KR20010044312A - public-key infrastructure based digital certificate, methods of issuing, security for the same certificate, using the same certificate and the system for issuing the same certificate, using optical recording media - Google Patents

Abstract

PURPOSE: An optical record medium storing a public key based private key and a certificate, issuing method and system and an usage thereof are provided to make issuing of private key and certificate and use thereof comfortable. CONSTITUTION: An optical record medium storing a public key based private key and a certificate records one and more certificates of certification facilities, a user certificate and a private key of user. One and more certificates of certification facilities have a public key that is for verifying the certificate of user in public key based structure. The user certificate is issued by the certification facilities and has public key that is for verifying electronic signature. The private key of user is encrypted using the electronic signature password by standard method of password based encryption and is for the electronic signature.

Description

Optical record medium for storing private key and certificate of public key infrastructure, its issuance method and issuing system and method of use {public-key infrastructure based digital certificate, methods of issuing, security for the same certificate, using the same certificate and the system for issuing the same certificate, using optical recording media}

The present invention relates to an optical recording medium storing a private key and a certificate of a public key infrastructure for authentication and security in electronic transactions, an issuing method thereof, an issuing system and a using method thereof, and more particularly, such as a CD and a DVD. It utilizes the characteristics of optical recording media to perform electronic signatures for authentication, message forgery verification, and prevention of unauthorized transactions, and facilitates the application and issuance of private keys and certificates in the public key infrastructure for message encryption and communication security. The present invention relates to an optical record medium storing a private key and a certificate of a public key infrastructure for improving the usability and security of a private key and a certificate contained in an optical record medium, an issuing method thereof, an issuing system, and a method of using the same.

With the development of communication networks such as the Internet, electronic transactions are rapidly increasing and various business processes are being performed. However, such a network has a lot of risks due to lack of security provision. In terms of e-commerce service providers such as banks, securities firms, shopping mall vendors, and public offices, there is a risk of disguising suppliers or illegally misusing customer information, and on the contrary, in terms of users who use such services, If you send information such as credit card number, account number and password, there is a risk of exposing each user's important information, and if such information is exposed and forged or forged, there is a problem of serious damage to users. Occurs. Therefore, the importance of authentication and security technology that can enhance the security that can securely trust each other between the supplier side and the user side using the service to handle the e-commerce services providing services.

Due to the necessity of such technology, various researches are being actively conducted, and such authentication and security technologies have already been developed and put into practical use by some companies, universities, and research institutes.

First, looking at how to use the ID and password, the user is familiar and convenient, but there is a risk that the ID and password is transmitted in plain text. In order to secure this, ID and password are encrypted and transmitted. However, the method of writing ID and password relies on the user's memorization, and the method is simple, so it is not safe for electronic transactions requiring security. In addition to these methods, there are methods for authenticating and securing by using physical media, fingerprints, handwriting, etc., but they do not provide all authentication and security of electronic transactions merely by authentication or limited security.

For this reason, a trusted certificate authority verifies the user's identity and issues a public key certificate, and the user performs a digital signature and encryption by using his or her private key and public key certificate securely stored. A public-key infrastructure has been proposed as a standard that completely addresses the issues of integrity, confidentiality and nonrepudiation.

In the public key infrastructure, in order to use a private key and a certificate for digital signature and encryption, it is necessary to first apply and issue it. However, the application, issuance, and use of the current private key and certificate are complicated and the procedures are separated from each other, which makes users feel difficult. Consequently, the utilization of the certificate is low and the certificate cannot be spread. to be.

The procedure for applying and issuing an existing certificate is shown in FIG.

First, a user visits a registration authority (RA) to apply for issuance of a certificate and applies for certificate issuance (step 1).

Next, the registrar verifies the user's identity (step 2), issues the token to the user, stores it on a smart card or diskette, issues it to the user, or prints or copies the paper document to the user (step 3). The token delivered to the user offline includes information such as an ID and password or an encrypted code for the user to generate his or her public / private key pair and to issue a certificate.

The user downloads and installs a certificate management program in advance on his terminal located in a home or office where a certificate is to be used (step 4), and then generates a public key and a private key using the certificate management program (step 5).

When the user requests a certificate by sending a certificate request message (PKCS # 10) containing a token issued by the registrar and his public key to the server of the certificate authority (step 6), the server of the certificate authority (CA) Validates the certificate request message (step 7), then issues a response to the certificate request, that is, issues the certificate and stores it in the certificate store (X.500 directory or LDAP server) (step 8). Transmit (step 9).

The user stores the certificate and key downloaded from the server of the certification authority in a medium such as a hard disk, a diskette, an IC card, or a smart card, and uses the same for digital signature, message encryption, and secure communication (step 10).

However, in the case of using the current method as described above, the certificate management program is installed in one's own terminal, which is a step performed from step 1 to step 3, which receives information for accessing the server of the certification authority after verifying the identity, and is performed online. Step 4, generating a private key and public key pair, step 6, step 9 and step 10, in which the user is issued a certificate from the server of the certification authority, are separated from each other. Users who are unfamiliar with encryption can feel complicated and reluctant to use certificates.

In addition, in selecting a public key-based private key and certificate storage medium, a hard disk, a floppy disk, a smart card, and an IC card are generally recommended, but such a storage medium has problems. The method of storing the certificate information on the hard disk media has the problem of liquidity because it can be used only in a fixed place with the risk of hacking.However, the method of storing on the floppy disk has a small capacity and damages with the risk of duplication. There is a problem that it is difficult to store for a long time because it is easy, and the method of storing on a smart card or IC card medium requires an additional device (smart card or IC card reader) that has not yet become common, and costs a lot of devices for development. Because of its own development, there was a problem such that it was not standardized and the compatibility was poor.

The present invention was made to solve the problems of the existing private key, certificate issuance and use, and problems of the existing private key, certificate storage medium,

An object of the present invention is to provide an optical recording medium for storing a private key and a certificate of a public key infrastructure which facilitates issuance and use of a private key and a certificate.

Another object of the present invention is to provide a method for issuing an optical recording medium for storing a private key and a certificate of a public key infrastructure, so that a user who is not familiar with a computer can be conveniently issued a private key and a certificate.

Another object of the present invention is to provide a system for issuing an optical recording medium which stores a private key and a certificate of a public key infrastructure to improve usability and security.

In another aspect, the present invention provides a method of using an optical recording medium for storing the private key and certificate of the public key infrastructure to facilitate the issuance and use of the private key, certificate and to improve the usability and security during use. Another purpose.

1 is a system diagram showing a certificate issuing process according to the prior art.

2 is a block diagram showing the configuration of an entire system for issuing an optical recording medium storing a private key and a certificate of the present invention.

3 is a flowchart illustrating a process of issuing an optical recording medium storing a private key and a certificate according to an embodiment of the present invention.

4 is a flowchart illustrating a process of issuing an optical recording medium storing a private key and a certificate using a security key management server according to another embodiment of the present invention.

5 is a flowchart illustrating a process of issuing an optical recording medium storing a private key and a certificate using an optical recording medium label output device according to another embodiment of the present invention.

6 is a flowchart illustrating a process of issuing an optical recording medium storing a private key and a certificate by using a registered unique number registered in a user information database according to another embodiment of the present invention.

7 is a flowchart illustrating a process of issuing an optical recording medium storing a private key and a certificate using a serial number of a certificate issued by a certification authority according to another embodiment of the present invention.

8 and 9 are schematic diagrams showing the contents stored in the storage device of the registration authority and the created optical record medium, respectively.

Fig. 10 is a schematic diagram showing the format of a user certificate used in the optical recording medium of the present invention.

11 is a flowchart illustrating a process of using an optical record medium storing a private key and a certificate according to an embodiment of the present invention.

12 is a flowchart illustrating a process of using an optical recording medium storing a private key and a certificate by using a security key management server according to another embodiment of the present invention.

FIG. 13 is a schematic diagram illustrating a process of a user using an optical recording medium storing a private key and a certificate of the present invention selecting and paying through a mobile communication provider.

In order to achieve the above object, the optical record medium storing the private key and the certificate of the public key infrastructure of the present invention, the method of issuing the system and the method of using the certificate are provided by a user such as a registration authority (RA). (digital certificate) After confirming the identity of the applicant at the place where the application for issuance is issued, registering the user, generating a private key and public key, and processing the certificate issuance process, the generated private key and The certificate can be issued by storing it in optical recording media such as CD and DVD along with the necessary software, so that the application and issue can be processed in one place. The user can save the private key and digital certificate through the optical recording media. It handles all the tasks related to user authentication and message security by digital certificate.

In addition, the optical recording medium with a large storage capacity may include a certificate management software, an automatic access program, and an application and a promotional material related to the use of the public key infrastructure, so that the user can conveniently use the private key and certificate. Since the portability to carry the optical recording medium is enhanced, it can be used anywhere regardless of a specific computer or terminal.

That is, in the optical recording medium storing the private key and the certificate, which is a key storage medium of the public key infrastructure according to the present invention, a certificate of at least one certification authority that verifies the user's certificate in the public key infrastructure is issued from a certificate authority. The user's certificate for digital signature verification, encrypted with the digital signature password stored by the user by the standard method of password-based encryption (PKCS # 5), and records the user's private key to perform the digital signature.

The private key is encrypted with the optical recording medium security key stored in the security key management server to prevent misuse due to the loss of the optical recording medium and to enhance security. Save it to the server.

The user's certificate is formed according to the standard format (X.509) of the certificate, and the extended field of the certificate may include a user registration unique number for accessing user information stored in the user information database server.

In addition, the optical recording medium using a certificate management program for performing functions such as the management of digital signatures and the user's certificate and private key, application for revocation and reissuance, and the certificate management program using the user's certificate and private key. An installation program that registers the configuration for the user's computer on the user's computer, an automatic connection program that provides an automatic connection to a specific web server to use the user's certificate for electronic transactions or electronic business, and a web and mail plug-in program. It can record more public key-based applications and promotional materials, such as other electronic wallet programs.

The above-described optical recording medium may include a magnetic stripe, an RF chip, an IC chip, or the like to be used not only for online electronic authentication but also for offline use of credit cards, debit cards, prepaid cards, membership cards and bus cards. colorPIMS etc. can be attached.

On the other hand, the present invention is a method for issuing an optical recording medium for storing private keys and certificates, such as a user's certificate and private key,

According to the user's request, the employee of the registrar checks the identity, receives the information from the user, enters the registration management program and transmits the registration information to the user information database server by the registration management program.

