KR20150077379A - Method for authentication using user apparatus, digital system, and authentication system thereof - Google Patents

Abstract

Disclosed are a method for authentication using a user apparatus, a digital system therefor, and an authentication system thereof. The method for authentication using a user apparatus includes the steps of: communicating with the user apparatus for authentication by a digital system; receiving one-time device information produced by a user through the communications by the digital system and transmitting confirm signals including the one-time device information to an authentication system, or producing the one-time terminal information by the digital system and transmitting the confirm signals including the produced one-time terminal information to an authentication system by the digital system; and confirming the correspondence between the one-time device information or one-time terminal information included in the transmitted confirm signals and one-time server information produced by the authentication system. With success in the step of confirming authentication, the authentication request with respect to the digital system, a random data processing unit outputting authentication requests to a service system connected to the authentication system, or the authentication system can be succeeded by the authentication system.

Description

Technical Field [0001] The present invention relates to a user authentication method using a user device, a digital system for the same, and an authentication system using the same,

The present invention relates to a user authentication method using a user device, a digital system and an authentication system therefor, and more particularly to a digital authentication system and a user authentication method using a user who wants to use various services (for example, financial transactions such as login, Authentication method and system using the user device and the digital system (e.g., mobile terminal) when the user authentication is to be performed.

Conventional technology related to identity authentication has traditionally used identity and password authentication. However, such a conventional authentication method has a problem that it is difficult to perform a normal authentication function when an ID and a password are leaked. To complement this, various authentication schemes have appeared.

For example, there are authentication of the mobile phone itself, authentication by a user using an authorized certificate, authentication using an OTP, authentication of an i-PIN (Internet Personal Identification Number), or authentication using a credit card.

Authorized certificate authentication is an authentication protocol with a relatively high security level, but it is not easy to carry the authorized certificate stably and there are disadvantages such as complicated authentication process. In addition, the public certificate has also recently been leaked in large quantities, thus posing a problem of safety.

The i-PIN is a method of performing the identity authentication using a virtual identification number used on the Internet. In this case, in addition to the fact that the user must know a new identification number in advance, It is difficult to perform a normal authentication function.

In addition, since the authentication of the mobile phone is a method of authenticating the occupation of the mobile phone by using the authentication number, there is a problem that the mobile phone is vulnerable to smsing.

Also, since all of these conventional technologies are a method of inputting a password (certificate password, I-PIN password) or an authentication number, if a password or an authentication number is exposed to another person, the authentication of the user is inevitable. There is a high risk of exposure to hacking.

In addition, in the case of authentication using the OTP, the user can authenticate only when the user has the OTP client (OTP token). Also, the user is required to generate the OTP through the OTP client, There is a presence.

Accordingly, a technical idea that can provide a highly secure personal authentication protocol while maintaining convenience compared with conventional authentication technologies is required along with a payment protocol.

In addition, online crime becomes more intelligent and frequent as online financial transactions become more active, so the need for 2-channel authentication is increasing. Technological thinking is required to enable users to easily perform authentication while enabling 2-channel authentication.

In this case, the authentication request and the authentication operation to be performed by a legitimate user may be separated so that the authentication request and the authentication request are authenticated. Therefore, A technical idea is required to permit the use of the service without exposing the information.

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a digital system and a user device which are highly likely to be carried by a user. In addition, the present invention provides a two-channel personal authentication, a long-term personal authentication, or a technical idea enabling a third party to easily perform a personal authentication for allowing a legitimate user to provide a service.

In addition, since authentication can be performed using one-time information (e.g., OTP), it is necessary to have a separate one-time information generating device (e.g., OTP client) for generating one-time information It is to provide a technical idea that can carry out the simple and secure self-certification without.

In addition, the generation of the one-time information can be performed through a digital system or a user device (e.g., a smart card or the like) carried by the user, so that the risk that authentication due to illegal copying of the digital system or the user device can be performed And to provide technological ideas that can be significantly lowered.

In addition, the digital system transmits an acknowledgment signal including the one-time information only when the digital system communicates with the user equipment, thereby providing a higher level of security.

Also, even when the payment card is used for authentication of the user, the settlement financial information (for example, the card number, the expiration date, the CVC, etc.) may not be circulated on the network and even if the outflow of information occurs due to an attack, It is to provide a technical idea about the authentication method which can provide high security by reducing the risk of leakage of financial information.

In addition, it does not require a process of providing the user with the one-time information while inputting the one-time information, thereby providing the user with the technical idea of authentication of the user, which is robust against attacks through key logging .

The present invention also provides a technical idea that allows a digital system and / or a user device to be used for an authentication operation to be predetermined and perform authentication of the user only through the digital system and / or the user device.

In addition, a digital system to be used for the authentication operation and a user apparatus that is paired with the digital system are set in advance, and authentication is successful only when communication (for example, contact or non-contact type) So as to provide a technical idea capable of providing a synergistic effect of remarkable security.

According to another aspect of the present invention, there is provided a method of authenticating a user using a user device, the method comprising: performing communication with a predetermined user device for authenticating the digital system; The method includes receiving device one-time information generated by a user device, transmitting an acknowledgment signal including the device one-time information to an authentication system, or generating a confirmation signal including the generated one- And transmitting an authentication confirmation message to the authentication system and an authentication confirmation procedure for checking whether the device one-time information included in the transmitted confirmation signal or the server one-time information matches the server one-time information generated by the authentication system , And the authentication procedure is successful For a group certification system to the predetermined data processing apparatus or the digital system, output an authentication request to the authentication system or the identification system and associated services by the system it may be characterized in that the authentication request is processed successfully.

The authentication method using the user device may further include a step of transmitting the authentication request information output by the authentication system, which has received the authentication request including the identification information of the digital system output from the data processing device, The method further comprising displaying on the digital system, wherein when the authentication action request information is displayed, the digital system can perform the communication with the user device.

The authentication method using the user device may further include receiving the authentication action request information output from the data processing device that receives the identification information of the digital system, The digital system can perform the communication with the user equipment.

When the server one-time information corresponding to the device one-time information or the terminal one-time information is generated by the authentication system and the generated server one-time information corresponds to the received device one-time information or the terminal one-time information, And the authentication confirmation procedure is successful.

In addition, the authentication method using the user device may further include receiving the device identification information of the user device by the digital system through the communication, and the step of transmitting the confirmation signal to the authentication system may include: Wherein the digital system further includes the device identification information in the confirmation signal and transmits the device identification information to the authentication system, wherein, by the authentication system, the user equipment identification information corresponds to information previously registered in the authentication system, And the authentication confirmation procedure is successful.

Further, the user device is a payment IC card, and the user equipment identification information included in the confirmation signal is identification information of the user apparatus irrespective of the payment financial information of the payment IC card .

The transmitting of the confirmation signal to the authentication system may further include transmitting the terminal identification information of the digital system to the confirmation signal and transmitting the identification signal to the digital system, The authentication verification procedure is successful if the authentication information is previously registered.

The user authentication method using the user device may further include determining whether the digital system is a preset pair so that the user device corresponds to the digital system, and if the user device is a preset pair, And transmits an acknowledgment signal to the authentication system.

In addition, the digital system may include the device one-time information or the terminal one-time information without displaying it in the confirmation signal and transmit the same to the authentication system.

Further, a method for authenticating a user using the user apparatus includes the steps of: the digital system or the authentication system requesting a user of the digital system for user authentication information corresponding to the user apparatus; Further comprising the step of transmitting, to the authentication system, the digital system or the data processing apparatus, wherein the authentication confirmation procedure is successful only when the user authentication information is further authenticated by the authentication system.

In addition, the digital system may be characterized in that the confirmation signal does not include the settlement financial information of the user device and the user device is a settlement IC card.

According to another aspect of the present invention, there is provided a method for authenticating a user using a user device, the method comprising: receiving, by a first user, identification information of a digital system of a second user, Wherein the digital system receives the action request information or the second authentication action request information corresponding to the second authentication request output by the authentication system that has received the second authentication request by the data processing apparatus, Wherein the digital system communicates with a predetermined user device, and wherein the digital system receives device one-time information generated by the user device and transmits an acknowledgment signal including the device one- To the authentication system, or the digital system generates terminal one-time information And transmitting to the authentication system an acknowledgment signal including the generated terminal one-time information, wherein the device transmits the device one-time information or the terminal one-time information to the authentication system by the authentication system based on the confirmation signal, Information or an authentication confirmation procedure in which the terminal one-time information is authenticated, the data processing apparatus outputting the second authentication request to the service system connected to the authentication system or the authentication system by the authentication system or the first authentication The second authentication request or the first authentication request is successfully processed for the digital system outputting the first authentication request corresponding to the action request information.

According to another aspect of the present invention, there is provided a method for authenticating a user using a user device, the method comprising: receiving a confirmation signal from the digital system, Receiving device one-time information generated by the user device or terminal one-time information generated by the digital system; and receiving, by the authentication system, the device one-time information or the one- Wherein the authentication system authenticates the device one-time information or the terminal one-time information, and the authentication system is connected to the authentication system or the service system connected to the authentication system A certain day that output the authentication request For the processor or the digital system it may be characterized in that the successful treatment of the authentication challenge.

