KR20150004260A - Method, Apparatus and System for using an IC card as authentication medium - Google Patents

Method, Apparatus and System for using an IC card as authentication medium Download PDF

Info

Publication number
KR20150004260A
KR20150004260A KR1020140065285A KR20140065285A KR20150004260A KR 20150004260 A KR20150004260 A KR 20150004260A KR 1020140065285 A KR1020140065285 A KR 1020140065285A KR 20140065285 A KR20140065285 A KR 20140065285A KR 20150004260 A KR20150004260 A KR 20150004260A
Authority
KR
South Korea
Prior art keywords
card
identification information
authentication
user
user terminal
Prior art date
Application number
KR1020140065285A
Other languages
Korean (ko)
Inventor
김수형
김석현
김승현
노종혁
조상래
조영섭
조진만
진승헌
최대선
조현숙
Original Assignee
한국전자통신연구원
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 한국전자통신연구원 filed Critical 한국전자통신연구원
Priority to US14/319,412 priority Critical patent/US20150007300A1/en
Publication of KR20150004260A publication Critical patent/KR20150004260A/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02Banking, e.g. interest calculation or account maintenance

Abstract

The present invention relates to the management and usage of an authentication medium and, more particularly, to an apparatus and a method for registering and using an IC card as an authentication medium in a user terminal. According to the present invention, the apparatus for using an IC card as an authentication medium includes: an identification information extracting module to extract identification information from an IC card performing short-range wireless communications with a user terminal; an identification information verifying module to verify whether the extracted identification information coincides with the identification information of the IC card registered in advance as an authentication medium; and a security service module to provide a security service interface in order to enable a user to use a security service provided by the IC card whose identification information is verified.

Description

TECHNICAL FIELD [0001] The present invention relates to a method, apparatus, and system for using an IC card as an authentication medium.

The present invention relates to management and use of an authentication medium, and more specifically, to an apparatus and method for registering and using an IC card as an authentication medium in a user terminal.

In recent years, the spread of IC cards as a secure storage medium for personal information has been actively promoted. IC card technology for public use such as electronic passport and electronic ID card has been developed, and most of the cash cards and credit cards are being converted into IC cards. In addition, IC cards are widely used as physical access control means in places such as companies, government offices, and the like. This is because it is difficult to maliciously delete or change the IC card information issued to the user, and there is a technical advantage that the user information stored in the IC card can be conveniently read. Therefore, users can issue various services (eg, account management / withdrawal, payment, access control, etc.) provided by a specific environment (eg ATM, POS, etc.) prepared by an IC card issuer .

However, the use of an IC card in an open environment such as a user terminal is not yet universal. The latest technology in this field is to use an SE (Secure Element) such as an IC card, a UICC (USIM card), mounted on a mobile phone. Some of the e-wallets that have recently been introduced by many vendors offer mobile payment services using these SEs. However, these latest technologies also have limitations in ensuring diversity of services. The number of IC cards that can be loaded on the user terminal is very limited (for example, 1 to 3), and limiting the applications that can use the IC card for security reasons is also a limiting factor for service expansion.

In addition, an IC card installed in the user terminal basically has an attack (for example, an IC card, an IC card, etc.) that hinders important personal information from being leaked by a terminal hacking or a malicious application, Locking), it is not easy to take countermeasures against various external risks.

SUMMARY OF THE INVENTION Accordingly, the present invention has been made keeping in mind the above problems occurring in the prior art, and it is an object of the present invention to provide a device capable of storing authentication information such as a public certificate in an IC card existing separately from a user terminal, And methods.

In order to achieve the above object, there is provided an apparatus for using an IC card as an authentication medium according to an embodiment of the present invention. The apparatus includes an identification information extracting module for extracting identification information from an IC card performing short-range wireless communication with a user terminal; An identification information checking module for checking whether the extracted identification information is identical with identification information of an IC card previously registered as an authentication medium; And a security service module for providing a security service interface for using the security service provided by the identified IC card.

In one embodiment, the identification information extraction module may include a command code for extracting identification information for at least one of a standardized IC card standard and a private IC card standard.

In one embodiment, the identification information extracting module identifies the IC card as a card conforming to an IC card standard usable as an authentication medium, and executes an identification information extracting instruction code corresponding to the identified card standard, thereby identifying Information can be extracted.

In one embodiment, when the request for registering the IC card as an authentication medium is received from the user, the identification information extraction module extracts the extracted identification information from the memory in the user terminal or a security element (Secure Element).

In one embodiment, when the request for registering the IC card as the authentication medium is received from the user, the identification information extraction module transmits the extracted identification information to the card management server so as to be managed by the card management server can do.

