KR20100061632A - Device for providing internet banking using high-speed wireless internet - Google Patents

Abstract

PURPOSE: An internet banking providing device using a high speed wireless internet network is provided to change a subscriber profile and service flow information, thereby enabling a terminal to access to an internet banking server. CONSTITUTION: An internet banking server(400) comprises the following units. A customer authentication unit(430) is connected to a web page operating unit(415) through a UI processing unit(410) based on customer authentication information of internet banking information. The customer authentication unit provides a customer authentication interface screen to at least one terminal device(145). The customer authentication unit receives at least one customer authentication information based on the customer authentication interface screen.

Description

Device for providing Internet banking using high speed wireless internet network {Device for providing Internet Banking using High-speed Wireless Internet}

The present invention provides a storage medium for maintaining a subscriber profile and service flow information to be allocated to a terminal device connected to a high speed wireless internet network, and a subscriber profile and service for the terminal device when the terminal device accesses a high speed wireless internet network. A high speed radio having means for configuring and assigning the flow information to the terminal device and changing the subscriber profile and the service flow information so that the terminal device accesses the internet banking server when the terminal device is requested to access the internet banking server. The present invention relates to an internet banking providing apparatus using an internet network.

With the development of information and communication technology, conventional window-oriented financial transactions have been commercialized in various non-face-to-face channels such as internet banking, telebanking and wireless banking. Among them, telebanking and wireless banking can be used regardless of time and place. Providing. In particular, Internet banking is limited in some time and place, but can handle all kinds of financial transactions that can be provided through non-face-to-face channels among almost all kinds of financial transactions provided through conventional windows.

However, in the case of the telebanking and wireless banking, there is a problem of providing only credit related tasks such as account inquiry, bank transfer, and utility bill payment among various types of financial transactions provided through the non-face-to-face channel due to the narrow interface. .

An object of the present invention is a storage medium for maintaining a subscriber profile and service flow information to be allocated to a terminal device connected to a high speed wireless internet network, and a subscriber profile for the terminal device when the terminal device accesses a high speed wireless internet network. And means for configuring service flow information and assigning the service flow information to the terminal device and changing the subscriber profile and the service flow information so that the terminal device accesses the internet banking server when the terminal device is requested to access the internet banking server. An object of the present invention is to provide an internet banking providing apparatus using a high speed wireless internet network.

In accordance with another aspect of the present invention, an apparatus for providing an internet banking using a high speed wireless internet network includes a storage medium for maintaining a subscriber profile and service flow information to be allocated to a terminal device connected to the high speed wireless internet network, and the terminal device connected to the high speed wireless internet network. When connected, the subscriber profile and service flow information for the terminal device are configured and assigned to the terminal device. When the terminal device is requested to access the Internet banking server, the terminal device connects to the Internet banking server. And means for changing the profile and the service flow information.

According to the present invention, the subscriber profile may include a context ID uniquely identifying the terminal device, IP address information of the terminal device, a message authentication code (MAC) address of the terminal device, and the terminal. The number of flows to be serviced by the device, the current service state of the terminal device, the number of service classes provided to the terminal device, the service class name, the subscriber name, the address type serviced by the terminal device, and the terminal device Characterized in that it comprises at least one cell (Cell) ID.

According to the present invention, the service flow information may include a context ID uniquely identifying the terminal device, a flow ID uniquely distinguishing a service flow assigned to the terminal device, a service class name, and a quality of service (QoS). And at least one of a form, a maximum sustained traffic rate, a maximum traffic burst, a minimum reserved traffic rate, a flow schedule type, and allowable jitter.

According to an embodiment of the present invention, when the Internet banking server access request is made from the terminal device, the device changes the service grade or the number of flows of the subscriber profile to the class (or number) negotiated with the internet banking server, and the service flow. The flow ID of the information is changed to an ID corresponding to the Internet banking service.

According to the present invention, various types of financial transactions that can be provided through non-face-to-face channels such as conventional internet banking are securely processed while maintaining high security through various types of terminal devices that can access IEEE 802.16x-based high-speed wireless Internet. This has the advantage.

1 is a diagram illustrating a network system configuration for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.
2 is a diagram illustrating subscriber information generated and managed in a PAR for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.
3A and 3B are diagrams illustrating a communication path between a terminal device for high-speed wireless Internet-based internet banking and an internet banking server according to an embodiment of the present invention.
4 is a diagram illustrating a configuration of an internet banking system according to an embodiment of the present invention.
5A and 5B are diagrams illustrating a security function of a customer authentication unit and a banking processor for high-speed wireless Internet-based Internet banking according to an exemplary embodiment of the present invention.
6 is a diagram illustrating a terminal device function configuration for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.
7 is a diagram illustrating a preferred structure of a wireless processing unit of a terminal device according to an embodiment of the present invention.
8 is a diagram illustrating a security module configuration for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.
9 is a view showing a certificate profile of a public certificate provided in a terminal device for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating a high-speed wireless Internet access and an Internet banking server communication process of a terminal device for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.
FIG. 11 is a diagram illustrating a process of accessing an internet banking server and authenticating a customer for high speed wireless Internet-based internet banking in a terminal device according to an exemplary embodiment of the present invention.
12A and 12B illustrate a method of transmitting the customer authentication data from the terminal device to the Internet banking server through a symmetric key (or secret key) based security function according to an embodiment of the present invention.
13A and 13B illustrate a method of transmitting the customer authentication data from a terminal device to an Internet banking server through a public key based security function according to an embodiment of the present invention.
14A and 14B illustrate a method of transmitting the customer authentication data from the terminal device to the Internet banking server through an electronic envelope-based security function according to an embodiment of the present invention.
15A, 15B, 15C, and 15D illustrate a method of transmitting the customer authentication data from the terminal device to the Internet banking server through a key exchange security function according to an embodiment of the present invention.
FIG. 16 is a diagram illustrating a process of connecting to an internet banking server and authenticating a customer for high speed wireless Internet-based internet banking in a terminal device according to another exemplary embodiment of the present invention.
17A, 17B, and 17C are diagrams illustrating an exemplary method of dually signing customer authentication data at a terminal device and transmitting the customer authentication data to an Internet banking server through a traffic relay device (or server) according to an embodiment of the present invention. .
18 is a diagram illustrating a web page providing process of an internet banking server for high-speed wireless Internet-based internet banking according to an embodiment of the present invention.
19 is a diagram illustrating a web page receiving process of a terminal device for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.
20 is a diagram illustrating a method of encrypting and transmitting internet banking information by a symmetric key (or secret key) method in an internet banking server according to an embodiment of the present invention.
FIG. 21 is a diagram illustrating a method of decrypting received Internet banking information encrypted by a terminal device by a symmetric key (or secret key) method according to an embodiment of the present invention.
22 is a diagram illustrating a method for encrypting and transmitting internet banking information in a public key infrastructure structure in an internet banking server according to an embodiment of the present invention.
FIG. 23 is a diagram illustrating a method of decrypting an Internet banking information encrypted and received by a terminal device using a public key infrastructure according to an embodiment of the present invention.
24 is a diagram illustrating a method of encrypting and transmitting internet banking information by an electronic envelope method in an internet banking server according to an embodiment of the present invention.
FIG. 25 is a diagram illustrating a method of decrypting, by an electronic envelope, Internet banking information received after being encrypted at a terminal device according to an embodiment of the present invention.
FIG. 26 is a diagram illustrating a method of encrypting and transmitting internet banking information by a key exchange method in an internet banking server according to an embodiment of the present invention.
27A and 27B are diagrams illustrating a method of decrypting encrypted Internet banking information received by a terminal device by a key exchange method according to an embodiment of the present invention.
FIG. 28 is a diagram illustrating a process of transmitting Internet banking related information to an internet banking server from a terminal device for high speed wireless Internet based internet banking according to an embodiment of the present invention.
FIG. 29 is a diagram illustrating a process of receiving Internet banking related information from a terminal device in an Internet banking server for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.
30 is a diagram illustrating a method of digitally signing information related to Internet banking transmitted from an terminal device to an Internet banking server according to an embodiment of the present invention.
FIG. 31 is a diagram illustrating a method of confirming an electronic signature of Internet banking related information from a terminal device in an Internet banking server according to an embodiment of the present invention.
32 is a diagram illustrating a method for encrypting and transmitting internet banking related information by a symmetric key (or secret key) method in a terminal device according to an embodiment of the present invention.
FIG. 33 is a diagram illustrating a method of decrypting Internet banking related information encrypted and received by an internet banking server using a symmetric key (or secret key) method according to an embodiment of the present invention.
FIG. 34 is a diagram for a method of encrypting and transmitting Internet banking related information in a public key infrastructure in a terminal device according to an embodiment of the present invention.
35 is a diagram illustrating a method of decrypting Internet banking related information encrypted and received by an Internet banking server according to an embodiment of the present invention using a public key infrastructure.
36 is a diagram illustrating a method of encrypting and transmitting internet banking related information in an electronic envelope method in a terminal device according to an embodiment of the present invention.
FIG. 37 is a diagram illustrating a method of decrypting, by an electronic envelope, Internet banking related information that is encrypted and received by an Internet banking server according to an embodiment of the present invention.
38A and 38B illustrate a method of encrypting and transmitting Internet banking related information in a key exchange method in a terminal device according to an embodiment of the present invention.

Hereinafter, with reference to the accompanying drawings and description will be described in detail the operating principle of the preferred embodiment of the present invention. However, the drawings and the following description shown below are for the preferred method among various methods for effectively explaining the features of the present invention, the present invention is not limited only to the drawings and description below. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. Terms to be described later are terms defined in consideration of functions in the present invention, which may vary according to intentions or customs of users or operators. Therefore, the definition should be based on the contents throughout the present title.

It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to provide further explanation of the invention as claimed. The configuration is omitted as much as possible, and a functional configuration that should be additionally provided for the present invention is mainly described. Those skilled in the art will readily understand the functions of components that have been used in the prior art among the functional configurations that are not shown in the following description, The relationship between the elements and the components added for the present invention will also be clearly understood.

In addition, the following examples will be used to appropriately modify the terms so that those skilled in the art to clearly understand the technical features of the present invention to effectively understand, but the present invention It is by no means limited.

As a result, the technical spirit of the present invention is determined by the claims, and the following examples are one means for efficiently explaining the technical spirit of the present invention to those skilled in the art to which the present invention pertains. It is only.

1 is a diagram showing the configuration of a network system for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

In more detail, Figure 1 is a 2.3 GHz high-speed wireless Internet network based on HPi (High-Speed Portable Internet) providing a wireless access technology including mobility of more than 60 km / h and a transmission rate of 1 Mbps.

The high-speed wireless Internet system of the 2.3 GHz frequency band is a cellular network configuration using an Orthogonal Frequency Division Multiple Access (OFDMA) / Time Division Duplex (TDD) scheme and a network configuration of IP-based wireless data services. It can effectively adapt to the downlink asymmetric transmission characteristics, support handoff to ensure cell-to-cell mobility without interruption of service, dynamically or statically assign IP to portable terminals, and more efficiently access unauthorized system access. It prevents authentication and guarantees quality of service against delay and packet loss for high speed transmission of various types of IP-based packet data such as streaming video, FTP, mail, chat, etc. It is made, including.

Referring to FIG. 1, the high-speed wireless Internet system includes at least one terminal device 145 (eg, an access terminal (AT) or a portable subscriber station (PSS) having a function of processing a communication protocol stack defined in the high-speed wireless internet). ), A base station 140 (eg, an access point (AP) or a radio access station (RAS)), a packet access router 135, and at least one or more PARs 135 to connect. Characterized in that it consists of a carrier network 100, the operator network 100 is also the home agent (HA) (125) for the mobility of the IP to the terminal device 145, the user authentication and billing It further comprises an AAA (Authentication, Authorization and Accounting) server 110, a management server (Network Management System) 130 and the FA (Foreign Agent) 115 to interwork with an external wireless network.

Referring to FIG. 1 according to a preferred embodiment of the present invention, the high-speed wireless Internet system is a DHCP (Dynamic Host Configuration Protocol) server 105 for allocating and registering a MIP to the terminal device 145 accessing the high-speed wireless Internet. ) And DNS 120, and at least one or more components may be added according to the intention of the service provider and / or the type of additional service.

The terminal device 145 is an endpoint of a wireless channel in the high-speed wireless Internet system, and communicates with the base station 140 in an OFDMA manner, and transmits and receives a wireless channel, a MAC processing function, a handover function, a user authentication and encryption function, Performs radio link control management.

The base station 140 performs a wired / wireless channel conversion function to transfer information (or data) received from the terminal device 145 to the PAR 135 or, conversely, various information (or data) received from the PAR 135. Converts them into OFDMA-based radio signals and transmits them to the terminal device 145, and also provides packet retransmission for error-free packet transmission and reception, packet scheduling for efficient operation of radio resources, and a radio bandwidth allocation function. It performs connection control, handover control and PAR access functions related to ranging, packet call connection establishment, maintenance, and release.

The PAR 135 is connected to and manages a plurality of base stations 140, and performs a handover control function to ensure high-speed mobility in the PAR 135. To this end, the base station 140 and the PAR 135 is connected based on the IP protocol, and is preferably configured based on a Gigabit Ethernet switch for high-speed packet transmission.

In addition, the high-speed wireless Internet system is a Uh interface between the terminal device 145 and the base station 140, Ah interface between the base station 140 and the PAR 135, PAR 135 and PAR to provide high-speed wireless communication The Ph interface is provided between the 135 and the PAR 135 and the Ih interface is provided between the AAA 110 and the HA 125 of the operator network 100.

The Uh interface provided between the terminal device 145 and the base station 140 conforms to HPi's Physical Layer (PHY) and Media Access Control (MAC) standards, and the physical layer and MAC standards are LOS. (Line Of Sight) is based on the 2.3GHz band having a non-guaranteed multipath channel environment, and provides mobility based on the wireless access standard of the IEEE 802.16 series.

According to an embodiment of the present invention, the physical layer standard of the Uh interface includes all items corresponding to OFDMA in the IEEE802.16 standard, and the changed parts of the IEEE 802.16 standard are OFDMA subcarriers for frame structure, uplink and downlink. Allocation method and channel encoding method.

Additional additions include Transmit / Receive Transition Gap (TGT), Receive / Transmit Transition Gap (RTG), and RF parameters to accommodate a maximum radius of 1km. In addition, the MAC standard is optimized for the OFDMA PHY. The ranging and bandwidth request procedures are modified to fit the OFDMA PHY, and a handover function for mobility support is added.

In addition, a sleep mode function for reducing power consumption of the terminal and a mechanism for checking a communication interruption state and recovering resources allocated in case of a disconnection have been added.

The Ah interface between the base station 140 and the PAR 135 uses an Access Network Application Part (ANAP) protocol that defines control messages for smooth communication between the base station 140 and the PAR 135. The Ph interface between the 135 and the PAR 135 uses a PAR-PAR Application Part (PPAP) protocol that defines control messages for smooth communication between the PAR 135.

The standard for the Ih interface between the PAR 135 and the AAA 110 is based on the IETF Diameter Base protocol, and also refers to the IETF Diameter MIP Application and the IETF Diameter Extensible Authentication Protocol (EAP). . In addition, the standard for the Ih interface between the PAR and the HA is based on MIP (Mobile IP) of IETF RFC 3344, and MIP NAI (Network Access Identification) extension, MIP Challenge / Response extension, AAA Registration Key Extension, MIP extension for AAA NAI and MIP extension for reverse tunneling are added and used.

Referring to FIG. 1, the terminal device 145 communicates with an Internet banking server on the Internet through a network component including the base station 140, the PAR 135, and the operator network 100. The wireless section between the terminal device 145 and the base station 140 is applied to the IEEE 802.16x based communication protocol, and the wired section between the Internet banking server in the operator network 100 is TCP / IP (Transmission). It is preferable to apply a communication protocol based on Control Protocol / Internet Protocol.

2 is a diagram illustrating subscriber information generated and managed in the PAR 135 for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

In more detail, FIG. 2 illustrates at least one radio according to a quality of service (QoS) and / or a traffic rate for providing a high speed wireless internet-based internet banking service to at least one terminal device 145 accessing the high speed wireless internet. It illustrates a preferred implementation method for the desired subscriber information stored and managed in the PAR 135, including a policy for providing a communication service.

Referring to FIG. 2, the subscriber information includes predetermined subscriber profile information and at least one service flow information. When the terminal device 145 accesses the high-speed wireless Internet, the AAA server 110 may be used. The service flow information is generated by the PAR 135 when the terminal device 145 requests a service through the high-speed wireless Internet.

The subscriber profile item includes a context ID which is a unique identifier between the base station 140 and the PAR 135, IP address information indicating an internet address of the terminal 145, and hardware recognition of the terminal 145. A Message Authentication Code (MAC) address, which is an address, the number of flows serviced by the terminal device 145, the current service state of the terminal device 145, and the service level provided to the terminal device 145. The number, service class name, subscriber name, address type serviced by the terminal apparatus 145, and a cell ID of a location where the terminal apparatus 145 is located are preferably included. Information necessary for providing at least one service to a predetermined terminal device 145, wherein the service flow item is a unique identifier between the base station 140 and the PAR 135 It is desirable to include a text ID, a flow ID that uniquely distinguishes a service flow, a service class name, a quality of service (QoS) form, a maximum sustained traffic rate, a maximum traffic burst, a minimum reserved traffic rate, a flow schedule type, and allowable jitter. Do.

According to an embodiment of the present invention, the subscriber profile information is transmitted to the subscriber (or terminal device 145) accessing the high speed wireless Internet from the AAA server 110 when the terminal device 145 accesses the high speed wireless internet. After the authentication is completed, the AAA server 110 is preferably provided to the PAR 135, and then to the PAR 135 until the service for the subscriber (or terminal device 145) is released. It is desirable to be managed. In addition, when the terminal device 145 requests a predetermined service through the high-speed wireless Internet, the terminal device 145 generates the service request information based on the service request information, session information and / or connection information, and when a new service is requested. It is generated and managed for each time, thereby providing at least one or more services to the terminal device 145. When the service for the subscriber (or terminal device 145) is released and the subscriber profile information is deleted from the PAR 135, the service flow information associated with the subscriber profile information is also deleted.

3A and 3B illustrate a communication path between a terminal device 145 and an internet banking server for high-speed wireless Internet-based internet banking according to an embodiment of the present invention.

3A and 3B illustrate a preferred method for a communication path between a terminal device 145 and an internet banking server for internet banking based on the high-speed wireless Internet system shown in FIG. Specifically, Figure 3a illustrates a communication path via a predetermined traffic relay device (or server) provided in the operator network of the high-speed wireless Internet system, Figure 3b is a predetermined network provided in the operator network of the high-speed wireless Internet system It illustrates an example of a communication path not passing through the traffic relay apparatus (or server). Those skilled in the art to which the present invention pertains may refer to the communication paths illustrated in FIGS. 3A and 3B to perform the high-speed wireless Internet-based Internet banking without departing from the essential technical matters of the present invention. Various implementation methods for the communication path between the terminal device 145 and the Internet banking server may be easily inferred, and the present invention is not limited thereto.

Referring to FIG. 3A illustrating a communication path via a predetermined traffic relay device (or server) included in a provider network of the high-speed wireless Internet system, the terminal device 145 may include a predetermined base station 140 and a PAR ( 135 and a communication path connected to the Internet banking server through a traffic relay device (or server) provided on the service provider network, wherein the communication path is connected to at least one router in the course of passing through the service provider network. It is preferred to pass through the gateway. Accordingly, the high-speed wireless Internet-based Internet banking data transmitted from the terminal device 145 is transmitted to the Internet banking server through the base station 140, the PAR 135, and a traffic relay device (or server). High-speed wireless Internet-based Internet banking-related information transmitted from the Internet banking server is preferably received by the terminal device 145 through the traffic relay device (or server), the PAR 135 and the base station 140.

According to an embodiment of the present invention, the data transmitted and received between the terminal device 145 and the Internet banking server for the high-speed wireless Internet-based Internet banking should include a high degree of security. It is preferable to pass through a predetermined traffic relay device (or server) that processes data transmission and reception that requires a high degree of security on the high-speed wireless Internet, the traffic relay device (or server) is a terminal authentication on the high-speed wireless Internet And / or include and be provided with an AAA server for performing user authentication and / or charging, and / or a firewall server (not shown), and / or an HA server and / or NMS for managing and maintaining the high speed wireless Internet, and And / or data defined for transmission and reception via the high-speed wireless Internet to maintain high security. Is preferably implemented on a server (not shown).

Referring to FIG. 3B, which illustrates a communication path not via a predetermined traffic relay device (or server) provided in an operator network of the high-speed wireless Internet system, the terminal device 145 may include a predetermined base station 140 and a PAR. It is shown as connecting a communication path with the Internet banking server through the 135, the communication path is preferably via at least one router and / or gateway in the course of passing through the operator network.

As a result, the high-speed wireless Internet-based Internet banking data transmitted from the terminal device 145 is transmitted to the Internet banking server through the base station 140 and the PAR 135, and is transmitted from the Internet banking server. Internet-based Internet banking-related information is preferably received by the terminal device 145 through the PAR 135 and the base station 140.

According to an exemplary embodiment of the present invention, the high-speed wireless Internet system (or the high-speed wireless Internet system to provide high security for data transmitted and received between the terminal device 145 and the Internet banking server in the communication path as shown in FIG. At least one server (or device) provided on the high-speed wireless Internet periodically monitors at least one or more network components (eg, routers) constituting the communication path, thereby allowing the terminal device 145 and the Internet banking server. It is desirable to maintain a high degree of security for the communication path connecting the.

According to another exemplary embodiment of the present invention, in the communication path as shown in FIG. 3b, the communication path is provided only by a predetermined end-to-end security system provided between the terminal device 145 and the internet banking server. If high security is provided for the high-speed wireless Internet system (or at least one server (or device) provided on the high-speed wireless Internet) periodically at least one network component constituting the communication path The monitoring function may be omitted, and the present invention is not limited thereby.

According to the present invention, the Internet banking server connecting the terminal device 145 on the high-speed wireless Internet and the communication path as shown in Figs. 3a and / or 3b is connected to a predetermined network provided in the operator network of the high-speed wireless Internet. Device (e.g., a router connecting the operator's network with an external network (or server or device)) and the Internet and / or a dedicated line based on Transmission Control Protocol / Internet Protocol (TCP / IP). The present invention is not limited.

4 is a block diagram of an internet banking system according to an embodiment of the present invention.

In more detail, FIG. 4 illustrates a predetermined Internet banking in which a terminal device 145 connected through a high-speed wireless Internet, a predetermined operator network, and a communication channel for internet banking are connected through a dedicated line connected to the operator network and / or the Internet. An embodiment of the Internet banking system for processing at least one or more financial transactions requested from the terminal device 145 in conjunction with a predetermined financial system 460 in the server 400, the Internet banking system is the high-speed wireless Internet At least one terminal device 145 connected to and having a predetermined web browser for Internet banking, and an Internet banking server 400 for providing an Internet banking service to the at least one terminal device 145, The internet banking server 400 through the predetermined interface means 455. To provide a net banking and financial system is linked (460) to process the necessary financial services.

Those skilled in the art to which the present invention pertains can easily guess components omitted for convenience because they do not include the core technical matters of the present invention in the Internet banking system shown in FIG. The present invention is not limited to the omitted elements.

The terminal device 145 is connected to the high speed wireless internet, and communicates with the internet banking server 400 for internet banking through a predetermined leased line and / or the internet with the high speed wireless internet and the operator network. And a channel, and the terminal device 145 includes at least one web browser for accessing the internet banking server 400 through the communication channel to receive a browsing-based web service. It is done.

The financial system 460 is a computerized system provided to a predetermined financial institution to open at least one financial account to at least one or more customers and to process a financial transaction based on the financial account. An accounting system 462 for processing window services such as credit or receiving or trust or foreign exchange, an information system 463 for processing the headquarters business, branch office information support, and customer information management; Provides a variety of electronic financial services (e.g., internet banking, phone banking, Cash Dispenser) / ATM (Automatic Teller Machine), other exchanges, call centers, financial settlements, etc. An external interface 461, and an interface corresponding to a middleware platform that provides interfacing between components in the financial system. At least to store and manage the network module 465 and predetermined information (eg, ledger information, and / or customer information, and / or management information, etc.) required for each function in the components of the financial system. It includes a database management system (DBMS) 464 that includes one or more databases, the intention of those skilled in the art and / or the type of each financial institution (eg, commercial banks, savings banks, trust banks) and the purpose of the financial system. And according to the features, it is possible to further include at least one or more components, such as foreign exchange module (not shown), investment finance module (not shown), international module (not shown), in the technical field to which the present invention belongs Those skilled in the art will understand the technical details of the financial system 460 clearly, and thus the detailed description thereof will be omitted for convenience. The present invention is not limited by this.

According to the method of the present invention, the internet banking server 400 interworks with the financial system 460 through the external system 461, and for this purpose, a predetermined interface means 455 is provided to the external system 461. It is preferable to include a component for interworking with the Internet banking server 400 through.

In addition, the Internet banking server 400 may include a client terminal and at least one or more desktop computers and / or notebooks through a predetermined network means 470 including TCP / IP-based Internet. It is desirable to be able to connect a communication channel for banking, whereby the present invention is not limited.

The Internet banking server 400 is a database for storing web operation data including at least one web page source and / or digital content for providing a predetermined web service to at least one terminal device 145, and / or It is provided with a DBMS 420 including a database for storing the Internet banking information required to provide a predetermined Internet banking service in conjunction with the financial system 460, or the DBMS 420 is provided according to the implementation method It is characterized in that the interworking with the data server, thereby providing a predetermined Internet banking service to at least one or more of the terminal device (145).

According to an embodiment of the present invention, the Internet banking information may be configured to authenticate a customer corresponding to the terminal device 145 when at least one terminal device 145 accesses and logs in to the Internet banking server 400, and / Or when the customer authenticates the financial transaction customer during at least one financial transaction through the internet banking server 400, and / or when the customer subscribes to the internet banking server 400 for at least one financial product. Customer authentication information for authenticating a customer to subscribe to, and when a financial transaction request is made from the customer through the terminal device 145, interworking with the financial system 460 to process a financial transaction corresponding to the financial transaction request. It is preferable to include banking element information for, at least one or more necessary for Internet banking according to the intention of the skilled person Boy be further included. However, this Figure 4, it will be omitted for convenience.

Referring to FIG. 4, the Internet banking server 400 connects and manages a Hyper-Text Transfer Protocol (HTTP) -based communication channel for providing a predetermined Internet banking service to at least one or more terminal devices 145. A web page operating unit 415 for operating a web page to be provided to at least one or more of the terminal apparatuses 145 in conjunction with an interface unit 405, the web interface unit 405, and the DBMS 420; A UI processing unit 410 for generating a user interface (UI) screen for providing a predetermined Internet banking service to at least one terminal device 145 in cooperation with the webpage operation unit 415, and the UI processing unit In operation 410, the predetermined content for providing the Internet banking service is extracted from the DBMS 420, or the predetermined content to be stored in the DBMS 420 is received from the terminal device 145. And a content management unit 425, and a communication channel and a user interface for processing internet banking based on HTTP between the terminal device 145 and the internet banking server 400 by the functional configuration. Is implemented.

In addition, the Internet banking server 400 authenticates the customer with at least one terminal device 145 in cooperation with the webpage operation unit 415 through the UI processing unit 410 based on the customer authentication information of the Internet banking information. It is characterized in that it comprises a customer authentication unit 430 to provide an interface screen, or at least one or more customer authentication information based on the interface screen.

In addition, the Internet banking server 400 interoperates with the webpage operation unit 415 through the UI processing unit 410 based on the banking element information of the internet banking information to at least one terminal device 145 for internet banking. Providing a related information providing screen and / or an internet banking related interface screen, receiving at least one or more internet banking related information based on the interface screen, and performing a predetermined internet banking procedure corresponding to the internet banking related information. It is characterized by comprising a processing unit 435.

In addition, the Internet banking server 400 is provided with a ledger processing unit 440 for performing a ledger processing procedure corresponding to the financial transaction requested by the customer in conjunction with the financial system 460 through a predetermined interface means 455. The ledger processing unit 440 may be connected to the external system 461 of the financial system 460 through the interface unit 455.

The customer authentication information stored in the DBMS 420 may include ID / PW information and personal information (eg, name, resident registration number, address, contact information, etc.) of a customer accessing the Internet banking server 400 through the terminal device 145. It is preferable to include the member information including at least one, wherein the customer authentication unit 430 is linked to the UI processing unit 410 to the terminal device 145 to the ID / PW information of the customer Request, receive the ID / PW information from the terminal device 145, and compare the received ID / PW information with ID / PW information included in the member information to authenticate the customer. .

According to an embodiment of the present invention, the ID / PW information may be provided to the Internet banking server 400 according to a conventional ID / PW transmission / reception procedure, but the ID / PW information may be provided to provide a more advanced security function. The terminal device 145 is encrypted using at least one or more of a symmetric key (or secret key) encryption method, and / or public key encryption method, and / or electronic envelope encryption method, and / or key exchange encryption method Preferably, the customer authentication unit 430 further includes a function configuration for decrypting the ID / PW information.

In addition, the customer authentication information stored in the DBMS 420 may be a certification authority information (eg, KFTC) and authentication server information, and / or the issuing a predetermined official certificate to a customer connected through the terminal device 145. Accredited certificate registrar information (e.g., when the accredited certificate is registered through the process, the process information, when the accredited certificate is registered through the process, etc.), and / or certificate information issued to the customer by the certification body. It is preferable that the further comprises, wherein the customer authentication unit 430 requests the authentication certificate-based customer authentication through the authentication certificate registered by the registration authority to the authentication server of the certification authority, the customer from the authentication server By receiving an authentication result, the customer is characterized in that the authentication.

