KR20140027580A - Method for secure input in on-line service, apparatus and storage medium therefor - Google Patents
- Publication number
- KR20140027580A (application KR1020120074041A)
- Authority
- KR
- South Korea
- Prior art keywords
- security
- application
- data
- input
- service
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Description
The present invention relates to a method and an apparatus for secure input in an online service. More particularly, it relates to a method, an apparatus and a recording medium for securely inputting data that requires security in an online service, using the isolation environment of a terminal device in which a non-secure area operated by a general operating system and a secure area operated by a secure operating system are physically separated.
BACKGROUND OF THE INVENTION A portable terminal device is a terminal device that supports a communication function based on mobility, and is used in a wide range of fields because of its convenience and portability. Such portable terminal devices have recently been developed in the form of smartphones equipped with various user functions, and provide various conveniences and entertainment. Smartphones support an active open market, so that customers can easily obtain the applications they want. Their high performance also allows smartphones to handle many of the functions that PCs handle.
However, because smartphones are based on an open operating system (OS), which is a characteristic feature of smartphones, rapid market expansion has been accompanied by various security threats arising from the operator's open network and from the use of applications obtained through the open market. For example, smartphones are easily exposed to malware and are vulnerable to hacking such as Lab Attack. A smartphone infected with malware can suffer not only terminal device malfunction but also excessive battery consumption due to continuous network connection, excessive billing, and leakage of personal and financial information. Such malicious code is mainly dealt with in software, through vaccine programs. Lab Attack, on the other hand, is a hack that reads specific information in the internal storage area of the smartphone or references and changes the information of the terminal device itself; a terminal device subjected to Lab Attack may be exposed to risks such as duplication following hacking of the terminal device's IMEI.
Currently, security technology for smartphones intended to eliminate the security risks described above has mainly focused on S/W-based vaccine programs or traffic control on the network. However, in the case of smartphones, user information can be easily exposed through hardware control, and conventional S/W-based security technology cannot provide sufficient security. In particular, security technology is essential both for the security of the smartphone itself, for example against jailbreaking or rooting, and for payment, financial, corporate and similar services.
In particular, most of the applications installed in a smartphone involve online operation, and the terminal device often has to receive various types of data at the request of a service device and transmit that data to the service device.
However, while data is being input in the terminal device or while the input data is being transmitted, the data is likely to be exposed to a third party with a malicious purpose, which may cause problems such as personal information leakage or financial damage. A security measure against this is therefore required.
Accordingly, the present invention provides a method for secure input in an online service, and an apparatus and a recording medium therefor, for securely delivering user data required during an online service from a terminal device to a service device, using the isolation environment of a terminal device in which a non-secure area operated by a general operating system and a secure area operated by a security operating system are physically separated.
As a means for solving the above problems, the present invention provides a system for secure input in an online service, including: a service device that requests data input from an application installed in a terminal device and performs a specific service or function using the data received in response to the request; and a terminal device that has an isolation environment in which a non-secure area operating on an open operating system and a secure area operating on a security operating system are separated, and that receives and encrypts user data through the secure area and then transmits the encrypted data to the service device through the application in the non-secure area.
As another means for solving the above problems, the present invention provides a terminal device for secure input, including: a communication unit that connects to the service device via a communication network to transmit and receive data; an input unit that receives data from a user; and a control unit in which a non-secure area operating on an open operating system and a secure area operating on a security operating system are separated, which executes, through the non-secure area, an application that performs a specific service or function by interworking with the service device, and which, in response to a request of the application, controls the input unit through the secure area, receives data from the user, encrypts the data, and then transmits the encrypted data to the service device through the application in the non-secure area.
In the terminal device according to the present invention, the control unit includes: a security input module that receives data from a user by accessing the input unit based on the security operating system; an encryption module that operates on the security operating system and encrypts the data input from the security input module; and a service API module that executes the security input module and the encryption module in response to a request from an application installed in the non-secure area, and returns the encrypted data to the application as a result value.
In the terminal device according to the present invention, the control unit may further transmit the encryption seed value used to encrypt the data to the service device.
As another means for solving the above problems, the present invention provides a service device including: an application server unit that requests input of user data from an application executed in the non-secure area of a terminal device in which a non-secure area operating on an open operating system and a secure area operating on a security operating system are physically separated, receives encrypted data from the application in response, and performs a specific service or function based on data obtained by decrypting the encrypted data; and a security input server unit that decrypts the encrypted data.
In the service device according to the present invention, the application server unit may further receive an encryption seed value together with the encrypted data from the application of the terminal device, and the security input server unit may generate a decryption key from the encryption seed value and decrypt the encrypted data using the generated decryption key.
As another means for solving the above problems, the present invention provides a method for secure input in an online service, including the steps of: a terminal device executing, in the non-secure area and based on an open operating system, an application that performs a specific service or function in conjunction with a service device; receiving user data through a secure area based on a security operating system in response to a request of the application; encrypting the data received through the secure area; and transmitting the encrypted data to the service device through the application in the non-secure area.
In the method for secure input in an online service according to the present invention, before the step of receiving user data through the secure area, the method may further include the application receiving a data input request from the service device and requesting data input from the secure area through a service application program interface (API) configured for the secure input service of the secure area.
In the method for secure input in an online service according to the present invention, the step of transmitting to the service device may include the steps of: returning the encrypted data from the secure area to the application; and the application transmitting the returned encrypted data to the service device.
According to another aspect of the present invention, there is provided a method for secure input in an online service, including the steps of: a service device requesting input of user data from an application executed in the non-secure area of a terminal device in which a non-secure area operating on an open operating system and a secure area operating on a security operating system are physically separated; receiving encrypted data from the application in response to the request; and decrypting the encrypted data and performing a specific service or function based on the decrypted data.
The method for secure input in an online service described above may further include receiving an encryption seed value from the application of the terminal device and generating, from the encryption seed value, a decryption key to be applied to the encrypted data.
As another means for solving the above problems, the present invention provides a computer-readable recording medium storing a program implemented to perform the steps of: receiving user data through a secure area based on a security operating system, in response to a request of an application executed by a computer on an open operating system in a non-secure area; encrypting the data received through the secure area; and returning the encrypted data to the application.
As described above, according to the method and apparatus for secure input in an online service according to the present invention, when an arbitrary application installed in a terminal device operates in connection with a service device connected through a communication network, data requested by the service device can be securely delivered by means of an isolation environment technology in which the non-secure area operating on an open operating system and the secure area operating on a security operating system are physically separated.
In particular, by driving the security input module installed in the secure area in response to a request of any application installed in the non-secure area, the present invention can securely receive from the user the data needed to perform the service. By also driving the encryption module installed in the secure area to encrypt the input data and returning the encrypted data to the application operating in the non-secure area, it allows the data to be securely transferred to the service device through the application.
In particular, the encryption seed value is transmitted along with the encrypted data, so that the service device can securely obtain the original data by decrypting the encrypted data using the received encryption seed value.
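The terminal-to-server flow summarized above, as an added Python example that is not part of the patent: the secure area encrypts the input under a fresh encryption seed, the non-secure application only relays the result, and the secure input server derives the decryption key from the seed. The patent does not say how the seed becomes a key; this example assumes a pre-provisioned `DEVICE_SECRET` mixed with the seed through HKDF, so that the relaying application, which sees the seed, cannot derive the key. All function names are hypothetical, and the HMAC-based keystream with encrypt-then-MAC stands in for a standard AEAD cipher.

```python
import hashlib
import hmac
import secrets

# Assumption (not in the patent text): a per-device secret provisioned into the
# secure area and registered with the secure input server. Constructed value.
DEVICE_SECRET = bytes(range(32))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(device_secret: bytes, seed: bytes):
    """Turn the encryption seed into an encryption key and a MAC key."""
    okm = hkdf_sha256(device_secret, seed, b"secure-input v1", 64)
    return okm[:32], okm[32:]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for AES-CTR)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def secure_area_service_api(user_data: bytes, device_secret: bytes = DEVICE_SECRET) -> dict:
    """Secure area: security input module -> encryption module -> result value.

    On a real device user_data would be read from the input unit under the
    security operating system; here it is passed in directly.
    """
    seed = secrets.token_bytes(16)  # fresh seed per input, so keys never repeat
    enc_key, mac_key = derive_keys(device_secret, seed)
    ciphertext = keystream_xor(enc_key, user_data)
    tag = hmac.new(mac_key, seed + ciphertext, hashlib.sha256).digest()
    return {"seed": seed, "ciphertext": ciphertext, "tag": tag}


def non_secure_app_relay(result: dict) -> dict:
    """Non-secure area: the application forwards the result without opening it."""
    return dict(result)


def secure_input_server_decrypt(message: dict, device_secret: bytes = DEVICE_SECRET) -> bytes:
    """Service device: derive the decryption key from the seed, verify, decrypt."""
    enc_key, mac_key = derive_keys(device_secret, message["seed"])
    expected = hmac.new(mac_key, message["seed"] + message["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("encrypted input failed authentication")
    return keystream_xor(enc_key, message["ciphertext"])


def demo() -> bytes:
    pin = b"4921"  # constructed sample input
    message = non_secure_app_relay(secure_area_service_api(pin))
    return secure_input_server_decrypt(message)


if __name__ == "__main__":
    print(demo())
```

If the key were derived from the seed alone, anything in the non-secure area that observes the relayed message could decrypt it, which is why the example binds the seed to a secret held only by the secure area and the server.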
FIG. 1 is a diagram schematically showing the configuration of a system for secure input in an online service according to an embodiment of the present invention.
FIG. 2 is a block diagram showing the overall configuration of a terminal device for secure input in an online service according to an embodiment of the present invention.
FIG. 3 is a block diagram schematically illustrating an isolation environment structure in a terminal device according to an exemplary embodiment of the present invention.
FIG. 4 is a block diagram illustrating a detailed configuration for secure input in a terminal device for secure input in an online service according to an embodiment of the present invention.
FIG. 5 is a diagram illustrating a processing procedure in a system for secure input in an online service according to an exemplary embodiment of the present invention.
FIG. 6 is a flowchart illustrating a method for secure input in an online service performed by a terminal device according to an exemplary embodiment of the present invention.
FIG. 7 is a flowchart illustrating a method for secure input in an online service performed by a service apparatus according to an exemplary embodiment of the present invention.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description and the accompanying drawings, detailed descriptions of well-known functions or constructions that may obscure the subject matter of the present invention are omitted. The same constituent elements are denoted by the same reference numerals wherever possible throughout the drawings.
FIG. 1 is a diagram schematically showing the configuration of a system for secure input in an online service according to an embodiment of the present invention.
As shown in FIG. 1, the present invention may be applied to a case in which the
Here, the
The
In addition, the
2 is a block diagram illustrating a configuration of a
Referring to FIG. 2, the
The
First, the
The
The
The
The
The
The
The
For example, when a payment request using secure data is generated, the
The
In addition, the
When the power supply is applied to the
In the above-described configuration, when a data input request is generated from the
3 is a view for explaining the hierarchical structure of the
In this case, the
The
4 is a block diagram illustrating a configuration for secure input processing in an online service according to the present invention in the
Referring to FIG. 4, in the
The
In addition, as shown in FIG. 5, the
Next, the security input procedure in the online service made between the
1 to 5, any
The
The
In addition, the data input by the
The
Accordingly, the
The
The
For example, when the
In this case, the
Since the data is input and encrypted through the
In addition, the
Meanwhile, the above-described
In addition, the
FIG. 6 is a flowchart sequentially illustrating a security input method in an online service of a terminal device according to the present invention.
Referring to FIG. 6, the security input method of the online service will be described again. An application installed in the
The application receiving the data input request of the
Accordingly, the
Subsequently, the
The encrypted input data is returned to the application of the
Accordingly, the
7 is a flowchart illustrating a security input method in an online service performed by the
Referring to FIG. 7, the
Thus, as described above with reference to FIG. 6, the application that receives the input request requests a security input to the
At this time, the
In addition, an encryption seed value is also received from the application of the
Here, the encrypted data and the encryption seed value may be received together.
The
In addition, the above-described security input method in the online service of the present invention may be implemented in software form readable through various computer means and recorded in a computer-readable recording medium. For example, a program implementing the secure input method in an online service according to the present invention may be implemented to perform a function of receiving user data through a secure area based on a security operating system, in response to a request of an application running on an open operating system in a non-secure area, a function of encrypting the data input through the secure area, and a function of returning the encrypted data to the application.
Here, the recording medium may include program commands, data files, data structures, and the like, alone or in combination. The program instructions recorded on the recording medium may be those specially designed and constructed for the present invention, or may be known and available to those skilled in the art of computer software. For example, the recording medium may be a magnetic medium such as a hard disk, a floppy disk or a magnetic tape; an optical recording medium such as a compact disk read only memory (CD-ROM) or a digital video disk (DVD); a magneto-optical medium such as a floptical disk; or a hardware device specially configured to store and execute program instructions, such as a ROM, a random access memory (RAM) or a flash memory. Examples of program instructions include machine language code such as that generated by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like. Such hardware devices may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.
As described above, preferred embodiments of the present invention have been described through the specification and drawings. Although specific terms have been used, they are used only in a general sense to explain the technical contents of the present invention easily and to help understanding of the present invention, and are not intended to limit the scope of the present invention. It will be apparent to those skilled in the art that other modifications based on the technical idea of the present invention may be practiced without departing from the scope of the invention disclosed herein.
The present invention can be applied to various types of user terminal devices having a communication function. When any application installed in the terminal device operates in connection with a service device connected through a communication network, data requested by the service device can be securely delivered by means of an isolation environment technology in which the non-secure area operating on a general open operating system and the secure area operated by a security operating system are physically separated.
In particular, by driving the security input module installed in the secure area in response to a request of any application installed in the non-secure area, the present invention can securely receive from the user the data required to perform the service. By also driving the encryption module installed in the secure area, the data is encrypted and returned to the application operating in the non-secure area, so that the data can be securely transferred to the service device through the application.
In particular, the encryption seed value is transmitted along with the encrypted data, so that the service device can securely obtain the original data by decrypting the encrypted data using the received encryption seed value.
100: terminal device 110: communication unit 120: input unit
130: output unit 140: storage unit 150: control unit
151: non-security area 152: security area 200: service device
210: application server unit 220: secure input server unit 300: communication network
Claims (12)
A non-secure area operating based on an open operating system and a security area operating based on a security operating system have a physically separated isolation environment, and while executing the application through the non-secure area, the security is requested at the request of the application. And a terminal device for receiving and encrypting user data through an area, and then transmitting the encrypted data to the service device through the application in an insecure area.
An input unit to receive data from a user; And
The non-secure area operating based on the open operating system and the secure area operating based on the security operating system are physically separated, and executing an application that performs a specific service or function through interworking with the service device through the non-secure area. And a control unit which controls the input unit through the secure area according to a request of the application, receives data from a user, encrypts the data, and transmits the encrypted data to the service device through an application in the non-secure area. Terminal device for secure input in the online service.
A security input module installed in the security area and receiving data from a user by accessing an input unit based on the security operating system;
An encryption module installed in the security area and operating based on the security operating system to encrypt data input from the security input module; And
A service API module installed in the secure area to execute the secure input module and the encryption module in response to a request from an application installed in the non-secure area, and return the encrypted data to the application as a result; Terminal device for secure input in the online service comprising a.
And the control unit further transmits an encryption seed value used for encrypting the data to the service device.
And a security input server unit for decrypting the encrypted data.
The application server unit further receives an encryption seed value together with the encrypted data from the application of the terminal device,
And the security input server unit generates a decryption key using the encryption seed value, and decrypts the encrypted data by using the generated decryption key.
Executing an application that performs a specific service or function in association with a service based on an open operating system in an insecure area;
Receiving user data through a security area based on a security operating system according to a request of the application;
Encrypting data received through the security area;
Transmitting encrypted data to a service device via an application in the non-secure area.
And receiving, by the application, a data input request from a service device, and requesting data input to a security zone through a service application program interface (API) configured for a security input service of the security zone. Method for secure input in services.
Returning the encrypted data to the application in the secure area; And
And sending, by the application, the returned encrypted data to a service device.
Receiving encrypted data from the application in response to the request; And
Decrypting the encrypted data and performing a specific service or function based on the decrypted data.
Receiving an encryption seed value from the application, and generating a decryption key to be applied to the encrypted data through the encryption seed value.
A function of receiving user data through a security zone based on a security operating system according to a request of an application running on an open operating system in an insecure zone;
Encrypting data received through the security area; And
A computer-readable recording medium storing a program implemented to perform a function of returning encrypted data to the application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120074041A KR20140027580A (en) | 2012-07-06 | 2012-07-06 | Method for secure input in on-line service, apparatus and storage medium therefor |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120074041A KR20140027580A (en) | 2012-07-06 | 2012-07-06 | Method for secure input in on-line service, apparatus and storage medium therefor |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20140027580A (en) | 2014-03-07 |
Family
ID=50641390
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020120074041A KR20140027580A (en) | 2012-07-06 | 2012-07-06 | Method for secure input in on-line service, apparatus and storage medium therefor |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20140027580A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017018719A1 (en) * | 2015-07-27 | 2017-02-02 | 삼성전자 주식회사 | Security network system and data processing method therefor |
-
2012
- 2012-07-06 KR KR1020120074041A patent/KR20140027580A/en not_active Application Discontinuation
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017018719A1 (en) * | 2015-07-27 | 2017-02-02 | 삼성전자 주식회사 | Security network system and data processing method therefor |
KR20170012957A (en) * | 2015-07-27 | 2017-02-06 | 삼성전자주식회사 | system for secure network and data processing method thereof |
US10637827B2 (en) | 2015-07-27 | 2020-04-28 | Samsung Electronics Co., Ltd. | Security network system and data processing method therefor |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E902 | Notification of reason for refusal | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |