KR20140033552A - Method for authentication users using multi-channel based on trusted platform, apparatus thereof, terminal thereof and system thereof - Google Patents

Abstract

The present invention relates to a method for authenticating multi-channel users based on a trusted platform, and a service device, a terminal, and a system therefor. Authentication using an ID and a password of a user using an Internet service and an authenticating procedure through a terminal based on a trusted platform may be performed to prevent hacking against the security outside and to increase security stability by authenticating a user through an ID and a password and performing an authenticating procedure using a certificate between a terminal in which a trusted platform is mounted and a service device. An isolation environment divided into a non-security region operated based on an open operating system and a security region operated based on a security operating system is provided, authorization with respect to user authentication is assigned from a service device on a web so that an authentication procedure is performed at a security region, thereby providing a stable security function without exposing information. [Reference numerals] (10) Terminal; (20) Service device; (30) User PC; (S11) Request first authentication using ID and password; (S13) Perform first authentication; (S15) Request second authentication; (S17) Perform second authentication; (S19) Transmit second authentication result; (S21) Confirm second authentication result; (S23) Authentication success?; (S25) Transmit user authentication complete message; (S27) Provide and execute web service

Description

Trusted platform-based multi-channel user authentication method, service device for the same, terminal and system for the same {Method for authentication users using multi-channel based on trusted platform, apparatus, terminal terminal and system}

The present invention relates to a user authentication method based on a trusted platform, a service apparatus for the same, a terminal for the same, and a system therefor. More specifically, after authentication through an ID and a password at the time of user authentication, the terminal is equipped with a trusted platform. The present invention relates to a trusted platform based multi-channel user authentication method for performing an authentication process using a certificate between a service device and a service device, a service device for the same, a terminal for the same, and a system for the same.

In general, users use a web service to receive their ID after registering their personal information through a membership to a service device that provides a corresponding web service in order to use a specific web service.

In this case, users register their personal information, for example, personal information such as social security numbers, and then use the corresponding web service. As various types of web service providing apparatuses providing various web services increase, user IDs must be managed. As the number of passwords and passwords is also increasing, there are many difficulties in managing IDs from the user's point of view, and they are always exposed to the anxiety that their personal information can be misused if the user's personal information is exposed due to the hacking of weak security devices. .

Accordingly, Trusted Platform (TP) is a technology that provides a strong security function in the CPU of a smartphone to provide a secure execution environment (TEE). It offers a variety of security services, including enterprise solutions.

However, in order to provide services based on the trusted platform, service developers design the application to be divided into general areas and security areas of smartphones, and implement and deploy them using APIs provided by each environment and trusted platform. There is a difficulty to do.

In addition, the user authentication for using the Internet service is generally made through the user's ID and password, but this is inferior in security due to hacking of the user's PC, etc. Also, the authentication method that is performed on the same PC does not provide perfect security in an easy-to-use internet environment.

Therefore, there is a need to supplement security weaknesses through multi-channel authentication using a terminal equipped with a trusted platform along with user authentication consisting of an ID and password.

Korean Laid-Open Patent Publication 10-2008-0076399 A, published August 20, 2008 (Name: Mutual authentication system between user and server using mobile device, method and recording medium)

The present invention has been proposed to solve the above-mentioned conventional problems, and in particular, an object of the present invention is to perform an authentication process through a certificate after authentication using an ID and password using a terminal equipped with a trusted platform during user authentication. By providing a trusted channel-based multi-channel user authentication method, a service device for the same, a terminal for the same and a system therefor that can improve the vulnerability of the security.

In addition, another object of the present invention is to provide a user terminal with an isolation environment divided into an unsecured area operating based on an open operating system and a secure area operating based on a secure operating system. It is intended to provide a multi-channel user authentication method based on a trusted platform that can perform user authentication in the security area of a terminal, a service apparatus for the same, a terminal for the same, and a system for the same.

A multi-channel user authentication system based on a trusted platform for achieving the above object provides a specific web service, a service device and an open operating system that support a user's login by a multi-channel authentication method according to mutual agreement with a terminal. It has an isolation environment that is divided into a non-secure area operating based on and a security area operating based on a security operating system, and a signal for requesting user authentication from the service device through the non-secure area by a user request for using a web service. Is received, after the user authentication is performed based on a pre-registered user certificate in the security area, characterized in that it comprises a terminal for transmitting a user authentication success message to the service device through the non-security area.

The terminal according to an embodiment of the present invention is divided into a non-secure area operating based on an open operating system and a communication unit transmitting and receiving information for user authentication with a service device through a communication network, and a security area operating based on a security operating system. When a signal for requesting user authentication through a non-secure area is received from a service device by a user request for using a web service, after performing user authentication based on a certificate for each user registered in the security area, And a control unit for controlling to transmit the result of the user authentication to the service device through the non-secure area.

In the terminal according to the present invention, the control unit registers a certificate matching the user's ID through the security area at the request of the service apparatus.

In addition, in the terminal according to the present invention, the control unit performs a user authentication using a certificate in a security area when a certificate matching a specific user exists.

