KR20160054662A - Efficient Dynamic Group Authentication System - Google Patents

Efficient Dynamic Group Authentication System Download PDF

Info

Publication number
KR20160054662A
Authority
KR
South Korea
Prior art keywords
group
terminal
certificate
server
authentication
Prior art date
Application number
KR1020140153524A
Other languages
Korean (ko)
Inventor
박성철
이종건
김봉기
Original Assignee
주식회사 케이티

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265 ... using certificate chains, trees or paths; Hierarchical trust model
    • H04L9/3268 ... using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a group authentication method for a terminal. In an embodiment, a method for performing dynamic authentication when a terminal belonging to a group frequently moves to a new G / W comprises: a terminal holding a group certificate connecting to a G / W that does not hold the corresponding group certificate; the G / W receiving the corresponding group certificate from the server; verifying, using the newly issued group certificate, that the terminal belongs to the group; when a further terminal belonging to the group attempts to connect to the G / W, the G / W verifying the terminal's group certificate by itself, without interworking between the G / W and the server, and recognizing that the terminal belongs to the group; processing a connection termination request from the terminal; checking whether the connection with the terminal has been disconnected and automatically performing the corresponding interworking processing; and, when no terminal belonging to the group remains at the G / W, notifying the server that the G / W no longer belongs to the group and deleting the corresponding group certificate from the G / W.


Description

[0001] Efficient Dynamic Group Authentication System

The present invention relates to a group authentication method of a terminal.

Machine-to-machine communication (M2M), also called machine type communication (MTC), smart device communication, or machine oriented communication, refers to all communication methods in which communication takes place without a person involved in the process. Recently, oneM2M has been discussing M2M, but there are still no technical elements that meet the architecture and requirements of oneM2M.

In a system such as IoT and M2M, various devices / terminals move and join or depart from various networks or groups. In this case, in order to authenticate a terminal based on a group, an authentication method that reflects the characteristics of group combining of IoT / M2M terminals is required, and thus, the present invention addresses this problem.

In order to solve the above-described problems, an embodiment of the present invention presents a method for performing dynamic authentication when a terminal belonging to a group frequently moves to a new G / W, the method comprising: the terminal connecting to a G / W that does not hold the group certificate; the G / W receiving the group certificate from the server; verifying, using the newly issued group certificate, that the terminal belongs to the group; when a further terminal attempts to connect to the G / W, the G / W verifying the terminal's group certificate by itself, without interworking between the G / W and the server, and acknowledging that the terminal belongs to the group; checking whether the connection with the terminal has been disconnected and automatically performing the corresponding interworking processing; and, when no terminal of the group remains at the G / W, notifying the server that the G / W no longer belongs to that group and deleting the group certificate from the G / W.

In the case of applying the present invention, terminal authentication can be efficiently performed when the terminal moves frequently in a situation where terminals are managed as a group.

When the present invention is applied, if terminals are carried on a mobile object such as a car, a train, a motorcycle, a bicycle, a ship, or an airplane, or if a large number of frequently moving terminals such as smart phones or smart pads are managed, the authentication load can be greatly reduced.

FIG. 1 is a diagram of authenticating a mobile station in a static group authentication scheme.
FIG. 2 is a diagram showing an embodiment of the present invention.
FIG. 3 is a diagram showing an embodiment of the present invention.
FIG. 4 is a view showing an embodiment of the present invention.

Hereinafter, some embodiments of the present invention will be described in detail with reference to exemplary drawings. It should be noted that, in adding reference numerals to the constituent elements of the drawings, the same constituent elements are denoted by the same reference numerals even though they are shown in different drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

In describing the components of the present invention, terms such as first, second, A, B, (a), and (b) may be used. These terms are intended only to distinguish one constituent element from another, and they do not limit the nature, sequence, or order of the constituent elements. When a component is described as being "connected", "coupled", or "linked" to another component, the component may be directly connected or coupled to the other component, or another component may be "connected", "coupled", or "linked" between them.

Embodiments of the present invention will be described with reference to object communication. Object communication is variously called M2M (Machine to Machine communication), MTC (Machine Type Communication), IoT (Internet of Things), Smart Device Communication (SDC), or Machine Oriented Communication. oneM2M has recently raised many technical issues related to object communication. Object communication refers to various forms of communication that take place without a person intervening in the communication process. Its application areas include the energy, enterprise, healthcare, public service, residential, retail, and transportation fields, among others. The present invention covers the above-mentioned fields and is applicable to other fields as well.

IoT group authentication is a technology that authenticates one group at a time for efficient bulk authentication.

Group authentication becomes inefficient when the membership of a group changes frequently or when the members of the group frequently change G / W.

For this case, a dynamic group authentication method that still allows efficient group authentication is proposed. Hereinafter, the present invention proposes an IoT terminal group authentication method.

Until recently, it was uncommon for a large number of terminals to interwork with a single server, and even less common for a terminal to move across multiple G / Ws.

In recent years, IoT has become an issue, and it is assumed that a large number of terminals and sensors are controlled and managed by the server.

In this situation, terminal group authentication technology capable of efficiently managing a large number of sensors in IoT-based building control and smart grids has been discussed.

In the future, it is expected that grouping of mobile devices including smart car and mobile smart phone into SNS, or discussion of personal sensing device group service in the mobile situation will be started soon.

In such a situation where the device group moves frequently and the group information changes frequently, the group authentication based on the fact that the device is fixed is inefficient. To solve this problem, the present invention proposes a dynamic group authentication method.

The static group authentication (existing group authentication) operation flow is as follows.

1. The service server classifies terminals into groups according to policy and generates a group certificate for each group.

2. The service server performs end-to-end authentication with the G / W. At this time, the G / W interworks with the server using the certificate issued to it in advance.

3. The terminal interworks with the G / W using the certificate issued to it in advance.

4. The service server performs end-to-end authentication with the terminal interworking with the G / W. At this time, the terminal interacts with the server with the certificate issued in advance.

5. When the terminal belongs to a group, the service server transmits the group certificate to both the G / W and the terminal over their respective end-to-end links.

6. After that, the terminal encrypts / decrypts the message with the group certificate when interworking with the G / W or the server, and sends / receives the message.

7. The server sends a command for the group to the G / W. The G / W encrypts it with the group certificate and transmits it to all terminals connected to the G / W. Of the terminals receiving the message, only those holding the group certificate can decrypt the message and execute the command.

The purposes / benefits of group authentication are as follows.

Reduce the number of interworking between G / W and server. In the case of IoT, the number of interworking terminals may be very large. When the server cooperates with the terminal 1: 1, the load on the server is large, and the amount of traffic is increased, which causes a heavy load on the network. When many terminals are grouped and the service server is linked in groups, the service server can only issue commands once per group, and the traffic between the server and the G / W can be greatly reduced.

The problems of static group authentication are as follows.

Since the server issues the group certificate directly to the terminal, if terminals frequently join or leave the group, or frequently move across several G / Ws, the load of issuing group certificates and the authentication traffic on the server increase.

Whenever one or more terminals of a group are attached to a G / W, the service server must transmit the group certificate to that G / W.

Therefore, as the terminals of a group spread across multiple G / Ws, the service server must transmit the certificate once per G / W.

FIG. 1 is a diagram for authenticating a mobile station in a static group authentication scheme.

When a terminal of a new group is attached to the G / W, end-to-end authentication is performed between the server and the terminal, and a new group certificate is issued. If the terminal frequently moves to another G / W, the authentication load (server load, traffic) becomes larger because the new terminal authenticates each time it attaches to the new G / W and newly receives the group certificate.

In FIG. 1, the terminal n of group 1 has moved to G / W 2.

G / W 2 does not know of the existence of group 1, so it authenticates with its pre-provisioned certificate, the server and terminal n authenticate anew, and the group 1 certificate is newly issued to G / W 2 and terminal n.

When the number of G / Ws is large relative to the size of the group, the more frequently terminals move between G / Ws, the more often the server must newly authenticate them.

Whenever a terminal attaches to a new G / W, the server frequently newly authenticates the group, checks the group, and newly issues a group certificate. The authentication load of the server and the traffic load for authentication become very large.

In the prior art, when a new terminal attaches to a G / W, the terminal is newly authenticated. In the present invention, however, the existing group certificate can be reused as it is.

Fig. 2 is a diagram showing an embodiment of the present invention.

End-to-end authentication between the server and the terminal is performed only when a new group terminal is attached to the G / W. If the G / W has the certificate of the corresponding group, it approves the access by only G / W-terminal authentication.

FIG. 3 is a diagram showing an embodiment of the present invention.

If all terminals belonging to a group attached to the G / W are disconnected, the G / W informs the server of the release of the group and deletes the certificate of the group.

FIG. 4 is a view showing an embodiment of the present invention.

When the G / W movement pattern of the terminal can be predicted, a group certificate may be issued in advance to the new G / W to which the terminal will move. Then, when the terminal requests to connect to the new G / W, the connection process is fast because the G / W itself decides whether to allow the connection, without interworking with the server. Even when the terminal switches G / W, seamless interworking can be maintained.

In FIG. 4, for a terminal on a car or train travelling along a road, the G / W to be connected next can be predicted from the direction of travel.
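As an added illustration of the G / W-side behaviour in FIGS. 2 to 4, and of its contrast with the static flow listed earlier, the following Python simulation is not part of the patent; it models a group certificate as an opaque HMAC token (an assumption) and counts how often the server is involved under each scheme.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set

SERVER_KEY = b"constructed-server-key"  # constructed; stands in for the server's signing key

def issue_group_cert(group: str) -> bytes:
    # Assumption: an HMAC tag over the group name stands in for the real group certificate.
    return hmac.new(SERVER_KEY, group.encode(), hashlib.sha256).digest()

class Server:
    def __init__(self) -> None:
        self.group_of: Dict[str, str] = {}  # terminal -> group, per policy
        self.issues = 0    # end-to-end authentications that issued a certificate to a G/W
        self.releases = 0  # "no member of this group left" notices received from G/Ws

    def authenticate_and_issue(self, terminal: str, group: str) -> Optional[bytes]:
        # End-to-end authentication: issue only if the terminal really belongs to the group.
        self.issues += 1
        return issue_group_cert(group) if self.group_of.get(terminal) == group else None

    def group_released(self, gateway: str, group: str) -> None:
        self.releases += 1

class Gateway:
    def __init__(self, name: str, server: Server) -> None:
        self.name, self.server = name, server
        self.certs: Dict[str, bytes] = {}       # group -> cached group certificate
        self.members: Dict[str, Set[str]] = {}  # group -> terminals attached here

    def attach(self, terminal: str, group: str, presented: bytes) -> bool:
        cert = self.certs.get(group)
        if cert is None:
            # Fig. 2: first member of this group here, so the server is involved once.
            cert = self.server.authenticate_and_issue(terminal, group)
            if cert is None:
                return False
            self.certs[group] = cert
        # With the certificate cached, the G/W verifies the terminal on its own.
        if not hmac.compare_digest(cert, presented):
            return False
        self.members.setdefault(group, set()).add(terminal)
        return True

    def detach(self, terminal: str, group: str) -> None:
        members = self.members.get(group, set())
        members.discard(terminal)
        if not members:
            # Fig. 3: last member gone, so notify the server and drop the certificate.
            self.members.pop(group, None)
            self.certs.pop(group, None)
            self.server.group_released(self.name, group)

def run_scenario(preprovision: bool) -> dict:
    # Constructed scenario: group1 = {t1, t2, t3}; t1 roams gw1 -> gw2; an unenrolled
    # terminal presents a forged certificate at gw2; gw1 then empties out.
    server = Server()
    server.group_of.update({"t1": "group1", "t2": "group1", "t3": "group1"})
    gw1, gw2 = Gateway("gw1", server), Gateway("gw2", server)
    cert1 = issue_group_cert("group1")  # what group1 terminals hold from enrolment
    if preprovision:
        gw2.certs["group1"] = cert1  # Fig. 4: pushed ahead of the predicted hand-over
    accepted = [gw1.attach(t, "group1", cert1) for t in ("t1", "t2", "t3")]
    gw1.detach("t1", "group1")
    accepted.append(gw2.attach("t1", "group1", cert1))            # roaming member
    accepted.append(gw2.attach("rogue", "group1", b"\x00" * 32))  # forged certificate
    gw1.detach("t2", "group1")
    gw1.detach("t3", "group1")
    return {
        "accepted": accepted,
        "static_server_auths": len(accepted),  # static scheme: every attach goes to the server
        "dynamic_server_auths": server.issues,
        "releases": server.releases,
        "gw1_has_cert": "group1" in gw1.certs,
    }
```

The forged certificate is rejected by gw2 alone, with no server round trip, because the group certificate is already cached there.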

In the case of applying the present invention, terminal authentication can be efficiently performed when the terminal moves frequently in a situation where terminals are managed as a group.

If the terminal is dependent on a mobile object such as a car, a train, a motorcycle, a bicycle, a ship, an airplane, or the like, and manages a large number of terminals that are frequently moving, such as smart phones and smart pads,

The method for performing dynamic authentication when a terminal belonging to a group frequently moves to a new G / W in group authentication comprises: a terminal holding a group certificate connecting to a G / W that does not hold the corresponding group certificate; the G / W receiving the group certificate from the server; verifying, using the newly issued group certificate, whether the terminal belongs to the group; when a further terminal belonging to the group attempts to connect, the G / W verifying the terminal's group certificate by itself, without interworking between the G / W and the server, and recognizing that the terminal belongs to the group; processing a connection termination request from the terminal; checking whether the connection with the terminal has been disconnected and automatically performing the corresponding interworking processing; and, when no terminal belonging to the group remains at the G / W, notifying the server that the G / W no longer belongs to that group and deleting the group certificate from the G / W.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.

Claims (1)

A method for performing dynamic authentication when a terminal belonging to a group frequently moves to a new G / W in group authentication, the method comprising:
connecting a terminal having a group certificate to a G / W having no corresponding group certificate;
the G / W receiving the group certificate from the server;
checking whether the terminal belongs to the group using the newly issued group certificate;
when a new terminal belonging to the group tries to connect to the G / W, the G / W alone verifying the terminal's group certificate, without interworking between the G / W and the server, and acknowledging that the terminal belongs to the group;
processing a connection termination request of the terminal;
checking whether the connection with the terminal has been disconnected, and automatically performing the corresponding interworking processing; and
notifying the server that the G / W no longer belongs to the group when no terminal belonging to the group remains at the G / W, and deleting the corresponding group certificate of the G / W.
KR1020140153524A 2014-11-06 2014-11-06 Efficient Dynamic Group Authentication System KR20160054662A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020140153524A KR20160054662A (en) 2014-11-06 2014-11-06 Efficient Dynamic Group Authentication System

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020140153524A KR20160054662A (en) 2014-11-06 2014-11-06 Efficient Dynamic Group Authentication System

Publications (1)

Publication Number Publication Date
KR20160054662A true KR20160054662A (en) 2016-05-17

Family

ID=56109319

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020140153524A KR20160054662A (en) 2014-11-06 2014-11-06 Efficient Dynamic Group Authentication System

Country Status (1)

Country Link
KR (1) KR20160054662A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017209467A1 (en) * 2016-05-30 2017-12-07 주식회사 알티캐스트 Method and apparatus for providing p2p data security service in iot environment
KR20170135103A (en) * 2016-05-30 2017-12-08 주식회사 알티캐스트 Method and apparatus for Providing Security Service of Peer to Peer Data in Internet of Things
CN111447616A (en) * 2020-03-26 2020-07-24 西南交通大学 Group authentication and key agreement method facing L TE-R mobile relay
CN111447616B (en) * 2020-03-26 2021-04-13 西南交通大学 Group authentication and key agreement method for LTE-R mobile relay

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination