KR20140123353A - Secure message transmission system, apparatus therefor and secure message processing method thereof - Google Patents

Secure message transmission system, apparatus therefor and secure message processing method thereof Download PDF

Info

Publication number
KR20140123353A
KR20140123353A KR1020130040625A KR20130040625A KR20140123353A KR 20140123353 A KR20140123353 A KR 20140123353A KR 1020130040625 A KR1020130040625 A KR 1020130040625A KR 20130040625 A KR20130040625 A KR 20130040625A KR 20140123353 A KR20140123353 A KR 20140123353A
Authority
KR
South Korea
Prior art keywords
message
security
terminal device
secure
service
Prior art date
Application number
KR1020130040625A
Other languages
Korean (ko)
Inventor
위인환
김현욱
신정금
Original Assignee
에스케이플래닛 주식회사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 에스케이플래닛 주식회사 filed Critical 에스케이플래닛 주식회사
Priority to KR1020130040625A priority Critical patent/KR20140123353A/en
Publication of KR20140123353A publication Critical patent/KR20140123353A/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/12Messaging; Mailboxes; Announcements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/22Processing or transfer of terminal data, e.g. status or physical capabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a security message transmission system for securely transmitting a message requiring security in a message service using an isolation environment of a terminal device in which a non-security area and a security area are physically separated, an apparatus therefor, and a secure message processing method thereof A message including specific sender information is encrypted using a key generated based on the terminal information of the receiving terminal device, and transmitted to the receiving terminal device And a secure message processing module operating in the secure area, wherein when the received message transmitted from the service device is an encrypted message, the receiving terminal device comprises: a non-secure message processing module operating in the non- , Operated by an insecure operating system A terminal device which decrypts the received message through a security message processing module of a security domain which is physically separated from the non-security area and operates independently by the security operating system, and outputs the decrypted message through the non- Lt; / RTI >

Description

Technical Field [0001] The present invention relates to a secure message transmission system, a device for the secure message transmission system, and a secure message transmission system,

[0001] The present invention relates to a message transmission service, and more particularly, to a message transmission service using a security service in a message service using an isolation environment of a terminal device in which a non-security area operated by a general operating system and a security area operated by a security operating system are physically separated To a security message transmission system for securely transmitting a required message, an apparatus therefor, and a security message processing method therefor.

2. Description of the Related Art A portable terminal device is a terminal device that supports communication functions based on mobility and has been used in a wide variety of fields due to its ease of use and portability. In recent years, such a portable terminal device has been developed in the form of a smart phone equipped with various user functions, thereby providing various convenience and enjoyment.

The smartphone enables easy access to a wide variety of applications that customers want by activating the open market. With its high performance, smartphones can handle many functions that are handled by PCs.

However, since smartphones are based on an open operating system (OS), which is a feature unique to smart phones, with the rapid expansion of the market, there are various security threats due to the use of applications through open communication networks and open markets. For example, smartphones are easily exposed to malicious codes and are vulnerable to hacking such as Lab Attack. In the case of a smartphone infected with malicious code, it may cause excessive battery consumption, excessive charging, personal information and financial information leakage due to continuous network access as well as terminal malfunction. These malicious codes are mainly managed by software through vaccines. On the other hand, in the case of a Lab Attack which corresponds to hacking to read specific information in the internal storage area of the smart phone or to refer to and change the terminal device information, the terminal device which has been subjected to the Lab Attack, Lt; / RTI >

Current security technologies for smart phones to eliminate the security risks described above have been mainly focused on software programs based on S / W and traffic control on the network. However, in the case of smart phones, user information can be easily exposed through hardware control, and conventional S / W-based security technology can not provide sufficient security. In particular, smartphone security technologies are essential for smartphone security, payment, finance, and corporate services such as jailbreak or rooting.

Particularly, recently, as a result of a rapid increase in the number of small payments and electronic commerce using a portable terminal device, information related to settlement, user authentication, etc. is transmitted through a message service such as SMS or MMS. Is often encountered.

Accordingly, security measures for securely transmitting authentication and settlement related important messages among the messages transmitted to the portable terminal device through the message service are required.

Patent Document 1: KR 10-2008-0030266 A, April 4, 2008 (name: short message encryption service method and apparatus)

A security message transmission system for securely transmitting a message requiring security in a message service using an isolation environment of a terminal device in which a non-security area and a security area are physically separated, an apparatus therefor, and a security message processing method therefor .

In particular, the present invention confirms the sender information of a message transmitted from the source terminal device to the destination terminal device, and the message including the specific sender information is encrypted using a key generated based on the terminal information of the destination terminal device Wherein the receiving terminal device comprises a non-secure message processing module operating in the non-secured area, and a secure message processing module operating in the secure area, wherein when the received message transmitted from the service device is an encrypted message, And decrypting the received message through a security message processing module of a security domain that is physically separated from the non-security area operated by the non-security operating system and operates independently by the security operating system, and transmits the decrypted message to the non- To provide security. A security message transmission system for securely transmitting a message, an apparatus therefor, and a security message processing method thereof.

