 digits among the 64-bit digits of the temporary OTP, and the temporary generation time is set in the preset 12 digits. Arrange in order to derive the temporary OTP having 64 bits, decompose the temporary OTP into binary numbers having 8 bits each of 8 digits from the front in order, and divide each of the binary numbers having 8 bits by 8 to obtain a remainder. may correspond to a rule for deriving the OTP or verification OTP, which is calculated and arranged in order.

In one embodiment of the present invention, the preset second rule converts the numbers of the OTP into binary numbers each having 8 bits from the front, arranges them in order, extracts bit values from preset 12 digits in order, , may correspond to a rule for deriving the temporary generation time by sequentially decomposing the extracted 12 bit values by 3 digits.

In one embodiment of the present invention, the management terminal includes a first module and a second module, and each of the first module and the second module determines the QR code generation step, the verification OTP generation step, and the OTP validity determination. OTP providing unit performing the steps; And a management unit for detecting other modules; wherein, while the OTP providing unit of a specific module among the first module and the second module performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step. , When the OTP providing unit of the specific module is forcedly terminated, the forced termination is detected by the management unit of the other module, and the QR code generating step, the verification OTP generating step, and the OTP by the OTP providing unit of the other module An effective judgment step may be performed subsequently.

In order to solve the above problems, one embodiment of the present invention is a system that provides an OTP including a public facility management terminal and a user terminal, wherein the user terminal recognizes the QR code by the user terminal and , QR code recognition step of verifying and storing the information included in the QR code; and an OTP generation step of generating an OTP according to a first rule set preset based on the seed key and a generation time, which is a time at which the user commanded OTP generation, and inputting the OTP to the locked management terminal by the user. ; and the management terminal includes: a facility code of the public facility loaded from an external storage medium; and a seed key for the corresponding management terminal; management terminal information about the management terminal; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step of generating a QR code encoded to enable inverse conversion of information including; The OTP is received from the user, the number of times the OTP is input and the input time are stored, a temporary creation time corresponding to the creation time is extracted from the received OTP according to a second rule set in advance, and the seed a verification OTP generation step of generating a verification OTP according to the preset first rule set based on a key and the temporary generation time, and determining whether the OTP matches the verification OTP; and when the OTP and the verification OTP coincide in the verification OTP generation step, the OTP is valid when the input time falls within the limited time from the decrypted temporary generation time and the number of inputs is less than the limited number of times. It provides a system for providing an OTP, performing an OTP validity determination step of determining and releasing the lock of the management terminal.

According to an embodiment of the present invention, since the management terminal loads information and installation files for generating an OTP from an external storage medium, the management terminal can exert an effect that does not require a network environment.

According to an embodiment of the present invention, since the management terminal and the user terminal generate and verify the OTP by the same algorithm, it is possible to achieve an effect of not requiring communication with each other.

According to one embodiment of the present invention, since the OTP is generated in the user terminal, an effect that does not require a separate OTP generating device can be exerted.

According to an embodiment of the present invention, since the temporary generation time corresponding to the generation time used when generating the OTP is calculated from the OTP, even if the time in the management terminal does not match the actual current time or the time of the user terminal, the OTP can exert an effect that can verify.

According to an embodiment of the present invention, the management terminal may be implemented as a first module and a second module, wherein the first module and the second module detect each other, and the first module and the second module detect each other. When a specific module among the modules is forcibly terminated, other modules operate, so that an attempt to release the lock by forcibly manipulating the management terminal can be prevented, thereby enhancing security.

According to an embodiment of the present invention, since an OTP is generated based on a seed key stored in each of the user terminal and the management terminal and an information mutual verification step of verifying each other is performed, the information is stored in the user terminal and the management terminal. It is possible to exert an effect of confirming whether the seed keys that have been created match.

According to an embodiment of the present invention, since the facility code and the management terminal information are stored in the user terminal, it is possible to easily distinguish each of a plurality of management terminals and generate an OTP for each.

1 schematically illustrates the steps of a method for providing an OTP according to an embodiment of the present invention.
Figure 2 schematically shows the QR code generation step and QR code recognition step according to an embodiment of the present invention.
3 schematically illustrates a mutual information verification step according to an embodiment of the present invention.
4 schematically illustrates an OTP generating step according to an embodiment of the present invention.
5 schematically illustrates a verification OTP generation step according to an embodiment of the present invention.
6 schematically illustrates an OTP validity determination step according to an embodiment of the present invention.
7 schematically illustrates a rule for deriving a temporary creation time from a creation time among a first preset rule set according to an embodiment of the present invention.
8 schematically illustrates a rule for deriving a digit sequence from a seed key among a first preset rule set according to an embodiment of the present invention.
9 schematically illustrates rules for arranging temporary keys based on digit order among a first preset rule set according to an embodiment of the present invention.
10 schematically illustrates rules for arranging temporary creation times based on preset 12 digits among preset first rule sets according to an embodiment of the present invention.
11 schematically illustrates rules for deriving an OTP or verification OTP from a temporary OTP among a first preset rule set according to an embodiment of the present invention.
12 schematically illustrates conversion of OTP numbers into binary numbers among preset second rules according to an embodiment of the present invention.
13 schematically illustrates derivation of temporary creation time among preset second rules according to an embodiment of the present invention.
14 schematically illustrates a first module and a second module according to an embodiment of the present invention.
15 illustratively illustrates the internal configuration of a computing device according to an embodiment of the present invention.

In the following, various embodiments and/or aspects are disclosed with reference now to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth in order to facilitate a general understanding of one or more aspects. However, it will also be appreciated by those skilled in the art that such aspect(s) may be practiced without these specific details. The following description and accompanying drawings describe in detail certain illustrative aspects of one or more aspects. However, these aspects are exemplary and some of the various methods in principle of the various aspects may be used, and the described descriptions are intended to include all such aspects and their equivalents.

Moreover, various aspects and features will be presented by a system that may include a number of devices, components and/or modules, and the like. It should also be noted that various systems may include additional devices, components and/or modules, and/or may not include all of the devices, components, modules, etc. discussed in connection with the figures. It must be understood and recognized.

"Example", "example", "aspect", "exemplary", etc., used herein should not be construed as preferring or advantageous to any aspect or design being described over other aspects or designs. . The terms '~unit', 'component', 'module', 'system', 'interface', etc. used below generally mean a computer-related entity, and for example, hardware, hardware It may mean a combination of and software, software.

Also, the terms "comprises" and/or "comprising" mean that the feature and/or element is present, but excludes the presence or addition of one or more other features, elements and/or groups thereof. It should be understood that it does not.

