KR20160116728A - Password generator, Financial transaction system and method using that password generator - Google Patents
- Publication number
- KR20160116728A
- Authority
- KR
- South Korea
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/02—Banking, e.g. interest calculation or account maintenance
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
Abstract
A financial transaction method is provided for a financial transaction system that includes a database unit storing customer information, a server unique value, and the device serial number of an authentication password generator, and that receives an authentication password from a user terminal to authenticate a financial transaction. The method includes the steps of: the server receiving payment information and an authentication password from the user terminal; the server extracting a random number from the authentication password, extracting a payment account from the payment information, adding the server unique value and the device serial number from the database unit, and generating an authentication password by applying a hash function; comparing the received authentication password with the authentication password generated by the server to determine whether they match; and the server completing payment processing using the payment information if the received authentication password matches the one generated by the server, wherein a value unique to the client is generated and the financial transaction is conducted using the resulting authentication password.
Description
The present invention relates to an authentication password generator that can be used in Internet commerce and Internet banking, and a financial transaction system and method using the same. More particularly, the present invention relates to an authentication password generator for performing financial transactions using a one- And methods.
In general, security is very important in financial transactions such as bank transfer, remittance transaction or credit card loan.
Therefore, various security programs are installed in the user terminal for security, and an official certificate, an account password, a security card, OTP, or the like is used.
However, despite its high security, the existing one-time password is vulnerable to reuse attacks because the password is generated independently of the transaction information.
In particular, with OTP based on time synchronization or event synchronization, a generated value can be reused within its validity period, and related attacks continue to occur.
In addition, due to the nature of OTP technology, the client and the server generate and validate the same value. This makes it possible to achieve the OTP protection of the domestic electronic signature system, which uses only the client's unique value (public key infrastructure) Since it can not be used independently, it could not be used independently.
SUMMARY OF THE INVENTION The present invention is directed to an authentication password generator for performing a financial transaction using a password generated by a client and generating a unique value, and a financial transaction system and method using the same.
The present invention also provides an authentication password generator with enhanced security and a financial transaction system and method using the same.
The present invention also provides an authentication password generator for enhancing security using transaction signing and random number generation techniques, and a financial transaction system and method using the same.
The present invention also provides an authentication password generator for enhancing security without an authorized certificate, and a financial transaction system and method using the same.
According to an aspect of the present invention,
An authentication password generator for generating and displaying an authentication password according to a user operation,
An input unit for receiving information from a user;
A display unit for displaying the authentication password;
A memory for storing a server unique value, a device serial number value, a device secret value, and a customer unique value that the user inputs;
The customer unique value is received from the user through the input unit and stored in the memory, and when a part or all of the account number is input from the input unit, authentication is performed using the server unique value, the device serial number value, And a control unit for generating a password and displaying it on the display unit.
And the control unit generates the authentication password by the following equation.
Here, Rand (x) is a random number function and RA is all or part of the account number.
And the control unit generates the authentication password by the following process.
$$\text{OTP-TR} = n \,\|\, x \,\|\, V(x) \,\|\, \left[ H\big(n \,\|\, x \,\|\, V(x) \,\|\, RA \,\|\, H(\text{server unique value} \,\|\, \text{device serial number value})\big) \right]_{tr}$$
(* $\|$: concatenation, $[H()]_{tr}$: truncation of the hash result value)
$$F(n) = \left[ H(\text{customer unique value} \,\|\, \text{device secret value}) \right]^{(2n-1)}$$
Here, $[H()]^{n}$ means hashing n times. The customer unique value is an arbitrary numerical value inputted by the customer using the keypad of the authentication password generator, and the device secret value is an arbitrary numerical column value generated by the authentication password generator.
In the transaction process, $A(x) = \text{Address\_F}(n)$ and $F(n)$ is 320 bits (when using a 160-bit hashing algorithm such as SHA1).
Here, $0 \le x \le 31$ ($A(x) = 10x + 1$, the first address value of Address_F(n), x++).
$V(x) = \text{Value\_A}(x)$ = 10 bits from $A(x)$
According to an aspect of the present invention, there is provided a financial transaction system comprising:
A financial transaction system for authenticating a financial transaction by receiving an authentication password from a user terminal,
A database unit for storing customer information, a server unique value, and a device serial number of the authentication password generator;
When the payment information and the authentication password are received from the user terminal,
Extracts a random number from the authentication password, extracts an account from the payment information, adds a server unique value and a device serial number of the database unit, generates an authentication password by applying a hash function, And a server for performing an authentication process on the payment information by comparing with a password.
The database unit,
A member DB for storing customer information including an ID and a password for login;
An authentication information DB for storing the device serial number of the member's authentication password generator and the server unique value;
And a ledger DB for storing account information.
The server comprises:
A member management unit for performing member authentication by referring to the member DB;
Extracts a random number from the authentication password, extracts an account from the payment information, adds a server unique value and a device serial number of the database unit, generates an authentication password by applying a hash function, An authentication processing unit for performing an authentication process on the payment information compared with a password;
And a financial processing unit for completing settlement processing using the settlement information when the authentication processing unit completes the authentication.
According to an aspect of the present invention,
A financial transaction method for a financial transaction system, comprising a database unit for storing customer information, a server unique value, and a device serial number of an authentication password generator, and receiving an authentication password from a user terminal to authenticate a financial transaction,
The server receiving payment information and an authentication password from the user terminal;
The server extracts a random number from the authentication password, extracts a payment account from the payment information, adds a server unique value and a device serial number of the database unit, and generates an authentication password by applying a hash function;
Comparing the received authentication password with the authentication password generated by the server and determining whether the authentication password matches the received authentication password;
And if the received authentication password matches the authentication password generated by the server, the server completes the payment processing using the payment information.
In the embodiment of the present invention, it is possible to provide an authentication password generator for performing a financial transaction using an authentication password used by generating a unique value only for a client, and a financial transaction system and method using the same.
Also, it is possible to provide an authentication password generator having enhanced security and a financial transaction system and method using the same.
Also, an authentication password generator for enhancing security using transaction signing and random number generation technology, and a financial transaction system and method using the same can be provided.
Also, it is possible to provide an authentication password generator for enhancing security without an authorized certificate, and a financial transaction system and method using the same.
FIG. 1 is a configuration diagram of a financial transaction system according to an embodiment of the present invention.
FIG. 2 is a block diagram of the authentication password generator of FIG.
FIG. 3 is a flowchart illustrating an operation of a financial transaction method according to an embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.
Throughout the specification, when an element is referred to as "comprising" another element, it means that it can include other elements as well, rather than excluding them, unless specifically stated otherwise. Also, terms such as "part" and "module" in the specification mean a unit that processes at least one function or operation, and such a unit may be implemented by hardware, software, or a combination of hardware and software.
FIG. 1 is a configuration diagram of a financial transaction system according to an embodiment of the present invention.
Referring to FIG. 1, a financial transaction system according to an embodiment of the present invention includes:
A financial transaction system (100) for receiving an authentication password from a user terminal (400) and authenticating a financial transaction,
A
When the payment information and the authentication password are received from the
The
A
An
And a
The server (110)
A member management unit 111 for referring to the member DB to perform member authentication;
Extracts a random number from the authentication password, extracts a payment account from the payment information, adds a server unique value and a device serial number of the
And a financial processing unit (113) for completing settlement processing using the settlement information when the authentication processing unit completes the authentication.
FIG. 2 is a block diagram of the authentication password generator of FIG.
Referring to FIG. 2, the authentication-
An authentication password generator for generating and displaying an authentication password according to a user operation,
A
An
A
A
The customer eigenvalue is received from the user through the
The operation of the financial transaction system according to the embodiment of the present invention having such a configuration will now be described in detail.
FIG. 3 is a flowchart illustrating an operation of a financial transaction method according to an embodiment of the present invention.
Referring to FIG. 3, a user accesses a server 110 (financial institution) with a terminal 400 such as a PC or a smart phone, and inputs an ID and a password. Then, the member management unit of the
If it is determined that the user is a legitimate user, the authentication processing unit transmits information (account information, etc.) of the customer to the terminal (S320). Here, the Internet banking is explained with an example, and the authentication method of the present invention can be applied to other financial transactions as needed.
The customer who has confirmed the account information inputs payment information such as a receipt account number and an amount and a value of the
Here, the process of confirming the account number is well known in the art, so that detailed description is omitted.
The authentication password generation process of the
First, the user customer inputs the account number (all or a part of the account number) using the number buttons of the
Then, the
Here, Rand (x) is a random number function and RA is all or part of the account number
Also, in the above equation, there are a variety of methods for generating the random number Rand (x).
When the customer receives the
In the following, it is assumed that the customer has entered a value 12346245 as the customer unique value (N).
Then, the
At this time, the calculation result value is stored as n.
Since 12346245 mod 32 = 5, the value of n is 5.
Here, $1 \le n \le 31$ (n++), and the initial n value is determined by the customer unique value, because n is defined as N mod 32.
Then, define the function as follows.
$$F(n) = \left[ H(\text{customer unique value} \,\|\, \text{device secret value}) \right]^{(2n-1)}$$
Here, $[H()]^{n}$ means hashing n times.
The
For example, hashing the customer unique value (N) 12346245 nine times gives a 160-bit value, which in hexadecimal is 8BEFCA89A8DA744A941901E09DDA56092F7628EE (this and the hash results below are example values, not actual computed values).
Hashing the customer unique value N 12346245 ten times likewise gives a 160-bit value, which in hexadecimal is F1AA2CC8D3FB9BE00029595364A49F1BDBABE2A8.
Therefore, F (5) = 8BEFCA89A8DA744A941901E09DDA56092F7628EEF1AA2CC8D3FB9BE00029595364A49F1BDBABE2A8. The
In the transaction process, $A(x) = \text{Address\_F}(n)$, and the size of $F(n)$ is 320 bits.
Here, it is assumed that $0 \le x \le 31$ ($A(x) = 10x + 1$, the first address value of Address_F(n), x++) and $V(x) = \text{Value\_A}(x)$ = 10 bits from $A(x)$ (represented by two digits of 5 bits each), and the base-32 number system consists of numerals and 22 letters.
Then, the
That is, the authentication password value (OTP-TR) is as follows.
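$$\text{OTP-TR} = n \,\|\, x \,\|\, V(x) \,\|\, \left[ H\big(n \,\|\, x \,\|\, V(x) \,\|\, RA \,\|\, H(\text{server unique value} \,\|\, \text{device serial number value})\big) \right]_{tr}$$
※ $\|$: concatenation, $[H()]_{tr}$: truncation of the hash result value (e.g. the leading 20 bits)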
In this process, for example, the
For the first transaction, x = 0 is selected. Therefore, $A(x) = 10 \times 0 + 1 = 1$.
Here, the x value increases continuously with the number of transactions.
Since $A(0) = 1$, the value of $V(0)$ is the bit value at $A(0)$ of $F(5)$, that is, the 10 bits starting from the first bit.
The value of $F(5)$ starts with "8BE~", so in binary it is "1000 1011 1110 ~". The first 10 bits are 1000 1011 11, so $V(0)$ = 1000101111. Expressed as two 5-bit groups, this is 10001 (decimal 17, H) and 01111 (decimal 16, G). Here, the base-32 digits are 0123456789 ABCDEFGHJKLMNPRSTVWXYZ. Therefore, the value of $n \,\|\, x \,\|\, V(x)$ is "50HG".
When the customer inputs the account number (RA, payee account number) to the
The authentication password value is
$$\text{OTP-TR} = n \,\|\, x \,\|\, V(x) \,\|\, \left[ H\big(n \,\|\, x \,\|\, V(x) \,\|\, RA \,\|\, H(\text{server unique value} \,\|\, \text{device serial number value})\big) \right]_{tr}$$
To this end, the
Another example is OTP-TR = 7AB2 49X3 when n = 7, x = A, V (x) = B2, and [H ()] tr = 49X3.
Then, the
First, the
For example, after extracting n, x, and V (x) values from the received values, verifying the previous n value comparison, increasing range of x value, adding RA, server unique value, Configure the TR value and compare it with the received value. Here, the
The customer unique value N is an arbitrary value entered by the customer into the
Even if a hacker intercepts the OTP-TR value and learns the values of n, x, and V(x), the [H()] value cannot be constructed, because the server unique value and the device serial number value cannot be known. (The number of cases requires 2 ^ 160 hours)
Therefore, the only attack available to a hacker is to intercept the value when the customer uses the same RA value as the hacker, but when the RA is the same, the attack is meaningless. That is, since the hacker's account is already the receiving account, it is meaningless.
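The generation and verification steps described above, as an added Python example that is not code from the patent: the device builds OTP-TR from n, x, V(x) and the truncated hash over the payee account, and the server recomputes only that truncated hash. Assumptions made here: values are concatenated as text, F(n) is the (2n-1)-th and 2n-th iterated hashes joined as in the F(5) example, the server requires the same n and a strictly increasing x, and all secrets, serial numbers and account numbers are constructed samples. Applied to the page's example F(5), `v_bits` returns 1000101111, whose second 5-bit group 01111 is decimal 15, symbol F in the listed alphabet.

```python
import hashlib
import hmac

B32 = "0123456789ABCDEFGHJKLMNPRSTVWXYZ"  # 32-symbol alphabet given on the page


def H(data: bytes) -> bytes:
    """160-bit hash; SHA-1 is used only because the page sizes F(n) for it."""
    return hashlib.sha1(data).digest()


def f_table(customer_value: int, device_secret: str) -> tuple[int, bytes]:
    """Return (n, F(n)): n = N mod 32, F(n) = hash^(2n-1) || hash^(2n), 320 bits."""
    n = customer_value % 32
    if n == 0:
        raise ValueError("page requires 1 <= n <= 31; choose another customer value")
    out = f"{customer_value}{device_secret}".encode()  # assumed text encoding
    for _ in range(2 * n - 1):
        out = H(out)
    return n, out + H(out)


def v_bits(f: bytes, x: int) -> int:
    """V(x): the 10 bits of F(n) starting at 1-based bit address A(x) = 10x + 1."""
    if not 0 <= x <= 31:
        raise ValueError("x must be in 0..31")
    return (int.from_bytes(f, "big") >> (len(f) * 8 - 10 * x - 10)) & 0x3FF


def b32(value: int, width: int) -> str:
    """Encode value as `width` symbols of 5 bits each, most significant first."""
    return "".join(B32[(value >> (5 * i)) & 31] for i in reversed(range(width)))


def tag(prefix: str, ra: str, server_value: str, serial: str) -> str:
    """[H(n || x || V(x) || RA || H(server value || serial))]tr, leading 20 bits."""
    inner = H(f"{server_value}{serial}".encode())
    digest = H(prefix.encode() + ra.encode() + inner)
    return b32(int.from_bytes(digest[:3], "big") >> 4, 4)


def generate(customer_value, device_secret, x, ra, server_value, serial) -> str:
    """Device side: build the 8-symbol OTP-TR for payee account RA."""
    n, f = f_table(customer_value, device_secret)
    prefix = B32[n] + B32[x] + b32(v_bits(f, x), 2)
    return prefix + tag(prefix, ra, server_value, serial)


class Server:
    """Server side: holds only the server unique value and device serial number."""

    def __init__(self, server_value: str, serial: str):
        self.server_value, self.serial = server_value, serial
        self.last_n, self.last_x = None, -1

    def verify(self, otp: str, ra: str) -> bool:
        if len(otp) != 8 or any(c not in B32 for c in otp):
            return False
        n, x = B32.index(otp[0]), B32.index(otp[1])
        if self.last_n is not None and n != self.last_n:
            return False                      # n differs from the previous n
        if x <= self.last_x:
            return False                      # x did not increase: replayed value
        expected = tag(otp[:4], ra, self.server_value, self.serial)
        if not hmac.compare_digest(expected, otp[4:]):
            return False                      # hash does not cover this RA
        self.last_n, self.last_x = n, x       # state changes only on success
        return True


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    secret, sv, sn = "constructed-device-secret", "constructed-server-value", "SN-0001"
    server = Server(sv, sn)
    otp = generate(12346245, secret, 0, "1002003004", sv, sn)
    print(otp, server.verify(otp, "9998887776"))  # different payee account
    print(otp, server.verify(otp, "1002003004"))  # matching payee account
    print(otp, server.verify(otp, "1002003004"))  # same value sent again
```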
If the received authentication password matches the authentication password generated by the
Meanwhile, in case of authentication inconsistency, the
Although the above embodiment has been described as an example of Internet banking, the present invention can be applied to card settlement of electronic commerce as needed.
In the above embodiment of the present invention, the client can generate a unique value and perform the financial transaction using the used authentication password.
In addition, security can be enhanced by using transaction signing and random number generation techniques.
Also, security can be enhanced without an authorized certificate.
The embodiments of the present invention described above are not only implemented by the apparatus and method but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded, The embodiments can be easily implemented by those skilled in the art from the description of the embodiments described above.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, It belongs to the scope of right.
Claims (6)
An input unit for receiving information from a user;
A display unit for displaying the authentication password;
A memory for storing a server unique value, a device serial number value, and a device secret value input by a user;
Wherein the device secret value is received from the user through the input unit and is stored in the memory, and when a part or all of the account number is input from the input unit, authentication is performed using the server unique value, the device serial number value, And generating a password and displaying it on the display unit.
Wherein the control unit generates the authentication password by the following formula.
Here, Rand (x) is a random number function and RA is all or part of the account number
Wherein the control unit generates an authentication password (OTP-TR) by the following process.
$$\text{OTP-TR} = n \,\|\, x \,\|\, V(x) \,\|\, \left[ H\big(n \,\|\, x \,\|\, V(x) \,\|\, RA \,\|\, H(\text{server unique value} \,\|\, \text{device serial number value})\big) \right]_{tr}$$
(* $\|$: concatenation, $[H()]_{tr}$: truncation of the hash result value)
Here, n is a remainder obtained by dividing the customer secret value (N) inputted by the customer by 32
$$F(n) = \left[ H(\text{customer unique value} \,\|\, \text{device secret value}) \right]^{(2n-1)}$$
Here, $[H()]^{n}$ means hashing n times.
In the transaction process, $A(x) = \text{Address\_F}(n)$ and $F(n)$ is 320 bits.
Here, $0 \le x \le 31$ ($A(x) = 10x + 1$, the first address value of Address_F(n), x++).
$V(x) = \text{Value\_A}(x)$ = 10 bits from $A(x)$
A database unit for storing customer information, a server unique value, and a device serial number of the authentication password generator;
When the payment information and the authentication password are received from the user terminal,
Extracts a random number from the authentication password, extracts an account from the payment information, adds a server unique value and a device serial number of the database unit, generates an authentication password by applying a hash function, And a server for performing an authentication process on the payment information compared with a password.
The database unit,
A member DB for storing customer information including an ID and a password for login;
An authentication information DB storing the device serial number of the authentication password generator and the server unique value;
And a ledger DB for storing account information,
The server comprises:
A member management unit for performing member authentication by referring to the member DB;
Extracts a random number from the authentication password, extracts an account from the payment information, adds a server unique value and a device serial number of the database unit, generates an authentication password by applying a hash function, An authentication processing unit for performing an authentication process on the payment information compared with a password;
And a financing processing unit for finishing payment processing using the payment information when the authentication processing unit completes the authentication.
The server receiving payment information and an authentication password from the user terminal;
The server extracts a random number from the authentication password, extracts a payment account from the payment information, adds a server unique value and a device serial number of the database unit, and generates an authentication password by applying a hash function;
Comparing the received authentication password with the authentication password generated by the server and determining whether the authentication password matches the received authentication password;
And completing payment processing using the payment information when the received authentication password matches the authentication password generated by the server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150044908A KR101686157B1 (en) | 2015-03-31 | 2015-03-31 | Password generator, Financial transaction system and method using that password generator |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20160116728A true KR20160116728A (en) | 2016-10-10 |
KR101686157B1 KR101686157B1 (en) | 2016-12-13 |
Family
ID=57146493
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101686157B1 (en) |
- 2015-03-31: KR application KR1020150044908A, patent KR101686157B1, active (IP Right Grant)
Also Published As
Publication number | Publication date |
---|---|
KR101686157B1 (en) | 2016-12-13 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment | Payment date: 20191007 Year of fee payment: 4 |