KR102547694B1 - Method and System for Providing OTP to Access Control System - Google Patents

Abstract

The present invention relates to a method and system for providing an OTP to an access control system, and more particularly, is installed by a first computing device including a management terminal, an access control module, a service server, and a camera, which are components of the access control system. Generates a QR code with information including a seed key loaded from a file, recognizes the QR code by a user terminal, receives the information including the seed key, and generates an OTP based on the seed key and generation time and, when the OTP is input to the first computing device, the first computing device verifies the OTP and determines whether it is valid to unlock the first computing device, wherein the OTP is provided to an access control system; and It's about the system.

Description

Method and System for Providing OTP to Access Control System {Method and System for Providing OTP to Access Control System}

The present invention relates to a method and system for providing an OTP to an access control system, and more particularly, is installed by a first computing device including a management terminal, an access control module, a service server, and a camera, which are components of the access control system. Generates a QR code with information including a seed key loaded from a file, recognizes the QR code by a user terminal, receives the information including the seed key, and generates an OTP based on the seed key and generation time and, when the OTP is input to the first computing device, the first computing device verifies the OTP and determines whether it is valid to unlock the first computing device, wherein the OTP is provided to an access control system; and It's about the system.

The access control system can control access to unspecified outsiders other than employees or officials in public institutions, government offices, companies, etc., and can control access to specific areas such as document storage rooms, goods, and equipment warehouses. Therefore, for internal security, it is important to protect the security of the access control system itself.

When a security issue occurs in the access control system, various problems such as intrusion by outsiders, hacking of information assets, leakage of personal information, malfunction, and propagation of malicious codes may occur.

Recently, 17,000 IoT devices around the world have been infected with a malicious code called the Mozi botnet. An NIS official mentioned that the main target of this attack is equipment that does not change the password set at the time of product purchase or uses a password that can be easily guessed by a third party.

Therefore, in order to strengthen the security of the access control system, there is a need to strengthen the login method for components included in the access control system, such as devices and servers, so that third parties do not easily access the access control system.

Among various methods for strengthening the login method, there is an OTP technology. OTP is an abbreviation of One Time Password, and it is a technology that generates a number every time an OTP device needs it and inputs the number to the server. Because it is a one-time use number, it cannot be reused even if it is exposed, and there is no risk of leakage because it is generated by a hidden algorithm.

However, the conventional OTP technology has a problem in that a separate device for generating the OTP is required and time synchronization is required between the OTP device and the equipment requesting the OTP.

Accordingly, it is necessary to develop a system that does not require a separate OTP device and uses an algorithm different from the existing OTP method.

The present invention relates to a method and system for providing an OTP to an access control system, and more particularly, generates a QR code with information including a seed key loaded from an installation file by a first computing device, and When the information including the seed key is received by recognizing the QR code, an OTP is generated based on the seed key and a generation time, and the OTP is input to the first computing device, the first computing device A method and system for providing an OTP to an access control system that unlocks the first computing device by verifying the OTP and determining whether the OTP is valid is provided.

In order to solve the above problems, an embodiment of the present invention is a method of providing an OTP performed by a first computing device and a user terminal included in an access control system, by the first computing device, a facility code of the first computing device loaded from a file; and a seed key for the first computing device; first computing device information about the first computing device; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step of generating a QR code encoded to enable inverse conversion of information including; A QR code recognition step of recognizing the QR code, and verifying and storing information included in the QR code by the user terminal; an OTP generating step of generating, by the user terminal, the OTP according to a first rule set based on the seed key and a generation time, which is a time at which the user commands generation of the OTP; the first computing device; or a second computing device that communicates with the first computing device; receives the OTP from the user, and stores the input count and input time of the OTP input by the first computing device; A temporary creation time corresponding to the creation time is extracted from the inputted OTP according to a second preset rule, and a verification OTP is generated according to the preset first rule set based on the seed key and the temporary creation time. , a verification OTP generation step of determining whether the OTP coincides with the verification OTP; and when the OTP and the verification OTP coincide with each other in the verification OTP generating step by the first computing device, the input time falls within the limited time from the decrypted temporary generation time, and the number of inputs is the limited number of times. It provides a method for providing an OTP, including; an OTP validity determination step of determining that the OTP is valid if it is less than.

In one embodiment of the present invention, the QR code recognition step includes an information mutual verification step,

The mutual information verification step may include: a first OTP generating step of generating a first OTP by the user terminal; A second OTP verification step of receiving the first OTP from the user by the first computing device or the second computing device, receiving the second OTP from the user by the user terminal, and verifying the second OTP. ; and when the 2 OTP is verified in the 2 OTP verification step, the facility code included in the QR code, the seed key, the first computing device information, the limited time, and the limited number of times are stored by the user terminal. It includes, and the first OTP generation step to the second OTP verification step may be repeated a predetermined number of times.

In one embodiment of the present invention, the first preset rule set includes a plurality of rules, and the rule for deriving the temporary creation time from the creation time is the tens digit of each minute and second of the creation time. Corresponds to the rule of deriving the temporary creation time by calculating the remainder of dividing the number and the ones digit by 8, binarizing each of the remainders into 3 bits and arranging them in order, and the seed key and the temporary creation time In the rule for generating the OTP or the verification OTP, in order to derive a temporary OTP having 64 bits, the seed key is input to the first hash function to generate a binaryized seed key, and the binaryized seed key is generated. 52 digit sequences corresponding to bits of 1 are extracted from the front of the seed key, the seed key and the generation time are input to the second hash function to generate a binary temporary key, and the digit is generated from the temporary key. Bit values corresponding to the order are extracted in order, the bit values are sequentially placed in 52 digits excluding the preset 12 digits among the 64-bit digits of the temporary OTP, and the temporary generation time is set in the preset 12 digits. Arrange in order to derive the temporary OTP having 64 bits, decompose the temporary OTP into binary numbers having 8 bits each of 8 digits from the front in order, and divide each of the binary numbers having 8 bits by 8 to obtain a remainder. may correspond to a rule for deriving the OTP or verification OTP, which is calculated and arranged in order.

In one embodiment of the present invention, the preset second rule converts the numbers of the OTP into binary numbers each having 8 bits from the front, arranges them in order, extracts bit values from preset 12 digits in order, , may correspond to a rule for deriving the temporary generation time by sequentially decomposing the extracted 12 bit values by 3 digits.

In one embodiment of the present invention, the first computing device includes an OTP module including a first module and a second module, and each of the first module and the second module performs the QR code generating step, the verification OTP an OTP providing unit that performs the generation step and the OTP validity determination step; And a management unit for detecting other modules; wherein, while the OTP providing unit of a specific module among the first module and the second module performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step. , When the OTP providing unit of the specific module is forcedly terminated, the forced termination is detected by the management unit of the other module, and the QR code generating step, the verification OTP generating step, and the OTP by the OTP providing unit of the other module An effective judgment step may be performed subsequently.

In order to solve the above problems, an embodiment of the present invention is a system that provides an OTP including a first computing device included in an access control system and a user terminal, wherein the first computing device is loaded from an installation file. a facility code of the first computing device; and a seed key for the first computing device; first computing device information about the first computing device; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step of generating a QR code encoded to enable inverse conversion of information including the number of times, the user terminal recognizes the QR code, and information included in the QR code Performs a QR code recognition step of verifying and storing; and the user terminal generates the OTP by a first set of rules based on the seed key and a generation time, which is a time when the user commands the OTP generation. OTP generation step to perform; the first computing device; or a second computing device that communicates with the first computing device; receives the OTP from the user, and the first computing device stores the input count and input time of receiving the OTP; A temporary creation time corresponding to the creation time is extracted from the OTP by a preset second rule, and a verification OTP is generated by the preset first rule set based on the seed key and the temporary creation time, a verification OTP generation step of determining whether the OTP matches the verification OTP; and the first computing device, when the OTP and the verification OTP match in the verification OTP generation step, the input time falls within the limited time from the decrypted temporary generation time, and the number of inputs is Provides a system for providing OTP, performing an OTP validity determination step of determining that the OTP is valid if the number of times is less than the limit.

According to an embodiment of the present invention, since the first computing device loads information and installation files for generating OTP, the first computing device can provide an OTP providing method without a separate network environment. can

According to an embodiment of the present invention, since the first computing device and the user terminal generate and verify the OTP by the same algorithm, it is possible to achieve an effect of not needing to communicate with each other.

According to one embodiment of the present invention, since the OTP is generated in the user terminal, an effect that does not require a separate OTP generating device can be exerted.

According to an embodiment of the present invention, since the temporary creation time corresponding to the generation time used when generating the OTP is calculated from the OTP, the time in the first computing device does not match the actual current time or the time of the user terminal. Even if it is not, it can exert the effect of verifying the OTP.

According to one embodiment of the present invention, the OTP module may be implemented as a first module and a second module, the first module and the second module detect each other, and the first module and the second module Since other modules operate when a specific module among the modules is forcibly terminated, an attempt to unlock the lock by forcibly manipulating the OTP module of the first computing device can be prevented, thereby enhancing security.

According to an embodiment of the present invention, since an OTP is generated based on a seed key stored in each of the user terminal and the first computing device, and an information mutual verification step of verifying each other is performed, the user terminal and the first computing device perform an information mutual verification step. It can exert an effect of confirming whether the seed key stored in the computing device matches.