In one embodiment, in the case where a request to use the security service of the IC card is received from the user, the identification information confirmation module may transmit the extracted identification information to a memory in the user terminal or a security element coupled to the user terminal in advance It is possible to confirm whether it matches the stored identification information.

In one embodiment, when the request for using the security service of the IC card is received from the user, the identification information confirmation module transmits the extracted identification information to the card management server, It may request to confirm whether or not it matches with the identification information stored in advance in the server.

In one embodiment, the apparatus may further include a user authentication module for, when the user authentication is requested from the IC card, transmitting the user authentication information acquired from the user terminal to the IC card.

In one embodiment, the apparatus may further include a terminal authentication module for transmitting the terminal authentication information generated by the user terminal to the IC card when the user terminal authentication is requested from the IC card.

According to an embodiment of the present invention, an authentication system using an IC card as an authentication medium is provided. A user terminal for extracting identification information from the IC card, registering the IC card as an authentication medium, and using a security service provided by the registered IC card; And a card management server for judging whether the IC card can be registered as an authentication medium of the IC card by using the identification information extracted from the IC card or judging whether the IC card is a card already registered as an authentication medium.

In one embodiment, the user terminal comprises: a short range wireless communication unit performing wireless communication based on the IC card; A memory in which an IC card manager program command for providing an application program command requiring a security service and a security service required by the application program using the IC card registered as an authentication medium is stored; And a processor for executing the application program command and the IC card manager program command stored in the memory, wherein the IC card manager program command comprises: instruction for extracting identification information from the IC card; An instruction for confirming whether the extracted identification information matches the identification information of the IC card previously registered as the authentication medium; And a security service interface for using the security service provided by the identified IC card.

According to an embodiment of the present invention, a method for using an IC card as an authentication medium is provided. The method includes: requesting a user to touch an IC card to be registered as an authentication medium to a user terminal; Checking whether the IC card touched to the user terminal is an IC card standard registerable as an authentication medium; Extracting identification information from the IC card by executing an identification information extracting instruction code corresponding to the identified card standard from the IC card identified as being registerable; And storing the extracted identification information in one of a security element (SE) associated with a memory in the user terminal and the user terminal, or transmitting the stored identification information to a card management server to be stored in the card management server .

In one embodiment, the method may further include transmitting the terminal authentication information of the user terminal to the IC card so as to be stored in the IC card.

In one embodiment, the method further comprises: requesting the user to touch the IC card registered with the authentication medium to the user terminal when the user intends to use the IC card registered as the authentication medium; Extracting identification information from the touched IC card by executing an identification information extracting instruction code corresponding to the registered IC card standard; Checking whether the extracted identification information matches the identification information of the IC card registered as an authentication medium; And using the security service provided by the identified IC card.

In one embodiment, the method further includes transmitting the terminal authentication information of the user terminal to the IC card when authentication for the user terminal is required to use the security service provided by the IC card can do.

In one embodiment, the method may further comprise transmitting the user authentication information of the user to the IC card when authentication for the user is required to use the security service provided by the IC card have.

According to the present invention, a user can register an IC card possessed by himself / herself as a secure authentication medium through a user's own terminal, and securely and conveniently manage and use authentication information such as a public certificate through a registered IC card Provide a method. By allowing the IC card equipped with the user's authorized certificate to be registered and made available through the user terminal without additional hardware, it is possible to use the service at a low cost while providing high security as the existing security token.

In addition, a problem in using an IC card mounted in the user terminal, that is, business constraints, restrictions due to security problems, and the like can be partially solved.

Also, it is possible to limit the security information and the security service provided by the IC card to use only through the registered terminal of the user, and to cope with the danger such as fraudulent use and external attack, and to use the security service such as the electronic signature more safely .

Further, by utilizing the identification information or the like of the registered IC card, it is possible to optimize the procedure required when using the IC card, and to improve the usability of the user.

1 schematically shows an authentication system for using an IC card as an authentication medium according to an embodiment of the present invention.
2 is a diagram illustrating a detailed configuration of an IC card manager installed in a user terminal according to an embodiment of the present invention.
3 is a flowchart illustrating a process of registering an IC card as an authentication medium according to an embodiment of the present invention.
4 is a flowchart illustrating a process of using an IC card registered as an authentication medium according to an embodiment of the present invention.
5 illustrates an example of an IC card registration screen shot according to an embodiment of the present invention.
Figure 6 illustrates an example of a screen shot for digitally signing using an IC card in accordance with an embodiment of the present invention.
FIG. 7 shows an example of a screen shot showing a case where certificate update previously stored in the IC card fails according to an embodiment of the present invention.