In addition, terms including ordinal numbers, such as first and second, may be used to describe various components, but the components are not limited by the terms. These terms are only used for the purpose of distinguishing one component from another. For example, a first element may be termed a second element, and similarly, a second element may be termed a first element, without departing from the scope of the present invention. The terms and/or include any combination of a plurality of related recited items or any of a plurality of related recited items.

In addition, in the embodiments of the present invention, unless otherwise defined, all terms used herein, including technical or scientific terms, are generally understood by those of ordinary skill in the art to which the present invention belongs. has the same meaning as Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in the embodiments of the present invention, an ideal or excessively formal meaning not be interpreted as

1 schematically illustrates the steps of a method for providing an OTP according to an embodiment of the present invention.

As shown in FIG. 1, as a method of providing an OTP performed by a public facility management terminal 1000 and a user terminal 2000, the public facility loaded from an external storage medium by the management terminal 1000 Facility code of ;, and a seed key for the corresponding management terminal (1000); Management terminal 1000 information about the management terminal 1000; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step (S100) of generating a QR code encoded to enable inverse conversion of information including; A QR code recognition step (S200) of recognizing the QR code, verifying and storing information included in the QR code by the user terminal (2000); OTP generation step (S300) of generating the OTP by the user terminal (2000) according to a first set of rules based on the seed key and a generation time, which is a time when the user commanded OTP generation; The management terminal 1000 receives the OTP from the user, stores the number of times the OTP is input and the input time, and corresponds to the generation time according to a second rule set in the received OTP. A verification OTP generation step of extracting a temporary creation time, generating a verification OTP according to the preset first rule set based on the seed key and the temporary creation time, and determining whether the OTP matches the verification OTP (S400). ); And by the management terminal 1000, if the OTP and the verification OTP match in the verification OTP generation step (S400), the input time corresponds to within the limited time from the decrypted temporary generation time, and the input time An OTP validity determination step (S500) of determining that the OTP is valid when the number of times is less than the limited number of times and releasing the lock of the management terminal 1000; may be included.

The method of providing OTP performed by the public facility management terminal 1000 and the user terminal 2000 includes QR code generation step (S100), QR code recognition step (S200), OTP generation step (S300), verification OTP generation step (S400), and an OTP validity determination step (S500).

The QR code generating step (S100) is performed by the management terminal 1000, and encodes information including the facility code, the seed key, the management terminal 1000 information, the limited time, and the limited number of times. It can be stored in the form of the QR code. When recognizing the QR code, the information may be received by inversely transforming the QR code.

The QR code recognition step (S200) is performed by the user terminal 2000, and recognizes the QR code generated by the management terminal 1000 to store and verify information included in the QR code. .

Specifically, the management terminal 1000 generates a QR code including information necessary for OTP generation, the user can recognize the QR code using the user terminal 2000, and the user terminal 2000 may perform an information mutual verification step of verifying the seed key, which is information included in the QR code.

The information mutual verification step may also be performed by the management terminal 1000 . That is, the mutual information verification step may correspond to a step of confirming whether the seed key of each of the user terminal 2000 and the management terminal 1000 is the same seed key. Details of the information mutual verification step will be described later.

The OTP generating step (S300) may be performed by the user terminal 2000 or may be performed by the user's OTP generating command. The user's OTP generation command may be activated by pressing an OTP generation button displayed on the screen of the user terminal 2000 .

The OTP may be generated by applying a predetermined first rule set to a generation time that is the time at which the OTP generation command is received and the seed key.

When the OTP is generated, the user can input the OTP displayed on the screen of the user terminal 2000 to the management terminal 1000 . The OTP may correspond to a password for unlocking the locked management terminal 1000 .

The verification OTP generation step (S400) may be performed by the management terminal 1000, is performed when the OTP is input from the user, and corresponds to a step of performing verification of the input OTP. In the verification OTP generation step (S400), a verification OTP is generated by the management terminal 1000, and the verification OTP is compared with the OTP, and if they match, it is determined that verification has been completed.

The OTP validity determination step (S500) may be performed by the management terminal 1000 and may correspond to a step of determining whether the OTP is a valid OTP. The OTP can have a valid time as a One Time Password, and in the present invention, the valid time can be set by setting a limited time for inputting the OTP. In addition, the number of times of input, which is the number of times of unlocking attempts by inputting the OTP, may be stored and compared with the predetermined limited number of times.

That is, in order for the OTP to be determined to be valid, both conditions must be satisfied: that the OTP is input within a limited time from the generation time and that the number of inputs does not exceed the limited number of times.

In another embodiment of the present invention, it is possible to set a limited number of times within a predetermined time. For example, you can set a limit of 5 times within 1 minute.

In order to provide a method for providing the OTP, the management terminal 1000 and the user terminal 2000 may correspond to a computing device including one or more processors and one or more memories, and a method for providing the OTP A computer program in which instructions for implementation are recorded is provided, and the corresponding method can be performed by executing the computer program in the management terminal 1000 and the user terminal 2000 . Preferably, the computer program may include an application.

That is, the computer program includes QR code generation, QR code recognition, information inverse conversion from QR code, a first rule set, a second rule, a first hash function, and a second hash function for implementing the method of providing the OTP. things can be included.

According to an embodiment of the present invention, the management terminal 1000 and the user terminal 2000 each have a computer program installed and a plurality of preset rules, so that the management terminal 1000 and the user terminal ( 2000) can generate and verify the OTP without mutual communication.

Figure 2 schematically shows a QR code generation step (S100) and a QR code recognition step (S200) according to an embodiment of the present invention.

As shown in FIG. 2, in the QR code generation step (S100), the facility code of the public facility loaded from an external storage medium by the management terminal 1000; and the seed for the management terminal 1000 key; Management terminal 1000 information about the management terminal 1000; the OTP input time limit input by the user; And the OTP input limited number of times; can generate a QR code encoded to enable inverse conversion of information including, the QR code recognition step (S200) by the user terminal 2000, recognizing the QR code, Information included in the QR code may be verified and stored.

In the QR code generating step (S100), information including the facility code, the seed key, the management terminal 1000 information, the limited time, and the limited number of times may be generated as a QR code.

The installation file, the seed key, and the facility code may be loaded by directly connecting the management terminal 1000 and the external storage medium instead of communicating in a network environment.

The installation file may correspond to an installation file of a computer program for performing the OTP providing method.

The seed key may be generated by the issuer in the issuer PC, and may be generated based on issuer PC information including the MAC address of the issuer PC and the current time (time at the time of issue). Specifically, the seed key may be generated by the issuer PC The seed key can be generated by inputting issuer PC information and the current time (time at issuance) of the PC into a hash function. Preferably, the hash function may correspond to HMAC whose output value is a 512 bits hash key. The output value may be output in various base numbers such as hexadecimal and binary numbers.