According to an embodiment of the present invention, since the facility code and the first computing device information are stored in the user terminal, it is possible to easily distinguish each of a plurality of first computing devices and generate an OTP for each one. can exert

1 schematically illustrates the steps of a method for providing an OTP according to an embodiment of the present invention.
2 schematically illustrates a case in which an OTP module is included in a management terminal according to an embodiment of the present invention.
3 schematically illustrates a case in which an OTP module is included in an access control module according to an embodiment of the present invention.
4 schematically illustrates a case in which an OTP module is included in a service server according to an embodiment of the present invention.
5 schematically illustrates a case in which an OTP module is included in a camera according to an embodiment of the present invention.
6 schematically illustrates a QR code generation step and a QR code recognition step according to an embodiment of the present invention.
7 schematically illustrates an information mutual verification step according to an embodiment of the present invention.
8 schematically shows an information mutual verification step according to an embodiment of the present invention.
9 schematically illustrates an OTP generating step according to an embodiment of the present invention.
10 schematically illustrates a verification OTP generation step according to an embodiment of the present invention.
11 schematically illustrates a verification OTP generation step according to an embodiment of the present invention.
12 schematically illustrates an OTP validity determination step according to an embodiment of the present invention.
13 schematically illustrates a rule for deriving a temporary creation time from a creation time among a first preset rule set according to an embodiment of the present invention.
14 schematically illustrates a rule for deriving a digit sequence from a seed key among a first preset rule set according to an embodiment of the present invention.
15 schematically illustrates rules for arranging temporary keys based on digit order among a first preset rule set according to an embodiment of the present invention.
16 schematically illustrates rules for arranging temporary creation times based on preset 12 digits among preset first rule sets according to an embodiment of the present invention.
17 schematically illustrates rules for deriving an OTP or verification OTP from a temporary OTP among a first preset rule set according to an embodiment of the present invention.
FIG. 18 schematically illustrates conversion of OTP numbers into binary numbers among preset second rules according to an embodiment of the present invention.
19 schematically illustrates derivation of temporary creation time among preset second rules according to an embodiment of the present invention.
20 schematically illustrates a first module and a second module according to an embodiment of the present invention.
21 illustratively illustrates the internal configuration of a computing device according to an embodiment of the present invention.

In the following, various embodiments and/or aspects are disclosed with reference now to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth in order to facilitate a general understanding of one or more aspects. However, it will also be appreciated by those skilled in the art that such aspect(s) may be practiced without these specific details. The following description and accompanying drawings describe in detail certain illustrative aspects of one or more aspects. However, these aspects are exemplary and some of the various methods in principle of the various aspects may be used, and the described descriptions are intended to include all such aspects and their equivalents.

Moreover, various aspects and features will be presented by a system that may include a number of devices, components and/or modules, and the like. It should also be noted that various systems may include additional devices, components and/or modules, and/or may not include all of the devices, components, modules, etc. discussed in connection with the figures. It must be understood and recognized.

"Example", "example", "aspect", "exemplary", etc., used herein should not be construed as preferring or advantageous to any aspect or design being described over other aspects or designs. . The terms '~unit', 'component', 'module', 'system', 'interface', etc. used below generally mean a computer-related entity, and for example, hardware, hardware It may mean a combination of and software, software.

Also, the terms "comprises" and/or "comprising" mean that the feature and/or element is present, but excludes the presence or addition of one or more other features, elements and/or groups thereof. It should be understood that it does not.

In addition, terms including ordinal numbers, such as first and second, may be used to describe various components, but the components are not limited by the terms. These terms are only used for the purpose of distinguishing one component from another. For example, a first element may be termed a second element, and similarly, a second element may be termed a first element, without departing from the scope of the present invention. The terms and/or include any combination of a plurality of related recited items or any of a plurality of related recited items.

In addition, in the embodiments of the present invention, unless otherwise defined, all terms used herein, including technical or scientific terms, are generally understood by those of ordinary skill in the art to which the present invention belongs. has the same meaning as Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in the embodiments of the present invention, an ideal or excessively formal meaning not be interpreted as

1 schematically illustrates the steps of a method for providing an OTP according to an embodiment of the present invention.

As shown in FIG. 1, as a method of providing an OTP performed by a first computing device 1000 and a user terminal 2000 included in an access control system, by the first computing device 1000, the installation a facility code of the first computing device 1000 loaded from a file; and a seed key for the first computing device 1000; first computing device information about the first computing device (1000); the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step (S100) of generating a QR code encoded to enable inverse conversion of information including; A QR code recognition step (S200) of recognizing the QR code, verifying and storing information included in the QR code by the user terminal (2000); OTP generation step (S300) of generating the OTP by the user terminal (2000) according to a first set of rules based on the seed key and a generation time, which is a time when the user commanded OTP generation; the first computing device 1000; Alternatively, the second computing device 3000 communicating with the first computing device 1000 receives the OTP from the user, and the OTP is received by the first computing device 1000. The input count and the input time are stored, and a temporary creation time corresponding to the generation time is extracted from the inputted OTP according to a preset second rule, and the preset first generation time is extracted based on the seed key and the temporary creation time. a verification OTP generation step (S400) of generating a verification OTP according to a rule set and determining whether the OTP matches the verification OTP; and by the first computing device 1000, if the OTP and the verification OTP match in the verification OTP generation step (S400), the input time is within the limited time from the decrypted temporary generation time, It may include an OTP validity determination step (S500) of determining that the OTP is valid when the number of inputs is less than the limit number.

The method of providing OTP performed by the first computing device 1000 and the user terminal 2000 included in the access control system includes a QR code generation step (S100), a QR code recognition step (S200), and an OTP generation step (S300). ), a verification OTP generation step (S400), and an OTP validity determination step (S500).

The QR code generating step (S100) is performed by the first computing device 1000, and information including the facility code, the seed key, the first computing device information, the limited time, and the limited number of times is generated. It can be encoded and stored in the form of the QR code. When recognizing the QR code, the information may be received by inversely transforming the QR code.

The QR code recognition step (S200) is performed by the user terminal 2000 and recognizes the QR code generated by the first computing device 1000 to store and verify information included in the QR code. can

Specifically, the first computing device 1000 generates a QR code including information necessary for OTP generation, the user can recognize the QR code using the user terminal 2000, and the user terminal ( 2000) may perform an information mutual verification step of verifying the seed key, which is information included in the QR code.

The information mutual verification step may also be performed by the first computing device 1000 . That is, the mutual information verification step may correspond to a step of confirming whether the seed keys of the user terminal 2000 and the first computing device 1000 are the same seed key. Details of the information mutual verification step will be described later.

The OTP generating step (S300) may be performed by the user terminal 2000 or may be performed by the user's OTP generating command. The user's OTP generation command may be activated by pressing an OTP generation button displayed on the screen of the user terminal 2000 .

The OTP may be generated by applying a predetermined first rule set to a generation time that is the time at which the OTP generation command is received and the seed key.

When the OTP is generated, the user may input the OTP displayed on the screen of the user terminal 2000 to the first computing device 1000 . The OTP may correspond to a password for unlocking the locked first computing device 1000 .

The verification OTP generation step (S400) may be performed by the first computing device 1000, is performed when the OTP is received from the user, and corresponds to a step of verifying the received OTP. In the verification OTP generating step (S400), the verification OTP is generated by the first computing device 1000, and the verification OTP and the OTP are compared, and if they match, it is determined that verification has been completed.

The case where the second computing device 3000 receives the OTP from the user in the verification OTP generating step (S400) will be described later.

The OTP validity determination step ( S500 ) may be performed by the first computing device 1000 and may correspond to a step of determining whether the OTP is a valid OTP. The OTP can have a valid time as a One Time Password, and in the present invention, the valid time can be set by setting a limited time for inputting the OTP. In addition, the number of times of input, which is the number of times of unlocking attempts by inputting the OTP, may be stored and compared with the predetermined limited number of times.

That is, in order for the OTP to be determined to be valid, both conditions must be satisfied: that the OTP is input within a limited time from the generation time and that the number of inputs does not exceed the limited number of times.

In another embodiment of the present invention, it is possible to set a limited number of times within a predetermined time. For example, you can set a limit of 5 times within 1 minute.

In order to provide a method for providing the OTP, the first computing device 1000 and the user terminal 2000 may correspond to computing devices including one or more processors and one or more memories, and providing the OTP A computer program having instructions for implementing the method is recorded, and the corresponding method can be performed by executing the computer program in the first computing device 1000 and the user terminal 2000 . Preferably, the computer program may include an application.

That is, the computer program includes QR code generation, QR code recognition, information inverse conversion from QR code, a first rule set, a second rule, a first hash function, and a second hash function for implementing the method of providing the OTP. things can be included.

According to an embodiment of the present invention, the first computing device 1000 and the user terminal 2000 each have a computer program installed and a plurality of preset rules, so that the first computing device 1000 and The user terminals 2000 can generate and verify the OTP without communicating with each other.

2 to 5 correspond to diagrams illustrating a method of providing an OTP performed in an access control system according to an embodiment of the present invention.

The access control system in the present invention can control the doors of places requiring access control, such as companies, public institutions, and government offices, so that only authorized users can gain access.

To maintain the security of the access control system, access to the access control system by a third party other than the person concerned (user) must be prevented. Accordingly, by using the OTP provided by the present invention in the access control system, it is possible to enhance the security of access by a third party.

The access control system may include an access control module 4000, a service server 5000, a camera 6000, a management terminal 7000, and a user terminal 2000.

The service server 5000 may correspond to a server implemented by a computing device including one or more processors and one or more memories, and includes a control server 5100, an access control server 5200, a DB 5300, and an OTP module. can include

The service server 5000 can perform video-based access control and control the ACU board 4100.

Specifically, the control server 5100 may receive an image of a visitor from the camera 6000, compare the image of the visitor in the image with the visitor information registered in the service server 5000, and The ACU board 4100 can be controlled through the control server 5200 to control (control) the door, or the ACU board 4100 can be directly controlled.

The access control server 5200 can register the ACU board 4100 and control (control) the door by controlling the ACU board 4100. In addition, the access control server 5200 may store the access information received from the ACU board 4100 in the DB 5300, and may inquire the access information stored in the DB 5300.

According to an embodiment of the present invention, it is possible to compare the visitor in the image with the visitor information registered in the service server 5000, so that the security manager can check whether the visitor has entered or not normally entered in real time.