The authentication method using the user device may further include the steps of the authentication system receiving the authentication request including the identification information of the digital system from the data processing apparatus, Or transmitting the authentication action request information to the data processing device, wherein, after transmitting the authentication action request information, the authentication system performs the authentication process so that the confirmation signal is received from the digital system . ≪ / RTI >

Further, the step of performing an authentication confirmation procedure for authenticating the device one-time information or the terminal one-time information based on the confirmation signal received by the authentication system may further include the steps of: Generating the server one-time information, and determining whether the server system generated one-time information corresponds to the received device one-time information or the terminal one-time information.

The authentication method using the user device may further include determining whether the user equipment identification information of the user equipment included in the confirmation signal corresponds to information registered in the authentication system in advance and authenticating the user equipment Further comprising determining that the authentication verification procedure is successful if the user device is further authenticated.

The authentication method using the user device may further include determining whether the terminal identification information of the digital system included in the confirmation signal corresponds to information registered in advance in the authentication system and authenticating the terminal identification information Wherein the terminal identification information is further authenticated to determine that the authentication verification procedure is successful.

The authentication method using the user device may further include a step of authenticating whether the digital system to which the authentication signal transmitted the authentication signal and the user device are paired in advance with the authentication system, And it may be determined that the authentication confirmation process is successful if the presence of the pair is not authenticated.

According to another aspect of the present invention, there is provided a method of authenticating a user using a user apparatus, the method comprising: receiving, by a first user, an authentication request output from a data processing apparatus that receives identification information of a digital system of a second user, The system comprising: receiving, by the authentication system, authentication action request information corresponding to the received authentication request to the digital system; when the communication between the digital system and the predetermined user device is performed, Receiving an acknowledgment signal from a digital system, wherein the acknowledgment signal includes device one-time information generated by the user device or terminal one-time information generated by the digital system; The device one-time information or the terminal one-time information And if the authentication procedure succeeds, the authentication system may successfully process the authentication request for the data processing apparatus that has output the authentication request.

The user authentication method using the user device may be recorded in a computer-readable recording medium.

According to an aspect of the present invention, there is provided a digital system for authenticating a user using a user apparatus according to an exemplary embodiment of the present invention. The digital system includes a user equipment The communication module, and the user device communication module, an acknowledgment signal - the confirmation signal includes device one-time information generated by the user device or terminal one-time information generated by the digital system - to the authentication system, wherein the device one-time information or terminal one-time information is authenticated by the authentication system based on the acknowledgment signal including the device one-time information or the terminal one-time information transmitted If the authentication verification procedure is successful, The authentication request is successfully processed for a predetermined data processing apparatus or the digital system that has output the authentication request to the authentication system or the service system connected to the authentication system.

In addition, the digital system may further include a terminal one-time information generation module for generating the terminal one-time information when the communication is performed.

In addition, when the communication is performed, the control module may acquire the device identification information of the user equipment through the user equipment communication module and further include the device identification information in the confirmation signal, or may transmit the terminal identification information of the digital system to the confirmation signal Wherein the apparatus identification information or the terminal identification information is authenticated by the authentication system so that the authentication confirmation procedure is successful.

In addition, the control module does not include the settlement financial information of the user apparatus and the user apparatus as the settlement IC card in the confirmation signal.

According to an aspect of the present invention, there is provided a digital system for authenticating a user using a user apparatus, the apparatus comprising: a data processing unit for receiving identification information of a digital system of a second user by a first user; Receiving second authentication action request information corresponding to the second authentication request output by the authentication system after the second authentication request is transmitted to the authentication system by the data processing apparatus A user equipment communication module for communicating with a given user equipment, and an acknowledgment signal when said communication is performed, wherein said acknowledgment signal includes device one-time information generated by said user equipment or said digital system Includes the terminal one-time information generated by the terminal, to the authentication system And if the authentication confirmation procedure in which the device one-time information or the terminal one-time information is authenticated by the authentication system based on the confirmation signal including the device one-time information or the terminal one-time information transmitted is successful, To the data processing apparatus that has output the second authentication request to the authentication system or to the service system connected to the authentication system or to the digital system that has output the first authentication request corresponding to the first authentication action request information, 2 authentication request or the first authentication request is successfully processed.

According to another aspect of the present invention, there is provided an authentication system for a digital system, the digital system comprising: a confirmation signal output by the digital system, The generated device one-time information, or the terminal one-time information generated by the digital system, and performs the authentication check based on the confirmation signal including the received device one-time information or the terminal one-time information And when the authentication confirmation procedure in which the device one-time information or the terminal one-time information is authenticated is successful, the authentication system performs a predetermined data process for outputting an authentication request to the authentication system or a service system connected to the authentication system Device or said digital system And a control unit for successfully processing the authentication request.

According to an aspect of the present invention, there is provided an authentication system including: an authentication server that receives an authentication request output from a data processing apparatus that receives identification information of a digital system of a second user by a first user, To the digital system, a verification signal when communication is performed between the digital system and a predetermined user device, and the confirmation signal includes device one-time information generated by the user device or the digital system Information on the one-time information of the terminal, which is received by the communication unit, or the terminal one-time information received by the communication unit; A verification process to authenticate one-time information And a control unit for successively processing the authentication request for the data processing apparatus that has output the authentication request when the authentication unit has succeeded in the authentication procedure.

According to the technical idea of the present invention, there is an effect of providing high security and simplicity by performing self-authentication by using two independent objects of a digital system and a user device, both of which are highly likely to be carried by a user and are familiar.

In other words, the authentication request is performed by a data processing apparatus that is separate from the digital system, and the authentication operation is performed through the digital system, It is possible to perform a two-channel authentication, a remote authentication, or a third party authentication by a legitimate user with high security because it can be carried out elsewhere or by another person different from the authentication requestor.

In addition, there is no need for a user to have a device for separate one-time information (e.g., OTP, etc.), and a user device (e.g., IC card, traffic card, electronic ID card, etc.) It is possible to increase both the security and the convenience of the user.

In addition, it does not require the user to input the information while using the one-time information, so that the user is not exposed to the hacking of the key input method such as the key logging as well as the convenience of the user authentication.

In addition, since the digital system to be used for the authentication of the user can be set and specified in advance, there is an effect that the system can be robust against attacks such as smishing or man in the middle attack, It is possible to actively block online crime through the Internet.

In addition, since a user apparatus constituting a pair (pair) with the digital system can be set in advance, it is possible to set up a pair of apparatuses without having all the apparatuses constituting the pair (that is, The apparatus can not be normally authenticated), thereby remarkably improving the security.

BRIEF DESCRIPTION OF THE DRAWINGS A brief description of each drawing is provided to more fully understand the drawings recited in the description of the invention.
Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.
2 shows a schematic configuration of a digital system according to an embodiment of the present invention.
3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.
4 shows a schematic data flow of authentication of a user using a user device according to an embodiment of the present invention.
FIG. 5 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
6 shows a schematic data flow of authentication of a user using a user apparatus according to another embodiment of the present invention.
7 is a diagram for explaining a process of an authentication system performing an authentication procedure according to an embodiment of the present invention.
8 is a diagram for explaining a process in which a digital system transmits an acknowledgment signal according to an embodiment of the present invention.

In order to fully understand the present invention, operational advantages of the present invention, and objects achieved by the practice of the present invention, reference should be made to the accompanying drawings and the accompanying drawings which illustrate preferred embodiments of the present invention.

Also, in this specification, when any one element 'transmits' data to another element, the element may transmit the data directly to the other element, or may be transmitted through at least one other element And may transmit the data to the other component. Conversely, when one element 'directly transmits' data to another element, it means that the data is transmitted to the other element without passing through another element in the element.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

Figure 1 shows schematic systems for implementing identity authentication using a user device in accordance with an embodiment of the present invention.

Referring to FIG. 1, a digital system 100, an authentication system 200, and a user device 300 may be provided to implement a user authentication method using a user device according to an embodiment of the present invention. Depending on the implementation, a predetermined data processing apparatus 400 may be further provided. Further, a service system 500 connected to the authentication system 200 and capable of providing a predetermined service to the digital system 100 and / or the data processing apparatus 400 may be further provided.

The digital system 100 can implement the technical idea of the present invention while transmitting and receiving necessary information through the wired / wireless network with the authentication system 200. The digital system 100 may acquire information (e.g., device identification information) necessary for the technical idea of the present invention from the user device 300 by communicating with the user device 300.

The digital system 100 may perform contact or non-contact communication with the user device 300. For example, the user device 300 may be implemented as a smart card, an IC card, or a transportation card capable of performing contact or non-contact communication with the digital system 100. In particular, the user device 300 may be a payment IC card (credit card, check card, etc.).