The facility code may correspond to identification information for the public facility. For example, the public facility may correspond to the Korean Intellectual Property Office computer, and the facility code may indicate characteristics of the corresponding public facility, such as 'Korean Intellectual Property Office computer 1'.

The external storage medium may include a plurality of pairs of the seed key and the facility code. For example, a seed key corresponding to the 'Korean Intellectual Property Office computer 1' and a seed key corresponding to the 'Korean Intellectual Property Office computer 2' exist, and the above two seed keys may be different from each other.

The management terminal 1000 information may include various information about the management terminal 1000, and preferably, may include the computer name of the management terminal and the operating system type of the management terminal 1000. In addition, the management terminal 1000 information can be extracted from the corresponding management terminal 1000 or can be input by a user.

The limited time and the limited number of times may be input by the user. The limited time may correspond to a limited time from when the OTP is generated to input, and the limited number of times may correspond to a limit on the number of times the OTP is input and verification fails. Accordingly, the time limit may mean a time period in which the generated OTP is valid.

That is, among the information included in the QR code, the facility code and the seed key can be loaded from the external storage medium, and the management terminal 1000 information can be extracted from the management terminal 1000 or input by a user. The limited time and the limited number of times may be set by the user.

According to an embodiment of the present invention, a computer program capable of encoding the information into a QR code is installed in the management terminal 1000. The computer program may be included in a computer program installed by the installation file.

In the QR code recognition step (S200), the QR code generated by the management terminal 1000 may be recognized. Specifically, the user can recognize the QR code displayed on the screen of the management terminal 1000 using the user terminal 2000, and the information included in the QR code by inversely converting the QR code. , the facility code, the seed key, the management terminal 1000 information, the limited time, and the limited number of times may be received, and if the seed key is verified, the information may be stored.

Verification of the seed key may be performed in a mutual information verification step included in the QR code recognition step (S200). This will be described later.

3 schematically illustrates a mutual information verification step according to an embodiment of the present invention.

As shown in Figure 3, the information mutual verification step, by the user terminal 2000, a first OTP generation step (S300) of generating a first OTP; a first OTP verification step of receiving, by the management terminal 1000, the first OTP from the user, verifying the first OTP, and generating a second OTP when the first OTP is verified; a second OTP verification step of receiving, by the user terminal 2000, the second OTP from the user and verifying the second OTP; and when the 2 OTP is verified in the 2 OTP verification step, by the user terminal 2000, the facility code included in the QR code, the seed key, the management terminal 1000 information, the limited time, and the QR code information storage step for storing a limited number of times; and the first OTP generation step (S300) to the second OTP verification step may be repeated a predetermined number of times.

Specifically, the information mutual verification step may correspond to steps S120 to step S180 in FIG. 3, and each step may be performed by the user terminal 2000 or the management terminal 1000, and each terminal This may correspond to a step of verifying whether seed keys stored in (the user terminal 2000 and the management terminal 1000) match.

Step S100 may correspond to the QR code generating step (S100), and the above-described QR code may be generated by the management terminal 1000.

Step S110 may correspond to the QR code recognition step (S200), and the QR code may be recognized by the user terminal 2000. Accordingly, the user terminal 2000 can receive the seed key.

In step S120, the user terminal 2000 may generate a first OTP for verification. The 1st OTP may be generated by a first set of predetermined rules based on a seed key received by the user terminal 2000 and a first creation time, which is a time at which the user commands generation of the 1st OTP. It may be displayed on the screen of the terminal 2000.

In step S130, the first OTP displayed on the screen of the user terminal 2000 may be input from the user to the manager terminal.

Step S140 may be performed by the management terminal 1000 and may verify the first OTP. Specifically, a first temporary creation time corresponding to the first creation time may be extracted by applying a predetermined second rule to the first OTP input from the user, and the seed key stored in the manager terminal and the A first verification OTP may be generated by applying the first rule set at a first temporary generation time, and if the first OTP and the first verification OTP match, it may be determined that the first OTP is verified.

In step S150, when the first OTP is verified, it may be performed by the manager terminal, and a second OTP may be generated. Specifically, the second OTP may be generated by a first rule set preset based on a seed key stored in the manager terminal and a second generation time, which is a time to generate the second OTP.

In step S160, the second OTP displayed on the screen of the management terminal 1000 may be input to the user terminal 2000 from the user.

Step S170 may be performed by the user terminal 2000 and may verify the second OTP. Specifically, a second provisional creation time corresponding to the second creation time may be extracted by applying a predetermined second rule to the second OTP input from the user, and the seed key received by the user terminal 2000. and a second verification OTP may be generated by applying the first rule set at the second temporary generation time, and if the second OTP and the second verification OTP match, it may be determined that the second OTP is verified.

In step S180, when the second OTP is verified, the seed key received by the user terminal 2000, the facility code, the management terminal 1000 information, the limited time, and the limited number of times may be stored.

Steps S120 to S170 may be repeated a predetermined number of times.

The stored facility code, the management terminal 1000 information, the limited time, and the limited number of times may be displayed in the user terminal 2000 when an OTP for the corresponding management terminal 1000 is generated. In addition, the facility code, the management terminal 1000 information, the limited time, and the limited number of times may be displayed on the lock screen of the management terminal 1000 .

For example, a lock screen may be initially displayed on the management terminal 1000, and the facility code, information on the management terminal 1000, the limited time, and the limited number of times may be displayed on the lock screen. The user checks the facility code and the management terminal (1000) information displayed on the lock screen, and generates an OTP on the screen displaying the corresponding facility code and management terminal (1000) information in the using terminal. The OTP may be generated by a corresponding seed key for the corresponding facility code and the corresponding management terminal 1000 information.

According to an embodiment of the present invention, since the facility code and the management terminal 1000 information are stored in the user terminal 2000, each of the plurality of management terminals 1000 is easily distinguished and an OTP for each is generated. You can exert the effect you can.

4 schematically shows an OTP generating step (S300) according to an embodiment of the present invention.

As shown in FIG. 4 , in the OTP generation step (S300), a first rule set preset by the user terminal 2000 based on the seed key and the generation time, which is the time when the user commands the OTP generation, is set. The OTP can be generated by

The OTP generation step (S300) may be performed by the user terminal 2000 and may correspond to a step of generating an OTP for unlocking the locked management terminal 1000. The user may command the user terminal 2000 to generate the OTP, and the user terminal 2000 may include a generation time according to the command; And a seed key received as the QR code and stored in the user terminal 2000; it is possible to generate an OTP based on.

Specifically, the OTP may be generated by applying a preset first rule set to the generation time and the seed key. The preset first rule set will be described later.

The OTP may be newly generated every predetermined time and displayed on the user terminal 2000 .

