KR20060020305A - Mobile 3d secure protocol using ecc - Google Patents

Abstract

The present invention discloses an authentication method using an authentication method using a mobile integrated safety authentication protocol.

Authentication method using the mobile integrated safety authentication protocol according to the present invention, in the authentication method using a mobile 3-D Secure protocol, the card user to use the integrated safety authentication to the card issuer (PAN), PAM (PAM) Requesting user registration by providing user information including a card password, a card expiration date, a user name, a question (a question for checking a user when a password is lost), and an answer (answering a question for checking a user); Issuing a public key, a secret key, and issuing a certificate using an elliptic curve password based on information provided from a card issuer or a card user; And separating and storing the credit information input from the card user using a hash function and providing a certificate to the card user and the authentication server, respectively.

The authentication method using the mobile integrated safety authentication protocol configured as described above, the data transmission security using the elliptic curve cryptography (ECC) algorithm during the 3-D Secure user registration process, and the user in the wireless section using the certificate issuance The authentication process can be operated easily and efficiently. By using elliptic curve cryptography and HASH function, PAN separate storage method is provided to prepare for the leakage of credit information from the authentication server. To provide.

Public key infrastructure, digital signature, encryption, authentication server, card

Description

Authentication method using mobile integrated safety authentication protocol {Mobile 3d secure protocol using ECC}

1 is a view showing the structure of a mobile 3-D Secure according to the prior art.

2 is a view for explaining the authentication process of the mobile 3-D Secure using a mobile communication device according to the prior art;

3 is a view showing an example of a 3-D Secure user registration screen in the present invention;

Figure 4 is a schematic diagram for explaining the separation and storage of the PAN in the present invention,

<Explanation of symbols for the main parts of the drawings>

The present invention relates to an authentication method using a mobile integrated safety authentication protocol, and more particularly, to elevate application information using an elliptic curve password and a hash function while performing data transmission security using an elliptic curve password and a hash function in a mobile environment. The present invention relates to an authentication method using a mobile integrated safety authentication protocol that blocks and provides a simple authentication procedure.

The explosive growth of computer and Internet users has provided a convenient e-commerce environment for credit card users and those who run Internet shopping malls. The volume of e-commerce transactions has been steadily growing year by year, and with the emergence of a new mobile shopping environment using mobile communication terminals, which are currently being introduced, we expect to see remarkable changes and growth in the future. Behind such growth, however, there are constant risks of theft and fraud of credit cards and the leakage of credit information due to hacking.

Bankruptcy transactions in Asia-Pacific Internet transactions amount to $ 20 million annually, and in 2004, bankruptcy transactions will increase to $ 300 million annually, and credit card member processing costs will increase to $ 100 million annually. have.

These negative news arising from e-commerce gave anxiety to credit card users from the Internet that their credit card information and credit information could be leaked. Such a situation is becoming more serious in the mobile Internet. If the Internet e-commerce market continues to grow at the current rate without proper security measures, it may cause social confusion.

To solve this problem, in 1999, Visa developed SET, a payment protocol, in cooperation with MasterCard, IBM, and Microsoft. However, various problems such as installation cost and time were revealed. 3D Secure and Mobile 3-D Secure have been proposed.

With the development of 3D Secure, the security system market has been divided into Visa's 3D Secure, MasterCard's SPA, and SET, but it is very likely that Visa, which accounts for more than 60% of the global card market, will be adopted by standardization. It became.

1 is a view showing the structure of a mobile 3-D Secure according to the prior art.

(1) Issuer domain

The issuing company issues credit card and manages 3-D Secure service registration and authentication. Cardholders must apply for 3-D Secure service to be authenticated when paying on the Internet.

(2) Acquirer domain

The purchaser is the place where the credit card slip is purchased from the store. In the domestic case, the issuer and the purchaser have the same meaning.

(3) Interoperability domain

The issuer domain and the acquirer domain correspond to areas of the visa network where authentication and payment messages are operated.

The authentication process of the mobile 3-D Secure having such a structure is as follows.

3-D Secure is an SSL-based authentication payment protocol. It is a process of receiving user authentication from the issuer first when making payment in an internet shopping mall. The method of authenticating a credit card user may use various methods in addition to a password method, but a password method is widely used as a payment authentication method using an initial mobile communication device.