According to another embodiment, the user device 300 has its own identification information as the device owned by the user, and any type of device capable of communicating with the digital system 100 is possible. For example, the user device 300 may be a device capable of proving an identity (e.g., an electronic identification card), a communicable OTP device, or a user's mobile phone separate from the digital system 100.

Hereinafter, for convenience of description, the user device 300 will be described as a payment IC card, but the scope of the present invention is not limited thereto. Although the digital system 100 and the user device 300 perform short-range wireless communication, the scope of the present invention is not limited thereto.

The digital system 100 may perform short-range wireless communication with the user device 300. [ To this end, the user may tag the digital system 100 and the user device 300.

In this specification, tagging refers to the case where the digital system 100 and the user device 300 are located within a certain distance (for example, 10 cm or less when the NFC communication is used) in order to carry out contactless communication such as RFID communication and NFC communication. Or the like). The user can perform tagging by bringing the digital system 100 or the user device 300 into a predetermined distance to the user device 300 or the digital system 100. [

If the user device 300 is a payment card, the user device 300 may be a financial transaction means. The user device 300 may include a predetermined communication device (e.g., an RF antenna, an RF tag, and the like) to perform tagging communication with the digital system 100. [ In addition, the user device 300 may further include a storage device in which information necessary for realizing the technical idea of the present invention can be stored. For example, the user device 300 may be implemented as an IC card having an IC chip or various types of smart cards. Of course, the user device 300 may be an apparatus that can not independently perform financial transactions as described above. Even if the user device 300 is not a financial transaction device, according to the technical idea of the present invention, a user device 300 (e.g., an ID, a mobile phone separate from the digital system 100) Etc.) can be used to easily perform authentication of the user. For example, since the user can easily perform the identity authentication only by the tagging operation of the digital system 100 and the user device 300, the user can input the ID / password, select the authorized certificate, As compared with the conventional complicated authentication process, it is possible to perform the self-authentication with high security, which is much simpler.

In addition, when performing short-range wireless communication through tagging, it is not necessary to take out a user device (e.g., an electronic ID card or a payment card 300) from a pocket or a wallet.

Of course, another conventional authentication method (for example, authentication using an authorized certificate, etc.) may be performed before or after the authentication of the user according to the technical idea of the present invention is performed for higher security. It goes without saying that higher security can be provided when such dual security authentication is performed.

According to one embodiment, the user device 300 may generate certain one-time information, which is to define the one-time information generated by the user device 300 as 'device one-time information'. For example, when the user device 300 is a payment card, when the card is tagged with the digital system 100, the card is supplied with power through electromagnetic induction, and through the IC chip mounted on the card, One-time information can be generated. The processor included in the IC chip may generate the device one-time information when power is supplied through the communication with the digital system 100, and may enable the digital system 100 to read the generated device one-time information . Of course, at this time, the digital system 100 may be required to be an authorized system capable of reading the device one-time information. For this purpose, authenticated software capable of reading the device one-time information can be installed in the digital system 100.

The device one-time information may be information that can be authenticated by the authentication system 200. To this end, the authentication system 200 may be provided with an authentication unit for authenticating the device one-time information. The authentication unit may generate one-time information by itself to authenticate the device one-time information, as will be described later. That is, the user device 300 may operate as an OTP client, for example, and the authentication unit may operate as an OTP server. Hereinafter, the one-time information generated by the authentication system 200 will be defined as 'server one-time information' for convenience of explanation.

As described above, according to the technical idea of the present invention, the user device 300 generates device one-time information, and the created device one-time information can be authenticated by the authentication system 200. Accordingly, when the user device 300 is authenticated using fixed device identification information such as UID (Unique Identification Number) of the card 300 that can be acquired from the user device 300, There is an effect that the risk of forgery and falsification of the identification information can be remarkably lowered.

Also, according to one embodiment, the user device 300 may be a payment card. Then, the device one-time information generated by the user device 300 is used as payment financial information, that is, financial information necessary for payment, irrespective of the information (for example, card number, validity period, CVC code, etc.) stored in the IC chip of the card (E.g., UID, time information or any value, etc.). In this case, since the settlement financial information may not be distributed to the digital system 100 or the authentication system 200, the security can be enhanced. In this case, even though the device one-time information and device one-time information generation algorithm are leaked, there is no risk that the settlement financial information is leaked through reverse engineering or the like.

1, the digital system 100 can communicate with the authentication system 200 via a wired / wireless network, and can communicate with the user device 300 through a predetermined communication (e.g., a local area wireless communication) May be defined to include any type of data processing device capable of communicating over a network. For example, the digital system 100 may be a data processing device, such as a tablet, a music player, or the like, which is easy for the user to carry around. Of course, the digital system 100 is preferably capable of communicating with the authentication system 200 and / or the data processing apparatus 400 via a network.

In addition, the digital system 100 may be implemented so as to generate predetermined one-time information in order to implement the technical idea of the present invention. The one-time information generated by the digital system 100 is defined as 'terminal one-time information' in this specification. The function of the digital system 100 to generate the terminal one-time information may be implemented by installing predetermined software in the digital system 100 to implement the technical idea of the present invention.

The terminal's one-time information may also be authenticated by an authentication unit included in the authentication system 200. [ The authentication unit may generate corresponding one-time server information for authenticating the terminal one-time information.

As a result, according to the technical idea of the present invention, the digital system 100 may include the device one-time information generated by the user device 300 in an acknowledgment signal and transmit it to the authentication system 200, May be included in the confirmation signal and transmitted to the authentication system 200. Of course, according to an embodiment, the device one-time information and the terminal one-time information may be included in the confirmation signal and transmitted to the authentication system 200. [ Then, the authentication unit of the authentication system 200 may generate server one-time information corresponding to the device one-time information and / or server one-time information corresponding to the terminal one-time information, and the device one-time information and / When the information is authenticated, it can be judged that the authentication check procedure is successful. Of course, the authentication of the user device 300 by the device identification information as described below, the authentication of the digital system 100 by the terminal identification information, and / or the authentication of the digital system 100 and the user device 300, A pair authentication may be performed to authenticate whether or not the authentication is successful.

The confirmation signal may be defined as including a series of information or signals including information necessary for the authentication procedure performed by the authentication system 200. [ The acknowledgment signal does not necessarily mean one data set (or contiguous packet data), but may be temporally or physically separated information or signal. That is, the digital system 100 may output the confirmation signal to the authentication system 200 a plurality of times.

Of course, when both the device one-time information and the terminal one-time information are authenticated by the authentication system 200, the authentication using the device identification information or the terminal identification information may be optionally omitted.

In any case, according to the technical idea of the present invention, the digital system 100 can include the apparatus one-time information and / or terminal one-time information in an acknowledgment signal and transmit it to the authentication system 200, The one-time information and / or terminal one-time information may be authenticated by the authentication system 200.

Meanwhile, the digital system 100 can generate the terminal one-time information only when the digital system 100 communicates with the user apparatus 300. According to an embodiment, the digital system 100 may generate the one-time information in advance in response to the receipt of the authentication action request information or by a predetermined request of the user in advance, and when the communication is performed, Side system 200 to the settlement-side system 200. The settlement- In any case, the digital system 100 can transmit the confirmation signal to the authentication system 200 only when the digital system 100 and the user device 300 are in communication. Therefore, even if it is described that the authentication method according to the technical idea of the present invention includes a step in which the digital system and the user apparatus communicate with each other and the user apparatus generates the terminal one-time information, It should not be interpreted as a description specifying the sequence to be generated, and may be interpreted as including the case where the communication is performed after generation of the terminal one-time information.

As a result, even if the digital system 100 is attacked by hacking or the like, the terminal's one-time information may not be generated unless the user has the user device 300. Or even if the terminal's one-time information is generated, the confirmation signal may not be transmitted, so that the authentication of the user is not successful.

According to an embodiment, the terminal's one-time information may be information generated by keying (or seeding) at least a part of the identification information of the user equipment 300. Herein, the identification information of the user device 300 may be fixed identification information (e.g., UID) of the user device 300. Of course, in this case, the key may also be registered in the authentication system 200. Therefore, as long as communication with the user device 300 is not performed, the terminal's one-time information may not be generated, and even if the confirmation signal including the terminal's one-time information is transmitted to the authentication system 200, It may not be authenticated by the authentication system 200.

In addition, the terminal one-time information generated by the digital system 100 may be generated based on information (e.g., terminal identification information, time information, an arbitrary value, etc.) irrelevant to the payment financial information. That is, as described in the device one-time information, the terminal's one-time information may be information that is irrelevant to the settlement financial information or information generated from irrelevant information. Therefore, there is no risk that the settlement financial information will be leaked even if the terminal one-time information and the terminal one-time information generation algorithm leak.

In addition, since the confirmation signal transmitted to the authentication system 200 by the digital system 100 may include only information (e.g., device identification information, terminal identification information, etc.) independent of the settlement financial information, The security of the authentication method according to the technical idea of the invention can be enhanced.