The preset time may correspond to the limited time.

5 schematically illustrates a verification OTP generation step (S400) according to an embodiment of the present invention.

As shown in FIG. 5, in the verification OTP generating step (S400), the management terminal 1000 receives the OTP from the user, stores the input count and input time of the OTP input, and inputs the OTP. A temporary creation time corresponding to the generation time is extracted from the received OTP by a preset second rule, and a verification OTP is generated by the preset first rule set based on the seed key and the temporary creation time, It may be determined whether the OTP coincides with the verification OTP.

5(A) corresponds to a diagram showing the number of inputs and the input time.

In the verification OTP generating step (S400), when the OTP is received from the user, the number of input times and the input time for the OTP can be stored, and a verification OTP can be generated and verified by comparing with the OTP.

Specifically, the OTP generated by the user terminal 2000 may be displayed on the screen of the user terminal 2000 and may be input to the management terminal 1000 by the user.

When receiving the OTP, the management terminal 1000 may store the input time and number of inputs of the OTP. The input count may be reset when the lock is released. That is, if verification of the input OTP fails, the number of times may be increased.

5 (B) corresponds to a diagram illustrating a process of generating a verification OTP.

The management terminal 1000 may extract the temporary creation time by applying a preset second rule to the OTP. The temporary generation time may correspond to the generation period used when generating the OTP.

When generating the OTP, a temporary creation time based on the generation time may be derived. Therefore, when the OTP is decrypted according to the second predetermined rule, the temporary creation time can be extracted. Details of the preset second rule for extracting the temporary creation time from the OTP will be described later.

Subsequently, the management terminal 1000 may generate the verification OTP by applying the preset first rule set to the seed key stored in the management terminal 1000 and the temporary generation time.

The OTP was generated based on the seed key and generation time stored in the user terminal 2000, and the verification OTP was generated based on the seed key stored in the management terminal 1000 and the generation time extracted from the generation time. Since it is generated based on the corresponding temporary creation time, when the seed key stored in the user terminal 2000 and the seed key stored in the management terminal 1000 match, the OTP and the verification OTP match. can do.

In the verification OTP generating step (S400), if the OTP and the verification OTP match, it can be determined as verification success, and if the OTP and the verification OTP match, verification failure is determined, and the input count is reset. may not

According to an embodiment of the present invention, since the temporary generation time corresponding to the generation time used when generating the OTP is calculated from the OTP, the time in the management terminal 1000 is the actual current time or the user terminal 2000 Even if it does not match the time, the effect of verifying the OTP can be exerted.

6 schematically illustrates the OTP validity determination step (S500) according to an embodiment of the present invention.

As shown in FIG. 6, in the OTP validity determination step (S500), when the OTP and the verification OTP coincide with each other in the verification OTP generation step (S400) by the management terminal 1000, the input time When the decrypted temporary generation time falls within the limited time and the number of times of input is less than the limited number of times, it is determined that the OTP is valid and the management terminal 1000 is unlocked.

(A) of FIG. 6 corresponds to a diagram showing a criterion for input time.

In the present invention, in order to enhance the security of the OTP, a time limit for inputting the corresponding OTP may be set, and a limit for the number of attempts to unlock the management terminal 1000 may be set.

The OTP validity determination step (S500) may correspond to a step of determining whether the OTP is valid, and may include two criteria for determining whether the OTP is valid.

The first criterion is the criterion for the time limit, and since the time limit is the time from generating the OTP to inputting it, the first criterion is that the input time is a decrypted temporary corresponding to the generation time from the OTP. It corresponds to whether it is within the above limited time from the creation time.

That is, if the temporary creation time is decoded, the creation time can be derived.

(B) of FIG. 6 corresponds to a diagram showing a criterion for the number of inputs.

The second criterion is the criterion for the limited number of times, and the second criterion corresponds to whether the number of inputs stored in the verification OTP generating step (S400) is less than the limited number of times.

When it is determined that the OTP is valid, both of the above two criteria are met, the input time falls within the limited time from the temporary creation time, and the number of inputs is less than the limited number of times, and the OTP is determined to be valid If so, the management terminal 1000 can release the lock.

According to an embodiment of the present invention, when the number of times of input is equal to or greater than the limit number of times, OTP may not be input to the management terminal 1000 for a predetermined period of time.

7 to 11, the preset first rule set includes a plurality of rules, and a rule for deriving the temporary creation time from the creation time includes ten minutes and seconds, respectively, of the creation time. Corresponds to the rule of deriving the temporary generation time by calculating the remainder of dividing the number of digits and the number of ones digits by 8, binarizing each of the remainders into 3 bits and arranging them in order, and the seed key and the The rule for generating the OTP or the verification OTP at the temporary generation time is to input the seed key to the first hash function to generate the binaryized seed key in order to derive the temporary OTP having 64 bits, and to generate the binaryized seed key. 52 digit numbers corresponding to bits of 1 are extracted from the front of the binary seed key, the seed key and the generation time are input to a second hash function to generate a binary temporary key, and the temporary key extracts bit values corresponding to the digit order in order, arranges the bit values in order in 52 digits excluding the preset 12 digits among the 64-bit digits of the temporary OTP, and sets the temporary generation time to the preset The temporary OTP having 64 bits is derived by arranging 12 digits in order, and the temporary OTP is sequentially decomposed into binary numbers having 8 bits each of 8 digits from the front, and 8 for each of the binary numbers having 8 bits. It may correspond to a rule for deriving the OTP or verification OTP arranged in order by calculating the remainder divided by .

The preset first rule set includes a plurality of rules, and when each rule is applied, the OTP and the verification OTP can be derived from the seed key and the generation time. That is, in the OTP generating step (S300) and the verification OTP generating step (S400), detailed steps may be performed by applying each rule of the preset first rule set. The preset first rule set may be stored in the user terminal 2000 and the management terminal 1000 .

7 schematically illustrates a rule for deriving a temporary creation time from a creation time among a first preset rule set according to an embodiment of the present invention.

The generation time may include year, month, day, hour, minute, and second, which are the date and time when the OTP is commanded to be generated. In the rule for deriving the temporary creation time from the creation time, only minutes and seconds can be used in the creation time.

Each of the minutes and seconds of the creation time includes a number corresponding to the tens digit and the ones digit, and each of them can be derived as a part of the temporary creation time.

Specifically, each of the tens digit, the tens digit, the tens digit, and the tens digit of the second may be processed by Mod8 (a function that calculates the remainder divided by 8), and the result for Mod8 The value can be binarized to 3 bits. The temporary generation time can be derived by arranging each of the result values binarized into the 3 bits in order.