While the present invention has been described in connection with certain exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and similarities. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

In addition, the singular phrases used in the present specification and claims should be interpreted generally to mean "one or more " unless otherwise stated.

Also, the terms "module," "part," "interface, " and the like, used in the present specification generally mean computer-related objects and may mean, for example, hardware, software and combinations thereof.

Since most recent user terminals (smart phones, tablets, etc.) basically adopt a near field wireless communication (NFC) function, the present invention can be applied to a case where an IC card equipped with a public certificate, As an authentication medium. To this end, the present invention should solve the following problems.

(1) The user terminal must be able to identify and use the services provided by the IC card and the IC card equipped with the public certificate.

(2) Because IC cards are at risk of being lost, a malicious user should be able to prevent the use of IC cards with certificates of others.

(3) The malicious terminal should be able to block the attack of the IC card with the certificate. An IC card capable of short-range wireless communication can easily be attacked from the outside in an open place where it is easy to contact with an outside person such as a subway even though it is in a user's wallet.

(4) The user should be able to use the authentication service conveniently with minimal operation. Since the user terminal serving as the service medium and the IC card serving as the authentication medium are separated from each other, the IC card is used at the point of time when the service is required, and thus the security is high.

Hereinafter, embodiments of the present invention designed to solve these problems will be described with reference to FIGS. 1 to 7 attached hereto. The present invention will be described in detail with reference to the portions necessary for understanding the operation and operation according to the present invention.

1 schematically shows an authentication system for using an IC card as an authentication medium according to an embodiment of the present invention. As shown, the authentication system may include an IC card 1100, a user terminal 1200, and a card management server 1300.

In one embodiment, the IC card 1100 is an IC card capable of noncontact wireless LAN communication, and may be a contactless card, a hybrid card, a Combi Card, or the like. For example, a transportation card, a cash card, a credit card, an e-passport, an electronic resident card, an employee ID (student ID card), and a certificate card issued for various purposes may be applied. In addition, one IC card can provide a plurality of IC card standards together. For example, a transportation card, a credit card, and an employee ID (student ID) standard can be provided as one IC card.

The IC card 1100 used in the present invention extracts identification information (e.g., traffic card unique number, account number, credit card number, passport number, resident registration number, employee number, certificate identification information, etc.) from the IC card 1100 It should be possible. In addition, the IC card stores security information such as a certificate and a secret key in an internal memory and can provide it when necessary. The IC card provides security services such as key generation, certificate storage and management, digital signature, OTP, mutual authentication can do.

The user terminal 1200 may be one of various types of personal terminals having a short-range wireless communication function as a personal terminal of a user such as a smart phone or a tablet. In one embodiment, the user terminal 1200 is an apparatus that extracts identification information from the IC card 1100, registers the IC card as an authentication medium, and uses the security service provided by the registered IC card, A security information storage unit 1220, a memory 1230, and a processor 1240. The security information storage unit 1220,

The communication unit 1210 performs wireless communication (NFC) based on the IC card.

The security information storage unit 1220 is a storage for storing identification information of the IC card 1100 or storing terminal authentication information of a user terminal. For example, the security information storage unit 1220 may include a secure element (SE) Hereinafter referred to as "terminal SE").

The memory 1230 may store an IC card manager 1231 and an application program 1232 executed by the processor 1240. [

In one embodiment, the IC card manager 1231 may register the IC card 1100 as an authentication medium in the user terminal 1200 and provide the application 1232 with the security service provided by the registered IC card. IC card manager 1231 may act as a part of application 1232 as a library or service process or as an independent process to provide the security services required by application 1232. [ The IC card manager 1231 will be described in more detail with reference to FIG.

The application 1232 is software that uses the security service provided by the IC card manager 1231. For example, the application 1232 may be a mobile banking, an electronic wallet, an online payment, a certificate This may be the management software.

The card management server 1300 can use the identification information extracted from the IC card to judge whether the IC card can be registered as an authentication medium of the IC card or whether the IC card is a card registered as an authentication medium. For example, even if the IC card standard conforms to a registerable card standard, the card management server 1300 can restrict registration of the card as an authentication medium according to the card issuer.

The card management server 1300 may also be connected to the IC card 1100 for authentication (e.g., terminal authentication), information updating (e.g., renewal of a public certificate), and information generation (E.g., public key / private key information).

In one embodiment, the card management server 1300 may correspond to an authorized certificate management server, a financial institution server, or the like depending on the use purpose of the IC card.

2 is a diagram illustrating a detailed configuration of an IC card manager installed in a user terminal according to an embodiment of the present invention.

In one embodiment, the IC card manager 200 is software that operates when a user touches an IC card to a user terminal. The IC card manager 200 includes an identification information extraction module 210, an identification information confirmation module 220, a security service module 230 ), A user authentication module 240, and a terminal authentication module 250.