The device one-time information generated by the user device 300 may also be generated by the user device 300 only when the digital system 100 and the user device 300 communicate with each other. For example, when the user device 300 is a smart card such as a payment card or an electronic ID card, the smart card is not provided with power independently, so that communication with the digital system 100 must be performed to generate the device one- Of course. Also, even when the user device 300 is powered on and can generate device one-time information by itself, the user device 300 may be configured to generate the device one-time information only when communication with the digital system 100 is performed . Of course, in this case, software for implementing the technical idea of the present invention may also be installed in the user device 300. In addition, the user device 300 may generate the device one-time information only when communication with the digital system 100 set in advance is performed. It is needless to say that information about the digital system 100 forming a pair with the user device 300 may be registered in the user device 300 in advance.

In any case, the confirmation signal transmitted by the digital system 100 to the authentication system 200 may include the device one-time information and / or the terminal one-time information, and the confirmation signal may be transmitted to the digital system 100 It is preferable that the user device 300 can be output from the digital system 100 to the authentication system 200 only when communication is performed. Therefore, even if either of the device one-time information or the terminal one-time information is included in the confirmation signal, it is effective that the user is owned by another device (that is, the digital system 100 or the user device 300) .

The authentication system 200 may perform an authentication confirmation procedure for authenticating the device one-time information and / or the terminal one-time information included in the confirmation signal.

The authentication procedure includes a one-time information authentication procedure for authenticating terminal one-time information generated by the digital system 100 and / or device one-time information generated by the user apparatus 300. [ Whereby the legitimacy of the digital system 100 and / or the user device 300 can be authenticated. Meanwhile, the one-time information authentication procedure may be more strictly called the software (i.e., software for generating the terminal one-time information) installed in the digital system 100 and / or the one-time information generating device (E.g., an IC chip of a smart card, etc.) or software (e.g., software installed in the user device 300 that is a separate mobile phone and generating device one-time information, an applet installed on a smart card, etc.) .

Software installed in the digital system 100 or the user device 300 may be installed only in the digital system 100 or the user device 300 authenticated as a legitimate user's device. In this case, if the validity of the software is authenticated, the digital system 100 is also automatically authenticated.

However, since the software may be leaked or the software may be forged or falsified by attack, the authentication procedure according to the technical idea of the present invention may be performed by authenticating the hardware of the digital system 100 and / And may further include procedures. The authentication procedure of the digital system 100 and / or the hardware of the user device 300 may be performed by the authentication system 200 using the terminal identification information of the digital system 100 and / It may be a procedure of confirming the identification information and judging whether the terminal identification information and / or the device identification information is successful according to whether it corresponds to the information registered in advance in the authentication system 200.

As a result, when the hardware authentication procedure is additionally performed, the security of the authentication method according to the technical idea of the present invention can be further enhanced. Even if the user possessing the digital system 100 does not have the user device 300 registered in the authentication system 200 or holds the user device 300, If the digital system 100 registered in advance in the terminal 200 is not possessed, the authentication of the user is prevented from being successful.

The procedure for authenticating the device identification information according to an embodiment may be performed by the digital system 100. [ Or the procedure for authenticating the terminal identification information may be performed by the user device 300. [ That is, in the digital system 100, the identification information of the user apparatus 300 that can be used for the authentication operation is stored in advance, or the digital system 100 (which can be used for the authentication operation in advance) The digital system 100 or the user device 300 may determine whether the device communicating with the digital device 100 is a device registered in advance by the authentication system 200, There is an effect similar to that the identification information and / or the terminal identification information is authenticated. However, since the digital system 100 and / or the user device 300 may be at a greater risk of being falsified than the authentication system 200, the authentication system 200 may use the device identification information and / Or it may be desirable that the terminal identification information be authenticated.

The authentication procedure performed by the authentication system 200 may further include a pair authentication procedure for authenticating whether the digital system 100 and the user device 300 are a pair. That is, the digital system 100 and the user device 300 may be paired in advance, and only when the two devices forming the pair perform the communication, the authentication system 200 determines that authentication is successful . In this way, the authentication confirmation procedure may be successful in which the two devices used in the authentication confirmation action (that is, the communication between the digital system 100 and the user device 300) for confirming the authentication request by the user is a pair. In this case, if the digital system 100 and the user device 300 are both registered by the authentication system 200, even if they are not paired with each other, the authentication confirmation process may not be successfully processed, It is possible to have a synergistic effect. Whether the two devices (digital system 100 and user device 300) used for authentication verification are a pair may be authenticated by the authentication system 200, but may also be authenticated by the digital system 100 have. That is, the digital system 100 can communicate with the digital system 100 only when it communicates with the user device 300, which is set to pair with the digital system 100 in advance. To this end, the digital system 100 may have previously stored information (e.g., device identification information) about the user device 300 that is paired with the digital system 100 in advance.

Meanwhile, the authentication request may be transmitted to the authentication system 200 before the authentication signal is transmitted to the authentication system 200. For example, the authentication request may be an authentication request transmitted from the predetermined data processing apparatus 400 to the authentication system 200. The data processing apparatus 400 is a device which is used by a user of the digital system 100 and is a separate device from the digital system 100 and is connected to the authentication system 200 to request authentication, Mobile terminal, set-top box, IPTV, and the like. For example, a user may input identification information (e.g., a telephone number) of his or her digital system 100 through the data processing apparatus 400 to perform an authentication request.

According to an embodiment, the data processing apparatus 400 or the digital system 100 may make an authentication request to a predetermined service system 500. The service system 500 may transmit a predetermined service (for example, a request for authentication) to the authentication requesting device (for example, the data processing device 400 or the digital system 100) upon successful authentication of the user according to the technical idea of the present invention. Login, financial transaction, confirmation of specific information, certificate issuance, purchase of goods or services, payment, etc.). A user may access the service system 500 through the data processing apparatus 400 or the digital system 100 and the service system 500 may be connected to the service system 500 in order to perform the service provided by the service system 500. [ And may request the data processing apparatus 400 or the digital system 100 to authenticate the user. In this case, the service system 500 allows the data processing apparatus 400 or the digital system 100 to access the authentication system 200 (for example, a web page or a UI provided by the authentication system 200) The data processing apparatus 400 or the digital system 100 may be controlled to receive the authentication from the authentication system 200 through the data processing apparatus 400 or the digital system 100 have. The data processing apparatus 400 or the digital system 100 may transmit the authentication request to the authentication system 200 by inputting information necessary for the authentication request (for example, identification information of the digital system 100) As shown in FIG.

Of course, in some implementations, the service system 500 may receive an authentication request from the data processing apparatus 400 or the digital system 100 and send the received authentication request to the authentication system 200 . That is, the service system 500 may mediate the authentication process according to the technical idea of the present invention. The fact that the data processing apparatus 400 or the digital system 100 transmits predetermined information or signals to the authentication system 200 is transmitted to the authentication system 200 through the service system 500 And the like. Of course, even when the authentication system 200 transmits predetermined information or signals to the data processing apparatus 400 or the digital system 100, the authentication system 200 may include the case of being transmitted through the service system 500 . ≪ / RTI >

Although the authentication system 200 and the service system 500 are implemented as separate physical devices in FIG. 1, the authentication system 200 may be included in the service system 500 . In other words, since the predetermined software that implements the function of the authentication system 200 is installed in the service system 500, the authentication according to the technical idea of the present invention may be performed.

According to one embodiment, the authentication of the user according to the technical idea of the present invention may be performed for settlement. In this case, the data processing apparatus 400 may be a predetermined merchant terminal (a POS device installed in a store, a mobile merchant terminal, or the like). In this case, the user or the merchant can transmit the authentication request to the authentication system 200 by inputting identification information (e.g., telephone number) of the digital system 100 of the user to the merchant terminal. In some cases, the user may notify identification information of his or her digital system 100 to a merchant site to perform payment at a remote site. Then, the merchant may transmit the authentication request to the authentication system 200 by inputting the identification information using the data processing apparatus 400, that is, a computer used at the merchant, or an affiliate terminal. If the authentication is successful by the authentication system 200, the payment requested by the data processing apparatus 400 may be finally approved. At this time, the service system 500 may be a predetermined card company system (or a financial institution system that performs card settlement). Also, the authentication request and the payment request need not be separated and performed. That is, the authentication request according to the embodiment of the present invention may be performed simultaneously with a predetermined service request (for example, payment, etc.). In this case, identification information of the digital system 100 for the authentication request Of course. Such an example will be described in detail later with reference to FIGS. 4 and 5. FIG.

According to another embodiment, the authentication request may be output by the digital system 100 and transmitted to the authentication system 200 together with the acknowledgment signal or separately from the acknowledgment signal. Such an example will be described with reference to FIG.

