KR20160111798A - Security service apparatus and method based mtm - Google Patents

Security service apparatus and method based mtm Download PDF

Info

Publication number
KR20160111798A
KR20160111798A KR1020150036970A KR20150036970A KR20160111798A KR 20160111798 A KR20160111798 A KR 20160111798A KR 1020150036970 A KR1020150036970 A KR 1020150036970A KR 20150036970 A KR20150036970 A KR 20150036970A KR 20160111798 A KR20160111798 A KR 20160111798A
Authority
KR
South Korea
Prior art keywords
security service
mtm
command
instruction
session
Prior art date
Application number
KR1020150036970A
Other languages
Korean (ko)
Inventor
윤승용
Original Assignee
한국전자통신연구원
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 한국전자통신연구원 filed Critical 한국전자통신연구원
Priority to KR1020150036970A priority Critical patent/KR20160111798A/en
Publication of KR20160111798A publication Critical patent/KR20160111798A/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method of providing a security service based on MTM is disclosed. The MTM-based security service providing method includes: parsing an encrypted command input by executing an application; Authenticating the session connection if there is a session connection attempt by the parsed instruction; Decrypting the encrypted instruction using the session key of the connected session; Determining whether the decoded instruction is an MTM execution instruction or a security service execution instruction; And executing the MTM when the decoded command is determined to be an MTM execution command, and executing the security service if the parsed command is a security service execution command word.

Description

TECHNICAL FIELD [0001] The present invention relates to an MTM-based security service providing apparatus and method,

The present invention relates to a technology for providing security services based on MTM technology.

Recently, the use of banking and payment services in the mobile environment is rapidly increasing. In addition, damage cases are frequently reported. In addition to monetary damages caused by mobile malicious code infections using phishing or smashing, as well as accreditation certificates stored in smartphones and important personal information leakage damage, security vulnerabilities are used. Various research and solutions Is being developed. Mobile Trusted Module (MTM) is also one of the solutions that are installed in mobile devices such as smart phones to protect security devices from hacking and malicious code by eliminating security vulnerabilities. Since software can be easily manipulated and hacked compared to hardware, efforts have been made to enhance security using MTM technology, which provides physical security. Through MTM's integrity measurement process, it is able to guarantee the integrity of the mobile platform (Chain of Trust), the ability to securely store data and keys in the MTM, and the remote assertion between platforms with MTM Providing a more secure and reliable computing environment. MTM has an encryption co-processor, a random number generator, a Sha-1 / Hmac hash engine, and a key generator module, including the MTM execution engine, to provide the above three functions.

The background art of the present invention is disclosed in Korean Patent Laid-Open Publication No. 10-2014-0058196 (May 2014.05.14).

An object of the present invention is to provide an apparatus and method for providing a security service based on MTM.

According to an aspect of the present invention, there is provided a method of providing an MTM-based security service, the method comprising: parsing an encrypted command input by executing an application; Authenticating the session connection if there is a session connection attempt by the parsed instruction; Decrypting the encrypted instruction using the session key of the connected session; Determining whether the decoded instruction is an MTM execution instruction or a security service execution instruction; And executing a MTM when the decoded command is determined to be an MTM execution command, and executing a security service if the parsed command is determined to be a security service execution command.

According to the embodiment of the present invention, it becomes possible to execute the security service based on the MTM.

1 is a block diagram of a security service providing apparatus according to an embodiment of the present invention.
2 is a flowchart of a security service providing method according to an embodiment of the present invention.
3 is a diagram illustrating an extended instruction format for processing a security service instruction according to an embodiment of the present invention.
4 is a diagram illustrating a session table for executing a plurality of security services according to an embodiment of the present invention.
5 is a diagram illustrating a security service command according to an embodiment of the present invention.

While the present invention has been described in connection with certain exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and similarities. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In the following description of the present invention, detailed description of known related arts will be omitted when it is determined that the gist of the present invention may be unnecessarily obscured. In addition, the singular phrases used in the present specification and claims should be interpreted generally to mean "one or more " unless otherwise stated.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, wherein like reference numerals refer to like or corresponding components throughout. .