The identification information extraction module 210 extracts identification information from an IC card that performs short-range wireless communication with a user terminal.

In one embodiment, the identification information extraction module 210 extracts identification information from an IC card by using an IC card standard (e.g., a transportation card standard, a financial IC card standard, a certificate related standard, etc.) And may include identification information instruction codes for one or more of the specifications of a private IC card (e.g., employee ID, visitor ID, etc.).

In one embodiment, the identification information extraction module 210 determines whether the IC card touched to the user terminal is a card conforming to an IC card standard that can be used as an authentication medium, and executes an identification information extraction instruction code corresponding to the confirmed card specification The identification information can be extracted from the IC card.

In one embodiment, the identification information extraction module 210 can check the specification of the IC card by checking whether an application of a specific standard is loaded on the IC card, which can be done by querying a fixed application ID (AID). For example, the application ID of the visa credit card mounted on the IC card is "A0000000031010 ", and it can be confirmed through the application ID that the visa credit card is mounted on the IC card.

In one embodiment, when a request to register the IC card as an authentication medium is received from a user, the identification information extraction module 210 stores the extracted identification information in a memory in the user terminal 1200 or a terminal SE As shown in FIG. In another embodiment, the identification information extraction module 210 may transmit the extracted identification information to the card management server 1300 so as to be managed by the server 1300.

The identification information confirmation module 220 checks whether the identification information extracted by the identification information extraction module 210 matches the previously stored identification information when a request to use the security service of the IC card is received from the user.

In one embodiment, the pre-stored identification information may be stored in a memory or security element SE in the user terminal 1200. In this case, the identification information confirmation module 220 compares the extracted identification information with the identification information stored in the memory or the terminal SE to confirm whether they match or not.

In another embodiment, the identification information may be stored in the card management server 1300. In this case, the identification information confirmation module 220 may transmit the extracted identification information to the card management server 1300, and request the card management server 1300 to confirm whether the extracted identification information matches the previously stored identification information.

The security service module 230 provides a security service interface for using a security service (e.g., authentication information storage / deletion / update / inquiry, electronic signature, etc.) provided by the identified IC card. For example, if an IC card provides a certificate-related security token service, it may provide a Public-Key Cryptography Standards (PKCS) # 11 interface to utilize it.

When user authentication is requested to receive a security service such as an electronic signature from the IC card, the user authentication module 240 provides the user authentication information acquired from the user terminal to the IC card when the user touches the IC card to the user terminal can do. The IC card can perform user authentication using the user authentication information provided from the user authentication module 240. [

When terminal authentication is required to extract identification information from an IC card or to provide a security service, the terminal authentication module 250 transmits the terminal authentication information previously generated from the user terminal to the IC card when the user touches the IC card to the user terminal. As shown in FIG.

In one embodiment, the terminal authentication module 250 generates authentication information using the API provided by the user terminal, obtains the authentication information through the terminal SE, obtains the authentication information through the card management server Authentication information can be provided. The terminal authentication information may be the same as or different from the time of registering the IC card and the time of using the IC card, and this is in accordance with the terminal authentication mechanism and is not particularly limited in the present invention.

On the other hand, an authentication module is provided on the IC card side to confirm the authentication information provided by the user terminal, and to provide identification information and / or a security service to only the identified user terminal.

3 is a flowchart illustrating a process of registering an IC card as an authentication medium according to an embodiment of the present invention. Specifically, FIG. 5 illustrates a process of allowing a user to touch an IC card to use as an authentication medium or to receive a security service, and to extract and register identification information of the IC card according to an embodiment of the present invention.

In step S301, the application or the IC card manager requests the user to touch the IC card to be registered as the authentication medium to the user terminal. In one embodiment, the application or the IC card manager can display the IC card type of the standard that can be registered with the user on the terminal screen through the GUI. At this time, the application can perform a procedure for communicating with the IC card to be touched to the user terminal by using the IC card manager in advance. For example, it is possible to minimize the time for communicating with the IC card by preloading the specification module to communicate with the IC card (for example, loading the PKCS # 11 library of the financial IC card security token).

The user touches the IC card to be registered with the user terminal. At this time, the user will place the IC card within a range in which the communication module and the IC card can communicate with each other so that the communication module of the user terminal can recognize the IC card. When the communication module recognizes the IC card, the application can communicate with the IC card.

In step S302, the IC card manager determines whether or not the IC card touched to the user terminal is a card that conforms to an IC card standard (e.g., a traffic card standard, a financial IC card standard, a certificate related standard, an ID card private standard, . In one embodiment, the specification of the IC card can be confirmed by confirming whether an application of a specific standard is loaded on the IC card, which is possible by inquiring a fixed application ID (AID). .