According to an embodiment of the present invention, a secure message sender management unit registers a specific sender information as a sender of a secure message according to a sender's request for using a secure message service; Receiving a message transmitted from the calling terminal device and transmitting the message to the receiving terminal device, confirming the calling party information of the message, delivering a message including the specific calling party information to the security service module, A message service unit for transmitting a message to a receiving terminal device; And a security service unit for encrypting the message delivered from the message service unit using a key generated based on the terminal information of the reception side terminal device.

Here, the security service unit may receive the terminal information from the receiving-side terminal apparatus according to the request from the receiving-side terminal apparatus, and may generate the key based on the received terminal information.

In addition, as another means for solving the above-mentioned problems, the present invention provides a communication apparatus comprising: a communication unit for sending and receiving a message; A storage unit including a message DB storing a received message received through a communication unit; And a secure message processing module that operates in a secure area, wherein the secure message processing module is physically separated from a non-security area that operates based on a non-security operating system and a security area that operates based on a security operating system, A control unit for decrypting the received message by the security message processing module of the secure area and controlling the unsecure message processing module of the non-secured area to output the decrypted message when the received message is an encrypted message; And an output unit for outputting the decrypted message according to the control of the control unit.

In a terminal device according to an exemplary embodiment of the present invention, a secure message processing module may include an MSISDN (Mobile Station International ISDN Number), an IMEI (International Mobile Equipment Identity), an IMSI (International Mobile Station Identity), a TMSI (Temporary Mobile Subscriber Identity) , MIN (Mobile Identification Number), transmits the extracted terminal information to the service device, requests a key for decrypting the security message, and decrypts the received key from the service device Lt; / RTI >

In addition, as another solution to the above-described problem, the present invention provides a method for receiving a message transmitted from a source terminal device and transmitting the message to a destination terminal device, wherein the message including the specific sender information is A service device for encrypting the encrypted message using a key generated based on terminal information of the receiving terminal device and transmitting the encrypted message to the receiving terminal device; And a secure message processing module that operates in a secure area, wherein the secure message processing module is physically separated from a non-security area that operates based on a non-security operating system and a security area that operates based on a security operating system, And a terminal device for decrypting the received message through the security message processing module of the secure area when the received message is transmitted from the service device and outputting the decrypted message through the unsecured message processing module in the non- And provides a secure message transmission system.

In addition, according to another aspect of the present invention, a service device generates a key for encrypting and decrypting a message for each receiving terminal, and providing a key to the receiving terminal; Registering the specific sender information as a security message transmission service target by the service device; The service device receiving a message from the calling terminal device; Confirming whether the service device is the sender information of the received message or specific sender information registered in the secure message transmission service; Encrypting the received message using a key assigned to the receiving terminal device when the service device is specific sender information; And transmitting the encrypted message to the receiving terminal device by the service device.

In addition, according to another aspect of the present invention, a non-secure message processing module installed in an insecure area based on a non-secure operating system checks a message received by a terminal device; If the received message is an encrypted message, transmitting the message to a security message processing module installed in a security area physically separated from the non-security area and operating based on a security operating system; Decrypting the message by the secure message processing module and transmitting the decrypted message to the non-secured message processing module; And outputting a decrypted message by the non-secured message processing module.

The secure message processing method according to an embodiment of the present invention may further include receiving a key to be used for decrypting a message generated based on the terminal information of the terminal device from the service device.

According to the present invention, among messages transmitted from a source terminal device to a destination terminal device, a message including specific sender information based on sender information is encrypted with a key generated based on the terminal information of the destination terminal device And the receiving terminal device can decrypt the encrypted message with a key generated based on the terminal information through a security area that is physically separated from the non-security area operated by a general operating system and operates based on an independent security operating system Thus, when an enterprise user transmits security-related information related to settlement, user authentication, and the like through a message service, it is possible to securely transmit the origination message of the enterprise to the reception-side terminal device.

In particular, the present invention utilizes an isolation environment of a terminal device in which a non-security area operated by a general operating system and a security area operated by a security operating system are physically separated, so that not only hacking on a network, There is an excellent effect of ensuring the safety of the required message.

1 is a block diagram illustrating a configuration of a security service transmission system according to an embodiment of the present invention.
2 is a block diagram illustrating a configuration of a terminal device according to an embodiment of the present invention.
3 is a block diagram hierarchically illustrating a message processing structure based on an isolation environment in a terminal device according to an embodiment of the present invention.
4 is a block diagram illustrating a configuration of a service apparatus for transmitting a secure message according to an embodiment of the present invention.
5 to 7 are a message flow diagram illustrating a security message processing method according to an embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description and the accompanying drawings, detailed description of well-known functions or constructions that may obscure the subject matter of the present invention will be omitted. It should be noted that the same constituent elements are denoted by the same reference numerals as possible throughout the drawings.

1 is a block diagram illustrating a configuration of a secure message transmission system according to an embodiment of the present invention.

Referring to FIG. 1, a secure message transmission system according to an embodiment of the present invention may include a terminal device 100 and a service device 200 connected to each other through a communication network 300 to transmit and receive data.

Here, the terminal apparatus 100 is a user's information processing terminal having a communication function, and the communication function includes both wired communication as well as wireless communication. For example, the terminal device 100 may be a smart phone, a tablet PC, a desktop personal computer, a notebook, a personal digital assistant (PDA), or the like. In the following description, the terminal apparatus 100 will be described separately as a source terminal apparatus 100a for transmitting a message for convenience of description and a destination terminal apparatus 100b for receiving a message. In an embodiment of the present invention, the source terminal 100a may be a device of an enterprise user, and the destination terminal 100b may be a device of an individual user. In particular, in the present invention, the receiving-side terminal apparatus 100b provides an isolation environment in which a non-security area driven by a generally used non-security operating system and a security area driven by a separate security operating system are physically separated , And processes the message based on the isolation environment.

On the other hand, the service device 200 is a device for providing a message service between the terminal devices 100 connected through the communication network 300. Here, the message service is a service for delivering a message including at least one of character, image, voice, and image among the terminal devices 100 through the communication network 300.

The communication network 300 is a medium for transmitting data by connecting the terminal device 100 and the service device 200. The communication network 300 may be a wired communication method such as the Internet or the like, a wireless communication method including Wi-Fi, , 3G, 4G, and the like, as shown in FIG.

In this system, the service apparatus 200 confirms the sender information of the message in the process of delivering the message requested to be transmitted from the source terminal apparatus 100a to the receiver terminal apparatus 100b, Encrypts the message using the key generated based on the terminal information of the receiving terminal device 100b, and transmits the encrypted message to the receiving terminal device 100b. Herein, the terminal information includes, for example, MSISDN (Mobile Station International ISDN Number), IMEI (International Mobile Equipment Identity), IMSI (International Mobile Station Identity), TMSI Mobile Subscriber Identity), and MIN (Mobile Identification Number). The key generated based on the terminal information includes a key generated by using the terminal information as an input value through a key generation algorithm, and a key generated corresponding to the terminal information.

For this, the service apparatus 200 includes a message service unit 210 and a security service unit 220. The message service unit 210 receives the message requested to be transmitted from the source terminal device 100a and transmits the message to the recipient terminal device 100b. The message service unit 210 confirms the sender information of the message, To the security service unit 220 and transmits a message encrypted by the security service unit 220 to the receiving-side terminal device 100b. The security service unit 220 encrypts the message transmitted from the message service unit 210 using a key generated based on the terminal information of the receiving terminal device 100b. To this end, the security service unit 220 generates and registers a key for encrypting / decrypting a message based on the terminal information of the receiving terminal device 100b, registers the generated key in the receiving terminal device 100b The key issuance process can be further performed.

At this time, the receiving-side terminal device 100b can securely transmit the encrypted message in the secure area based on the isolation environment where the non-security area based on the non-security operating system and the security area based on the security operating area are physically separated Decryption.

The configuration and operation of the above-described receiving-side terminal apparatus 100b will be described in more detail with reference to Figs. 2 and 3. Fig.

FIG. 2 is a block diagram showing a configuration of a terminal device according to an embodiment of the present invention, wherein the terminal device represents the receiving terminal device 100b. That is, the configuration of the calling-side terminal apparatus 100a is not particularly limited, and therefore, the description thereof will be omitted.

2, the receiving-side terminal apparatus 100b may include a communication unit 110, an input unit 120, an output unit 130, a storage unit 140, and a controller 150. Referring to FIG.

The receiving terminal device 100b of the present invention implements an isolation environment for physically separating a non-security area operated by a non-security operating system and a security area operated by a separate security operating system through the controller 150. [ Here, the non-secure operating system (OS) means an open OS such as iOS, Android, and the sea. When the encrypted message is received from the service device 200, the receiving-side terminal device 100b securely decrypts the received message in the secure domain using the isolation environment, and outputs the decrypted message to the user. The concrete operation of the element is as follows.

First, the communication unit 110 may be configured as a communication module according to at least one of various communication methods for forming a communication channel with the communication network 300. For example, the communication unit 110 may include at least one of communication modules supporting various mobile communication systems such as CDMA, GSM, WCDMA, and OFDMA. Also, the communication unit 110 can be implemented as an IP-based wired / wireless communication module.

The communication unit 110 forms a communication channel with the service device 200 through the communication network 300 under the control of a predetermined routine or control unit 150 in order to perform a message service through interoperation with the service device 200 And transmits and receives a message through the communication channel. In particular, the communication unit 110 may receive the encrypted message from the service device 200. The communication unit 110 may request the service device 200 to generate a key for decrypting a message under the control of the control unit 150 and receive the generated key as a response thereto.

The input unit 120 may be a variety of input means such as a keyboard, a keypad, a mouse, a motion sensor, and the like, 100b are manufactured as a touch screen, it may include a soft key and a side key, a separate hot key, a shortcut key, etc. implemented on the touch screen. The input unit 120 may include a plurality of input keys and function keys for a user to compose a message and confirm a received message.

The output unit 130 is an output unit for displaying the operation status and the operation result of the reception-side terminal device 100b or providing predetermined information to the user, and includes various menus, information input by the user, information . That is, the output unit 130 provides various screens such as an idle screen, a menu screen, a message creation screen, a call screen, a terminal device end screen, a terminal device boot screen, etc. according to use of the reception side terminal device 100b can do. In particular, the output unit 130 outputs the received message so that the user can recognize the message according to the control of the control unit 150. [

The output unit 130 may be formed in the form of a flat panel display panel such as a liquid crystal display (OLED) or an organic light emitting diode (OLED). The output unit 130 may be manufactured in a structure including a display panel and a touch panel according to a manufacturing form.

The storage unit 140 stores programs and data necessary for the operation of the reception-side terminal device 100b and data generated as a result of the operation, and may largely include a program area and a data area. In the program area, general unsecure OS programs and security OS programs for establishing an execution environment of the receiving-side terminal device 100b are stored, and application programs necessary for various user functions are stored. Here, the application program may include a general application program operating on the basis of the non-secure OS program and a security application program (for example, a security applet) operating on the basis of the security OS program. To this end, the storage unit 140 divides the storage space into two areas, one of which is accessible only through the OS for security of the security area, The security OS program and the security application program.

In particular, the storage unit 140 may include a message DB 140a for storing a message received through the communication unit 110 according to the message service. Accordingly, when a message is received through the communication unit 110, the message is stored in the message DB 140a of the storage unit 140. [

The control unit 150 controls the overall operation of the receiving terminal device 100b. In the present invention, the controller 150 controls the non-security area operated by the general OS program stored in the storage unit 140, The security area operated by the security OS program implements the physically separated isolation environment. In the non-security area, an unsecured operating system program for supporting a user function that does not use security data is executed, and a standard interface thereof is disclosed. Accordingly, an ordinary user can create an application program corresponding to various functions operated on a non-security OS. On the other hand, the security area is not open and an independent separate OS program for security is executed.

The non-security area and the security area described above can be alternately driven according to the time division. The security area executes processing that requires security in response to a request from the non-security area, for example, authentication, encryption, To the non-security area. In this case, the non-security area can perform the remaining processing of the corresponding function using the returned result value.

The non-security area and the security area mean a control area physically separated from each other. For example, the non-security area and the security area may be implemented through a multi-core technology including two or more microprocessors.

The non-security area and the security area operate independently of each other. The non-security area and the security area operate alternately according to the time division, or the security area may operate according to the call of the non-security area.

The control unit 150 processes a message based on the isolation environment including the non-security area and the security area. To this end, the control unit 150 includes a non-security message processing module 31 And a security message processing module 32 installed in the security area.

The non-secured message processing module 31 operates in the non-secure operating system environment and stores the received message in the message DB 140a of the storage unit 140 when the message is received through the communication unit 110, And notifies the security message processing module 32 of the secure area if the message is an encrypted message.

The secure message processing module 32 operates in a security operating system environment and decrypts the received message using a key generated based on the terminal information of the receiving-side terminal device 100b.

Then, the non-secure message processing module 31 fetches the decrypted message and outputs the decrypted message through the output unit 130.

Therefore, the message can be confirmed only through the legitimate receiving-side terminal device 100b.

The non-secured message processing module 31 and the secure message processing module 32 described above are implemented by software, and operate independently on the non-secured operating system and the security operating system, respectively.

3 is a block diagram hierarchically illustrating a message processing structure based on an isolation environment in a receiving-side terminal apparatus according to an embodiment of the present invention.

3, a receiving terminal device 100b according to an embodiment of the present invention includes a hardware element 10, for example, a communication unit 110, an input unit 120, an output unit 130, A hardware layer 10 which is a physical layer including an application program 140 and a software layer 20 composed of an OS program and various application programs.