One or more access control modules 4000 may be included, and may correspond to a computing device including one or more processors and one or more memories. The access control module 4000 may include an ACU board 4100, a door device 4200 including a reader 4210 and a locking device 4220, and an OTP module, and may be installed at or near the door. there is.

The ACU board 4100 may be connected to the door device 4200 to control the door device 4200.

The reader 4210 can recognize a door access request in various forms such as a card including an employee ID card, a fingerprint, and a number, and can transmit the access request to the ACU board 4100.

Specifically, when the reader 4210 recognizes an access request, the ACU board 4100 transmits the access request to the control server 5100 or the access control server 5200, and the control server 5100 Alternatively, the locking device 4220 may be controlled according to a command of the access control server 5200 .

The locking device 4220 may release the lock of the door according to the command of the ACU board 4100.

The camera 6000 may include one or more. The camera 6000 may correspond to a computing device including one or more processors and one or more memories, and may include an OTP module.

The camera 6000 may be installed near the door where the access control module 4000 is installed to obtain an image of a person entering or exiting the room.

Specifically, the camera 6000 always records an image of the door or the vicinity of the door (preferably, it may correspond to an image that can confirm the identity of a visitor requesting access to the reader 4210 to pass through the door). can do. This can be transmitted to the service server 5000. The transmitted video may be stored in the DB 5300 by the service server 5000.

The camera 6000 may preferably correspond to an IP camera, but it is preferable to interpret it in the broadest sense as a camera capable of acquiring images including IP cameras, WEBCAMs, CCTVs, and the like.

The access control system may include a plurality of access control modules 4000, a service server 5000, and a camera 6000, and the service server 5000 includes a control server 5100 and an access control server 5200. ) may include one or more of them.

According to another embodiment of the present invention, the access control module 4000 may be included in the service server 5000.

The user terminal 2000 may correspond to a terminal used by the user, such as a smartphone or tablet PC, and the management terminal 7000 may correspond to the service server 5000, such as a smartphone, tablet PC, desktop, or laptop computer. It may correspond to a terminal for managing the access control system including the access control module 4000 and the camera 6000.

Each OTP module of the access control module 4000, the service server 5000, and the camera 6000 may implement a method of providing the OTP.

That is, when each of the access control module 4000, the service server 5000, and the camera 6000 includes an OTP module, the user must input an OTP, but the access control module 4000 and the service The server 5000 and the camera 6000 may be accessed.

When accessing the access control module 4000, an interface for changing the settings of the access control module 4000 can be displayed, and when accessing the DB 5300 of the service server 5000, stored images, access records, etc. can be checked, and an interface for changing the settings of the service server 5000 can be displayed. When accessing the camera 6000, an interface for changing the settings of the camera 6000 can be displayed.

According to an embodiment of the present invention, the method of providing the OTP may lock an access to a corresponding computing device and lock each of a plurality of functions (configurations) that the corresponding computing device may perform. For example, in the camera 6000, an OTP must be input to access the setting interface, or an OTP must be input when attempting to change a specific setting by accessing the setting interface of the camera 6000 without OTP input. can do.

The access control module 4000, the service server 5000, and the camera 6000 may correspond to the first computing device 1000 in the present invention, and the management terminal 7000 in the present invention It may correspond to the first computing device 1000 or the second computing device 3000 .

According to the present invention, if it includes an OTP module, it may correspond to the first computing device 1000. Meanwhile, the second computing device 3000 may correspond to a terminal relaying access to the first computing device 1000 . That is, the second computing device 3000 may display the input/output implemented by the first computing device 1000 and the user's input/output.

2 schematically illustrates a case in which an OTP module is included in the management terminal 7000 according to an embodiment of the present invention.

As shown in FIG. 2 , a user can access each of the access control module 4000 , the service server 5000 , and the camera 6000 through a management terminal 7000 . In the embodiment of FIG. 2 , the management terminal 7000 may include an OTP module and may correspond to the first computing device 1000 .

Specifically, the access control module 4000; the service server 5000; and the camera 6000; When the management terminal 7000 is activated to access each, an OTP input window may be displayed on the initial screen of the management terminal 7000 . That is, the management terminal 7000 may be locked by a program that implements an OTP providing method, and thus, the lock may be unlocked by inputting the OTP.

Therefore, in order to activate the management terminal 7000, the user generates an OTP in the user terminal 2000 and inputs the OTP to the management terminal 7000 according to an OTP providing method described later. By doing so, the lock of the management terminal 7000 can be released.

3 schematically illustrates a case in which an OTP module is included in the access control module 4000 according to an embodiment of the present invention.

As shown in FIG. 3 , an OTP module may be included in the access control module 4000 . That is, in the embodiment of FIG. 3 , the access control module 4000 may include an OTP module and thus correspond to the first computing device 1000 .

When the user accesses the access control module 4000 with a computer program such as an application or a web browser through the management terminal 7000 or the user terminal 2000, the management terminal 7000 or the user terminal 2000 The OTP input window may be displayed.

Therefore, the user generates an OTP in the user terminal 2000 according to an OTP providing method described later, and inputs the OTP into the management terminal 7000 or the user terminal 2000 to control the access. The module 4000 may be unlocked.

According to another embodiment of the present invention, the OTP module of the access control module 4000 includes the ACU board 4100, the reader 4210, and the lock device 4220 included in the access control module 4000. One or more of them can be locked, so functions for unlocked configurations can be used without OTP input.

4 schematically illustrates a case in which an OTP module is included in the service server 5000 according to an embodiment of the present invention.

In the embodiment of FIG. 4 , the service server 5000 may include an OTP module and thus correspond to the first computing device 1000 .

4(A) corresponds to a diagram showing a case where the input/output device 8000 is not connected to the service server 5000.

As shown in (A) of FIG. 4, the service server 5000 may include an OTP module.

When the user activates the service server in the computer program to access the service server 5000 with a computer program such as an application or a web browser through the management terminal 7000 or the user terminal 2000, the management An OTP input window may be displayed on the terminal 7000 or the user terminal 2000 .

Therefore, the user generates an OTP in the user terminal 2000 according to an OTP providing method to be described later, inputs the OTP into the management terminal 7000 or the user terminal 2000, and the service server (5000) can be unlocked.

4(B) corresponds to a diagram showing a case where the input/output device 8000 is connected to the service server 5000.

In the present invention, the case where the service server 5000 is connected to the input/output device 8000 is only an example, and the input/output device may be connected to the first computing device.

As shown in (B) of FIG. 4, the service server 5000 may include an OTP module, and an input/output device 8000 may be connected. A user can access the service server 5000 through the input/output device connected to the service server 5000 . The input/output device may correspond to a monitor, keyboard, and mouse.

Specifically, an input/output device may be connected to the service server 5000, and a screen implemented by the service server 5000 may be displayed. An OTP input window may be displayed on the initial screen of the input/output device for accessing the service server 5000 by a program implementing an OTP providing method.

Therefore, in order to access the service server 5000, the user generates an OTP in the user terminal 2000 according to an OTP providing method described later, and inputs and outputs the generated OTP to the service server 5000. By inputting the information into the device 8000, the service server 5000 can be unlocked to access the service server 5000.

According to another embodiment of the present invention, the OTP module of the service server 5000 includes one of the control server 5100, the access control server 5200, and the DB 5300 included in the service server 5000. Since the above can be locked, functions for unlocked configurations can be used without OTP input. For example, functions according to the control server 5100 of the service server 5000 can be accessed by the user only when OTP is input, and functions of other configurations of the service server 5000 do not require the user to input OTP. can access

5 schematically illustrates a case in which an OTP module is included in a camera 6000 according to an embodiment of the present invention.

As shown in FIG. 5 , an OTP module may be included in the camera 6000 . That is, in the embodiment of FIG. 5 , the camera 6000 may include an OTP module and thus correspond to the first computing device 1000 .

When the user accesses the camera 6000 through a computer program such as an application or web browser through the management terminal 7000 or the user terminal 2000, the management terminal 7000 or the user terminal 2000 receives an OTP. An input window may be displayed.

Therefore, the user generates an OTP in the user terminal 2000 according to a method for providing an OTP to be described later, and inputs the OTP to the management terminal 7000 or the user terminal 2000 to obtain the camera ( 6000) can be unlocked.

In the embodiments of FIGS. 2 to 5 , the user accesses the access control module 4000, the service server 5000, and the camera 6000 with a computer program such as an application or a web browser through the user terminal 2000. In the case of accessing each, the user terminal 2000 may correspond to the second computing device 3000, and the user terminal 2000 may perform a method of providing OTP through two program windows. .

That is, in the user terminal 2000, as a window through which the user terminal 2000 accesses the first computing device 1000, the user terminal 2000 has an interface for the first computing device 1000. and a first program window capable of displaying an OTP providing method performed by the first computing device 1000 may be displayed. In the user terminal 2000, as a window for unlocking the first computing device 1000, a second program window capable of displaying the OTP providing method performed in the user terminal 2000 may be displayed.

2 to 5, the user accesses the access control module 4000, the service server 5000, and the camera 6000 with a computer program such as an application or a web browser through the management terminal 7000. In the case of accessing each, the management terminal 7000 may correspond to the second computing device 3000, and it may be necessary to unlock the computer program by a program implementing a method of providing OTP. . Therefore, functions other than the computer program of the management terminal 7000 may not be locked.

That is, the management terminal 7000 can use functions other than those for the locked first computing device 1000 according to each OTP module.

For example, when only the service server 5000 is locked, all functions (entry and exit) of the management terminal 7000 except for functions according to the interface provided by the service server 5000 without inputting OTP. Access to the control module 4000, access to the camera 6000, etc.) can be used.

2 to 5 are examples only, but are not limited thereto. That is, an OTP module may be included in at least one of the management terminal 7000, the access control module 4000, the service server 5000, and the camera 6000.

Meanwhile, the access control system may include a network device (not shown).

The network device (not shown) may correspond to a device that provides a network of the access control system implemented by a computing device including one or more processors and one or more memories, and includes the access control module 4000, the service The server 5000 and the camera 6000 may communicate through a network.