In step S303, if the specification of the IC card touched to the user terminal is not confirmed or the specification of the confirmed IC card is not a registerable standard, the user may be requested to again touch another IC card.

In step S304, the IC card manager extracts the identification information by executing an identification information extracting instruction code corresponding to the confirmed card standard from the IC card identified as being registerable. The format and the type of the identification information can be variously defined according to the standard of the IC card, and the procedure for extracting the identification information can also be different according to the standard. Further, the identification information may be composed of a collection of various information of the IC card. For example, in the case of registering an IC card of a certificate-related standard such as PKCS # 11, at least one of the certificate key ID and the owner name may be used as the identification information

In step S305, the IC card manager stores the extracted identification information in the memory of the user terminal or the terminal SE (e.g., UICC). Alternatively, the extracted identification information may be transmitted to the card management server and managed by the card management server.

In one embodiment, in order to store the extracted identification information in the terminal SE, it may be necessary for the IC card manager to perform procedures for using the SE (e.g., UICC connection, UICC applet selection, etc.) in advance.

In another embodiment, in order to store the extracted identification information in the IC card management server, the IC card manager performs a procedure (for example, server connection, user account selection and authentication, etc.) for using the IC card management server in advance .

In addition, when the extracted identification information is to be stored in the IC card management server, the card management server can restrict the registration of the identification information. The card management server can use the identification information to check whether the IC card is within the range that the IC card needs to manage, or to check whether the card conforms to the security policy. For example, it is possible to identify an issuer of an IC card using the confirmed standard and identification information of the IC card, and to restrict the registration of a card of a specific provider.

Further, when the user information is confirmed by using the identification information of the IC card, the registration of the IC card can be restricted through whether or not the user of the user terminal matches the user of the IC card.

In step S306, it is determined whether to perform authentication of the user terminal in the future communication process between the user terminal and the IC card.

When terminal authentication is to be performed, the terminal authentication information can be registered (stored) in advance in the IC card in step S307. The IC card, which has registered the terminal authentication information, can perform terminal authentication with respect to a user terminal communicating with itself.

For example, the terminal authentication information may be a public key of the user terminal. When the public key of the user terminal is stored in the IC card, the IC card can request a digital signature for arbitrary data from the user terminal communicating later. The user terminal can provide the IC card with information that has been digitally signed using the private key, and the IC card can authenticate the terminal by checking the provided digital signature information using the registered public key.

As another example, the unique identification information of the user terminal can be registered as the terminal authentication information. Since it is not easy to guess and generate unique identification information of a specific user terminal from other user terminals, terminal unique identification information can be used as terminal authentication information in a low-level security service.

In one embodiment, the terminal authentication information is stored and managed in the terminal SE or the card management server and may be transmitted to the IC card. When the terminal authentication information is managed by the terminal SE or the card management server, terminal authentication can be normally performed even when the user terminal is replaced in the future.

4 is a flowchart illustrating a process of using an IC card registered as an authentication medium according to an embodiment of the present invention.

In step S401, the application displays the IC card previously registered with the user in a GUI form, and requests the user to touch the card. For example, if the registered IC card stores the user's authorized certificate and provides the digital signature service, the owner information of the authorized certificate may be displayed. At this time, the owner information is extracted and stored in the registration step of the IC card. Further, the application can perform a procedure for communicating with the IC card to be touched to the user terminal by using the IC card manager in advance. For example, the time for communication with the IC card can be minimized by preloading the standard module to communicate with the IC card (for example, loading the PKCS # 11 library of the financial IC card security token) or receiving the authentication information in advance.

The user touches the pre-registered IC card to the user terminal. At this time, the user will place the IC card within a range where the user terminal and the IC card can communicate with each other so that the user terminal can recognize the IC card. The application can communicate with the IC card.

In step S402, the IC card manager extracts the identification information from the IC card touched by the user by executing the identification information extraction instruction code corresponding to the previously registered IC card standard.

In step S403, the IC card manager checks whether the extracted identification information matches the identification information of the IC card previously registered as the authentication medium. If it is confirmed that the identification information is not the same, the user may be requested to touch another IC card.

In step S404, it is determined whether or not terminal authentication is necessary. In such a case, terminal authentication information may be transmitted to the IC card (S405). At this time, the terminal authentication information generated at the time of registering the IC card may be used as the terminal authentication information, or information associated with or modified from the terminal authentication information may be used.

It is determined whether the terminal authentication of the IC card has succeeded (S407). If the authentication is successful, the process proceeds to the next step (S406). Otherwise, the user can request a touch of another IC card.