1 is a block diagram of a security service providing apparatus 100 according to an embodiment of the present invention.

1, the security service providing apparatus 100 includes a message processing module 110, a session management module 120, an event processing module 130, an MTM execution engine 140, a security service execution engine 150, And may include a database 160.

The message processing module 110 parses the encrypted instructions that are input as the user executes the application. Apps the user runs may be banking, billing, authentication, encryption, DRM, and so on.

The session management module 120 authenticates the session connection when there is a session connection request by an encrypted command. Specifically, the session management module 120 connects the sessions through the comparison of the AuthData for user authentication based on the user authentication information and the application integrity information stored in the database 160, and the application integrity comparison for detecting whether the application is falsified / do. The session management module 120 decrypts the encrypted command based on the session key when the session connection is authenticated.

In one embodiment, the session management module 120 may simultaneously support a plurality of sessions so that a plurality of applications can use the MTM-based security service at the same time.

The event processing module 130 determines whether the decoded command corresponds to a security service execution command or an MTM execution command.

The MTM execution engine 140 executes the instruction determined by the MTM execution instruction.

When it is determined that the security service execution engine 150 is a security service execution command, the security service execution engine 150 reads information related to command execution from the database 160 and executes the security service.

In one embodiment, the security service execution engine 150 may read user information, bank accounts, credit card information, authorized certificates, encryption keys, and the like from the database 160.

The database 160 stores user information, application integrity information, information related to security service execution (user information, bank account, credit card information, authorized certificate, encryption key, etc.) necessary for session authentication.

In one embodiment, the database 160 determines the integrity of the application installed at the time of installing the application, and stores the application integrity information.

2 is a flowchart of a security service providing method according to an embodiment of the present invention. Hereinafter, the security service providing method performed by the security service providing apparatus 100 will be described as an example.

In step S210, the security service providing apparatus 100 receives the encrypted command according to the execution of the application and parses the inputted encrypted command.

In step S320, the security service providing apparatus 100 authenticates the session connection when there is a session connection request by the parsed encrypted instruction.

In step S230, if the session connection request does not pass the authentication, the security service providing apparatus 100 generates a session connection failure message.

In step S240, when the session connection request passes the authentication, the security service providing apparatus 100 decrypts the encrypted command based on the session key.

In step S250, the security service providing apparatus 100 determines whether the decrypted command corresponds to a security service command.

In step S260, the security service providing apparatus 100 executes the decrypted command determined as a security service command, and generates an execution result message.

In step S270, the security service providing apparatus 100 determines whether the decoded command corresponds to the MTM execution command.

In step S280, the security service providing apparatus 100 generates a failure message.

In step S290, the security service providing apparatus 100 executes the decoded command determined by the MTM command, and generates a message according to the execution result.

3 is a diagram illustrating an extended instruction format for processing a security service instruction in accordance with an embodiment of the present invention. Referring to FIG. 3, the TPM / MTM command (Type 1) uses fields and values defined in the MTM standard specification, and the SSM command (Type 2) for the security service uses an extension of the header field. In the Tag (2 bytes) field of the header, the request used for the general channel of the security service is defined as 0xEDC1, the response is defined as 0xEDC4, the request used for the secure channel for encrypted communication is 0xEDC2, and the response is defined as 0xEDC5 . In addition, the ssnID field added to the header for supporting multiple sessions for executing a plurality of security services can be used for managing the session.

4 is a diagram illustrating a session table for executing a plurality of security services according to an embodiment of the present invention.

Referring to FIG. 4, the session table includes a Session ID for distinguishing one session from another session, an AuthHandle value automatically provided when the session authentication process passes, and a Session key value for supporting encryption communication over a secure channel.

When the authentication process of the user and the application passes, a dynamically assigned AuthHandle value and a SessionKey value for supporting encrypted communication over the secure channel are generated and registered in the session table.

5 is a diagram illustrating a security service command according to an embodiment of the present invention.

The security service provided by the security service providing apparatus 100 is not limited to the security service command illustrated in FIG. 5, and can be extended by defining a new security service command.

The apparatus and method according to embodiments of the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer readable medium may include program instructions, data files, data structures, and the like, alone or in combination.

Program instructions to be recorded on a computer-readable medium may be those specially designed and constructed for the present invention or may be available to those skilled in the computer software arts. Examples of computer-readable media include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROMs and DVDs; magnetic media such as floppy disks; Includes hardware devices specifically configured to store and execute program instructions such as magneto-optical media and ROM, RAM, flash memory, and the like. The above-mentioned medium may also be a transmission medium such as a light or metal wire, wave guide, etc., including a carrier wave for transmitting a signal designating a program command, a data structure and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like.

Claims (1)

A method for providing an MTM-based security service,
Parsing an encrypted instruction input by the execution of the application;
Authenticating the session connection if there is a session connection attempt by the parsed instruction;
Decrypting the encrypted instruction using the session key of the connected session;
Determining whether the decoded instruction is an MTM execution instruction or a security service execution instruction; And
Executing MTM when the decoded command is determined to be an MTM execution command, and executing a security service if the parsed command is a security service execution command;
The method comprising the steps of:
KR1020150036970A 2015-03-17 2015-03-17 Security service apparatus and method based mtm KR20160111798A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150036970A KR20160111798A (en) 2015-03-17 2015-03-17 Security service apparatus and method based mtm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150036970A KR20160111798A (en) 2015-03-17 2015-03-17 Security service apparatus and method based mtm

Publications (1)

Publication Number Publication Date
KR20160111798A true KR20160111798A (en) 2016-09-27

Family

ID=57100957

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150036970A KR20160111798A (en) 2015-03-17 2015-03-17 Security service apparatus and method based mtm

Country Status (1)

Country Link
KR (1) KR20160111798A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102057005B1 (en) 2019-06-03 2020-01-22 (주)키삭 Bus Information System for people vulnerable to bus ride
KR20230000084A (en) 2021-06-24 2023-01-02 이준성 Boarding Guide

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102057005B1 (en) 2019-06-03 2020-01-22 (주)키삭 Bus Information System for people vulnerable to bus ride
KR20230000084A (en) 2021-06-24 2023-01-02 이준성 Boarding Guide

Similar Documents

Publication Publication Date Title
US11126754B2 (en) Personalized and cryptographically secure access control in operating systems
ES2951585T3 (en) Transaction authentication using a mobile device identifier
WO2020192406A1 (en) Method and apparatus for data storage and verification
CN105144626B (en) The method and apparatus of safety is provided
KR101729960B1 (en) Method and Apparatus for authenticating and managing an application using trusted platform module
CN104794388B (en) application program access protection method and application program access protection device
RU2740298C2 (en) Protection of usage of key store content
US20120137372A1 (en) Apparatus and method for protecting confidential information of mobile terminal
EP4195583A1 (en) Data encryption method and apparatus, data decryption method and apparatus, terminal, and storage medium
US20190012664A1 (en) Method and system for enhancing the security of a transaction
KR20130008939A (en) Apparatus and method for preventing a copy of terminal's unique information in a mobile terminal
CN113704826A (en) Privacy protection-based business risk detection method, device and equipment
KR102071438B1 (en) Payment authentication method and apparatus of mobile terminal and mobile terminal
CN109299944B (en) Data encryption method, system and terminal in transaction process
US11520859B2 (en) Display of protected content using trusted execution environment
KR20160111798A (en) Security service apparatus and method based mtm
KR101388935B1 (en) Two channel based user authentication apparatus and method
CN114816549B (en) Method and system for protecting bootloader and environment variable thereof
CN112507302B (en) Calling party identity authentication method and device based on execution of cryptographic module
Lee et al. Classification and analysis of security techniques for the user terminal area in the internet banking service
US9507955B2 (en) System and method for executing code securely in general purpose computer
KR20100114796A (en) Method of controlling financial transaction by financial transaction device and computing device
CN111046440A (en) Tamper verification method and system for secure area content
JP5847345B1 (en) Information processing apparatus, authentication method, and program
Yoon et al. Mobile security technology for smart devices