The network device (not shown) may include an OTP module and may correspond to the first computing device 1000 .

When the user accesses the network device (not shown) with a computer program such as an application or a web browser through the management terminal 7000 or the user terminal 2000, the management terminal 7000 or the user terminal 2000 The OTP input window may be displayed.

Therefore, the user generates an OTP in the user terminal 2000 according to an OTP providing method described later, inputs the OTP to the management terminal 7000 or the user terminal 2000, and the network device (not shown) can be unlocked.

The embodiment of FIGS. 2 to 5 is just one example of the access control system, and the access control system may omit some of the components shown in FIGS. 2 to 5 or include additional components not shown in FIGS. It may be provided, or two or more components may be combined.

6 schematically shows a QR code generation step (S100) and a QR code recognition step (S200) according to an embodiment of the present invention.

As shown in FIG. 6 , in the QR code generating step (S100), the facility code of the first computing device 1000 loaded from an installation file by the first computing device 1000; and the first a seed key for the computing device 1000; first computing device information about the first computing device (1000); the OTP input time limit input by the user; And the OTP input limited number of times; can generate a QR code encoded to enable inverse conversion of information including, the QR code recognition step (S200) by the user terminal 2000, recognizing the QR code, Information included in the QR code may be verified and stored.

In the QR code generating step ( S100 ), information including the facility code, the seed key, the first computing device information, the limited time, and the limited number of times may be generated as a QR code.

The installation file may correspond to an installation file of a computer program for performing the OTP providing method, and the installation file may include a facility code and a seed key.

The seed key may be generated by the issuer in the issuer PC, and may be generated based on issuer PC information including the MAC address of the issuer PC and the current time (time at the time of issue). Specifically, the seed key may be generated by the issuer PC The seed key can be generated by inputting issuer PC information and the current time (time at issuance) of the PC into a hash function. Preferably, the hash function may correspond to HMAC whose output value is a 512 bits hash key. The output value may be output in various base numbers such as hexadecimal and binary numbers.

The facility code may correspond to identification information for the first computing device. For example, the first computing device may correspond to the camera, and the facility code may indicate characteristics of the corresponding first computing device, such as 'camera #1'.

The installation file may include a plurality of pairs of the seed key and the facility code. For example, a seed key corresponding to the 'camera #1' and a seed key corresponding to the 'camera #2' may exist, and the above two seed keys may be different from each other.

The first computing device information may include various information about the first computing device 1000, and preferably includes the name of the first computing device and the type of operating system of the first computing device 1000. can do. Also, the first computing device information may be extracted from the corresponding first computing device 1000 or may be input by a user.

The limited time and the limited number of times may be input by the user. The limited time may correspond to a limited time from when the OTP is generated to input, and the limited number of times may correspond to a limit on the number of times the OTP is input and verification fails. Accordingly, the time limit may mean a time period in which the generated OTP is valid.

That is, among the information included in the QR code, the facility code and the seed key may be loaded from the installation file, and the first computing device information may be extracted from the corresponding first computing device 1000 or input by the user. The limited time and the limited number of times may be set by the user.

According to an embodiment of the present invention, a computer program capable of encoding the information into a QR code is installed in the first computing device 1000. The computer program may be included in a computer program installed by the installation file.

In the QR code recognition step (S200), the QR code generated by the first computing device 1000 may be recognized.

Specifically, the user can recognize the QR code displayed on the screen of the first computing device 1000 using the user terminal 2000, reverse convert the QR code, and include the QR code, information such as the facility code, the seed key, the first computing device information, the limited time, and the limited number of times may be received, and if the seed key is verified, the information may be stored.

Verification of the seed key may be performed in a mutual information verification step included in the QR code recognition step (S200). This will be described later.

According to one embodiment of the present invention, although the first computing device itself displays the QR code in some cases, the QR code is transmitted to another computing device (eg, second computing device) connected to the first computing device. Thus, the QR code can be displayed on the corresponding other computing device.

According to another embodiment of the present invention, when another computing device connected to the first computing device corresponds to a user terminal, a QR code may be displayed on the user terminal, and the user terminal, not the camera of the user terminal, The QR code can be recognized by the QR code recognition program of

7 schematically illustrates an information mutual verification step according to an embodiment of the present invention.

As shown in FIG. 7 , the QR code recognition step (S200) includes a mutual information verification step, wherein the information mutual verification step is, by the user terminal 2000, a first OTP generating step of generating a first OTP; The first computing device 1000 or the second computing device 3000 receives the first OTP from the user, the first computing device 1000 verifies the first OTP, and a first OTP verification step of generating a second OTP when 1 OTP is verified; a second OTP verification step of receiving, by the user terminal 2000, the second OTP from the user and verifying the second OTP; and when the 2 OTP is verified in the 2 OTP verification step, the facility code included in the QR code, the seed key, the first computing device 1000 information, and the limited time by the user terminal 2000 And QR code information storage step for storing the limited number of times; including, the first OTP generation step to the second OTP verification step may be repeated a predetermined number of times.

7 illustrates an embodiment in which the second computing device 2000 is not connected to the first computing device 1000 .

Specifically, the information mutual verification step may correspond to steps S120 to S180 in FIG. 7, and each step may be performed by the user terminal 2000 or the first computing device 1000, respectively. This may correspond to a step of verifying whether the seed keys stored in the terminals (the user terminal 2000 and the first computing device 1000) match.

Step S100 may correspond to the QR code generating step (S100), and the aforementioned QR code may be generated by the first computing device 1000.

Step S110 may correspond to the QR code recognition step (S200), and the QR code may be recognized by the user terminal 2000. Accordingly, the user terminal 2000 can receive the seed key.

In step S120, the user terminal 2000 may generate a first OTP for verification. The 1st OTP may be generated by a first set of predetermined rules based on a seed key received by the user terminal 2000 and a first creation time, which is a time at which the user commands generation of the 1st OTP. It may be displayed on the screen of the terminal 2000.

In step S130, the first OTP displayed on the screen of the user terminal 2000 may be input from the user to the manager terminal.

Step S140 may be performed by the first computing device 1000 and may verify the first OTP. Specifically, a first temporary creation time corresponding to the first creation time may be extracted by applying a predetermined second rule to the first OTP input from the user, and the seed key stored in the manager terminal and the A first verification OTP may be generated by applying the first rule set at a first temporary generation time, and if the first OTP and the first verification OTP match, it may be determined that the first OTP is verified.

In step S150, when the first OTP is verified, it may be performed by the manager terminal, and a second OTP may be generated. Specifically, the second OTP may be generated by a first rule set preset based on a seed key stored in the manager terminal and a second generation time, which is a time to generate the second OTP.

In step S160, the 2 OTP displayed on the screen of the first computing device 1000 may be input to the user terminal 2000 from the user.

Step S170 may be performed by the user terminal 2000 and may verify the second OTP. Specifically, a second provisional creation time corresponding to the second creation time may be extracted by applying a predetermined second rule to the second OTP input from the user, and the seed key received by the user terminal 2000. and a second verification OTP may be generated by applying the first rule set at the second temporary generation time, and if the second OTP and the second verification OTP match, it may be determined that the second OTP is verified.

In step S180, when the second OTP is verified, the seed key received by the user terminal 2000, the facility code, the first computing device information, the limited time, and the limited number of times may be stored.

Steps S120 to S170 may be repeated a predetermined number of times.

The stored facility code, the first computing device information, the limited time, and the limited number of times may be displayed in the user terminal 2000 when an OTP for the corresponding first computing device 1000 is generated. Also, the facility code, the first computing device information, the limited time, and the limited number of times may be displayed on the lock screen of the first computing device 1000 .

For example, in the first computing device 1000, a lock screen may be initially displayed, and the facility code, the first computing device information, the limited time, and the limited number of times may be displayed on the lock screen. . The user can check the facility code and the first computing device information displayed on the lock screen, and generate an OTP from the screen displaying the facility code and the first computing device information in the user terminal. , The OTP may be generated by a corresponding facility code and a corresponding seed key for the corresponding first computing device information.

According to an embodiment of the present invention, since the facility code and the first computing device information are stored in the user terminal 2000, each of the plurality of first computing devices 1000 can be easily distinguished and an OTP for each can be obtained. effects that can be produced.

8 schematically shows an information mutual verification step according to an embodiment of the present invention.

8 illustrates an embodiment in which the second computing device 2000 is connected to the first computing device 1000 . When the second computing device 2000 is connected to the first computing device 1000, the second computing device may display things implemented by the first computing device.

Steps S1000, S1300, S1600, S1700, S2000, and S2100 of FIG. 8 may be the same as steps S100, S120, S140, S150, S170, and S180 of FIG. 7, respectively, and the differences between FIGS. 7 and 8 will be described later. let it do

In step S1100, the QR code generated by the first computing device may be displayed on the second computing device connected to the first computing device.

In step S1200, the user may recognize the QR code displayed on the second computing device using the user terminal.

In step S1400, the user may input the first OTP generated by the user terminal to the second computing device.

In step S1500, the second computing device may transmit the first OTP input to the first computing device.

In step S1800, the second OTP generated by the first computing device may be displayed on the second computing device connected to the first computing device.

In step S1200, the user may input the second OTP displayed on the second computing device to the user terminal.

9 schematically shows an OTP generating step (S300) according to an embodiment of the present invention.

As shown in FIG. 9 , in the OTP generation step (S300), a first rule set preset by the user terminal 2000 based on the seed key and the generation time, which is the time when the user commands the OTP generation, is set. The OTP can be generated by

The OTP generation step ( S300 ) may be performed by the user terminal 2000 and may correspond to a step of generating an OTP for unlocking the locked first computing device 1000 . The user may command the user terminal 2000 to generate the OTP, and the user terminal 2000 may include a generation time according to the command; And a seed key received as the QR code and stored in the user terminal 2000; it is possible to generate an OTP based on.