Forming a temporary storage space in a storage device of the computer and generating a key pair of a public key and a private key of a public key infrastructure;

The temporary storage space refers to a storage area of a storage device which is temporarily stored in order to record each user's private key and certificate data on an optical recording medium through an optical recorder and then deleted.

Encrypting the private key with an electronic signature password stored by the user and storing the private key in the temporary storage space;

Creating and sending a certificate request message (PKCS # 10) including the public key to a server of the certification authority;

Receiving a certificate of a user issued from a server of the certification authority and storing the certificate of the user in the temporary storage space;

Recording a certificate of the user, a private key stored in the temporary storage space, and a certificate of the one or more certification authorities previously stored in a storage device of the computer on an optical recording medium;

And permanently deleting the temporary storage space from the storage of the computer.

Here, the user who has already been identified can apply for certificate issue on the web.

In addition, generating a key pair of a public key and a private key, encrypting the private key with a digital signature password, and storing the key pair in a temporary storage space allows the user to generate the key pair directly without using the staff of the registrar to increase safety. For this purpose, the certificate issuing terminal can be separated from the registrar's staff or the issue screen and the key pair generation screen can be separated and the private key can be encrypted and stored with a password for the digital signature.

In addition, after receiving the user's certificate from the server of the certification authority, register the serial number of the certificate in the user information database server, or receive the user registration unique number generated from the user information database server to create the certificate request message In the transmission, the user registration unique number is included in the certificate request message so that the certificate and the user information database can be linked to each other so that the user information that the user certificate does not have can be utilized.

In addition, after receiving the certificate issued from the server of the certification authority to enhance the security of the private key, the private key is encrypted with the optical record medium security key as the secret key, and the optical record medium security key is managed with the optical record medium security key. You can also save it to the server.

In addition, the system for issuing an optical recording medium for storing the private key and certificate of the public key infrastructure according to the present invention, the user information database server, security key management server and the server of the certificate authority to communicate using a computer communication network Is a system for issuing an optical recording medium for storing the private key and certificate during the execution,

A storage device, a processing device connected to the storage device, an optical recording medium recorder connected to the storage device and the processing device,

The storage device stores a program for controlling the processing device and information according to the operation.

The processing device operates in conjunction with the program and receives user information and registers it in a user information database server, forms a temporary storage space associated with the user in a storage device, and generates a key pair of a public key and a private key of a public key infrastructure. Generate and encrypt the private key with a digital signature password and store it in a temporary storage space. Create a certificate request message containing the public key and send it to the server of the certification authority. Receive the user's certificate from the server of the certification authority. A user's certificate and private key stored in a temporary storage space and a user's certificate previously stored in a computer storage device, a certificate of one or more certificate authorities previously stored in a storage device of a private key and computer, Digital signature and certificate management, revocation and reissue using user's certificate and private key A certificate management program that can be applied for, etc., an installation program for registering an environment setting for using the certificate management program to a computer for using a user's certificate on an optical recording medium using an optical recording medium recorder, and temporarily And a storage space is permanently deleted from the storage device of the computer.

On the other hand, a method of using an optical recording medium storing the private key and certificate, the method comprising the steps of connecting to any web server using a computer equipped with an optical recording medium reader,

Receiving a digital signature request from a web server,

Driving the certificate management program;

Inserting the optical recording medium if the optical recording medium for storing the private key and the certificate is not inserted in the optical recording medium reader;

Delivering the user's certificate received from the web server,

And receiving the password for the digital signature from the user and digitally signing the digital signature.

The user certificate has a basic area and an extended area according to the standard format (X.509).

In addition, the method of using the optical recording medium storing the private key and the certificate by using the security key management server is that the security key is not stored in the storage device after the certificate management program is run, and is secured from the security key management server. After receiving the key and storing it in the storage device, it is characterized in that the digital signature is performed by decrypting the encrypted private key using the security key.

If a user who owns an optical recording medium storing a private key and a certificate of a public key infrastructure selects a payment method through a mobile communication provider to purchase goods or services in a shopping mall and make a payment, the optical recording medium described above After the authentication process by digital signature is performed through the optical recording medium storing the private key and certificate of the public key infrastructure according to the usage method, the mobile phone number presented by the user to the mobile communication provider in the authentication server is owned by the user. The license is confirmed to the mobile communication provider to confirm that the transaction is performed by a normal user, and the charging is performed.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

2 is a schematic diagram showing a configuration of an entire system for issuing a certificate according to an embodiment of the present invention.

As shown in FIG. 2, the system of the present invention largely stores the server 110 and the user information of the certification authority that digitally sign the computer 100 of the registration authority and the user certificate of the public key infrastructure with its own private key. It is composed of a user information database server 120 and a security key management server 130 to be stored.

The user 140 should visit the computer 100 of the registrar and apply for issuance of a certificate.

If the user's identity is confirmed, the user can apply for a certificate through a web or telephone call without visiting the registrar.

In response to the request of the user 140, the computer 100 of the registration authority communicates with the computer 110 of the certification authority and the user information database server 120 using an internet network not illustrated. After the certificate is issued, the certificate is recorded on the optical recording medium 150 such as a CD to be issued to the user.