When the authentication request is received and an acknowledgment signal is received from the digital system 100, the authentication system 200 performs an authentication check procedure as described above based on the received acknowledgment signal. If the authentication is successful, Can successfully process the authentication of the data processing apparatus 400 or the digital system 100. The service system 500 may then provide the data processing device 400 or a predetermined service requested by the digital system 100. Needless to say, another authentication of the user (for example, authentication using the authorized certificate, etc.) may be required after the authentication of the user according to the technical idea of the present invention succeeds.

When an authentication check operation is performed by the user, the digital system 100 may output an acknowledgment signal to the authentication system 200. The acknowledgment signal may include not only the device one-time information and / The device identification information of the user device 300 and / or the terminal identification information of the digital system 100 may be further included so that the user device 300 and / or the hardware of the digital system 100, as described above, Authentication can be performed as described above.

The terminal identification information may include identification information (e.g., identification information of a USIM, IMSI, IMEI, MAC) of the digital system 100 (hardware included in the digital system 100 Address, etc.). When the terminal identification information is included, the authentication system 200 can determine that the authentication check procedure is successful only when the terminal identification information is registered in advance. Therefore, if the confirmation signal is not received through the digital system 100, which is a pre-registered terminal, even if the confirmation signal is transmitted to the authentication system 200 by a predetermined device, Therefore, there is an effect that a predetermined service may not be provided to the user. That is, it is possible to designate a digital system, thereby blocking unauthorized service requests through other terminals. Further, since an authentication confirmation action (payment authentication action) can be performed only through the designated digital system, there is an effect that smearing or manned middle attack can be prevented.

Meanwhile, the terminal one-time information generated by the digital system 100 or the device one-time information generated by the user apparatus 300 is displayed by the digital system 100, and the user inputs the terminal one- , The inputted terminal's one-time information may be included in the confirmation signal.

However, according to the embodiment of the present invention, the terminal may be automatically included in the confirmation signal without displaying the one-time information or device one-time information and inputting by the user, thereby providing convenience of the authentication operation by the user. In addition, since there is no process of inputting terminal one-time information or device one-time information by the user, the risk of leakage of information through key logging or the like may be lowered. Of course, in such a case, the non-repudiation of the user may cause the user to input the user authentication information (e.g., PIN) of the user device 300 and to authenticate the user by the authentication system 200 And ultimately by ensuring that the authentication procedure is successful.

The authentication system 200 includes all systems participating in receiving an authentication request, communicating with the digital system 100 and / or the data processing apparatus 400, or in deciding whether to grant an authentication request Can be defined as meaning. Of course, the authentication system 200 does not mean only one physical device, but may be a system that is organically coupled to a plurality of devices or systems to implement the technical idea of the present invention. For example, the authentication system 200 may receive the authentication request directly from the digital system 100 or the data processing apparatus 400, or may receive the authentication request via the service system 500 as described above have.

For example, in the case of a payment service, the authentication system 200 can directly transmit a settlement request (the settlement request is an authentication request) from the data processing apparatus 400, for example, a user's computer, an affiliate store terminal Or may receive a payment request (authentication request) via the service system (e.g., web server 500 that provides an online marketplace). In this case, the authentication system 200 may be a credit card company system that can settle the settlement request (authentication request) using the previously registered credit card information (the credit card company system in the present invention is not only an independent card company system, (Meaning that it includes all financial institution systems (not shown) that perform card settlement). Also, according to an embodiment, a VAN system, a PG, or the like, which is connected to the card company system through a network and mediates a payment process, may be further included in the authentication system 200. [

Hereinafter, the process of authenticating the user according to the technical idea of the present invention will be described in more detail. Hereinafter, for convenience of explanation, the digital system 100 is implemented as a mobile phone, and the identification information of the digital system 100 is a mobile phone number of the mobile phone. However, The scope of rights is not limited thereto.

2 shows a schematic configuration of a digital system according to an embodiment of the present invention.

Referring to FIG. 2, the digital system 100 includes a control module 110, a user equipment communication module 120, and a communication module 140. When the digital system 100 is implemented to generate terminal one-time information, the digital system 100 may further include a terminal one-time information generation module 130. [

Herein, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

The control module 110 may control the other components included in the digital system 100 such as the user device communication module 120, the terminal one-time information generation module 130, and / or the communication module 140 Functions and / or resources.

The user equipment communication module 120 may communicate with the user equipment 300. [ The communication may be contact or non-contact communication as described above. According to an example, the communication may be a contactless short range wireless communication (e.g., NFC communication). When the communication is the NFC communication, the user can be authenticated by simply tagging the digital system 100 and the user device 300, so that the user's convenience can be enhanced. The NFC communication can be performed without removing the user device 300 even in the case of being in a wallet or a bag, so that the convenience of authentication can be enhanced. The user equipment communication module 120 may be implemented by, for example, an NFC chip or a module provided in the digital system 100. In addition, it is a matter of course that the embodiment of the user equipment communication module 120 may be varied according to the embodiment of the communication performed by the digital system 100 and the user equipment 300.

The control module 110 may generate or transmit an acknowledgment signal according to the technical idea of the present invention.

The communication module 140 may communicate with the authentication system 200. And may perform communication with the data processing apparatus 400 according to an embodiment.

The control module 110 may communicate with the user device 300 through the user device communication module 120. Also, it may receive device one-time information and / or device identification information from the user device 300 according to an embodiment.

The terminal one-time information generation module 130 may generate terminal one-time information. The terminal one-time information generation module 130 may generate the terminal one-time information based on the device identification information of the user device 300 as described above. At this time, the device identification information may be information independent of the settlement financial information. For example, when the user device 300 is a payment card, the payment financial information (e.g., a card number) of the payment card may be the device identification information. However, according to the technical idea of the present invention, (For example, UID, etc.) irrelevant to the settlement financial information may be used as the device identification information. Of course, it is also possible to separately generate the terminal one-time information without using the device identification information as a key or a seed value.

Then, the control module 110 generates an acknowledgment signal including device one-time information and / or terminal one-time information received from the user device 300, and controls the communication module 140 to generate a confirmation signal, To the authentication system 200.

The control module 110 may further include device identification information of the user device 300 obtained through the user device communication module 120 according to an embodiment. Also, the control module 110 may further include terminal identification information of the digital system 100. Or may include an authentication request in the acknowledgment signal. Alternatively, the confirmation signal may include an authentication signal indicating an authentication result using the user authentication information. It should be understood that the acknowledgment signal is not limited to one information or a continuously transmitted signal, and the acknowledgment signal may be transmitted to the authentication system 200 discontinuously in a plurality of times according to an embodiment.

Then, the authentication system 200 can perform an authentication check procedure based on the confirmation signal including the device one-time information and / or the terminal one-time information. If the authentication confirmation process is successful, the authentication system 200 can process the authentication request for the device that issued the authentication request as successful. For example, if the authentication confirmation process is successful, the authentication system 200 may transmit an authentication result indicating that the authentication of the user is successful to the data processing apparatus 400, the digital system 100, and / or the service system 500 Lt; / RTI >

If the confirmation signal further includes the device identification information, the authentication system 200 can authenticate the user device 300 based on the device identification information. Also, when the confirmation signal further includes the terminal identification information, the authentication system 200 can determine whether the digital system 100 is a terminal previously registered based on the terminal identification information.

According to an exemplary embodiment, the settlement financial information of the user equipment (e.g., the payment card 300) may be further included in the confirmation signal as the device identification information. That is, in this case, the user device 300 may be a payment card (i.e., an IC card). The authentication system 200 can authenticate the user device 300 based on the settlement financial information when the settlement financial information is further included in the confirmation signal. However, even if the confirmation signal includes the terminal one-time information, there is a risk that the settlement financial information may be leaked when the settlement financial information is included, and the discharged settlement financial information may be abused. Therefore, when the confirmation signal further includes the settlement financial information of the user equipment, the authentication system 200 determines whether the digital system 100 is a terminal registered in advance, based on the terminal identification information, May be desirable. Of course, the device identification information may be selected as the identification information of the user device 300, which is not related to the payment financial information, as described above.

Meanwhile, the communication module 140 may receive predetermined authentication action request information from the authentication system 200 or from the data processing apparatus 400. [ The authentication action request information may include information for requesting a user to perform an authentication operation, that is, to communicate the digital system 100 and the user device 300. [ Of course, only the signal indicating that the authentication request has been performed in the data processing apparatus 400 or the digital system 100 may be included in the authentication action request information.

The authentication action request information may be displayed on a display device (not shown) included in the digital system 100. The user can confirm the authentication action request information and perform authentication by requesting the digital system 100 and the user device 300 by tagging.

The communication module 140 may receive the authentication action request information from the authentication system 200 or may receive the authentication action request information from the data processing device 400. Such an example will be described later with reference to Figs.

Meanwhile, the control module 110 may determine whether the user device 300 is a device forming a pair with the digital system 100. And transmit the confirmation signal to the authentication system 200 only when the user device 300 is a device forming a pair with the digital system 100. [ Of course, the procedure for authenticating such a pair may be performed by the authentication system 200 as described above.