According to the embodiment of the present invention, the customer authentication unit 430 provides the communication session information and the certificate information connected to the terminal device 145 to the authentication server of the certification authority, the authentication server is the communication session information After performing a customer authentication procedure corresponding to the certificate information to the terminal device 145 on the basis, it is preferable to provide the result to the customer authentication unit 430.

In addition, the customer authentication information stored in the DBMS 420 is made, including a copy of the authentication certificate of the customer accessing the Internet banking server 400 through the terminal device 145, and / or predetermined to the customer It is preferable to include the directory connection information of the certification authority that issued the certificate, the client authentication unit 430 in conjunction with the authentication server of the certification authority that issued a predetermined certificate to the customer the terminal device Requesting the certificate-based customer information from the terminal 145, receiving the certificate-based customer information from the terminal device 145, and authenticating the certificate-based customer information through a copy of the certificate and / or a directory of a certification authority, Characterize the customer.

According to an exemplary embodiment of the present invention, the certificate-based customer information may be a predetermined random number generated by the customer authentication unit 430 or a predetermined random number generated by the terminal device 145. The terminal device 145 uses at least one of a symmetric key (or secret key) encryption method, a public key encryption method, and / or an electronic envelope encryption method, and / or a key exchange encryption method for the random number. Encrypted through the above encryption method and provided to the customer authentication unit 430 (for example, when the random number is generated in the terminal device 145 further includes a random number in the form of a plain text), the customer authentication unit 430 Decrypts the encrypted random number based on the copy of the customer's accredited certificate and / or the certificate information of the customer extracted from the directory, compares each other, and / or the evaluation By intercomparison encrypts the form of a random number (e.g., a random number, and / or a random number generated by the terminal apparatus 145 is generated in the client certification unit 430), it is desirable to authenticate the customer.

According to another exemplary embodiment of the present invention, the certificate-based customer information is stored in the terminal device 145 previously stored information (eg, stored in the storage device of the terminal device 145 in the Internet banking server 400). Information, and / or information (or system information) previously stored in the terminal device 145, and / or storage read out from an IC card (and / or IC chip) interworking with the terminal device 145. Information (eg, IC card (and / or IC chip) serial number, and / or information stored in the IC card (and / or IC chip) memory by the IC card (and / or IC chip) issuer) In this case, the terminal device 145 is a symmetric key (or secret key) encryption method, and / or public key encryption method, and / or electronic envelope encryption method, and / or key exchange for the stored information through the certificate Encrypt with at least one of the encryption methods By providing to the customer authentication unit 430, the customer authentication unit 430 decrypts the encrypted stored information based on the copy of the customer's official certificate and / or the certificate information of the customer extracted from the directory By comparison, it is desirable to authenticate the customer.

According to another exemplary embodiment of the present invention, the certificate-based customer information may include input information (eg, a key input device provided in the terminal device 145) input through an input means provided in the terminal device 145. Information input through an input device (eg, a short-range communication device) other than a key input device provided in the terminal device 145, and in this case, the terminal device 145. The at least one encryption method of the symmetric key (or secret key) encryption method, and / or public key encryption method, and / or electronic envelope encryption method, and / or key exchange encryption method for the input information through the public certificate; Encrypt through the customer authentication unit 430, and the customer authentication unit 430, the certificate of the customer extracted from the copy and / or the directory of the certificate of the customer certificate of the customer By intercomparison decrypts the encrypted information input by half, it is desirable to authenticate the customer.

According to an embodiment of the present invention, in order to perform the above-described authentication certificate-based customer authentication procedure, the customer authentication unit 430 is encrypted and transmitted based on a predetermined certificate from the terminal device 145 ( Or a function configuration (not shown in FIG. 4) for decrypting and authenticating data), and a preferred functional configuration example thereof will be described in detail with reference to FIG.

In addition, the customer authentication information stored in the DBMS 420 is preferably made of OTP generation information for generating an OTP authentication code that matches the OTP code generated through the OTP (One Time Password) authenticator provided to the customer, When the customer authentication unit 430 interoperates with the UI processing unit 410 to request a predetermined OTP code to the terminal device 145, receives the OTP code from the terminal device 145, and generates the OTP Generate a predetermined OTP authentication code based on the information, and by comparing the received OTP code and the generated OTP authentication code, characterized in that for authenticating the customer.

According to an embodiment of the present invention, the OTP code is a symmetric key (or secret key) encryption method, and / or public key encryption method, and / or electronic in the terminal device 145 to provide a more advanced security function It is preferable that the data is encrypted and received through at least one or more of an envelope encryption method and / or a key exchange encryption method. For this purpose, the customer authentication unit 430 further includes a function configuration for decrypting the OTP code. It is preferable to make.

In addition, the customer authentication information stored in the DBMS 420 to the customer authentication unit 430 to perform the customer authentication procedure of accessing the high-speed wireless Internet in conjunction with the AAA server 110 on the high-speed wireless Internet, And at least one or more of network connection information for the customer connected through the high-speed wireless Internet, and / or network configuration information for the terminal device 145 used by the customer. The authentication unit 430 authenticates the customer based on the network access information in connection with the AAA server 110 on the operator network to which the terminal device 145 is connected, and / or based on the network configuration information. Characterize the terminal device 145.

According to an embodiment of the present invention, the network access information for the customer connected via the high speed wireless Internet may include a user account and a password for accessing the high speed wireless Internet through a predetermined terminal device 145. It is preferably made, and / or in association with the user account and password to the member information of the customer registered in the AAA server 110 on the high-speed wireless Internet and the customer authentication information of the Internet banking server 400 Member information included is preferably one-to-one matching.

According to another exemplary embodiment of the present invention, in order to prevent the user account and password included in the network access information from being exposed, the terminal device 145 corresponds to an authentication result of the user account and password from the AAA server. After receiving predetermined network access authentication information (e.g., an authentication code assigned after the network access through the user account and password is approved), the network access information is replaced with the network access authentication information instead of the user account and password. It may be used as.

In this case, one-to-one matching information among the member information of the customer registered in the AAA server 110 on the high-speed wireless Internet and the member information included in the customer authentication information of the Internet banking server 400 is referred to as customer identification information for convenience. .

According to the method of the present invention, the one-to-one matching information of the member information of the customer registered in the AAA server 110 on the high-speed wireless Internet and the member information included in the customer authentication information of the Internet banking server 400, External identification information such as social security number and / or e-mail address information and / or mobile phone number of the customer, or the AAA server 110 and the internet banking server 400 on the high-speed wireless Internet It may include internal identification information such as a unique number (or unique code) assigned to identify, by which the present invention is not limited.

According to an embodiment of the present invention, when the customer authentication information further includes network access information for the customer connected through the high-speed wireless Internet, the customer may access the Internet banking server through a predetermined terminal device 145. After connecting to 400, the terminal device 145 accesses the Internet banking server 400 through the high-speed wireless Internet, and at least defined between the terminal device 145 and the internet banking server 400. In performing one or more customer authentication procedures (eg, ID / PW based customer authentication, authorized certificate based customer authentication, OTP based customer authentication, etc.), a predetermined network from the internet banking server 400 to the terminal device 145 is performed. When the access information is requested, and the network access information is received from the terminal device 145, the fast access to the network access information and predetermined customer identification information confirmed by the customer authentication procedure is performed. By providing to the AAA server 110 on the wireless Internet, the AAA server 110 compares the customer identification information included in the member information associated with the network access information and the personal information provided by the Internet banking server 400 and By authenticating and returning the result to the internet banking server 400, it is preferable to authenticate the customer requesting a financial transaction by accessing the internet banking server 400 through the high-speed wireless Internet.

According to another exemplary embodiment of the present invention, when the customer authentication information further includes network access information for the customer connected through the high-speed wireless Internet, the customer may access the Internet through a predetermined terminal device 145. When connected to the server 400, the terminal device 145 is connected to the Internet banking server 400 through the high-speed wireless Internet to at least defined between the terminal device 145 and the Internet banking server 400 In performing one or more customer authentication procedures (eg, ID / PW based customer authentication, authorized certificate based customer authentication, OTP based customer authentication, etc.), a predetermined network from the internet banking server 400 to the terminal device 145 is performed. When the access information is requested and the network access information is transmitted from the terminal device 145, the AAA server 110 checks the network access information on the high-speed wireless Internet, and accesses the network. When the predetermined customer identification information is extracted from the member information associated with the service information and transmitted to the Internet banking server 400, the customer authentication unit 430 of the Internet banking server 400 may receive information from the AAA server 110. By comparing and authenticating the provided customer identification information with predetermined customer identification information identified by the customer authentication procedure, the client accesses the Internet banking server 400 through the high-speed wireless Internet to authenticate a customer who requests a financial transaction. It is preferable.

According to another embodiment of the present invention, the customer authentication procedure using the network configuration information for the terminal device 145 used by the customer connected through the high-speed wireless Internet is the terminal device 145 and the Internet banking server 400 It may be performed separately from at least one customer authentication procedure defined between), and thereby the present invention is not limited.

According to the embodiment of the present invention, the network configuration information for the terminal device 145 used by the customer connected through the high-speed wireless Internet is the terminal device (145) when the terminal device 145 is connected to the high-speed wireless Internet ( Mobile IP (MIP) information assigned to 145, unique information of the terminal device 145 assigned to the terminal device 145 (for example, an electronic serial number (ESN), or information corresponding to the ESN, the terminal device ( 145), if the SIM (Subscriber Identity Module) card and / or the Universal Subscriber Identity Module (USIM) and the like is mounted at least one or more).

According to an embodiment of the present invention, when the customer authentication information further includes network configuration information about the terminal device 145 used by the customer connected through the high-speed wireless Internet, the customer may select a predetermined terminal device 145. After connecting to the Internet banking server 400 through the terminal, the terminal device 145 is connected to the Internet banking server 400 through the high-speed wireless Internet to the terminal device 145 and the Internet banking server ( In performing the at least one customer authentication procedure (for example, ID / PW based customer authentication, authorized certificate based customer authentication, OTP based customer authentication, etc.) defined between 400, the terminal device in the Internet banking server 400 When the predetermined network configuration information is requested to 145, the terminal device 145 extracts and transmits the requested network configuration information, and the customer authentication unit 430 of the Internet banking server 400 is transmitted. By comparing and authenticating the network configuration information received from the terminal device 145 with the network configuration information confirmed by the customer authentication procedure, the banking server 400 is connected to the Internet banking server 400 through the high-speed wireless Internet to perform a financial transaction. It is preferable to authenticate the terminal device 145 of the requesting customer.

According to another exemplary embodiment of the present invention, when the customer authentication information further includes network configuration information about the terminal device 145 used by the customer connected through the high-speed wireless Internet, the customer may select a predetermined terminal device ( After connecting to the Internet banking server 400 through 145, the terminal device 145 is connected to the Internet banking server 400 through the high-speed wireless Internet, the terminal device 145 and the Internet banking server In performing at least one customer authentication procedure (eg, ID / PW-based customer authentication, authorized certificate-based customer authentication, OTP-based customer authentication, etc.) defined between 400, the terminal in the Internet banking server 400 When the device 145 requests predetermined network configuration information, the terminal device 145 extracts and transmits the requested network configuration information, and the customer authentication unit 430 of the Internet banking server 400. If the network configuration information received from the terminal device 145 and predetermined customer identification information confirmed by the customer authentication procedure are provided to the AAA server 110 on the high-speed wireless Internet, the AAA server 110 provides the information. By comparing and authenticating the network configuration information based on customer identification information, and returning the result to the Internet banking server 400, accessing the Internet banking server 400 through the high-speed wireless Internet to perform a financial transaction It is desirable to authenticate the requesting customer.

According to another exemplary embodiment of the present invention, when the customer authentication information further includes network configuration information about the terminal device 145 used by the customer connected through the high-speed wireless Internet, the customer may select a predetermined terminal device. After connecting to the Internet banking server 400 through the 145, the terminal device 145 is connected to the Internet banking server 400 through the high-speed wireless Internet to the terminal device 145 and the Internet banking In performing at least one customer authentication procedure (eg, ID / PW-based customer authentication, certificate-based customer authentication, OTP-based customer authentication, etc.) defined between the servers 400, the Internet banking server 400 may perform the at least one customer authentication procedure. When the terminal device 145 requests predetermined network configuration information, the terminal device 145 extracts and transmits the requested network configuration information, and the customer authentication unit 43 of the Internet banking server 400. Request network configuration information for the terminal device 145 from the AAA server 110 on the high-speed wireless Internet based on predetermined customer identification information confirmed by the customer authentication procedure in 0), and the terminal device 145 By comparing and authenticating the network configuration information received from the network configuration information received from the AAA server 110, the terminal of the customer requesting a financial transaction by accessing the Internet banking server 400 through the high-speed wireless Internet It is desirable to authenticate the device 145.

According to another embodiment of the present invention, the customer authentication procedure using the network configuration information for the terminal device 145 used by the customer connected through the high-speed wireless Internet is the terminal device 145 and the Internet banking server 400 It may be performed separately from at least one customer authentication procedure defined between), and thereby the present invention is not limited.

The banking processor 435 provides internet banking related information to at least one terminal device 145 in association with the webpage operation unit 415 through a UI processor 410 based on the banking element information of the internet banking information. Providing a screen and / or an interface screen related to Internet banking, receiving at least one or more Internet banking related information based on the interface screen, and performing a predetermined Internet banking procedure corresponding to the Internet banking related information. .

According to an exemplary embodiment of the present invention, the internet banking related information may include financial transaction related information through high speed wireless internet based internet banking, and the Internet banking related information providing screen may be based on the high speed wireless internet. It includes a web page for providing information for financial transactions through internet banking (e.g., a web page for providing financial transaction information such as account inquiry, account transfer, etc.), and the internet banking related interface screen is a high speed wireless Internet-based internet banking. Web page corresponding to the information input (or selection) interface screen for financial transactions through (e.g., a web page including an interface screen for inputting (or selecting) information necessary for account inquiry, information necessary for account transfer) Contains interface screens to enter (or select) Preferably comprises a web page).

According to another exemplary embodiment of the present invention, the Internet banking related information includes at least one or more of insurance product related information and / or loan product related information and / or investment product related information through high-speed wireless Internet-based Internet banking. Preferably, when the Internet banking-related information is insurance product-related information, the Internet banking-related information providing screen is an information providing web page (for example, insurance terms and conditions and insurance) through the high-speed wireless Internet-based Internet banking And / or a web page providing insurance contents, etc., wherein the interface screen related to the Internet banking corresponds to an information input (or selection) interface screen for insurance subscription and operation through high-speed wireless Internet-based Internet banking. Webpages (e.g., And a web page including an interface screen for selecting (or selecting) the screen, and / or when the Internet banking related information is loan product related information, the Internet banking related information providing screen is the high speed wireless Internet. It includes an information providing web page (eg, a web page that provides loan terms and / or loan agreement details) for the loan processing through the base Internet banking, the Internet banking-related interface screen is a high-speed wireless Internet-based Internet banking It is preferable to include a web page (for example, a web page including an interface screen for inputting (or selecting) information necessary for loan processing) corresponding to the information input (or selection) interface screen for loan processing through, And / or the information related to the internet banking information is related to the investment product. In this case, the Internet banking-related information providing screen includes an information providing web page (for example, a web page providing information on investment products and investment conditions) for investment product subscription and operation through the high-speed wireless Internet-based internet banking. The Internet banking related interface screen may include inputting (or selecting) information about an investment product subscription and operation through high-speed wireless Internet-based Internet banking (eg, inputting information necessary for subscription of an investment product). Or a web page including an interface screen for selection).

According to another exemplary embodiment of the present invention, the Internet banking related information may include utility bill related information through high-speed wireless Internet-based Internet banking, and the Internet banking related information providing screen may include the high-speed wireless It includes an information providing web page (eg, a web page for providing at least one electronic bill information) for paying bills through Internet-based Internet banking, the interface screen related to the Internet banking is a high-speed wireless Internet-based Internet banking And a web page corresponding to an information input (or selection) interface screen for payment of a utility bill (eg, a web page including a utility billing information input (or selection) interface for paying a payment amount included in an electronic bill). It is preferable.

In addition, when the banking processing unit 435 receives the Internet banking related information from the terminal device 145, the banking processing unit 435 performs a predetermined Internet banking procedure corresponding to the Internet banking related information with reference to the banking element information. It is done.

When predetermined financial transaction request information is input (or selected) and received from the terminal device 145 according to an embodiment of the present invention, the predetermined financial corresponding to the financial transaction request information with reference to the banking element information is received. The transaction information may be generated (or extracted) and provided to the ledger processing unit 440.

For example, when the financial transaction requested from the terminal device 145 is an account transfer transaction, the banking processor 435 interoperates with the UI processing unit 410 to transmit information to the terminal device 145 (for example, the account transfer). And a predetermined interface screen for inputting (or selecting) withdrawal account number, withdrawal account password, deposit bank information, deposit account number, transfer amount information, security code number, etc., and transfer the account through the interface screen. When information (e.g., withdrawal account number, withdrawal account password, deposit bank information, deposit account number, transfer amount information, security code number, etc.) is inputted (or selected) and received, the withdrawal is referred to with reference to the banking element information. Generates predetermined financial transaction information for withdrawing the transfer amount from the account and depositing it into the deposit account and providing the predetermined amount to the ledger processing unit 440.

According to the exemplary embodiment of the present invention, the banking processor 435 receives at least one Internet banking related information from the terminal device 145, and performs at least one customer authentication scheme in cooperation with the customer authentication unit 430. It is preferable to authenticate the customer who requested the financial transaction through the terminal, and thereby, confidentiality of the customer who requested the financial transaction through the terminal device 145 (or a customer who inputs (or selects) an Internet banking related information and transmits the information). Confidentiality, Authentication, Integrity and Nonrepudiation are secured.

According to an embodiment of the present invention, the banking processor 435 may be configured to secure confidentiality, authentication, integrity, and nonrepudiation of at least one Internet banking related information transmitted from the terminal device 145. In step 145, it is preferable to attach the electronic signature of the customer to the Internet banking related information, and to transmit the electronic banking related information with the electronic signature encrypted by a public key encryption method according to a public key infrastructure. In this case, the banking processor 435 receives the Internet banking related information from the terminal device 145, decrypts the public key decryption method according to the public key infrastructure, and confirms the electronic signature. Confidentiality, authentication, integrity and non-repudiation of information related to Internet banking is secured.

Alternatively, the banking processor 435 may secure the confidentiality, authentication, integrity, and nonrepudiation of Internet banking related information transmitted from the terminal device 145 for at least one financial transaction. In this case, it is preferable to encrypt and transmit the Internet banking related information in an electronic envelope method. In this case, the banking processing unit 435 receives the Internet banking related information from the terminal device 145 and decrypts the electronic banking method. Preferably, this ensures confidentiality, authentication, integrity, and nonrepudiation of the Internet banking related information.

The ledger processing unit 440 may be linked with the financial system 460 through a predetermined interface means 455, and predetermined financial transaction information may be generated (or extracted) by the banking processing unit 435. In this case, at least one ledger information to be extracted from the ledger on the financial system 460 corresponding to the financial transaction information is identified, and the identified from the ledger on the financial system 460 through the interface means 455. Extracting ledger information, and / or generating (or extracting) ledger record information recorded in the ledger on the financial system 460 in response to the financial transaction information, and through the interface means 455, the financial system ( The generated (or extracted) ledger record information is recorded in the ledger on 460.

For example, the financial transaction requested from the terminal device 145 is an account inquiry transaction for the last one month, and the financial transaction information (eg, account inquiry section information, account number, etc.) for the account inquiry is performed by the banking processor 435. When it is generated (or extracted), the ledger processing unit 440 is linked to the account ledger (and the customer ledger on the financial system 460 through the interface means 455 based on the financial transaction information for the account inquiry) And / or transaction history information associated with the account ledger) from the transaction history of the account to the banking processor 435.

5A and 5B illustrate the security functions of the customer authentication unit 430 and the banking processing unit 435 for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

In more detail, Figure 5a shows a detailed functional configuration required for the customer authentication unit 430 provided in the Internet banking server 400 on the Internet banking system shown in Figure 4 to perform a certificate-based customer authentication procedure As those skilled in the art to which the present invention pertains, various implementation methods for performing a certificate-based customer authentication procedure may be inferred by referring to and / or modifying the drawing 5a. It includes all the implementation methods inferred, and is not limited to the implementation method shown in this figure 5a.

Those skilled in the art to which the present invention pertains may refer to and / or modify the functional configuration shown in FIG. 5A to modify the ID / PW-based customer authentication in addition to the certificate-based customer authentication procedure as shown in FIG. 5A. It may be inferred that the preferred functional configuration for, and / or the preferred functional configuration for OTP-based customer authentication, etc., but the present invention includes all the methods inferred above.

Referring to FIG. 5A, a customer authentication unit 430 performing a certificate-based customer authentication procedure may access the high-speed wireless Internet in conjunction with the web interface 405 to perform Internet banking with the Internet banking server 400. A receiving unit 505 for receiving encrypted high-speed Internet-based Internet banking data from a terminal device 145 connecting a communication channel for communication, and the encrypted high-speed Internet-based Internet banking data. An encryption unit 510 for decrypting the decryption method and / or decryption algorithm corresponding to the encryption method and / or encryption algorithm used in the apparatus 145, the decrypted high-speed Internet-based Internet banking data, and the DBMS 420. Comparing and authenticating the stored customer authentication information, including an authentication processing unit 520 for authenticating the validity of the customer; It characterized by comprising.

The receiving unit 505 is connected to the high-speed wireless Internet in conjunction with the web interface unit 405 provided in the internet banking server 400, the terminal connecting the Internet banking server 400 and the communication channel for internet banking It is characterized in that for receiving the data for the high-speed Internet-based Internet banking encrypted using at least one encryption key provided in the predetermined certificate from the device 145.

According to an embodiment of the present invention, the encryption method for encrypting the high-speed Internet-based Internet banking data in the terminal device 145 may be a symmetric key (or secret key) encryption method, and / or a public key encryption method, and / or It is preferable to include at least one or more of the electronic envelope encryption method and / or key exchange encryption method.

According to an embodiment of the present invention, the high-speed Internet-based Internet banking data comprises the ID / PW information registered by the customer in the Internet banking server 400 in the Internet banking membership registration process, and / or the terminal A predetermined random number generated by the device 145 and / or a predetermined random number generated by the customer authentication unit 430 and provided to the terminal device 145, and / or the terminal device 145. It includes at least one or more storage information provided in the storage device provided in, and / or comprises at least one or more storage information stored in the SIM / USIM mounted or deposited on the terminal device 145, And / or at least one stored information stored in an IC card inserted into an IC card reader included in the terminal device 145, and / or At least one input information input through a key input device provided in the device 145, and / or at least input from a predetermined input device provided in the terminal device 145 in addition to the key input device. It is possible to include at least one input information, and / or to include at least one or more information (or data) among OTP codes generated from a predetermined OTP authenticator, and the present invention is not limited thereto.

The high-speed Internet-based internet banking data may further include at least one or more of network connection information for the customer connected through the high-speed wireless Internet and / or network configuration information for the terminal device 145 used by the customer. It is possible to include, and the present invention is not limited thereby.

The encryption unit 510 receives the encrypted high-speed Internet-based Internet banking data from the terminal device 145 through at least one encryption method through the receiving unit 505. And decrypts the data through a decryption method and / or a decryption algorithm corresponding to an encryption method and / or an encryption algorithm used in the terminal device 145, wherein the decrypted high-speed Internet-based internet banking data is authenticated. It is provided to the processing unit 520.

According to an embodiment of the present invention, the decryption scheme for decrypting the encrypted high-speed Internet-based Internet banking data in the encryption unit 510 may be a symmetric key (or secret key) decryption scheme, and / or a public key decryption scheme, and And / or at least one of an electronic envelope decryption scheme and / or a key exchange decryption scheme, wherein the decryption scheme is encryption used by the terminal device 145 to encrypt data for the high-speed internet-based internet banking. It is desirable to match the scheme.

According to an embodiment of the present invention, at least one or more key values for the encryption unit 510 to decrypt the encrypted high-speed Internet-based Internet banking data are extracted from the server-side authorized certificate provided in the DBMS 420. And / or a certificate server of a certification authority extracted from at least one or more terminal-side certificate copies provided in the DBMS 420, and / or connected to the Internet banking server 400 through a predetermined communication network, and / or All of them can be extracted from the directory associated with the authentication server 500, whereby the present invention is not limited.

The authentication processing unit 520 compares and authenticates the decrypted high-speed Internet-based Internet banking data and the customer authentication information stored in the DBMS 420 to secure confidentiality, authentication, integrity, and nonrepudiation of the customer. It features.

According to an embodiment of the present invention, when the decoded high-speed Internet-based Internet banking data includes ID / PW information registered in the Internet banking server 400 by the customer during the internet banking member registration process, the authentication processing unit ( 520 compares and authenticates the decrypted ID / PW information with ID / PW information included in the customer authentication information stored in the DBMS 420 to the Internet banking server 400 through the terminal device 145. It is desirable to authenticate customers who request access to financial transactions.

Alternatively, a predetermined random number generated by the terminal device 145 and / or a predetermined random number generated by the customer authentication unit 430 and provided to the terminal device 145 in the decrypted high-speed Internet-based internet banking data. Is included, the authentication processing unit 520 generates the decrypted random number and the predetermined random number generated by the terminal device 145 and / or generated by the customer authentication unit 430 and provides it to the terminal device 145. By comparing and authenticating a predetermined random number, it is preferable to authenticate a customer requesting a financial transaction by accessing the internet banking server 400 through the terminal device 145, or vice versa. The terminal device 145 receives a predetermined random number generated by the terminal device 145 through the unit 510 and / or a predetermined random number generated by the customer authentication unit 430 and provided to the terminal device 145. Used by Encrypted by the same encryption method as one encryption method, by comparing and authenticating the encrypted random number and the random number received encrypted from the terminal device 145, through the terminal device 145 to the Internet banking server 400 It is possible to authenticate a customer requesting a financial transaction by accessing it, and the present invention is not limited thereto.

Alternatively, when at least one stored information is included in the decrypted high-speed Internet-based Internet banking data, the authentication processor 520 stores the decrypted stored information and the customer authentication information stored in the DBMS 420. By comparing and authenticating the information, it is preferable to authenticate the customer requesting the financial transaction by accessing the Internet banking server 400 through the terminal device 145.

Alternatively, when at least one input information is included in the decrypted high-speed Internet-based Internet banking data, the authentication processor compares the decrypted input information with input information included in the customer authentication information stored in the DBMS 420. And by authenticating, accessing the internet banking server 400 through the terminal 145 to authenticate a customer requesting a financial transaction.

Alternatively, when at least one OTP code is included in the decrypted high-speed Internet-based Internet banking data, the authentication processing unit based on the OTP generation information included in the customer authentication information stored in the DBMS 420, the predetermined OTP authentication By generating a code, and comparing and authenticating the decrypted OTP code and the generated OTP authentication code, accessing the Internet banking server 400 through the terminal device 145 to authenticate the customer requesting a financial transaction It is preferable.

According to another exemplary embodiment of the present invention, when the decrypted high-speed Internet-based internet banking data further includes network access information for the customer connected through the high-speed wireless Internet, the authentication processing unit accesses the decrypted network. The customer included in the member information associated with the network access information in the AAA server 110 by providing the AAA server 110 on the high-speed wireless Internet with information and predetermined customer identification information confirmed by the customer authentication procedure. By comparing and authenticating the identification information and the personal information provided by the Internet banking server 400, and returning the result to the Internet banking server 400, to the Internet banking server 400 via the high-speed wireless Internet It is desirable to authenticate customers who request access to financial transactions.

Alternatively, the decrypted high-speed Internet-based Internet banking data further includes network access information for the customer connected through the high-speed wireless Internet, the network access information is authenticated by the AAA server 110 on the high-speed wireless Internet When the result is received and the result is received, the authentication processing unit 520 accesses the banking server 400 through the high-speed wireless Internet by using the authentication result of the network access information received from the AAA server 110 to finance. It is desirable to authenticate the customer requesting a transaction.

According to another exemplary embodiment of the present invention, when the decrypted high-speed Internet-based Internet banking data further includes network configuration information about the terminal device 145 used by the customer, the authentication processor 520 may decrypt the decrypted data. By comparing and authenticating the network configuration information and the network configuration information confirmed by the customer authentication procedure, the terminal device 145 of the customer requesting a financial transaction by accessing the Internet banking server 400 through the high-speed wireless Internet. It is desirable to authenticate.

Alternatively, when the decrypted high-speed Internet-based internet banking data further includes network configuration information for the terminal device 145 used by the customer, the authentication processor 520 may perform the decrypted network configuration information and the customer authentication. When the predetermined customer identification information confirmed by the procedure is provided to the AAA server 110 on the high-speed wireless Internet, the AAA server 110 compares and authenticates the network configuration information based on the customer identification information, and By returning a result to the Internet banking server 400, it is preferable to authenticate the customer requesting a financial transaction by accessing the Internet banking server 400 through the high-speed wireless Internet.

Alternatively, when the decoded high-speed Internet-based Internet banking data further includes network configuration information for the terminal device 145 used by the customer, the authentication processor 520 may determine a predetermined value that is confirmed by the customer authentication procedure. Request network configuration information for the terminal device 145 from the AAA server 110 on the high-speed wireless Internet based on customer identification information, and receive the decoded network configuration information and the network configuration received from the AAA server 110. By comparing and authenticating the information, it is preferable to authenticate the terminal device 145 of the customer who requests the financial transaction by accessing the Internet banking server 400 through the high-speed wireless Internet.

In more detail, Figure 5b is a detailed functional configuration required for the banking processing unit 435 provided in the Internet banking server 400 on the Internet banking system shown in Figure 4 to perform the security function of high-speed wireless Internet-based Internet banking As illustrated, those of ordinary skill in the art to which the present invention pertains may refer to various embodiments of the present disclosure to infer various methods for performing a security function of high-speed wireless Internet-based Internet banking by referring to and / or modifying the present invention. However, the present invention includes all the implementation methods inferred from the above, and is not limited only to the implementation method shown in this figure 5b.

For example, the functional configuration shown in Figure 5b may be provided outside the banking processing section 435, thereby the present invention is not limited.

* Those skilled in the art to which the present invention pertains, in addition to the function of performing high-speed wireless Internet-based Internet banking as shown in FIG. 5B by referring to and / or modifying the functional configuration shown in FIG. In addition, various functions that can be performed through the banking processor 435 may be inferred from other functional configurations, but the present invention includes all the inferred implementation methods.

Referring to FIG. 5B, a banking processor that performs high-speed wireless Internet-based Internet banking accesses the high-speed wireless Internet in conjunction with the web interface unit 405 to establish a communication channel for internet banking with the Internet banking server 400. Receiving unit 505 for receiving the electronic signature and / or encrypted Internet banking-related information from the connected terminal device 145, and the encryption scheme and / or encryption using the encrypted Internet banking-related information in the terminal device 145 An encryption unit 510 for decrypting using a decryption method and / or a decryption algorithm corresponding to an algorithm, an electronic signature verification unit 530 for confirming an electronic signature attached to the decrypted Internet banking related information, and the electronic signature Based on the internet banking-related information, the banking-related information is stored using the banking element information stored in the DBMS 420. The response Internet banking section 525 to perform online banking information processing functions characterized in that formed by having.

The receiving unit 505 is connected to the high-speed wireless Internet in conjunction with the web interface unit 405 provided in the Internet banking server 400, the terminal connecting the Internet banking server 400 and the communication channel for internet banking Receive electronic signature and / or encrypted encrypted internet banking related information from the device 145.

According to the exemplary embodiment of the present invention, the electronic signature and / or encryption for the Internet banking related information in the terminal device 145 is preferably processed based on a public certificate provided in the terminal device 145. The electronic signature for the Internet banking related information is specified in data for Internet banking input (or selected or generated) for processing the Internet banking related information according to the present invention by the Internet banking unit 525 of the Internet banking server 400. Generating a predetermined hash code by applying a one-way hash function of, encrypting the hash code with a terminal-side private key provided in the certificate, and concatenating the encrypted data with the internet banking data. Preferably, the encryption method for the Internet banking-related information is a symmetric key (or secret key) encryption method, and / or Preferably comprises at least one of a public key encryption scheme, and / or an electronic envelope encryption scheme, and / or a key exchange encryption scheme.

When the encryption unit 510 receives the electronic signature and / or encrypted Internet banking related information from the terminal device 145 through the receiving unit 505, the encryption unit 510 receives the encrypted internet banking related information. Decryption method and / or decryption algorithm corresponding to the encryption method and / or encryption algorithm used in the) characterized in that the decrypted Internet banking-related information is provided to the digital signature check unit 530.

According to an embodiment of the present invention, the decryption scheme for decrypting the encrypted Internet banking related information in the encryption unit 510 may be a symmetric key (or secret key) decryption scheme, and / or a public key decryption scheme, and / or electronic. And at least one of an envelope decryption scheme and / or a key exchange decryption scheme. Preferably, the decryption scheme is matched with an encryption scheme used to encrypt the Internet banking related information in the terminal device 145. Do.

According to an embodiment of the present invention, at least one or more key values for the encryption unit 510 to decrypt the encrypted internet banking related information are extracted from the server-side authorized certificate provided in the DBMS 420, and And / or the authentication server 500 and / or extracted from at least one copy of at least one terminal-side certificate provided in the DBMS 420, and / or connected to the internet banking server 400 through a predetermined communication network. All of them can be extracted from the directory associated with the authentication server 500, whereby the present invention is not limited.

The digital signature checking unit 530 checks whether the electronic signature is attached to the decrypted internet banking related information, and if the predetermined digital signature is attached to the internet banking related information, encrypts the terminal private key. A one-way hash function identical to the one-way hash function used by the terminal device 145 to decrypt the hash code included in the Internet banking related information with the terminal-side public key and to use the Internet banking data included in the Internet banking related information. After generating a predetermined hash code through, and comparing and authenticating the decrypted hash code and the generated hash code, characterized in that to secure the confidentiality, authentication, integrity and non-repudiation of the Internet banking-related information .

According to an embodiment of the present invention, the at least one key value for the electronic signature verification unit 530 to confirm the electronic signature attached to the Internet banking related information is at least one terminal side certificate provided in the DBMS 420. It may be extracted from a copy, and / or from the authentication server 500 and / or the directory linked to the authentication server 500 of the certification authority connected to the Internet banking server 400 through a predetermined communication network. The present invention is not limited thereby.

According to the exemplary embodiment of the present invention, after the confidentiality, authentication, integrity, and non-repudiation of the Internet banking related information by the encryption unit 510 and the electronic signature verification unit 530 are secured, the banking processing unit 435 It is possible to further check the validity of the customer and / or the terminal device 145 that has transmitted the Internet banking related information in conjunction with the customer authentication unit 430, for this purpose from the terminal device 145 In the process of receiving the Internet banking-related information, it is preferable to further include at least one or more authentication data.

According to an exemplary embodiment of the present invention, in the process of receiving the Internet banking related information from the terminal device 145, the Internet banking related information to the Internet banking server 400 in the process of joining the Internet banking member registration process. The registered ID / PW information may be further received, and in this case, the banking processor 435 may be included in the ID / PW information and the customer authentication information stored in the DBMS 420 through the customer authentication unit 430. By comparing and authenticating the ID / PW information, it is possible to authenticate the customer who requests the Internet banking related information processing according to the present invention by accessing the Internet banking server 400 through the terminal device 145.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, a predetermined random number generated by the terminal device 145 and / or generated by the customer authentication unit 430 in the Internet banking related information. And may further include a predetermined random number provided to the terminal device 145, in which case the banking processor 435 decrypts the random number through the customer authentication unit 430, and decrypts the decrypted random number. And compares and authenticates a predetermined random number generated by the terminal device 145 and / or a predetermined random number generated by the customer authentication unit 430 and provided to the terminal device 145. Accesses the Internet banking server 400 through a terminal to authenticate a customer requesting processing of the Internet banking related information according to the present invention, or conversely, a predetermined random number generated by the terminal device 145 and / or The predetermined random number generated by the customer authentication unit 430 and provided to the terminal device 145 is encrypted using the same encryption method as that used by the terminal device 145, and the encrypted random number and the terminal device ( By comparing and authenticating the random number included in the Internet banking related information encrypted from 145, accessing the Internet banking server 400 through the terminal device 145 to request the Internet banking related information processing according to the present invention It is possible to authenticate the customer, whereby the present invention is not limited.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, the Internet banking related information may further include at least one or more stored information. In this case, the banking processor 435 may be configured to authenticate the customer. By comparing and authenticating the stored information and the stored information included in the customer authentication information stored in the DBMS 420 through the unit 430, the terminal 145 accesses the Internet banking server 400 through the terminal device 145. It is possible to authenticate a customer requesting processing of internet banking related information according to the invention.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, the Internet banking related information may further include at least one or more input information. In this case, the banking processing unit may include the customer authentication unit 430. By comparing and authenticating the input information with the input information included in the customer authentication information stored in the DBMS 420 through), the terminal is connected to the Internet banking server 400 through the terminal 145 according to the present invention. It is possible to authenticate customers requesting processing of Internet banking related information.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, the Internet banking related information may further include at least one OTP code, in which case the banking processing unit is the customer authentication unit 430 By generating a predetermined OTP authentication code based on the OTP generation information included in the customer authentication information stored in the DBMS 420, and comparing and authenticating the OTP code and the generated OTP authentication code, the terminal device It is possible to authenticate the customer who requests the Internet banking related information processing according to the present invention by accessing the Internet banking server 400 through 145.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, the Internet banking related information may further include network access information of the customer connected through the high speed wireless Internet. The banking processor 435 provides the AAA server 110 on the high-speed wireless Internet by providing the network access information and the predetermined customer identification information confirmed by the customer authentication procedure through the customer authentication unit 430. The AAA server 110 compares and authenticates the customer identification information included in the member information associated with the network access information with the personal information provided by the Internet banking server 400, and the result is the Internet banking server 400. By returning to the Internet banking server 400 through the high-speed wireless Internet to request the Internet banking related information processing according to the present invention It is possible to authenticate the customer.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, the network banking related information further includes network access information for the customer connected through the high speed wireless Internet, and the network access information. The authentication process may be received from the AAA server 110 on the high-speed wireless Internet, and the result may be received. In this case, the banking processing unit 435 may be received from the AAA server 110 through the customer authentication unit 430. By using the authentication result of the network access information to be connected to the Internet banking server 400 through the high-speed wireless Internet it is possible to authenticate the customer requesting the Internet banking-related information processing according to the present invention.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, the Internet banking related information may further include network configuration information for the terminal device 145 used by the customer. The banking processing unit 435 compares and authenticates the network configuration information and the network configuration information confirmed by the customer authentication procedure through the customer authentication unit 430, thereby verifying the Internet banking server 400 through the high-speed wireless Internet. It is possible to authenticate the terminal device 145 of the customer requesting the Internet banking related information processing according to the present invention.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, the Internet banking related information may further include network configuration information for the terminal device 145 used by the customer. The banking processing unit 435 provides the AAA server 110 on the high-speed wireless Internet through the customer authentication unit 430 to provide the network configuration information and predetermined customer identification information identified by the customer authentication procedure. The server 110 compares and authenticates the network configuration information based on the customer identification information, and returns the result to the Internet banking server 400, thereby allowing the Internet banking server 400 to operate through the high-speed wireless Internet. It is possible to authenticate the customer requesting the Internet banking-related information processing according to the present invention by accessing.

Alternatively, in the process of receiving the Internet banking related information from the terminal device 145, the Internet banking related information may further include network configuration information for the terminal device 145 used by the customer. The banking processor 435 compares and authenticates the network configuration information and the network configuration information received from the AAA server 110 through the customer authentication unit 430, thereby verifying the Internet banking server 400 through the high-speed wireless Internet. It is possible to authenticate the terminal device 145 of the customer requesting the Internet banking related information processing according to the present invention.

When the internet banking related information is decoded and the validity of the internet banking related information is authenticated through the electronic signature included in the internet banking related information, the electronic signature checking unit 530 is configured to provide the Internet banking related information (eg, Internet banking data included in the Internet banking related information) is provided to the Internet banking unit 525, and the Internet banking unit 525 is stored in the DBMS 420 based on the Internet banking related information. With reference to the banking element information of the Internet banking-related information processing procedure according to the present invention.

According to an exemplary embodiment of the present invention, when the Internet banking related information is Internet banking-based financial transaction-related information including at least one of account inquiry / account transfer, etc., the Internet banking unit 525 may include a high-speed wireless Internet-based Internet. It performs the function of a financial transaction means that performs financial transaction procedures through banking.

In addition, when the Internet banking-related information is Internet banking-based insurance subscription and operation related information for insurance subscription and operation, the Internet banking unit 525 performs the insurance subscription and operation procedures through high-speed wireless Internet-based Internet banking It performs the function of insurance management means.

In addition, when the Internet banking-related information is Internet banking-based loan processing information for insurance subscription and operation, the Internet banking unit 525 functions of insurance management means for performing a loan processing procedure through high-speed wireless Internet-based Internet banking Do this.

In addition, when the information related to the Internet banking is information related to the subscription and operation of the Internet banking-based investment product for insurance subscription and operation, the Internet banking unit 525 performs the procedure of subscription and operation of the investment product through the high-speed wireless Internet-based Internet banking. To carry out the functions of the investment product management means.

In addition, when the Internet banking-related information is Internet banking-based utility bill payment-related information for paying utility bills, the Internet banking unit performs the function of a utility bill payment means for performing a utility bill payment procedure through high-speed wireless Internet-based Internet banking.

6 is a diagram illustrating a functional configuration of a terminal device 145 for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

In more detail, FIG. 6 illustrates a preferred functional configuration of a terminal device 145 for high-speed wireless Internet-based internet banking using the high-speed wireless Internet system shown in FIG. 1, which is common in the art. Those skilled in the art will be able to infer various functional configurations for the terminal device 145 for high-speed wireless Internet-based Internet banking by referring to and / or modifying the present invention, but the present invention provides all the inferred implementation methods. It includes, and is not limited by the functional configuration shown in FIG.

Terminal device 145 for high-speed wireless Internet-based Internet banking according to the present invention, at least one screen output means for screen output, at least one sound processing means for sound input and output, at least one key for key input Input means, wireless communication means for connecting a network component on the high-speed wireless Internet (eg, base station 140 on the high-speed wireless Internet) and an IEEE 802.164 based wireless section, and control means for controlling and managing the means; Control means for controlling and managing the means (or data), information (or data) input through the key input means and information (or data) generated by processing them, and / or the wireless communication means Information (or data) received from a server (or terminal) on the high speed wireless Internet, and / or the high speed wireless internet Characterized in that the storage means for storing at least one or more information (or data) for the base Internet banking, at least one short-range communication protocol to more easily process the high-speed wireless Internet-based Internet banking according to the present invention SIM / USIM (Subscriber Identity Module / Universal Subscriber Identity) having at least one local area communication means for connecting the at least one local area device (440) and a local area communication channel through the communication device, and / or at least one information for high-speed wireless Internet-based Internet banking. And an IC chip interworking means interoperating with the ID-000-based IC chip 450 (or IC card 450) in the form of a module) and / or the IC card 450 in the form of ID-1 / ID-00. It is preferable.

Referring to FIG. 6, the terminal apparatus 145 for high-speed wireless Internet-based internet banking according to the present invention corresponds to the above means, including a control unit 605, a memory unit 655, a screen output unit 610, and a sound processing unit. 615, a key input unit 620, a wireless processing unit 630, a short range communication unit 635, an IC chip reader unit 645, and the like, and a predetermined power supply to the terminal device 145. Preferably, the power supply unit 625 is further provided (eg, a battery when the terminal device 145 is portable).

The control unit 605 controls the overall operation of the terminal device 145, manages the flow of information or data between each component, at least provided to the terminal device 645 for high-speed wireless Internet-based Internet banking It is characterized in that the control and management of one or more components, at least one processor including a Central Processing Unit (CPU) / Micro Processing Unit (MPU) and execution memory that is loaded with at least one memory loading data ( For example, a register and / or a random access memory (RAM) and a bus (BUS) for inputting and outputting at least one or more data into the processor and the execution memory. A predetermined recording medium for performing a defined function (e.g., high-speed wireless Internet-based Internet banking) From being loaded (Loading) in the execution memory it is characterized in that comprises a predetermined program routine (Routine) and / or program data processing operations by the processor.

The memory unit 655 is input when a predetermined program routine (or code) and / or program data (eg, program routine (or code)) for controlling the overall operation of the terminal device 145 is performed. Or at least one information (or data) to be output, and / or to store information (or data) input to the terminal device 145 and information (or data) generated by processing the same, or Storing information (or data) received by the device 145 or storing information (or data) for the high-speed wireless Internet-based Internet banking and program routines (or codes) and / or program data for the internet banking. Is a generic term for non-volatile memory for use in hardware, electrically Erasable and Programmable Read Only Memory (EEPROM) and / or Flash Memory (FM) and / or Hard Disk Driv (HDD). e) comprising at least one storage means comprising e).

According to an embodiment of the present invention, the memory unit 655 is configured for the high-speed wireless Internet-based internet banking through the wireless processor 630 for the high-speed wireless internet-based internet banking. And a communication channel for Internet banking, and receiving and reading at least one web page for high-speed wireless Internet-based Internet banking from the Internet banking server 400 through the communication channel. And a browser program output through the 610, and / or a security function (e.g., encryption / decryption, and / or electronic signature) required in the process of performing the high-speed wireless Internet-based internet banking of the browser program. Etc.) to store a predetermined security module for performing.

According to an exemplary embodiment of the present invention, the browser program is loaded into the controller 605 for the high-speed wireless Internet-based internet banking, and the high-speed wireless internet is connected to the internet banking server 400 through the wireless processor 630. When the communication channel for the base Internet banking is connected, the security module is loaded to perform a security function defined between the terminal device 145 and the internet banking server 400 through the high-speed wireless Internet, and then the When a web page requesting the security function is received and output from the Internet banking server 400, the security function is preferably processed by the security module.

According to another exemplary embodiment of the present invention, the browser program is loaded into the controller 605 for the high-speed wireless Internet-based internet banking, and the internet banking server and the high-speed wireless internet-based internet are loaded through the wireless processor 630. A web page that connects a communication channel for banking and includes a predetermined security function configuration (eg, an encryption / decryption function script, and / or an electronic signature function script, etc.) from the Internet banking server 400 through the communication channel. In this case, the security function between the terminal device 145 and the Internet banking server 400 may be processed by a security function configuration including the web page. 655 may not store the security module.

According to an exemplary embodiment of the present invention, the memory unit 655 may include unique information of the terminal device 145 provided to the terminal device 145 (for example, an electronic serial number (ESN), or information corresponding to the ESN). Preferably, the terminal device 145 stores network configuration information including a SIM (Subscriber Identity Module) card and / or a USIM (Universal Subscriber Identity Module).

The screen output unit 610 is configured by a predetermined browser program provided in the terminal device 145 in the process of performing a function defined in the terminal device 145 (eg, a high speed wireless Internet-based Internet banking function). At least one output device (or data) defined to be exposed to a user, at least one output device including a liquid crystal display (LCD) and / or a cathode ray tube (CRT), and the output It is preferable to include a driver that manages the device and interlocks with the controller 605.

The key input unit 620 may perform a function defined in the terminal device 145 (for example, a high speed wireless Internet-based Internet banking function) from a user through a predetermined browser program provided in the terminal device 145. At least one or more information (or data) defined to be input in the form of a predetermined key data, and at least one input device including a keypad and / or a keyboard, and the controller It is preferable to include a driver that cooperates with 605.

The wireless processor 630 is a network component (eg, base station 140, PAR) of the high-speed wireless Internet system to perform a function defined in the terminal device 145 (for example, high-speed wireless Internet-based Internet banking function). (135), AAA server (110), HA server, NMS, etc.) in conjunction with the terminal device 145 is characterized in that the wireless connection to the high-speed wireless Internet, and the terminal device ( Internet banking server connected through the high speed wireless Internet and the TCP / IP based network and / or leased line to perform the function defined in (145) (e.g., high speed wireless Internet based Internet banking function) and a high speed wireless Internet based internet banking. To connect a communication channel and perform a function (eg, a high speed wireless Internet-based Internet banking function) defined in the terminal device 145 through the communication channel. And characterized by generating a graphic, a preferred hardware configurations for the wireless processing unit 630 will be described in detail through figures 7.

According to the exemplary embodiment of the present invention, when the system is booted with a predetermined power supplied to the terminal device 145 through the power supply unit 625, the base station 140 on the high-speed wireless Internet. After synchronizing with the downlink by acquiring the downlink channel and acquiring channel control parameters for the uplink, the uplink is synchronized through initial ranging, and the base station 140 receives information of the terminal device 145. Performs the Initial Access process.

Subsequently, a basic capability capability negotiation is performed between the terminal device 145 and the base station 140 of the high-speed wireless Internet through the wireless processor 630, and the basic provision capability negotiation is performed. When the capability is negotiated, the wireless connection connection between the terminal device 145 and the base station 140 is extended to a wired section to authenticate and service authority of the terminal device 145 from the AAA server 110 via the PAR 135. Perform the verification process.

According to an embodiment of the present invention, a preferred authentication procedure for verifying authentication and service authority for the terminal device 145 on the high-speed wireless Internet is a subscriber ID (ID) provided from the base station 140 in the PAR 135. When providing a DER (Diameter E4 (E4tensible Authentication Protocol) Request) / Identity message including the AAA server 110 on the high-speed wireless Internet, the AAA server 110 receiving the determination determines whether the user is a legitimate subscriber A DIA EAP Answer (DEA) / Transport Layer Security (TLS) start message is transmitted to the PAR 135. Thereafter, the PAR 135 provides a DER / Client-Hello message including predetermined session information and connection information to the AAA server 110, and the AAA server 110 responds to the PAR 135. Send DEA / Server-Hello. Next, the PAR 135 and the AAA server 110 provides a DER / TLS certificate from the PAR 135 to the AAA server 110 for mutual certificate exchange, and the AAA server 110 provides the PAR In step 135, the DEA / TLS change cipher spec and TLS finished messages are transmitted and transmitted to the PAR 135 that the use of the new encryption algorithm and the hand-shaking procedure are completed. In addition, the PAR 135 transmits a DER / Ack to the AAA server 110 and receives a DEA / Success from the AAA server 110 to complete a certificate authentication process by completing a mutual certificate exchange.

When the basic provision capability negotiation and the authentication and registration procedure for the terminal device 145 are performed, the wireless processing unit 630 manages a mobile IP (MIP) for the terminal device 145. (B) assigning and registering a predetermined IP address, and generating and distributing a traffic encryption key for maintaining security for traffic connection between the terminal device 145 and the base station 140 according to an embodiment. The process can be carried out further.

After the terminal device 145 accesses the high-speed wireless Internet as described above, the wireless processing unit 630 is a user account and password for the customer to access the high-speed wireless Internet through the terminal device 145, and And / or store network connection information in the memory unit 655 including at least one member information of the customer registered in the AAA server 110 on the high-speed wireless Internet in association with the user account and the password. Do.

According to another exemplary embodiment of the present invention, in order to prevent the user account and password included in the network access information from being exposed, the wireless processing unit 630 authenticates the user account and password from the AAA server 110. After receiving predetermined network access authentication information (e.g., an authentication code assigned after the network access through the user account and password is approved) corresponding to the result, the network access authentication information is read instead of the user account and password. It can be used as network connection information.

In addition, after the terminal device 145 accesses the high-speed wireless Internet as described above, the wireless processing unit 630 receives network configuration information including MIP (Mobile IP) information allocated to the terminal device 145. It is preferable to store in the memory unit 655.

The short range communication unit 635 may include infrared ray communication and / or radio frequency (RF) communication and / or Bluetooth and / or wireless LAN and / or Wi-Fi and ultra-wideband. The method may include connecting a predetermined short range device 640 to a short range wireless communication channel through at least one short range wireless communication means including an ultra wide band (UWB). The infrared communication, the RF communication, It includes a predetermined short range wireless communication module for short range wireless communication including Bluetooth, WLAN, Wi-Fi, and ultra-wideband communication, and includes a communication protocol and / or driver for the short range wireless communication in software.

The IC chip reader 645 may include an IC chip 650 having at least one or more information for high-speed wireless Internet-based Internet banking through an IC chip standard including ISO / IEC 7816 and / or ISO / IEC 14443. Alternatively, the IC card 650 may read at least one or more information for the high-speed wireless Internet-based Internet banking through an APDU (Application Protocol Data Unit).

7 is a diagram showing a preferred structure of the wireless processing unit 630 of the terminal device 145 according to the embodiment of the present invention.

In more detail, FIG. 7 illustrates a preferred embodiment of the wireless processor 630 for wirelessly communicating with the base station 140 in the OFDMA scheme according to the IEEE 802.164 series wireless access standard as an end point of a wireless channel in the high-speed wireless Internet system. . However, in the present invention, the wireless processing unit 630 of the terminal device 145 is not limited to the case of FIG. 7, but does not violate the core of the present invention according to the intention and / or components of the terminal manufacturer. The present invention can be modified within the present invention, and the present invention is not limited thereto.

Referring to FIG. 7, the wireless processor 630 converts an analog baseband signal input from the baseband processor into a 2.3 GHz band signal, which is a carrier band, and transmits the signal. It performs the function of delivering to the baseband processor.

In addition, the wireless processing unit 630 includes a transmitting and receiving antenna, and performs an up / down conversion function between an RF front end (FE) and a power amplification function RF signal, and a front end module (FEM) is a PA (Power). It consists of Amplifier, RF SW (RF SWitch), and Low Noise Amplifier (LNA) FEM to perform transmit / receive mode switching function, power amplifier function of transmit signal, low noise amplifier function of received signal according to control signal, UPCM (UP Conversion Module) ) Consists of LPF, I / Q modulator, VGA, and RF BPF to convert baseband signal to RF signal, transmit power control function and filtering function, and DNCM (DowN-Conversion Module) uses RF BPF, It consists of an RF mixer, VGA, I / Q demodulator, LPF, and the DNCM performs the down conversion function of the RF signal to the baseband signal, automatic reception gain control and filtering function.

In addition, since the wireless processing unit 630 uses a Local Oscillator Module (LOM) consisting of a PLL and an RF VCO and a TDD scheme, the wireless processing unit 630 includes an ANTM (ANTenna Module) performing transmission and reception on the same antenna.

8 is a diagram illustrating a security module configuration for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

In more detail, FIG. 8 illustrates the terminal device 145 for the high-speed wireless Internet-based internet banking shown in FIG. 6, in which the terminal device 145 and the Internet are linked with a browser program included in the terminal device 145. FIG. The configuration of the security module for providing a security function through the encryption and / or electronic signature between the banking server 400, if one of ordinary skill in the art to which the present invention belongs, reference and / or modification By using the terminal device 145 and the Internet banking server 400 for high-speed wireless Internet-based Internet banking can be inferred various implementation methods for the configuration of the security module, the present invention includes all the implementation methods inferred, It is not limited to the implementation method shown in FIG.

Referring to FIG. 8, a security module interoperating with a browser program provided in the terminal device 145 for high-speed wireless Internet-based internet banking may be connected to the browser through a key input unit 620 provided in the terminal device 145. An information input unit 800 which receives at least one information input from a program from the browser program, and an information extraction unit 805 which extracts at least one or more information stored in the memory unit 655 included in the terminal device 145. Information generating unit 810 for generating predetermined high-speed wireless Internet-based internet banking data through information input through the information input unit 800 and / or information extracted through the information extracting unit 805. And an electronic signature unit 815 attaching a predetermined electronic signature to data for high-speed wireless Internet-based internet banking generated through the information generation unit 810, and An encryption processing unit for encrypting data for high-speed wireless Internet-based internet banking generated by the information generating unit 810 and / or data for high-speed wireless internet-based internet banking with a predetermined electronic signature through the electronic signature unit 815 ( 820 and a communication processor 825 for transmitting the digital signature and / or encrypted high-speed wireless Internet-based internet banking data to the internet banking server 400 through the wireless processor 630 based on a high-speed wireless internet communication protocol. It is characterized by comprising a).

In addition, the communication processing unit 825 receives the high-speed wireless Internet-based Internet banking-related information encrypted by the Internet banking server 400 based on the high-speed wireless Internet communication protocol through the wireless processing unit 430, The encryption processing unit may decrypt the encrypted high speed wireless internet based internet banking related information, and the decrypted high speed wireless internet based internet banking related information may be output through the browser program.

The communication channel between the terminal device 145 and the internet banking server 400 connected through the high-speed wireless Internet is made through a browser program provided in the terminal device 145 shown in FIG. 6. When connecting the Internet banking server 400 and the communication channel for high-speed wireless Internet-based Internet banking according to the present invention, the browser program is at least one high-speed wireless Internet-based Internet provided by the Internet banking server 400 Receives, reads and outputs the banking interface screen.

According to an embodiment of the present invention, the high-speed wireless Internet-based Internet banking interface screen is made through a Hyper-Text Markup Language (HTML) compatible web document based on HTTP (Hyper-Text Transfer Protocol) protocol, the browser The program receives the web document and reads an HTML protocol (and / or at least one or more other protocols such as 4ML compatible with the HTML) included in the web document, through the screen output unit 610, through the high-speed wireless. It is preferable to output an interface screen for internet-based internet banking.

In addition, the interface screen for the high-speed wireless Internet-based Internet banking includes a user interface for inputting and / or selecting at least one or more information to be transmitted to the Internet banking server 400 through the high-speed wireless Internet, the user An interface inputs and / or selects at least one information to be transmitted to the internet banking server 400 in association with the key input unit 620, and the input and / or selected information is inputted to the information input unit 800 of the security module. It is preferable that it is input as.

The information input unit 800 may receive input and / or selected information from the key input unit 620 based on an interface screen output through the browser program.

According to another exemplary embodiment of the present invention, the information input unit 800 directly receives predetermined information to be transmitted from the key input unit 620 to the Internet banking server 400 through the high-speed wireless Internet in addition to the browser program. It is possible that the present invention is not limited thereby.

According to another exemplary embodiment of the present invention, the information input unit 800 inputs predetermined information to be transmitted to the Internet banking server 400 from the predetermined short range communication unit 635 via the high speed wireless Internet in addition to the browser program. It is possible to receive, and the present invention is not limited thereby.

The information extracting unit 805 extracts predetermined information from the memory unit 655 to be transmitted to the internet banking server 400 through the high-speed wireless Internet in addition to the information input through the browser program. The information extracted by the information extracting unit 805 from the memory unit 655 may include at least one or more network connection information and / or network configuration information.

According to another exemplary embodiment of the present invention, the information extracting unit 805 is connected to the IC chip reader unit 645 in addition to the memory unit 655 from a predetermined IC chip and / or IC card through the high-speed wireless Internet. It is possible to extract predetermined information to be transmitted to the Internet banking server 400, whereby the present invention is not limited.

The information generating unit 810 includes information input through the information input unit 800 and / or information extracted through the information extracting unit 805, and the internet banking server 400 through the high speed wireless internet. It generates a predetermined high-speed wireless Internet-based Internet banking data to be transmitted to).

According to an exemplary embodiment of the present invention, the information generating unit 810 may use information input through the information input unit 800 and / or information extracted through the information extracting unit 805 as it is based on high speed wireless Internet. It is desirable to process the data for Internet banking.