The computer 100 of the registration authority for issuing an optical recording medium 150 storing a user certificate and a private key of a public key infrastructure using a communication network,

A memory device 101 which stores a program for controlling internal operations while controlling the processing device 102 and information according to the operation;

A processing device 102 connected to the storage device 101 and operated by the program;

By including the optical recording medium recorder 103 connected to the storage device 101 and the processing device 102 described above,

The user device receives the user information from the processing device 102 operating with the program, registers the user information in the user information database server 120, forms a temporary storage space associated with the user in the storage device 101, and uses a public key. To create a certificate request message (PKCS # 10) with a structure, a key pair of a public key and a private key is generated, and the private key is stored as an electronic signature password stored by the user by the standard method of password-based encryption (PKCS # 5). Encrypt and store in the temporary storage space, create a certificate request message containing the public key to transmit to the server 110 of the certification authority, and receives the user's certificate issued from the server 110 of the certification authority The user's certificate and private key stored in the temporary storage space and the storage device 101 of the computer. After recording the certificates, etc. of the certificate authority that Li is stored in the optical recording medium 150, and the removal of the temporary storage space in the storage device 101 of the computer.

The computer 100 of the registration authority includes an optical recording medium label output device 104 in addition to a storage device 101, a processing device 102, and an optical record medium recorder 103, for processing a certificate issuance process. The registration management program 105 is incorporated.

By the security key management server 130 of the optical recording medium for accessing the user's private key stored in the optical recording medium 150,

When the private key is encrypted with an electronic signature password and stored in a temporary storage space, the private key encrypted with the digital signature password is stored while encrypting the optical record medium security key as a secret key once more and the optical record medium security key is stored. It can be sent to the security key management server 130 to manage.

After registering the user information in the user information database server 120 in the processing apparatus 101, and receives a user registration unique number generated from the user information database server 120,

The user registration unique number may be included in the certificate request message when the certificate request message is created and transmitted so that the user registration unique number is included in the extension field of the user certificate.

In addition, the processing apparatus 102 receives a user's certificate from the server 110 of the certification authority and stores the user's certificate in the temporary storage space, and then registers the serial number of the user certificate in the user information database server 120. can do.

After recording on the optical recording medium 150 in the computer 100 of the registration authority to output a label including the user's name, unique number, barcode, colorPIMS, etc. using the optical recording medium label output device 104. Can be.

When recording on the optical recording medium 150 through the optical recording medium recorder 103 in the computer 100 of the registration authority,

A certificate management program that performs functions such as managing the digital signature using the user's certificate and the private key, the user's certificate and the private key, revocation, and applying for reissuance;

An installation program for registering an environment setting for using the certificate management program in a user computer;

An automatic access program that provides automatic access to a specific web server for use of the user's certificate for electronic transactions or electronic business processing;

Web and mail plug-in programs,

Public key-based application programs such as other electronic wallet programs and biometric information such as fingerprints and irises are recorded together to enable various uses of optical recording media.

3 illustrates a process of issuing an optical recording medium storing a private key and a certificate by using the optical recording medium issuing system according to the above embodiment.

A user information database server (120) for storing user information and a registrar that can communicate using a computer communication network with a server (110) of a certification authority that digitally signs and generates a user certificate of a public key infrastructure with its own private key. Using the computer 100 to issue an optical recording medium 150 that stores a user's certificate and private key, etc.

If there is a request for issuance of a certificate from the user (step 21), the registrar's staff checks the user's identity and confirms it (step 22) and informs the user of the user information to enter and receives correct user information from the user ( Step 23) The user information database server 120 transmits the registration to the user information database server 120 (step 24).

After the temporary storage space associated with the user is formed in the storage device 101 of the computer 100 of the registration authority (step 25), a key pair of a public key and a private key for use in digital signature and encryption of the public key infrastructure. Create (step 26).

The private key is encrypted with the digital signature password stored by the user according to the standard method of password-based encryption (PKCS # 5) (step 27) and stored in the temporary storage space (step 28).

A certificate request message including the public key is created (step 29) and transmitted to the server 110 of the certification authority (step 30).

When the user's certificate issued from the server 110 of the certification authority is received (step 31), it is stored in the temporary storage space of the storage device 101 (step 32).

After reading the user's certificate stored in the temporary storage space and the private key information encrypted with the user's digital signature password (PKCS # 5) (step 33). Information, such as a certificate of the one or more certification authorities, stored in advance in the storage device of the computer 100 of the registration authority is read (step 34), and then recorded and issued on the optical recording medium 150 (step 35).

The temporary storage space is permanently deleted from the storage device 101 of the computer 100 (step 36).

In steps 26 to 28, a key pair of the public key and the private key is generated, and the private key is encrypted with an electronic signature password and stored in a temporary storage space.

It is also possible to separate the certificate issuing terminal or separate the registration related screen and the password input screen without allowing the employee of the registrar to directly input the digital signature password so that the user can directly generate a key pair and input the digital signature password. .

4 shows a certificate issuing process using a security key management server according to another embodiment of the present invention.

When the private key is further encrypted with an electronic signature password and stored in a temporary storage space by further using the security key management server 130 of the optical medium to access the user's private key stored in the optical recording medium 150. Encrypt the private key encrypted with the digital signature password again using the optical record medium security key as a secret key (step 27 ?? 1) and then send the stored private key to the optical record medium security key management server 130 for storage. After that (step 27-2), it is stored in the temporary storage space (step 28).