That is, the remainder of dividing the tens place of the minute by 8 is calculated, and the resulting value is binarized with 3 bits to obtain the first (A1), second (A2), It can be placed in the third (A3).

The remainder of division by 8 is calculated for the unit digit of the minute, and the resulting value is binarized with 3 bits, and the fourth (A4), fifth (A5), and sixth of the 12 bits of the temporary creation time are calculated. It can be placed in (A6).

The remainder of division by 8 is calculated for the tens digit of the second, and the resulting value is binarized with 3 bits, and the seventh (A7), eighth (A8), and ninth ( A9) can be placed.

Calculate the remainder of dividing the unit digit of the second by 8, and convert the resulting value into a 3-bit binary number to obtain the 10th (A10), 11th (A11), and 12th ( A12) can be placed.

Accordingly, the temporary generation time may correspond to a binary number having 12 bits.

8 schematically illustrates a rule for deriving a digit sequence from a seed key among a first preset rule set according to an embodiment of the present invention.

In order to generate the OTP, a digit sequence number may be calculated from the seed key.

Specifically, the seed key may be input to a first hash function, and may be output after being binarized by the first hash function.

The first hash function can be configured by combining a plurality of hash functions, so that even if the form of the input value is diverse, the output value can be output in binary. The first hash function may preferably include HMAC_SHA512.

The binaryized seed key may have a plurality of bits, and as an embodiment of the present invention, FIG. 8 shows a binaryized seed key having 512 bits.

In FIG. 8, the digit order of the bit value corresponding to 1 among the plurality of bits of the binaryized seed key is 52, including the 1st, 4th, 5th, 9th, 12th, and 512th. can be calculated for

That is, the digit order may mean the order of bits corresponding to 1 among the bits of the binaryized seed key extracted from the front, and may include 52 bits.

In FIG. 8, the binaryized seed key having 512 bits is only an example, but is not limited thereto.

The digit order shown in FIG. 8 is only an example, and is not limited thereto.

9 schematically illustrates rules for arranging temporary keys based on digit order among a first preset rule set according to an embodiment of the present invention.

A bit value extracted from the temporary key based on the digit order corresponds to a part of the temporary OTP.

As a result, the temporary OTP may correspond to a binary number having 64 bits, and 52 bits of the 64 bits may be composed of bit values extracted from the temporary key.

Specifically, the seed key and the generation time may be input to a second hash function, and may be output as a temporary key by the second hash function. The implication may correspond to a binary number.

The second hash function can be configured by combining a plurality of hash functions, so that the output value can be output in binary even if the form of the input value is diverse. The second hash function may preferably include HMAC_SHA512. Also, the first hash function and the second hash function may be the same.

Among the plurality of bits of the temporary key, the bit values of the bits corresponding to the digit order are sequentially extracted, and the extracted 52 bit values are stored in 52 digits excluding the preset 12 digits among the 64-bit digits of the temporary OTP. They can be placed in any order.

The above rule is described as an example in FIG. 9 as follows. 9 shows a temporary key corresponding to a binary number having 512 bits.

In FIG. 9, when a bit value corresponding to the digit order is extracted from a plurality of bits of the temporary key, it can be shown as shown in A of FIG.

That is, from the plurality of bits of the temporary key, bit values corresponding to 52 sequential bits including the 1st, 4th, 5th, 9th, 12th, and 512th position numbers shown in FIG. 8 are extracted. can

The temporary OTP is a binary number having 64 bits, and the 64 bits should be displayed in a row. However, B in FIG. 9 corresponds to rearranging the incomplete temporary OTP by 8 bits from the front for convenience of explanation. do. Each cell of B corresponds to a bit of the temporary OTP, and 64 bits of the incomplete temporary OTP are shown as a total of 64 cells. In addition, the shaded part in B means the preset 12 digits.

Accordingly, the portions marked B1 to B52 without shading in B correspond to sequential arrangement of the bit values of A.

10 schematically illustrates rules for arranging temporary creation times based on preset 12 digits among preset first rule sets according to an embodiment of the present invention.

After arranging the bit value corresponding to the digit order among the plurality of bits of the temporary key in 52 digits among the 64-bit digits of the temporary OTP, the bits of the temporary generation time are sequentially arranged in the remaining 12 preset digits. A temporary OTP can be derived.

Specifically, the temporary generation time corresponds to a binary number composed of 12 bits, and 12 bits among 64 bits of the temporary OTP correspond to the preset 12 digits. Accordingly, in order to derive the temporary OTP, each of the 12 bits may be sequentially arranged in the preset 12 digits.

The temporary OTP of FIG. 10 can be derived by arranging A1 to A12, which are bits of the temporary generation time, in order in the shaded portion in B (unfinished temporary OTP) of FIG. 9 .

The temporary OTP is a binary number having 64 bits, and the 64 bits should be displayed in a row. However, the temporary OTP of FIG. 10 corresponds to rearranging the temporary OTP by 8 bits from the front for convenience of explanation. . Each cell of B corresponds to a bit of the temporary OTP, and 64 bits of the temporary OTP are shown as a total of 64 cells.

That is, the 1st to 8th bits of the temporary OTP correspond to B1, B2, B3, B4, B5, A1, B6, and A2 in FIG. 10, and the 9th to 16th bits of the temporary OTP in FIG. B7, B8, B9, B10, B11, A3, B12, and B13 correspond to, and the 17th to 24th bits of the temporary OTP are B14, B15, B16, B17, B18, A4, B19, and A5 in FIG. , the 25th to 32nd bits of the temporary OTP correspond to B20, B21, B22, B23, B24, A6, B25, and B26 in FIG. 10, and the 33rd to 40th bits of the temporary OTP are 10 corresponds to B27, B28, B29, B30, B31, A7, B32, and A8, and the 41st to 48th bits of the temporary OTP are B33, B34, B35, B36, B37, A9, B38, and B39, and the 49th to 56th bits of the temporary OTP correspond to B40, B41, B42, B43, B44, A10, B45, and A11 in FIG. 10, and the 57th to 64th bits of the temporary OTP. corresponds to B46, B47, B48, B49, B50, A12, B51, and B52 in FIG. 10 .

The preset 12 digits of the temporary OTP may mean a preset 12 digit sequence number.

11 schematically illustrates rules for deriving an OTP or verification OTP from a temporary OTP among a first preset rule set according to an embodiment of the present invention.

OTP or verification OTP can be derived from the temporary OTP.

Specifically, if the temporary OTP is decomposed in units of 8 bits from the beginning, since the temporary OTP corresponds to 64 bits, a binary number having eight 8 bits can be derived. If the 8 binary numbers having 8 bits are input to the Mod8 function, the remainder of dividing the binary number having 8 bits by 8 can be calculated, and the 8-digit number in which each of the remainders are arranged in order is OTP or verification OTP. can be derived with

Accordingly, the number corresponding to the OTP or the verification OTP may correspond to 0 to 7.

In another embodiment of the present invention, each of the others may be arranged in a predetermined order.

A in FIG. 11 corresponds to the eight 8-bit binary numbers obtained by decomposing the temporary OTP. The eight 8-bit binary numbers are arranged in order.

Therefore, B1, B2, B3, B4, B5, A1, B6, and A2 are placed in the first number of OTP or verification OTP, and the remainder after dividing by 8 is the binary number having 8 bits corresponding to B7. , B8, B9, B10, B11, A3, B12, and B13, the remainder of division by 8 of the binary number with 8 bits corresponding to OTP or verification OTP is placed in the second number, B14, B15, B16, B17, The remainder of division by 8 of the binary number with 8 bits corresponding to B18, A4, B19, and A5 is placed in the third number of OTP or verification OTP, and B20, B21, B22, B23, B24, A6, B25, and The remainder of division by 8 of the binary number with 8 bits corresponding to B26 is placed in the 4th number of OTP or verification OTP, and 8 bits corresponding to B27, B28, B29, B30, B31, A7, B32, and A8 The remainder of division by 8 of the binary number is placed in the 5th digit of the OTP or verification OTP, and is divided by 8 of the binary number with 8 bits corresponding to B33, B34, B35, B36, B37, A9, B38, and B39. The remainder is placed in the 6th digit of the OTP or verification OTP, and the remainder divided by 8 of the binary number with 8 bits corresponding to B40, B41, B42, B43, B44, A10, B45, and A11 is the OTP or verification OTP. It is placed in the 7th number, and the remainder after dividing by 8 of the binary number with 8 bits corresponding to B46, B47, B48, B49, B50, A12, B51, and B52 is placed in the 8th number of OTP or verification OTP.

That is, each value obtained by decimalizing the part corresponding to B in FIG. 11 may correspond to each 8-digit number in order of OTP or verification OTP.

The OTP of FIG. 11 may mean all OTPs generated in the present invention. That is, the first OTP, the second OTP, the OTP, and the verification OTP may be generated according to the above-described first rule set.

As shown in FIGS. 12 and 13, the preset second rule converts the numbers of the OTP into binary numbers each having 8 bits from the front and arranges them in order, and sets the bit values in the preset 12 digits in order. It may correspond to a rule for deriving the temporary generation time by extracting the extracted 12 bit values as described above and sequentially decomposing the extracted 12 bit values by 3 digits.

The OTP was generated by the first preset rule set, and accordingly, when the OTP is decoded, the bit values of the temporary generation time are arranged at a predetermined position (preset 12 digits in the preset first rule set). may have been

Accordingly, when the preset second rule is applied to the OTP, the temporary creation time can be derived.

12 schematically illustrates conversion of OTP numbers into binary numbers among preset second rules according to an embodiment of the present invention.

Each of the 8 numbers constituting the OTP may be converted into a binary number having 8 bits and may be arranged in order. Since the numbers constituting the OTP correspond to 0 to 7, the 1st to 5th bit values of the 8-bit binary number may correspond to 0.

That is, the 1st number constituting OTP is a binary number with the first 8 bits, the 2nd number constituting OTP is a binary number with 2nd 8 bits, and the 2nd number constituting OTP is a binary number with 2nd 8 bits. , the 3rd number constituting OTP is a binary number having the third 8 bits, the 4th number constituting OTP is a binary number having the 4th 8 bits, and the 5th number constituting OTP is It is a binary number with the 5th 8 bits, the 6th number constituting the OTP is a binary number with the 6th 8 bits, the 7th number constituting the OTP is a binary number with the 7th 8 bits, You can place the 8th number as a binary number with the 8th 8 bits. A of FIG. 12 represents this.

According to an embodiment of the present invention, the digit order of the 1st bit of the binary number having the 1st 8 bits may be set to 1, and the digit order of the 8th bit of the binary number having the 8th 8 bits may be set to 64. .

In another embodiment of the present invention, each of the eight numbers constituting the OTP may be converted into a binary number having 8 bits, and a binary number having 64 bits may be derived by combining them in order.

13 schematically illustrates derivation of temporary creation time among preset second rules according to an embodiment of the present invention.

The numbers of the OTP can be converted to binary numbers each having 8 bits from the front, and bit values can be sequentially extracted (B) from 12 digits (shading) preset in the batch (A), and the preset 12 If the 12 bit values extracted from the digits are sequentially decomposed into 3 digits, they can be decomposed into 4 binary numbers, which may correspond to the temporary generation time.

That is, the order in the preset 12 digits may be determined based on the order from the leftmost bit of the binary number having the first 8 bits to the rightmost bit of the binary number having the eighth 8 bits.

The preset 12 digits in the second rule in the present invention may be the same as the preset 12 digits in the first rule set.

According to one embodiment of the present invention, the digit order of the 1st bit of the binary number having the 1st 8 bits is given as 1, and the digit order of the 8th bit of the binary number having the 8th 8 bits is given as 64 in order. and 12 preset digits can be derived according to the digit order of the bits.

In another embodiment of the present invention, it is possible to derive the preset 12 digits by converting each of the 8 numbers constituting the OTP into a binary number having 8 bits and deriving a binary number having 64 bits by summing them in order. there is.

14 schematically illustrates a first module and a second module according to an embodiment of the present invention.

As shown in FIG. 14, the management terminal 1000 includes a first module 1100 and a second module 1200, each of the first module 1100 and the second module 1200 OTP providing unit for performing the QR code generation step (S100), the verification OTP generation step (S400) and the OTP validity determination step (S500); And a management unit for detecting other modules; including, the OTP providing unit of a specific module among the first module 1100 and the second module 1200, the QR code generating step (S100), the verification OTP generating step ( S400) and during the OTP validity determination step (S500), if the OTP providing unit of the specific module is forcibly terminated, the forced termination is detected by the management unit of another module, and the OTP providing unit of the other module detects the forced termination. The QR code generation step (S100), the verification OTP generation step (S400), and the OTP validity determination step (S500) can be performed subsequently.

14(A) corresponds to a diagram showing the configuration of the first module 1100 and the second module 1200.

The management terminal 1000 is provided with a computer program in which instructions are recorded to perform the OTP providing method of the present invention, and the computer program includes the first module 1100 and the second module 1200 can be implemented by

Each of the first module 1100 and the second module 1200 may include an OTP providing unit 1110 or 1210 and a management unit 1120 or 1220. The OTP providing unit (1110 or 1210) may perform the QR code generation step (S100), the verification OTP generation step (S400) and the OTP validity determination step (S500), and the management unit (1120 or 1220) Other modules can be detected.