The authentication process of the mobile 3-D Secure using the mobile communication device is shown in FIG.

(1) The user puts a purchase in a shopping cart and proceeds to a payment.                         

(2) MPI transmits PAN (visa password), channel information and user device information to Visa directory.

(3) If the PAN is a valid number, the Visa Directory sends an ACS (Access Control System) whether it can be authenticated.

(4) The ACS will return to the Visa Directory whether the PAN is registered with 3-D Secure and whether authentication is possible under the credit card user's device and channel information.

(5) The visa directory forwards the ACS's response to the MPI.

(6) The MPI sends a summarized Payment Authorization Request (CPRQ) to the user's mobile terminal via the ACS.

(7) The ACS receives a request for payment verification.

(8) The ACS verifies the user through PAN and PAM and prepares a payment certification certificate (CPRS).

(9) ACS sends payment authentication confirmation to user's device through MPI and sends all data about payment authentication request to authentication server.

(10) The MPI receives the payment verification certificate, verifies the signature, and executes the rest of the input process.

(11) The store receives the sales approval from the purchaser and completes the purchase process.

* PAN (Personal Assurance Number)

* PAM (Personal Assurance Message)

* MPI (Merchant Plug-in: program installed on store server using 3-D Secure)

However, the mobile 3-D Secure according to the prior art as described above provides a cause for making the transmission protocol more complicated by including various authentication methods, and for this reason, the procedures required for authentication and payment are complicated. Not only the convenience of the deterioration but also the use efficiency of the mobile communication terminal causes a problem that is deteriorated.

The present invention was created to solve the above problems, and an object of the present invention is to use an elliptic curve password and a HASH function while enhancing data transmission security using an elliptic curve encryption algorithm in a 3-D secure user registration process. The present invention provides an authentication method using a mobile integrated safety authentication protocol to block the leakage of credit information from the authentication server.

Another object of the present invention is to provide an authentication method using a mobile integrated safety authentication protocol so that a user authentication procedure can be easily and efficiently performed in a wireless section using certificate issuance.

In the authentication method using a mobile integrated safety authentication protocol according to the present invention for realizing the above object, in the authentication method using a mobile 3-D Secure protocol,

In order for cardholders to use integrated security authentication with the card issuer, the cardholder (PAN), PAM, card password, card expiration date, user name, question (question to confirm user in case of lost password), answer (user verification) Requesting user registration by providing user information);

Issuing a public key, a secret key, and issuing a certificate using an elliptic curve password based on information provided from a card issuer or a card user;

And storing the credit information input from the card user by using a hash function and separating the fan from the card user and providing the certificate to the card user and the authentication server, respectively.

The features and advantages of the present invention will become more apparent from the following detailed description based on the accompanying drawings. Prior to this, the terms or words used in the present specification and claims are consistent with the technical spirit of the present invention based on the principle that the inventor can appropriately define the concept of the term in order to explain the invention in the best way. It must be interpreted as meaning and concept.

Hereinafter, a preferred embodiment of an authentication method using a mobile integrated safety authentication protocol according to the present invention will be described in detail with reference to the accompanying drawings.

3 is a view showing an example of the 3-D Secure user registration screen in the present invention, Figure 4 is a schematic diagram for explaining the separate storage of the PAN in the present invention.

As shown in the figure, the authentication method using the mobile integrated safety authentication protocol of the present invention is performed by data transmission and reception between the card user, the card issuer and the authentication server of the authentication authority.

In this case, the user has a mobile device (mobile communication terminal, PDA equipped with a communication kit, etc.), and if the user requests a user registration to use 3-D Secure from the card issuer using the mobile device, The card issuer generates and issues a certificate based on the information, and the certificate is provided to the authentication server.

In other words, the authentication method using the mobile integrated safety authentication protocol of the present invention, the card user to use the integrated safety authentication card issuer (PAN), PAM (PAM), card password, card expiration date, user name, question ( Requesting user registration by providing user information such as a question for checking the user when the password is lost), an answer (answering a question for checking the user),

Following the above steps, issuing a public key, secret key generation and certificate using an elliptic curve password based on information provided from the card issuer or the card user, and hashing the credit information input from the card user. Using the fan (PAN) is separated and stored and the card user and the authentication server to provide a certificate respectively.