Also, the control module 110 requests predetermined user authentication information (e.g., PIN) before or after performing communication with the user device 300, and when the user authentication information is transmitted to the user device 300 (e.g., It is possible to generate the terminal one-time information only when it corresponds to the authentication information (for example, PIN information) of the IC card for payment) or transmit the confirmation signal including the device one-time information acquired from the user apparatus 300. [ It is possible to prevent the non-repudiation even if the user does not perform the process of checking the device one-time information or the terminal one-time information and directly inputting the device one-time information to the digital system 100 through the user authentication information.

If the user authentication using the user authentication information is not performed, the digital system may not transmit the confirmation signal to the authentication system 200. For example, the digital system 100 may receive the user authentication information in advance before communicating with the user device 300. Or may receive the user authentication information from the user after the communication is performed. If the user authentication information does not correspond to the information set in the user device 300 in advance, the confirmation signal may not be transmitted. According to an embodiment, the user authentication using the user authentication information may be performed by the digital system 100 after the confirmation signal is transmitted. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication using the user authentication information to the authentication system 200 after transmitting the confirmation signal. Then, the authentication system 200 receiving the authentication signal may finally determine the success or failure of the authentication confirmation procedure.

Or the digital system 100 transmits the user authentication information received from the user to the authentication system 200 and determines whether the user authentication information corresponds to the user device 300 by the authentication system 200 .

3 shows a schematic configuration of an authentication system according to an embodiment of the present invention.

3, an authentication system 200 according to an exemplary embodiment of the present invention includes a control unit 210, a communication unit 220, and an authentication unit 230. The authentication system 200 may further include a DB 240.

The configuration of the control unit 210, the communication unit 220, the authentication unit 230, and the DB 240 included in the authentication system 200 includes hardware for performing the technical idea of the present invention, And the functional and structural combination of the software. For example, each of the above configurations may refer to a logical unit of a predetermined code and a hardware resource for executing the predetermined code, and may be a code physically connected to one another or a specific type of hardware May be easily deduced to the average expert in the field of the present invention. Thus, each of the above configurations refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

Also, the authentication system 200 does not mean any physical device. That is, an average expert in the technical field of the present invention can easily deduce that the authentication system 200 can be implemented by organically combining different physical devices through a network.

The authentication system 200 may be included in the service system 500 or may be implemented in a system separate from the service system 500. In addition, the operating system of the authentication system 200 and the service system 500 may be the same or different.

The control unit 331 can control functions and / or resources of other components included in the authentication system 200 (e.g., the communication unit 220, the authentication unit 230, and the DB 240) .

The communication unit 220 may perform communication with the digital system 100. In particular, the communication unit 220 may receive an acknowledgment signal from the digital system 100.

The authentication unit 230 may perform an authentication procedure based on the confirmation signal including the one-time information. The one-time information may include device one-time information and / or terminal one-time information. The authentication process includes authentication using the device identification information, authentication using the terminal identification information, and authentication of the user using the two devices, that is, the digital system 100, And authentication of the user authentication information set in the user device 300 and authentication of the user authentication information set in the user device 300, as described above.

When the one-time information includes the device one-time information, authentication using the device identification information may not be selectively included in the authentication confirmation procedure. If the one-time information includes terminal one-time information, The used authentication may optionally not be included in the authentication procedure. Of course, even if the one-time information includes the device one-time information or the one-time information includes terminal one-time information, the authentication using the device identification information and / or the authentication using the terminal identification information may be performed by the authentication unit 230 And in this case, the one-time information is to authenticate a specific device or software that generates the one-time information, whereas the authentication using the device identification information and / or the terminal identification information may be to authenticate the other hardware. Therefore, even if the device one-time information is authenticated by the authentication unit 230, there is a benefit even if the authentication using the device identification information is separately performed. Similarly, even if the terminal one-time information is authenticated by the authentication unit 230, authentication may be performed using the terminal identification information separately.

If the authentication unit 230 has succeeded in the authentication process, the control unit 210 can successfully process the authentication request that is already received or the authentication request included in the confirmation signal. The control unit 210 may send a signal indicating the authentication result to the service system 500 for success processing.

As described above, the DB 240 may store device identification information of the user device 300, terminal identification information of the digital system 100, and the like according to the technical idea of the present invention in advance. Information on pair formation of the digital system 100 and the user apparatus 300, that is, information on which digital system 100 and which user apparatus 300 are formed in pairs, that is, pair setting information, Can be.

The communication unit 220 may receive an authentication request from the data processing apparatus 400 or the digital system 100. Needless to say, the authentication request may include identification information (e.g., telephone number) of the digital system 100. Then, the control unit 210 may transmit authentication action request information to the digital system 100 or the data processing apparatus 400 through the communication unit 220. [ The user can confirm the authentication action request information and communicate the digital system 100 and the user device 300. [ Then, the communication unit 220 can receive an acknowledgment signal output from the digital system 100.

Then, the authentication unit 230 may perform the authentication procedure.

For this, the authentication unit 230 may generate server one-time information corresponding to the digital system 100 or the user device 300. [ Of course, it is also possible to generate server one-time information corresponding to the digital system 100 and server one-time information corresponding to the user apparatus 300, respectively. For this purpose, the authentication unit 230 may provide at least one key (or seed) for generating one-time information for each digital system 100 and / or for each user device 300, (Or algorithm) to share with the user device 100 and / or with each user device 300, or to obtain the at least one key. Of course, a function or algorithm for generating the server one-time information is also the same as the function or algorithm in which the digital system 100 or the user device 300 generates the terminal one-time information or the device 300 one-time information can do.

When the authentication unit 230 generates server one-time information, the authentication unit 230 authenticates the digital system 100 by determining whether the generated server one-time information corresponds to the one-time information included in the confirmation signal An authentication procedure can be performed. It is noted that there are various embodiments of at least one key and one-time information generation algorithm for the digital system 100, the user device 300, and the authentication unit 230 to generate one-time information, respectively, The average expert of the.

Meanwhile, when the terminal identification information is included in the confirmation signal, the authentication unit 230 determines whether the terminal identification information corresponds to the information registered in advance in the DB 240, It can be judged that the procedure is successful.

The authentication unit 230 determines whether the digital system 100 and the user device 300 form a pair with each other based on information previously registered in the DB 240, The digital system 100 and the user device 300 form a pair to determine that the authentication confirmation procedure is successful.

When the user authentication information (for example, the PIN information of the payment card, etc.) of the user device 300 is received from the digital system 100, the authentication unit 230 transmits the user authentication information to the DB 240) to determine that the authentication check procedure is successful. Or may determine whether the authentication procedure is successful based on the authentication signal received from the digital system 100. [

FIG. 4 shows a schematic data flow of a user authentication method using a user apparatus according to an embodiment of the present invention.

4 illustrates an example in which an authentication request is made via the digital system 100. Referring to FIG. 4, the digital system 100 may send a predetermined authentication request to the authentication system 200 (S100 ). The authentication request is received through the communication unit 220 of the authentication system 200 and the control unit 210 may transmit the authentication action request information to the communication module 140 of the digital system 100 ).

After confirming the authentication action request information, the user can communicate with the digital system 100 and the user device 300 (S120). Then, the user device 300 may generate device one-time information (S130). In this case, the digital system 100 may acquire the device one-time information, and may further acquire the identification information of the user device 300 according to an embodiment (S140).

Of course, the digital system 100 may generate terminal one-time information (S130-1). The control module 110 of the digital system 100 may control the terminal to generate the one-time information only when the communication is performed. In some cases, the terminal may generate the one-time information before the communication is performed (S130-1).

Then, the digital system 100 may transmit at least one of the terminal's one-time information or the device one-time information to the authentication system 200 (S150). Of course, the device identification information or the terminal identification information of the digital system 100 may be further included in the confirmation signal.

According to an embodiment of the present invention, the control module 110 of the digital system 100 does not include the settlement financial information of the settlement card in the confirmation signal even when the user device 300 is a settlement card It is possible. That is, the settlement financial information is not distributed through the network, thereby enhancing the security.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S160). If the authentication verification process is successful, the authentication system 200 may transmit the authentication result, that is, the authentication of the user, to the digital system 100 (S170). Of course, if the digital system 100 accesses a predetermined service system 500 and then transmits the authentication request to the authentication system 200, the authentication system 200 transmits the authentication result to the service system 500 500).

As described above, the authentication system 200 determines whether the device identification information corresponds to previously registered information, whether the terminal identification information corresponds to previously registered information, and / or whether the digital system 100 and / It is of course also possible to determine the success or failure of the authentication procedure based further on whether the user device 300 forms a pair.

FIG. 5 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

5, the data processing apparatus 400 receives an authentication request by inputting identification information of the digital system 100, and transmits the authentication request to the data processing apparatus 400. [ To the authentication system 200 (S200).