That is, the management unit 1120 of the first module 1100 can detect the operation of the second module 1200, and the management unit 1220 of the second module 1200 can detect the operation of the first module 1100. motion can be sensed.

14 (B) corresponds to a diagram showing the operation of the first module 1100 and the second module 1200.

One of the attempts to forcibly release the lock of the management terminal 1000 may include a method of forcibly terminating the computer program that performs the method of providing the OTP of the management terminal 1000 . In the present invention, in order to prevent the above-described method, a method of providing the OTP may be implemented with a plurality of modules capable of performing the same operation.

That is, the method of providing the OTP may be performed by one of the OTP providing unit of the first module 1100 and the OTP providing unit of the second module 1200 .

The QR code generation step (S100) for the method of providing the OTP in the OTP providing unit of a specific module among the OTP providing unit of the first module 1100 and the OTP providing unit of the second module 1200, the verification During the OTP generation step (S400) and the OTP validity determination step (S500), if the OTP providing unit of the specific module is forcibly terminated due to various external or internal problems, the management unit of the other module detects the forced termination. can do.

The management unit of the other module that detects the forced termination may command the operation of the OTP providing unit of the other module, and accordingly, the OTP providing unit of the other module generates the QR code for the method of providing the OTP ( S100), the verification OTP generation step (S400), and the OTP validity determination step (S500) can be performed subsequently.

Further, according to an embodiment of the present invention, the management unit of the other module may command an operation of the management unit of the specific module, so that an effect of preparing for a case in which the other module is forcibly terminated can be exerted.

15 schematically illustrates the internal configuration of a computing device according to an embodiment of the present invention.

The management terminal 1000 and the user terminal 2000 illustrated in FIG. 2 described above may include components of the computing device 11000 illustrated in FIG. 15 .

As shown in FIG. 15, a computing device 11000 includes at least one processor 11100, a memory 11200, a peripheral interface 11300, an input/output subsystem ( I/O subsystem 11400, a power circuit 11500, and a communication circuit 11600 may be included at least. In this case, the computing device 11000 may correspond to the management terminal 1000 and the user terminal 2000 shown in FIG. 2 .

The memory 11200 may include, for example, high-speed random access memory, magnetic disk, SRAM, DRAM, ROM, flash memory, or non-volatile memory. . The memory 11200 may include a software module, a command set, or other various data necessary for the operation of the computing device 11000.

In this case, access to the memory 11200 from other components, such as the processor 11100 or the peripheral device interface 11300, may be controlled by the processor 11100.

Peripheral interface 11300 may couple input and/or output peripherals of computing device 11000 to processor 11100 and memory 11200 . The processor 11100 may execute various functions for the computing device 11000 and process data by executing software modules or command sets stored in the memory 11200 .

The input/output subsystem can couple various input/output peripherals to peripheral interface 11300. For example, the input/output subsystem may include a controller for coupling a peripheral device such as a monitor, keyboard, mouse, printer, or touch screen or sensor to the peripheral device interface 11300 as needed. According to another aspect, input/output peripherals may be coupled to the peripheral interface 11300 without going through the input/output subsystem.

The power circuit 11500 may supply power to all or some of the terminal's components. For example, power circuit 11500 may include a power management system, one or more power sources such as a battery or alternating current (AC), a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator or power It may contain any other components for creation, management and distribution.

The communication circuit 11600 may enable communication with another computing device using at least one external port.

Alternatively, as described above, the communication circuit 11600 may include an RF circuit and transmit/receive an RF signal, also known as an electromagnetic signal, to enable communication with other computing devices.

The embodiment of FIG. 15 is only an example of the computing device 11000, and the computing device 11000 may omit some of the components shown in FIG. 15, further include additional components not shown in FIG. It may have a configuration or arrangement combining two or more components. For example, a computing device for a communication terminal in a mobile environment may further include a touch screen or a sensor in addition to the components shown in FIG. , Bluetooth, NFC, Zigbee, etc.) may include a circuit for RF communication. Components that may be included in the computing device 11000 may be implemented as hardware including one or more signal processing or application-specific integrated circuits, software, or a combination of both hardware and software.

Methods according to embodiments of the present invention may be implemented in the form of program instructions that can be executed through various computing devices and recorded in computer readable media. In particular, the program according to the present embodiment may be composed of a PC-based program or a mobile terminal-specific application. An application to which the present invention is applied may be installed in the management terminal 1000 or the user terminal 2000 through a file provided by a file distribution system. For example, the file distribution system may include a file transmission unit (not shown) for transmitting the file according to a request of the management terminal 1000 or the user terminal 2000 .

The device described above may be implemented as a hardware component, a software component, and/or a combination of hardware components and software components. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA) , a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. The processing device may run an operating system (OS) and one or more software applications running on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of software. For convenience of understanding, there are cases in which one processing device is used, but those skilled in the art will understand that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that it can include. For example, a processing device may include a plurality of processors or a processor and a controller. Other processing configurations are also possible, such as parallel processors.

Software may include a computer program, code, instructions, or a combination of one or more of the foregoing, which configures a processing device to operate as desired or processes independently or collectively. You can command the device. Software and/or data may be any tangible machine, component, physical device, virtual equipment, computer storage medium or device, intended to be interpreted by or to provide instructions or data to a processing device. , or may be permanently or temporarily embodied in a transmitted signal wave. Software may be distributed on networked computing devices and stored or executed in a distributed manner. Software and data may be stored on one or more computer readable media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. Program commands recorded on the medium may be specially designed and configured for the embodiment or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. - includes hardware devices specially configured to store and execute program instructions, such as magneto-optical media, and ROM, RAM, flash memory, and the like. Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter, as well as machine language codes such as those produced by a compiler. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

According to an embodiment of the present invention, since the management terminal loads information and installation files for generating an OTP from an external storage medium, the management terminal can exert an effect that does not require a network environment.

According to an embodiment of the present invention, since the management terminal and the user terminal generate and verify the OTP by the same algorithm, it is possible to achieve an effect of not requiring communication with each other.

According to one embodiment of the present invention, since the OTP is generated in the user terminal, an effect that does not require a separate OTP generating device can be exerted.

According to an embodiment of the present invention, since the temporary generation time corresponding to the generation time used when generating the OTP is calculated from the OTP, even if the time in the management terminal does not match the actual current time or the time of the user terminal, the OTP can exert an effect that can verify.

According to an embodiment of the present invention, the management terminal may be implemented as a first module and a second module, wherein the first module and the second module detect each other, and the first module and the second module detect each other. When a specific module among the modules is forcibly terminated, other modules operate, so that an attempt to release the lock by forcibly manipulating the management terminal can be prevented, thereby enhancing security.