Hereinafter, the authentication method of the present invention will be described in detail.

(1) User Registration based on Elliptic Curve Cryptography (ECC)

In order to use 3-D Secure, which is provided as an item "Visa Safe Payment Service" in the Internet shopping mall, the card user first applies for a 3-D Secure user registration with the card issuer.

Here, the registration requirements of 3-D Secure are: PAN, PAM, card password, card expiration date, username, question (question to confirm user if password is lost), answer (question to verify user) Answer), the item specified by the card issuer. Mobile 3-D Secure registration can be registered in both wired and wireless, and a security program applied for wired data transmission is used.

3 shows an implementation screen. The language used was Java (J2SDK 1.4.0), the registration server used Windows 2000 Server and Explorer, and the elliptic curve password ( ECC) encrypted and transmitted by public key.

(2) Issuance of Certificate based on Elliptic Curve Cryptography (ECC)

There are two methods for issuing a certificate: a method of directly issuing a certificate by a mobile terminal user and receiving a certificate from a certification authority.

The efficient method of using a certificate is to provide a user from a trusted third-party authentication server after thorough identification to the user who wants wireless payment, and then use the certificate and electronic payment stored in the card user's terminal for payment. It is.

(3) Elliptic Curve Cryptography (ECC) based Credit Information Management

Figure 4 is a schematic diagram for explaining the separate storage of the PAN in the present invention.

In the existing authentication server, all credit information input from the card user is stored in the ACS when 3-D Secure is registered. However, if a separate fan storage method using the HASH function is used, authentication of the credit card user is managed. Even if credit information is leaked to the server, it can prevent fraudulent card use.

The key to 3-D Secure is that it uses a PAN to verify the identity of the cardholder before making a payment. In other words, the PAN must be protected because it is the most important key to payment.

1) User Registration Process

The PAN isolation storage method of the ACS proposed in the present invention is as follows.

(1) The authentication server that receives the credit information of PAN and INFO (PAM, card password, user name, and card expiration date) makes the credit information file into output value of a certain length by using HASH algorithm, and then completes PAN from the authentication server. Delete it.

(2) Only the INFO and HASH output values are stored in the ACS.

2) Payment process

(1) Select the desired item in the shopping mall and proceed with the payment. Enter your credit card number and password to send.

(2) The cardholder receives a message requesting a certificate and a PAN.

(3) The card user inputs a PAN to send a response message.

(4) The authentication server performs the authentication procedure by adding the PAN provided from the card user and the information stored in the authentication server to obtain the output value by the HASH algorithm and then comparing it with the stored HASH output value.

(5) If there is nothing wrong with the verification, proceed with payment.

(6) When payment is completed, the authentication server deletes the PAN input from the card user again.

The authentication method using the mobile integrated safety authentication protocol performed as described above is the elliptic curve cryptography (ECC) -based electronic payment protocol provides a convenient and secure payment environment for users who make payment first and foremost on the wireless Internet, in particular wireless In the environment, elliptic curve cryptography (ECC) minimizes the resources of the mobile terminal, thereby increasing security and convenience, which is the most important part of payment.

On the other hand, the present invention is not limited to the described embodiments, it is apparent to those skilled in the art that various modifications and variations can be made without departing from the spirit and scope of the present invention. Therefore, such modifications or variations will have to belong to the claims of the present invention.

The authentication method using the mobile integrated safety authentication protocol configured and operated as described above, has enhanced data transmission security using an elliptic curve cryptography (ECC) algorithm in the process of 3-D Secure user registration, wireless section using certificate issuance The user authentication process can be operated easily and efficiently. Also, by using elliptic curve password and HASH function, PAN separate storage method can be used to prepare for the leakage of credit information from the authentication server. Provide a useful effect.

Claims (1)

In the authentication method using the mobile integrated safety authentication protocol, In order for cardholders to use integrated security authentication with the card issuer, the cardholder (PAN), PAM, card password, card expiration date, user name, question (question to confirm user in case of lost password), answer (user verification) Requesting user registration by providing user information); Issuing a public key, a secret key, and issuing a certificate using an elliptic curve password based on information provided from a card issuer or a card user; Separating and storing the credit information input from the card user using a HASH function and providing a certificate to the card user and the authentication server, respectively; Authentication method using a mobile integrated safety authentication protocol comprising a.

Images