For example, the information input through the information input unit 800 and / or the information extracted through the information extracting unit 805 may be an ASCII code-based 12-digit account number, a 4-digit account password, and a 4-digit security code. In this case, the information generation unit 810 processes the ASCII code-based account number, account password and security code as data for high-speed wireless Internet-based Internet banking to be transmitted to the Internet banking server 400 through the high-speed wireless Internet. .

According to another exemplary embodiment of the present invention, the information generating unit 810 may be configured to store information input through the information input unit 800 and / or information extracted through the information extracting unit 805 in the Internet banking server. It is desirable to process the data corresponding to the predetermined data structure agreed with 400.

For example, the information input through the information input unit 800 and / or the information extracted through the information extracting unit 805 may be an ASCII code-based 12-digit account number, a 4-digit account password, and a 4-digit security code. In this case, the information generator 810 substitutes the ASCII code-based account number, account password, and security code into the C language structure as follows.

typedef _ACCOUNT_DATA_

   BYTE btDataCode;

   char strAccountNo [16];

   char strAccountPW [4];

   char strSecurityCode [4];

ACCOUNT_DATA;

Here, the "btDataCode" is an identifier for identifying which data structure among the data structures defined between the terminal device 145 and the Internet banking server 400, and "strAccountNo" indicates the 12-digit account number. "StrAccountPW" is to process the 4-digit account password as a 4-digit string, and "strSecurityCode" is to process the 4-digit security code as a 4-digit string.

The electronic signature unit 815 generates a predetermined hash code by applying the high-speed wireless Internet-based Internet banking data generated by the information generation unit 810 to a predetermined one-way hash function, and generates the predetermined hash code to the terminal device 145. IC chips and / or ICs provided (eg, provided in the memory unit 655 of the terminal device 145 and / or interlocked through the IC chip reader unit 645 provided in the terminal device 145). Read a high-speed wireless Internet-based Internet banking customer private key from an authorized certificate provided on the card, encrypting the hash code with the high-speed wireless Internet-based Internet banking customer private key, the data for the high-speed wireless Internet-based Internet banking and the encryption By concatenating the hash codes, the digital signature is attached to the high-speed wireless Internet-based Internet banking data generated by the information generator 810.

Those skilled in the art will be able to infer various digital signature methods in addition to the digital signature method as described above, but the present invention includes all the types of digital signature methods that can be inferred. It is not limited by the digital signature method.

The encryption processing unit 820 is a high-speed wireless Internet-based Internet banking data generated by the information generation unit 810, and / or a high-speed wireless Internet-based Internet banking attached to the electronic signature by the electronic signature unit 815 And encrypting data through at least one encryption method and an encryption algorithm, wherein the encryption method and encryption algorithm are capable of decrypting the encrypted high-speed wireless Internet-based internet banking data in the internet banking server 400. It is preferable to include an encryption method and an encryption algorithm.

According to an embodiment of the present invention, the encryption method for encrypting the high-speed wireless Internet-based Internet banking data in the encryption processing unit 820 may be a symmetric key (or secret key) encryption method, and / or public key encryption method, and / Or at least one of an electronic envelope encryption scheme and / or a key exchange encryption scheme, wherein the encryption scheme decrypts the encrypted high-speed wireless Internet-based internet banking data in the internet banking server 400. It is preferable to match the decoding scheme used for the purpose.

According to an exemplary embodiment of the present invention, at least one or more key values used by the encryption processing unit 820 to encrypt the high-speed wireless Internet-based internet banking data may be extracted from a public certificate provided in the terminal device 145 or And / or can be extracted from the authentication server of the certification authority connected to the terminal device 145 through the high-speed wireless Internet and / or the directory linked to the authentication server, and the present invention is not limited thereto.

The communication processor 825 generates at least one SDU / PDU from the electronic signature and / or encrypted high-speed wireless Internet-based internet banking data, and applies the same to a protocol stack on the high-speed wireless internet to which the terminal device 145 is connected. It is characterized in that the processing to transmit to the Internet banking server 400 via the wireless processing unit 635 (for example, stored in the upper layer on the protocol stack) via the network component on the high-speed wireless Internet.

According to an embodiment of the present invention, the communication processor 825 generates at least one SDU / PDU from the electronic signature and / or encrypted high-speed wireless Internet-based Internet banking data, and generates the generated SDU / PDU. It is preferable to apply the protocol stack on the high speed wireless Internet in conjunction with the communication function of the browser program, and the SDU / PDU applied to the protocol stack on the high speed wireless Internet is processed as a packet transmitted and received through the high speed wireless Internet and thus It is transmitted to the Internet banking server 400 via a network component on the wireless Internet.

According to another exemplary embodiment of the present invention, the communication processor 825 generates at least one SDU / PDU from the electronic signature and / or encrypted high-speed wireless Internet-based internet banking data, and generates the generated SDU / PDU. It is possible to directly apply to the protocol stack on the high-speed wireless Internet, SDU / PDU applied to the protocol stack on the high-speed wireless Internet is processed into packets transmitted and received through the high-speed wireless Internet to the network component on the high-speed wireless Internet It is transmitted to the Internet banking server 400 via.

When the browser program receives at least one or more packets corresponding to encrypted high-speed wireless Internet-based Internet banking related information from the Internet banking server 400 through the high-speed wireless Internet, the communication processor 825 receives from the packet. Restore the high speed wireless internet based internet banking related information encrypted by the internet banking server 400, and restore the high speed wireless internet based internet banking related information (for example, the high speed wireless internet based encrypted by the internet banking server 400). Internet banking-related information) is provided to the encryption processing unit 820 to be decrypted.

In addition, when the high-speed wireless Internet-based Internet banking-related information encrypted by the Internet banking server 400 is provided from the communication processing unit 825, the encryption processing unit at least one of the encrypted high-speed wireless Internet-based Internet banking related information. It is characterized by decoding through the above decoding method and / or decoding algorithm.

According to the exemplary embodiment of the present invention, the decryption scheme for decrypting the encrypted high-speed wireless Internet-based Internet banking related information by the encryption processing unit 820 may include a symmetric key (or secret key) decryption scheme, a public key decryption scheme, And / or at least one of an electronic envelope decryption scheme and / or a key exchange decryption scheme, wherein the decryption scheme encrypts the high-speed wireless Internet-based Internet banking related information in the Internet banking server 400. It is desirable to match the encryption scheme used to do this.

According to an exemplary embodiment of the present invention, at least one or more key values used by the encryption processing unit 820 to decrypt the high-speed wireless Internet-based Internet banking related information may be extracted from a public certificate provided in the terminal device 145. And / or can be extracted from the authentication server of the certification authority connected to the terminal device 145 through the high-speed wireless Internet and / or the directory linked to the authentication server, and the present invention is not limited thereto.

According to another embodiment of the present invention, when a predetermined electronic signature is attached to the high-speed wireless Internet-based Internet banking related information decrypted by the encryption processing unit 820, the electronic signature unit 815 is based on the high-speed wireless Internet An electronic signature-based validity authentication procedure for the high-speed wireless Internet-based internet banking-related information through an electronic signature attached to the internet banking-related information (e.g., confidentiality and authentication of the high-speed wireless internet-based internet banking related information). , Integrity and Nonrepudiation Ensuring Procedures).

The high-speed wireless Internet-based Internet banking related information decrypted by the encryption processing unit 820 is provided to the browser program and output to the screen output means provided in the terminal device 145 through the screen output unit 610. desirable.

9 is a diagram illustrating a certificate profile of a public certificate provided in the terminal device 145 for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

In more detail, FIG. 9 illustrates an IC chip provided in the memory unit 455 provided in the terminal device 145 and / or the terminal device 145 for high-speed wireless Internet-based internet banking based on the IETF RFC 2459 standard. Regarding the certified certificate profile provided in the IC chip and / or IC card interlocked through the reader unit 445, if you have ordinary knowledge in the technical field to which the present invention belongs, the official certificate profile shown in Figure 9 By referring to and / or modified to be able to easily infer the other public certificate profile provided in the terminal device 145, and / or public certificate profile provided in the Internet banking server 400 side, the present invention is The present invention is not limited by the inferred certificate profile.

Referring to FIG. 9, the certificate profile includes a version field including version information of the certificate, a serial number field including a unique positive integer value for identifying a certificate by a predetermined certification authority that issues the certificate, A signature algorithm field including an Object Identifier (OID) for a signature algorithm used by the certificate authority to generate the certificate, an issuer field for indicating the name of the certificate authority that issued the certificate as a Distinguished Name (DN); A validity field including a validity period of the certificate (eg, a certificate issuance date and a certificate revocation date), an owner field indicating a name of the owner of the certificate as a DN, and an algorithm identifier for the public key of the certificate owner. Possession including owner public key information including (OID and related parameters) and the owner public key value It characterized in that comprises a public key information field.

According to an embodiment of the present invention, the algorithm includes an encryption / decryption service, a signature / verification service including data integrity, a key exchange (key transfer) service, and a secure pseudo random number RSA (Rivest, Shamir, Adleman). Algorithms, and / or Digital Signature Standards (DSSs) of the Federal Information Processing Standards (FIPS) established by the National Institute of Standards and Technology (NIST) under the Department of Commerce (DePAR (135) ment of Commerce). Digital Signature Algorithm (DSA) corresponding to the Digital Signature Standard (DSA), and / or DH (Diffie, Hellman) algorithm, and / or ellipse on the finite field, defined based on algebraic on the finite field At least one elliptic curve DSA (ECDSA) algorithm and / or an elliptic curve DH (ECDH) algorithm defined by a set of groups defined by a solution to an equation for the curve. Becomes the lure, it is preferred that the private key is generated for the algorithm and the associated parameter and the owner based on the owner's public key value.

In addition, the certificate profile further includes an issuer unique identifier field for identifying a different issuer for a single DN, and an owner unique identifier field for identifying a different owner for a single DN. It is preferable to comprise.

The certificate profile may also include public key identification information (eg, information using the public key information or information using the certification authority name and certificate serial number) of the certificate of the certificate authority that issued the certificate. The owner public key identifier field including an identifier field, public key identification information certified by the certification authority, and the purpose of using the public key (e.g., for digital signature, nonrepudiation, key management, encryption, key matching, etc.). ), A key usage purpose field specifying), an owner private key validity field specifying the validity period of the digital signature generation key when the validity period of the owner digital signature generation key is shorter than the validity period of the certificate, and the issuance policy of the certificate. A certificate policy field specifying a certificate and a certificate of the other party's authentication service area upon mutual authentication between the authentication service areas A certificate policy mapping field specifying whether to accept a policy, an owner alternative name field indicating an additional name of the owner (or a unique identification information used in an authentication service area), and an additional name of the issuer (or authentication) Issuer alternative name field to specify unique identification information used in the service area, an owner directory information field indicating additional information about the owner and including the corresponding directory entry, and to prevent an illegal certification authority of the user. A basic restriction field for limiting the certification authority and the length of the certification path, a name restriction field used to limit the range of names used in the owner field and the owner alternative name extension field, and not included in the user certificate, and the certificate Policy Checking Requirements and Certificate Policy Mapping A policy restriction field specifying information (including only a certificate of a certification authority) for the prohibition of the service, an extended key use purpose field specifying a public key use purpose other than that indicated in the key use extension field, and the certificate A standard extension field area including a certificate revocation and revocation list distribution point field including location information from which certificate revocation and revocation list can be obtained when using the certificate revocation and revocation list as a method of checking the status information of the certificate; An extended field area including an issuer information access field for use in obtaining information about an issuing certification authority and an agent field for specifying information on the attorney if an agent is authorized by the owner of the certificate. It is possible to include an extension field including a.

According to the embodiment of the present invention, the fields are preferably digitally signed through the private key of the certification authority, thereby ensuring the validity of the certification authority that issued the certificate.

Hereinafter, the Internet banking customer authentication, as well as the Internet banking customer, further includes the network configuration information in a predetermined high-speed wireless Internet-based Internet banking data transmitted from the terminal device 145 to the Internet banking server 400. A high-speed wireless Internet-based internet banking process for simultaneously performing the terminal device 145 authentication will be described.

However, the high-speed wireless Internet-based Internet banking process according to the present invention is not limited to the embodiment shown below, the high-speed wireless Internet-based Internet banking according to the present invention in addition to the network configuration information shown below the high-speed wireless Internet-based Internet It may be implemented by further including the other information described above in the data for banking, and / or the network configuration information as well as the other information described above may be omitted in the high-speed wireless Internet-based Internet banking data according to the intention of the skilled person. The present invention is not limited thereby.

That is, the embodiment shown below is selected from among various high-speed wireless Internet-based Internet banking method according to the present invention to those skilled in the art to easily understand the high-speed wireless Internet-based Internet banking according to the present invention It is only one implementation method, and the technical features of the present invention are defined by the claims.

FIG. 10 is a diagram illustrating a high-speed wireless Internet access of a terminal device 145 and a communication connection operation to an internet banking server 400 for high-speed wireless Internet-based internet banking according to an embodiment of the present invention.

In more detail, FIG. 10 illustrates a case in which a terminal device 145 equipped with an encryption function as shown in FIG. 6 is connected to high-speed wireless internet, and when high-speed wireless internet-based internet banking is initiated from the terminal device 145, the present invention. The operation process of the terminal device 145 for high-speed wireless Internet-based Internet banking according to the present invention, those skilled in the art to which the present invention pertains, the present invention by referring to and / or modified in this drawing 10 Various implementation methods for the communication connection operation process of the terminal device 145 for the high-speed wireless Internet-based Internet banking according to the present invention can be inferred, but the present invention includes all the implementation methods inferred, as shown in FIG. It is not limited to implementation method.

Hereinafter, in FIG. 10, the Internet banking server 400 to which the terminal device 145 connects for high-speed wireless Internet-based Internet banking according to the present invention will be referred to as a "server".

Referring to FIG. 10, when a predetermined power is supplied to a terminal device 145 having a function of wirelessly connecting to the high-speed wireless Internet and the system is booted, the terminal device 145 is a base station 140 on the high-speed wireless Internet. After synchronizing with the downlink by acquiring the downlink channel and acquiring channel control parameters for the uplink, the uplink is synchronized through initial ranging, and the base station 140 receives information of the terminal device 145. In step 1000, an initial access procedure is informed.

When the initial access process is performed, a basic capability capability negotiation (Basic Capability Negotiation) is determined between the terminal device 145 and the base station 140 of the high-speed wireless Internet to determine the basic capability. When negotiated, the wireless access connection between the terminal device 145 and the base station 140 is extended to a wired section to receive the authentication and service authority of the terminal device 145 from the AAA server 110 via the PAR 135. The authentication procedure is performed (1005).

According to an embodiment of the present invention, a preferred authentication procedure for verifying authentication and service authority for the terminal device 145 on the high-speed wireless Internet is a subscriber ID (ID) provided from the base station 140 in the PAR 135. When providing a DER (Diameter E4 (E4tensible Authentication Protocol) Request) / Identity message including the AAA server 110 on the high-speed wireless Internet, the AAA server 110 receiving the determination determines whether the user is a legitimate subscriber A DIA EAP Answer (DEA) / Transport Layer Security (TLS) start message is transmitted to the PAR 135. Thereafter, the PAR 135 provides a DER / Client-Hello message including predetermined session information and connection information to the AAA server 110, and the AAA server 110 responds to the PAR 135. Send DEA / Server-Hello.

Next, the PAR 135 and the AAA server 110 provides a DER / TLS certificate from the PAR 135 to the AAA server 110 for mutual certificate exchange, and the AAA server 110 provides the PAR In step 135, the DEA / TLS change cipher spec and TLS finished messages are transmitted and transmitted to the PAR 135 that the use of the new encryption algorithm and the hand-shaking procedure are completed.

In addition, the PAR 135 transmits a DER / Ack to the AAA server 100 and receives a DEA / Success from the AAA server 110 to complete a certificate authentication process by completing a mutual certificate exchange.

When the basic provision capability negotiation and the authentication and registration procedure for the terminal device 145 are performed, an HA managing a mobile IP (MIP) for the terminal device 145 is assigned a predetermined IP to the terminal device 145. The process of allocating and registering an address is performed (1010).

According to the exemplary embodiment of the present invention, the terminal device 145 and the high-speed wireless Internet perform a process of generating and distributing a traffic encryption key to maintain security for traffic connection between the terminal device 145 and the base station 140. You can do more.

As described above, when the initial access process, the basic provisioning capability negotiation process, the authentication process for the user or the terminal device 145 and the MIP registration process are completed, the high-speed wireless Internet service for the terminal device 145 is started. During the service, the traffic flow is changed or deleted according to the traffic situation, handover when moving to another cell, management and billing of IP generated accordingly, and the high speed wireless Internet is established by the terminal 145. Various services can be provided through.

When the terminal device 145 normally connects to the high speed wireless internet as described above, the terminal device 145 transmits the network connection information and / or network configuration information checked in the high speed wireless internet access process to the memory unit 455. After storing (1015), the terminal device 145 periodically monitors internal resources (e.g., a resource for initiating Internet banking in the terminal device 145), thereby providing a browser program included in the terminal device 145. Check whether the server 400 is connected to the server 400 for high-speed wireless Internet-based Internet banking according to the present invention, if it is not confirmed that the browser program provided in the terminal device 145 accesses the server (1025). In operation 1030, the terminal device 145 performs other service functions in addition to the Internet banking through the terminal device 145 until the Internet banking is started.

On the other hand, if it is confirmed that the browser program provided in the terminal device 145 is connected to the server 400 for the high-speed wireless Internet-based Internet banking (1025), the terminal device 145 is interlocked with the browser program. Load the security module (1035), request a customer authentication data input interface screen including login information (eg, ID / PW information) to the server on the high-speed wireless Internet through the browser program (1040), and the server In response to the request of the terminal device 145, the user interface 400 provides a customer authentication data input interface screen including the login information to the terminal device 145 and outputs the generated screen (1045).

Thereafter, the terminal device 145 periodically checks whether predetermined login information is input through the customer authentication data input interface screen (1050), and if the predetermined login information is input (1055), the terminal device 145. ) Provides the login information input through the customer authentication data input interface screen output to the browser program to the security module (1060), and the security module provided with the login information provides the stored network configuration information from the memory unit. Is extracted (1065).

FIG. 11 is a diagram illustrating a process of connecting to an internet banking server 400 and a customer authentication process for high-speed wireless Internet-based internet banking in a terminal device 145 according to an exemplary embodiment of the present invention.

In more detail, in FIG. 11, as shown in FIG. 10, the security module which receives predetermined login information from a browser program and extracts network configuration information from a memory unit includes the login information and network configuration information. To generate and encrypt the transmission to the Internet banking server 400 through the high-speed wireless Internet, the Internet banking server 400 performs a customer authentication procedure for high-speed wireless Internet-based Internet banking through the received customer authentication data As a process, one of ordinary skill in the art to which the present invention pertains may refer to and / or modify this drawing 11 to implement various customer authentication procedures for high-speed wireless Internet-based Internet banking according to the present invention. It will be possible to infer the present invention, but the present invention is a method for all inferred And also, it not limited to the exemplary method shown in the figure 11.

Hereinafter, in FIG. 11, the Internet banking server 400 to which the terminal device 145 connects for high-speed wireless Internet-based Internet banking according to the present invention is referred to as a "server" for convenience, and the Internet banking on the high-speed wireless Internet. A network component that authenticates the Internet banking customer and the Internet banking terminal device 145 in association with the server 400 is called an "AAA server."

Referring to FIG. 11, the security module of the terminal device 145 generates predetermined customer authentication data including login information provided from the browser program and network configuration information extracted from the memory unit 455 (1100). In step 1105, the customer authentication data is encrypted and transmitted to the server 400 for providing the high speed wireless internet-based internet banking service through the high speed wireless internet.

According to an embodiment of the present invention, the security module of the terminal device 145 may be configured to convert the customer authentication data into a secret key (or replacement key) encryption method, a public key encryption method, and / or an electronic envelope encryption method, and It is preferable to encrypt using at least one encryption method of the key exchange encryption method, and the encryption method is preferably matched with a decryption method used by the server 400.

Thereafter, the server 400 receives and decrypts the customer authentication data encrypted by the terminal device 145 through the high-speed wireless Internet to restore the customer authentication data (1110).

According to the exemplary embodiment of the present invention, the server 400 decrypts the customer authentication data encrypted by the terminal device 145 in a secret key (or replacement key) decryption method, and / or a public key decryption method, and / or an electronic envelope. It is preferable to decrypt through at least one or more of a decryption scheme and / or a key exchange decryption scheme, and the decryption scheme is preferably matched with the encryption scheme used by the terminal device 145.

When the customer authentication data is restored as described above, the server 400 extracts the login information from the customer authentication data and compares and authenticates the member information provided in the server 400 to log in to the Internet banking customer. Check the information base validity (1115).

If the login information-based validity is not authenticated (1120), the server 400 generates a high-speed wireless Internet-based internet banking validity error result, and transmits and outputs the result to the terminal device 145 through the high-speed wireless Internet ( 1125).

On the other hand, if the login information-based validity is authenticated (1120), the server 400 is a predetermined customer identification information (for example, the server 400 and AAA) corresponding to the customer validation result from the member information provided in the server Information defined to mutually identify Internet banking customers between servers 110) is extracted (1130), and the network configuration information is extracted from the restored customer authentication data (1135).

Thereafter, the server 400 transmits the customer identification information and the network configuration information to the AAA server 110 on the high-speed wireless Internet to the Internet banking customer and the Internet banking terminal device 145 based on the network configuration information. Request a validity authentication (1140).

The AAA server 110 receiving the customer identification information and network configuration information from the server 400 extracts network configuration information of the terminal device 145 with respect to the customer identification information, and extracts the extracted network configuration information. By comparing and authenticating the network configuration information provided from the server 400 with each other, validating the Internet banking customer and the Internet banking terminal device 145 and generating a predetermined validity authentication result (1145). The validity authentication result generated based on the identification information and the network configuration information is transmitted to the server 400 (1150).

Subsequently, the server 400 reads the validity authentication result for the customer identification information and the network configuration information received from the AAA server 110, and network configuration information for the Internet banking customer and the Internet banking terminal device 145. The base validity is checked (1155).

If the network configuration information-based validity of the Internet banking customer and the Internet banking terminal device 145 is not authenticated (1160), the server 400 generates a high-speed wireless Internet-based internet banking validity error result to generate the high-speed wireless Internet. Through the transmission and output to the terminal device 145 (1125).

On the other hand, if the network configuration information-based validity of the Internet banking customer and the Internet banking terminal device 145 is authenticated (1160), the server 400 may determine the login information-based validity authentication result and the network configuration information-based validity authentication result. A predetermined high speed wireless Internet-based internet banking validity approval result is generated and transmitted to the terminal device 145 through the high speed wireless internet (1165).

12A and 12B illustrate a method of transmitting the customer authentication data from the terminal 145 to the Internet banking server 400 through a symmetric key (or secret key) based security function according to an embodiment of the present invention. Drawing.

In more detail, FIG. 12A illustrates an embodiment of the present invention in which a terminal device 145 having an encryption function as shown in FIG. 6 encrypts and transmits the customer authentication data in a symmetric key (or secret key) manner. Those skilled in the art may refer to and / or modify this drawing 12a to variously encrypt the customer authentication data in a symmetric key (or secret key) manner in the terminal device 145 on the high-speed wireless Internet. Although the implementation method may be inferred, the present invention includes all the inferred implementation methods, and is not limited to the implementation method shown in FIG. 12A.

In this figure 12a according to the embodiment of the present invention, the symmetric key (or secret key) is preferably read from the public certificate provided in the terminal device 145, and the public certificate is provided to the terminal device 145. Stored in a predetermined memory unit and / or stored in an ID-000 type IC chip (or IC card) mounted or detached from the terminal device 145, and / or the terminal device 145 In the case where a predetermined IC card reader is provided, all of them can be stored in an IC card inserted into the IC card reader, and the present invention is not limited thereto.

According to another embodiment of the present invention, the symmetric key (or secret key) is included in the interface screen provided from the internet banking server 400 to the terminal device 145 in addition to the public certificate, and / or the terminal device. It is possible to all be embedded on the communication program to communicate with the Internet banking server 400 on 145, whereby the invention is not limited.

Referring to FIG. 12A, when predetermined customer authentication data including predetermined login information and network configuration information is generated in the information generating unit 810 of the terminal device 145, the predetermined information is provided to the encryption processing unit 820. 1200a, when the customer authentication data is provided, the encryption processing unit 820 reads a predetermined symmetric key (or secret key) for encrypting the customer authentication data from the public certificate provided in the terminal device 145. 1205a, the customer authentication data is encrypted using the read symmetric key (or secret key) (1210a).

Herein, the encryption function of the encryption processing unit 820 is called E (Encryption), the symmetric key (or secret key) is k (key), the customer authentication data is P (Plaintext), and the symmetric key (or secret). If the customer authentication data encrypted with the key) is C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by a formula such as "Ek (P) = C".

According to the embodiment of the present invention, the encryption processing unit 820 encrypts the customer authentication data through the symmetric key (or secret key), SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, It is preferable to include at least one or more of the International Data Encryption Algorithm (IDEA), and various forms of encryption algorithms may be used, but the present invention is not limited to a specific encryption algorithm.

When the customer authentication data is encrypted through the symmetric key (or the secret key) as described above, the communication processor 825 generates at least one SDU / PDU from the encrypted customer authentication data and stores it in a higher layer on the communication protocol stack. 1215a, the wireless processor 630 corresponds to a media control layer and a physical layer defined between the wireless processor 630 and the base station 140 based on a communication protocol stack defined on the high-speed wireless Internet. By performing a communication process 1220a, the packet corresponding to the encrypted customer authentication data is transmitted to the internet banking server 400 through a network component on the high-speed wireless internet.

In addition, the Figure 12b is a symmetric key (or secret key) in the Internet banking server 400 as shown in Figure 4 the encrypted customer data received from the terminal device 145 with the encryption function as shown in Figure 6 Method for decrypting by the method, and if the user has ordinary knowledge in the technical field to which the present invention pertains, the encrypted customer in the terminal device 145 on the high-speed wireless Internet will be described with reference to FIG. Various implementation methods for decrypting authentication data using a symmetric key (or secret key) method may be inferred, but the present invention includes all the inferred implementation methods, and is not limited to the implementation method shown in FIG. 12B.

According to the embodiment of the present invention 12b, the symmetric key (or secret key) is preferably read from the public certificate provided in the Internet banking server 400, the public certificate is the Internet banking server 400 Is preferably stored in a predetermined database (not shown) that cooperates with, and the present invention is not limited thereto.

Referring to FIG. 12B, at least one receiver 505 of the Internet banking server 400 includes the encrypted customer authentication data from the operator network of the high-speed wireless Internet through a TCP / IP-based Internet and / or a dedicated line. The packet is received, and the terminal device 145 restores (or generates) encrypted customer authentication data through a symmetric key (or a secret key) from the received packet to provide the encryption unit 510 (1200b). ), The packet including the customer authentication data is received through a communication protocol stack defined in the high-speed wireless Internet.

Thereafter, the encryption unit 510 extracts a predetermined symmetric key (or secret key) for decrypting the encrypted customer authentication data from the public certificate provided in the internet banking server 400 (1205b), and extracts the extracted symmetric key (or secret key). The encrypted customer authentication data is decrypted using the encrypted symmetric key (or secret key) (1210b).

Here, the decryption function of the encryption unit 510 is called D (Decryption), and the customer authentication data encrypted with the symmetric key (or secret key) with k (key) and the symmetric key (or secret key) with C ( Ciphertext) and the decrypted customer authentication data are P (Plaintext), the function of decrypting the encrypted customer authentication data by the encryption unit 510 is " Dk = P, or Dk (Ek (P)) = It can be expressed by an expression such as "P".

According to the embodiment of the present invention, the encryption unit 510 decrypts the encrypted customer authentication data through the symmetric key (or secret key), SEED, DES (Data Encryption Standard), Triple-DES, At least one of Skipjack and International Data Encryption Algorithm (IDEA) is preferably included. Various types of decryption algorithms may be used, but the decryption algorithm matches the encryption algorithm used in the terminal device 145. The present invention is not limited to the specific decoding algorithm.

When the customer authentication data encrypted through the symmetric key (or secret key) is decrypted as described above, the encryption unit 510 provides the decrypted customer authentication data to the authentication processing unit 520 (1215b). The processor 520 is linked with the member information provided in the Internet banking server 400 and / or the AAA server 110 on the high-speed wireless Internet according to the Internet banking customer authentication process defined in the Internet banking server 400. To perform the Internet banking customer authentication process corresponding to the customer authentication data.

13A and 13B illustrate a method of transmitting the customer authentication data from the terminal 145 to the internet banking server 400 through a public key based security function according to an embodiment of the present invention.

In more detail, FIG. 13A illustrates an embodiment of the present invention in which a terminal device 145 having an encryption function as shown in FIG. 6 encrypts and transmits the customer authentication data in a public key infrastructure. With ordinary skill in the art, various implementation methods for encrypting the customer authentication data in a public key manner may be inferred from the terminal device 145 on the high-speed wireless Internet by referring to and / or modifying the drawing 13a. The present invention includes all the inferred implementation methods, and is not limited to the implementation method illustrated in FIG. 13A.

In this figure 13a according to the embodiment of the present invention, the server-side public key is preferably read from the public certificate provided in the terminal device 145, and the public certificate is provided in the terminal device 145. Is stored in the memory unit of the ID and / or in the IC chip (or IC card) of the ID-000 type to be mounted on or detached from the terminal device 145, and / or predetermined in the terminal device 145 When the IC card reader is provided, it is possible to store all of the IC card inserted into the IC card reader, and the present invention is not limited thereto.

Alternatively, the server-side public key may be extracted from a predetermined directory (not shown) that is operated and managed by a certification authority that issues the certificate to the terminal device 145, and thus the present invention is not limited thereto. .

Referring to FIG. 13A, when predetermined customer authentication data including predetermined login information and network configuration information is generated in the information generating unit 810 of the terminal device 145, the predetermined information is provided to the encryption processing unit 820. When the customer authentication data is provided, the encryption processing unit 820 extracts a predetermined server side public key for encrypting the customer authentication data from the authorized certificate (1305a), and extracts the extracted server side public key. The customer authentication data is encrypted through a key (1310a).

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the server-side public key is k1 (key), the customer authentication data is P (Plaintext), and the customer authentication encrypted with the server-side public key. When the data is referred to as C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by an expression such as "Ek1 (P) = C".

According to an embodiment of the present invention, the algorithm for encrypting the customer authentication data by the encryption processing unit 820 through the server-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm) , DH (Diffie, Hellman), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH, or at least one of the above. Preferably, various types of encryption algorithms may be used. The invention is not limited.

For example, in the case of encrypting the customer authentication data through the RSA encryption algorithm among the encryption algorithms, a public method (Modulus) used in the encryption process is n, and a non-disclosed prime number with different prime factors of n and a b, if the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a- 1) (b-1) ", wherein the encryption function of the encryption processing unit 820 may be expressed as" C = Ek1 (P) = Pe mod n ".

When the customer authentication data is encrypted through the server-side public key as described above, the communication processing unit 825 generates at least one SDU / PDU from the encrypted customer authentication data and stores it in an upper layer on the communication protocol stack (1315a). The wireless processing unit 630 communicates with the media control layer and the physical layer defined between the wireless processing unit 630 and the base station 140 based on the communication protocol stack defined on the high-speed wireless Internet. By performing 1320a, the packet corresponding to the encrypted customer authentication data is transmitted to the Internet banking server 400 through a network component on the high-speed wireless Internet.

FIG. 13B also decrypts the customer authentication data encrypted and received from the terminal device 145 having the encryption function as shown in FIG. 6 in a public key infrastructure structure in the Internet banking server 400 as shown in FIG. The present invention relates to an embodiment of the present invention, which is known in the art to which the present invention pertains. Referring to FIG. 13b and / or modified, the terminal device 145 on the high-speed wireless Internet is encrypted with the server-side public key. Various implementation methods for decrypting customer authentication data in a public key infrastructure scheme may be inferred, but the present invention includes all the inferred implementation methods and is not limited to the implementation method shown in FIG. 13B.

According to the embodiment of the present invention, in FIG. 13B, the server-side private key for decrypting the customer authentication data encrypted with the server-side public key in a public key infrastructure scheme is obtained from the public certificate server provided in the Internet banking server 400. Preferably, the public certificate is stored in a predetermined database (not shown) interworking with the Internet banking server 400, and the present invention is not limited thereto.

Referring to FIG. 13B, the receiving unit 505 of the internet banking server 400 may include at least one or more customer authentication data encrypted from a service provider network of the high-speed wireless Internet through a TCP / IP-based Internet and / or a dedicated line. Receives a packet, restores (or generates) customer authentication data encrypted and transmitted from the terminal device 145 to the encryption unit 510 from the received packet (1300b), and includes the customer authentication data. Preferably, the packet is received through a communication protocol stack defined in the high-speed wireless Internet.

Thereafter, the encryption unit 510 extracts a server-side private key for decrypting the encrypted customer authentication data from the public certificate provided in the internet banking server 400 (1305b), and extracts the extracted server-side private key. The encrypted customer authentication data is decrypted through 1310b.

Here, the decryption function of the encryption unit 510 is called D (Decryption), the server-side private key is k2 (key), and the customer authentication data encrypted with the server-side public key is C (Ciphertext), and the server side. When the customer authentication data decrypted with the private key is called P (Plaintext), the function of decrypting the encrypted customer authentication data by the encryption unit 510 is "Dk2 = P, or Dk2 (Ek (P)) = P" and The same formula can be used.

According to an embodiment of the present invention, the algorithm for decrypting the customer authentication data encrypted with the server-side public key in the terminal device 145 through the server-side private key, RSA (Ron Rivest, Adi). Shamir, Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH, at least one or more of the various forms of decoding algorithms May be used, the decryption algorithm is matched with the encryption algorithm used in the terminal device 145, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the customer authentication data through the RSA decryption algorithm of the public key-based decryption algorithm, n is a public method (Modulus) used in the decryption process, n, a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e, the undisclosed index is d, the n satisfies "n = a * b", d is "de = 1 mod (a-1) (b-1) ", wherein the decryption function of the encryption unit can be expressed as" P = Dk2 = Cd mod n ".

When the customer authentication data encrypted with the server-side public key is decrypted by the terminal device 145 through the server-side private key as described above, the encryption unit provides the decrypted customer authentication data to the authentication processing unit 520 (1315b). ), The authentication processing unit 520 is a member of the information provided in the Internet banking server 400 and / or AAA server on the high-speed wireless Internet in accordance with the Internet banking customer authentication process defined in the Internet banking server 400 ( In connection with 110, the Internet banking customer authentication process corresponding to the customer authentication data is performed.

14A and 14B illustrate a method of transmitting the customer authentication data from the terminal device 145 to the internet banking server 400 through the electronic bag-based security function according to an embodiment of the present invention.

More specifically, Figure 14a is an embodiment of the method for encrypting and transmitting the customer authentication data in an electronic envelope method in the terminal device 145 with the encryption function as shown in Figure 6, in the technical field to which the present invention belongs With reference to FIG. 14A, various implementation methods for encrypting the customer authentication data in an electronic envelope method may be inferred from the terminal device 145 on the high-speed wireless Internet by referring to and / or modifying the drawing 14a. The invention encompasses all of the inferred practice methods, and is not limited to the practice method shown in FIG. 14A.

In this figure 14a according to the embodiment of the present invention, the server-side public key is preferably read from the public certificate provided in the terminal device 145, and the public certificate is provided in the terminal device 145. Is stored in the memory unit of the ID and / or in the IC chip (or IC card) of the ID-000 type to be mounted on or detached from the terminal device 145, and / or predetermined in the terminal device 145 When the IC card reader is provided, it is possible to store all of the IC card inserted into the IC card reader, and the present invention is not limited thereto.

Alternatively, the server-side public key may be extracted from a predetermined directory (not shown) that is operated and managed by a certification authority that issues the certificate to the terminal device 145, and thus the present invention is not limited thereto. .

Referring to FIG. 14A, when predetermined customer authentication data including predetermined login information and network configuration information is generated in the information generating unit 810 of the terminal device 145, the predetermined information is provided to the encryption processing unit 820. When the customer authentication data is provided, the encryption processing unit 820 generates a predetermined random secret key for encrypting the customer authentication data in a secret key (symmetric key) manner. In operation 1405a, the customer authentication data is encrypted using the generated secret key (1410a).

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the secret key is r (random secret key), the customer authentication data P (Plaintext), and the customer authentication data encrypted with the secret key Speaking of C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by a formula such as "Er (P) = C".

According to the embodiment of the present invention, the algorithm for encrypting the customer authentication data by the encryption processing unit 820 through the secret key, SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, IDEA (International Data Encryption) It is preferable to include at least one of the algorithm (Algorithm), and various forms of encryption algorithm may be used, but the present invention is not limited by a specific encryption algorithm.

Thereafter, the encryption processing unit 820 encrypts the secret key (random secret key) used to encrypt the customer authentication data. To this end, the encryption processing unit 820 extracts a predetermined server-side public key from the public certificate. The private key is encrypted (1415a) using the server-side public key (1420a).

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the server-side public key is k1 (key), the secret key is r (random Secret key), and the secret encrypted with the server-side public key. If the key is C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by an expression such as "Ek1 (r) = C".

According to the exemplary embodiment of the present invention, the encryption processing unit 820 encrypts the secret key through the server-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the secret key through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the encryption function of the encryption processing unit 820 may be expressed as" C = Ek1 (r) = re mod n ".

If the customer authentication data is encrypted with the secret key, and the secret key is encrypted with the server-side public key, the encryption processing unit 820 encrypts the customer authentication data encrypted with the secret key and the server-side public key. The transaction data associated with the key is generated and provided to the communication processor 825 (1425a).

The communication processing unit 825 generates at least one SDU / PDU from the transaction data and stores it in an upper layer on a communication protocol stack (1430a), and the wireless processing unit 630 performs the radio processing unit 630 on the communication protocol stack. And a communication process corresponding to the media control layer and the physical layer defined between the base station 140 and the base station 140 (1435a), thereby transmitting the transaction data including the encrypted customer authentication data to the network component on the high-speed wireless Internet. It transmits to the Internet banking server 400 through.

In addition, FIG. 14B shows the transaction data in the Internet banking server 400 as shown in FIG. 4, which receives transaction data including encrypted customer authentication data from the terminal device 145 having the encryption function as shown in FIG. As an embodiment of the present invention, a method of decoding by an electronic envelope method, and if the present invention has a general knowledge, the electronic device in the terminal device 145 on the high-speed wireless Internet by referring to and / or modified in this figure 14b. Various implementation methods for decrypting the envelope-encrypted transaction data in the same electronic envelope method may be inferred, but the present invention includes all the inferred implementation methods, and is not limited to the implementation method shown in FIG. 14B. .

According to an embodiment of the present invention, in FIG. 14B, the server-side private key for decrypting the transaction data in an electronic envelope method is preferably read from the public certificate provided in the internet banking server 400, and the public certificate. Is preferably stored in a predetermined database (not shown) interworking with the Internet banking server 400, whereby the present invention is not limited.

Referring to FIG. 14B, the receiving unit 505 of the Internet banking server 400 may include predetermined customer authentication data encrypted over a TCP / IP-based Internet and / or a dedicated line from a carrier network of the high-speed wireless Internet. Receives at least one packet including transaction data, and restores (or generates) transaction data including customer authentication data encrypted and transmitted by the terminal device 145 from the received packet to the encryption unit 510 1400b, the packet including the transaction data is received through a communication protocol stack defined in the high-speed wireless Internet.

Thereafter, the encryption unit 510 extracts a server-side private key for decrypting the encrypted secret key included in the transaction data from the public certificate provided in the internet banking server 400 (1405b), and extracts the extracted private key. By decrypting the private key encrypted with the server-side public key in the terminal device 145 through a server-side private key (1410b), a predetermined secret key for decrypting the customer authentication data is extracted (1415b), and the extraction is performed. By decrypting the customer authentication data using the secret key (1420b), the terminal device 145 extracts the customer authentication data encrypted with the secret key (1425b).

Here, the decryption function of the encryption unit 510 is called D (Decryption), the server-side private key is k2 (key), and the secret key encrypted with the server-side public key is C (Ciphertext) and the server-side individual. When the secret key decrypted with the key is r (random secret key), the function of decrypting the encrypted secret key by the encryption unit 510 is "Dk2 = r, or Dk2 (Ek1 (r)) = r". It can be expressed as an expression.

According to an exemplary embodiment of the present invention, an algorithm for the encryption unit 510 to decrypt the secret key encrypted with the server-side public key in the terminal device 145 through the server-side private key may be RSA (Ron Rivest, Adi Shamir). , Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, and ECDH. Although it can be used, the decryption algorithm is characterized in that it matches the encryption algorithm used in the terminal device 145, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the secret key through the RSA decryption algorithm among the public key-based decryption algorithms, n is a public method (Modulus) used in the decryption process, and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption unit 510 may be expressed as" P = Dk2 = Cd mod n ".

Here, the decryption function of the encryption unit 510 is called D (Decryption), the secret key is r (random secret key), the customer authentication data encrypted with the secret key (C (Ciphertext)), and the decrypted When the customer authentication data is called P (Plaintext), the function of decrypting the encrypted customer authentication data by the encryption unit 510 may be expressed by a formula such as "Dr = P, or Dr (Er (P)) = P". Can be.

According to the embodiment of the present invention, the encryption unit 510 decrypts the encrypted customer authentication data through the secret key, SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, IDEA (International) It is preferable to include at least one or more of the Data Encryption Algorithm, and in addition to the decryption algorithm of various forms may be used, the decryption algorithm is characterized in that it is matched with the encryption algorithm used in the terminal device (145) However, the present invention is not limited to the specific decoding algorithm.

When the customer authentication data is decrypted as described above, the encryption unit 510 provides the decrypted customer authentication data to the authentication processing unit (1415b), and the authentication processing unit 520 is defined in the Internet banking server 400. Internet banking customer authentication processing corresponding to the customer authentication data in conjunction with the member information and / or AAA server 110 on the high-speed wireless Internet provided in the Internet banking server 400 according to the Internet banking customer authentication processing procedure To perform.

15A, 15B, 15C, and 15D illustrate a method of transmitting the customer authentication data from the terminal 145 to the Internet banking server 400 through a key exchange security function according to an embodiment of the present invention. One drawing.

15A and 15B illustrate a method of encrypting and transmitting the customer authentication data in a key exchange method in a terminal device 145 having an encryption function as shown in FIG. With ordinary skill in the art, various implementation methods for encrypting the customer authentication data in a key exchange method may be inferred from the terminal device 145 on the high-speed wireless Internet by referring to and / or modifying the drawing 15. The present invention includes all the inferred implementation methods, and is not limited to the implementation method illustrated in FIG.

In this figure 15 according to the embodiment of the present invention, the terminal-side private key and the server-side public key are preferably read from the public certificate provided in the terminal device 145, and the public certificate is the terminal device 145. ) Is stored in a predetermined memory unit, and / or stored in an ID-000 type IC chip (or IC card) mounted on or detached from the terminal device 145, and / or the terminal device ( If a predetermined IC card reader is provided at 145, all of them can be stored in an IC card inserted into the IC card reader, and the present invention is not limited thereto.

Alternatively, the terminal-side private key and the server-side public key may be extracted from a predetermined directory (not shown) operated and managed by a certification authority that issues the certificate to the terminal device 145. The invention is not limited.

15A and 15B, when predetermined customer authentication data including predetermined login information and network configuration information is generated in the information generating unit 810 of the terminal device 145, the encryption processing unit 820 When the customer authentication data is provided, the encryption processing unit 820 provides the customer authentication data with a predetermined one-way hash function (for example, a hash code having a predetermined length regardless of the length of the customer authentication data). A one-way hash function that generates a message digest including a hash code, and cannot identify (or infer) the original message through the hash code (or message digest). 145) and the Internet banking server 400 generate a predetermined message digest through the same hash function (1505a), and send the message digest via the terminal-side private key. By encryption and electronic signature (1510a).

Herein, the encryption function of the encryption processing unit 820 is called E (Encryption), the terminal-side private key is encrypted with t1 (terminal side key), the message digest is m (message digest), and the terminal-side private key. If the message digest is C (Ciphertext), the digital signature function of the encryption processing unit 820 may be expressed by an expression such as "Et1 (m) = C".

According to an embodiment of the present invention, the encryption processing unit 820 encrypts the message digest using the terminal-side private key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the message digest through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the digital signature function of the encryption processing unit 820 may be expressed as" C = Et1 (m) = me mod n ".

In addition, the encryption processing unit 820 generates a predetermined random secret key for encrypting the customer authentication data using a secret key (symmetric key) method (1515a), and the customer authentication data and The message digest encrypted with the terminal-side private key and a copy of a certificate (for example, a certificate including a terminal-side public key) included in the public certificate are linked to each other and encrypted through the generated secret key (1520a).

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the secret key is r (random secret key), the customer authentication data and the copy of the certificate P (Plaintext), and the customer encrypted with the secret key When the authentication data and the certificate copy are referred to as C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by an expression such as "Er (P) = C".

According to the embodiment of the present invention, the encryption processing unit 820 encrypts the customer authentication data and the certificate copy through the secret key, SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, IDEA ( It is preferable to include at least one or more of the International Data Encryption Algorithm, and various types of encryption algorithms may be used, but the present invention is not limited to a specific encryption algorithm.

In addition, the encryption processing unit 820 extracts a predetermined server-side public key from the public certificate (1525a) to encrypt the private key that encrypts the customer authentication data (1525a), and uses the server-side public key. The secret key encrypting the authentication data is encrypted (1530a).

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the server-side public key is encrypted with s1 (server side key), the secret key is r (random secret key), and the server-side public key. When the secret key is referred to as C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by an expression such as "Es1 (r) = C".

According to the exemplary embodiment of the present invention, the encryption processing unit 820 encrypts the secret key through the server-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the secret key through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the encryption function of the encryption processing unit 820 may be expressed as" C = Es1 (r) = re mod n ".

A copy of a certificate including the message digest encrypted with the client authentication data and the terminal-side private key and the terminal-side public key is linked and encrypted through the generated secret key, and the secret key is passed through the server-side public key. When encrypted, the encryption processing unit 820 encrypts a copy of the certificate including the message digest and the terminal-side public key encrypted with the customer authentication data encrypted with the secret key and the terminal-side private key with the server-side public key. The predetermined transaction data is generated in association with the secret key, and the generated transaction data is provided to the communication processing unit 825 (1535a).

The communication processing unit 825 generates at least one SDU / PDU from the transaction data and stores it in an upper layer on a communication protocol stack (1540b), and the wireless processing unit 630 performs the radio processing unit 630 on the communication protocol stack. Communication process corresponding to the media control layer and the physical layer defined between the base station 140 and the base station 140, the Internet banking server sends the encrypted customer authentication data through a network component on the high-speed wireless Internet. Send to 400.

15C and 15D are the same in the Internet banking server 400 as shown in FIG. 4, which receives transaction data including encrypted customer authentication data from the terminal device 145 having the encryption function as shown in FIG. The present invention relates to a method of decrypting a transaction data by a key exchange method, and the terminal device on the high-speed wireless Internet will be described with reference to and / or modified with reference to the drawings 15c and 15d. Although it is possible to infer various implementation methods for decrypting the transaction data encrypted by the key exchange scheme in the same key exchange scheme at 145, the present invention includes all the inferred implementation methods, and FIGS. 15C and 15D. It is not limited to the implementation method shown by.

15C and 15D according to an embodiment of the present invention, the server-side private key and the terminal-side public key for decrypting the transaction data in a key exchange method are read from the public certificate provided in the Internet banking server 400. Preferably, the public certificate is preferably stored in a predetermined database (not shown) interworking with the Internet banking server 400, whereby the present invention is not limited.

15C and 15D, the receiving unit 505 of the Internet banking server 400 includes customer authentication data encrypted through a TCP / IP-based Internet and / or a leased line from a carrier network of the high-speed wireless Internet. Receiving at least one or more packets including the made transaction data, and restoring (or generating) the transaction data including the customer authentication data encrypted and transmitted from the terminal apparatus 145 from the received packet (1500c); Providing restored (or generated) transaction data to the encryption unit (1505c), wherein the packet containing the transaction data is received via a communication protocol stack defined in the high speed wireless Internet, and / or with the secret key The message digest encrypted with the encrypted customer authentication data and the terminal-side private key It comprises a root and the terminal side 's public key certificate including the copy, and the private key encrypted with the public key wherein the server-side is preferred.

Thereafter, the encryption unit 510 extracts the server-side private key from the public certificate provided in the Internet banking server 400 to decrypt the secret key encrypted with the server-side public key (1510d), and the server side. By decrypting the secret key through a private key (1515d), the secret key for decrypting a copy of the certificate including the message digest encrypted with the customer authentication data and the terminal-side private key and the terminal-side public key is extracted. (1520d).

Here, the decryption function of the encryption unit 510 is called D (Decryption), the server side private key is s2 (server side key), the secret key encrypted with the server side public key is C (Ciphertext), and the server. If the secret key decrypted with the side private key is r (random secret key), the function of decrypting the encrypted secret key by the encryption unit 510 is "Ds2 = r, or Ds2 (Es1 (r)) = r". It can be expressed as

According to an exemplary embodiment of the present invention, an algorithm for the encryption unit 510 to decrypt the secret key encrypted with the server-side public key in the terminal device 145 through the server-side private key may be RSA (Ron Rivest, Adi Shamir). , Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, and ECDH. Although it can be used, the decryption algorithm is characterized in that it matches the encryption algorithm used in the terminal device 145, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the secret key through the RSA decryption algorithm among the public key-based decryption algorithms, n is a public method (Modulus) used in the decryption process, and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption unit 510 may be expressed as" P = Ds2 = Cd mod n ".

When the secret key is extracted as described above, the encryption unit 510 copies the certificate including the message digest and the terminal side public key encrypted with the customer authentication data and the terminal side private key using the extracted secret key. By decrypting (1525d), a copy of the certificate including the client authentication data encrypted with the secret key and the message digest encrypted with the terminal-side private key and the terminal-side public key is extracted.

Here, the decryption function of the encryption unit 510 is called D (Decryption), the secret key is r (random secret key), the message digest encrypted with the secret key and the customer authentication data and the terminal-side private key and C (Cipherte4t) the certificate copy containing the terminal-side public key and P (Plaintext) the certificate copy including the message digest encrypted with the decrypted customer authentication data and the terminal-side private key and the terminal-side public key. In this case, the function of decrypting the copy of the certificate including the message digest encrypted with the encrypted customer authentication data and the terminal-side private key and the terminal-side public key is "Dr = P, or Dr." It can be expressed by an expression such as (Er (P)) = P ".

According to an embodiment of the present invention, the encryption unit 510 decrypts a copy of the certificate including the message digest encrypted with the encrypted customer authentication data and the terminal-side private key and the terminal-side public key through the secret key. Preferably, the algorithm includes at least one or more of SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, and International Data Encryption Algorithm (IDEA). In addition, various types of decryption algorithms may be used. The decryption algorithm is characterized in that it matches the encryption algorithm used in the terminal device 145, the present invention is not limited by a specific decryption algorithm.

In addition, the encryption unit 510 decrypts the message digest encrypted with the terminal-side private key through the terminal-side public key (1530d), so that the message generated and transmitted from the customer authentication data by the terminal apparatus 145 is transmitted. Extract the digest (1535d).

Here, the decryption function of the encryption unit 510 is called D (Decryption), the terminal side public key is t2 (terminal side key), and the message digest encrypted with the terminal side private key is C (Cipherte4t), and the terminal. If the message digest decrypted with the side public key is m (Message Digest), the function of decrypting the encrypted message digest by the encryption unit 510 is "Dt2 = m, or Dt2 (Es1 (r)) = m"; The same formula can be used.

According to an exemplary embodiment of the present invention, an algorithm for decrypting the message digest encrypted by the terminal device 145 with the terminal-side private key through the terminal-side public key may be RSA (Ron Rivest, Adi Shamir). , Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, and ECDH. Although it can be used, the decryption algorithm is characterized in that it matches the encryption algorithm used in the terminal device 145, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the message digest through the RSA decryption algorithm of the public key-based decryption algorithm, n is a public method (Modulus) used in the decryption process and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption unit 510 may be expressed as" P = Dt2 = Cd mod n ".

Subsequently, the encryption unit 510 generates a predetermined message digest using the same one-way hash function with the received customer authentication data (1540d), and then generates the decrypted message digest and the decrypted message. By comparing the message digest (1545d), the validity of the received customer authentication data is verified.

If the generated message digest and the decrypted message digest match (1550d), the encryption unit 510 provides the customer authentication data to the authentication processing unit 520 (1515d), and the authentication processing unit 520. In accordance with the Internet banking customer authentication process defined in the Internet banking server 400, the customer authentication in conjunction with the member information and / or AAA server 110 on the high-speed wireless Internet provided in the Internet banking server 400 Perform an internet banking customer authentication process corresponding to the data.

FIG. 16 is a diagram illustrating a process of connecting to an internet banking server 400 and a customer authentication process for high-speed wireless Internet-based internet banking in a terminal device 145 according to another exemplary embodiment of the present invention.

In more detail, in FIG. 16, as shown in FIG. 10, the security module receiving predetermined login information from a browser program, and extracting network configuration information from a memory unit, uses the login information as member authentication data. Generates predetermined customer authentication data using network configuration information as network authentication data and attaches a double signature to the traffic relay device (or server) via the high-speed wireless Internet. Checking and authenticating the electronic signature of the network authentication data included in the customer authentication data, and generates predetermined banking authentication data according to the authentication result and transmits the predetermined banking authentication data to the Internet banking server 400, the Internet banking server 400 in the Customer authentication section for high-speed wireless Internet-based Internet banking with received banking authentication data As a process for performing a car, a person having ordinary knowledge in the art to which the present invention pertains, various customer authentication procedures for high-speed wireless Internet-based Internet banking according to the present invention by referring to and / or modifying the present invention 16 It will be possible to infer an implementation method for the present invention, but the present invention includes all the implementation methods inferred above and is not limited to the implementation method shown in FIG.

Hereinafter, in FIG. 16, the Internet banking server 400 to which the terminal device 145 connects for high-speed wireless Internet-based Internet banking according to the present invention is referred to as a "server" for convenience, and the traffic relay apparatus on the high-speed wireless Internet. (Or server) is called an "AAA server".

Referring to FIG. 16, the security module of the terminal device 145 uses login information provided from the browser program as member authentication data and uses network configuration information extracted from the memory unit 455 as network authentication data. Generates predetermined customer authentication data (1600), attaches a double signature to the generated customer authentication data, and transmits it to the AAA server 110 on the high-speed wireless Internet (1605).

According to an exemplary embodiment of the present invention, the security module electronically signs the login information to be used as the member authentication data in the server, and enables the network configuration information to be used as the network authentication data in the AAA server 110. It is preferable to digitally sign.

The AAA server 110 receives the double-signed customer authentication data through the high-speed wireless Internet, confirms an electronic signature for network authentication data included in the customer authentication data, and corresponds to the network authentication data. The validity of the configuration information is verified (1610).

If the electronic signature for the network authentication data is confirmed, and the validity of the network configuration information corresponding to the network authentication data is not confirmed (1615), the AAA server 110 is a high-speed wireless Internet based Internet according to the present invention A banking validity error result is generated, transmitted and output to the terminal device 145 (1620), and the communication channel between the terminal device 145 and the server 400 is blocked (1625).

On the other hand, if the electronic signature for the network authentication data is confirmed, and the validity of the network configuration information corresponding to the network authentication data is confirmed (1615), the AAA server 110 from the validated customer authentication data The server generates and transmits predetermined banking authentication data for verifying the digital signature of the member authentication data and validity of the login information to the server (1630).

The server 400 receives the banking authentication data from the AAA server 110 through a high-speed wireless Internet, confirms an electronic signature for member authentication data included in the banking authentication data, and corresponds to the member authentication data. The validity of the login information is checked (1635).

If the electronic signature for the member authentication data is confirmed, and the validity of the login information corresponding to the member authentication data is not confirmed (1640), the server receives a result of the high-speed wireless Internet-based internet banking validation error according to the present invention. It generates and transmits to the terminal device 145 and outputs it (1645).

On the other hand, if the electronic signature for the member authentication data is confirmed, and the validity of the login information corresponding to the member authentication data is not confirmed (1640), the server 400 is the high-speed wireless Internet-based Internet banking validity according to the present invention The approval result is generated and transmitted and output to the terminal device 145 (1650).

17A, 17B, and 17C are examples of double signing customer authentication data in a terminal device 145 and transmitting the data to a Internet banking server 400 through a traffic relay device (or server) according to an embodiment of the present invention. A diagram illustrating the method.

In more detail, FIGS. 17A, 17B, and 17C illustrate that the terminal apparatus 145 uses the login information as member authentication data and uses the network configuration information as network authentication data according to the dual signature scheme shown in FIG. Generating predetermined customer authentication data to use and attaching a double signature to the traffic relay device (or server) via the high-speed wireless Internet, the network authentication included in the customer authentication data in the traffic relay device (or server) Checking and authenticating the digital signature of the data, and generating predetermined banking authentication data according to the authentication result and transmitting it to the internet banking server 400, the high speed through the received banking authentication data from the internet banking server 400 As an embodiment of performing a customer authentication procedure for wireless Internet-based Internet banking, the present invention Those skilled in the art can refer to and / or modify the drawings 17a, 17b, and 17c to infer methods for implementing various customer authentication procedures for high-speed wireless Internet-based Internet banking according to the present invention. It will be appreciated that the present invention includes all implementation methods inferred from the above, and is not limited to the implementation methods shown in FIGS. 17A, 17B and 17C.

Referring to FIG. 17A, the terminal device 145 may include a message digest including a predetermined one-way hash function (eg, a hash code having a predetermined length regardless of the length of the network authentication data). One-way hash function that generates (Message Digest) and cannot identify (or infer) the original message through the hash code (or message digest) .The terminal and server side use the same hash function) After generating a predetermined first message digest (1700a), and also generates a predetermined second message digest through a predetermined one-way hash function (1705a), the first message digest and the second message The digest is concatenated (1710a), and the concatenated first message digest and the second message digest are predetermined message dies through a predetermined one-way hash function. It generates a host (1715a).

Here, the network authentication data is information to be transmitted to the traffic relay device (or server) through the wireless section 1745a of the high-speed wireless Internet, and the member authentication data is the wired section 1175b of the high-speed wireless Internet. Information to be finally transmitted to the Internet banking server 400.

Thereafter, the terminal device 145 performs the electronic signature by encrypting the generated message digest through the terminal-side private key (1720a), and the terminal-side private key is assigned to the terminal-side IC card and / or the wireless terminal. It is preferable to extract from the public certificate provided in the IC chip to be mounted or detached.

In addition, the terminal device 145 generates a predetermined secret key (or symmetric key) for encrypting the member authentication data (1725a), and the member authentication data using the generated secret key (or symmetric key). Encrypt (1730a).

In addition, the terminal device 145 is a copy of the server-side certificate included in the authorized certificate included in the terminal-side IC card and / or IC chip mounted on or detached from the wireless terminal, and / or authentication provided on the network Encrypting the secret key (or symmetric key) which extracts the server-side public key from a server (not shown) (and / or a directory (not shown) associated with an authentication server) and encrypts the member authentication data in an electronic envelope method. (1735a).

Thereafter, the terminal device 145 is configured to encrypt the network authentication data, the member authentication data encrypted with the generated secret key (or symmetric key), the secret key (or symmetric key) encrypted with the server-side public key, and A first message digest concatenated with a first message digest generated from network authentication data and a second message digest generated from member authentication data, and a message digest generated from the concatenated first message digest and a second message digest. Concatenates the message digest encrypted with the terminal-side private key to generate predetermined customer authentication data (1740a), and generates the generated customer authentication data through the wireless section 1745a of the predetermined high-speed wireless Internet. Or server).

Referring to FIG. 17B, the traffic relay apparatus (or server) receives customer authentication data transmitted from the terminal device 145 through a wireless section 1745a of the high speed wireless Internet (1700b), and receives the received customer. The network authentication data is extracted from the authentication data (1705b), and the one-way hash function identical to the one-way hash function applied to the network authentication data by the terminal device 145 is applied to the network authentication data extracted from the customer authentication data. Generate a first message digest of (1710b).

According to an embodiment of the present invention, when the network authentication data is extracted from the received customer authentication data, the traffic relay apparatus (or server) further performs a process of checking the authentication and integrity of the extracted network authentication data. The present invention is not limited thereto.

Thereafter, the traffic relay apparatus (or server) concatenates the first message digest generated from the network authentication data and the second message digest generated from the member authentication data from the received customer authentication data. Extract a first message digest (1715b), replace the first message digest of the extracted second message digest with a first message digest generated by the traffic relay (or server) (1720b) ), A predetermined message digest is generated by applying a one-way hash function identical to the one-way hash function applied to the first / second message digest by the terminal device 145 to the first / second message digest in which the first message digest is replaced. (1725b).

Further, the traffic relay apparatus (or server) extracts the message digest encrypted with the terminal-side private key from the received customer authentication data (1730b), and is also provided on a predetermined database (not shown) and / or network. Extracts a predetermined terminal side public key corresponding to the terminal side private key from an authentication server (not shown) (and / or a directory associated with the authentication server (not shown)) and decrypts the message digest encrypted with the terminal side private key. In operation 1740b, the terminal device 145 restores the message digest generated by applying a predetermined one-way hash function to the first message digest.

Thereafter, the traffic relay apparatus (or server) checks the validity of the customer authentication data transmitted from the terminal device 145 by comparing the generated message digest with the restored message digest (1745b).

If the validity of the customer authentication data transmitted from the terminal device 145 is confirmed, the traffic relay device (or server) receives the member authentication data encrypted with the secret key (or symmetric key) from the customer authentication data. Extract (1750b), extract the secret key (or symmetric key) encrypted with the electronic envelope method through the server-side public key (1765b), and generate the first message digest generated by the traffic relay device (or server). Read the replaced 1/2 message digest (1760b), extract the message digest encrypted with the terminal-side private key from the customer authentication data (1765), and then encrypt the member authentication data with the secret (or symmetric) key. And the secret key (or symmetric key) encrypted by the electronic envelope method through the server-side public key, the 1/2 message digest, and the terminal-side individual. Concatenates the encrypted message digest to generate predetermined banking authentication data (1770b), and transmits the generated banking authentication data to the Internet banking server 400 through a wired section 1175b of a predetermined high-speed wireless Internet. .

Referring to FIG. 17c, the internet banking server 400 receives banking authentication data transmitted from the traffic relay apparatus (or server) through the wired section 1175b of the high speed wireless internet (1700c), and receives the received banking authentication data. The terminal apparatus extracts a secret key (or symmetric key) encrypted with the server-side public key from banking authentication data (1705c), and decrypts the encrypted secret key (or symmetric key) with the server-side private key (1710c). In operation 145c, the private key (or symmetric key) generated to encrypt the member authentication data is restored.

In addition, the Internet banking server 400 extracts member authentication data encrypted with the secret key (or symmetric key) from the received banking authentication data (1720c), and restores the encrypted member authentication data to the restored secret key. (Or a symmetric key) (1725), the member authentication data transmitted from the terminal device 145 is restored (1730c).

Thereafter, the internet banking server 400 generates a predetermined second message digest through the same hash function as the one-way hash function used to generate the restored member authentication data in the terminal 145 to generate the second message digest. (C35c).

In addition, the Internet banking server 400 extracts (1740c) the 1/2 message digest from the received banking authentication data, and generates the second message digest of the extracted 1/2 message digest. Replace with 2 message digests (1745c), and generate a predetermined message digest through the same hash function as the one-way hash function used by the terminal device 145 to generate a predetermined message digest from the 1/2 message digest ( 1750c).

In addition, the Internet banking server 400 extracts a message digest encrypted with the terminal-side private key from the received banking authentication data (1755c), and also authenticates a predetermined database (not shown) and / or a network. Extracting a predetermined terminal side public key corresponding to the terminal side private key from a server (not shown) (and / or a directory associated with the authentication server (not shown)) and decrypting the message digest encrypted with the terminal side private key; In operation 1765c, the terminal apparatus 145 restores the message digest generated by applying a predetermined one-way hash function to the first message digest.

Thereafter, the Internet banking server 400 checks the validity of the banking authentication data transmitted from the traffic relay apparatus (or server) by comparing the generated message digest with the restored message digest (1770c). .

If the validity of the banking authentication data transmitted from the traffic relay device (or server) is confirmed, the Internet banking server 400 finally receives member authentication data extracted from the banking authentication data and restored (1775c). .

18 is a diagram illustrating a web page providing process of the Internet banking server 400 for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

More specifically, FIG. 18 provides a webpage including at least one information providing screen and / or an interface screen for high-speed wireless Internet-based internet banking from the internet banking server 400 to the terminal device 145 on the high-speed wireless internet. As a person of ordinary skill in the art to which the present invention pertains, a high-speed from the Internet banking server 400 to the terminal device 145 on the high-speed wireless Internet by referring to and / or modifying the drawing 18. Various implementation methods for providing web pages for wireless Internet-based Internet banking may be easily inferred, but the present invention includes all the implementation methods inferred and is not limited to the implementation method shown in FIG.

Hereinafter, in FIG. 18, the Internet banking server 400 that provides the high-speed wireless Internet-based Internet banking service according to the present invention to the terminal device 145 on the high-speed wireless Internet is referred to as a "server" for convenience.

Referring to FIG. 18, when the terminal device 145 on the high speed wireless Internet is connected to the server 400 on the high speed wireless internet and a communication channel for internet banking is connected through the process as shown in FIG. 1800), the server reads the communication session information for the communication channel and performs internet banking customer authentication for the terminal device 145 through at least one customer authentication procedure of the method shown in FIG. 11 and / or FIG. Check whether or not (1805).

If the Internet banking customer authentication for the terminal device 145 is not performed (1810), the server 400 performs at least one or more customer authentication procedures of the method shown in Figure 11 and / or Figure 16 ( 1815).

If the Internet banking customer authentication for the terminal device 145 is performed (1810), the server 400 reads the communication session information for the communication channel and displays the web interface screen information for the terminal device 145. In operation 1820, the web interface screen information may include maximum resolution information (eg, 300 * 200, 640 * 480, or 1024 * 768, etc.) of the terminal device 145 to which the communication channel is connected. .

According to the embodiment of the present invention, the terminal device 145 accessing the server through the high-speed wireless Internet may vary from the portable terminal device 145 in the form of a mobile phone to the desktop computer.

Thereafter, the server 400 generates (or extracts) a predetermined web page that can be output to the terminal device 145 in response to the identified web interface screen information (1825), wherein the web page is the terminal device ( 145 is a web page requested (for convenience, in FIG. 18, a web page request process is omitted from the terminal device 145 to the server 400), and / or the terminal device 145 at the server 400. It may be a web page defined to provide, by which the present invention is not limited.

According to another exemplary embodiment of the present invention, the process of generating (or extracting) the webpage may be performed after predetermined Internet banking information to be transmitted (or generated) from the server 400 to the terminal device 145 is extracted. The present invention is not limited thereto.

In addition, the server 400 extracts (1830) at least one or more Internet banking information to be included in the web page from the DBMS 420 and / or the financial system to provide to the terminal device 145 (1830), the extracted In order to transmit the Internet banking information to the terminal device 145 via the high-speed wireless Internet, it is checked whether the electronic signature and / or the encryption should be performed (1835).

According to an embodiment of the present invention, the Internet banking information may include at least one or more information (or data) for financial transactions using high-speed wireless Internet-based internet banking, and / or insurance and operation using high-speed wireless internet-based internet banking. At least one or more information (or data) for payment, and / or at least one or more information (or data) for loan processing using high speed wireless internet based internet banking, and / or investment product subscription and operation using high speed wireless internet based internet banking At least one or more information (or data) for, and / or at least one or more information (or data) for billing payments using high-speed wireless Internet-based Internet banking is preferably made.

According to an embodiment of the present invention, if the Internet banking information is information that can be provided in common to an unspecified number, the Internet banking information may not be electronically signed and / or encrypted, but the Internet banking information may be a specific Internet banking customer. If the information is provided to (and / or the terminal device 145) (eg, financial information of a specific Internet banking customer), the Internet banking information is preferably electronically signed and / or encrypted.

In addition, the entirety of the extracted internet banking information may be electronically signed and / or encrypted, and / or only a part of the extracted internet banking information may be digitally signed and / or encrypted, and the present invention is not limited thereto. .

If the electronic signature and / or encryption of the extracted Internet banking information does not need to be performed (1840), the server 400 includes the extracted Internet banking information in the web page (1845), and the extraction is performed. In operation 1850, the web page including the Internet banking information is transmitted to the terminal device 145 through the high-speed wireless Internet.

On the other hand, if the electronic signature and / or encryption for the extracted Internet banking information should be performed (1840), the server 400 performs the electronic signature and / or encryption procedure for the Internet banking information to be transmitted to the terminal device (145) Perform (1855).

If the digital signature and / or encryption procedure for the extracted Internet banking information is completed (1860), the server 400 includes the electronic signature and / or encrypted Internet banking information in the web page (1865). In operation 1870, the web page including the electronic signature and / or the encrypted internet banking information is transmitted to the terminal device 145 through the high-speed wireless Internet.

19 is a diagram illustrating a web page receiving process of the terminal device 145 for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

In more detail, FIG. 19 receives a web page including at least one information providing screen and / or an interface screen for high-speed wireless Internet-based internet banking from the Internet banking server 400 in the terminal device 145 on the high-speed wireless internet. As a person of ordinary skill in the art to which the present invention pertains, the present invention refers to and / or modified the high speed radio from the Internet banking server 400 in the terminal device 145 on the high speed wireless Internet. Various implementation methods for receiving web pages for Internet-based Internet banking may be easily inferred, but the present invention includes all the implementation methods inferred above and is not limited to the implementation method shown in FIG.

Hereinafter, in FIG. 19, the Internet banking server 400 that provides the high-speed wireless Internet-based Internet banking service according to the present invention to the terminal device 145 on the high-speed wireless Internet is referred to as a "server" for convenience.

Referring to FIG. 19, when the terminal device 145 on the high-speed wireless Internet is connected to the server 400 on the high-speed wireless internet and a communication channel for internet banking is connected through a process as shown in FIG. 10 ( 1900, the terminal device 145 performs at least one or more customer authentication procedures of the method shown in FIGS. 11 and / or 16 (1905), and if the Internet banking customer authentication for the terminal device (145) When performed (1910), the terminal device 145 requests a predetermined webpage including at least one or more Internet banking information to the server 400 on the high-speed wireless Internet through the communication channel (1915). In operation 1920, the mobile station periodically checks whether a web page including the requested at least one internet banking information is received.

If the requested web page is received from the server 400 through the high-speed wireless Internet (1925), the terminal device 145 reads the received web page and electronically signs and / or the server 400. Check whether the encrypted internet banking information is included (1930).

According to an embodiment of the present invention, the Internet banking information may include at least one or more information (or data) for financial transactions using high-speed wireless Internet-based internet banking, and / or insurance and operation using high-speed wireless internet-based internet banking. At least one or more information (or data) for payment, and / or at least one or more information (or data) for loan processing using high speed wireless internet based internet banking, and / or investment product subscription and operation using high speed wireless internet based internet banking At least one or more information (or data) for, and / or at least one or more information (or data) for billing payments using high-speed wireless Internet-based Internet banking is preferably made.

If the web page does not include the electronic signature and / or the encrypted Internet banking information in the server 400 (1935), the terminal device 145 reads a predetermined web page including the Internet banking information. The terminal device 145 outputs the screen (1940).

On the other hand, if the web page includes the electronic signature and / or the encrypted Internet banking information in the server (400) (1935), the terminal device 145 checks the signature on the Internet banking information contained in the web page and And / or perform a decryption procedure (1945).

If the signature verification and / or decryption procedure for the Internet banking information included in the webpage is completed (1950), the terminal device 145 may access the webpage including the signature verification and / or decrypted Internet banking information. And output (1955).

20 is a diagram illustrating a method of encrypting and transmitting internet banking information by a symmetric key (or secret key) method in an internet banking server 400 according to an exemplary embodiment of the present invention.

More specifically, FIG. 20 illustrates an embodiment of the present invention for encrypting and transmitting predetermined Internet banking information in a symmetric key (or secret key) method in the Internet banking server 400 as shown in FIG. 4. In accordance with the related art, various implementation methods for encrypting the Internet banking information by a symmetric key (or secret key) method in the Internet banking server 400 on the high-speed wireless Internet by referring to and / or modifying the drawing of FIG. It can be inferred, but the present invention includes all the inferred implementation method, and is not limited to the implementation method shown in FIG.

In this figure 20 according to the embodiment of the present invention, the symmetric key (or secret key) is preferably read from the public certificate provided in the Internet banking server 400, the public certificate is the Internet banking server 400 Is preferably stored in a predetermined database (not shown) that cooperates with, and the present invention is not limited thereto.

Referring to FIG. 20, the internet banking unit 525 included in the internet banking server 400 generates (or extracts) predetermined internet banking information to be provided to the terminal device 145, and / or the After performing a predetermined Internet banking procedure in conjunction with a financial system, after generating (or extracting) predetermined Internet banking information, the Internet banking information is provided to the encryption unit 510 (2000).

Thereafter, the Internet banking server 400 extracts a predetermined symmetric key (or secret key) for encrypting the Internet banking information from the certificate (2005), and through the extracted symmetric key (or secret key). The Internet banking information is encrypted (2010).

The encryption function of the encryption processing unit 820 is called E (Encryption), the symmetric key (or secret key) is k (key), the Internet banking information is P (Plaintext), and the symmetric key (or secret). If the Internet banking information encrypted with the key) is referred to as C (Ciphertext), the encryption function of the encryption unit 510 may be expressed by a formula such as "Ek (P) = C".

According to the embodiment of the present invention, the encryption processing unit 820 encrypts the Internet banking information through the symmetric key (or secret key), SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, It is preferable to include at least one or more of the International Data Encryption Algorithm (IDEA), and various forms of encryption algorithms may be used, but the present invention is not limited to a specific encryption algorithm.

When the internet banking information is encrypted through the symmetric key (or secret key) as described above, the transmission unit 515 generates at least one SDU / PDU from the encrypted internet banking information to form a higher layer on the communication protocol stack. (2015), generate a packet corresponding to the communication protocol stack defined between the Internet banking server 400 and the Internet and / or leased line connecting the operator network of the high-speed wireless Internet, and the generated packet It transmits to the terminal device 145 through a network component on the high speed wireless Internet.

FIG. 21 is a diagram illustrating a method of decrypting the Internet banking information encrypted and received by the terminal device 145 using a symmetric key (or secret key) method according to an embodiment of the present invention.

More specifically, FIG. 21 shows the Internet banking information received through the encryption procedure as shown in FIG. 20 from the Internet banking server 400 as shown in FIG. 4 in the terminal device 145 equipped with the encryption function as shown in FIG. The present invention relates to a method for decrypting by a symmetric key (or secret key) method. If the present invention belongs to a general knowledge, an Internet banking server on the high-speed wireless Internet will be described with reference to FIG. 21 and / or modified. It will be able to infer various implementation methods for decrypting the encrypted Internet banking information in a symmetric key (or secret key) method at 400, but the present invention includes all the inferred implementation methods, as shown in FIG. It is not limited to the implemented method.

In this figure 21 according to the embodiment of the present invention, the symmetric key (or secret key) is preferably read from the public certificate provided in the terminal device 145, the public certificate is the terminal device (145) Stored in a predetermined memory unit and / or stored in an ID-000 type IC chip (or IC card) mounted or detached from the terminal device 145, and / or the terminal device 145 In the case where a predetermined IC card reader is provided, all of them can be stored in an IC card inserted into the IC card reader, and the present invention is not limited thereto.

According to another embodiment of the present invention, the symmetric key (or secret key) is included in the interface screen provided from the internet banking server 400 to the terminal device 145 in addition to the public certificate, and / or the terminal device. It is possible to all be embedded on the communication program to communicate with the Internet banking server 400 on 145, whereby the invention is not limited.

Referring to FIG. 21, the wireless processing unit 630 of the terminal device 145 may include at least one or more Internet banking information encrypted by the Internet banking server 400 in association with a network component on the high-speed wireless Internet. In receiving a packet (2100), the packet including the Internet banking information is preferably received through a communication protocol stack defined in the high-speed wireless Internet.

Thereafter, the communication processor 825 restores (or generates) Internet banking information encrypted through a symmetric key (or a secret key) in the Internet banking server 400 from the received packet (2105), and restores ( Alternatively, the generated internet banking information is provided to the encryption processing unit 820 (2110).

The encryption processing unit 820 extracts a predetermined symmetric key (or secret key) for decrypting the encrypted internet banking information from the public certificate provided in the terminal device 145 (2115), and extracts the extracted symmetry. The encrypted internet banking information is decrypted using a key (or secret key) (2120).

Here, the decryption function of the encryption processing unit 820 is called D (Decryption), and the Internet banking information encrypted with the symmetric key (or secret key) k (key) and the symmetric key (or secret key) is C ( Ciphertext), and the decrypted Internet banking information is P (Plaintext), the function of decrypting the encrypted Internet banking information by the encryption unit 510 is "Dk = P, or Dk (Ek (P)) = It can be expressed by an expression such as "P".

According to the embodiment of the present invention, the encryption processing unit 820 decrypts the encrypted internet banking information through the symmetric key (or secret key), SEED, DES (Data Encryption Standard), Triple-DES, It is preferable to include at least one or more of Skipjack, International Data Encryption Algorithm (IDEA), and various types of decryption algorithms may be used. However, the decryption algorithm may be used as the encryption algorithm used in the Internet banking server 400. Characterized by matching, the present invention is not limited by a specific decoding algorithm.

When the internet banking information encrypted through the symmetric key (or the secret key) is decrypted as described above, the encryption processing unit 820 screens the internet banking information in cooperation with the screen output unit 610 (2125).

22 is a diagram illustrating a method for encrypting and transmitting internet banking information in a public key infrastructure in the Internet banking server 400 according to an embodiment of the present invention.

More specifically, FIG. 22 illustrates an implementation method of encrypting and transmitting predetermined Internet banking information in a public key infrastructure scheme in the Internet banking server 400 as shown in FIG. 4. As shown in FIG. With knowledge, various implementation methods for encrypting the Internet banking information in a public key infrastructure scheme in the Internet banking server 400 on the high-speed wireless Internet may be inferred by referring to and / or modifying the present invention. The present invention includes all the inferred implementation methods, and is not limited to the implementation method illustrated in FIG.

In this figure 22 according to an embodiment of the present invention, the terminal-side public key is extracted from a predetermined database (not shown) provided in the Internet banking server 400, and / or is predetermined by the terminal apparatus 145. It is possible to extract from a predetermined directory (not shown) that is operated and managed by the certification authority that issued the certificate, thereby not limiting the present invention.

Referring to FIG. 22, the internet banking unit 525 provided in the internet banking server 400 generates (or extracts) predetermined internet banking information to be provided to the terminal device 145, and / or the After performing a predetermined Internet banking procedure in conjunction with a financial system, after generating (or extracting) predetermined Internet banking information, the Internet banking information is provided to the encryption unit 510 (2200).

Thereafter, the Internet banking server 400 extracts a predetermined terminal side public key for encrypting the Internet banking information from the database (not shown) or a directory (not shown) (2205), and extracts the extracted terminal side. The Internet banking information is encrypted using the public key (2210).

Here, the encryption function of the encryption unit 510 is called E (Encryption), and the Internet banking encrypted with the terminal public key k1 (key), the Internet banking information P (Plaintext), and the terminal public key. When the information is referred to as C (Ciphertext), the encryption function of the encryption unit 510 may be expressed by a formula such as "Ek1 (P) = C".

According to an embodiment of the present invention, the encryption processing unit 820 encrypts the Internet banking information through the terminal-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm). , DH (Diffie, Hellman), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH, or at least one of the above. Preferably, various types of encryption algorithms may be used. The invention is not limited.

For example, in the case of encrypting the Internet banking information through the RSA encryption algorithm, among the encryption algorithms, a public method (Modulus) used in the encryption process is n, and a prime number that is not disclosed by different prime factors of n and a b, if the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a- 1) (b-1) ", wherein the encryption function of the encryption unit 510 may be expressed as" C = Ek1 (P) = Pe mod n ".

When the Internet banking information is encrypted using the terminal-side public key as described above, the transmission unit 515 generates at least one SDU / PDU from the encrypted Internet banking information and stores it in an upper layer on the communication protocol stack ( 2215), generating a packet corresponding to a communication protocol stack defined between the Internet banking server 400 and the Internet and / or a dedicated line connecting the operator network of the high speed wireless Internet, and generating the packet on the high speed wireless Internet. It transmits to the terminal device 145 through a network component.

FIG. 23 is a diagram illustrating a method of decrypting the received Internet banking information encrypted by the terminal apparatus 145 in a public key based structure according to an embodiment of the present invention.

In more detail, FIG. 23 shows the Internet banking information received through the encryption procedure as shown in FIG. 22 from the Internet banking server 400 as shown in FIG. 4 in the terminal device 145 equipped with the encryption function as shown in FIG. The present invention relates to a method of decrypting by using a public key infrastructure. If the skilled in the art to which the present invention pertains, the Internet banking server 400 on the high-speed wireless Internet will be described with reference to FIG. In various embodiments of the present invention, it is possible to infer various methods of decrypting the encrypted internet banking information by using a public key infrastructure. However, the present invention includes all the inferred implementation methods and is not limited to the implementation method illustrated in FIG. No.

In FIG. 23 according to an embodiment of the present invention, a terminal-side private key for decrypting the Internet banking information encrypted by the terminal-side public key in a public key infrastructure scheme in the Internet banking server 400 may include the terminal apparatus ( It is preferable to be read out from the official certificate provided in 145, and the public certificate is stored in a predetermined memory unit provided in the terminal device 145, and / or mounted or detached from the terminal device 145. Is stored in an IC chip (or IC card) of ID-000 type, and / or stored in an IC card inserted into the IC card reader when a predetermined IC card reader is provided in the terminal device 145. It is possible, and the invention is not limited thereby.

Referring to FIG. 23, the wireless processor 630 of the terminal device 145 may include at least one or more Internet banking information encrypted by the Internet banking server 400 in association with a network component on the high-speed wireless Internet. In receiving a packet (2300), the packet including the Internet banking information is preferably received through a communication protocol stack defined in the high-speed wireless Internet.

Thereafter, the communication processing unit 825 restores (or generates) Internet banking information encrypted and transmitted from the received packet to the Internet banking server 400 through the terminal-side public key (2305), and restores ( Alternatively, the generated internet banking information is provided to the encryption processing unit 820 (2310).

The encryption processing unit 820 extracts a predetermined terminal-side private key for decrypting the Internet banking information encrypted by the public key infrastructure from the public certificate provided in the terminal device 145 (2315). The encrypted internet banking information is decrypted through the extracted terminal-side private key (2320).

Here, the decryption function of the encryption processing unit 820 is called D (Decryption), the public key is k2 (key), the Internet banking information encrypted with the public key is C (Ciphertext), and the decrypted Internet banking information is Speaking of P (Plaintext), the function of decrypting the encrypted Internet banking information by the encryption unit 510 may be expressed by a formula such as "Dk2 = P, or Dk2 (Ek (P)) = P".

According to an embodiment of the present invention, the encryption processing unit 820 decrypts the encrypted Internet banking information through the terminal-side private key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature). Algorithm), DH (Diffie, Hellman), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH is preferably included at least one or more, and various forms of decoding algorithms may be used, but the decoding algorithm is Characterized by matching the encryption algorithm used in the Internet banking server 400, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the Internet banking information through the RSA decryption algorithm of the public key-based decryption algorithm, n is a public method (Modulus) used in the decryption process, where n is a prime number not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e, the undisclosed index is d, the n satisfies "n = a * b", d is "de = 1 mod (a-1) (b-1) ", wherein the decryption function of the encryption processing unit 820 may be expressed as" P = Dk2 = Cd mod n ".

When the internet banking information encrypted by the server is decrypted through the terminal-side private key as described above, the encryption processing unit 820 screens the Internet banking information in cooperation with the screen output unit 610 (2325).

24 is a diagram illustrating a method of encrypting and transmitting internet banking information by an electronic envelope method in an internet banking server 400 according to an exemplary embodiment of the present invention.

More specifically, FIG. 24 is an embodiment of a method of encrypting and transmitting predetermined Internet banking information by an electronic envelope method in the Internet banking server 400 as shown in FIG. 4, and the general knowledge in the technical field to which the present invention pertains. With reference to FIG. 24 and / or modifications, various implementation methods for encrypting the Internet banking information in an electronic envelope method in the Internet banking server 400 on the high-speed wireless Internet may be inferred. It includes all the inferred implementation method, and is not limited to the implementation method shown in FIG.

In FIG. 24 according to the embodiment of the present invention, the terminal-side public key is extracted from a predetermined database (not shown) provided in the Internet banking server 400, and / or predetermined to the terminal device 145. It is possible to extract from a predetermined directory (not shown) that is operated and managed by the certification authority that issued the certificate, thereby not limiting the present invention.

Referring to FIG. 24, the Internet banking unit 525 included in the Internet banking server 400 generates (or extracts) predetermined Internet banking information to be provided to the terminal device 145, and / or the After performing a predetermined internet banking procedure in conjunction with a financial system, after generating (or extracting) predetermined internet banking information, the internet banking information is provided to the encryption unit 510 (2400).

Subsequently, the encryption unit 510 generates a random secret key for encrypting the Internet banking information using a secret key (symmetric key) method (2405), and generates the generated secret key. Encrypt the Internet banking information using (2410).

Here, the encryption function of the encryption unit 510 is called E (Encryption), the secret key is r (random secret key), the Internet banking information P (Plainte4t), and the Internet banking information encrypted with the secret key Suppose C (Cipherte4t), the encryption function of the encryption unit 510 can be expressed by a formula such as "Er (P) = C".

According to an embodiment of the present invention, the encryption unit 510 encrypts the Internet banking information through the terminal-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm). , DH (Diffie, Hellman), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH, or at least one of the above. Preferably, various types of encryption algorithms may be used. The invention is not limited.

In addition, the encryption unit 510 extracts a predetermined terminal side public key from the authorized certificate in order to encrypt the secret key that encrypts the Internet banking information (2415), and uses the terminal side public key to access the Internet. The secret key encrypting the banking information is encrypted (2420).

Here, the encryption function of the encryption unit 510 is called E (Encryption), the terminal-side public key is k1 (key), the secret key is r (random secret key), and the secret encrypted with the terminal-side public key. If the key is C (Ciphertext), the encryption function of the encryption unit 510 can be expressed by an expression such as "Ek1 (r) = C".

According to an embodiment of the present invention, the encryption unit 510 encrypts the secret key through the terminal-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the secret key through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the encryption function of the encryption unit 510 may be expressed as" C = Ek1 (r) = re mod n ".

If the Internet banking information is encrypted with the secret key and the secret key is encrypted with the terminal side public key, the encryption unit 510 encrypts the Internet banking information encrypted with the secret key and the terminal side public key. Produces transaction data associated with and provides it to the transmission unit.

Thereafter, the transmission unit 515 generates at least one SDU / PDU from the transaction data, stores it in a higher layer on a communication protocol stack (2425), and establishes an operator network of the Internet banking server 400 and a high-speed wireless Internet. A packet corresponding to a communication protocol stack defined between the connecting Internet and / or a dedicated line is generated, and the generated packet is transmitted to the terminal device 145 through a network component on the high-speed wireless Internet.

25 is a diagram illustrating a method of decrypting the Internet banking information encrypted and received by the terminal device 145 by an electronic envelope method according to an embodiment of the present invention.

In more detail, FIG. 25 shows the Internet banking information received through the encryption procedure as shown in FIG. 24 from the Internet banking server 400 as shown in FIG. 4 in the terminal device 145 equipped with the encryption function as shown in FIG. As an embodiment of the present invention, the present invention relates to a method of decoding by an electronic enveloping method. Various implementation methods for decrypting transaction data including encrypted internet banking information by electronic envelope method may be inferred, but the present invention includes all the inferred implementation methods and is limited to the implementation method shown in FIG. Not.

In FIG. 25 according to an embodiment of the present invention, a terminal-side private key for decrypting the transaction data in an electronic envelope method in the Internet banking server 400 is read from the public certificate provided in the terminal device 145. Preferably, the authorized certificate is stored in a predetermined memory unit provided in the terminal device 145, and / or IC chip of the ID-000 type (or IC) mounted on or detached from the terminal device 145 Card) and / or the terminal device 145 has a predetermined IC card reader, all of which can be stored in an IC card inserted into the IC card reader, and the present invention is not limited thereto. .

Referring to FIG. 25, the wireless processing unit 630 of the terminal device 145 includes the Internet banking information and the secret key encrypted by the Internet banking server 400 in association with a network component on the high-speed wireless Internet. Receiving at least one packet corresponding to transaction data (2500), the packet corresponding to the transaction data is preferably received via a communication protocol stack defined in the high speed wireless Internet.