According to an embodiment of the present invention, since an OTP is generated based on a seed key stored in each of the user terminal and the management terminal and an information mutual verification step of verifying each other is performed, the information is stored in the user terminal and the management terminal. It is possible to exert an effect of confirming whether the seed keys that have been created match.

According to an embodiment of the present invention, since the facility code and the management terminal information are stored in the user terminal, it is possible to easily distinguish each of a plurality of management terminals and generate an OTP for each.

As described above, although the embodiments have been described with limited examples and drawings, those skilled in the art can make various modifications and variations from the above description. For example, the described techniques may be performed in an order different from the method described, and/or components of the described system, structure, device, circuit, etc. may be combined or combined in a different form than the method described, or other components may be used. Or even if it is replaced or substituted by equivalents, appropriate results can be achieved.

Therefore, other implementations, other embodiments, and equivalents of the claims are within the scope of the following claims.

Claims (6)

As a method of providing OTP performed by a public facility management terminal and a user terminal,
a facility code of the public facility loaded from an external storage medium by the management terminal; and a seed key for the corresponding management terminal; management terminal information about the management terminal; a time limit for the OTP input input by the user; QR code generation step of generating a QR code encoded to enable inverse conversion of information including; and a limited number of times for the OTP input;
A QR code recognition step of recognizing the QR code, and verifying and storing information included in the QR code by the user terminal;
an OTP generating step of generating, by the user terminal, the OTP according to a first rule set based on the seed key and a generation time, which is a time at which the user commands generation of the OTP;
The management terminal receives the OTP from the user, stores the input count and input time of the OTP input, and temporarily creates a temporary creation time corresponding to the creation time according to a second rule preset in the received OTP. a verification OTP generation step of extracting and determining whether the OTP matches the verification OTP by generating a verification OTP according to the preset first rule set based on the seed key and the temporary generation time; and
When the OTP and the verification OTP match in the verification OTP generation step by the management terminal, the input time falls within the limited time from the decrypted temporary generation time, and the number of inputs is less than the limited number of times An OTP validity determination step of determining that the OTP is valid and releasing the lock of the management terminal;
The management terminal includes a first module and a second module,
Each of the first module and the second module includes an OTP providing unit that performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step; And a management unit for detecting other modules;
While the OTP providing unit of a specific module among the first module and the second module performs the QR code generating step, the verification OTP generating step, and the OTP validity determining step, the OTP providing unit of the specific module is forcibly terminated In this case, the forced termination is detected by the management unit of the other module, and the QR code generation step, the verification OTP generation step, and the OTP validity determination step are subsequently performed by the OTP providing unit of the other module to provide an OTP method.
The method of claim 1,
The QR code recognition step includes a mutual information verification step,
In the information mutual verification step,
A first OTP generating step of generating a first OTP by the user terminal;
a first OTP verification step of receiving, by the management terminal, the first OTP from the user, verifying the first OTP, and generating a second OTP when the first OTP is verified;
a second OTP verifying step of receiving, by the user terminal, the second OTP from the user and verifying the second OTP; and
If the 2 OTP is verified in the 2 OTP verification step, the user terminal stores the facility code included in the QR code, the seed key, the management terminal information, the limited time, and the QR code for storing the limited number of times. Including; information storage step;
Wherein the first OTP generating step to the second OTP verifying step are repeated a predetermined number of times.
The method of claim 1,
The preset first rule set includes a plurality of rules,
The rule for deriving the temporary creation time from the creation time is,
Calculate the remainder of dividing the number of tens digits and ones digits of the minutes and seconds of the generation time by 8, binarize each of the remainders into 3 bits, and arrange them in order to derive the temporary creation time conform to the rules,
The rule for generating the OTP or the verification OTP at the seed key and the temporary generation time,
To derive a temporary OTP with 64 bits,
By inputting the seed key into a first hash function, a binaryized seed key is generated, and 52 digit sequences having bits corresponding to 1 are extracted from the front of the binaryized seed key,
generating a binaryized temporary key by inputting the seed key and the generation time into a second hash function;
sequentially extracting bit values corresponding to the digit order from the temporary key;
Arranging the bit values in order in 52 digits excluding the preset 12 digits among the 64-bit digits of the temporary OTP,
The temporary OTP having 64 bits is derived by arranging the temporary generation time in order in the preset 12 digits;
The temporary OTP is sequentially decomposed into binary numbers having 8 bits each of 8 digits from the front, and the remainder of dividing by 8 is calculated for each of the binary numbers having 8 bits to derive the OTP or verification OTP arranged in order Corresponding to the rules, how to provide OTP.
The method of claim 1,
The preset second rule,
The numbers of the OTP are converted into binary numbers each having 8 bits from the front and placed in order, and bit values are extracted in order from preset 12 digits,
A method of providing an OTP corresponding to a rule of deriving the temporary generation time by sequentially decomposing the extracted 12 bit values by 3 digits.
delete A system that provides an OTP including a public facility management terminal and a user terminal,
The user terminal,
A QR code recognition step of recognizing a QR code, verifying and storing information included in the QR code; and
An OTP generating step of generating an OTP according to a first rule set preset based on a seed key and a generation time, which is the time at which the user commands OTP generation, and inputting the OTP to the locked management terminal by the user; perform,
The management terminal,
a facility code of the public facility loaded from an external storage medium; and a seed key for the corresponding management terminal; management terminal information about the management terminal; a time limit for the OTP input input by the user; And a limited number of times for the OTP input; QR code generation step of generating the QR code encoded to enable inverse conversion of information including;
The OTP is received from the user, the number of times the OTP is input and the input time are stored, a temporary creation time corresponding to the creation time is extracted from the received OTP according to a second rule set in advance, and the seed a verification OTP generation step of generating a verification OTP according to the preset first rule set based on a key and the temporary generation time, and determining whether the OTP matches the verification OTP; and
In the verification OTP generating step, if the OTP coincides with the verification OTP, the OTP is determined to be valid if the input time falls within the limited time from the decrypted temporary creation time and the number of inputs is less than the limited number of times To perform an OTP validity determination step of unlocking the management terminal;
The management terminal includes a first module and a second module,
Each of the first module and the second module includes an OTP providing unit that performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step; And a management unit for detecting other modules;
While the OTP providing unit of a specific module among the first module and the second module performs the QR code generating step, the verification OTP generating step, and the OTP validity determining step, the OTP providing unit of the specific module is forcibly terminated In this case, the forced termination is detected by the management unit of the other module, and the QR code generation step, the verification OTP generation step, and the OTP validity determination step are subsequently performed by the OTP providing unit of the other module to provide an OTP system.

Images