In this case, the software layer 20 operates independently on the hardware layer 10 to implement respective execution environments, and the non-security OS 10 performing control and access to a plurality of hardware devices of the hardware layer 10 Program 21 and a security OS program 22 and an execution environment implemented by the non-secure OS program 21 to access a plurality of hardware devices of the hardware layer 10 via the non- A security OS program 22 and a security OS program 22. The non-secure message processing module 31 accesses the security module 10 and performs message processing on the security module 10, And a security message processing module 32 for accessing a plurality of hardware devices and performing message related processing. The secure message processing module 32 may be implemented, for example, in the form of an applet.

The non-secure OS program 21 and the non-secured message processing module 31 constitute a non-secured area 41. The secured OS program 22 and the secure message processing module 32 constitute a secure area 42 .

FIG. 4 is a block diagram illustrating a configuration of a service apparatus for transmitting a secure message according to an embodiment of the present invention. Referring to FIG. 4, the configuration and operation of a service apparatus 200 according to the present invention will be described in more detail. Explain.

The service apparatus 200 basically includes the message service unit 210 and the security service unit 220 and further includes the user management unit 230 and the secure message sender management unit 240 And may further include one or more.

First, the message service unit 210 is a unit for performing a message service. As described above, in transmitting a message between a source terminal apparatus 100a and a destination terminal apparatus 100b, Transmits a message including specific sender information to the security service unit 220, and transmits the message encrypted by the security service unit 220 to the reception-side terminal device 100b. The message service unit 210 may be implemented by a conventional Short Message Service Center (SMSC) or an application server (AS) of an IP Multimedia Subsystem (IMS). That is, the message service unit 210 encrypts, through the security service unit 220, a message including specific sender information registered in the secure message service, to an apparatus that executes an existing message service, And the like.

The security service unit 220 is a configuration for encrypting a message transmitted from a specific sender requesting a secure message service. At this time, the security service unit 220 uses the key generated based on the terminal information of the receiving-side terminal device 100b corresponding to the recipient information of the message, from the message delivered from the message service unit 210 Encrypt. To this end, the security service unit 220 receives terminal information from the receiving terminal device 100b in response to a request from the receiving terminal device 100b, and generates the key based on the received terminal information And transmits the generated key to the receiving-side terminal device 100b. The encrypted message can be decrypted only by the receiving terminal device 100b having the key.

The user management unit 230 manages user information of the terminal devices 100, user subscription service information, and the like, and particularly manages user information of the receiving terminal device 100b. In particular, the user management unit 230 performs service subscription processing for the reception-side terminal device 100b in response to a security service subscription request from the reception-side terminal device 100b. At this time, the user management unit 230 receives the terminal information from the receiving terminal device 100b, and based on the terminal information, the receiving terminal device 100b determines whether the non- It is possible to determine whether or not the service can be subscribed. If it is determined that the service can be subscribed as a result of the determination, the security service unit 220 can activate the security service in the user information of the receiving terminal device 100b and request the security service unit 220 to generate the key.

That is, the key for encrypting and decrypting the reception-side terminal device 100b is stored in the storage device 100a according to a request from the reception-side terminal device 100b as needed after the security service subscription time or the security service subscription time of the reception-side terminal device 100b Lt; / RTI >

In addition, the service device 200 may further include a secure message sender management unit 240. The secure message sender management unit 240 manages the secure message sender management unit 240 according to a request for use of the sender's secure message service, And registers the specific sender information corresponding to the sender as a target of the secure message service, and provides the specific sender information thus registered to the message service unit 210.

In addition, the secure message sender management unit 240 authenticates the sender requesting the use of the secure message service, receives the message from the source terminal apparatus 100a of the authenticated sender, and transmits the message to the message service unit 210 have.

Here, the sender requesting the secure message service may be an enterprise user using the message service in the processing of electronic commerce, user authentication, payment, and the like. Therefore, after the enterprise user receives the user authentication through the secure message sender management unit 240, the sender requesting the secure message service configures the information related to the e-commerce, the user authentication, the payment, etc. as a message, And can request a transfer through the management unit 240.

In addition, the security message sender management unit 240 may further perform a charging process for transmission of a security message of a sender requesting the use of the secure message service.

The message service unit 210, the security service unit 220, the user management unit 230, and the secure message sender management unit 240 may be implemented as one or more independent server apparatuses in a distributed server system, May be integrated into one server device.

5 to 7, a security message processing method in a secure message transmission system according to the present invention will be described with reference to a flow diagram of a message.

FIG. 5 is a message flow diagram illustrating a security message processing method according to an embodiment of the present invention, illustrating a process of performing a security service subscription procedure for a receiving-side terminal device 100b.