5 is a view illustrating a certificate issuing process using an optical record carrier label output device according to another embodiment of the present invention.

The optical recording medium label is further recorded on the optical recording medium 150 by using the optical recording medium label output unit 104 for outputting a label to be attached to the optical recording medium 150 on the optical recording medium 150. Using the output unit 104, a label including a user's name, a unique number, a barcode, colorPIMS, and the like is output (step 35-1).

FIG. 6 illustrates that a certificate and a user information database can be linked using a unique number registered in a user information database according to another embodiment of the present invention.

After the user information is registered in step 24 of FIG. 3, the certificate request message is created in step 29 by receiving a user registration unique number generated from the user information database server 120 (step 24-1). When the user registration unique number may be included in the certificate request message,

7 is a diagram for enabling interworking of a certificate and a user information database using a serial number of a certificate issued by a certification authority according to another embodiment of the present invention.

After receiving the user's certificate from the server 110 of the certification authority in step 31 of FIG. 3, the serial number of the user certificate may be registered in the user information database server 120 (step 31-1). .

8 illustrates a storage area of a storage device of a registration authority computer according to an embodiment of the present invention.

In the previously created storage space 101a of the storage device 101,

At the same time as storing the certificates of one or more

A certificate management program that performs functions such as managing digital signatures using the private key, the user's certificate and private key, revocation, and reissuing applications

An installation program for registering an environment setting for using the certificate management program in a user computer;

An automatic access program for providing automatic access to a specific web server for use of the user's private key and certificate in electronic transactions or electronic business processing;

Selectively store public key-based applications such as web and mail plug-in programs and other electronic wallet programs.

In the temporarily created storage space 101b of the storage device 101,

A user's certificate issued by the certificate authority and including a public key for digital signature verification;

By the standard method of password-based encryption, the digital signature password is encrypted by the user and temporarily stores the user's private key for digital signature.

9 shows an internal configuration of an optical recording medium according to an embodiment of the present invention.

In the optical recording medium 150 for storing the private key and certificate of the public key infrastructure issued by the system and the issuing method,

One or more certificate authorities' certificates, including a public key for verifying a user's certificate in a public key infrastructure,

A user's certificate issued from the certification authority and including a public key for digital signature verification;

By the standard method of password-based encryption, it is encrypted with the digital signature password that the user stores, and records the user's private key for digital signature.

The private key may be encrypted once more using the optical key of the optical recording medium stored and managed by the security key management server 130 as a secret key.

At least one certificate of the certification authority, one certificate of the user, and one private key of the user may be recorded.

In addition, the optical recording medium 150 for storing the private key and certificate,

A certificate management program that performs functions such as managing the digital signature of the user and the user's certificate, the user's certificate, and the private key;

An installation program for registering an environment setting for using the certificate management program in a user computer;

An automatic access program that provides automatic access to a specific web server for use of the user's certificate for electronic transactions or electronic business processing;

Selectively store public key-based applications such as web and mail plug-in programs and other electronic wallet programs.

On the other hand, the optical recording medium 150 that stores the private key and certificate of the public key infrastructure is not only authenticated by electronic signature online but also offline by credit card or debit card, prepaid card, membership card, bus card. Magnetic stripe or RF chip or IC chip is additionally attached for use.

10 shows a format of a user certificate used in the optical recording medium of the present invention.

The user's certificate includes a user name, serial number, expiration date, and issuer name, which are general information recorded on the optical recording medium 150 in the basic field 150a of the certificate according to the standard format (X.509) of the certificate. , Write down your email address, etc.

The extended field 150b of the certificate includes a user registration unique number for accessing user information stored in the user information database server.

11 illustrates a process of using an optical recording medium for storing a private key and a certificate according to an embodiment of the present invention.

In the case of using the optical recording medium 150 for storing the private key and the certificate of the public key infrastructure in which the user certificate and the private key are recorded,

A computer equipped with an optical record medium reader is used to connect to any web server that requires authentication (step 41) to receive an electronic signature request from the web server (step 42).

By using the user's certificate and private key to drive a digital certificate and certificate management program for certificate management, revocation, re-issuance, etc. (step 43), if the optical recording medium reader to the optical recording medium 150 If it is inserted (step 44), the optical recording medium 150 is inserted into the optical recording medium reader (step 45).

When the password for the digital signature is input from the user, the private key of the user encrypted and stored on the optical recording medium 150 is decrypted (step 46), and the digital signature is performed using the decrypted user's private key (step 47). The signature is then passed to the web server for verification (step 48).

12 illustrates a process of using an optical recording medium storing a private key and a certificate by using a security key management server according to another embodiment of the present invention.

A computer equipped with an optical record medium reader is used to connect to any web server that requires authentication (step 51), and receive an electronic signature request from the web server (step 52).

And a communication function with a security key management server 130 for storing and managing an optical signature medium, such as an electronic signature, certificate management, revocation, reissue request, etc. using the user's certificate and private key. A certificate management program that can be stored and used in a storage device of a computer is driven (step 53) to check whether the optical recording medium 150 is inserted into the optical recording medium reader (step 54). The optical recording medium 150 is inserted into the optical recording medium reader (step 55).