Specifically, the OTP may be generated by applying a preset first rule set to the generation time and the seed key. The preset first rule set will be described later.

The OTP may be newly generated every predetermined time and displayed on the user terminal 2000 .

The preset time may correspond to the limited time.

10 schematically illustrates a verification OTP generation step (S400) according to an embodiment of the present invention.

10 illustrates an embodiment in which the second computing device 2000 is not connected to the first computing device 1000.

As shown in FIG. 10, in the verification OTP generating step (S400), the OTP is received from the user by the first computing device 1000, and the number of times the OTP is received and the input time are stored, , extracts a temporary creation time corresponding to the creation time from the received OTP by a preset second rule, and generates a verification OTP by the preset first rule set based on the seed key and the temporary creation time Thus, it can be determined whether the OTP matches the verification OTP.

10(A) corresponds to a diagram showing the number of inputs and the input time.

In the verification OTP generation step (S400), when the OTP is received from the user, the number of input times and the input time for the OTP can be stored, and a verification OTP can be generated and verified by comparing with the OTP.

Specifically, the OTP generated by the user terminal 2000 may be displayed on the screen of the user terminal 2000 and may be input to the first computing device 1000 by the user.

When receiving the OTP, the first computing device 1000 may store the input time and number of inputs of the OTP. The input count may be reset when the lock is released. That is, if verification of the input OTP fails, the number of times may be increased.

10 (B) corresponds to a diagram illustrating a process of generating a verification OTP.

The first computing device 1000 may extract the temporary creation time by applying a preset second rule to the OTP. The temporary generation time may correspond to the generation period used when generating the OTP.

When generating the OTP, a temporary creation time based on the generation time may be derived. Therefore, when the OTP is decrypted according to the second predetermined rule, the temporary creation time can be extracted. Details of the preset second rule for extracting the temporary creation time from the OTP will be described later.

Subsequently, the first computing device 1000 may generate the verification OTP by applying the preset first rule set to the seed key stored in the first computing device 1000 and the temporary generation time.

The OTP was generated based on the seed key stored in the user terminal 2000 and the generation time, and the verification OTP was generated based on the seed key stored in the first computing device 1000 and the generation time. Since it is generated based on the temporary generation time corresponding to the time, when the seed key stored in the user terminal 2000 and the seed key stored in the first computing device 1000 match, the OTP and the Verification OTP can be matched.

In the verification OTP generating step (S400), if the OTP and the verification OTP match, it can be determined as verification success, and if the OTP and the verification OTP match, verification failure is determined, and the input count is reset. may not

According to an embodiment of the present invention, since the temporary creation time corresponding to the generation time used when generating the OTP is calculated from the OTP, the time in the first computing device 1000 is the actual current time or the user terminal 2000 ), the effect of verifying the OTP can be exerted even if it does not coincide with the time of .

11 schematically illustrates a verification OTP generation step (S400) according to an embodiment of the present invention.

11 illustrates an embodiment in which the second computing device 2000 is connected to the first computing device 1000. When the second computing device 2000 is connected to the first computing device 1000, the second computing device may display things implemented by the first computing device.

Accordingly, the OTP generated by the user terminal 2000 may be displayed on the screen of the user terminal 2000 and may be input to the second computing device 2000 by the user.

The second computing device 2000 may transmit the received OTP to the first computing device.

Upon receiving the OTP, the first computing device 1000 may store the input time and number of inputs of the OTP. The input count may be reset when the lock is released. That is, if verification of the input OTP fails, the number of times may be increased.

12 schematically illustrates an OTP validity determination step (S500) according to an embodiment of the present invention.

As shown in FIG. 12, in the OTP validity determination step (S500), when the OTP and the verification OTP match in the verification OTP generation step (S400) by the first computing device 1000, the When the input time falls within the limited time from the decoded temporary creation time and the number of times of input is less than the limited number of times, it is determined that the OTP is valid and the lock of the first computing device 1000 is unlocked.

(A) of FIG. 12 corresponds to a diagram showing a criterion for input time.

In the present invention, in order to enhance the security of the OTP, a time limit for inputting the corresponding OTP may be set, and a limit for the number of attempts to unlock the first computing device 1000 may be set.

The OTP validity determination step (S500) may correspond to a step of determining whether the OTP is valid, and may include two criteria for determining whether the OTP is valid.

The first criterion is the criterion for the time limit, and since the time limit is the time from generating the OTP to inputting it, the first criterion is that the input time is a decrypted temporary corresponding to the generation time from the OTP. It corresponds to whether it is within the above limited time from the creation time.

That is, if the temporary creation time is decoded, the creation time can be derived.

(B) of FIG. 12 corresponds to a diagram showing a criterion for the number of inputs.

The second criterion is the criterion for the limited number of times, and the second criterion corresponds to whether the number of inputs stored in the verification OTP generating step (S400) is less than the limited number of times.

When it is determined that the OTP is valid, both of the above two criteria are met, the input time falls within the limited time from the temporary creation time, and the number of inputs is less than the limited number of times, and the OTP is determined to be valid If so, the first computing device 1000 may release the lock.

According to an embodiment of the present invention, when the number of times of input is greater than or equal to the limit, it may be impossible to input OTP to the first computing device 1000 for a predetermined time period.

13 to 17, the preset first rule set includes a plurality of rules, and a rule for deriving the temporary creation time from the creation time includes tens of minutes and seconds, respectively, of the creation time. Corresponds to the rule of deriving the temporary generation time by calculating the remainder of dividing the number of digits and the number of ones digits by 8, binarizing each of the remainders into 3 bits and arranging them in order, and the seed key and the The rule for generating the OTP or the verification OTP at the temporary generation time is to input the seed key to the first hash function to generate the binaryized seed key in order to derive the temporary OTP having 64 bits, and to generate the binaryized seed key. 52 digit numbers corresponding to bits of 1 are extracted from the front of the binary seed key, the seed key and the generation time are input to a second hash function to generate a binary temporary key, and the temporary key extracts bit values corresponding to the digit order in order, arranges the bit values in order in 52 digits excluding the preset 12 digits among the 64-bit digits of the temporary OTP, and sets the temporary generation time to the preset The temporary OTP having 64 bits is derived by arranging 12 digits in order, and the temporary OTP is sequentially decomposed into binary numbers having 8 bits each of 8 digits from the front, and 8 for each of the binary numbers having 8 bits. It may correspond to a rule for deriving the OTP or verification OTP arranged in order by calculating the remainder divided by .

The preset first rule set includes a plurality of rules, and when each rule is applied, the OTP and the verification OTP can be derived from the seed key and the generation time. That is, in the OTP generating step (S300) and the verification OTP generating step (S400), detailed steps may be performed by applying each rule of the preset first rule set. The preset first rule set may be stored in the user terminal 2000 and the first computing device 1000 .

13 schematically illustrates a rule for deriving a temporary creation time from a creation time among a first preset rule set according to an embodiment of the present invention.

The generation time may include year, month, day, hour, minute, and second, which are the date and time when the OTP is commanded to be generated. In the rule for deriving the temporary creation time from the creation time, only minutes and seconds can be used in the creation time.

Each of the minutes and seconds of the creation time includes a number corresponding to the tens digit and the ones digit, and each of them can be derived as a part of the temporary creation time.

Specifically, each of the tens digit, the tens digit, the tens digit, and the tens digit of the second may be processed by Mod8 (a function that calculates the remainder divided by 8), and the result for Mod8 The value can be binarized to 3 bits. The temporary generation time can be derived by arranging each of the result values binarized into the 3 bits in order.

That is, the remainder of dividing the tens place of the minute by 8 is calculated, and the resulting value is binarized with 3 bits to obtain the first (A1), second (A2), It can be placed in the third (A3).

The remainder of division by 8 is calculated for the unit digit of the minute, and the resulting value is binarized with 3 bits, and the fourth (A4), fifth (A5), and sixth of the 12 bits of the temporary creation time are calculated. It can be placed in (A6).

The remainder of division by 8 is calculated for the tens digit of the second, and the resulting value is binarized with 3 bits, and the seventh (A7), eighth (A8), and ninth ( A9) can be placed.

Calculate the remainder of dividing the unit digit of the second by 8, and convert the resulting value into a 3-bit binary number to obtain the 10th (A10), 11th (A11), and 12th ( A12) can be placed.

Accordingly, the temporary generation time may correspond to a binary number having 12 bits.

14 schematically illustrates a rule for deriving a digit sequence from a seed key among a first preset rule set according to an embodiment of the present invention.

In order to generate the OTP, a digit sequence number may be calculated from the seed key.

Specifically, the seed key may be input to a first hash function, and may be output after being binarized by the first hash function.

The first hash function can be configured by combining a plurality of hash functions, so that even if the form of the input value is diverse, the output value can be output in binary. The first hash function may preferably include HMAC_SHA512.

The binaryized seed key may have a plurality of bits, and as an embodiment of the present invention, FIG. 14 shows a binaryized seed key having 512 bits.

In FIG. 14, the digit order of the bit value corresponding to 1 among the plurality of bits of the binaryized seed key is 52, including the 1st, 4th, 5th, 9th, 12th, and 512th. can be calculated for

That is, the digit order may mean the order of bits corresponding to 1 among the bits of the binaryized seed key extracted from the front, and may include 52 bits.

In FIG. 14, the binaryized seed key having 512 bits is only an example, but is not limited thereto.

The digit order shown in FIG. 14 is only an example, and is not limited thereto.

15 schematically illustrates rules for arranging temporary keys based on digit order among a first preset rule set according to an embodiment of the present invention.

A bit value extracted from the temporary key based on the digit order corresponds to a part of the temporary OTP.

As a result, the temporary OTP may correspond to a binary number having 64 bits, and 52 bits of the 64 bits may be composed of bit values extracted from the temporary key.

Specifically, the seed key and the generation time may be input to a second hash function, and may be output as a temporary key by the second hash function. The implication may correspond to a binary number.