In addition, in the terminal according to the present invention, if the certificate matching the specific user does not exist, the control unit in the non-secure area, characterized in that the certificate matching the ID does not exist.

In addition, the terminal according to the present invention, characterized in that it further comprises a storage unit for matching the user's certificate with the user's ID to store in the secondary authentication DB for authentication of the user through the security area.

The service apparatus according to an embodiment of the present invention requests the use of at least one terminal and a web service having an isolation environment divided into a non-secure area operating based on an open operating system and a secure area operating based on a security operating system. Authentication is performed through an ID and password received from a service communication unit for transmitting and receiving data for user authentication and a user PC requesting use of a web service by communicating with at least one user PC, and for user authentication to an unsecured area of the terminal. And a service control unit for requesting authentication, checking a result of authentication received from the terminal, transmitting a user authentication completion message to the user PC according to the confirmed result, and providing a web service.

The multi-channel user authentication method based on the trusted platform according to an embodiment of the present invention comprises the steps of receiving a signal for requesting user authentication through a non-secure area in response to a user request to use a web service provided by the service device; In response to the signal, the terminal performs user authentication based on a user-specific certificate registered in the security area and the terminal transmits the result of the user authentication result to the service device through the non-secure area. do.

In addition, in the trusted platform-based multi-channel user authentication method according to the present invention, before the step of receiving, the terminal receives a request for registration of a certificate matching the user ID from the service device, and the user according to the request The method may further include registering a user ID and a certificate for authentication, and transmitting the certificate registration result to the service device.

In addition, in the multi-channel user authentication method based on the trusted platform according to the present invention, the step of performing a terminal checks whether a certificate matching the user's ID exists and the terminal has a certificate matching the result of the verification. If so, characterized in that it comprises the step of performing the user authentication based on the certificate.

In addition, in the multi-channel user authentication method based on the trusted platform according to the present invention, the step of performing a terminal checks whether a certificate matching the user's ID exists and the terminal has a certificate matching the result of the verification. If not, characterized in that it comprises the step of requesting the certificate registration for the user to the service device.

In a multi-channel user authentication method based on a trusted platform according to an embodiment of the present invention, the service device performs authentication through an ID and a password received from a user PC requesting the use of a web service, and the service device authenticates. Upon completion, requesting authentication for user authentication to the non-secure area of the terminal; when the service device receives a result of authentication from the terminal, transmitting a user authentication completion message to the user PC according to the result; and the service device And providing the web service to the user PC upon completion of the user authentication.

In addition, the multi-channel user authentication method based on the trusted platform according to the present invention, before the step of requesting authentication, the service device further comprises the step of registering a certificate matching the terminal and the user ID. do.

In the multi-channel user authentication method based on the trusted platform according to the present invention, after the request for authentication, if the service device fails user authentication, transmitting a message about the user authentication failure to the user PC; It further comprises.

As another means for solving the problem of the present invention, there is provided a computer-readable recording medium recorded with a program for executing a trusted channel-based multi-channel user authentication method.

According to the present invention, along with authentication using a user ID and password of the user who wants to use the Internet service, the authentication process can be performed through a trusted platform-based terminal to prevent hacking from outside the security, and improve security stability. Can be.

In addition, it has an isolation environment that is divided into a non-secure area based on an open operating system and a secure area operating based on a secure operating system, and performs an authentication process in a secure area by delegating user authentication from a service device on the web. Thus, a stable security function can be provided without a problem of information exposure.

1 is a diagram showing the configuration of a multi-channel user authentication system based on a trusted platform according to an embodiment of the present invention.
2 is a diagram illustrating a configuration of a terminal according to an embodiment of the present invention.
3 is a diagram illustrating the configuration of the controller of FIG. 2 in detail.
4 is a diagram illustrating a configuration of a service apparatus according to an exemplary embodiment of the present invention.
5 is a data flow diagram illustrating a multi-channel user authentication process based on a trusted platform according to an embodiment of the present invention.
6 is a data flow diagram illustrating a certificate registration process based on a trusted platform according to an embodiment of the present invention.
7 is a flowchart illustrating an operation of a terminal according to an embodiment of the present invention.
8 is a flowchart illustrating an operation of a service apparatus according to an exemplary embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description and the accompanying drawings, detailed description of well-known functions or constructions that may obscure the subject matter of the present invention will be omitted. It should be noted that the same constituent elements are denoted by the same reference numerals as possible throughout the drawings.

The terms or words used in the specification and claims described below should not be construed as being limited to ordinary or dictionary meanings, and the inventors are appropriate as concepts of terms for explaining their own invention in the best way. It should be interpreted as meanings and concepts in accordance with the technical spirit of the present invention based on the principle that it can be defined. Therefore, the embodiments described in the present specification and the configurations shown in the drawings are merely the most preferred embodiments of the present invention, and not all of the technical ideas of the present invention are described. Therefore, It is to be understood that equivalents and modifications are possible.