Check if there is an optical record medium security key stored in the storage of the user's computer (step 56), and if so, read it (step 57).

Next, the user's private key encrypted and stored on the optical recording medium 150 is decrypted using a security key (step 57-1), a password for electronic signature is input from the user, and the private key is decrypted (step 58). After the digital signature is performed (step 59), the digital signature is transmitted to the web server (step 60).

On the other hand, if there is no optical recording medium security key in the storage device of the user computer in step 56, it is determined whether to receive the optical recording medium security key directly from the security key management server or via the mail server (step 61).

When receiving the certificate of the security key management server 130 from the security key management server 130 that stores and manages the security key (step 62), the certificate of the security key management server 130 that received the certificate management program Verify (step 63).

The certificate management program generates an arbitrary session key for encrypting communication data (step 64), and the user-specific information for requesting the security key and the generated session key of the security key management server 130. Encrypted with the public key contained in the certificate (step 65) and transmitted to the security key management server 130 (step 66).

The security key management server 130 encrypts the security key using the received session key (step 67), and then transfers it to the certificate management program (step 68), wherein the certificate management program stores the security key. The security key received from the management server is stored in the storage of the user computer (step 69).

In the case where the security key is to be delivered to the user's e-mail through the mail server from the security key management server 130 that stores and manages the security key, the certificate manager is recorded in the basic field of the user's certificate. Requesting the security key to a security key management server 130 that stores and manages the security key with an e-mail address (step 71), the security key management server 130 is a mail of the security key management server 130 The security key stored in the server is transmitted to the e-mail address of the requested user (step 72).

When the user inputs the security key included in the requested e-mail to the certificate management program (step 73), the certificate management program stores the input security key in a storage device of the user computer (step 74).

The e-mail may use a secure mail method such as PGP or S / MIME.

And before driving the above certificate management program,

If the environment setting for using the certificate management program is not registered in the computer,

An environment for using the certificate management program is registered in the computer by running an installation program for registering the environment setting for using the certificate management program in the computer.

After sending the above digital signature,

When the web server accesses the user information database server and requests user information using the user registration unique number, the user information of the user is transmitted from the user information database server to the web server.

After the above step of electronic signature,

The web server may request user information from the user information database using a serial number included in the basic field of the user certificate received from the user information database server.

Meanwhile, FIG. 13 illustrates a process in which a user who owns an optical recording medium storing a private key and a certificate of a public key infrastructure selects a payment method through a mobile communication provider in a shopping mall, and makes a payment.

When a user with an optical recording medium storing a private key and certificate of a public key infrastructure needs to purchase goods or services and make a payment, the shopping mall asks the user to select which payment to make. (Step 81) If the payment is to be made by card or Giro, the payment is made by a general payment process, and when the payment method is selected through a mobile carrier, the public key is used according to the above-described method of using the optical recording medium. An optical recording medium storing the private key and certificate of the infrastructure is inserted and a digital signature is required (step 82).

The shopping mall transmits the user certificate and the digital signature information by the user certificate and the private key received from the optical recording medium to the authentication server (step 83), so that the authentication server confirms the identity and the identity by electronic signature. (Step 84).

The authentication server performing the authentication procedure by the electronic signature requests the mobile operator to confirm whether the mobile telephone number presented by the user is owned by the user (step 85). If it is confirmed (step 86), the normal transaction by the normal user is transmitted to the shopping mall so that the settlement is completed (step 87).

As described above, according to the optical recording medium storing the private key and the certificate of the public key infrastructure of the present invention, its issuing method and using method, and the issuing system thereof, in applying, issuing, and using a certificate from a certification authority, The registrar replaces the existing procedures of applying for a certificate, generating a key pair, issuing a certificate and installing related software, and provide the user with the necessary information on a CD. It becomes possible.

In addition, certification services can be provided on any computer with a high penetration rate and standardized CD-ROM drive or DVD drive such as a CD drive, providing portability and scalability of the certificate. Falling, unstandardized IC card. Unlike smart card media, it offers economics and standardization.

In addition, the registrar provides a method for interworking with a user information database when issuing a certificate in an optical recording medium, thereby providing a function for effectively and efficiently managing user information.

In addition, it is more secure than using a fixed storage medium such as a hard disk in that the user always has an optical recording medium as a certificate storage medium, and the registrar issues the private key and certificate in the optical recording medium. In this case, by providing a security method for accessing the optical recording medium, it provides high security to prevent the risk of loss or duplication of the medium.

In addition, by utilizing the capacity of the optical recording medium and the design of the label, it provides a function to effectively inform the user of the promotion or information of each service provider and identify the type of service.

These features will be a new proposal to improve the low prevalence and utilization of user certificate issuance necessary for e-commerce and electronic business process. Thus, the optical recording media storing private keys and certificates such as CDs and DVDs can be used. When the distribution is activated, medical administration as well as electronic commerce and financial settlement (electronic payment system: EFT, E-Credit Card, E-cash, etc.) based on the user information database and interworking function and security. Services (medical insurance card, reservation, prescription issuance, medicine storage, etc.), civil service (pay local tax, issue issuance of resident registration, marriage, etc., birth notification, car registration and license application), adult site access problems and corporate or public Strong strength of public key infrastructure for employee management inside the institution and secure electronic commerce using mobile phone as a payment method in shopping mall Provide authentication, non-repudiation, confidentiality, integrity, and service, and is expected to contribute significantly to improving the efficient and convenient for the existing range of services to apply the public-key infrastructure in society.