Thereafter, the communication processing unit 825 restores (or generates) transaction data encrypted and transmitted from the received packet to the Internet banking server 400 through the terminal-side public key (2505), and restores (or The generated transaction data is provided to the encryption processing unit 820 (2510).

The encryption processing unit 820 extracts a predetermined terminal side private key for decrypting the encrypted secret key of the transaction data from the authorized certificate provided in the terminal device 145 (2515), and extracts the terminal side. By decrypting the secret key encrypted with the terminal-side public key through the private key (2520), extracting the secret key for decrypting the Internet banking information (2525), and using the extracted secret key, the Internet banking information. By decrypting (2530), the Internet banking information encrypted with the secret key is extracted (2535).

Here, the decryption function of the encryption processing unit 820 is called D (Decryption), the public key is k2 (key), the secret key encrypted with the public key is C (Cipherte4t), and the decrypted secret key is r ( random secret key), the function of decrypting the encrypted secret key by the encryption processing unit 820 may be expressed by a formula such as "Dk2 = r, or Dk2 (Ek (r)) = r".

According to the embodiment of the present invention, the encryption processing unit 820 decrypts the encrypted secret key through the terminal-side private key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm). ), DH (Diffie, Hellman), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH is preferably included at least one or more, and various forms of decoding algorithms may be used, the decoding algorithm is Characterized by matching the encryption algorithm used in the Internet banking server 400, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the secret key through the RSA decryption algorithm among the public key-based decryption algorithms, n is a public method (Modulus) used in the decryption process, and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption processing unit 820 may be expressed as" r = Dk2 = rd mod n ".

Here, the decryption function of the encryption processing unit 820 is called D (Decryption), the secret key is r (random secret key), the Internet banking information encrypted with the secret key (C (Ciphertext)), and the decrypted Internet banking When the information is referred to as P (Plaintext), the function of decrypting the encrypted Internet banking information by the encryption processing unit 820 may be expressed by a formula such as "Dr = P, or Dr (Er (P)) = P". .

According to the embodiment of the present invention, the encryption processing unit 820 decrypts the encrypted Internet banking information through the secret key, SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, IDEA (International) It is preferable to include at least one or more of the Data Encryption Algorithm, and in addition, various forms of decryption algorithms may be used, but the decryption algorithm is matched with the encryption algorithm used in the Internet banking server 400. The present invention is not limited to the specific decoding algorithm.

When the internet banking information is decrypted as described above, the encryption processing unit 820 screens the internet banking information in cooperation with the screen output unit (2540).

FIG. 26 is a diagram illustrating a method of encrypting and transmitting internet banking information by a key exchange method in an internet banking server 400 according to an exemplary embodiment of the present invention.

More specifically, FIG. 26 is an embodiment of the method for encrypting and transmitting predetermined Internet banking information in a key exchange method in the Internet banking server 400 as shown in FIG. 4. With reference to FIG. 26 and / or modified with reference to FIG. 26, various implementation methods for encrypting the Internet banking information in a key exchange method in the Internet banking server 400 on the high-speed wireless Internet may be inferred. It includes all the inferred implementation method, and is not limited to the implementation method shown in FIG.

Referring to FIG. 26, the internet banking unit 525 included in the internet banking server 400 generates (or extracts) predetermined internet banking information to be provided to the terminal device 145, and / or the After performing a predetermined Internet banking procedure in conjunction with a financial system, after generating (or extracting) predetermined Internet banking information, the Internet banking information is provided to the encryption unit 510 (2600).

Thereafter, the encryption unit 510 generates a message digest including a predetermined one-way hash function (eg, a hash code of a predetermined length regardless of the length of the Internet banking information). A one-way hash function that cannot generate and verify (or infer) the original message through the hash code (or message digest) The internet banking server 400 and the terminal 145 have the same hash function. Generate a predetermined message digest (2605), and digitally sign the message digest by encrypting the message digest with the server-side private key (2610).

Here, the encryption function of the encryption unit 510 is called E (Encryption), the server side private key is encrypted with s1 (server side key), the message digest is m (message digest), and the server side private key. If the message digest is C (Cipherte4t), the digital signature function of the encryption unit 510 may be expressed by an expression such as "Es1 (m) = C".

According to an embodiment of the present invention, the encryption unit 510 encrypts the message digest through the server-side private key, including RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the message digest through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the digital signature function of the encryption unit 510 may be expressed as" C = Es1 (m) = me mod n ".

In addition, the encryption unit 510 generates a predetermined random secret key for encrypting the Internet banking information using a secret key (symmetric key) method (2615), and the Internet banking information The message digest encrypted with the server-side private key and a copy of a certificate including the server-side public key are linked to each other and encrypted through the generated secret key (2620).

Here, the encryption function of the encryption unit 510 is called E (Encryption), the secret key is r (random secret key), the Internet banking information and the copy of the certificate P (Plaintext), and the Internet encrypted with the secret key When the banking information and the copy of the certificate are referred to as C (Ciphertext), the encryption function of the encryption unit 510 may be expressed by an equation such as "Er (P) = C".

According to the method of the present invention, the encryption unit 510 encrypts the Internet banking information and the certificate copy through the secret key, SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, IDEA ( It is preferable to include at least one or more of the International Data Encryption Algorithm, and various types of encryption algorithms may be used, but the present invention is not limited to a specific encryption algorithm.

In addition, the encryption unit 510 extracts a predetermined terminal side public key from the authorized certificate to encrypt the secret key that encrypts the Internet banking information (2625), and uses the terminal to extract the secret key used for encryption. The encryption is performed using the side public key (2630).

Here, the encryption function of the encryption unit 510 is called E (Encryption), and the terminal side public key is encrypted with t1 (terminal side key), the secret key with r (random secret key), and the terminal side public key. When the secret key is referred to as C (Ciphertext), the encryption function of the encryption unit 510 may be expressed by an expression such as "Et1 (r) = C".

According to an embodiment of the present invention, the encryption unit 510 encrypts the secret key through the terminal-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the secret key through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the encryption function of the encryption unit 510 may be expressed as" C = Et1 (r) = re mod n ".

The Internet banking information and a copy of a certificate including the message digest encrypted with the server-side private key and the server-side public key are linked and encrypted through the generated secret key, and the secret key is encrypted through the terminal-side public key. When encrypted, the encryption unit 510 encrypts a copy of a certificate including the message digest and the server-side public key encrypted with the Internet banking information and the server-side private key encrypted through the secret key with the terminal-side public key. The predetermined transaction data is generated in association with the secret key provided to the transmission unit 515.

The transmission unit 515 generates at least one SDU / PDU from the transaction data and stores it in a higher layer on a communication protocol stack (2635), thereby connecting the Internet banking server 400 to a carrier network of high-speed wireless Internet. A packet corresponding to a communication protocol stack defined between the Internet and / or a dedicated line is generated, and the generated packet is transmitted to the terminal device 145 through a network component on the high speed wireless Internet.

27A and 27B are diagrams illustrating a method of decrypting received Internet banking information encrypted by the terminal device 145 by a key exchange method according to an embodiment of the present invention.

In more detail, FIGS. 27A and 27B show the Internet received from the Internet banking server 400 as shown in FIG. 4 through the encryption procedure as shown in FIG. 26 in the terminal device 145 equipped with the encryption function as shown in FIG. The present invention relates to a method of decrypting banking information by a key exchange method. If the present invention has a general knowledge, the banking server 400 on the high-speed wireless Internet will be described with reference to FIG. 27 and / or modified. However, various implementation methods for decrypting transaction data including the encrypted internet banking information in a key exchange method may be inferred, but the present invention includes all the inferred implementation methods, and is illustrated in FIG. 27. It is not limited to the method.

In FIG. 27 according to the embodiment of the present invention, the terminal-side private key for decrypting the transaction data by the key exchange method in the Internet banking server 400 is read from the public certificate provided in the terminal device 145. Preferably, the authorized certificate is stored in a predetermined memory unit provided in the terminal device 145, and / or IC chip of the ID-000 type (or IC) mounted on or detached from the terminal device 145 Card) and / or the terminal device 145 has a predetermined IC card reader, all of which can be stored in an IC card inserted into the IC card reader, and the present invention is not limited thereto. .

Referring to FIGS. 27A and 27B, the wireless processing unit 630 of the terminal device 145 may include Internet banking information encrypted from the operator network of the high-speed wireless Internet through the TCP / IP-based Internet and / or a dedicated line. Receives at least one packet containing the transaction data (2700), the communication processing unit 825, the communication processing unit 825 is the transaction data transmitted encrypted by the Internet banking server 400 from the received packet (E.g., a copy of a certificate including the Internet banking information encrypted with a predetermined private key, the message digest encrypted with the server-side private key and the server-side public key, and the secret key encrypted with the terminal-side public key) (Or create) 2705 and provide the restored (or generated) transaction data to the cryptographic processor 820 (2710). ).

The encryption processing unit 820 extracts a predetermined terminal-side private key for decrypting the secret key encrypted with the terminal-side public key from the authorized certificate provided in the terminal device 145 (2715), and the terminal-side public disclosure. Decrypting the private key encrypted with the key with the terminal-side private key (2720), thereby decrypting the private copy for decrypting a copy of the certificate including the message digest and the server-side public key encrypted with the Internet banking information and the server-side private key. It is extracted (2725).

Here, the decryption function of the encryption processing unit 820 is called D (Decryption), the terminal-side private key is t2 (terminal side key), the secret key encrypted with the terminal-side public key is C (Cipherte4t), and the terminal. When the secret key decrypted with the side private key is r (random secret key), the function of decrypting the encrypted secret key by the encryption processing unit 820 is "Dt2 = r, or Dt2 (Es1 (r)) = r". It can be expressed as

According to the embodiment of the present invention, the encryption processing unit 820 decrypts the secret key encrypted with the terminal-side public key in the server through the terminal-side private key, RSA (Ron Rivest, Adi Shamir, Len Adleman) , Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH is preferably included at least one or more, and various forms of decoding algorithms may be used. The decryption algorithm is matched with an encryption algorithm used in the server, and the present invention is not limited to a specific decryption algorithm.

For example, when decrypting the secret key through the RSA decryption algorithm among the public key-based decryption algorithms, n is a public method (Modulus) used in the decryption process, and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption processing unit 820 may be expressed as" P = Dt2 = Cd mod n ".

When the secret key is extracted as described above, the encryption processing unit 820 copies the certificate including the message digest and the server-side public key encrypted with the Internet banking information and the server-side private key using the extracted secret key. By decrypting (2730), a copy of the certificate including the Internet banking information encrypted with the secret key and the message digest encrypted with the server side private key and the server side public key is extracted.

Here, the decryption function of the encryption processing unit 820 is referred to as D (Decryption), the secret key is r (random secret key), the Internet banking information encrypted with the secret key and the message digest encrypted with the server-side private key; C (Cipherte4t) a copy of the certificate containing the server-side public key, and P (Plainte4t) a copy of the certificate containing the message digest and the server-side public key encrypted with the decrypted Internet banking information and the server-side private key. In this regard, the function of decrypting the copy of the certificate including the message digest encrypted with the encrypted internet banking information and the server-side private key and the server-side public key is "Dr = P, or Dr." It can be expressed by an expression such as (Er (P)) = P ".

According to an embodiment of the present invention, the encryption processing unit 820 decrypts a copy of the certificate including the message digest encrypted with the encrypted internet banking information and the server-side private key through the secret key and the server-side public key. Preferably, the algorithm includes at least one or more of SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, and International Data Encryption Algorithm (IDEA). In addition, various types of decryption algorithms may be used. The decryption algorithm is matched with an encryption algorithm used in the server, and the present invention is not limited by a specific decryption algorithm.

The encryption processing unit 820 decrypts the message digest encrypted with the server-side private key through the server-side public key (2735), thereby generating a message digest generated and transmitted from the Internet banking information by the encryption processing unit 820. Extract (2740).

Here, the decryption function of the encryption processing unit 820 is called D (Decryption), the server side public key is s2 (server side key), the message digest encrypted with the server side private key is C (Ciphertext), and the terminal. When the message digest decrypted with the public key is m (Message Digest), the function of decrypting the encrypted message digest by the encryption processing unit 820 is "Ds2 = m, or Ds2 (Es1 (r)) = m" and the message digest. The same formula can be used.

According to an embodiment of the present invention, the encryption processing unit 820 decrypts the message digest encrypted with the server-side private key in the terminal device 145 through the server-side public key, RSA (Ron Rivest, Adi Shamir). , Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, and ECDH. Although it can be used, the decryption algorithm is characterized in that it matches the encryption algorithm used in the server, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the message digest through the RSA decryption algorithm of the public key-based decryption algorithm, n is a public method (Modulus) used in the decryption process and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption processing unit 820 may be expressed as" P = Ds2 = Cd mod n ".

Thereafter, the encryption processing unit 820 generates a predetermined message digest through the same one-way hash function with the received Internet banking information (2745), and then generates the generated message digest and the decrypted message. By comparing the message digest (2750), the validity of the received Internet banking information is verified.

If the generated message digest and the decrypted message digest coincide with each other (2755), the encryption processing unit 820 screens the Internet banking information in cooperation with the screen output unit (2760). ).

28 is a diagram illustrating a process of transmitting information related to Internet banking from the terminal device 145 to the internet banking server 400 for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

In more detail, FIG. 28 requests a predetermined information input (or selection) interface screen from the terminal device 145 on the high-speed wireless Internet to the Internet banking server 400, and selects a predetermined information through the information input (or selection) interface screen. This is about the process of inputting (or selecting) the Internet banking related information to the Internet banking server 400, and those skilled in the art to which the present invention pertains, refer to and / or modify this figure 28 By inputting (or selecting) predetermined Internet banking-related information from the terminal device 145 on the high-speed wireless Internet to the Internet banking server 400, various implementation methods for easily transmitting the Internet banking server 400 can be easily inferred. However, the present invention includes all implementation methods inferred from the above, and is not limited to the implementation method shown in FIG.

For example, a person having ordinary knowledge in the art to which the present invention pertains may implement the method, wherein the Internet banking related information further includes high-speed wireless Internet-based network access information and / or network configuration information with reference to FIG. / Or an implementation method of attaching a double signature to the Internet banking-related information with reference to Figure 16 may be inferred, but the present invention includes all the implementation methods inferred, the implementation method shown in Figure 28 It is not limited to this.

Hereinafter, in FIG. 28, the Internet banking related information transmitted from the terminal device 145 on the high-speed wireless Internet is referred to as the "server" for convenience.

Referring to FIG. 28, the terminal device 145 on the high-speed wireless internet accesses a communication channel for accessing a server on the high-speed wireless internet and banks the internet through a process as shown in FIG. 10, and FIG. 11 and / or After the customer authentication procedure shown in FIG. 16 is performed, a predetermined information input (or selection) interface corresponding to a predetermined Internet banking procedure is transmitted from the terminal device 145 to the server through the communication channel. When requesting to provide a web page (2800), the server 400 generates (or extracts) a predetermined web page including a predetermined information input (or selection) interface and transmits the predetermined web page to the terminal device 145 (2805). ).

Thereafter, the terminal device 145 periodically checks whether at least one or more Internet banking related information is input (or selected) through the information input (or selection) interface (2810). If at least one Internet banking related information is input through the terminal 2815, the terminal device 145 checks whether the electronic signature and / or encryption is performed on the input (or selected) internet banking related information (2820). .

According to an embodiment of the present invention, the Internet banking related information is at least one or more information (or data) input (or selected) from the terminal device 145 for financial transactions using high-speed wireless Internet-based Internet banking, and / or At least one or more information (or data) input (or selected) from the terminal device 145 for insurance and operation using high-speed wireless Internet-based internet banking, and / or for loan processing using high-speed wireless internet-based internet banking At least one or more information (or data) input (or selected) at the terminal 145, and / or input (or selection) at the terminal 145 for subscription and operation of an investment product using high-speed wireless Internet-based Internet banking. One or more pieces of information (or data), and / or utility bills using high-speed wireless Internet-based Internet banking. Preferably, the terminal device 145 includes at least one or more information (or data) input (or selected).

If the electronic signature and / or encryption for the Internet banking related information input (or selected) through the information input (or selection) interface does not need to be performed (2825), the terminal device 145 may enter the input (or The selected banking related information is transmitted to the server 400 through the high-speed wireless Internet (2830).

On the other hand, if the electronic signature and / or encryption on the Internet banking related information input (or selected) through the information input (or selection) interface is to be performed (2825), the terminal device 145 may enter (or select) the input. The digital signature and / or encryption procedure is performed for the internet banking related information (2835).

If the electronic signature and / or encryption procedure for the Internet banking related information is performed (2840), the terminal device 145 transmits the electronic signature and / or encrypted Internet banking related information to the server through the high-speed wireless Internet. To the server (2845).

29 is a diagram illustrating a process of receiving Internet banking related information from the terminal device 145 in the Internet banking server 400 for high-speed wireless Internet-based Internet banking according to an embodiment of the present invention.

More specifically, FIG. 29 illustrates a process of receiving Internet banking related information transmitted from the terminal device 145 on the high-speed wireless Internet through the process as shown in FIG. 28 in the Internet banking server 400. Those skilled in the art may refer to and / or modify this drawing 29 to receive various Internet banking related information transmitted from the terminal 145 on the high-speed wireless Internet in the Internet banking server 400. It can be easily inferred, but the present invention includes all the implementation methods inferred above, it is not limited to the implementation method shown in this figure 29.

For example, a person having ordinary knowledge in the art to which the present invention pertains may implement the method, wherein the Internet banking related information further includes high-speed wireless Internet-based network access information and / or network configuration information with reference to FIG. / Or an implementation method of attaching a double signature to the Internet banking-related information with reference to Figure 16 may be inferred, but the present invention includes all the implementation methods inferred, shown in Figure 29 It is not limited to this.

Hereinafter, the Internet banking related information transmitted from the terminal device 145 on the high-speed wireless Internet is referred to as "server" in FIG. 29 for convenience.

Referring to FIG. 29, the terminal device 145 on the high speed wireless Internet accesses the communication channel for accessing the server 400 on the high speed wireless internet and internet banking through the process as shown in FIG. And / or after the customer authentication procedure shown in FIG. 16 is performed, the server 400 periodically checks whether a predetermined information input (or selection) interface screen is requested from the terminal device 145 (2900). If a predetermined information input (or selection) interface is requested from the terminal device 145 (2905), the server 400 reads communication session information for the terminal device 145 to the terminal device 145. Confirm (2910) web interface screen information for the; and include a predetermined information input (or selection) interface corresponding to the identified web interface screen information via the high-speed wireless Internet. The above is transmitted to the terminal device 145 generates the output possible predetermined Web page (or extraction) 2915.

Thereafter, the server 400 transmits a web page including the information input (or selection) interface to the terminal device 145 through the high-speed wireless Internet, and inputs (or selects) information from the terminal device 145. (2920) periodically checks whether Internet banking related information inputted (or selected) through the interface is received.

If the Internet banking related information input (or selected) through the information input (or selection) interface is received from the terminal device 145 (2925), the server 400 receives from the terminal device 145. It is checked whether a signature verification and / or decryption procedure is performed on the internet banking related information (2930).

If a signature verification and / or decryption procedure for the received Internet banking related information is not necessary (2935), the server 400 may verify the signature on the Internet banking related information received from the terminal device 145 and / or Alternatively, a predetermined internet banking procedure for the decryption procedure is performed (2940).

On the other hand, if the signature verification and / or decryption procedure for the received Internet banking related information should be performed (2935), the server 400 checks the signature for the Internet banking related information received from the terminal device 145 and / or Or perform a decoding procedure (2945).

If the signature verification and / or decryption procedure for the Internet banking related information is completed (2950), the server performs the Internet banking procedure for the Internet banking related information for which the signature verification and / or decryption procedure is completed (2955). .

30 is a diagram illustrating a method of digitally signing Internet banking related information transmitted from the terminal device 145 to the internet banking server 400 according to an embodiment of the present invention.

More specifically, FIG. 30 is an embodiment of a method of processing an electronic signature on the Internet banking data in a terminal device 145 equipped with an electronic signature function as shown in FIG. 6, which is commonly known in the art. With reference to FIG. 30, and / or modified with reference to FIG. 30, the terminal apparatus 145 on the high-speed wireless Internet may infer various implementation methods for digitally signing the Internet banking data. It includes all the inferred implementation methods, and is not limited to the implementation method shown in FIG.

In this figure 30 according to the embodiment of the present invention, the terminal-side private key is preferably read from the public certificate provided in the terminal device 145, and the public certificate is provided in the terminal device 145. Is stored in the memory unit of the ID and / or in the IC chip (or IC card) of the ID-000 type to be mounted on or detached from the terminal device 145, and / or predetermined in the terminal device 145 When the IC card reader is provided, it is possible to store all of the IC card inserted into the IC card reader, and the present invention is not limited thereto.

Referring to FIG. 30, when predetermined data for internet banking is generated in the information generating unit 810 of the terminal device 145, the information generating unit 810 is provided to the electronic signature unit 815 (3000). When the data for the Internet banking is provided, the electronic signature unit 815 may include a message digest including a predetermined one-way hash function (eg, a hash code having a predetermined length regardless of the length of the data for the Internet banking). One-way hash function that generates (Message Digest) and cannot identify (or infer) the original message via the hash code (or message digest) .The sender and the receiver use the same hash function) In operation 3005, a predetermined message digest is generated from the data for internet banking.

Here, the one-way hash function is characterized by being defined as the same one-way hash function as the hash function defined in the Internet banking server 400 for confirming the digital signature according to this drawing.

Thereafter, the electronic signature unit 815 extracts a predetermined terminal side private key for encrypting the message digest from the public certificate (3010), and encrypts the message digest through the extracted terminal side private key (3015). ).

Here, the encryption function of the digital signature unit 815 is called E (Encryption), the terminal private key is k1 (key), the message digest is M (Messge digest), and the message digest encrypted with the terminal side private key. If C (Ciphertext), the encryption function of the digital signature unit 815 can be expressed by the formula, such as "Ek1 (M) = C".

According to an embodiment of the present invention, the algorithm that the digital signature unit 815 encrypts the message digest through the terminal-side private key includes RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the message digest through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the encryption function of the digital signature unit can be expressed as" C = Ek1 (M) = Me mod n ".

Thereafter, the electronic signature unit 815 concatenates the Internet banking data and the message digest encrypted with the terminal-side private key to generate predetermined Internet banking related information (3020), and encrypts the generated Internet banking related information. Provided to the processor 820 (3025).

31 is a diagram illustrating a method for confirming an electronic signature of Internet banking related information from a terminal device 145 in an internet banking server 400 according to an exemplary embodiment of the present invention.

In more detail, FIG. 31 shows the digital signature on the Internet banking server 400 as shown in FIG. As an embodiment of the present invention, a person having ordinary knowledge in the art to which the present invention pertains may refer to and / or modify this drawing 31, and the Internet is electronically signed by the terminal device 145 on the high-speed wireless Internet. Various implementation methods for confirming an electronic signature for banking data may be inferred, but the present invention includes all the inferred implementation methods and is not limited to the implementation method shown in FIG.

In FIG. 31 according to the embodiment of the present invention, the terminal-side public key for confirming the electronic signature is extracted from a predetermined directory operated and managed by a certification authority that issues the certificate to the terminal device 145. Preferably, and / or a copy of the certificate including the terminal-side public key may be further attached from the terminal device 145 and received by the Internet banking server 400 (not shown), thereby limiting the present invention. Not.

Referring to FIG. 31, when the Internet banking related information is decrypted by the encryption unit 510 of the Internet banking server 400 and provided to the digital signature verification unit (3100), the electronic signature unit 815 is the authentication authority. Extracts a terminal side public key for decrypting a message digest encrypted with the terminal side private key from the predetermined directory and / or the Internet banking related information (3105), and through the extracted terminal side public key The encrypted message digest is decrypted (3110).

Here, the decryption function of the digital signature checker 530 is called D (Decryption), the terminal side public key is k2 (key), and the message digest encrypted with the terminal side private key is C (Cipherte4t), and the terminal. If the message digest to be decrypted with the side public key is M (Message digest), the function of the digital signature verification unit to decrypt the encrypted message digest is a formula such as "Dk2 = M, or Dk2 (Ek (M)) = M". It can be expressed as

According to an embodiment of the present invention, an algorithm for decrypting the message digest encrypted by the terminal-side private key by the terminal-side public key through the terminal-side public key is RSA (Ron Rivest). , Adi Shamir, Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, and ECDH. A decryption algorithm may be used, but the decryption algorithm is matched with an encryption algorithm used in the terminal device 145, and the present invention is not limited to a specific decryption algorithm.

For example, in the case of decoding the message digest through the RSA decryption algorithm, among the decryption algorithms, n is a published method used in the decryption process, n is a non-disclosed prime number with different prime factors of n and a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). ) (b-1) ", wherein the decryption function of the digital signature verification unit may be expressed as" M = Dk2 = Cd mod n ".

Subsequently, the electronic signature unit 815 applies a one-way hash function identical to the one-way hash function generated by the terminal device 145 to the data for internet banking included in the internet banking related information, thereby prescribing a predetermined message digest. By generating 3115 and comparing the generated message digest with the decrypted message digest (3120), the validity of the data for the Internet banking is verified.

If the generated message digest coincides with the decrypted message digest (3125), the electronic signature unit 815 controls the confidentiality, authentication, integrity, and nonrepudiation of the Internet banking data. (Non-repudiation) and the like to ensure the electronic signature to check, and provides the Internet banking data for the Internet banking unit 525 is verified (3130), the Internet banking unit 525 is The internet banking process corresponding to the data for internet banking is performed according to the internet banking processing procedure defined in the internet banking server 400.

On the other hand, if the generated message digest and the decrypted message digest do not match (3125), the electronic signature unit 815 treats the data for internet banking as invalid.

32 is a diagram for a method of encrypting and transmitting internet banking related information by a symmetric key (or secret key) method in a terminal device 145 according to an embodiment of the present invention.

More specifically, FIG. 32 is an embodiment of the present invention for encrypting and transmitting the Internet banking related information by a symmetric key (or secret key) method in a terminal device 145 having an encryption function as shown in FIG. 6. If there is a general knowledge in the art, the Internet banking-related information is encrypted in a symmetric key (or secret key) method in the terminal device 145 on the high-speed wireless Internet by referring to and / or modifying the drawing 32. Various implementation methods may be inferred, but the present invention includes all the implementation methods inferred above and is not limited to the implementation method shown in FIG.

In this figure 32 according to the embodiment of the present invention, the symmetric key (or secret key) is preferably read from the public certificate provided in the terminal device 145, the public certificate is the terminal device 145 Stored in a predetermined memory unit and / or stored in an ID-000 type IC chip (or IC card) mounted or detached from the terminal device 145, and / or the terminal device 145 In the case where a predetermined IC card reader is provided, all of them can be stored in an IC card inserted into the IC card reader, and the present invention is not limited thereto.

According to another embodiment of the present invention, the symmetric key (or secret key) is included in the interface screen provided from the internet banking server 400 to the terminal device 145 in addition to the public certificate, and / or the terminal device. It is possible to all be embedded on the communication program to communicate with the Internet banking server 400 on 145, whereby the invention is not limited.

Referring to FIG. 32, the electronic signature unit 815 of the terminal apparatus 145 includes predetermined Internet banking-related information including predetermined Internet banking data and network configuration information (and / or network access information). Is generated, it is provided to the encryption processing unit 820 (3200), if the Internet banking-related information is provided, the encryption processing unit 820 is Internet banking-related information from the official certificate provided in the terminal device 145 A predetermined symmetric key (or secret key) for encrypting is read (3205), and the Internet banking related information is encrypted (3210) through the read symmetric key (or secret key).

Herein, the encryption function of the encryption processing unit 820 is called E (Encryption), the symmetric key (or secret key) is k (key), the Internet banking related information is P (Plaintext), and the symmetric key (or If the Internet banking-related information encrypted with a secret key) is C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by a formula such as "Ek (P) = C".

According to the embodiment of the present invention, the encryption processing unit 820 encrypts the Internet banking related information through the symmetric key (or secret key), SEED, DES (Data Encryption Standard), Triple-DES, Skipjack It is preferable to include at least one or more of an International Data Encryption Algorithm (IDEA), and various types of encryption algorithms may be used, but the present invention is not limited to a specific encryption algorithm.

When the internet banking related information is encrypted through the symmetric key (or the secret key) as described above, the communication processor 825 generates at least one SDU / PDU from the encrypted internet banking related information to form a higher layer on the communication protocol stack. 3320, the wireless processor 630 is configured to a media control layer and a physical layer defined between the wireless processor 630 and the base station 140 based on a communication protocol stack defined on the high-speed wireless Internet. By performing the corresponding communication process (3220), the packet corresponding to the encrypted Internet banking-related information is transmitted to the Internet banking server 400 through a network component on the high-speed wireless Internet.

FIG. 33 is a diagram illustrating a method of decrypting received Internet banking related information encrypted by the Internet banking server 400 using a symmetric key (or secret key) method according to an embodiment of the present invention.

In more detail, FIG. 33 is a symmetric key (or secret) of the Internet banking-related information received from an encrypted terminal device 145 having the encryption function as shown in FIG. 6 in the Internet banking server 400 as shown in FIG. The present invention relates to a method for decrypting by using a key) method, and if the present invention belongs to the general knowledge, the encryption is performed by the terminal apparatus 145 on the high-speed wireless Internet by referring to and / or modifying the drawing 33. Although various embodiments of the present invention may be inferred by decoding the Internet-related banking related information using a symmetric key (or secret key) method, the present invention includes all the inferred implementation methods and is limited to the implementation method illustrated in FIG. Not.

In this figure 33 according to the embodiment of the present invention, the symmetric key (or secret key) is preferably read from the public certificate provided in the Internet banking server 400, the public certificate is the Internet banking server 400 Is preferably stored in a predetermined database (not shown) that cooperates with, and the present invention is not limited thereto.

Referring to FIG. 33, the receiving unit 505 of the Internet banking server 400 includes at least the encrypted Internet banking related information from the operator network of the high-speed wireless Internet through a TCP / IP-based Internet and / or a dedicated line. Receives one or more packets, and restores (or generates) Internet banking related information encrypted through a symmetric key (or a secret key) in the terminal device 145 from the received packet to provide to the encryption unit 510. 3300, the packet including the Internet banking-related information is preferably received through a communication protocol stack defined in the high-speed wireless Internet.

Thereafter, the encryption unit 510 extracts a predetermined symmetric key (or secret key) for decrypting the encrypted Internet banking related information from the public certificate provided in the Internet banking server 400 (3305). The encrypted internet banking related information is decrypted using the extracted symmetric key (or secret key) (3310).

Here, the decryption function of the encryption unit 510 is called D (Decryption), and the Internet banking-related information encrypted with the symmetric key (or secret key) k (key) and the symmetric key (or secret key) is C. (Ciphertext) and the decrypted Internet banking related information is P (Plaintext), the function of decrypting the encrypted Internet banking related information by the encryption unit 510 is "Dk = P, or Dk (Ek (P )) = P ".

According to the embodiment of the present invention, the encryption unit 510 decrypts the encrypted Internet banking related information through the symmetric key (or secret key), SEED, DES (Data Encryption Standard), Triple-DES Preferably, at least one of Skipjack, International Data Encryption Algorithm (IDEA), and various other decryption algorithms can be used, but the decryption algorithm is the encryption algorithm used in the terminal device (145) Characterized by matching, the present invention is not limited by a specific decoding algorithm.

When the internet banking related information encrypted through the symmetric key (or the secret key) is decrypted as described above, the encryption unit 510 provides the decrypted internet banking related information to the digital signature checker 530 (3315). The digital signature verification unit 530 performs the digital signature verification process on the traffic data according to the digital signature verification procedure defined in the internet banking server 400.

34 is a diagram illustrating a method for encrypting and transmitting internet banking related information in a public key infrastructure structure in a terminal device 145 according to an embodiment of the present invention.

More specifically, FIG. 34 illustrates an embodiment of the present invention in which a terminal device 145 having an encryption function as shown in FIG. 6 encrypts and transmits the Internet banking related information in a public key infrastructure. Those skilled in the art can refer to and / or modify this drawing 34 to infer various implementation methods for encrypting the Internet banking related information in a public key manner in the terminal device 145 on the high-speed wireless Internet. It will be appreciated that the present invention encompasses all of the inferred implementation methods and is not limited to the implementation method shown in FIG.

In this figure 34 according to the embodiment of the present invention, the server-side public key is preferably read from the public certificate provided in the terminal device 145, and the public certificate is provided in the terminal device 145. Is stored in the memory unit of the ID and / or in the IC chip (or IC card) of the ID-000 type to be mounted on or detached from the terminal device 145, and / or predetermined in the terminal device 145 When the IC card reader is provided, it is possible to store all of the IC card inserted into the IC card reader, and the present invention is not limited thereto.

Alternatively, the server-side public key may be extracted from a predetermined directory (not shown) that is operated and managed by a certification authority that issues the certificate to the terminal device 145, and thus the present invention is not limited thereto. .

Referring to FIG. 34, the electronic signature unit 825 of the terminal device 145 includes predetermined Internet banking data and network configuration information (and / or network access information). Is generated, it is provided to the encryption processing unit 820 (3400), if the Internet banking-related information is provided, the encryption processing unit 820 is a predetermined server for encrypting the Internet banking-related information from the certificate The side public key is extracted (3405), and the Internet banking related information is encrypted (3410) using the extracted server side public key.

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the server-side public key is k1 (key), the Internet banking related information is P (Plaintext), and the Internet encrypted with the server-side public key. When the banking related information is referred to as C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by an expression such as "Ek1 (P) = C".

According to an embodiment of the present invention, the encryption processing unit 820 encrypts the Internet banking related information through the server-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm). ), DH (Diffie, Hellman), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH is preferably included at least one or more, in addition to various encryption algorithms may be used, but by a specific encryption algorithm The present invention is not limited.

For example, in the case of encrypting the Internet banking related information through the RSA encryption algorithm, among the encryption algorithms, a public method (Modulus) used in the encryption process is n, and a prime number that is not disclosed by different prime factors of n is a. And b, if the published index (e.g., 3 or 216+) is e, and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a -1) (b-1) ", wherein the encryption function of the encryption processing unit 820 may be expressed as" C = Ek1 (P) = Pe mod n ".

When the internet banking related information is encrypted through the server-side public key as described above, the communication processing unit 825 generates at least one SDU / PDU from the encrypted internet banking related information and stores it in a higher layer on the communication protocol stack. 3414, the wireless processor 630 communicates with the media control layer and the physical layer defined between the wireless processor 630 and the base station 140 based on the communication protocol stack defined on the high-speed wireless Internet. By performing the process (3420), the packet corresponding to the encrypted Internet banking-related information is transmitted to the Internet banking server 400 through a network component on the high-speed wireless Internet.

35 is a diagram illustrating a method of decrypting the Internet banking related information encrypted and received by the Internet banking server 400 in a public key infrastructure according to an embodiment of the present invention.

In more detail, in FIG. 35, a public key infrastructure scheme is used in the Internet banking server 400 as shown in FIG. The present invention relates to an embodiment of the present invention, which has ordinary knowledge in the technical field to which the present invention pertains, referring to FIG. 35 and / or modified to the server-side public key from the terminal device 145 on the high-speed wireless Internet. Various implementation methods for decrypting encrypted Internet banking related information in a public key infrastructure scheme may be inferred, but the present invention includes all the inferred implementation methods and is not limited to the implementation method illustrated in FIG. .

In FIG. 35 according to an embodiment of the present invention, the server-side private key for decrypting the Internet banking related information encrypted with the server-side public key in a public key infrastructure structure is the public certificate provided in the Internet banking server 400. It is preferable to read from the certificate, and the public certificate is preferably stored in a predetermined database (not shown) interworking with the Internet banking server 400, whereby the present invention is not limited thereto.

Referring to FIG. 35, at least one receiver 505 of the Internet banking server 400 includes Internet banking related information encrypted from a network of a carrier of the high-speed wireless Internet through a TCP / IP-based Internet and / or a leased line. Receives the above packet, and restores (or generates) Internet banking related information encrypted and transmitted by the terminal device 145 from the received packet and provides the packet to the encryption unit 510 (3500). The packet containing information is preferably received via a communication protocol stack defined in the high speed wireless Internet.

Thereafter, the encryption unit 510 extracts a server-side private key for decrypting the encrypted Internet banking related information from the authorized certificate provided in the Internet banking server 400 (3505), and extracts the extracted server-side individual. The encrypted internet banking related information is decrypted through a key (3510).

Here, the decryption function of the encryption unit 510 is called D (Decryption), the server-side private key is k2 (key), and the Internet banking related information encrypted with the server-side public key is C (Ciphertext) and the server. If the Internet banking related information decrypted with the side private key is P (Plaintext), the function of decrypting the encrypted Internet banking related information by the encryption unit 510 is "Dk2 = P, or Dk2 (Ek (P)) =" It can be expressed by an expression such as "P".

According to an embodiment of the present invention, the encryption unit 510 decrypts the Internet banking related information encrypted with the server-side public key in the terminal device 145 through the server-side private key, RSA (Ron Rivest, Adi Shamir, Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, ECDH, at least one or more of the various forms of decoding An algorithm may be used, but the decryption algorithm is matched with an encryption algorithm used in the terminal device 145, and the present invention is not limited by a specific decryption algorithm.

For example, when decrypting the Internet banking related information through the RSA decryption algorithm among the public key based decryption algorithms, the published method (Modulus) used in the decryption process is not disclosed by n and the different prime factors of n. If the prime is a and b, the published exponent (e.g. 3 or 216+) is e and the undisclosed exponent is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1) (b-1) ", wherein the decryption function of the encryption unit 510 may be expressed as" P = Dk2 = Cd mod n ".

As described above, when the Internet banking related information encrypted by the server side public key is decrypted by the terminal device 145 through the server side private key, the encryption unit 510 sends the decrypted Internet banking related information to the electronic signature checker. In operation 3515, the electronic signature verification unit performs an electronic signature verification process for the traffic data according to the electronic signature verification procedure defined in the internet banking server 400.

36 is a diagram illustrating a method of encrypting and transmitting internet banking related information in an electronic envelope method in a terminal device 145 according to an embodiment of the present invention.

More specifically, FIG. 36 illustrates an embodiment of the present invention for encrypting and transmitting the Internet banking related information in an electronic envelope method in the terminal device 145 having the encryption function as shown in FIG. 6. With ordinary knowledge, various implementation methods for encrypting the Internet banking related information in an electronic envelope method can be inferred from the terminal device 145 on the high-speed wireless Internet by referring to and / or modifying the drawing 36. The present invention includes all the inferred implementation methods, and is not limited to the implementation method illustrated in FIG.

In this figure 36 according to the embodiment of the present invention, the server-side public key is preferably read from the public certificate provided in the terminal device 145, and the public certificate is provided in the terminal device 145. Is stored in the memory unit of the ID and / or in the IC chip (or IC card) of the ID-000 type to be mounted on or detached from the terminal device 145, and / or predetermined in the terminal device 145 When the IC card reader is provided, it is possible to store all of the IC card inserted into the IC card reader, and the present invention is not limited thereto.

Alternatively, the server-side public key may be extracted from a predetermined directory (not shown) that is operated and managed by a certification authority that issues the certificate to the terminal device 145, and thus the present invention is not limited thereto. .

Referring to FIG. 36, when the electronic signature unit of the terminal device 145 generates predetermined internet banking related information including the predetermined internet banking data and network configuration information (and / or network access information), the electronic signature process is generated. And, this is provided to the encryption processing unit 820 (3600), if the Internet banking-related information is provided, the encryption processing unit 820 encrypts the Internet banking-related information by a secret key (symmetric key) method A predetermined random secret key is generated (3605), and the internet banking related information is encrypted using the generated secret key (3610).

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the secret key is r (random secret key), the Internet banking related information P (Plaintext), and the Internet banking encrypted with the secret key When the information is referred to as C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by a formula such as "Er (P) = C".

According to the embodiment of the present invention, the encryption processing unit 820 encrypts the Internet banking related information through the secret key, SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, IDEA (International Data). It is preferable to include at least one or more of the Encryption Algorithm, and various forms of encryption algorithms may be used, but the present invention is not limited to a specific encryption algorithm.

Thereafter, the encryption processing unit 820 encrypts the secret key (random secret key) used to encrypt the Internet banking related information. For this purpose, the encryption processing unit 820 obtains a predetermined server-side public key from the public certificate. In operation 3620, the private key is encrypted using the server-side public key.

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the server-side public key is k1 (key), the secret key is r (random Secret key), and the secret encrypted with the server-side public key. If the key is C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by an expression such as "Ek1 (r) = C".

According to the exemplary embodiment of the present invention, the encryption processing unit 820 encrypts the secret key through the server-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the secret key through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the encryption function of the encryption processing unit 820 may be expressed as" C = Ek1 (r) = re mod n ".

If the Internet banking related information is encrypted with the secret key and the secret key is encrypted with the server side public key, the encryption processing unit 820 encrypts the Internet banking related information encrypted with the secret key with the server side public key. The transaction data associated with the secret key is generated and provided to the communication processor 825 (3625).

The communication processor 825 generates at least one SDU / PDU from the transaction data and stores it in an upper layer on a communication protocol stack (3630), and the wireless processor 630 performs the radio processing unit 630 on the communication protocol stack. By performing communication processing corresponding to the media control layer and the physical layer defined between the base station 140 and the base station 140 (3635), transaction data including the encrypted Internet banking-related information is transmitted to the network component on the high-speed wireless Internet. It transmits to the Internet banking server 400 through.

FIG. 37 is a diagram illustrating a method of decrypting, by an electronic envelope, Internet banking related information that is encrypted and received by an Internet banking server 400 according to an embodiment of the present invention.

More specifically, FIG. 37 shows the transaction in the Internet banking server 400 as shown in FIG. 4 that receives transaction data including encrypted Internet banking related information from the terminal device 145 having the encryption function as shown in FIG. The present invention relates to a method of decoding data using an electronic envelope method. If the present invention belongs to those skilled in the art, the terminal apparatus 145 on the high-speed wireless Internet will be described with reference to FIG. Various implementation methods for decrypting the transaction data encrypted by the electronic envelope method may be inferred by the same electronic envelope method, but the present invention includes all the inferred implementation methods and is limited to the implementation method shown in FIG. 37. Not.

In this figure 37 according to an embodiment of the present invention, the server-side private key for decrypting the transaction data in an electronic envelope method is preferably read from the public certificate provided in the Internet banking server 400, and the public certificate. Is preferably stored in a predetermined database (not shown) interworking with the Internet banking server 400, whereby the present invention is not limited.

Referring to FIG. 37, the receiving unit 505 of the Internet banking server 400 includes Internet banking related information encrypted from the operator network of the high-speed wireless Internet through the TCP / IP-based Internet and / or a dedicated line. Receiving at least one packet including transaction data, and restoring (or generating) transaction data including Internet banking related information encrypted and transmitted from the terminal device 145 from the received packet to the encryption unit ( 510, the packet containing the transaction data is preferably received via a communication protocol stack defined in the high speed wireless Internet.

Thereafter, the encryption unit 510 extracts a server-side private key for decrypting the encrypted secret key included in the transaction data from the public certificate provided in the internet banking server 400 (3705), and extracts the extracted private key. By decrypting the private key encrypted with the server-side public key in the terminal device 145 through a server-side private key (3710), a predetermined secret key for decrypting the Internet banking related information is extracted (3715), and The Internet banking related information is decrypted using the extracted secret key (3720), and the terminal device 145 extracts the internet banking related information encrypted with the secret key (3725).

Here, the decryption function of the encryption unit 510 is called D (Decryption), the server-side private key is k2 (key), the secret key encrypted with the server-side public key is C (Cipherte4t), and the server-side individual. When the secret key decrypted with the key is r (random secret key), the function of decrypting the encrypted secret key by the encryption unit 510 is "Dk2 = r, or Dk2 (Ek1 (r)) = r". It can be expressed as an expression.

According to an exemplary embodiment of the present invention, an algorithm for the encryption unit 510 to decrypt the secret key encrypted with the server-side public key in the terminal device 145 through the server-side private key may be RSA (Ron Rivest, Adi Shamir). , Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, and ECDH. Although it can be used, the decryption algorithm is characterized in that it matches the encryption algorithm used in the terminal device 145, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the secret key through the RSA decryption algorithm among the public key-based decryption algorithms, n is a public method (Modulus) used in the decryption process, and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption unit 510 may be expressed as" P = Dk2 = Cd mod n ".

Here, the decryption function of the encryption unit 510 is called D (Decryption), the secret key is r (random secret key), the Internet banking related information encrypted with the secret key (C (Ciphertext)), and the decryption. When the Internet banking related information is called P (Plaintext), the function of decrypting the encrypted Internet banking related information by the encryption unit 510 is "Dr = P, or Dr (Er (P)) = P". It can be expressed as an expression.

According to the embodiment of the present invention, the encryption unit 510 decrypts the encrypted Internet banking related information through the secret key, SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, IDEA ( International Data Encryption Algorithm) preferably comprises at least one or more, and various forms of decryption algorithms may be used, but the decryption algorithm is matched with the encryption algorithm used in the terminal device (145) The present invention is not limited to the specific decoding algorithm.

When the internet banking related information is decrypted as described above, the encryption unit 510 provides the decrypted internet banking related information to the digital signature verification unit (3715), and the electronic signature verification unit is provided to the Internet banking server 400. The digital signature verification process for the traffic data is performed according to the defined digital signature verification procedure.

38A and 38B illustrate a method of encrypting and transmitting Internet banking related information in a key exchange method in a terminal device 145 according to an embodiment of the present invention.

In more detail, FIGS. 38A and 38B illustrate an embodiment of the present invention for encrypting and transmitting the Internet banking related information by a key exchange method in a terminal device 145 having an encryption function as shown in FIG. 6. Those skilled in the art can refer to and / or modify this drawing 38 to infer various implementation methods for encrypting the Internet banking related information in a key exchange method in the terminal device 145 on the high-speed wireless Internet. It will be appreciated that the present invention encompasses all of the inferred practice methods and is not limited to the practice method shown in FIG.

In the diagram 38 according to the embodiment of the present invention, the terminal-side private key and the server-side public key are preferably read from the public certificate provided in the terminal device 145, and the public certificate is the terminal device 145. ) Is stored in a predetermined memory unit, and / or stored in an ID-000 type IC chip (or IC card) mounted on or detached from the terminal device 145, and / or the terminal device ( If a predetermined IC card reader is provided at 145, all of them can be stored in an IC card inserted into the IC card reader, and the present invention is not limited thereto.

Alternatively, the terminal-side private key and the server-side public key may be extracted from a predetermined directory (not shown) operated and managed by a certification authority that issues the certificate to the terminal device 145. The invention is not limited.

Referring to FIGS. 38A and 38B, predetermined Internet banking-related information, which is electronically signed, includes predetermined Internet banking data and network configuration information (and / or network access information) in the electronic signature unit of the terminal device 145. Is generated, it is provided to the encryption processing unit 820 (3800), if the Internet banking-related information is provided, the encryption processing unit 820 is a predetermined one-way hash function (for example, the Internet) Regardless of the length of banking-related information, a message digest including a hash code of a certain length may be generated, and the original message may be checked (or inferred) through the hash code (or message digest). One-way hash function that cannot be generated.The terminal device 145 and the internet banking server 400 use the same hash function to generate a predetermined message digest. And (3805), by encrypting the private key with the terminal side for the message digest and digital signature (3810).

Herein, the encryption function of the encryption processing unit 820 is called E (Encryption), the terminal-side private key is encrypted with t1 (terminal side key), the message digest is m (message digest), and the terminal-side private key. If the message digest is C (Ciphertext), the digital signature function of the encryption processing unit 820 may be expressed by an expression such as "Et1 (m) = C".

According to an embodiment of the present invention, the encryption processing unit 820 encrypts the message digest using the terminal-side private key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the message digest through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the digital signature function of the encryption processing unit 820 may be expressed as" C = Et1 (m) = me mod n ".

In addition, the encryption processing unit 820 generates a predetermined random secret key for encrypting the Internet banking related information in a secret key (symmetric key) method (3815), and the Internet banking related The message digest encrypted with the terminal-side private key and a copy of a certificate (eg, a certificate including the terminal-side public key) included in the public certificate are linked and encrypted through the generated secret key (3820).

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the secret key is r (random secret key), the Internet banking related information and the copy of the certificate is encrypted with P (Plaintext), and the secret key If the banking related information and the copy of the certificate is called C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by an equation such as "Er (P) = C".

According to the embodiment of the present invention, the encryption processing unit 820 encrypts the Internet banking related information and the certificate copy through the secret key, SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, IDEA It is preferable to include at least one or more of the International Data Encryption Algorithm, and in addition, various types of encryption algorithms may be used, but the present invention is not limited to a specific encryption algorithm.

In addition, the encryption processing unit 820 extracts (3825) a predetermined server-side public key from the authorized certificate in order to encrypt the secret key that encrypts the Internet banking related information, and uses the server-side public key. The secret key encrypting the Internet banking related information is encrypted (3830).

Here, the encryption function of the encryption processing unit 820 is called E (Encryption), the server-side public key is encrypted with s1 (server side key), the secret key is r (random secret key), and the server-side public key. When the secret key is referred to as C (Ciphertext), the encryption function of the encryption processing unit 820 may be expressed by an expression such as "Es1 (r) = C".

According to the exemplary embodiment of the present invention, the encryption processing unit 820 encrypts the secret key through the server-side public key, RSA (Ron Rivest, Adi Shamir, Len Adleman), DSA (Digital Signature Algorithm), It is preferable to include at least one or more of DH (Diffie, Hellman), ECC (Elliptic Curve Cryptosystem), KCDSA, ECDSA, ECDH, in addition to various encryption algorithms may be used, the present invention by a specific encryption algorithm This is not limited.

For example, in the case of encrypting the secret key through the RSA encryption algorithm among the encryption algorithms, the public method (Modulus) used in the encryption process is n, and the non-public prime numbers with different prime factors of n are a and b. , If the published index (e.g., 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod (a-1). (b-1) ", wherein the encryption function of the encryption processing unit 820 may be expressed as" C = Es1 (r) = re mod n ".

The Internet banking-related information and a copy of a certificate including the message digest encrypted with the terminal-side private key and the terminal-side public key are linked to each other and encrypted through the generated secret key, and the secret key is used to store the server-side public key. When encrypted through the encryption processing unit 820, the server-side public copy of the certificate including the Internet banking related information encrypted through the secret key and the message digest encrypted with the terminal-side private key and the terminal-side public key. The predetermined transaction data is generated in association with the secret key encrypted with the key, and the generated transaction data is provided to the communication processor 825 (3835).

The communication processor 825 generates at least one SDU / PDU from the transaction data and stores it in a higher layer on a communication protocol stack (3840), and the wireless processor 630 transmits the radio processor 630 to the communication protocol stack. By performing a communication process corresponding to the media control layer and the physical layer defined between the base station 140 and the base station 140 (3845), the encrypted Internet banking-related information is transmitted through the network component on the high-speed wireless Internet. Send to server 400.

39A and 39B illustrate a method of decrypting received Internet banking related information encrypted by the Internet banking server 400 by a key exchange method according to an embodiment of the present invention.

In more detail, FIGS. 39A and 39B illustrate an Internet banking server 400 as shown in FIG. 4, which receives transaction data including encrypted Internet banking related information from a terminal device 145 having an encryption function as shown in FIG. 6. The present invention relates to a method for decrypting the transaction data in a key exchange method, and if the present invention belongs to one of ordinary skill in the art, referring to FIG. Although various implementation methods for decrypting the transaction data encrypted by the key exchange scheme in the same key exchange scheme may be inferred at 145, the present invention includes all the inferred implementation methods, and is illustrated in FIG. 39. It is not limited to implementation method.

In this figure 39 according to an embodiment of the present invention, the server-side private key and the terminal-side public key for decrypting the transaction data in a key exchange method are preferably read from the public certificate provided in the Internet banking server 400. In addition, the public certificate is preferably stored in a predetermined database (not shown) interworking with the Internet banking server 400, whereby the present invention is not limited.

Referring to FIGS. 39A and 39B, the receiver 505 of the Internet banking server 400 includes Internet banking related information encrypted through a TCP / IP-based Internet and / or a leased line from a carrier network of the high-speed wireless Internet. Receiving at least one packet including transaction data, and restoring (or generating) transaction data including Internet banking related information encrypted and transmitted by the terminal device 145 from the received packet (3900). And providing the restored (or generated) transaction data to the encryption unit 510 (3905), wherein the packet including the transaction data is received through a communication protocol stack defined in the high speed wireless Internet. And / or the image encrypted with the Internet banking related information encrypted with the secret key and the terminal-side private key. It comprises a message digest with the terminal side 's public key, the private key encrypted with the public key certificate with a copy of the server-side that includes preferred.

Thereafter, the encryption unit 510 extracts the server-side private key from the public certificate provided in the Internet banking server 400 to decrypt the secret key encrypted with the server-side public key (3910), and the server side. By decrypting the secret key through a private key (3915), the secret key for decrypting a copy of a certificate including the message digest encrypted with the Internet banking related information and the terminal-side private key and the terminal-side public key is extracted. (3920)

Here, the decryption function of the encryption unit 510 is called D (Decryption), the server side private key is s2 (server side key), the secret key encrypted with the server side public key is C (Ciphertext), and the server. If the secret key decrypted with the side private key is r (random secret key), the function of decrypting the encrypted secret key by the encryption unit 510 is "Ds2 = r, or Ds2 (Es1 (r)) = r". It can be expressed as

According to an exemplary embodiment of the present invention, an algorithm for the encryption unit 510 to decrypt the secret key encrypted with the server-side public key in the terminal device 145 through the server-side private key may be RSA (Ron Rivest, Adi Shamir). , Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, and ECDH. Although it can be used, the decryption algorithm is characterized in that it matches the encryption algorithm used in the terminal device 145, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the secret key through the RSA decryption algorithm among the public key-based decryption algorithms, n is a public method (Modulus) used in the decryption process, and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption unit 510 may be expressed as" P = Ds2 = Cd mod n ".

When the secret key is extracted as described above, the encryption unit 510 includes a certificate including the message digest and the terminal side public key encrypted with the Internet banking related information and the terminal side private key using the extracted secret key. By decrypting the copy (3925), a certificate copy including the Internet banking related information encrypted with the secret key and the message digest encrypted with the terminal-side private key and the terminal-side public key is extracted.

Here, the decryption function of the encryption unit 510 is called D (Decryption), the secret key is r (random secret key), the Internet banking-related information encrypted with the secret key and the message digest encrypted with the terminal-side private key And a copy of the certificate including the terminal-side public key C (Ciphertext), and a copy of the certificate including the message digest and the terminal-side public key encrypted with the decrypted Internet banking related information and the terminal-side private key P ( Plaintext), the encryption unit 510 decrypts a copy of the certificate including the encrypted Internet banking related information, the message digest encrypted with the terminal-side private key, and the terminal-side public key. , Or Dr (Er (P)) = P ".

According to an embodiment of the present invention, the encryption unit 510 copies a certificate including the message digest and the terminal side public key encrypted with the encrypted internet banking related information and the terminal side private key through the secret key. The decryption algorithm may include at least one or more of SEED, DES (Data Encryption Standard), Triple-DES, Skipjack, and International Data Encryption Algorithm (IDEA), and various types of decryption algorithms may be used. The decryption algorithm is matched with the encryption algorithm used in the terminal device 145, and the present invention is not limited to the specific decryption algorithm.

In addition, the encryption unit 510 decrypts the message digest encrypted with the terminal-side private key through the terminal-side public key (3930), thereby generating and transmitting the Internet banking related information from the terminal device 145. The message digest is extracted (3935).

Here, the decryption function of the encryption unit 510 is called D (Decryption), the terminal side public key is t2 (terminal side key), the message digest encrypted with the terminal side private key is C (Ciphertext), and the terminal. If the message digest decrypted with the side public key is m (Message Digest), the function of decrypting the encrypted message digest by the encryption unit 510 is "Dt2 = m, or Dt2 (Es1 (r)) = m"; The same formula can be used.

According to an exemplary embodiment of the present invention, an algorithm for decrypting the message digest encrypted by the terminal device 145 with the terminal-side private key through the terminal-side public key may be RSA (Ron Rivest, Adi Shamir). , Len Adleman (DSA), Digital Signature Algorithm (DSA), Diffie, Hellman (DH), Elliptic Curve Cryptosystem (ECC), KCDSA, ECDSA, and ECDH. Although it can be used, the decryption algorithm is characterized in that it matches the encryption algorithm used in the terminal device 145, the invention is not limited by a specific decryption algorithm.

For example, when decrypting the message digest through the RSA decryption algorithm of the public key-based decryption algorithm, n is a public method (Modulus) used in the decryption process and n is a prime number that is not disclosed by different prime factors of n. If a and b, the published index (e.g. 3 or 216+) is e and the undisclosed index is d, then n satisfies "n = a * b" and d is "de = 1 mod ( a-1) (b-1) ", wherein the decryption function of the encryption unit 510 may be expressed as" P = Dt2 = Cd mod n ".

Thereafter, the encryption unit 510 generates a predetermined message digest using the same one-way hash function with the received Internet banking-related information (3940), and then generates the generated message digest and the decryption. By comparing the received message digest (3945), the validity of the received Internet banking related information is verified.

If the generated message digest coincides with the decrypted message digest (3950), the encryption unit 510 provides the decrypted Internet banking related information to the digital signature verification unit (3915), and the digital signature verification unit The digital signature verification process for the traffic data is performed according to the digital signature verification procedure defined in the internet banking server 400.

400: Internet banking server 405: Web interface unit
410: UI processing unit 415: web page operation unit
420: DBMS 425: content management unit
430: customer authentication unit 435: banking processing unit
440: ledger processing unit

Claims (4)

A storage medium for retaining service profile information to be allocated to a subscriber profile and a terminal device accessing a high-speed wireless Internet network;
When the terminal device accesses the high-speed wireless Internet network, the terminal device configures the subscriber profile and service flow information for the terminal device, assigns the terminal profile to the terminal device, and when the terminal device is requested to access the Internet banking server, And means for changing the subscriber profile and service flow information to access the internet banking server.
The method of claim 1, wherein the subscriber profile is:
A context ID uniquely identifying the terminal device, IP address information of the terminal device, a message authentication code (MAC) address of the terminal device, the number of flows to be serviced to the terminal device, At least one current service state of the terminal device, the number of service classes provided to the terminal device, a service class name, a subscriber name, an address type serviced by the terminal device, and a cell ID where the terminal device is located. Internet banking providing device using a high-speed wireless Internet network, characterized in that made.
The method of claim 1, wherein the service flow information,
A context ID uniquely identifying the terminal device, a flow ID uniquely identifying a service flow assigned to the terminal device, a service class name, a quality of service (QoS) type, a maximum sustained traffic rate, a maximum traffic burst, An apparatus for providing internet banking using a high-speed wireless internet network comprising at least one of a minimum reservation traffic rate, a flow schedule type, and allowable jitter.
The method of claim 1, wherein the apparatus,
When a request is made to access an internet banking server from the terminal device, the service class or the number of flows of the subscriber profile is changed to a class (or number) negotiated with the internet banking server, and the flow ID of the service flow information is transferred to the internet banking service. Internet banking providing device using a high-speed wireless Internet network, characterized in that for changing to a corresponding ID.

Images