Hereinafter, a terminal according to an embodiment of the present invention will be described as a representative example of a mobile communication terminal equipped with a trusted platform and connected to a communication network to execute a service device and an authentication process, but the terminal is not limited to the mobile communication terminal. It can be applied to various terminals such as all information communication devices, multimedia terminals, wired terminals, fixed terminals, and IP (Internet Protocol) terminals. Also, the terminal may be a mobile phone, a portable multimedia player (PMP), a mobile Internet device (MID), a smart phone, a desktop, a tablet PC, a notebook, And an information communication device, which can be advantageously used in a mobile terminal having various mobile communication specifications.

Trusted platform-based multi-channel authentication system according to an embodiment of the present invention security through the first authentication using the ID and password according to the user input and the second authentication using the certificate registered to the terminal equipped with the trusted platform It is possible to increase the authentication, the authentication is not limited to the above-described primary authentication and secondary authentication, multi-channel authentication is possible. In addition, the authentication of the present invention may perform an authentication process using an ID and password according to a user's input after performing authentication through a trusted platform-based certificate.

Hereinafter, a multi-channel authentication system based on a trusted platform according to an embodiment of the present invention.

1 is a diagram showing the configuration of a multi-channel user authentication system based on a trusted platform according to an embodiment of the present invention.

Referring to FIG. 1, the trusted platform-based multi-channel user authentication system 100 includes a terminal 10, a service device 20, a user PC 30, and a communication network 40.

In addition, a processor mounted in the terminal 10 or the service apparatus 20 according to the present invention may process program instructions for executing the method according to the present invention. In one implementation, the processor may be a single-threaded processor, and in other embodiments, the processor may be a multithreaded processor. Further, the processor is capable of processing instructions stored on a memory or storage device.

The communication network 40 performs a series of data transmission and reception operations for data transmission and information exchange between the terminal 10 and the service device 20. In particular, the communication network 40 may use various types of communication networks. For example, a WLAN (Wireless LAN), a Wi-Fi, a Wibro, a WiMAX, a High Speed Downlink Packet Access (HSDPA) Or a wired communication method such as Ethernet, xDSL (ADSL, VDSL), HFC (Hybrid Fiber Coax), FTTC (Fiber to the Curb) and FTTH (Fiber To The Home) . In addition, the communication network 40 is not limited to the communication method described above, and may include any other known or later-developed communication methods in addition to the communication methods described above.

The terminal 10 communicates with the service apparatus 20 through the communication network 40 to transmit and receive data for user authentication. Here, the terminal 10 is driven based on the trusted platform, and has an isolation environment divided into a non-security area operating based on an open operating system and a security area operating based on a security operating system. In particular, the terminal 10 according to the present invention receives a signal for requesting user authentication from the service device 20 through the non-secure area by the request of the user PC 30 to use the web service. In addition, the terminal 10 performs user authentication based on a certificate for each user registered in the security area according to the request signal, and then transmits the result of the user authentication to the service device 20 through the non-security area.

The service device 20 communicates with the terminal 10 and the user PC 30 through the communication network 40 to transmit and receive data for user authentication. In particular, the service device 20 according to the present invention performs the first authentication through the ID and password received from the user PC 30 requesting the use of the web service. In addition, the service device 20 requests the second authentication for user authentication to the non-secure area of the terminal 10, and when the second authentication result is received from the terminal 10, a user authentication completion message to the user PC 30. Send it. In addition, the service device 20 provides a web service to the user PC 30 in accordance with user authentication.

Through this, the present invention can perform the authentication process through the trusted platform-based terminal, along with the authentication using the ID and password of the user who wants to use the Internet service, to prevent hacking to the outside of the security, the stability of the security It can increase. In addition, it has an isolation environment that is divided into a non-secure area based on an open operating system and a secure area operating based on a secure operating system, and performs an authentication process in a secure area by delegating user authentication from a service device on the web. Thus, a stable security function can be provided without a problem of information exposure.

A multi-channel user authentication process using the trusted platform-based terminal 10 according to an embodiment of the present invention will be described in more detail with reference to FIGS. 2 to 8.

2 is a diagram illustrating a configuration of a terminal according to an exemplary embodiment of the present invention, and FIG. 3 is a diagram illustrating a configuration of a controller of FIG. 2 in detail.

2, the terminal 10 according to the present invention includes an input unit 11, a display unit 12, a storage unit 13, an audio processing unit 14, and a communication unit 15. In particular, the control unit 11 implements an isolation environment that is divided into a non-security area 130 that operates based on a general open operating system and a security area 140 that operates based on a separate security operating system. The environment may be implemented physically or logically. In this environment, the terminal 10 may perform the second authentication through the certificate with the service device 20 after the first authentication using the ID and password.

In general, the terminal 10 operates based on an open operating system, but the terminal 10 according to an embodiment of the present invention operates in addition to an area operating based on an open operating system, that is, an additional security operating system other than the non-secure area 130. Has an isolation environment, which is divided into security areas 140, and receives information of the non-secure area 130 of the terminal 10 from the service communication unit and delivers the information to the service control unit to be described later. Will perform.

The input unit 12 receives various information such as numeric and character information, and transmits a signal input in connection with setting various functions and function control of the terminal 10 to the terminal control unit 11. The input unit 12 may include at least one of a keypad and a touchpad that generates an input signal according to a user's touch or operation. At this time, the input unit 12 may be configured in the form of a single touch panel (or a touch screen) together with the display unit 13 to simultaneously perform input and display functions. The input unit 12 may be any type of input device that can be developed in addition to an input device such as a keyboard, a keypad, a mouse, a joystick, and the like. In particular, the input unit 12 inputs all data for user authentication.

The display unit 13 displays information on a series of operation states, operation results, and the like that occur while the functions of the terminal 10 are performed. In addition, the display unit 13 can display menus of the terminal 10 and user data input by the user. Here, the display unit 13 may be a liquid crystal display (LCD), a thin film transistor (TFT) LCD, an organic light emitting diode (OLED), a light emitting diode (LED), an active matrix organic LED (AMOLED) display) and a three-dimensional display (three-dimensional display). When the display unit 13 is formed in the form of a touch screen, the display unit 13 may display a part or all of the functions of the input unit 12. In this case, Can be performed. In particular, the display unit 13 according to an embodiment of the present invention displays all execution screens for the user authentication process.

The storage unit 14 is a device for storing data, and includes a main storage device and an auxiliary storage device, and stores an application program required for functional operation of the terminal 10. [ The storage unit 14 may include a program area and a data area. Here, when the terminal 10 activates each function in response to a request from the user, the terminal 10 executes the corresponding application programs under the control of the controller 11 to provide each function. In particular, the program area according to an embodiment of the present invention stores an operating system for booting the terminal 10, a program for registering a certificate for user authentication, a program for performing user authentication using a certificate, and the like. The data area is an area where data generated according to use of the terminal 10 is stored. In particular, the data area according to an embodiment of the present invention includes a second authentication DB 110 for a user-specific certificate for user authentication.

The audio processing unit 15 transmits the audio signal input from the speaker SPK or the microphone MIC to the control unit 11 for reproducing and outputting the audio signal. The audio processor 15 converts an analog audio signal input through a microphone into a digital format and transmits the audio signal to the controller 11. The audio processing unit 15 may convert the digital audio signal output from the control unit 11 into an analog signal and output it through a speaker. In particular, the audio processor 15 outputs all sound effects or execution sounds generated during the user authentication process.

The communication unit 16 performs a function for transmitting and receiving data through the service device 20 and the communication network 40. Here, the communication unit 16 includes RF transmitting means for up-converting and amplifying the frequency of the transmitted signal, RF receiving means for low-noise amplifying the received signal and down-converting the frequency. The communication unit 16 may include at least one of a wireless communication module (not shown) and a wired communication module (not shown). When the terminal 10 uses wireless communication, the wireless communication module uses any one of a wireless network communication module, a wireless LAN communication module, and a wireless fan communication module to transmit / receive data according to a wireless communication method. Data can be transmitted to or received from the service apparatus 20. [ The wired communication module is for transmitting / receiving data by wire. The wired communication module may transmit or receive data to the terminal 10 and the service device 20 by accessing the communication network 40 through a wired line. That is, the terminal 10 may be connected to the communication network 40 using a wired communication module, and may transmit / receive data with the service device 20 through the communication network 40. In particular, the communication unit 16 according to an embodiment of the present invention communicates with the service device 20 to transmit and receive data related to user authentication for using the web service of the user.

The control unit 11 may be an operating system (OS) and a process unit for driving each configuration. For example, the control unit 11 may be a central processing unit (CPU). When the power of the terminal 10 is turned on, the control unit 11 moves the operating system from the auxiliary storage device to the main storage device, performs booting for driving the operating system, and performs necessary signal control . In particular, the control unit 11 according to an embodiment of the present invention performs a second authentication process for user authentication.

That is, the controller 11 performs overall control of the terminal 10 and is divided into a non-secure area 130 that operates based on an open operating system and a security area 140 that operates based on a security operating system as described above. Isolation environment, such as a trusted platform (120).

The configuration of the control unit 11 will be described in more detail with reference to FIG. 3.

Referring to FIG. 3, the control unit 11 according to the present invention may include a non-secure area 130, a secure area 140, and a hardware platform 135.

The non-secure area 130 may include an open operating system (OS) for operating a user function that does not require encrypted information while operating the user function of the terminal 10. The non-security area 130 may perform a control for operating a user function according to an input signal input from the input unit 12 or the display unit 13 including a touch screen function. For example, when the user generates an input signal for activating a camera function, the non-security area 130 may control a camera activation, a camera-based image acquisition function, a storage function of the collected image, and the like. In addition, the non-security area 130 may serve to transmit data for user authentication to the security area 140 under the control of the controller 11.

The non-secure area 130 may include a plurality of client application layers 131, a TEE function API layer 132, a TEE client API layer 133, and a general purpose OS layer 134.

On the other hand, the security area 140 serves to provide the controller 11 with information about the stored certificate according to the call of the non-security area 130. In this process, the non-secure area 130 may transfer the call information for the required certificate to the secure area 140. In particular, the security zone 140 according to an embodiment of the present invention performs a user authentication by checking a certificate divided by user ID according to a second user authentication request transmitted through the non-security zone 130. To this end, the security area 140 may pre-register a user certificate matching the user ID provided from the service device 20.

The security zone 140 receives a signal for requesting user authentication through the non-security zone 130 in response to a user request for using a web service provided by the service device 20. The security zone 140 performs user authentication based on a pre-registered user certificate according to the requested signal. In this case, the security area 140 checks whether a certificate matching the ID of the corresponding user exists and, if a matching certificate exists, performs user authentication based on the corresponding certificate. On the other hand, if there is no matching certificate, the security area 140 notifies the non-security area 130 to request the service device 20 to register the certificate for the user.

The security area 140 may transmit the user authentication result to the service device 20 through the non-security area 130.

The security zone 140 of the present invention includes a plurality of trusted application layers 141, a TEE internal API layer 142, a trusted core layer 143, and a plurality of trusted functional layers 144, hardware security. It may be configured to include a resource layer 146. Here, the trusted core layer 143, the trusted function layer 144, and the TEE internal API layer 142 are disposed on the TEE kernel layer 145, and the hardware security resource layer 146 is the hardware platform 135. It can be disposed on).

When the TEE client API layer 133 performs a specific user function through the client application layer 131, the controller 11 based on the trusted platform of the above-described configuration requires a certificate stored in the security area 140 to be stored. The TEE function API layer 132 forwards the call to the TEE client API layer 133.

Then, the TEE client API layer 133 requests an encrypted and stored certificate necessary for operating a security function through message transmission and reception with the TEE internal API layer 142. The TEE internal API layer 142 then performs user authentication via a certificate stored in a hardware security resource through the trusted function layer 144. At this time, if the user authentication that is authorized from the non-secure area 130 fails, the TEE internal API rare 142 again transmits information indicating that the user authentication was not successful to the TEE client API layer 133. On the other hand, if the user authentication is successful, the TEE internal API rare 142 may inform the service device 20 that the user authentication was successful through the non-secure area 130.

As a result, when a certificate stored in the hardware secure resource layer 146 accessible only through the trusted platform 120 mounted in the secure area 140 is called in the non-secure area 130, a user authorized from the non-secure area 130 is provided. After the user authentication is performed in the secure area 140 based on the ID, the result is returned to the non-secure area 130.

In such a process, the trusted function layer 144 may support to perform a process of re-checking a predefined user ID in order to secure the authenticity of the authentication process through a certificate, and the non-secure area 130 performs a process of user authentication. May be output to the display unit 16.

The main components of the terminal 10 according to the embodiment of the present invention have been described above. However, not all components illustrated in FIG. 2 are essential components, and the terminal 10 may be implemented by more components than the illustrated components, and the terminal 10 may be implemented by fewer components. It may be implemented.

4 is a diagram illustrating a configuration of a service apparatus according to an exemplary embodiment of the present invention.

Referring to FIG. 4, the service apparatus 20 according to the present invention includes a service control unit 21, a service storage unit 22, and a service communication unit 13. In particular, the service control unit 21 includes a primary authentication module 21a and a secondary authentication module 21b, and the service storage unit 22 includes a primary authentication DB 22a.

The service communication unit 23 performs a function for transmitting and receiving data with the terminal 10 through the communication network 40. In particular, the service communication unit 23 according to an embodiment of the present invention is a terminal having an isolation environment divided into a non-secure area 130 operating based on an open operating system and a security area 140 operating based on a security operating system. 10 and communicate with the user PC 30 requesting the use of the web service to transmit and receive data for user authentication.

The service storage unit 22 stores overall data according to the function of the service device 20. [ In particular, the service storage unit 22 according to an embodiment of the present invention is an operating system for booting the service device 20, a program for performing user authentication using a user ID and password, a program for registering a certificate for user authentication, certificate To store a program for performing user authentication. In addition, the service storage unit 22 stores data generated according to the use of the service device 20, and includes a primary authentication DB (22a) storing the user ID and password for user authentication.

The service control unit 21 may be a process device for driving the operating system and each component. In particular, the service control unit 21 according to an embodiment of the present invention performs the first authentication through the ID and password received from the user PC 30 requesting the use of the web service. Here, the service control unit 21 communicates with the terminal 10 before registering the second authentication, and registers a certificate matching the ID for each user.

When the first authentication using the ID and password is completed, the service control unit 21 requests the second authentication for user authentication to the non-secure area 130 of the terminal 10. Here, if the second authentication for the user authentication fails, the service control unit 21 transmits a message about the user authentication failure to the user PC (30).

When the service control unit 21 receives a result of the second authentication from the terminal 10, the service control unit 21 transmits a user authentication completion message to the user PC 30 according to the confirmed result, and uses the web service according to the user authentication completion. It is provided to the PC 30.

In order to more effectively perform such a function of the service apparatus 20, the service control unit 21 according to an embodiment of the present invention further includes a primary authentication module 21a and a secondary authentication module 21b. In particular, the primary authentication module 21a according to an embodiment of the present invention performs user authentication using a user ID and password as a primary authentication step for providing a web service according to a user's request. To this end, the primary authentication module 21a collects the user's ID and password for the first authentication through membership registration or real name authentication on the web service and controls to store the user ID separately. In addition, the secondary authentication module 21b controls the secondary authentication process based on the user certificate after performing primary authentication based on ID and password in order to more stably perform the user authentication process. Here, the secondary authentication module 21b may perform user authentication based on a pre-registered user certificate classified by user ID.

In addition, the service device 20 configured as described above may be implemented as one or more servers operating in a server-based computing-based manner or in a cloud-based manner. In particular, data executed by a plug-in method using a cloud computing device and data about a specific component of the application may be provided through a cloud computing function that may be permanently stored in a cloud computing device on the Internet. Here, cloud computing utilizes Internet technology in digital terminals such as desktops, tablet computers, laptops, netbooks and smart phones to provide virtualized IT (Information Technology) resources such as hardware (server, storage, (Database, security, web server, etc.), service, data, etc. on demand.

On the other hand, a memory mounted on the terminal 10 or the service apparatus 20 stores information in the apparatus. In one embodiment, the memory is a computer readable medium. In one implementation, the memory may be a volatile memory unit, and in other embodiments, the memory may be a non-volatile memory unit. In one embodiment, the storage device is a computer readable medium. In various different implementations, the storage device may include, for example, a hard disk device, an optical disk device, or any other mass storage device.

Although the present specification and drawings describe exemplary device configurations, the functional operations and subject matter implementations described herein may be embodied in other types of digital electronic circuitry, or alternatively, of the structures disclosed herein and their structural equivalents May be embodied in computer software, firmware, or hardware, including, or in combination with, one or more of the foregoing. Implementations of the subject matter described herein may be embodied in one or more computer program products, i. E. One for computer program instructions encoded on a program storage medium of the type for < RTI ID = 0.0 & And can be implemented as a module as described above. The computer-readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of matter that affects the machine readable propagation type signal, or a combination of one or more of the foregoing.

5 is a data flow diagram illustrating a multi-channel user authentication process based on a trusted platform according to an embodiment of the present invention.

5, the multi-channel user authentication based on the trusted platform of the present invention The user PC 30 requests the first authentication using the ID and password to the service device 20 to use the web service according to the user's request in step S11. In operation S13, the service apparatus 20 first performs user authentication by checking an ID and a password input from the user PC 30. If the user ID and password of the user input from the user PC 30 for Web service use do not match with the previously stored user ID and password, the service device 20 may display the first authentication failure message of the user PC 30. ) Can be sent.

When the primary authentication is completed, the service device 20 requests the user terminal 10 for secondary authentication in step S15. Here, the terminal 10 has an isolation environment that is divided into an insecure area 130 operating based on an open operating system and a security area 140 operating based on a security operating system.

The terminal 10 performs second authentication in step S17 according to the second authentication request. That is, the security area 140 of the terminal 10 receives a signal for requesting user authentication through the non-security area 130 in response to a user request for using a web service provided by the service device 20. The security zone 140 performs user authentication based on a pre-registered user certificate according to a signal. At this time, the security area 140 checks whether a certificate matching the ID of the corresponding user exists, and if a matching certificate exists, the user performs authentication based on the certificate. On the other hand, if there is no matching certificate, the security area 140 notifies the non-security area 130 to request the service device 20 to register the certificate for the user.

When the second authentication is completed, the terminal 10 transmits the result of the second authentication to the service device 20 in step S19. When the result of the second authentication is received, the service device 20 checks the result of the second authentication in step S21, and confirms whether authentication is successful in step S23.

If the second authentication is successful, the service device 20 transmits a user authentication completion message to the user PC 30 in step S25. In operation S27, the service apparatus 30 may provide a web service to the user PC 30, and may use the user PC 30 through the service apparatus 20. On the other hand, if the secondary authentication fails, the service device 20 may transmit a message about the user authentication failure to the user PC 30, or may end the authentication.

Through this, the present invention can perform the authentication process through the trusted platform-based terminal, along with the authentication using the ID and password of the user who wants to use the Internet service, to prevent hacking to the outside of the security, the stability of the security It can increase. In addition, it has an isolation environment that is divided into a non-secure area based on an open operating system and a secure area operating based on a secure operating system, and performs an authentication process in a secure area by delegating user authentication from a service device on the web. Thus, a stable security function can be provided without a problem of information exposure.

6 is a data flow diagram illustrating a certificate registration process based on a trusted platform according to an embodiment of the present invention.

Referring to FIG. 6, in order to register a certificate based on a trusted platform according to the present invention, the user PC 30 and the service device 20 perform a first authentication process using an ID and a password in step S31. In operation S33, the user PC 10 requests the service device 20 to register a certificate for the second authentication applied to the use of the web service.

Thus, the service device 20 generates a matching table between the user ID and the trusted platform in step S35. Here, the service device 20 may generate a password, an identification number, etc. for each user ID, and match and store them. In operation S37, the service device 20 requests a certificate registration from the terminal 10. Subsequently, the terminal 10 registers a certificate matched for each user's ID through the security area 140 for the second authentication according to the request of the service apparatus 20 in step S39.

The terminal 10 transmits a certificate registration completion message to the service device 20 in step S41. Then, the service device 20 confirms the certificate registration through the certificate registration completion message received from the terminal 10 in step S43.

The service device 20 returns to the user PC 30 that the registration of the certificate for the second authentication is completed in step S45.

7 is a flowchart illustrating an operation of a terminal according to an embodiment of the present invention.

Referring to FIG. 7, the terminal 10 for multi-channel user authentication based on the trusted platform of the present invention includes a non-secure area 130 operating based on an open operating system and a security area 140 operating based on a security operating system. A quarantine environment separated by) is provided. In particular, the terminal 10 registers a certificate matched for each user's ID through the security area 140 at the request of the service device 20.

In step S51, the terminal 10 receives a signal for requesting the second authentication of the user whose first authentication is completed using the user's ID and password.

The terminal 10 performs the second authentication in step S53 in response to the second authentication request from the service device 20. That is, the security area 140 of the terminal 10 receives a signal for requesting user authentication through the non-security area 130 in response to a user request for using a web service provided by the service device 20. The security zone 140 performs user authentication based on a pre-registered user certificate according to a signal. At this time, the security area 140 checks whether a certificate matching the ID of the corresponding user exists, and if a matching certificate exists, the user performs authentication based on the certificate. On the other hand, if there is no matching certificate, the security area 140 notifies the non-security area 130 to request the service device 20 to register the certificate for the user.

When the secondary authentication is completed, the terminal 10 transmits the result of the secondary authentication to the service device 20 in step S55.

8 is a flowchart illustrating an operation of a service apparatus according to an exemplary embodiment of the present invention.

Referring to FIG. 8, the service apparatus 20 for authenticating a multi-channel user based on the trusted platform of the present invention has a first authentication for an ID and a password to use a web service from the user PC 30 in step S61. If requested, perform primary authentication using them.

The service device 20 checks whether the first authentication using the ID and the password is completed in step S63. If the primary authentication is completed, the service device 20 requests the user terminal 10 for secondary authentication in step S65. On the other hand, the service device 20, if the user ID and password input from the user PC 30 to use the web service does not match the pre-stored user ID and password, in step S67 the first authentication failure message user Can be transferred to the PC 30. Here, the terminal 10 has an isolation environment that is divided into a non-secure area 130 operating based on an open operating system and a security area 140 operating based on a security operating system.

The service device 20 checks whether a result of the user secondary authentication is received from the terminal 10 in step S69.

When the result of the second authentication is received, the service device 20 checks the authentication result received in step S71, and confirms whether the second authentication succeeds in step S73. On the other hand, if the second authentication result is not received, the service device 20 requests the terminal 10 for the second authentication result again.

If the second authentication is successful, the service device 20 transmits a user authentication completion message to the user PC 30 in step S75, and provides a web service to the user PC (30). On the other hand, if the secondary authentication fails, the service device 20 may transmit a message about the user authentication failure to the user PC 30, or may end the authentication.

Computer-readable media suitable for storing computer program instructions and data include, for example, magnetic media such as hard disks, floppy disks, and magnetic tape, compact disk read only memory (CD-ROM) A magneto-optical medium such as a floppy disk and an optical recording medium such as a digital video disk, a magneto-optical medium such as a floppy disk, and a read only memory (ROM) Access Memory), a flash memory, an erasable programmable ROM (EPROM), and a semiconductor memory such as an Electrically Erasable Programmable ROM (EEPROM). The processor and memory may be supplemented by, or incorporated in, special purpose logic circuits. Examples of program instructions may include machine language code such as those generated by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like. Such a hardware device may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

While the specification contains a number of specific implementation details, it should be understood that they are not to be construed as limitations on the scope of any invention or claim, but rather on the description of features that may be specific to a particular embodiment of a particular invention Should be understood. Certain features described herein in the context of separate embodiments may be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment may also be implemented in multiple embodiments, either individually or in any suitable subcombination. Further, although the features may operate in a particular combination and may be initially described as so claimed, one or more features from the claimed combination may in some cases be excluded from the combination, Or a variant of a subcombination.

Likewise, although the operations are depicted in the drawings in a particular order, it should be understood that such operations must be performed in that particular order or sequential order shown to achieve the desired result, or that all illustrated operations should be performed. In certain cases, multitasking and parallel processing may be advantageous. Also, the separation of the various system components of the above-described embodiments should not be understood as requiring such separation in all embodiments, and the described program components and systems will generally be integrated together into a single software product or packaged into multiple software products It should be understood.

It should be noted that the embodiments of the present invention disclosed in the present specification and drawings are only illustrative of specific examples for the purpose of understanding and are not intended to limit the scope of the present invention. It will be apparent to those skilled in the art that other modifications based on the technical idea of the present invention are possible in addition to the embodiments disclosed herein.