Claims (19)

One or more certification authorities' certificates, including the public key to verify the user's certificate in the public key infrastructure, User's certificate issued from the certification authority, including a public key for digital signature verification, The private key and certificate of the public key infrastructure, which are encrypted with the digital signature password stored by the user by the standard method of password-based encryption (PKCS # 5), and record the private key of the user for digital signature. Optical recording medium for storing. The method of claim 1, The private key is an optical recording medium storing a private key and a certificate of a public key infrastructure recorded by encrypting an optical recording medium security key stored in a security key management server with a secret key once more. The method of claim 1, And a private key and a certificate of a public key infrastructure in which at least one of a certificate of the certification authority, a certificate of the user, and at least one private key of the user are recorded. The method of claim 1, A certificate management program for performing functions such as managing the digital signature of the user, the private key of the user, the certificate of the user, the private key, revocation, and application for reissuance; An installation program for registering an environment setting for using the certificate management program in a user computer; An automatic access program that provides automatic access to a specific web server for use of the user's certificate for electronic transactions or electronic business processing; Web and mail plug-in programs, Public key-based applications, such as electronic wallet programs; An optical recording medium storing a private key and a certificate of a public key infrastructure that further records biometric information and promotional materials such as fingerprints and irises. The method of claim 1, An individual with a public key infrastructure that has a magnetic stripe, RF chip, or IC chip attached to make it available for credit, debit, prepaid, membership, and bus cards offline, as well as online electronic signatures. Optical record carrier for storing keys and certificates. A user information database server that stores user information and a server of a certification authority that digitally signs a user certificate of a public key infrastructure with its own private key and a computer of a registrar that can communicate using a computer communication network. A method of issuing an optical recording medium storing a private key and a certificate of a public key infrastructure for issuing an optical recording medium storing a certificate and a private key, Upon registration of the user, the employee of the registrar checks the user's identity, and the registration management program receives the user's information from the user and transmits the user's information to the user information database server to register with the user information database server. Forming a temporary storage space associated with a user in a storage device of the computer; Generating a key pair of a public key and a private key of a public key infrastructure, Encrypting the private key with an electronic signature password stored by the user according to a standard method of password-based encryption (PKCS # 5) and storing the private key in the temporary storage space; Creating and transmitting a certificate request message including the public key to a server of the certification authority; Receiving a certificate of a user issued from a server of the certification authority and storing the certificate of the user in the temporary storage space; Recording a certificate of the user, a private key stored in the temporary storage space, a certificate of the certification authority previously stored in a storage device of the computer, on an optical recording medium; And issuing the temporary storage space permanently from the storage device of the computer. The method of claim 6, In the step of storing the private key and certificate of the public key infrastructure to generate a key pair of the public key and private key and encrypt the private key with an electronic signature password to store in a temporary storage space, The public key base allows the user to create a key pair and input the digital signature password by separating the certificate issuing terminal or separating the registration related screen and the password input screen without directly performing the digital signature password by an employee of the registration authority. Method of issuing an optical recording medium storing a private key and a certificate of a structure. The method of claim 6, And after registering the user information, receiving the user registration unique number generated from the user information database server, when generating and transmitting the certificate request message, the user registration unique number is included in the certificate request message. Issuing method of optical recording medium storing private key and certificate of public key infrastructure. The method of claim 6, And receiving the certificate of the user from the server of the certification authority, and registering the serial number of the user certificate in the user information database server. How to issue? The method of claim 6, The certificate issuing method may further include using a security key management server of an optical recording medium to access the private key of the user stored in the optical recording medium and encrypting the private key with an electronic signature password and storing the private key in a temporary storage space. A private key encrypted with the digital signature password of the public key infrastructure to encrypt and store the optical record medium security key as a secret key once more and send the optical record medium security key to the optical medium security key management server for storage. Issuing method of optical recording medium storing private key and certificate. The method of claim 6, The certificate issuing method may further include using the optical recording medium label output device for outputting a label to be attached to the optical recording medium, recording the user certificate, private key, etc. on the optical recording medium, and then using the optical recording medium label output device. Issuing method of an optical recording medium storing a private key and a certificate of a public key infrastructure that outputs a label including a user's name, a unique number, a barcode, and colorPIMS. The method of claim 6, A certificate management program for performing functions such as managing the digital signature using the user's certificate, the private key, and managing the user's certificate, the private key, applying for reissuance, and the like, when recording on the optical recording medium; An installation program for registering an environment setting for using the certificate management program in a user computer; An automatic access program that provides automatic access to a specific web server for use of the user's certificate for electronic transactions or electronic business processing; Web and mail plug-in programs, Issuance method of an optical recording medium for storing public key-based applications such as other electronic wallet programs and private keys and certificates of a public key infrastructure for further recording biometric information and promotional materials such as fingerprints and irises. The user information database server that stores user information and the user certificate and public key of the public key infrastructure are stored using the server and computer communication network of the certification authority that digitally sign the user certificate of the public key infrastructure with its own private key. In the issuing system of an optical recording medium for storing the private key and certificate of the public key infrastructure that can issue the optical recording medium, A memory device for storing information according to a program and an operation for controlling the processing device; A processing device connected to the storage device and operated by the program; Including an optical recording medium recorder connected to the storage device and the processing device, The user device receives the user information from the processing device operating with the program, registers the user information in the user information database server, forms a temporary storage space related to the user in the storage device, and publishes a certificate request message with a public key infrastructure. Generates a key pair of a key and a private key, encrypts the private key with an electronic signature password stored by the user according to a standard method of password-based encryption, stores it in the temporary storage space, and includes a certificate request message including the public key. Prepare and transmit the certificate to the server of the certification authority, receive the user's certificate issued from the server of the certification authority, store it in the temporary storage space, store the certificate and private key of the user and the computer stored in the temporary storage space. Of the certification authority previously stored in the storage device of the An optical recording medium issuing system for storing a private key and a certificate of a public key infrastructure for recording a certificate or the like on an optical recording medium and permanently deleting the temporary storage space from the storage device of the computer. A method of using an optical recording medium for storing a private key and a certificate of a public key infrastructure in which a user certificate and a private key are recorded, Connecting to any web server that requires authentication and security using a computer equipped with an optical record reader; Receiving a digital signature request from a web server, Using a certificate and a private key of the user to drive a certificate management program for digital signature, certificate management, revocation, reissue application, etc .; If the optical recording medium is not inserted into the optical recording medium reader, inserting the optical recording medium into the optical recording medium reader; Receiving a password for an electronic signature from a user and decrypting the user's private key encrypted and stored on an optical recording medium; Digitally signing using the decrypted user's private key; A method of using an optical record carrier for storing a private key and a certificate of a public key infrastructure, characterized by the steps of transferring an electronic signature to a web server. A method of using an optical recording medium for storing a private key and a certificate of a public key infrastructure, Connecting to any web server that requires authentication and security using a computer equipped with an optical record reader; Receiving a digital signature request from a web server, It is equipped with a communication function and a security key management server that stores and manages the digital signature, certificate management, revocation, reissue application, etc. using the user's certificate and private key and stores the optical record medium security key. Running a certificate management program that is stored and available on the device; Checking whether the optical recording medium is inserted into the optical recording medium reader and inserting the optical recording medium into the optical recording medium reader if not inserted; Checking if there is an optical record medium security key stored in the storage device of the user's computer, Decrypting the user's private key encrypted and stored on an optical recording medium using a security key; Receiving the password for the digital signature from the user to perform the digital signature and transmitting the digital signature to the web server; Receiving a certificate of the security key management server from a security key management server that stores and manages the security key if there is no optical recording medium security key in a storage device of the user computer; Verifying a certificate of the security key management server that has received the certificate management program; The certificate management program generates an arbitrary session key for encrypting communication data, encrypts user-specific information for requesting the security key and the generated session key with a public key contained in a certificate of the security key management server. Delivering to the security key management server; The security key management server encrypts the security key using the received session key, transfers the security key to the certificate management program, and stores the security key received from the key management server in a storage device of a user computer. Method of using an optical recording medium for storing the private key and certificate of the public key infrastructure, characterized in that performed by. The method of claim 15, After running the certificate management program, If the optical recording medium security key necessary for accessing the user's private key stored in the optical recording medium is not stored in the storage device of the user's computer, The certificate management program requesting the security key from a security key management server that stores and manages the security key with an e-mail address recorded in a basic field of the user's certificate; The security key management server using the mail server of the security key management server to send the security key to the mail address of the requested user; Inputting the security key included in the requested e-mail into the certificate management program; And the certificate management program stores a private key and a certificate of a public key infrastructure to be performed by storing the inputted security key in a storage device of a user computer. The method according to claim 14 or 15, The user's certificate includes a private key including a user registration unique number for accessing user information stored in a user information database server in an extension field according to a standard format (X.509), and an optical recording medium extension field for storing a certificate. After the digital signature is performed, Accessing the user information database server from the web server and requesting user information using the user registration unique number; And transmitting the user information of the user from the user information database server to the web server. The method according to claim 14 or 15, After the electronic signature step, The web server stores an optical key storing a private key and a certificate of a public key infrastructure that allow user information to be requested to the user information database using a serial number included in a basic field of the user certificate received from a user information database server. How to use the media. The method according to claim 14 or 15, When a user with an optical recording medium storing the private key and certificate of the public key infrastructure purchases goods and services in a shopping mall, the user selects a payment method through a mobile communication provider, the private key of the public key infrastructure Inserting an optical recording medium storing a certificate and requesting an electronic signature; The shopping mall that receives the user certificate and the private key information obtained from the optical recording medium storing the private key and the certificate of the public key infrastructure delivers the user's private key, certificate, and digital signature information to the authentication server for authentication. Checking the certificate on the server and verifying the identity by electronic signature; The authentication server that has performed the authentication process by the above-mentioned electronic signature requests the mobile operator to confirm whether the mobile telephone number presented by the user is owned by the user and if it is confirmed that the transaction is performed by a normal user, the normal transaction. Method of using an optical recording medium for storing the private key and the certificate of the public key infrastructure to make a payment by the step of transmitting to the shopping mall to complete the payment accordingly.