The second hash function can be configured by combining a plurality of hash functions, so that the output value can be output in binary even if the form of the input value is diverse. The second hash function may preferably include HMAC_SHA512. Also, the first hash function and the second hash function may be the same.

Among the plurality of bits of the temporary key, the bit values of the bits corresponding to the digit order are sequentially extracted, and the extracted 52 bit values are stored in 52 digits excluding the preset 12 digits among the 64-bit digits of the temporary OTP. They can be placed in any order.

15 as an example, the above-described rule is as follows. 15 shows a temporary key corresponding to a binary number having 512 bits.

In FIG. 15, when a bit value corresponding to the digit order is extracted from a plurality of bits of the temporary key, it can be shown as shown in A of FIG.

That is, from the plurality of bits of the temporary key, bit values corresponding to 52 positions including the 1st, 4th, 5th, 9th, 12th, and 512th position numbers shown in FIG. 14 are extracted. can

The temporary OTP is a binary number having 64 bits, and the 64 bits should be displayed in a row. However, B in FIG. 15 corresponds to rearranging the incomplete temporary OTP by 8 bits from the front for convenience of explanation. do. Each cell of B corresponds to a bit of the temporary OTP, and 64 bits of the incomplete temporary OTP are shown as a total of 64 cells. In addition, the shaded part in B means the preset 12 digits.

Accordingly, the portions marked B1 to B52 without shading in B correspond to sequential arrangement of the bit values of A.

16 schematically illustrates rules for arranging temporary creation times based on preset 12 digits among preset first rule sets according to an embodiment of the present invention.

After arranging the bit value corresponding to the digit order among the plurality of bits of the temporary key in 52 digits among the 64-bit digits of the temporary OTP, the bits of the temporary generation time are sequentially arranged in the remaining 12 preset digits. A temporary OTP can be derived.

Specifically, the temporary generation time corresponds to a binary number composed of 12 bits, and 12 bits among 64 bits of the temporary OTP correspond to the preset 12 digits. Accordingly, in order to derive the temporary OTP, each of the 12 bits may be sequentially arranged in the preset 12 digits.

The temporary OTP of FIG. 16 can be derived by arranging A1 to A12, which are bits of the temporary generation time, in order in the shaded portion in B (unfinished temporary OTP) of FIG. 15 .

The temporary OTP is a binary number having 64 bits, and the 64 bits should be displayed in a row. . Each cell of B corresponds to a bit of the temporary OTP, and 64 bits of the temporary OTP are shown as a total of 64 cells.

That is, the 1st to 8th bits of the temporary OTP correspond to B1, B2, B3, B4, B5, A1, B6, and A2 in FIG. 16, and the 9th to 16th bits of the temporary OTP are shown in FIG. B7, B8, B9, B10, B11, A3, B12, and B13 correspond to, and the 17th to 24th bits of the temporary OTP are B14, B15, B16, B17, B18, A4, B19, and A5 in FIG. , the 25th to 32nd bits of the temporary OTP correspond to B20, B21, B22, B23, B24, A6, B25, and B26 in FIG. 16, and the 33rd to 40th bits of the temporary OTP are 16 corresponds to B27, B28, B29, B30, B31, A7, B32, and A8, and the 41st to 48th bits of the temporary OTP are B33, B34, B35, B36, B37, A9, B38, and B39, and the 49th to 56th bits of the temporary OTP correspond to B40, B41, B42, B43, B44, A10, B45, and A11 in FIG. 16, and the 57th to 64th bits of the temporary OTP. corresponds to B46, B47, B48, B49, B50, A12, B51, and B52 in FIG. 16 .

The preset 12 digits of the temporary OTP may mean a preset 12 digit sequence number.

17 schematically illustrates rules for deriving an OTP or verification OTP from a temporary OTP among a first preset rule set according to an embodiment of the present invention.

OTP or verification OTP can be derived from the temporary OTP.

Specifically, if the temporary OTP is decomposed in units of 8 bits from the beginning, since the temporary OTP corresponds to 64 bits, a binary number having eight 8 bits can be derived. If the 8 binary numbers having 8 bits are input to the Mod8 function, the remainder of dividing the binary number having 8 bits by 8 can be calculated, and the 8-digit number in which each of the remainders are arranged in order is OTP or verification OTP. can be derived with

Accordingly, the number corresponding to the OTP or the verification OTP may correspond to 0 to 7.

In another embodiment of the present invention, each of the others may be arranged in a predetermined order.

A in FIG. 17 corresponds to the eight 8-bit binary numbers obtained by decomposing the temporary OTP. The eight 8-bit binary numbers are arranged in order.

Therefore, B1, B2, B3, B4, B5, A1, B6, and A2 are placed in the first number of OTP or verification OTP, and the remainder after dividing by 8 is the binary number having 8 bits corresponding to B7. , B8, B9, B10, B11, A3, B12, and B13, the remainder of division by 8 of the binary number with 8 bits corresponding to OTP or verification OTP is placed in the second number, B14, B15, B16, B17, The remainder of division by 8 of the binary number with 8 bits corresponding to B18, A4, B19, and A5 is placed in the third number of OTP or verification OTP, and B20, B21, B22, B23, B24, A6, B25, and The remainder of division by 8 of the binary number with 8 bits corresponding to B26 is placed in the 4th number of OTP or verification OTP, and 8 bits corresponding to B27, B28, B29, B30, B31, A7, B32, and A8 The remainder of division by 8 of the binary number is placed in the 5th digit of the OTP or verification OTP, and is divided by 8 of the binary number with 8 bits corresponding to B33, B34, B35, B36, B37, A9, B38, and B39. The remainder is placed in the 6th digit of the OTP or verification OTP, and the remainder divided by 8 of the binary number with 8 bits corresponding to B40, B41, B42, B43, B44, A10, B45, and A11 is the OTP or verification OTP. It is placed in the 7th number, and the remainder after dividing by 8 of the binary number with 8 bits corresponding to B46, B47, B48, B49, B50, A12, B51, and B52 is placed in the 8th number of OTP or verification OTP.

That is, each value obtained by decimalizing the part corresponding to B in FIG. 17 may correspond to each 8-digit number in order of OTP or verification OTP.

The OTP of FIG. 17 may mean all OTPs generated in the present invention. That is, the first OTP, the second OTP, the OTP, and the verification OTP may be generated according to the above-described first rule set.

As shown in FIGS. 18 to 19, the preset second rule converts the numbers of the OTP into binary numbers each having 8 bits from the front and arranges them in order, and sets the bit values in the preset 12 digits in order. It may correspond to a rule for deriving the temporary generation time by extracting the extracted 12 bit values as described above and sequentially decomposing the extracted 12 bit values by 3 digits.

The OTP was generated by the first preset rule set, and accordingly, when the OTP is decoded, the bit values of the temporary generation time are arranged at a predetermined position (preset 12 digits in the preset first rule set). may have been

Accordingly, when the preset second rule is applied to the OTP, the temporary generation time can be derived.

FIG. 18 schematically illustrates conversion of OTP numbers into binary numbers among preset second rules according to an embodiment of the present invention.

Each of the 8 numbers constituting the OTP may be converted into a binary number having 8 bits, and may be arranged in order. Since the numbers constituting the OTP correspond to 0 to 7, the 1st to 5th bit values of the 8-bit binary number may correspond to 0.

That is, the 1st number constituting OTP is a binary number with the first 8 bits, the 2nd number constituting OTP is a binary number with 2nd 8 bits, and the 2nd number constituting OTP is a binary number with 2nd 8 bits. , the 3rd number constituting OTP is a binary number having the third 8 bits, the 4th number constituting OTP is a binary number having the 4th 8 bits, and the 5th number constituting OTP is It is a binary number with the 5th 8 bits, the 6th number constituting the OTP is a binary number with the 6th 8 bits, the 7th number constituting the OTP is a binary number with the 7th 8 bits, You can place the 8th number as a binary number with the 8th 8 bits. A of FIG. 18 represents this.

According to an embodiment of the present invention, the digit order of the 1st bit of the binary number having the 1st 8 bits may be set to 1, and the digit order of the 8th bit of the binary number having the 8th 8 bits may be set to 64. .

In another embodiment of the present invention, each of the eight numbers constituting the OTP may be converted into a binary number having 8 bits, and a binary number having 64 bits may be derived by combining them in order.

19 schematically illustrates derivation of temporary creation time among preset second rules according to an embodiment of the present invention.

The numbers of the OTP can be converted to binary numbers each having 8 bits from the front, and bit values can be sequentially extracted (B) from 12 digits (shading) preset in the batch (A), and the preset 12 If the 12 bit values extracted from the digits are sequentially decomposed into 3 digits, they can be decomposed into 4 binary numbers, which may correspond to the temporary generation time.

That is, the order in the preset 12 digits may be determined based on the order from the leftmost bit of the binary number having the first 8 bits to the rightmost bit of the binary number having the eighth 8 bits.

The preset 12 digits in the second rule in the present invention may be the same as the preset 12 digits in the first rule set.

According to one embodiment of the present invention, the digit order of the 1st bit of the binary number having the 1st 8 bits is given as 1, and the digit order of the 8th bit of the binary number having the 8th 8 bits is given as 64 in order. and 12 preset digits can be derived according to the digit order of the bits.

In another embodiment of the present invention, it is possible to derive the preset 12 digits by converting each of the 8 numbers constituting the OTP into a binary number having 8 bits and deriving a binary number having 64 bits by summing them in order. there is.

20 schematically illustrates a first module and a second module according to an embodiment of the present invention.

20 may correspond to a diagram showing an OTP module of the service server.