In step S406, it is determined whether user authentication is necessary. In such a case, user authentication information may be transmitted to the IC card in step S407. The user authentication information is preferably acquired from the user before the IC card is touched, and PIN, password, bio information, or the like can be used as the user authentication information. The user authentication information is issued, for example, as a credit card, And may be stored in advance at the time of receiving, and may be registered by receiving authentication information from a user in the IC card registration process of the present invention.

FIG. 4 illustrates that user authentication is performed after user terminal authentication. However, in some implementations, user authentication may be performed before terminal authentication, and user authentication and terminal authentication may be performed together. For example, it is possible to provide the IC card with information generated by cryptographically combining the terminal authentication information and the user authentication information, and the IC card can cryptographically confirm the provided information.

Next, if it is determined in step S409 that the user authentication of the IC card is successful, the user can use the security service provided by the IC card. In one embodiment, the security services provided by the IC card may include storing, retrieving, renewing, revoking, digital signing, and the like of an authorized certificate.

Meanwhile, the storage of security information (e.g., a public certificate) necessary for the security service provided by the IC card can be performed through the security service (e.g., security token service) of the IC card in the security service utilization step S409 of the present invention But may be stored in advance in the IC card through the IC card issuer system irrespective of the present invention.

5 illustrates an example of an IC card registration screen shot according to an embodiment of the present invention. Referring to FIG. 5, the application may be mobile bank software. The mobile bank software may request the user to register a 'touch sign' card (an IC card supporting the certificate-related IC card specification in accordance with the present invention) for transferring money. When the user touches his / her 'touch sign' card to the user terminal, the identification information extracted from the 'touch sign' card and the standard supported by the 'touch sign' card can be confirmed.

In this case, the extracted identification information is used to output a portion requiring confirmation by the user, and may not be output unless user confirmation is required. In the embodiment shown in FIG. 5A, a part of the identification information is output for the purpose of confirming the owner information of the certificate stored in the IC card.

In addition, the verified card standard also outputs a portion requiring confirmation by the user, and may not be output unless user confirmation is required. FIG. 5 shows a detailed description of the specification in order to explain the present invention. However, the application may notify the user whether or not the card is a card that can be registered by judging through the support standard of the IC card and the provided data.

When the user clicks the registration button on the registerable IC card, the registration process of the IC card according to the present invention will be performed.

Figure 6 illustrates an example of a screen shot for digitally signing using an IC card in accordance with an embodiment of the present invention. Referring to FIG. 6, the application may be mobile bank software. It is assumed that an IC card for providing a security service (for example, an electronic signature service for transferring money) to the user terminal is already registered. The mobile bank software requests the user authentication information (for example, the certificate password) of the IC card in which the 'Hong Kil-Dong' public certificate is stored to secure the electronic signature data. When the user inputs the user authentication information and clicks the OK button, the mobile bank software requests to touch the previously registered IC card. When the user touches the previously registered IC card, the mobile bank software confirms the identification information of the IC card and can perform the digital signature after performing the user authentication. At this time, if the terminal authentication information is registered in the IC card, the terminal authentication may be performed before the digital signature is performed.

In the above example, requesting the user to input the user authentication information for the 'Hong Kil-Dong' authentication certificate and requesting the user to touch the IC card stored with the authentication certificate has a different aspect from the use of the general authentication certificate. The general certificate-related software obtains the authorized certificate data from the terminal repository or the security token, extracts the owner information from the acquired data and outputs the extracted information to the screen, and inputs the user authentication information of the authorized certificate selected by the user who verified the output owner information , The process proceeds to a procedure of digital signature after confirming the identity of the user through the inputted user authentication information. On the other hand, in the present invention, the registration process is performed in consideration of the usage characteristic of the IC card (for example, The electronic signature procedure may be slightly changed, for example, by requesting the user to touch the registered IC card after pre-selecting the registered authorized certificate of the IC card and inputting the user authentication information.

FIG. 7 shows an example of a screen shot showing a case where certificate update previously stored in the IC card fails according to an embodiment of the present invention. Referring to FIG. 7, the application may be authorized certificate management software. It is assumed that the IC card on which the authorized certificate is mounted has already been registered in the corresponding user terminal and that the authorized certificate needs to be renewed. The authorized certificate management software obtains the user authentication information and other data for renewal of the authorized certificate, outputs the related contents to the screen, and requests the user to touch the IC card stored with the 'Hong Kil-Dong' certificate of the renewal target. The user touches the IC card, but the certificate management software displays on the screen that the certificate renewal has failed. At this time, there are various reasons why certificate renewal may fail. However, there are two possibilities in the scope of the present invention. One may be a card in which an IC card touched by the user is not registered as shown in the screen of Fig. That is, the certificate management software expects an IC card stored with a public certificate of 'Hong Gil Dong', but a card not associated with an IC card or a public certificate stored with another public certificate is touched. The other is a case where the terminal authentication performed by the IC card fails because another user terminal is used in performing terminal authentication through the terminal authentication information registered at the time of registering the IC card.

The authorized certificate management SW according to the present invention can request the user terminal to touch an IC card that can register itself in order to issue or update the authorized certificate to the user through the user terminal screen. When a user touches an unregistered IC card, it can recognize that the card is an unregistered card through the card identification information and output a failure screen. In the case where the IC card performs authentication for the user terminal, when the user terminal authentication information received from the user terminal is different from the user terminal authentication information registered by the user terminal at the time of registration of the IC card, You may.

It is to be understood that the present invention is not limited to these embodiments, and all elements constituting the embodiment of the present invention described above are described as being combined or operated in one operation. That is, within the scope of the present invention, all of the components may be selectively coupled to one or more of them. In addition, although all of the components may be implemented as one independent hardware, some or all of the components may be selectively combined to perform a part or all of the functions in one or a plurality of hardware. As shown in FIG. In addition, such a computer program may be stored in a computer-readable medium such as a USB memory, a CD disk, a flash memory, etc., and read and executed by a computer, thereby implementing embodiments of the present invention. As the storage medium of the computer program, a magnetic recording medium, an optical recording medium, a carrier wave medium, or the like may be included.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or essential characteristics thereof. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.

Claims (16)

1. An apparatus for using an IC card as an authentication medium,
An identification information extracting module for extracting identification information from an IC card performing short-range wireless communication with a user terminal;
An identification information checking module for checking whether the extracted identification information is identical with identification information of an IC card previously registered as an authentication medium; And
A security service module providing a security service interface for using the security service provided by the identified IC card
/ RTI > The apparatus of claim 1, wherein the identification information extraction module includes a command code for extracting identification information for at least one of a standardized IC card standard and a private IC card standard. 3. The IC card according to claim 2, wherein the identification information extraction module confirms that the IC card is a card conforming to an IC card standard usable as an authentication medium, and executes an identification information extraction instruction code corresponding to the identified card standard, An apparatus for extracting identification information. The information processing apparatus according to claim 1, wherein the identification information extraction module extracts the extracted identification information from the memory in the user terminal or a security associated with the user terminal when receiving a request from the user to register the IC card as an authentication medium. A device to store in a Secure Element. The information processing apparatus according to claim 1, wherein when the request for registering the IC card as an authentication medium is received from the user, the identification information extraction module transmits the extracted identification information to the card management server, . The information processing apparatus according to claim 1, wherein, when a request to use the security service of the IC card is received from the user, the extracted identification information is stored in a memory in the user terminal or a security element And confirms whether the identification information matches the previously stored identification information. The information processing apparatus according to claim 1, wherein the identification information confirmation module is configured to identify the information generated by using the extracted identification information or the extracted identification information when a request to use the security service of the IC card is received from the user, And requests the server to confirm whether the extracted identification information matches the identification information stored in advance in the card management server. The apparatus of claim 1, further comprising a user authentication module for transmitting user authentication information acquired from the user terminal to the IC card when user authentication is requested from the IC card. The apparatus of claim 1, further comprising a terminal authentication module for transmitting terminal authentication information generated by the user terminal to the IC card when authentication of the terminal is requested from the IC card. An authentication system using an IC card as an authentication medium,
An IC card,
A user terminal that extracts identification information from the IC card, registers the IC card as an authentication medium, and uses the security service provided by the registered IC card; And
Determining whether the IC card can be registered as an authentication medium of the IC card by using the identification information extracted from the IC card or determining whether the IC card is a card already registered as an authentication medium,
. 11. The method of claim 10,
A short range wireless communication unit for performing wireless communication based on the IC card;
A memory in which an IC card manager program command for providing an application program command requiring a security service and a security service required by the application program using the IC card registered as an authentication medium is stored; And
And a processor for executing the application program and the IC card manager program stored in the memory, wherein the IC card manager program causes the processor to execute, when executed by the processor,
Extracting identification information from the IC card,
Confirms whether the extracted identification information matches the identification information of the IC card previously registered as the authentication medium,
And providing a security service interface for using the security service provided by the identified IC card. A method for using an IC card as an authentication medium,
Requesting a user to touch an IC card to be registered as an authentication medium to a user terminal;
Checking whether the IC card touched to the user terminal is an IC card standard registerable as an authentication medium;
Extracting identification information from the IC card by executing an identification information extracting instruction code corresponding to the identified card standard from the IC card identified as being registerable; And
Storing the extracted identification information in one of a security element (SE) associated with a memory in the user terminal and the user terminal, or transmitting the stored identification information to a card management server to be stored in the card management server
≪ / RTI > 13. The method of claim 12, wherein the method further comprises transmitting the terminal authentication information of the user terminal to the IC card so as to be stored in the IC card. 13. The method of claim 12,
When the user intends to use the IC card registered as the authentication medium,
Requesting the user to touch an IC card registered as an authentication medium to the user terminal;
Extracting identification information from the touched IC card by executing an identification information extracting instruction code corresponding to the registered IC card standard;
Checking whether the extracted identification information matches the identification information of the IC card previously registered as an authentication medium; And
Using the security service provided by the identified IC card
≪ / RTI > 15. The method of claim 14,
Further comprising transmitting the terminal authentication information of the user terminal to the IC card when authentication of the user terminal is required to use the security service provided by the IC card. 15. The method according to claim 14, further comprising the step of transmitting the user authentication information of the user to the IC card when authentication for the user is required to use the security service provided by the IC card Way.
KR1020140065285A 2013-07-01 2014-05-29 Method, Apparatus and System for using an IC card as authentication medium KR20150004260A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/319,412 US20150007300A1 (en) 2013-07-01 2014-06-30 Method, apparatus, and system for using ic card as authentication medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR20130076554 2013-07-01
KR1020130076554 2013-07-01