The present invention, in the multi-channel user authentication method based on the trusted platform, after authentication through the ID and password at the time of user authentication, performs an authentication process using a certificate between the terminal and the service device equipped with the trusted platform. Accordingly, authentication through the trusted platform-based terminal as well as authentication through the ID and password of the user who wants to use the Internet service can prevent hacking to the outside of security and improve the stability of the security. . In addition, it has an isolation environment that is divided into a non-secure area based on an open operating system and a secure area operating based on a secure operating system, and performs an authentication process in a secure area by delegating user authentication from a service device on the web. Thus, a stable security function can be provided without a problem of information exposure. This is not only a possibility of commercialization or sales, but also a possibility of being industrially applicable since it is practically possible to carry out clearly.

10: terminal 20: service device 30: user PC
11: control unit 12: input unit 13:
14: storage unit 15: audio processing unit 16:
21: service control unit 22: service storage unit 23: service communication unit
110: second authentication DB 120: TP 130: non-secure
140: security area 21a: primary authentication DB 22a: primary authentication module
22b: 2nd authentication module 40: communication network
100: multi-channel user authentication system

Claims (15)

A service device providing a specific web service and supporting a user's login by a multi-channel authentication method according to mutual agreement with a terminal; And
It has an isolation environment that is divided into a non-secure area operating based on an open operating system and a security area operating based on a security operating system, and the user uses the non-secure area from the service device by a user request to use the web service. If a signal for requesting authentication is received, the terminal performs user authentication based on a user-specific certificate registered in the security area, and then transmits a user authentication success message to the service device through the non-security area;
Trusted platform-based multi-channel user authentication system comprising a. A communication unit for transmitting and receiving information for user authentication with a service device through a communication network; And
It has an isolation environment divided into a non-secure area operating based on an open operating system and a security area operating based on a security operating system, and through the non-secure area from the service device in response to a user request to use the web service. When a signal for requesting user authentication is received, the controller performs a user authentication based on a certificate for each user registered in the security area and then transmits a result of user authentication to the service device through the non-secure area. ;
And a second terminal. 3. The apparatus of claim 2, wherein the control unit
And a certificate matching the user's ID through the security area according to a request of the service device. 3. The apparatus of claim 2, wherein the control unit
And when a certificate matching a specific user exists, performing the user authentication using the certificate in the security area. 3. The apparatus of claim 2, wherein the control unit
And when there is no certificate matching the specific user, notifying the service device that the certificate matching the ID does not exist in the non-secure area. 3. The method of claim 2,
A storage unit for matching the user's certificate with the user's ID for storing the user's ID through the security area in a second authentication DB;
Further comprising: User authentication by communicating with at least one user PC requesting the use of at least one terminal and a web service having an isolation environment divided into an unsecured area operating based on an open operating system and a secure area operating based on a security operating system Service communication unit for transmitting and receiving data for; And
Perform authentication through an ID and password received from the user PC requesting the use of the web service, request authentication for the user authentication to an unsecured area of the terminal, and receive a result of authentication received from the terminal. A service control unit which checks and transmits a user authentication completion message to the user PC according to a confirmation result and provides the web service;
Wherein the service device comprises: Receiving, by the terminal, a signal for requesting user authentication through the non-secure area according to a user request for using a web service provided by a service device;
Performing, by the terminal, the user authentication based on a user-specific certificate previously registered in the security area according to the signal; And
Transmitting, by the terminal, a result of the user authentication to the service device through the non-secure area;
Trusted platform-based multi-channel user authentication method comprising a. The method of claim 8, wherein prior to the receiving step,
Receiving, by the terminal, a certificate registration matching the user ID from the service device;
Registering, by the terminal, an ID and a certificate for each user for user authentication according to the request; And
Transmitting, by the terminal, the certificate registration result to the service device;
Trusted platform-based multi-channel user authentication method further comprising a. 9. The method of claim 8, wherein performing
Checking, by the terminal, whether a certificate matching the ID of the user exists; And
Performing, by the terminal, the user authentication based on the certificate when a certificate matching the verification result exists;
Trusted platform-based multi-channel user authentication method comprising a. 9. The method of claim 8, wherein performing
Checking, by the terminal, whether a certificate matching the ID of the user exists; And
Requesting, by the terminal, the certificate of registration of the user to the service device when there is no matching certificate;
Trusted platform-based multi-channel user authentication method comprising a. Performing authentication by the service apparatus through an ID and a password received from a user PC requesting the use of a web service;
Requesting, by the service apparatus, authentication for user authentication to the non-secure area of the terminal when the authentication is completed;
When the service device receives a result of authentication from the terminal, transmitting a user authentication completion message to the user PC according to the result; And
Providing, by the service apparatus, the web service to the user PC upon completion of the user authentication;
Trusted platform-based multi-channel user authentication method comprising a. The method of claim 12, wherein prior to the requesting authentication,
Registering, by the service apparatus, a certificate matching the terminal and user ID;
Trusted platform-based multi-channel user authentication method further comprising a. The method of claim 12, wherein after the requesting authentication,
When the service device fails to authenticate the user authentication, transmitting a message about the user authentication failure to the user PC;
Trusted platform-based multi-channel user authentication method further comprising a. A computer-readable recording medium having recorded thereon a program for executing the trusted channel-based multichannel user authentication method according to any one of claims 8 to 14.

Images