5, the user of the receiving terminal device 100b installs the secure message processing module 32 in the secure area of the terminal device 100b for receiving the secure message, and the secure message processing module 32 ) To request security service subscription. Here, the security service means a service that receives an encrypted message and can securely decrypt the received message in the security domain.

When the security message processing module 32 confirms the security service subscription request of the user (S105), the security message processing module 32 first extracts the terminal information of the terminal device 100b (S110). The terminal information includes identification information related to a terminal device, for example, an MSISDN (Mobile Station International ISDN Number), an IMEI (International Mobile Equipment Identity), an IMSI (International Mobile Station Identity), a TMSI (Temporary Mobile Subscriber Identity) And a Mobile Identification Number (MIN).

The security message processing module 32 of the receiving-side terminal device 100b transmits the extracted terminal information to the service device 200 to request a security service subscription (S115).

The security service subscription request is transmitted to and processed by the user management unit 230. The user management unit 230 checks the reception-side terminal apparatus 100b based on the terminal information to check whether the service subscription is available, The subscription process is performed (S120).

The user management unit 230 requests the security service unit 220 to generate a key for encrypting and decrypting a message transmitted to the receiving terminal device 100b (S125).

The security service unit 220 generates a key for the receiving terminal device 100b using a predetermined key generation algorithm (S130). At this time, the key may be stored corresponding to the terminal information, or may be generated using the terminal information.

The security service unit 220 transmits the generated key to the user management unit 230 in step S135 and the user management unit 230 transmits the generated key to the secure message processing module of the reception side terminal device 100b, (32).

The secure message processing module 32 stores the received subscription information, in particular, stores a key for encryption / decryption of the message in the secure area (S145).

A secure message transmission procedure may be performed for the receiving-side terminal apparatus 100b subscribed to the security service as shown in FIG.

FIG. 6 illustrates a process of transmitting a security message to a receiving terminal device 100b in a secure message processing method according to an exemplary embodiment of the present invention.

The message service unit 210 of the service device 200 can receive the message requested to be transmitted from the given source terminal device 100a to the destination terminal device 100b at step S205.

Upon receiving the message transmission request, the message service unit 210 extracts the sender information included in the message before confirming the message, and confirms whether the sender information is the specific sender information subscribed to the security message service (S210 ). This can be accomplished by inquiring the security message sender management unit 240 about whether the message service unit 210 subscribes to the secure message service for the extracted sender information. For this process, the service device 200 may further perform a process of registering the specific sender information of a sender requesting a service as a target of a secure message transmission service through the secure message sender management unit 240.

If the sender information of the message is the specific sender information requesting the security message service, the message service unit 210 of the service device 200 transmits the encryption of the message to the security service unit 220 (S215).

Accordingly, the security service unit 220 of the service device 200 extracts the recipient information included in the message and encrypts the message so that it can be decrypted only by the receiving-side terminal device 100b (S220).

The security service unit 220 transmits the encrypted message to the message service unit 210 in step S225 and the message service unit 210 transmits the encrypted message received from the security service unit 220 to the reception side terminal apparatus 100b (S230).

The message transmitted to the reception-side terminal device 100b is received through the communication unit 110 and stored in the message DB 140a. The message DB 140a transmits the message reception to the non-secured message processing module 31 in the non- (S235).

In step S240, the non-secured message processing module 31 performs message reception processing such as message reception notification. In step S240, the non-secured message processing module 31 checks whether the message is an encrypted message.

If the received message is an encrypted message, the non-secure message processing module 31 requests the secure message processing module 32 of the secure area to decrypt the received message (S245).

In response to the request, the security message processing module 32 decrypts the received message using the key received through the procedure shown in FIG. 5 (S250).

Then, the decrypted message is transmitted to the non-secured message processing module 31 in the non-secured area (S255).

The non-secure message processing module 31 outputs the decrypted message through the output unit 130 (S260).

 Accordingly, only the receiving-side terminal device 100b that normally receives the key from the security service unit 220 of the service device 200 can decrypt the message.

FIG. 7 is a message flow diagram illustrating a key management process in the secure message processing method according to the embodiment of the present invention.

7, in the receiving-side terminal device 100b according to the embodiment of the present invention, the security message processing module 32 includes a first security message processing module 32-1, And a module 32-2.

The first security message processing module 32-1 is installed in a non-security area of the receiving terminal device 100b and performs a key management request and an interlocking operation with the non-secure message processing module 31, 2 security message processing module 32-2 is a part for performing key management and message decryption according to a request of the first security message processing module 32-1 in the actual security domain.

A key management procedure using the first and second security message processing modules 32-1 and 32-2 will be described with reference to FIG.

Referring to FIG. 7, the first security message module 32-1 of the receiving terminal device 100b receives a request from the user requesting or non-secured message processing module 31, 32-2 may request the key management (S305).

The second security message processing module 32-2 receiving the key management request confirms whether a key for decrypting the message exists in the secure area (S310).