Publications (1)

Publication Number Publication Date
KR20150004260A true KR20150004260A (en) 2015-01-12

Family

ID=52476593

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020140065285A KR20150004260A (en) 2013-07-01 2014-05-29 Method, Apparatus and System for using an IC card as authentication medium

Country Status (1)

Country Link
KR (1) KR20150004260A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160100192A (en) * 2015-02-13 2016-08-23 (주)엠앤스마트 System for digital authentication using pairing between universal RF tag and smart phone
WO2017188550A1 (en) * 2016-04-28 2017-11-02 한양대학교 산학협력단 Binder composite and preparation method therefor
KR20180039450A (en) * 2016-10-10 2018-04-18 주식회사 엘지유플러스 Mobile Using NFC Function Conducting Certification and Method thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160100192A (en) * 2015-02-13 2016-08-23 (주)엠앤스마트 System for digital authentication using pairing between universal RF tag and smart phone
WO2017188550A1 (en) * 2016-04-28 2017-11-02 한양대학교 산학협력단 Binder composite and preparation method therefor
KR20180039450A (en) * 2016-10-10 2018-04-18 주식회사 엘지유플러스 Mobile Using NFC Function Conducting Certification and Method thereof

Similar Documents

Publication Publication Date Title
US20210226798A1 (en) Authentication in ubiquitous environment
US20190122212A1 (en) Methods and systems for provisioning payment credentials
JP6629952B2 (en) Method and apparatus for securing mobile applications
JP6381833B2 (en) Authentication in the ubiquitous environment
US7357309B2 (en) EMV transactions in mobile terminals
US20090307140A1 (en) Mobile device over-the-air (ota) registration and point-of-sale (pos) payment
US20150242844A1 (en) System and method for secure remote access and remote payment using a mobile device and a powered display card
EP2237519A1 (en) Method and system for securely linking digital user's data to an NFC application running on a terminal
US11887022B2 (en) Systems and methods for provisioning point of sale terminals
KR20170133307A (en) Online financial transactions, identity authentication system and method using real cards
KR20110002968A (en) Method and system for providing financial trading service by using biometrics and portable memory unit therefor
US20150007300A1 (en) Method, apparatus, and system for using ic card as authentication medium
KR101834365B1 (en) Service providing system and method for payment based on electronic tag
KR101834367B1 (en) Service providing system and method for payment using sound wave communication based on electronic tag
KR20150004260A (en) Method, Apparatus and System for using an IC card as authentication medium
JP2019004475A (en) Authentication under ubiquitous environment
KR20110029031A (en) System and method for authenticating financial transaction using electric signature and recording medium
KR102348823B1 (en) System and Method for Identification Based on Finanace Card Possessed by User
KR20110029032A (en) Method for processing issue public certificate of attestation, terminal and recording medium
WO2015107346A1 (en) Authentication method and system
KR101103189B1 (en) System and Method for Issueing Public Certificate of Attestation using USIM Information and Recording Medium
EP4177810A1 (en) Method and device for authorizing mobile transactions
US20230385418A1 (en) Information processing device, information processing method, program, mobile terminal, and information processing system
KR20230045875A (en) User authenitication system using real card and the method
JP2020115386A (en) Authentication in ubiquitous environment

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application