As shown in FIG. 20, the first computing device 1000 includes an OTP module including a first module and a second module, and each of the first module and the second module performs the QR code generating step ( S100), an OTP providing unit that performs the verification OTP generation step (S400) and the OTP validity determination step (S500); And a management unit for detecting other modules; including, wherein the OTP providing unit of a specific module among the first module and the second module performs the QR code generation step (S100), the verification OTP generation step (S400), and the OTP validity During the determination step (S500), if the OTP providing unit of the specific module is forcedly terminated, the forced termination is detected by the management unit of another module, and the QR code generating step by the OTP providing unit of the other module. (S100), the verification OTP generation step (S400) and the OTP validity determination step (S500) can be performed subsequently.

20(A) corresponds to a diagram showing the configuration of the first module 5410 and the second module 5420.

The first computing device 1000 includes a computer program in which instructions are recorded to perform the OTP providing method of the present invention, and the computer program includes the first module 5410 and the second module ( 5420) can be implemented by an OTP module.

Each of the first module 5410 and the second module 5420 may include an OTP providing unit 5411 or 5421 and a management unit 5412 or 5422 . The OTP providing unit (5411 or 5421) may perform the QR code generation step (S100), the verification OTP generation step (S400) and the OTP validity determination step (S500), and the management unit (5412 or 5422) Other modules can be detected.

That is, the management unit 5412 of the first module 5410 can sense the operation of the second module 5420, and the management unit 5422 of the second module 5420 can detect the operation of the first module 5410. motion can be detected.

20(B) corresponds to a diagram illustrating operations of the first module 5410 and the second module 5420.

One of the attempts to forcibly release the lock of the first computing device 1000 may include a method of forcibly terminating the computer program that performs the method of providing the OTP of the first computing device 1000 . In the present invention, in order to prevent the above-described method, a method of providing the OTP may be implemented with a plurality of modules capable of performing the same operation.

That is, the method of providing the OTP may be performed by one of the OTP providing unit of the first module 5410 and the OTP providing unit of the second module 5420 .

The QR code generation step (S100) for the method of providing the OTP in the OTP providing unit of a specific module among the OTP providing unit of the first module 5410 and the OTP providing unit of the second module 5420, the verification During the OTP generation step (S400) and the OTP validity determination step (S500), if the OTP providing unit of the specific module is forcibly terminated due to various external or internal problems, the management unit of the other module detects the forced termination. can do.

The management unit of the other module that detects the forced termination may command the operation of the OTP providing unit of the other module, and accordingly, the OTP providing unit of the other module generates the QR code for the method of providing the OTP ( S100), the verification OTP generation step (S400), and the OTP validity determination step (S500) can be performed subsequently.

Further, according to an embodiment of the present invention, the management unit of the other module may command an operation of the management unit of the specific module, so that an effect of preparing for a case in which the other module is forcibly terminated can be exerted.

Meanwhile, the above-described items may also be applied to the OTP module of the management terminal, the OTP module of the access control module, the OTP module of the service server, and the OTP module of the camera included in the access control system. That is, each OTP module described above may include both the first module and the second module.

21 schematically illustrates the internal configuration of a computing device according to an embodiment of the present invention.

The above-described service server, the management terminal, the access control module, and the first computing device 1000 including the camera, the second computing device, and the user terminal 2000 are the computing device 11000 shown in FIG. may contain components of

As shown in FIG. 21, a computing device 11000 includes at least one processor 11100, a memory 11200, a peripheral interface 11300, an input/output subsystem ( I/O subsystem 11400, a power circuit 11500, and a communication circuit 11600 may be included at least. In this case, the computing device 11000 may correspond to the first computing device 1000, the second computing device, and the user terminal 2000 shown in FIGS. 2 to 5 .

The memory 11200 may include, for example, high-speed random access memory, magnetic disk, SRAM, DRAM, ROM, flash memory, or non-volatile memory. . The memory 11200 may include a software module, a command set, or other various data necessary for the operation of the computing device 11000.

In this case, access to the memory 11200 from other components, such as the processor 11100 or the peripheral device interface 11300, may be controlled by the processor 11100.

Peripheral interface 11300 may couple input and/or output peripherals of computing device 11000 to processor 11100 and memory 11200 . The processor 11100 may execute various functions for the computing device 11000 and process data by executing software modules or command sets stored in the memory 11200 .

The input/output subsystem can couple various input/output peripherals to peripheral interface 11300. For example, the input/output subsystem may include a controller for coupling a peripheral device such as a monitor, keyboard, mouse, printer, or touch screen or sensor to the peripheral device interface 11300 as needed. According to another aspect, input/output peripherals may be coupled to the peripheral interface 11300 without going through the input/output subsystem.

The power circuit 11500 may supply power to all or some of the terminal's components. For example, power circuit 11500 may include a power management system, one or more power sources such as a battery or alternating current (AC), a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator or power It may contain any other components for creation, management and distribution.

The communication circuit 11600 may enable communication with another computing device using at least one external port.

Alternatively, as described above, the communication circuit 11600 may include an RF circuit and transmit/receive an RF signal, also known as an electromagnetic signal, to enable communication with other computing devices.

The embodiment of FIG. 21 is just one example of the computing device 11000, and the computing device 11000 may omit some components shown in FIG. 21, further include additional components not shown in FIG. 21, or 2 It may have a configuration or arrangement combining two or more components. For example, a computing device for a communication terminal in a mobile environment may further include a touch screen or a sensor in addition to the components shown in FIG. , Bluetooth, NFC, Zigbee, etc.) may include a circuit for RF communication. Components that may be included in the computing device 11000 may be implemented as hardware including one or more signal processing or application-specific integrated circuits, software, or a combination of both hardware and software.

Methods according to embodiments of the present invention may be implemented in the form of program instructions that can be executed through various computing devices and recorded in computer readable media. In particular, the program according to the present embodiment may be configured as a PC-based program or a mobile terminal-only application. An application to which the present invention is applied may be installed in one of the first computing device 1000, the second computing device, and the user terminal 2000 through a file provided by the file distribution system. For example, the file distribution system may include a file transmission unit (not shown) that transmits the file according to a request from one of the first computing device 1000, the second computing device, and the user terminal 2000.

The device described above may be implemented as a hardware component, a software component, and/or a combination of hardware components and software components. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA) , a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. A processing device may run an operating system (OS) and one or more software applications running on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of software. For convenience of understanding, there are cases in which one processing device is used, but those skilled in the art will understand that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that it can include. For example, a processing device may include a plurality of processors or a processor and a controller. Other processing configurations are also possible, such as parallel processors.

Software may include a computer program, code, instructions, or a combination of one or more of the foregoing, which configures a processing device to operate as desired or processes independently or collectively. The device can be commanded. Software and/or data may be any tangible machine, component, physical device, virtual equipment, computer storage medium or device, intended to be interpreted by or to provide instructions or data to a processing device. , or may be permanently or temporarily embodied in a transmitted signal wave. Software may be distributed on networked computing devices and stored or executed in a distributed manner. Software and data may be stored on one or more computer readable media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. Program commands recorded on the medium may be specially designed and configured for the embodiment or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. - includes hardware devices specially configured to store and execute program instructions, such as magneto-optical media, and ROM, RAM, flash memory, and the like. Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter, as well as machine language codes such as those produced by a compiler. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

According to an embodiment of the present invention, since the first computing device loads information and installation files for generating OTP, the first computing device can provide an OTP providing method without a separate network environment. can

According to an embodiment of the present invention, since the first computing device and the user terminal generate and verify the OTP by the same algorithm, it is possible to achieve an effect of not needing to communicate with each other.

According to one embodiment of the present invention, since the OTP is generated in the user terminal, an effect that does not require a separate OTP generating device can be exerted.

According to an embodiment of the present invention, since the temporary creation time corresponding to the generation time used when generating the OTP is calculated from the OTP, the time in the first computing device does not match the actual current time or the time of the user terminal. Even if it is not, it can exert the effect of verifying the OTP.

According to one embodiment of the present invention, the OTP module may be implemented as a first module and a second module, the first module and the second module detect each other, and the first module and the second module Since other modules operate when a specific module among the modules is forcibly terminated, an attempt to unlock the lock by forcibly manipulating the OTP module of the first computing device can be prevented, thereby enhancing security.

According to an embodiment of the present invention, since an OTP is generated based on a seed key stored in each of the user terminal and the first computing device, and an information mutual verification step of verifying each other is performed, the user terminal and the first computing device perform an information mutual verification step. It can exert an effect of confirming whether the seed key stored in the computing device matches.

According to an embodiment of the present invention, since the facility code and the first computing device information are stored in the user terminal, it is possible to easily distinguish each of a plurality of first computing devices and generate an OTP for each one. can exert

As described above, although the embodiments have been described with limited examples and drawings, those skilled in the art can make various modifications and variations from the above description. For example, the described techniques may be performed in an order different from the method described, and/or components of the described system, structure, device, circuit, etc. may be combined or combined in a different form than the method described, or other components may be used. Or even if it is replaced or substituted by equivalents, appropriate results can be achieved.

Therefore, other implementations, other embodiments, and equivalents of the claims are within the scope of the following claims.

Claims (9)

As a method of providing an OTP performed by a first computing device including an access control module of an access control system and a user terminal,
a facility code of the first computing device loaded from an installation file by the first computing device; and a seed key for the first computing device; first computing device information about the first computing device; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step of generating a QR code encoded to enable inverse conversion of information including;
A QR code recognition step of recognizing the QR code, and verifying and storing information included in the QR code by the user terminal;
an OTP generating step of generating, by the user terminal, the OTP according to a first rule set based on the seed key and a generation time, which is a time at which the user commands generation of the OTP;
the first computing device; or a second computing device that communicates with the first computing device; receives the OTP from the user, and stores the input count and input time of the OTP input by the first computing device; A temporary creation time corresponding to the creation time is extracted from the inputted OTP according to a second preset rule, and a verification OTP is generated according to the preset first rule set based on the seed key and the temporary creation time. , a verification OTP generation step of determining whether the OTP coincides with the verification OTP; and
By the first computing device, when the OTP and the verification OTP match in the verification OTP generation step, the input time falls within the limited time from the decrypted temporary generation time, and the number of inputs is less than the limited number of times. In this case, an OTP validity determination step of determining that the OTP is valid;
The first computing device includes an OTP module including a first module and a second module,
Each of the first module and the second module includes an OTP providing unit that performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step; And a management unit for detecting other modules;
While the OTP providing unit of a specific module among the first module and the second module performs the QR code generating step, the verification OTP generating step, and the OTP validity determining step, the OTP providing unit of the specific module is forcibly terminated In this case, the forced termination is detected by the management unit of the other module, and the QR code generation step, the verification OTP generation step, and the OTP validity determination step are subsequently performed by the OTP providing unit of the other module to provide an OTP method.
As a method of providing OTP performed by a first computing device including a management terminal of an access control system and a user terminal,
a facility code of the first computing device loaded from an installation file by the first computing device; and a seed key for the first computing device; first computing device information about the first computing device; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step of generating a QR code encoded to enable inverse conversion of information including;
A QR code recognition step of recognizing the QR code, and verifying and storing information included in the QR code by the user terminal;
an OTP generating step of generating, by the user terminal, the OTP according to a first rule set based on the seed key and a generation time, which is a time at which the user commands generation of the OTP;
the first computing device; or a second computing device that communicates with the first computing device; receives the OTP from the user, and stores the input count and input time of the OTP input by the first computing device; A temporary creation time corresponding to the creation time is extracted from the inputted OTP according to a second preset rule, and a verification OTP is generated according to the preset first rule set based on the seed key and the temporary creation time. , a verification OTP generation step of determining whether the OTP coincides with the verification OTP; and
By the first computing device, when the OTP and the verification OTP match in the verification OTP generation step, the input time falls within the limited time from the decrypted temporary generation time, and the number of inputs is less than the limited number of times. In this case, an OTP validity determination step of determining that the OTP is valid;
The first computing device includes an OTP module including a first module and a second module,
Each of the first module and the second module includes an OTP providing unit that performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step; And a management unit for detecting other modules;
While the OTP providing unit of a specific module among the first module and the second module performs the QR code generating step, the verification OTP generating step, and the OTP validity determining step, the OTP providing unit of the specific module is forcibly terminated In this case, the forced termination is detected by the management unit of the other module, and the QR code generation step, the verification OTP generation step, and the OTP validity determination step are subsequently performed by the OTP providing unit of the other module to provide an OTP method.
A method of providing an OTP performed by a first computing device including a service server of an access control system and a user terminal,
a facility code of the first computing device loaded from an installation file by the first computing device; and a seed key for the first computing device; first computing device information about the first computing device; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step of generating a QR code encoded to enable inverse conversion of information including;
A QR code recognition step of recognizing the QR code, and verifying and storing information included in the QR code by the user terminal;
an OTP generating step of generating, by the user terminal, the OTP according to a first rule set based on the seed key and a generation time, which is a time at which the user commands generation of the OTP;
the first computing device; or a second computing device that communicates with the first computing device; receives the OTP from the user, and stores the input count and input time of the OTP input by the first computing device; A temporary creation time corresponding to the creation time is extracted from the inputted OTP according to a second preset rule, and a verification OTP is generated according to the preset first rule set based on the seed key and the temporary creation time. , a verification OTP generation step of determining whether the OTP coincides with the verification OTP; and
By the first computing device, when the OTP and the verification OTP match in the verification OTP generation step, the input time falls within the limited time from the decrypted temporary generation time, and the number of inputs is less than the limited number of times. In this case, an OTP validity determination step of determining that the OTP is valid;
The first computing device includes an OTP module including a first module and a second module,
Each of the first module and the second module includes an OTP providing unit that performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step; And a management unit for detecting other modules;
While the OTP providing unit of a specific module among the first module and the second module performs the QR code generating step, the verification OTP generating step, and the OTP validity determining step, the OTP providing unit of the specific module is forcibly terminated In this case, the forced termination is detected by the management unit of the other module, and the QR code generation step, the verification OTP generation step, and the OTP validity determination step are subsequently performed by the OTP providing unit of the other module to provide an OTP method.
A method for providing an OTP performed by a first computing device including a camera of an access control system and a user terminal,
a facility code of the first computing device loaded from an installation file by the first computing device; and a seed key for the first computing device; first computing device information about the first computing device; the OTP input time limit input by the user; And the OTP input limited number of times; QR code generation step of generating a QR code encoded to enable inverse conversion of information including;
A QR code recognition step of recognizing the QR code, and verifying and storing information included in the QR code by the user terminal;
an OTP generating step of generating, by the user terminal, the OTP according to a first rule set based on the seed key and a generation time, which is a time at which the user commands generation of the OTP;
the first computing device; or a second computing device that communicates with the first computing device; receives the OTP from the user, and stores the input count and input time of the OTP input by the first computing device; A temporary creation time corresponding to the creation time is extracted from the inputted OTP according to a second preset rule, and a verification OTP is generated according to the preset first rule set based on the seed key and the temporary creation time. , a verification OTP generation step of determining whether the OTP coincides with the verification OTP; and
By the first computing device, when the OTP and the verification OTP match in the verification OTP generation step, the input time falls within the limited time from the decrypted temporary generation time, and the number of inputs is less than the limited number of times. In this case, an OTP validity determination step of determining that the OTP is valid;
The first computing device includes an OTP module including a first module and a second module,
Each of the first module and the second module includes an OTP providing unit that performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step; And a management unit for detecting other modules;
While the OTP providing unit of a specific module among the first module and the second module performs the QR code generating step, the verification OTP generating step, and the OTP validity determining step, the OTP providing unit of the specific module is forcibly terminated In this case, the forced termination is detected by the management unit of the other module, and the QR code generation step, the verification OTP generation step, and the OTP validity determination step are subsequently performed by the OTP providing unit of the other module to provide an OTP method.

According to any one of claims 1 to 4,
The QR code recognition step includes a mutual information verification step,
In the information mutual verification step,
A first OTP generating step of generating a first OTP by the user terminal;
The first computing device or the second computing device receives the first OTP from the user, the first computing device verifies the first OTP, and when the first OTP is verified, the second OTP A first OTP verification step of generating;
a second OTP verification step of receiving, by the user terminal, the second OTP from the user and verifying the second OTP; and
When the 2 OTP is verified in the 2 OTP verification step, the user terminal stores the facility code included in the QR code, the seed key, the first computing device information, the limited time and the limited number of times Including; QR code information storage step;
The OTP providing method of repeating the first OTP generating step to the second OTP verifying step a predetermined number of times.
According to any one of claims 1 to 4,
The preset first rule set includes a plurality of rules,
The rule for deriving the temporary creation time from the creation time is,
Calculate the remainder of dividing the number of tens digits and ones digits of the minutes and seconds of the generation time by 8, binarize each of the remainders into 3 bits, and arrange them in order to derive the temporary creation time conform to the rules,
The rule for generating the OTP or the verification OTP at the seed key and the temporary generation time,
To derive a temporary OTP with 64 bits,
By inputting the seed key into a first hash function, a binaryized seed key is generated, and 52 digit sequences having bits corresponding to 1 are extracted from the front of the binaryized seed key,
generating a binaryized temporary key by inputting the seed key and the generation time into a second hash function;
sequentially extracting bit values corresponding to the digit order from the temporary key;
Arranging the bit values in order in 52 digits excluding the preset 12 digits among the 64-bit digits of the temporary OTP,
The temporary OTP having 64 bits is derived by arranging the temporary generation time in order in the preset 12 digits;
The temporary OTP is sequentially decomposed into binary numbers having 8 bits each of 8 digits from the front, and the remainder of dividing by 8 is calculated for each of the binary numbers having 8 bits to derive the OTP or verification OTP arranged in order Corresponding to the rules, how to provide OTP.
According to any one of claims 1 to 4,
The preset second rule,
The numbers of the OTP are converted into binary numbers each having 8 bits from the front and placed in order, and bit values are extracted in order from preset 12 digits,
A method of providing an OTP corresponding to a rule of deriving the temporary generation time by sequentially decomposing the extracted 12 bit values by 3 digits.
delete A system that provides an OTP including a first computing device and a user terminal included in an access control system,
The first computing device may include: a facility code of the first computing device loaded from an installation file; and a seed key for the first computing device; first computing device information about the first computing device; the OTP input time limit input by the user; And a QR code generation step of generating a QR code encoded so that information including the OTP input limit number of times can be inversely converted;
The user terminal performs a QR code recognition step of recognizing the QR code, verifying and storing information included in the QR code;
The user terminal performs an OTP generation step of generating the OTP according to a first set of rules based on the seed key and a generation time, which is a time when the user commands the OTP generation,
the first computing device; or a second computing device that communicates with the first computing device; receives the OTP from the user, and the first computing device stores the input count and input time of receiving the OTP; A temporary creation time corresponding to the creation time is extracted from the OTP by a preset second rule, and a verification OTP is generated by the preset first rule set based on the seed key and the temporary creation time, a verification OTP generation step of determining whether the OTP matches the verification OTP; and
The first computing device, in the verification OTP generation step, when the OTP and the verification OTP match, when the input time falls within the limited time from the decrypted temporary generation time, and the number of inputs is less than the limited number of times To perform an OTP validity judgment step of determining that the OTP is valid;
The first computing device includes an OTP module including a first module and a second module,
Each of the first module and the second module includes an OTP providing unit that performs the QR code generation step, the verification OTP generation step, and the OTP validity determination step; And a management unit for detecting other modules;
While the OTP providing unit of a specific module among the first module and the second module performs the QR code generating step, the verification OTP generating step, and the OTP validity determining step, the OTP providing unit of the specific module is forcibly terminated In this case, the forced termination is detected by the management unit of the other module, and the QR code generation step, the verification OTP generation step, and the OTP validity determination step are subsequently performed by the OTP providing unit of the other module to provide an OTP system.

Images