If the key exists (S315), the second security message processing module 32-2 transmits the result (response) of the key management request to the first secure message processing module 32-1, , The Null value can be transmitted as the result value (S345).

The first security message processing module 32-1 checks the result of the received key management request, and if it is null, the first security message processing module 32-1 terminates the process (S350).

If it is determined in step S310 that the key does not exist in step S315, the second secure message processing module 32-2 extracts the terminal information of the receiving terminal device 100b in step S320, To the security service unit 220 of the service device 200 to request the key issuance (S325).

In response to the key issuance request, the security service unit 220 issues a key based on the received terminal information in step S330, and transmits the issued key to the second security message processing module 32-2 (S335).

The second security message processing module 32-2 may transmit the hash value of the key to the resultant value of the key management request (S345).

The first security message processing module 32-1 checks the key management result value of the second security message processing module 32-2, and if the result value is not Null value (S350) The security service unit 220 transmits a response to the result transmission to the first security message processing module 32-1 (step S355) ).

Through the above-described processing, the receiving-side terminal device 100b can receive a key re-issued as needed after joining the security service.

The security message processing method according to the present invention can be implemented in software form readable by various computer means and recorded in a computer readable recording medium. Here, the recording medium may include program commands, data files, data structures, and the like, alone or in combination. Program instructions to be recorded on a recording medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art of computer software. For example, the recording medium may be an optical recording medium such as a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, a compact disk read only memory (CD-ROM), a digital video disk (DVD) Includes a hardware device that is specially configured to store and execute program instructions such as a magneto-optical medium such as a floppy disk and a ROM, a random access memory (RAM), a flash memory, do. Examples of program instructions may include machine language code such as those generated by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like. Such a hardware device may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

While the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, It will be apparent to those skilled in the art. Furthermore, although specific terms are used in this specification and the drawings, they are used in a generic sense only to facilitate the description of the invention and to facilitate understanding of the invention, and are not intended to limit the scope of the invention.

According to the present invention, among messages transmitted from a source terminal device to a destination terminal device, a message including specific sender information based on sender information is encrypted with a key generated based on the terminal information of the destination terminal device The receiving terminal device can decrypt the encrypted message with a key generated based on the terminal information through a security area that is physically separated from the non-security area operated by a general operating system and operates based on an independent security operating system Thus, when an enterprise user transmits security-related information related to settlement, user authentication, and the like through a message service, it is possible to securely transmit the origination message of the enterprise to the reception-side terminal device.

In particular, the present invention utilizes an isolation environment of a terminal device in which a non-security area operated by a general operating system and a security area operated by a security operating system are physically separated, so that not only hacking on a network, There is an excellent effect of ensuring the safety of the required message.

100: terminal device 100a: originating terminal device
100b: receiving-side terminal apparatus 200: service apparatus
210: message service unit 220: security service unit
300: Network

Claims (8)

A security message sender management unit for registering specific sender information as a security message transmission destination in response to a sender request for using a secure message service;
Receiving the message transmitted from the calling terminal device and transmitting the message to the receiving terminal device, confirming the calling party information of the message, delivering the message including the specific calling party information to the security service module, A message service unit for transmitting the message to the receiving terminal device; And
And a security service unit for encrypting the message delivered from the message service unit using a key generated based on the terminal information of the receiving terminal device. The system of claim 1, wherein the security service
Receives the terminal information from the receiving terminal device, and generates the key based on the received terminal information. A communication unit for transmitting and receiving a message;
A storage unit including a message DB for storing a received message received through the communication unit;
A secure message processing module that physically separates a non-security area operating on a non-security operating system and a security area operating on a security operating system, the secure message processing module operating in the non-security area, and the secure message processing module operating in the secure area Wherein the security message processing module of the secure area decrypts the received message when the received message is an encrypted message, and controls the non-secured message processing module of the non-secured area to output the decrypted message;
And an output unit for outputting the decrypted message under the control of the control unit. 4. The method of claim 3, wherein the secure message processing module
Terminal information including at least one of an MSISDN (Mobile Station International ISDN Number), an International Mobile Equipment Identity (IMEI), an International Mobile Station Identity (IMSI), a Temporary Mobile Subscriber Identity (TMSI), and a Mobile Identification Number (MIN) And transmits the extracted terminal information to the service device, requests a key for decrypting the secure message, and receives a key for decrypting the received message from the service device. The message including the specific sender information is transmitted to the receiving terminal device by receiving the message transmitted from the calling terminal device and transmitting the message to the receiving terminal device by checking the sender information of the message, And transmits the encrypted message to the receiving terminal device; And
A secure message processing module that physically separates a non-security area operating on a non-security operating system and a security area operating on a security operating system, the secure message processing module operating in the non-security area, and the secure message processing module operating in the secure area Decrypts the received message through the security message processing module of the secure area if the received message is an encrypted message, and outputs the decrypted message through the non-secured message processing module in the non-secured area A secure message transmission system comprising a terminal device. The service device generating a key for encrypting and decrypting a message for each receiving terminal device and providing the key to the receiving terminal device;
The service device registering specific sender information as a subject of a secure message transmission service;
The service device receiving a message from a calling terminal device;
Confirming that the service device is the specific sender information registered in the secure message transmission service;
Encrypting the received message using the key assigned to the receiving terminal device when the service device is the specific sender information; And
And the service device transmitting the encrypted message to the receiving terminal device. Insecure message processing module installed in a non-security area operating on a non-secure operating system, the message confirming a message received by the terminal device;
When the received message is an encrypted message, transmitting the message to a security message processing module installed in a security area physically separated from the non-security area and operating based on a security operating system;
Decrypting the message by the secure message processing module and transmitting the decrypted message to the non-secured message processing module; And
And the non-secured message processing module outputting the decrypted message. 8. The method of claim 7,
Further comprising the step of the security message processing module receiving a key to be used for decrypting the message generated based on the terminal information of the terminal device from the service device.
KR1020130040625A 2013-04-12 2013-04-12 Secure message transmission system, apparatus therefor and secure message processing method thereof KR20140123353A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020130040625A KR20140123353A (en) 2013-04-12 2013-04-12 Secure message transmission system, apparatus therefor and secure message processing method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020130040625A KR20140123353A (en) 2013-04-12 2013-04-12 Secure message transmission system, apparatus therefor and secure message processing method thereof