The data processing apparatus 400 may be a computer or the like used by the user of the digital system 100. [ For example, the user can request an authentication online (S200) through a computer or the like, and in response, the authentication system 200 can transmit authentication action request information to the computer (S210-1). The user can perform an authentication confirmation operation to confirm the authentication action request information displayed on the computer and to communicate the digital system 100 and the user device 300 in operation S220. According to an embodiment, the authentication system 200 may transmit authentication action request information to the digital system 100 (S210). Then, the user can perform the authentication verification operation in response to this (S220).

According to another embodiment, the data processing apparatus 400 may be an affiliate terminal. That is, the user may want to perform settlement. In this case, the authentication request may be a payment request. The user can notify the merchant in the off-line store of the identification information of his / her digital system 100 or can input the identification information himself / herself. Alternatively, at a remote location, the user may request the merchant to perform a payment (authentication) request for a predetermined payment through telephone, messaging, or e-mail. Then, an authentication (payment) request may be transmitted to the authentication system 200 by inputting the identification information of the digital system 100 to the merchant terminal (S200). At this time, the authentication action request information may also be transmitted to the merchant terminal and / or the digital system 100 (S200, S200-1). In response, the user can communicate an authentication check, that is, the digital system 100 and the user device 300 (S220).

The digital system 100 may then obtain the device one-time information generated by the user device 300 (S230, S240). And may further acquire device identification information of the user device 300 according to an embodiment. Also, the digital system 100 may generate terminal one-time information (S230-1).

The digital system 100 may include at least the terminal one-time information or the device one-time information in the authentication system 200, and may further include the device identification information or the terminal identification information of the digital system 100, (S250). Of course, the device identification information may include settlement financial information of the settlement card. In order to increase the security, the settlement financial information may be transmitted to the user system 300 even if the digital system 100 obtains the confirmation signal .

According to an embodiment, the digital system 100 may acquire only the device identification information without acquiring the device one-time information of the user device 300, or simply acquire the device identification information of the user device 300 . In this case, the digital system 100 preferably generates the terminal one-time information. This is because, according to the technical idea of the present invention, it is preferable that at least one of the user equipment 300 and the terminal one-time information of the digital system 100 is included in the confirmation information.

Then, the authentication system 200 may perform an authentication procedure based on the confirmation signal (S260). Then, the authentication result may be transmitted to the digital system 100 (S270). Or may be transmitted to the data processing apparatus 400 (S270-1). Of course, the authentication result may be transmitted to the service system 500.

Meanwhile, the authentication request according to the embodiment of the present invention may be performed by a person other than the user of the digital system 100. For example, an authentication requester other than the user (that is, a person who performs authentication confirmation) such as a family member, a relative or an acquaintance of the user inputs the identification information of the user to the data processing apparatus 400, (200).

For example, if the authentication requestor, who is an acquaintance of the user, should log in to the user's web account, receive a certificate on behalf of the user, or require payment by a third party, the service system 500 There may be cases. In this case, conventionally, it is not easy to inform the authentication requestor of information (for example, login information, authorized certificate password, etc.) for authentication or to implement it. However, according to the technical idea of the present invention, the authentication request and the authentication confirmation operation can be performed in a spatially separated state, and since the authentication requestor does not need to perform the authentication confirmation operation, have.

Also, in the case of a payment service, when the authentication requester faces the identification information of the user or remotely notifies the affiliation shop side, the affiliate shop sends an authentication request (that is, a payment request ) To the authentication system (200). Of course, at this time, information on the authentication requester (for example, a name of a payment requester, a telephone number, etc.) may be further included, and information on the payment requester may be included in the authentication action request information.

In this case, the authentication system 200 may transmit authentication action request information to the digital system 100 of the user, and the authentication confirmation action as described above may be performed by the user. Then, if an authentication confirmation procedure is performed by the authentication system 200 and the authentication confirmation procedure is successful, the authentication (payment) result can be transmitted to the data processing apparatus 400 and the digital system 100.

According to another embodiment, an authentication requestor that is not a user inputs identification information of the digital system 100 to the data processing apparatus (e.g., a computer, a mobile terminal of an authentication requestor, etc.) 400, The franchisee can input the identification information of the digital system 100 to the data processing device (for example, the franchisee terminal 400) when the identification information of the user is presented face to face or remotely. Then, the data processing apparatus 400 may transmit authentication action request information (that is, payment related information including payment details, etc.) to the digital system 100. Of course, in order to achieve this, predetermined software may be installed in the data processing apparatus 400 to implement the technical idea of the present invention.

The authentication action request information may include information on the merchant, payment details, and / or information on the payment requester. If the user confirms the authentication action request information and wishes to settle the payment request corresponding to the authentication action request information, the user can perform the authentication check as described above. The digital system 100 may then send an acknowledgment signal as described above to the authentication system 200. At this time, the confirmation signal may further include not only the one-time information on the terminal and / or the one-time information on the terminal but also information necessary for a payment request (for example, information on an affiliate shop, payment details, etc.). That is, the confirmation signal may further include an authentication (settlement) request to be transmitted to the authentication system 200.

The authentication system 200 may then perform an authentication procedure based on the acknowledgment signal. The authentication system 200 can transmit the authentication result to the data processing apparatus 400 and / or the digital system 100. [0050] FIG. Of course, in the case of payment, if the authentication confirmation procedure is successful, the authentication system 200 or the service system 500 determines whether or not the payment is approved and transmits the payment result to the data processing apparatus 400 and / (100).

As a result, according to the technical idea of the present invention, it is possible to provide a solution with high security, which is very easy to perform authentication on behalf of a third party authentication requestor.

4 and 5, according to the present invention, only the identification information of the digital system 100 is required for an authentication request, so there is an ease of requesting an authentication. In order to perform an authentication check, (E.g., tagging) the system 100 and the user device 300 of the user. As mentioned above, although the authentication request is easy and the authentication is easy, the security can be very high as described above. Also, as shown in FIG. 4 and FIG. 5, the user can easily determine whether the authentication request is allowed even in the two-channel authentication due to the ease of authentication request and the convenience of the payment confirmation operation. Further, Log-in information, authorized certificate password, etc.), and can perform the authentication confirmation operation safely.

FIG. 6 shows a schematic data flow of an authentication method using a user apparatus according to another embodiment of the present invention.

6, when the user notifies or inputs the identification information of his / her digital system 100, the data processing apparatus 400 receives the identification information (S300) To the digital system 100 (S310). It is needless to say that predetermined software for implementing the technical idea of the present invention may be installed in the data processing apparatus 400.

In this case, the authentication action request information may include information necessary for an authentication request (payment request), and if an authentication confirmation action is performed by the user (S320), the terminal's one-time information generated by the digital system 100 and / Or the authentication request (settlement request) may be included in the confirmation signal and transmitted to the authentication system 200 (S320, S330, S330-1, S340) , S350). Of course, the authentication request (payment request) may be transmitted separately from the acknowledgment signal. That is, the authentication request (payment request) may be output to the authentication system 200 separately before or after the confirmation signal is output to the authentication system 200.

Then, the authentication system 200 can perform an authentication procedure based on the confirmation signal (S360). If the authentication confirmation process is successful, the authentication result may be transmitted to the digital system 100 (S380-1). Of course, the data may be transmitted to the data processing apparatus 400 (S380). Or to a given service system 500.

7 is a diagram for explaining a process of an authentication system performing an authentication procedure according to an embodiment of the present invention.

Referring to FIG. 7, a description will be made of a series of processes in which the authentication unit 230 of the authentication system 200 performs an authentication procedure. A signal can be obtained (S410). Then, the authentication unit 230 may generate server one-time information (S411), and then authenticate the one-time information to determine whether the server one-time information and the one-time information and / (S412). If the authentication of the one-time information is successful, it can be determined that the authentication verification process is successful (S460). If the authentication of the one-time information fails, the authentication verification process may be determined to have failed (S450).

The authentication unit 230 may perform only authentication of the one-time information. However, according to an embodiment, authentication of the device identification information (i.e., authentication of the user device 300) (I. E., Authentication of the hardware of the digital system 100), and / or authentication of the pair. In step S460, it is determined that the authentication is successful if all of the certificates are successful.

7, the authentication of the device identification information, the authentication of the terminal identification information, and the authentication of the pair are sequentially performed. However, it is needless to say that the sequence of such authentication can be changed at any time.

For example, if authentication of the one-time information is successful as shown in FIG. 7, the authentication unit 230 may authenticate the user device 300 using the device identification information (S420). If the authentication of the user device 300 is successful, it may determine that the entire authentication procedure has succeeded (S460), and may further perform authentication using the terminal identification information (S430). If the authentication of the user device 300 fails, the authentication unit 230 may determine that the entire authentication procedure has failed (S450).

When the authentication unit 230 further performs the authentication using the terminal identification information at step S430, the authentication unit 230 determines the terminal identification information of the digital system 100 included in the confirmation signal and the terminal identification information of the DB 240, The hardware of the digital system 100 may be authenticated by determining whether the information registered in advance corresponds to the information registered in the digital system 100 (S430). If the hardware of the digital system 100 is successfully authenticated, it may determine that the entire authentication procedure has succeeded (S460), and may further perform authentication of the pair (S430). If the authentication of the hardware of the digital system 100 fails, the authentication unit 230 may determine that the entire authentication procedure has failed (S450).

When the authentication unit 230 further performs the pair authentication (S430), the authentication unit 230 transmits the pair setting information registered in advance in the DB 240, that is, information about the digital system and the user apparatus constituting the pair (Step S440), and confirms whether the digital system 100 and the user device 300 used in the payment confirmation operation are a pair. If the pair authentication is successful, it can be determined that the entire authentication check procedure is successful (S460). Of course, if the pair authentication fails, the authentication unit 230 may determine that the entire authentication verification procedure has failed (S450).

8 is a diagram for explaining a process in which a digital system transmits an acknowledgment signal according to an embodiment of the present invention.

8, a user can input user authentication information (e.g., a PIN of a payment card) of the user device 300 through a predetermined application installed in the digital system 100 to perform an authentication check operation (S500). The digital system 100 may communicate with the user device 300 (S510). Then, the digital system 100 can receive the device identification information of the user device 300 through the communication (S520).

The digital system 100 may perform user authentication to determine whether the user authentication information input from the user through the communication with the user device 300 corresponds to the information set in the user device 300 in operation S530. If the user authentication is successful, the digital system 100 generates an acknowledgment signal including the one-time information and transmits the acknowledgment signal to the authentication system 200 (S550). Of course, if the user authentication fails (S530), the digital system 100 can terminate the process (S560). According to an embodiment, the digital system 100 may perform pair authentication (S540). In step S550, the digital system 100 may generate an acknowledgment signal and transmit the acknowledgment signal in step S550.

In order for the digital system 100 to perform pair authentication, the device identification information of the user device 300 forming a pair with the digital system 100 may be registered in the digital system 100 in advance. According to an embodiment of the present invention, identification information or terminal identification information of the digital system 100 forming a pair with the user device 300 may be stored in the storage device of the user device 300. In this case, the digital system 100 may perform pair authentication by checking the information stored in the storage device.

In any case, if the digital system 100 and the user device 300 are not paired devices, the digital system 100 does not send the acknowledgment signal to the authentication system 200, (S560).

Although FIG. 8 shows an example in which the user authentication is performed before the pair authentication, it is needless to say that the pair authentication may be performed first.

In FIG. 8, the user authentication information (e.g., PIN) of the user device 300 may be input at any time after the confirmation signal is transmitted to the authentication system 200 before the authentication confirmation process is terminated. That is, after the digital system 100 transmits the confirmation signal to the authentication system 200, the digital system 100 may receive user authentication information of the user device 300 from the user and authenticate the user. In this case, the digital system 100 may further transmit a predetermined authentication signal indicating the result of user authentication to the authentication system 200. Then, the control unit 210 included in the authentication system 200 may determine the success or failure of the authentication confirmation process after confirming the authentication signal.

According to an embodiment, the digital system 100 transmits user authentication information to the authentication system 200, and the authentication of the user authentication information may be performed by the authentication system 200. In this case, the digital system 100 may transmit the user authentication information to the authentication system 200 at any time before the payment request is approved by the authentication system 200. For example, the user authentication information may be included in the confirmation signal, and the user authentication information may be transmitted to the authentication system 200 at any time before or after the transmission of the confirmation signal. Then, the authentication unit 230 included in the authentication system 200 can perform the user authentication using the user authentication information of the user device 300 stored in the DB 240. And, if the user authentication is successful, it may be determined that the authentication confirmation process is finally succeeded.

The authentication method using the user apparatus according to the embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a hard disk, a floppy disk, an optical data storage device, and the like in the form of a carrier wave (for example, . In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner. And functional programs, codes, and code segments for implementing the present invention can be easily inferred by programmers skilled in the art to which the present invention pertains.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

Claims (14)

The digital system performing near field wireless communication with a predetermined user apparatus for authenticating the user;
Via the short-range wireless communication, the digital system receives device one-time information generated by the user device and transmits an acknowledgment signal including the device one-time information to an authentication system,
The digital system generates terminal one-time information and transmits an acknowledgment signal including the generated terminal one-time information to an authentication system; And
And an authentication confirmation procedure for checking whether the device one-time information included in the transmitted confirmation signal or the terminal one-time information matches the server one-time information generated by the authentication system,
Characterized in that the authentication request is successfully processed for a predetermined data processing apparatus or the digital system which has output the authentication request to the authentication system or the service system connected to the authentication system by the authentication system, Authentication method using a user device.
The authentication method according to claim 1,
Further comprising the step of the digital system receiving device identification information of the user equipment via the short-range wireless communication,
Wherein the transmitting the confirmation signal to the authentication system comprises:
The digital system further including the device identification information in the confirmation signal and transmitting the identification information to the authentication system,
By the authentication system,
Wherein the authentication confirmation procedure is successful if the user equipment identification information corresponds to information previously registered in the authentication system.
3. The apparatus of claim 2,
IC card for payment,
Wherein the user equipment identification information included in the confirmation signal comprises:
Wherein the authentication information is identification information of the user apparatus irrespective of the payment financial information of the payment IC card.
2. The method of claim 1, wherein transmitting the acknowledgment signal to an authentication system comprises:
The digital system further including terminal identification information of the digital system in the confirmation signal,
By the authentication system,
Wherein the authentication procedure is successful if the terminal identification information corresponds to previously registered information.
The digital system according to claim 1,
Wherein the authentication information includes the device one-time information or the terminal one-time information without displaying the device one-time information or the terminal one-time information, and transmits the authentication information to the authentication system.
The authentication method according to claim 1,
The digital system or the authentication system requesting a user of the digital system for user authentication information corresponding to the user equipment; And
Further comprising the step of transmitting the input user authentication information in response to the request to the digital system or the data processing apparatus to the authentication system,
Wherein the authentication procedure is successful if the user authentication information is further authenticated by the authentication system.
When the digital system performs near field wireless communication with a predetermined user equipment, an authentication system receives an acknowledgment signal from the digital system, the acknowledgment signal includes device one-time information generated by the user equipment or terminal one-time information The method comprising: receiving And
And performing an authentication verification procedure for authenticating the device one-time information or the terminal one-time information based on the confirmation signal received by the authentication system,
If the authentication confirmation procedure in which the device one-time information or the terminal one-time information is authenticated is successful, the authentication system outputs the authentication request to the authentication system or the service system connected to the authentication system, And the authentication request is successfully processed with respect to the authentication request.
8. The authentication method according to claim 7,
Further comprising authenticating the user device by determining whether the user equipment identification information of the user equipment included in the confirmation signal corresponds to information registered in the authentication system,
Wherein the user authentication device determines that the authentication confirmation process is successful if the user device is further authenticated.
8. The authentication method according to claim 7,
Further comprising authenticating the terminal identification information by determining whether the terminal identification information of the digital system included in the confirmation signal corresponds to information previously registered in the authentication system,
And determining that the authentication verification procedure is successful if the terminal identification information is further authenticated.
A computer-readable recording medium recording a program for performing the method according to any one of claims 1 to 9.
In a digital system,
A user equipment communication module for performing short-range wireless communication with the user equipment for authenticating the user of a predetermined authentication request; And
When the short-range wireless communication is performed with the user equipment through the user equipment communication module, an acknowledgment signal includes the device one-time information generated by the user equipment or the terminal one-time information generated by the digital system And a control module for transmitting to the authentication system,
If the authentication confirmation procedure in which the device one-time information or the terminal one-time information is authenticated by the authentication system based on the confirmation signal including the device one-time information or the terminal one-time information transmitted is succeeded by the authentication system, Wherein the authentication request is successfully processed with respect to a predetermined data processing apparatus or a digital data processing apparatus outputting the authentication request to the system or the service system connected to the authentication system.
12. The apparatus of claim 11,
Wherein when the short-range wireless communication is performed, the apparatus identification information of the user apparatus is acquired through the user apparatus communication module and is further included in the confirmation signal,
The terminal identification information of the digital system is further included in the confirmation signal,
Wherein the device identification information or the terminal identification information is authenticated by the authentication system so that the authentication procedure is successful.
12. The apparatus of claim 11,
Wherein the confirmation signal does not include the settlement financial information of the user apparatus and the user apparatus as a settlement IC card.
When the digital system performs near field wireless communication with a predetermined user equipment, an acknowledgment signal output by the digital system, the acknowledgment signal including device one-time information generated by the user equipment or terminal one-time information generated by the digital system - a communication unit for receiving the data;
An authentication unit for performing an authentication check procedure based on the confirmation signal including the device one-time information or the terminal one-time information received; And
If the authentication confirmation procedure in which the device one-time information or the terminal one-time information is authenticated is successful, the authentication system outputs the authentication request to the authentication system or the service system connected to the authentication system, And a control unit for successively processing the authentication request with respect to the authentication request.

Images