Publications (1)

Publication Number Publication Date
KR20140123353A true KR20140123353A (en) 2014-10-22

Family

ID=51994089

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020130040625A KR20140123353A (en) 2013-04-12 2013-04-12 Secure message transmission system, apparatus therefor and secure message processing method thereof

Country Status (1)

Country Link
KR (1) KR20140123353A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017034378A1 (en) * 2015-08-26 2017-03-02 주식회사 포제 Information security device and information security method using accessibility
KR20180003089A (en) * 2016-06-30 2018-01-09 (주)에이티솔루션즈 Method for Providing Server type One Time Password by using Secure Operating System
US10187359B2 (en) 2015-02-12 2019-01-22 Samsung Electronics Co., Ltd. Secure message transmission apparatus and processing method thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10187359B2 (en) 2015-02-12 2019-01-22 Samsung Electronics Co., Ltd. Secure message transmission apparatus and processing method thereof
WO2017034378A1 (en) * 2015-08-26 2017-03-02 주식회사 포제 Information security device and information security method using accessibility
KR20180003089A (en) * 2016-06-30 2018-01-09 (주)에이티솔루션즈 Method for Providing Server type One Time Password by using Secure Operating System

Similar Documents

Publication Publication Date Title
Melamed An active man-in-the-middle attack on bluetooth smart devices
Wang et al. Smartphone security challenges
US9344882B2 (en) Apparatus and methods for preventing information disclosure
EP2798777B1 (en) Method and system for distributed off-line logon using one-time passwords
WO2015180691A1 (en) Key agreement method and device for verification information
CN102761870B (en) Terminal authentication and service authentication method, system and terminal
CN113821835B (en) Key management method, key management device and computing equipment
CN204360381U (en) mobile device
US10021562B2 (en) Mobile trusted module (MTM)-based short message service security system and method thereof
WO2017147890A1 (en) Verification code short message display method and mobile terminal
CN113553572B (en) Resource information acquisition method, device, computer equipment and storage medium
Hufstetler et al. Nfc unlock: Secure two-factor computer authentication using nfc
US20160330239A1 (en) Hacking prevention system for mobile terminal and method therefor
US10985921B1 (en) Systems and methods for out-of-band authenticity verification of mobile applications
CN113821821B (en) Security architecture system, cryptographic operation method of security architecture system and computing device
KR20140123353A (en) Secure message transmission system, apparatus therefor and secure message processing method thereof
CN106453398B (en) A kind of data encryption system and method
US9854444B2 (en) Apparatus and methods for preventing information disclosure
KR101329789B1 (en) Encryption Method of Database of Mobile Communication Device
Igor et al. Security Software Green Head for Mobile Devices Providing Comprehensive Protection from Malware and Illegal Activities of Cyber Criminals.
CN108769989B (en) Wireless network connection method, wireless access device and equipment
CN102393886A (en) Safety control method of mobile terminal, device and system
KR101357367B1 (en) Method and system for managing authentication information using SE
Talreja et al. Sectrans: Enhacing user privacy on android platform
CN102780812A (en) Method and system for achieving safe input by using mobile terminal

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination