KR20160122556A - Apparatus and method for otp authentication - Google Patents

Info

Publication number
KR20160122556A
Authority
KR
South Korea
Prior art keywords
secret
image
user
key
server
Prior art date
Application number
KR1020150052631A
Other languages
Korean (ko)
Inventor
임용훈
Original Assignee
임용훈
Application filed by 임용훈 filed Critical 임용훈
Priority to KR1020150052631A priority Critical patent/KR20160122556A/en
Priority to PCT/KR2015/009523 priority patent/WO2016039568A1/en
Publication of KR20160122556A publication Critical patent/KR20160122556A/en

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L9/0869 involving random numbers or seeds
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN
                            • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
                        • H04L9/3236 using cryptographic hash functions
                        • H04L9/3297 involving time stamps, e.g. generation of time stamps

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses an apparatus and method for enhancing security in a one-time password (OTP) authentication scheme. According to one aspect, a user device that communicates with a server to authenticate a user comprises: a secret hash value generation module that generates a secret hash value by inputting a secret value entered by the user into a hash function as a seed value, stores the secret hash value, and transmits it to the server for registration; a one-time password input module that receives a one-time password; and a user authentication key generation module that generates a user authentication key by inputting the one-time password received from the one-time password input module and the stored secret hash value into the hash function as seed values, transmits the user authentication key to the server, and receives from the server the result of comparing it with a user authentication key generated by the server. The user authentication key generated by the server is a value produced by inputting the secret hash value registered in the server and the one-time password into a hash function as seed values.

Description

APPARATUS AND METHOD FOR OTP AUTHENTICATION

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to user authentication, and more specifically to a user authentication technique using a One Time Password (OTP) scheme.

The one-time password (OTP) authentication method authenticates a user with a randomly generated number, and was introduced to overcome the security weakness caused by repeated use of the same password.

Currently, OTP authentication methods are divided into software and hardware methods. Software methods run as software on a PC or smart device and include application-based OTP and server-based OTP; the hardware method uses a portable one-time password generator. A typical example of server-based OTP among the software methods is SMS authentication: the server sends a short message containing the one-time password to the user's portable terminal, and the user enters the one-time password from the message into the portable terminal or the web site, which returns it to the server. Hardware-based OTP authentication compares the one-time password generated by the portable one-time password generator with the one-time password generated by the server. To this end, the server stores the device serial number of the user's portable generator, and at authentication time both the server and the portable generator generate a one-time password from the same time stamp and device serial number.

Korean Patent Publication No. 10-2014-0106360

The OTP authentication described above can expose the one-time password to onlookers when the user enters it on the user device, and the one-time password can be captured by hacking during communication between the user terminal and the server. In addition, a one-time password may be issued to a person who is not the legitimate user and be used maliciously.

Disclosure of Invention

Technical Problem

The present invention has been proposed to solve the above problems and aims to enhance security in one-time password authentication.

According to an aspect of the present invention, there is provided a user device that communicates with a server to authenticate a user, comprising: a secret hash value generation module that generates a secret hash value by inputting a secret value entered by the user into a hash function as a seed value, stores the secret hash value, and transmits it to the server for registration; a one-time password input module that receives a one-time password; and a user authentication key generation module that generates a user authentication key by inputting the one-time password received from the one-time password input module and the stored secret hash value into the hash function as seed values, transmits the user authentication key to the server, and receives from the server the result of comparing it with a user authentication key generated by the server. The user authentication key generated by the server is a value produced by inputting the secret hash value registered in the server and the one-time password into a hash function as seed values.

The one-time password is generated at the server and delivered to a destination designated by the user, and the one-time password input module may receive from the user the one-time password that arrived at that destination.

The destination designated by the user may be the user device itself or a wearable device of the user.

The one-time password may be a value generated at the server by inputting a time stamp and the secret hash value registered in the server into a random number function as seed values.

Alternatively, the one-time password is generated by a portable one-time password generator, and the one-time password input module may receive from the user the one-time password shown by the portable generator.

In that case the portable one-time password generator stores a secret hash value identical to the one generated by the secret hash value generation module, and the one-time password is a value generated in the portable generator by inputting that secret hash value and a time stamp into a random number function as seed values.

The user device may further include a device authentication key generation module that stores a device authentication key generated by inputting unique information of the user device into the hash function as a seed value, and transmits the device authentication key to the server for registration.

At authentication time, the device authentication key generation module may transmit the previously stored device authentication key to the server and receive from the server the result of comparing it with the device authentication key registered in the server.

The user device may further include a program authentication key generation module that stores a program authentication key generated by inputting a time stamp, the device authentication key and the secret hash value into a hash function as seed values, and transmits the program authentication key to the server for registration.

At authentication time, the program authentication key generation module may transmit the previously stored program authentication key to the server and receive from the server the result of comparing it with the program authentication key registered in the server.

The one-time password input module may include: an image registration module that receives candidate images and their codes from the server, displays the candidate images, transmits to the server for registration the codes of the key image and the camouflage images selected by the user among the candidate images, and stores the code of the key image; an image input module that receives the key image, the camouflage images and their codes from the server, receives candidate passwords and their codes from the server, displays at least two interfaces, shows the key image and the camouflage images on one interface and the candidate passwords on the remaining interface, and moves at least one interface according to the user's input; and a one-time password extraction module that, based on the code of the key image stored in the image registration module, extracts as the one-time password the candidate password located on the remaining interface at the same orientation as the key image displayed on the one interface.

There may be two or more key images; the image registration module then also stores the order information of the key images, and the one-time password extraction module extracts the one-time password from the remaining interface sequentially, following that order.

In another form, the image registration module receives candidate images and their codes from the server, displays them, and transmits to the server for registration the codes of the key image and the camouflage images selected by the user together with identification information of the key image; the image input module receives the key image, the camouflage images, their codes and the key image identification information from the server, receives the candidate passwords and their codes from the server, displays at least two interfaces, shows the key image and camouflage images received from the server on one interface and the candidate passwords on the remaining interface, and moves at least one interface according to the user's input; and the one-time password extraction module extracts as the one-time password the candidate password located on the remaining interface at the same orientation as the key image displayed on the one interface, based on the key image identification information received from the server.

Where there are two or more key images, the image registration module also registers and transmits the order information of the key images to the server, the image input module also receives that order information from the server, and the one-time password extraction module extracts the one-time password sequentially from the remaining interface based on the identification information and the order information of the key images received from the server.

In a further form, the image registration module receives candidate images and their codes from the server, displays them, and transmits to the server for registration the codes of the key image and the camouflage images selected by the user; the image input module receives the key image, the camouflage images and their codes from the server, receives the candidate passwords and their codes from the server, displays at least two interfaces, shows the key image and camouflage images on one interface and the candidate passwords on the remaining interface, and moves at least one interface according to the user's input; and the one-time password extraction module, on receiving a move-completion input from the user, extracts the code matrix of the images on the one interface and the code matrix of the candidate passwords on the remaining interface as the one-time password.

According to another aspect of the present invention, there is provided a server apparatus that communicates with a user device to authenticate a user, comprising: a secret hash value registration module that receives from the user device and registers a secret hash value generated by inputting a secret value entered by the user into a hash function as a seed value; a one-time password generation module that generates a one-time password; and an authentication processing module that, on receiving a user authentication key from the user device, generates a user authentication key by inputting the registered secret hash value and the generated one-time password into a hash function as seed values, compares it with the received user authentication key, and authenticates the user.

The one-time password generation module may transmit the generated one-time password to a destination designated by the user, and the authentication processing module may receive from the user device a user authentication key generated by inputting the one-time password delivered to that destination and the secret hash value stored in the user device into a hash function as seed values.

The one-time password generation module may generate the one-time password by inputting the registered secret hash value and a time stamp into a random number function as seed values.

The authentication processing module may receive from the user device a user authentication key generated by inputting a one-time password produced by a portable one-time password generator and the secret hash value stored in the user device into a hash function as seed values.

In that case the portable one-time password generator stores a secret hash value identical to the registered one, the one-time password it produces is generated from the secret hash value stored in the generator and a time stamp, and the one-time password generation module of the server generates its own one-time password by inputting the registered secret hash value and the time stamp into the random number function as seed values.

The authentication processing module may receive from the user device and register a device authentication key generated by inputting unique information of the user device into a hash function as a seed value, and may compare the device authentication key received from the user device at authentication time with the registered device authentication key.

The authentication processing module may likewise receive from the user device and register a program authentication key generated by inputting a time stamp, the device authentication key and the secret hash value into a hash function as seed values, and may compare the program authentication key received from the user device at authentication time with the registered program authentication key.

The authentication processing module may transmit candidate images and their codes to the user device, receive from the user device and register the codes of the key image and the camouflage images selected by the user among the candidate images, and at authentication time transmit the registered key image, the camouflage images and their codes, and the candidate passwords and their codes to the user device, which displays at least two interfaces of which at least one moves according to the user's input, with the key image and camouflage images on one interface and the candidate passwords on the remaining interface. The user authentication key received from the user device is then a key generated using the one-time password that the user device extracted, based on the code of the key image, as the candidate password located on the remaining interface at the same orientation as the key image displayed on the one interface.

Alternatively, the authentication processing module transmits candidate images and their codes to the user device, receives from the user device and registers the codes of the key image and the camouflage images selected by the user together with identification information of the key image, and at authentication time transmits the registered key image, the camouflage images, their codes, the key image identification information, and the candidate passwords and their codes to the user device, which displays the interfaces as above. The user authentication key received from the user device is then a key generated using the one-time password that the user device extracted, based on the key image identification information transmitted from the server, as the candidate password located on the remaining interface at the same orientation as the key image.

In a further form, the authentication processing module transmits candidate images and their codes to the user device, receives from the user device and registers the codes of the key image and the camouflage images selected by the user, and at authentication time transmits the registered key image, the camouflage images and their codes, and the candidate passwords and their codes to the user device so that at least one interface is moved. The user authentication key received from the user device is then a key generated using the one-time password that the user device extracted, on the user's move-completion input, as the code matrix of the images on the one interface and the code matrix of the candidate passwords on the remaining interface.

According to another aspect of the present invention, there is provided an authentication system comprising: a user device that generates and stores a secret hash value by inputting a secret value entered by the user into a hash function as a seed value and transmits the secret hash value to an authentication server; and an authentication server that receives and registers the secret hash value transmitted from the user device, generates a one-time password, and transmits the one-time password to the destination designated by the user. The user device generates a user authentication key by inputting the one-time password delivered to that destination and the secret hash value stored in the user device into a hash function as seed values and transmits it to the authentication server; the authentication server generates a user authentication key by inputting the registered secret hash value and the one-time password it transmitted into a hash function as seed values, compares it with the user authentication key received from the user device, and processes the authentication.

In the present invention, when a user is authenticated with a one-time password, the one-time password is not simply encrypted; instead the secret hash value derived from the secret value, which is information unique to the user, is input into the hash function as a seed value together with the one-time password, and only the resulting user authentication key travels from the user terminal to the server. Capture of the one-time password on that path is thereby blocked.
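The registration and authentication flow set out in the aspects above (secret hash value, server-generated one-time password, user authentication key, and the device and program authentication keys), as an added example that is not the patent's own code. It assumes SHA-256 as the hash function, HMAC-SHA256 as the "random number function" seeded with the secret hash value and a time stamp, a 6-digit one-time password, and the AuthServer/UserTerminal names and fields used here; every input in demo() is constructed.

```python
import hashlib
import hmac

# Added illustration (not the patent's code) of the flow summarised above.
# Assumptions: SHA-256 as the hash function, HMAC-SHA256 as the "random number
# function" seeded with the secret hash value and a time stamp, a 6-digit
# one-time password, and the class/field names used here.

DIGITS = 6


def secret_hash(secret: bytes) -> bytes:
    """Secret hash value S = hash(secret value); generated once and registered."""
    return hashlib.sha256(b"secret|" + secret).digest()


def generate_otp(s: bytes, timestamp: int) -> str:
    """Server-side one-time password: keyed PRF over the time stamp, seeded with S."""
    mac = hmac.new(s, timestamp.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


def user_auth_key(otp: str, s: bytes) -> bytes:
    """User authentication key = hash(OTP, S); this, not the OTP, goes to the server."""
    return hashlib.sha256(b"auth|" + otp.encode() + b"|" + s).digest()


def device_auth_key(device_unique_info: bytes) -> bytes:
    """Device authentication key = hash(unique information of the terminal)."""
    return hashlib.sha256(b"device|" + device_unique_info).digest()


def program_auth_key(install_time: int, dev_key: bytes, s: bytes) -> bytes:
    """Program authentication key = hash(time stamp at installation, device key, S)."""
    return hashlib.sha256(b"program|" + install_time.to_bytes(8, "big") + dev_key + s).digest()


class AuthServer:
    """Registers S, device key and program key; issues and verifies one-time passwords."""

    def __init__(self) -> None:
        self.registry: dict = {}

    def register(self, user_id: str, s: bytes, dev_key: bytes, prog_key: bytes) -> None:
        self.registry[user_id] = {"s": s, "dev_key": dev_key, "prog_key": prog_key, "pending": None}

    def issue_otp(self, user_id: str, now: int) -> str:
        rec = self.registry[user_id]
        rec["pending"] = generate_otp(rec["s"], now)   # kept for the comparison step
        return rec["pending"]                          # delivered to the user's destination

    def verify(self, user_id: str, user_key: bytes, dev_key: bytes, prog_key: bytes) -> bool:
        rec = self.registry.get(user_id)
        if rec is None or rec["pending"] is None:
            return False
        otp, rec["pending"] = rec["pending"], None     # single use: consumed even on failure
        expected = user_auth_key(otp, rec["s"])        # server-side user authentication key
        return (hmac.compare_digest(expected, user_key)
                and hmac.compare_digest(rec["dev_key"], dev_key)
                and hmac.compare_digest(rec["prog_key"], prog_key))


class UserTerminal:
    """The authentication program on the user's terminal."""

    def __init__(self, user_id: str, secret: bytes, device_info: bytes, install_time: int) -> None:
        self.user_id = user_id
        self.s = secret_hash(secret)
        self.dev_key = device_auth_key(device_info)
        self.prog_key = program_auth_key(install_time, self.dev_key, self.s)

    def register_with(self, server: AuthServer) -> None:
        server.register(self.user_id, self.s, self.dev_key, self.prog_key)

    def authenticate(self, server: AuthServer, otp_entered: str) -> bool:
        return server.verify(self.user_id, user_auth_key(otp_entered, self.s),
                             self.dev_key, self.prog_key)


def demo() -> dict:
    """Constructed run: a normal login, a replay, a copied program, a reinstall."""
    server = AuthServer()
    secret, imei, installed = b"my long secret string", b"IMEI-000111222333", 1_700_000_000
    alice = UserTerminal("alice", secret, imei, installed)
    alice.register_with(server)

    otp = server.issue_otp("alice", 1_700_000_060)          # e.g. sent by SMS
    ok = alice.authenticate(server, otp)
    replay = alice.authenticate(server, otp)                # same OTP presented again

    otp = server.issue_otp("alice", 1_700_000_090)
    clone = UserTerminal("alice", secret, b"IMEI-999888777666", installed)  # program copied
    clone_ok = clone.authenticate(server, otp)

    otp = server.issue_otp("alice", 1_700_000_120)
    reinstalled = UserTerminal("alice", secret, imei, 1_700_000_500)        # deleted and reinstalled
    reinstall_ok = reinstalled.authenticate(server, otp)
    return {"ok": ok, "replay": replay, "clone_ok": clone_ok, "reinstall_ok": reinstall_ok}
```

Two checks a practitioner would expect are visible in verify(): the pending one-time password is consumed on the first comparison, so a captured user authentication key cannot be replayed, and every comparison goes through hmac.compare_digest. The secret hash value is a long-lived shared secret held by both sides, and nothing on this page describes how the server protects it; the scheme's strength rests on that.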

In addition, when the user enters the one-time password on the user terminal, the present invention lets the user enter it through the circle interface and the images, so that a bystander watching the input cannot learn the one-time password at all. Security at the moment of entering the one-time password is thus enhanced.
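The circle-interface input described above, as an added example that is not the patent's own code: one ring carries the user's key images among camouflage images, another carries the candidate digits, the user rotates the digit ring until the wanted digit sits at the key image's orientation, and the extraction module reads off the digit at that orientation for each registered key image in order. The ring size of 10, the image codes, the six key images and the sample one-time password are constructed assumptions; the patent fixes none of them.

```python
import random

# Added illustration (not the patent's code) of the circle interface: a ring of
# image codes (key images among camouflage images) and a ring of candidate
# digits. Ring size, image codes and the sample one-time password are constructed.

N = 10  # positions per ring; the patent does not fix this number


def rotate(ring: list, steps: int) -> list:
    """Rotate a ring by `steps` positions (what a user drag does)."""
    steps %= len(ring)
    return ring[-steps:] + ring[:-steps] if steps else list(ring)


def user_aligns(image_ring: list, digit_ring: list, key_code: str, wanted: str) -> list:
    """Simulate the user's drag: rotate the digit ring until `wanted` sits at the
    same orientation (index) as the key image. Returns the ring as displayed."""
    target = image_ring.index(key_code)
    current = digit_ring.index(wanted)
    return rotate(digit_ring, target - current)


def digit_under(image_ring: list, digit_ring: list, key_code: str) -> str:
    """One-time password digit: the candidate at the key image's orientation."""
    if len(image_ring) != len(digit_ring):
        raise ValueError("rings must have the same number of positions")
    return digit_ring[image_ring.index(key_code)]


def extract_otp(captures: list, key_codes: list) -> str:
    """Extraction module (on the terminal with the stored key codes, or on the
    server from the transmitted code matrices): one captured ring pair per key
    image, key images taken in their registered order."""
    if len(captures) != len(key_codes):
        raise ValueError("one move-completion capture is needed per key image")
    return "".join(digit_under(img, dig, code) for (img, dig), code in zip(captures, key_codes))


def demo(otp: str = "481726", seed: int = 7) -> dict:
    """Constructed session: the user enters `otp` through the rings."""
    rng = random.Random(seed)
    candidate_images = [f"img{i:02d}" for i in range(N)]      # codes issued by the server
    key_codes = ["img03", "img07", "img01", "img09", "img05", "img00"]  # registered, in order
    image_ring = rng.sample(candidate_images, N)              # key + camouflage, shuffled
    digit_ring = rng.sample([str(d) for d in range(10)], 10)  # candidate digits, shuffled
    captures = []
    for code, d in zip(key_codes, otp):
        digit_ring = user_aligns(image_ring, digit_ring, code, d)
        captures.append((list(image_ring), list(digit_ring)))  # the code matrices sent on
    extracted = extract_otp(captures, key_codes)
    # What a bystander sees at each step: every digit is on screen, none is marked
    visible = {digit for _, dig in captures for digit in dig}
    return {"extracted": extracted, "matches": extracted == otp, "visible_digits": len(visible)}
```

The captured ring pairs are exactly what the third variant above transmits to the server; whoever holds the key image codes (the terminal in the first variant, the server in the others) runs extract_otp over them. An observer of the screen sees all ten digits at every step and nothing that marks the key image.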

Further, the present invention ties the authentication program to one person and one device by performing additional device authentication and program authentication with the device authentication key and the program authentication key. Even if the authentication program (for example, an application) is copied and transplanted to another user terminal, device authentication key verification fails and the authentication fails. If the program is deleted from the same terminal and reinstalled, the program authentication key changes and authentication fails again. Theft of personal information by deleting and reinstalling the program can therefore be blocked.

FIG. 1 is a diagram illustrating an authentication system according to an embodiment of the present invention.
FIG. 2 is a diagram showing the configuration of the user terminal of FIG. 1.
FIG. 3 is a diagram illustrating the configuration of an authentication program according to an embodiment of the present invention.
FIG. 4 is a diagram showing the configuration of the authentication server of FIG. 1.
FIG. 5 is a flowchart illustrating a method of registering a secret hash value according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating an authentication method according to an embodiment of the present invention.
FIG. 7 is a block diagram illustrating the configuration of a one-time password input module according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating candidate images according to an embodiment of the present invention.
FIG. 9 is a diagram illustrating a circle interface according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating three circle interfaces according to an embodiment of the present invention.
FIG. 11 is a diagram showing the configuration of an authentication program according to another embodiment of the present invention.

The foregoing and other objects, features and advantages of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings. In the following description, well-known functions or constructions are not described in detail, since they would obscure the invention with unnecessary detail. Hereinafter, a preferred embodiment of the present invention is described in detail with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating an authentication system according to an embodiment of the present invention, and FIG. 2 is a diagram illustrating the configuration of the user terminal of FIG. 1.

Referring to FIG. 1, the authentication system according to the present embodiment includes a user terminal 100, an authentication server 200, and a communication network 300 connecting the user terminal 100 and the authentication server 200.

The user terminal 100 is the terminal used by the user. An authentication program is installed on it, communicates with the authentication server 200, and performs OTP (One Time Password) authentication using a hash algorithm. To this end, the user terminal 100 generates and stores a secret hash value. Here, the secret hash value is the result of inputting a secret value entered by the user into the hash function as a seed value, and the secret value may be a long string, an image file, a sound file or a video file. The user terminal 100 transmits the secret hash value to the authentication server 200 for registration.

The authentication server 200 communicates with the user terminal 100 to perform OTP authentication. When it receives the secret hash value from the user terminal 100, the authentication server 200 stores and registers it; that is, the authentication server 200 shares the secret hash value with the user terminal 100. When the authentication server 200 receives an OTP authentication request from the user terminal 100, it generates a one-time password and transmits it to the user terminal 100, generates a server-side user authentication key from the stored secret hash value and the one-time password, and compares the server-side user authentication key with the user-side user authentication key received from the terminal. If the two keys are identical the authentication succeeds; otherwise it fails. The authentication server 200 may be the server of a bank, a card company, a telecommunications company, a general portal site, or a payment gateway (PG) service. In this embodiment only a single authentication server is described, but the authentication server may communicate with a service server and return the user's authentication result at the request of the service server; the authentication server of this embodiment can be understood to include such a service server.

The OTP authentication method between the user terminal 100 and the authentication server 200 will be described in detail below.

The user terminal 100 may be a mobile communication terminal such as a smart phone or a personal computer. 2, the user terminal 100 includes a memory 110, a memory controller 121, one or more processors (CPUs) 122, a peripheral interface 123, an input / output (I / O) A display device 141, an input device 142, and an RF circuit 152. The display device 141, These components communicate through one or more communication buses or signal lines. The various components shown in FIG. 2 may be implemented in hardware, software, or a combination of both hardware and software, including one or more signal processing and / or application specific integrated circuits.

The memory 110 may include a high-speed random access memory and may also include one or more magnetic disk storage devices, non-volatile memory such as a flash memory device, or other non-volatile semiconductor memory device. In some embodiments, the memory 110 may include a storage device, e.g., RF circuitry 152, located remotely from the one or more processors 122, and an Internet, Intranet, Local Area Network (WLAN) , A Storage Area Network (SAN), or the like, or any suitable combination thereof, via a network (not shown). Access to the memory 110 by other components of the user terminal 100, such as the processor 122 and the peripheral interface 123, may be controlled by the memory controller 121.

The peripheral interface 123 connects the input / output peripheral device of the user terminal 100 to the processor 122 and the memory 110. The one or more processors 122 execute various software programs and / or a set of instructions stored in the memory 110 to perform various functions for the device 100 and process the data.

In some embodiments, peripheral interface 123, processor 122, and memory controller 121 may be implemented on a single chip, such as chip 120. In some other embodiments, these may be implemented as separate chips.

The I / O subsystem 130 provides an interface between the input / output peripheral of the user terminal 100, such as the display device 141, the input device 142, and the peripheral interface 123.

The display device 141 may be a liquid crystal display (LCD) technology or a light emitting polymer display (LPD) technology. The display device 141 may be capacitive, resistive, infrared, or the like. The touch display provides an output interface and an input interface between the terminal and the user. The touch display displays a visual output to the user. The visual output may include text, graphics, video, and combinations thereof. Some or all of the visual output may correspond to a user interface object. The touch display forms a touch sensitive surface that accommodates user input.

The processor 122 is configured to perform the operations associated with the user terminal 100 and to execute instructions; for example, using instructions retrieved from the memory 110, it can control the reception and manipulation of data between components of the user terminal 100.

In some embodiments, the software components installed in the memory 110 include an operating system 111, a graphics module (instruction set) 112, and an authentication program (instruction set) 113.

The operating system 111 may be an embedded operating system such as, for example, Darwin, RTXC, LINUX, UNIX, OS X, WINDOWS, VxWorks or Android. It includes various software components and / or drivers for controlling and managing general system tasks (e.g., memory management, storage control, power management, etc.), and facilitates communication between the various hardware and software components.

The graphics module 112 includes a number of well known software components for providing and displaying graphics on the display device 141. The term "graphics" includes, without limitation, text, web pages, icons (e.g., user interface objects including soft keys), digital images, video, animations, and the like.

The RF circuit 152 transmits and receives electromagnetic waves. The RF circuit 152 converts electrical signals to electromagnetic waves and vice versa, and communicates with a communication network, other mobile gateways, and communication devices through the electromagnetic waves. The RF circuit 152 may include well-known circuits for performing these functions, including without limitation an antenna system, an RF transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a CODEC chipset, a subscriber identity module (SIM) card, and memory. The RF circuitry 152 may communicate with other devices by wireless communication over a network such as the Internet (also referred to as the World Wide Web (WWW)), an intranet and / or a cellular telephone network, a wireless LAN and / or a metropolitan area network (MAN). The wireless communication may use any of a plurality of communication standards, protocols, and techniques, including but not limited to Global System for Mobile Communications (GSM), Enhanced Data GSM Environment (EDGE), wideband code division multiple access (WCDMA), code division multiple access (CDMA), time division multiple access (TDMA), Wi-MAX, Bluetooth, ZigBee, Near Field Communication (NFC), or any other suitable communication protocol, including communication protocols not yet developed at the time of the filing of the present application.

The authentication program 113 can be downloaded and installed from the authentication server 200, or downloaded and installed from an app store such as Google Play or Apple Market. The authentication program 113 generates a secret hash value by inputting the secret divisor entered by the user into a hash function as a seed value, and transmits the secret hash value to the authentication server 200 for registration. The authentication program 113 communicates with the authentication server 200, receives a one-time secret password from the authentication server 200, and performs user authentication using the one-time secret password. The authentication program 113 will be described in detail with reference to FIG. 3.

FIG. 3 is a diagram illustrating a configuration of an authentication program according to an embodiment of the present invention.

Referring to FIG. 3, the authentication program 113 according to the present embodiment includes a secret hash value generation module 310, a one-time secret password input module 320, and a user authentication key generation module 330.

The secret hash value generation module 310 receives the secret divisor from the user through the input device. Here, the secret divisor may be any one of a long string, an image file, a sound file, or a video file, but is not limited thereto; it is data known only to the user.

The secret hash value generation module 310 sets the result obtained by inputting the secret divisor into the hash function as a seed value as the secret hash value. The secret hash value may be stored in a binary file. The secret hash value generation module 310 transmits the secret hash value to the authentication server 200 and registers it there. The secret hash value generated in the secret hash value generation module 310 may be stored in the user terminal 100, or may be stored in a separate storage medium such as an NFC card through the RF circuit 152. When the secret hash value is stored in a separate storage medium such as an NFC card, the secret hash value is not stored in the user terminal 100.

The one-time secret password input module 320 receives the one-time secret password generated at the authentication server 200 and delivered to the destination designated by the user. The destination designated by the user may be the user terminal 100, another device carried by the user such as a wearable device, or an e-mail address, but is not limited thereto. The one-time secret password may be received in the form of a short message (SMS) or a push message. The one-time secret password input module 320 can receive the one-time secret password through a keypad or through an image-based input. The method of receiving the input through images will be described later.

The user authentication key generation module 330 inputs the one-time secret password received from the one-time secret password input module 320 and the secret hash value generated by the secret hash value generation module 310 into a hash function as a seed value, and thereby generates a user authentication key. That is, the user authentication key is the result obtained by inputting the one-time secret password and the secret hash value into the hash function as a seed value. When the secret hash value is stored in a separate storage medium such as an NFC card, the user authentication key generation module 330 reads the secret hash value from that storage medium through the RF circuit 152.

The user authentication key generation module 330 transmits the user authentication key to the authentication server 200 and receives the authentication result from the authentication server 200. Here, the authentication result is an authentication success response or an authentication failure response, and which of the two is returned depends on the result of comparing the user authentication keys.

Referring to FIG. 4, the authentication server 200 includes a secret hash value registration module 410, a one-time secret password generation module 420, and an authentication processing module 430.

The authentication server 200 is configured to include a memory, a memory controller, one or more processors (CPUs), a peripheral interface, an input / output (I / O) subsystem, and a communication circuit. These components communicate through one or more communication buses or signal lines. Such components may be implemented in hardware, software, or a combination of both hardware and software, including one or more signal processing and / or application specific integrated circuits.

The memory may include high speed random access memory and may also include one or more magnetic disk storage devices, non-volatile memory such as flash memory devices, or other non-volatile semiconductor memory devices. In some embodiments, the memory may include a storage device located remotely from one or more processors. Access to the memory by other components such as the processor and the peripheral interface may be controlled by the memory controller.

The peripheral interface connects the input / output peripherals to the processor and the memory. The one or more processors execute various software programs and / or sets of instructions stored in the memory to perform various functions for the authentication server 200 and to process data.

The I / O subsystem provides an interface between the I / O peripheral and the peripheral interface.

The processor is configured to perform the operations associated with the authentication server 200 and to execute instructions; for example, using instructions retrieved from the memory, it can control the reception and manipulation of input and output data between components of the authentication server 200. In some embodiments, software components such as an operating system and a graphics module (instruction set) are installed in the memory.

The operating system may be an embedded operating system such as, for example, Darwin, RTXC, LINUX, UNIX, OS X, WINDOWS, VxWorks or Android. It includes various software components and / or drivers for controlling and managing general system tasks (e.g., memory management, device control, power management, etc.), and facilitates communication between the various hardware and software components.

The secret hash value registration module 410, the one-time secret password generation module 420 and the authentication processing module 430 may be implemented by software installed in a memory or by a combination of hardware and software.

The secret hash value registration module 410 receives the secret hash value generated in the user terminal 100 from the user terminal 100 and registers it. Here, registration may mean mapping the user's identification information, for example the ID, to the secret hash value and storing the pair. The authentication server 200 receives the account information (ID and password) from the user and performs a sign-up process. After the user logs in, the secret hash value registration module 410 can receive the secret hash value.

The one-time secret password generation module 420 generates a one-time secret password for authentication of the user. The one-time secret password can be generated using a random number function. The one-time secret password generation module 420 can generate the one-time secret password when it receives an OTP authentication request from the user terminal 100, specifically from the authentication program 113. At this time, the one-time secret password generation module 420 may generate the one-time secret password by inputting the registered secret hash value and a time stamp into the random number function as the seed value.

The one-time secret password generation module 420 transmits the generated one-time secret password to a destination designated by the user. The one-time secret password may be transmitted in the form of a text message (SMS) or a push message or an email or an Automatic Response Service (ARS). To this end, the one-time secret password generation module 420 may receive a telephone number or an e-mail address from the user.

The authentication processing module 430 receives the user authentication key from the user terminal 100. The authentication processing module 430 inputs the one-time secret password generated by the one-time secret password generation module 420 and the secret hash value of the user registered in the secret hash value registration module 410 into the hash function as a seed value to generate a user authentication key. The authentication processing module 430 compares the generated user authentication key with the user authentication key received from the user terminal 100. If they match, the authentication processing module 430 transmits an authentication success response to the user terminal 100; if they do not match, it transmits an authentication failure response to the user terminal 100.

The one-time secret password generation module 420 and the authentication processing module 430 identify the user terminal 100 using the IP address of the logged-in user terminal 100 or its session information (including the ID information). That is, when the user authentication key is received from the user terminal 100, the one-time secret password that was transmitted to that user terminal 100 and the secret hash value of the user can be identified using the IP address or the session information of the user terminal 100.

FIG. 5 is a flowchart illustrating a method of registering a secret hash value according to an embodiment of the present invention.

Referring to FIG. 5, the user terminal 100 receives a secret divisor from the user through an input device (S501). Here, the secret divisor may be any one of a long string, an image file, a sound file, or a video file, but is not limited thereto; it is data known only to the user. At this time, the user terminal 100 accesses the authentication server 200 and receives a login web page from the authentication server 200. After the user enters the ID and the password into the login web page and logs in, the process described below can be performed.

The user terminal 100 generates a secret hash value by inputting the entered secret divisor into the hash function as a seed value (S503). The user terminal 100 stores the generated secret hash value as a binary file and transmits the generated secret hash value to the authentication server 200 (S505). The authentication server 200 registers the secret hash value received from the user terminal 100 (S507). Here, registration may mean mapping the user's identification information, for example the ID, to the secret hash value and storing the pair.

FIG. 6 is a flowchart illustrating an authentication method according to an embodiment of the present invention.

Referring to FIG. 6, the user accesses the authentication server 200 using the user terminal 100 and requests the authentication server 200 to perform OTP authentication (S601). The authentication server 200 generates a one-time secret password (OTP) (S603). The one-time secret password can be generated using a random number function. At this time, the authentication server 200 may generate the one-time secret password by inputting the registered secret hash value and a time stamp into the random number function as the seed value.

The authentication server 200 transmits the generated one-time secret password to the user terminal 100 (S605). The authentication server 200 may receive a telephone number from the user terminal 100 and transmit the one-time secret password in a text message to the user terminal 100, using that telephone number as the destination number. Alternatively, the authentication server 200 may place a call to the user terminal 100 and deliver the one-time secret password through an ARS (Automatic Response Service). Although the present embodiment describes transmitting the one-time secret password to the user terminal 100, the present invention is not limited thereto, and it may be transmitted to another device such as the user's wearable device.

Upon receiving the one-time secret password from the authentication server 200, the user enters the received one-time secret password into the user terminal 100 (S607). The user terminal 100 generates a user authentication key by inputting the entered one-time secret password and the secret hash value stored in the user terminal 100 into the hash function as a seed value (S609). When the secret hash value is stored in a separate storage medium such as an NFC card, the user terminal 100 can read the secret hash value from that storage medium through the RF circuit 152 using short-range communication such as Bluetooth or NFC. The user terminal 100 transmits the generated user authentication key to the authentication server 200 (S611).

Upon receiving the user authentication key from the user terminal 100, the authentication server 200 inputs the one-time secret password generated in step S603 and the secret hash value received from the user terminal 100 and registered into the hash function as a seed value to generate a user authentication key (S613). In step S615, the authentication server 200 compares the user authentication key received from the user terminal 100 in step S611 with the user authentication key generated in step S613.

If the comparison shows that the user authentication keys are not identical, the authentication server 200 determines that authentication has failed and transmits an authentication failure response to the user terminal 100 (S617). On the other hand, if the user authentication keys are identical, the authentication server 200 determines that authentication has succeeded and transmits an authentication success response to the user terminal 100 (S619).
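The registration flow of FIG. 5 and the authentication flow of FIG. 6 can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not code from the patent or its applicant. It assumes SHA-256 for the hash function the patent leaves unnamed, draws the one-time secret password from a cryptographically secure generator rather than seeding a random number function with the secret hash value and a time stamp, and uses the user ID in place of the IP address or session information the server uses to find the pending one-time secret password. The user ID "alice" and the secret divisor bytes are constructed sample values.

```python
"""Constructed model of the FIG. 5 registration and FIG. 6 authentication flow.

Added illustration, not code from the patent.  Assumptions: SHA-256 as the
unnamed hash function, a 6-digit OTP from a CSPRNG, and the user id standing
in for the session/IP information the server uses to find the pending OTP.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def secret_hash(secret_divisor: bytes) -> bytes:
    """S503: hash the user's secret divisor (a long string or the bytes of an
    image/sound/video file).  Only this digest ever leaves the terminal."""
    return hashlib.sha256(secret_divisor).digest()


def user_auth_key(otp: str, secret_hash_value: bytes) -> bytes:
    """S609 (terminal) and S613 (server): hash the one-time secret password
    together with the secret hash value.  The OTP is length-prefixed (an
    assumption) so the two parts of the seed cannot be re-split ambiguously."""
    h = hashlib.sha256()
    otp_bytes = otp.encode("utf-8")
    h.update(len(otp_bytes).to_bytes(2, "big"))
    h.update(otp_bytes)
    h.update(secret_hash_value)
    return h.digest()


class AuthServer:
    """Authentication server 200: registration (410), OTP generation (420)
    and authentication processing (430)."""

    def __init__(self) -> None:
        self.registered: Dict[str, bytes] = {}   # user id -> secret hash value
        self.pending: Dict[str, str] = {}        # user id (session) -> issued OTP

    def register(self, user_id: str, secret_hash_value: bytes) -> None:
        """S507: map the user's id to the received secret hash value."""
        self.registered[user_id] = secret_hash_value

    def issue_otp(self, user_id: str, digits: int = 6) -> str:
        """S603: generate a fresh one-time secret password (CSPRNG here)."""
        otp = "".join(secrets.choice("0123456789") for _ in range(digits))
        self.pending[user_id] = otp          # delivered out of band in S605
        return otp

    def verify(self, user_id: str, received_key: bytes) -> bool:
        """S613-S619: recompute the key and compare in constant time.  The
        pending OTP is consumed on first use, so a replayed key is rejected."""
        otp = self.pending.pop(user_id, None)
        if otp is None or user_id not in self.registered:
            return False
        expected = user_auth_key(otp, self.registered[user_id])
        return hmac.compare_digest(expected, received_key)


class UserTerminal:
    """User terminal 100 running the authentication program 113."""

    def __init__(self, user_id: str, secret_divisor: bytes) -> None:
        self.user_id = user_id
        # Kept as a binary file on the terminal (or on an NFC card).
        self.secret_hash_value = secret_hash(secret_divisor)

    def register(self, server: AuthServer) -> None:
        """S505: send only the secret hash value, never the divisor."""
        server.register(self.user_id, self.secret_hash_value)

    def answer(self, entered_otp: str) -> bytes:
        """S607-S609: combine the OTP typed by the user with the stored hash."""
        return user_auth_key(entered_otp, self.secret_hash_value)


def run_exchange(secret_divisor: bytes,
                 entered_otp: Optional[str] = None) -> Tuple[bool, bool]:
    """Run the whole flow once.  Returns (first verification result, result
    of replaying the same key) so the single-use property is visible.
    `entered_otp` overrides what the user types, to simulate a mistyped OTP."""
    server = AuthServer()
    terminal = UserTerminal("alice", secret_divisor)   # constructed user
    terminal.register(server)                          # FIG. 5
    issued = server.issue_otp("alice")                 # S603, sent via SMS/push/ARS
    typed = issued if entered_otp is None else entered_otp
    key = terminal.answer(typed)                       # S607-S611
    first = server.verify("alice", key)                # S613-S619
    replay = server.verify("alice", key)               # same key presented again
    return first, replay


if __name__ == "__main__":
    divisor = b"constructed secret divisor: a long passphrase"
    print(run_exchange(divisor))            # (True, False)
    print(run_exchange(divisor, "wrong"))   # (False, False)
```

Two points the flowchart does not spell out are made explicit here: the server compares the two keys with a constant-time comparison, and it discards the issued one-time secret password as soon as a key has been checked against it, so that the same user authentication key cannot be presented twice.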

Hereinafter, a method of inputting the one-time secret password will be described with reference to the drawings.

FIG. 7 is a block diagram illustrating a configuration of a one-time secret password input module according to an embodiment of the present invention.

Referring to FIG. 7, the one-time secret password input module 320 includes an image registration module 710, an image input module 720, and a one-time secret password extraction module 730.

The image registration module 710 communicates with the authentication server 200 to receive candidate images and their codes from the authentication server 200, displays the candidate images on the screen, and receives the user's selection of key images and camouflage images. Here, a camouflage image is an image displayed together with the key images so that the key images are not revealed to others. To this end, the authentication processing module 430 of the authentication server 200 stores candidate images and their codes, and transmits the candidate images and their codes to the user terminal 100 when the user terminal 100 connects.

FIG. 8 is a diagram illustrating candidate images according to an embodiment of the present invention. The image registration module 710 receives candidate images and their codes from the authentication server 200 and displays the candidate images as shown in FIG. 8. The user selects the key images and the camouflage images from the candidate images shown in FIG. 8; for example, the user may select three key images and nine camouflage images.

The image registration module 710 transmits the codes of the key images selected by the user and the codes of the camouflage images to the authentication server 200. At this time, the image registration module 710 does not transmit any information distinguishing the codes of the key images from the codes of the camouflage images. Therefore, even though the authentication server 200 receives the codes of the images, it cannot know which code belongs to an image designated by the user as a key image. The authentication processing module 430 of the authentication server 200 maps the codes of the received images to the identification information (e.g., ID) of the user and stores them.

The image registration module 710 stores the codes of the user's key images and their order in the user terminal 100, and does not store the codes of the camouflage images in the user terminal 100. That is, only the codes of the key images and their order information are stored in the user terminal 100, while the codes of both the key images and the camouflage images are stored in the authentication server 200. However, the authentication server 200 does not store any information distinguishing the key images from the camouflage images.

The image input module 720 displays an interface through which the user can enter the one-time secret password received from the authentication server 200 by means of images. The image input module 720 displays two concentric circle interfaces. To this end, the authentication processing module 430 of the authentication server 200 transmits the key images and camouflage images set by the user, together with their codes, to the image input module 720.

Of the two circle interfaces, the first circle interface displays candidate secret codes such as numbers, special characters or letters along its circumference, and the second circle interface displays the key images and camouflage images along its circumference. The first circle interface does not rotate, and the second circle interface can be rotated according to the user's input. Conversely, the first circle interface may rotate while the second does not, or both the first and second circle interfaces may rotate. In the present embodiment, it is assumed that only the second circle interface rotates.

The image input module 720 receives the key images and camouflage images registered by the user, together with their codes, from the authentication processing module 430 of the authentication server 200, and arranges the received key images and camouflage images along the circumference of the second circle interface. The image input module 720 may also receive the candidate secret codes of the first circle interface and their codes from the authentication server 200 and list the received candidate secret codes along the circumference of the first circle interface. Of course, the candidate secret codes of the first circle interface and their codes may instead be stored in the terminal itself.

FIG. 9 is a diagram illustrating a circle interface according to an embodiment of the present invention. Referring to FIG. 9, the numerals 1 to 12 are arranged along the circumference of the first circle interface 910, and the key images and camouflage images registered by the user in the authentication server 200 are received from the authentication server 200 and arranged randomly along the circumference of the second circle interface 920, which surrounds the first circle interface 910.

The image input module 720 receives a rotation input for the second circle interface from the user and rotates the second circle interface. The rotation input can be a touch-and-drag gesture, or a mouse or button input.

When the user rotates the second circle interface and then presses the completion input, the one-time secret password extraction module 730 extracts, from the first circle interface, the candidate secret code located in the same orientation as the key image stored in the user terminal 100. The one-time secret password extraction module 730 repeats this process as many times as the number of key images the user has stored in the user terminal 100, and thereby extracts the one-time secret password.

The extraction of the one-time secret password using the key images described above can be performed through a matrix operation. The user rotates the second circle interface and then presses the completion input. The user presses the completion input when one of the candidate secret codes listed in the first circle interface and the key image among the images listed in the second circle interface are located in the same orientation. When the completion input is pressed, the one-time secret password extraction module 730 extracts a matrix of the codes of the images in the second circle interface according to a fixed criterion. For example, the codes of the images listed in the second circle interface are extracted clockwise starting from 12 o'clock to produce a 1 × 12 matrix. One such 1 × 12 matrix is produced for each key image. The user enters rotation and completion inputs for the second circle interface once per key image, in the order of the key images set by the user, and each time a completion input is received the one-time secret password extraction module 730 extracts the codes of the images listed in the second circle interface and generates a 1 × 12 matrix. If the number of key images is n, an n × 12 matrix is created.

For example, if the one-time secret password received from the authentication server 200 is (1, 2, 7) and the key images are a soccer ball, a baseball and a rugby ball, the user first rotates the second circle interface to place the soccer ball image in the same orientation as the number '1' on the first circle interface and presses completion. The one-time secret password extraction module 730 extracts the codes of the images of the second circle interface clockwise from the 12 o'clock direction to generate the first 1 × 12 matrix. Next, the user rotates the second circle interface again to place the baseball image in the same orientation as the number '2' of the first circle interface and presses completion. The one-time secret password extraction module 730 extracts the codes of the images of the second circle interface clockwise from the 12 o'clock direction to generate the second 1 × 12 matrix. Finally, the user rotates the second circle interface again to place the rugby ball image in the same orientation as the number '7' of the first circle interface and presses completion. The one-time secret password extraction module 730 extracts the codes of the images of the second circle interface clockwise from the 12 o'clock direction to generate the third 1 × 12 matrix. Thus, a 3 × 12 matrix is finally extracted.

The one-time secret password extraction module 730 extracts the coordinates of each key image's code from the extracted matrix, based on the key images set by the user and their order, and extracts the one-time secret password from the extracted coordinates. In the example above, following the key images set by the user and their order (soccer ball, baseball, rugby ball), the one-time secret password extraction module 730 locates the coordinates of the soccer ball code in the first row of the 3 × 12 matrix and extracts the number '1' of the first circle interface corresponding to those coordinates. Next, it locates the coordinates of the baseball code in the second row of the 3 × 12 matrix and extracts the number '2' of the first circle interface corresponding to those coordinates. Finally, it locates the coordinates of the rugby ball code in the third row of the 3 × 12 matrix and extracts the number '7' of the first circle interface corresponding to those coordinates. Therefore, the one-time secret password (1, 2, 7) is finally extracted.

In the above embodiment, the user registers and uses at least two key images. However, without limitation, the user can register and use a single key image. In this case, the order of the key images need not be considered, and the user can use the one key image repeatedly. In the example above, the user first places the single key image in the same orientation as the number '1' of the first circle interface and presses completion, then places it in the same orientation as the number '2' and presses completion, and finally places it in the same orientation as the number '7' and presses completion. Then (1, 2, 7) is extracted as the one-time secret password.

In addition, two circle interfaces are described in the embodiment with reference to FIG. 9. However, the invention is not limited thereto, and three circle interfaces may be used. For example, when the authentication server 200 issues a six-digit one-time secret password and the user has registered three key images, the six-digit one-time secret password can be entered at the user terminal 100 using three circle interfaces.

FIG. 10 is a diagram illustrating three circle interfaces according to an embodiment of the present invention. Referring to FIG. 10, candidate secret codes such as numerals and special characters are arranged along the circumference of the first circle interface 1010 of the three circle interfaces; the second circle interface surrounds the outer periphery of the first circle interface 1010 and has the same candidate secret codes as the first circle interface 1010 arranged along its circumference; and in the third circle interface 1030 the key images and camouflage images are arranged randomly along the circumference. At this time, all of the first to third circle interfaces may rotate, or only two of them may rotate. In this embodiment, the case where the second and third circle interfaces rotate is described.

For example, if the one-time secret password received from the authentication server 200 is the six-digit number 100207 and the key images are a soccer ball, a baseball and a rugby ball, the user first rotates the second and third circle interfaces so that the number '1' of the first circle interface, the number '0' of the second circle interface and the 'soccer ball' image of the third circle interface are positioned in the same orientation, and presses completion. Next, the user rotates the second and third circle interfaces again so that the number '0' of the first circle interface, the number '2' of the second circle interface and the 'baseball' image of the third circle interface are positioned in the same orientation, and presses completion. Finally, the user rotates the second and third circle interfaces again so that the number '0' of the first circle interface, the number '7' of the second circle interface and the 'rugby ball' image of the third circle interface are positioned in the same orientation, and presses completion. By performing these three operations, the candidate secret codes, i.e., the numbers, of the first and second circle interfaces located in the same orientation as the key image in each step can be extracted. In the above example, '10' is extracted from the first operation, '02' from the second operation, and '07' from the third operation.

The extraction of the one-time secret password using the key images in the three circle interfaces described with reference to FIG. 10 can be performed by a matrix operation, as with the two circle interfaces. Each of the first and second circle interfaces is mapped to candidate secret codes and their codes, and the third circle interface is mapped to images and their codes. One row is created for each circle interface according to a fixed criterion. Here, the criterion is, for example, that when the circle interfaces are first displayed, the candidate secret codes or images read clockwise from 12 o'clock form the row, and when a circle interface is rotated the row is shifted accordingly, so that the value in each column of each row after the shift can be identified. When the user rotates the third circle interface and then presses the completion button, the coordinates of the key image are extracted from the matrix values of the third circle interface, and the matrix values of the first and second circle interfaces at the same coordinates are extracted as the one-time secret password.
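The matrix operation described for the two-circle interface of FIG. 9 and the three-circle interface of FIG. 10, and the single-key variant, can be modelled with one small simulator. The code below is an added illustration written for this page, not the patent's own implementation. It assumes twelve slots per circle, that the innermost circle is the one that does not rotate, and that a row is read clockwise from the 12 o'clock slot. The image codes, their arrangement around the circle, the key images (soccer, baseball, rugby) and the one-time secret passwords (1, 2, 7) and 100207 are constructed sample values taken from the examples above.

```python
"""Constructed model of the circle-interface extraction of FIGS. 9 and 10.

Added illustration, not the patent's code.  Image codes, ring arrangement
and the key images (soccer, baseball, rugby) are constructed sample values.
"""
from typing import List, Sequence

SLOTS = 12  # both figures place twelve items around each circle interface


def read_ring(ring: Sequence[str], steps: int) -> List[str]:
    """Snapshot one circle interface as a 1 x 12 row: the items read clockwise
    from the 12 o'clock slot after the ring has been turned clockwise by
    `steps` slots (the item at index i moves to index (i + steps) % 12)."""
    items = list(ring)
    steps %= SLOTS
    return items[-steps:] + items[:-steps] if steps else items


def align_press(rings: Sequence[Sequence[str]],
                targets: Sequence[str]) -> List[List[str]]:
    """Simulate the user's rotate-then-complete gesture.  rings[0] is the
    fixed circle interface; every other ring is turned until targets[j] sits
    in the same orientation as targets[0].  Returns one row per ring, i.e.
    the matrix snapshot taken by module 730 on the completion input."""
    slot = list(rings[0]).index(targets[0])
    rows = [read_ring(rings[0], 0)]
    for ring, target in zip(rings[1:], targets[1:]):
        steps = (slot - list(ring).index(target)) % SLOTS
        rows.append(read_ring(ring, steps))
    return rows


def extract_otp(presses: Sequence[Sequence[Sequence[str]]],
                key_codes: Sequence[str]) -> str:
    """Module 730: for press i, find the column of the i-th key image in the
    image row (the last ring) and read the candidate secret codes of all
    other rings at that column.  A single key image reused for every press
    (the one-key variant) is covered by the modulo."""
    digits = []
    for i, rows in enumerate(presses):
        image_row = rows[-1]
        col = list(image_row).index(key_codes[i % len(key_codes)])
        digits.append("".join(row[col] for row in rows[:-1]))
    return "".join(digits)


# Constructed image codes: three key images among nine camouflage images.
IMAGES = ["c01", "soccer", "c02", "c03", "baseball", "c04",
          "c05", "c06", "rugby", "c07", "c08", "c09"]
KEYS = ["soccer", "baseball", "rugby"]                  # order set by the user
NUMBERS = [str(n) for n in range(1, 13)]                # FIG. 9 inner ring
CANDIDATES = [str(d) for d in range(10)] + ["*", "#"]   # FIG. 10 inner rings


def two_circle_demo(otp: Sequence[str] = ("1", "2", "7")):
    """FIG. 9: the user aligns each key image with one number in turn.
    Returns the 3 x 12 matrix of image codes and the extracted OTP."""
    rings = [NUMBERS, IMAGES]
    presses = [align_press(rings, [n, k]) for n, k in zip(otp, KEYS)]
    matrix = [rows[-1] for rows in presses]
    return matrix, extract_otp(presses, KEYS)


def three_circle_demo(otp: str = "100207") -> str:
    """FIG. 10: two digits per press; the second and third rings rotate."""
    rings = [CANDIDATES, CANDIDATES, IMAGES]
    pairs = [otp[i:i + 2] for i in range(0, len(otp), 2)]
    presses = [align_press(rings, [p[0], p[1], k]) for p, k in zip(pairs, KEYS)]
    return extract_otp(presses, KEYS)


def single_key_demo(otp: Sequence[str] = ("1", "2", "7")) -> str:
    """One key image reused three times, as in the single-key variant."""
    presses = [align_press([NUMBERS, IMAGES], [n, "soccer"]) for n in otp]
    return extract_otp(presses, ["soccer"])


if __name__ == "__main__":
    matrix, otp = two_circle_demo()
    for row in matrix:
        print(" ".join(row))
    print(otp, three_circle_demo(), single_key_demo())   # 127 100207 127
```

The n × 12 matrix returned by `two_circle_demo` is exactly the snapshot that the terminal could forward to the server instead of the extracted digits, since only a party that knows which codes are key images can turn the matrix back into the one-time secret password.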

In the above embodiment, the key image and the camouflage image set by the user are stored in the authentication server 200, but the identification information of the key image and the camouflage image is not stored, so that the authentication server 200 determines which one of the images is the key image The authentication server 200 only transmits the key image and the camouflage image set by the user and their codes to the user terminal 100. [ The key image classification information is stored in the user terminal 100 and used.

As another embodiment, the key image and the camouflage image set by the user may be stored in the authentication server 200, and the key image distinction information may be stored together. In order to implement the circle interface, When the interface data such as the camouflage image is transmitted to the user terminal 100, it is possible to transmit the key image division information together. In this case, the user terminal 100 does not need to store the information of the key image. Only when the authentication is performed, the user terminal 100 receives the key image classification information from the authentication server 200 and temporarily stores the key image. To this end, the image registration module 710 transmits to the authentication server 200 information identifying the code of the key image and the code of the camouflage image.

Meanwhile, in the above-described embodiment, the one-time secret password is extracted from the user terminal 100 through the circle interface, and then the extracted one-time secret password is transmitted to the authentication server 200. FIG. However, it is not limited to this.

As another embodiment, the authentication server 200 stores key images and camouflage images set by the user, and also stores key image distinction information. When the user operates the circle interface to input the one-time secret code without directly extracting the one-time secret code from the circle interface, the user terminal 100 generates a matrix extracted from the circle interface (e.g., A 2 × 12 matrix extracted from the first and second circle interfaces, and a 3 × 12 matrix shown in FIG. 10) as a one-time secret password, and transmits the user authentication key to the authentication server 200. Since the authentication server 200 stores the identification information of the key image and knows the disposable secret password, the authentication server 200 can generate the user authentication key in the same manner as the user terminal 100, And compares the authentication key with the user authentication key received from the user terminal 100 to perform authentication.

To this end, the user authentication key generation module 330 generates the user authentication key by inputting, as a seed value into the hash function, the matrix generated by the circle interface in the one-time secret password input module 320 together with the secret hash value generated by the secret hash value generation module 310. The authentication processing module 430 of the authentication server 200 generates the matrix of the circle interface using the key image and the camouflage image registered by the user and the disposable secret code issued by the server, generates a user authentication key from that matrix and the secret hash value, and compares it with the user authentication key received from the user terminal 100. Here, the authentication server 200 transmits the codes of the key image and the camouflage image to the user terminal 100 so that the circle interface can be implemented, and the codes of the key image and the camouflage image are one-time values: the authentication server 200 can issue a disposable virtual code as the code of the key image and of the camouflage image each time authentication is performed. Therefore, even if the matrix is intercepted on the network by a hacker, the codes of the images are changed at the next authentication, so that secure authentication becomes possible.

FIG. 11 is a diagram showing a configuration of an authentication program according to another embodiment of the present invention.

Referring to FIG. 11, the authentication program 113 according to the present embodiment further includes a device authentication key generation module 1110 and a program authentication key generation module 1120, as compared with FIG.

The device authentication key generation module 1110 collects unique information of the user terminal 100, such as the MAC address of the network interface card (NIC), when the authentication program 113 is executed for the first time, and generates a device authentication key using the collected unique information. Specifically, the device authentication key generation module 1110 inputs the unique information of the user terminal 100 as a seed value into the hash function, stores the resulting value as the device authentication key, and transmits the generated device authentication key to the authentication server 200 to register it there in the same way as the secret hash value. The secret hash value registration module 410 of the authentication server 200 stores the secret hash value of the user and the device authentication key together.

The device authentication key generation module 1110 can transmit the stored device authentication key to the authentication server 200 at each authentication and receive the authentication result. The authentication processing module 430 of the authentication server 200 compares, at each authentication, the previously registered device authentication key with the device authentication key received from the device authentication key generation module 1110 and returns the authentication result. That is, when authentication is attempted from a terminal other than the predetermined user terminal 100, authentication fails.

Also, the device authentication key generation module 1110 can generate a device authentication key at each execution of the authentication program 113 and compare it with the previously stored device authentication key. If the two device authentication keys do not match, the device authentication key generation module 1110 automatically deletes the authentication program 113. For example, when the authentication program 113 installed in the user terminal 100 is copied to another device and executed there, the previously stored device authentication key and the device authentication key generated at the time of execution do not coincide, so the copy of the authentication program 113 on that device is automatically deleted.

The program authentication key generation module 1120 generates and stores a program authentication key using the device authentication key generated by the device authentication key generation module 1110, a time stamp, and the secret hash value, transmits it to the authentication server 200, and registers it together with the secret hash value. The secret hash value registration module 410 of the authentication server 200 stores the secret hash value of the user and the program authentication key together. The program authentication key may be stored in the authentication program 113 as a binary file. The time stamp is a character string indicating the time at which the program authentication key was generated.

The program authentication key generation module 1120 can transmit the program authentication key to the authentication server 200 at each authentication and receive the authentication result. The authentication processing module 430 of the authentication server 200 compares, at each authentication, the previously registered program authentication key with the program authentication key received from the program authentication key generation module 1120 and returns the result. That is, authentication fails not only when it is attempted from a terminal other than the predetermined user terminal 100, but also when the authentication program 113 is reinstalled or duplicated, because the time stamp value then changes.
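To make the device and program binding concrete, the following is an added Python example (not the patent's own code) of modules 1110, 1120, 410 and 430: it enrols a terminal, then shows a copied program failing the per-execution device key check and a reinstalled program failing the program key comparison. It assumes SHA-256 as the hash function, '|' as a seed field separator, and constructed MAC addresses, time stamps and user secret.

```python
"""Device and program authentication keys as described for modules 1110/1120.

Added example, not the patent's own code. Assumptions (not in the patent):
SHA-256 as the hash function, '|' to separate seed fields, and a MAC address
string as the terminal's unique information. All sample values are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def h(*parts: str) -> str:
    """Hash function applied to the concatenated seed fields (assumed SHA-256)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def secret_hash_value(secret: str) -> str:
    """Secret hash value generation module 310: hash of the user's secret."""
    return h("secret", secret)


def device_auth_key(unique_info: str) -> str:
    """Module 1110: hash of terminal-unique information such as the NIC MAC address."""
    return h("device", unique_info)


def program_auth_key(dev_key: str, timestamp: str, secret_hash: str) -> str:
    """Module 1120: hash of device key, time stamp of generation, and secret hash value."""
    return h("program", dev_key, timestamp, secret_hash)


@dataclass
class AuthServer:
    """Registration module 410 stores the keys; processing module 430 compares them."""
    registry: dict = field(default_factory=dict)

    def register(self, user: str, secret_hash: str, dev_key: str, prog_key: str) -> None:
        self.registry[user] = {"secret_hash": secret_hash,
                               "device_key": dev_key, "program_key": prog_key}

    def verify_binding(self, user: str, dev_key: str, prog_key: str) -> bool:
        """Keys received at each authentication must equal the registered ones."""
        rec = self.registry.get(user)
        if rec is None:
            return False
        return (hmac.compare_digest(rec["device_key"], dev_key)
                and hmac.compare_digest(rec["program_key"], prog_key))


@dataclass
class AuthProgram:
    """One installed copy of authentication program 113 with its stored keys."""
    unique_info: str          # unique info of the terminal it actually runs on
    secret_hash: str
    install_time: str         # time stamp fixed when the program key was generated
    device_key: str = ""
    program_key: str = ""

    def first_run(self) -> None:
        """First execution: derive and store both keys."""
        self.device_key = device_auth_key(self.unique_info)
        self.program_key = program_auth_key(self.device_key, self.install_time, self.secret_hash)

    def startup_check(self) -> bool:
        """Each later execution: regenerate the device key and compare with the stored one.
        A copied program carries the stored key of the original terminal, so this is
        the check that notices it is running elsewhere (the patent then self-deletes)."""
        return hmac.compare_digest(self.device_key, device_auth_key(self.unique_info))

    def present_keys(self) -> tuple:
        """Keys sent to the server at each authentication: regenerated device key, stored program key."""
        return device_auth_key(self.unique_info), self.program_key


def scenario() -> dict:
    """Walk through enrolment, a copied program, and a reinstall on the same terminal."""
    server = AuthServer()
    secret_hash = secret_hash_value("1234")                     # constructed user secret
    original = AuthProgram("02:00:00:aa:bb:cc", secret_hash, "2015-04-14T09:00:00")  # constructed
    original.first_run()
    server.register("user1", secret_hash, original.device_key, original.program_key)

    # 1. Normal authentication from the enrolled terminal.
    genuine_ok = original.startup_check() and server.verify_binding("user1", *original.present_keys())

    # 2. The installed program, with its stored keys, is copied to a terminal with another MAC.
    copied = AuthProgram("02:00:00:dd:ee:ff", secret_hash, original.install_time,
                         original.device_key, original.program_key)
    copy_passes_startup = copied.startup_check()
    copy_accepted = server.verify_binding("user1", *copied.present_keys())

    # 3. The program is deleted and reinstalled on the same terminal: new time stamp, new program key.
    reinstalled = AuthProgram(original.unique_info, secret_hash, "2015-04-20T18:30:00")
    reinstalled.first_run()
    reinstall_passes_startup = reinstalled.startup_check()   # same MAC, device key still matches
    reinstall_accepted = server.verify_binding("user1", *reinstalled.present_keys())

    return {
        "genuine_ok": genuine_ok,
        "copy_passes_startup": copy_passes_startup,
        "copy_accepted": copy_accepted,
        "reinstall_passes_startup": reinstall_passes_startup,
        "reinstall_accepted": reinstall_accepted,
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```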

In the present invention as described above, when the user inputs a one-time secret password issued by the authentication server 200 into the user terminal 100, the one-time secret password is encrypted with the secret hash value using a hash algorithm, so that the one-time secret password cannot be hacked.

In addition, when the disposable secret password is input at the user terminal 100 using the circle interface, it is impossible to learn the disposable secret password even if someone is peering at the screen. Therefore, security when inputting the one-time secret password is enhanced.

Further, according to the present invention, additional device authentication and program authentication are performed using the device authentication key and the program authentication key, thereby ensuring a one-to-one binding between the program and its terminal. That is, even if an authentication program (for example, an application) is copied and transplanted to another user terminal, the device authentication key verification fails and authentication fails. Also, if the program is deleted from the same terminal and reinstalled, the program authentication key changes and authentication fails again. Therefore, personal information hacking by deleting and reinstalling the program can be blocked.

On the other hand, in the above-described embodiment, the authentication server 200 generates the one-time secret password and transmits it to the destination specified by the user. The authentication server 200 may, however, not transmit the one-time secret password at all. That is, the user carries a portable disposable secret code generator, and the portable disposable secret code generator stores a secret hash value equal to the secret hash value stored in the user terminal 100. The portable one-time secret password generator generates the one-time secret password using the same algorithm as the authentication server 200: it generates and displays a one-time secret password by inputting the secret hash value and a time stamp into a random number function as a seed value. The user inputs the one-time secret password displayed on the portable one-time secret password generator into the user terminal 100, which transmits the user authentication key to the authentication server 200. The input at this time may use the image input method described above or may be text input. The authentication server 200 generates the one-time secret password by inputting the same time stamp as the portable one-time secret password generator and the already registered secret hash value into the random number function as a seed value. The authentication server 200 then generates the user authentication key by inputting the generated one-time secret password and the secret hash value into the hash function as a seed value, and compares the result with the user authentication key received from the user terminal 100.

In the above example, the portable one-time secret password generator is described as storing the secret hash value. However, the portable one-time secret password generator may instead generate the one-time secret password using a time stamp and the device serial number, as an existing one-time secret password generator does, without storing the secret hash value. In that case, the user terminal 100 inputs the disposable secret password and the secret hash value into the hash function as a seed value to generate the user authentication key, and transmits the generated user authentication key to the authentication server 200. That is, while user authentication is performed using the existing hardware-based one-time secret password authentication method, the user terminal 100 receives the one-time secret password using the image input method and transmits it to the authentication server 200 in the form of a secret hash encryption using the secret hash value.
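The portable-generator flow of the two paragraphs above, as an added Python example (not the patent's own code): the generator and the server derive the same one-time secret password from the shared secret hash value and a time stamp, and the terminal sends only the hashed user authentication key. It assumes SHA-256 as the hash function, HMAC-SHA256 reduced to six decimal digits as the "random number function", a 30-second window as the time stamp, and constructed secret and clock values.

```python
"""Portable one-time secret password generator flow (variant that stores the secret hash value).

Added example, not the patent's own code. Assumptions (not in the patent): SHA-256 as
the hash function; HMAC-SHA256 keyed with the secret hash value and reduced to six
decimal digits as the 'random number function'; and a time stamp equal to the current
30-second window. All sample values are constructed.
"""
import hashlib
import hmac

DIGITS = 6
STEP_SECONDS = 30


def h(*parts: str) -> str:
    """Hash function over the concatenated seed fields (assumed SHA-256)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def secret_hash_value(secret: str) -> str:
    """Module 310: secret hash value derived from the user's secret at enrolment."""
    return h("secret", secret)


def time_stamp(now: int) -> str:
    """Time stamp shared by generator and server: the 30-second window containing `now`."""
    return str(now // STEP_SECONDS)


def one_time_password(secret_hash: str, stamp: str) -> str:
    """Random number function seeded with the secret hash value and the time stamp."""
    mac = hmac.new(secret_hash.encode(), stamp.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


def user_auth_key(otp: str, secret_hash: str) -> str:
    """Module 330: the only value that leaves the terminal is H(OTP, secret hash value)."""
    return h("auth", otp, secret_hash)


class AuthServer:
    """Modules 410/420/430: registers the secret hash value, regenerates the OTP, compares keys."""

    def __init__(self) -> None:
        self.registered = {}

    def register(self, user: str, secret_hash: str) -> None:
        self.registered[user] = secret_hash

    def authenticate(self, user: str, received_key: str, now: int) -> bool:
        secret_hash = self.registered.get(user)
        if secret_hash is None:
            return False
        expected_otp = one_time_password(secret_hash, time_stamp(now))
        expected_key = user_auth_key(expected_otp, secret_hash)
        return hmac.compare_digest(expected_key, received_key)


def scenario() -> dict:
    """Enrolment, a genuine login, a replay in the next window, and a key built without the secret."""
    server = AuthServer()
    secret_hash = secret_hash_value("1234")           # constructed user secret
    server.register("user1", secret_hash)

    now = 1_700_000_010                                # constructed clock value (start of a window)
    # Portable generator: displays the OTP computed from its copy of the secret hash value.
    shown_otp = one_time_password(secret_hash, time_stamp(now))
    # User terminal: the user types the displayed OTP; only the derived key is transmitted.
    key = user_auth_key(shown_otp, secret_hash)

    genuine_ok = server.authenticate("user1", key, now + 19)   # same 30-second window
    replay_ok = server.authenticate("user1", key, now + 30)    # next window: the OTP has changed
    # A key formed from the same OTP but a different secret hash value is rejected.
    wrong_key = user_auth_key(shown_otp, secret_hash_value("0000"))
    guess_ok = server.authenticate("user1", wrong_key, now)

    return {"otp_digits": len(shown_otp), "genuine_ok": genuine_ok,
            "replay_ok": replay_ok, "guess_ok": guess_ok}


if __name__ == "__main__":
    print(scenario())
```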

While the specification contains many features, such features should not be construed as limiting the scope of the invention or the scope of the claims. In addition, features described in separate embodiments herein may be combined and implemented in a single embodiment. Conversely, various features described in the context of a single embodiment herein may be implemented in various embodiments individually or in any suitable combination.

Although the operations are depicted in the drawings in a particular order, this should not be understood as requiring that the operations be performed in the particular order shown or in sequential order, or that all of the described operations be performed, in order to achieve the desired result. In certain circumstances, multitasking and parallel processing may be advantageous. It should also be understood that the separation of various system components in the above embodiments does not require such separation in all embodiments. The above-described program components and systems can generally be implemented as a single software product or packaged into multiple software products.

The method of the present invention as described above can be implemented by a program and stored in a computer-readable recording medium (CD-ROM, RAM, ROM, floppy disk, hard disk, magneto optical disk, etc.). Such a process can be easily carried out by those skilled in the art and will not be described in detail.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. The present invention is not limited to the drawings.

100: user terminal
200: authentication server
310: secret hash value generation module
320: disposable secret password input module
330: user authentication key generation module
410: secret hash value registration module
420: disposable secret password generation module
430: authentication processing module

Claims (29)

1. A user device communicating with a server to authenticate a user, comprising:
a secret hash value generation module for generating and storing a secret hash value by inputting a secret divisor input by the user as a seed value into a hash function, and for transmitting the secret hash value to the server and registering it there;
a one-time secret password input module for receiving a one-time secret password; and
a user authentication key generation module for generating a user authentication key by inputting the one-time secret password received by the one-time secret password input module and the secret hash value as a seed value into the hash function, transmitting the user authentication key to the server, and receiving from the server the result of comparison with a user authentication key generated in the server,
wherein the user authentication key generated by the server is a value generated by inputting the secret hash value registered in the server and a disposable secret password generated by the server into a hash function as a seed value.
2. The user device of claim 1,
wherein the one-time secret password is generated in the server and received at a destination designated by the user, and
wherein the disposable secret password input module receives from the user the disposable secret password received at the destination.
3. The user device of claim 2,
wherein the destination specified by the user is one of the user device and a wearable device of the user.
4. The user device of claim 2,
wherein the one-time secret password is a value generated in the server by inputting a time stamp and the secret hash value registered in the server into a random number function as a seed value.
5. The user device of claim 1,
wherein the one-time secret password is generated in a portable one-time secret password generator, and
wherein the one-time secret password input module receives from the user the one-time secret password generated by the portable one-time secret password generator.
6. The user device of claim 5,
wherein the portable disposable secret password generator stores a secret hash value identical to the secret hash value generated by the secret hash value generation module, and
wherein the one-time secret password is a value generated in the portable disposable secret password generator by inputting the secret hash value and a time stamp into a random number function as a seed value.
7. The user device according to any one of claims 1 to 6,
wherein the secret hash value generated by the secret hash value generation module is stored in an NFC card, and
wherein the user authentication key generation module generates the user authentication key by reading the secret hash value stored in the NFC card from the NFC card.
8. The user device according to any one of claims 1 to 6, further comprising
a device authentication key generation module for storing a device authentication key generated by inputting unique information of the user device as a seed value into a hash function, and for transmitting the device authentication key to the server and registering it there.
9. The user device of claim 8,
wherein the device authentication key generation module transmits the stored device authentication key to the server at each authentication and receives the result of comparison with the device authentication key registered in the server.
10. The user device of claim 8, further comprising
a program authentication key generation module for storing a program authentication key generated by inputting a time stamp, the device authentication key, and the secret hash value into a hash function as a seed value, and for transmitting the program authentication key to the server and registering it there.
11. The user device of claim 10,
wherein the program authentication key generation module transmits the stored program authentication key to the server and receives the result of comparison with the program authentication key registered in the server.
12. The user device according to any one of claims 1 to 6, wherein the disposable secret password input module comprises:
an image registration module for receiving candidate images and their codes from the server and displaying the candidate images, transmitting to the server, without distinction, the codes of the key image and the camouflage image selected by the user from among the candidate images, and storing the code of the key image;
an image input module for receiving the key image, the camouflage image and their codes from the server, receiving candidate secret codes and their codes from the server, displaying at least two interfaces, displaying the key image and the camouflage image on one of the interfaces, displaying the candidate secret codes received from the server on the remaining interface, and moving at least one of the interfaces according to the user's input; and
a one-time secret password extraction module for extracting, as the one-time secret password, the candidate secret code located in the remaining interface in the same orientation as the key image displayed on the one interface, based on the code of the key image stored in the image registration module.
13. The user device of claim 12,
wherein there are at least two key images,
wherein the image registration module further stores order information of the at least two key images, and
wherein the disposable secret password extraction module sequentially extracts the one-time secret password from the remaining interface based on the order information of the key images.
14. The user device of claim 12,
wherein the at least two interfaces are concentric circle interfaces.
15. The user device according to any one of claims 1 to 6, wherein the disposable secret password input module comprises:
an image registration module for receiving candidate images and their codes from the server and displaying the candidate images, and transmitting to the server the code of the key image and the code of the camouflage image selected by the user from among the candidate images together with key image identification information;
an image input module for receiving the key image, the camouflage image, their codes and the key image identification information from the server, receiving candidate secret codes and their codes from the server, displaying at least two interfaces, displaying the key image and the camouflage image received from the server on one of the interfaces, displaying the candidate secret codes received from the server on the remaining interface, and moving at least one of the interfaces according to the user's input; and
a one-time secret password extraction module for extracting, as the one-time secret password, the candidate secret code located in the remaining interface in the same orientation as the key image displayed on the one interface, based on the key image identification information received from the server.
16. The user device of claim 15,
wherein there are at least two key images,
wherein the image registration module further registers order information of the key images by transmitting it to the server,
wherein the image input module further receives the order information of the key images from the server, and
wherein the one-time secret password extraction module sequentially extracts the one-time secret password from the remaining interface based on the key image identification information and the order information received from the server.
17. The user device according to any one of claims 1 to 6, wherein the disposable secret password input module comprises:
an image registration module for receiving candidate images and their codes from the server and displaying the candidate images, and transmitting to the server the code of the key image and the code of the camouflage image selected by the user from among the candidate images together with key image identification information;
an image input module for receiving the key image, the camouflage image and their codes from the server, receiving candidate secret codes and their codes from the server, displaying at least two interfaces, displaying the key image and the camouflage image on one of the interfaces, displaying the candidate secret codes received from the server on the remaining interface, and moving at least one of the interfaces according to the user's input; and
a disposable secret code extraction module for, upon receiving from the user an input indicating that the movement of the interface is complete, extracting the code matrix of the images on the one interface and the code matrix of the candidate secret codes on the remaining interface as the disposable secret code.
18. A server apparatus for authenticating a user by communicating with a user apparatus, comprising:
a secret hash value registration module for receiving and registering a secret hash value generated by inputting a secret divisor input by the user as a seed value into a hash function;
a one-time secret password generation module for generating a one-time secret password; and
an authentication processing module for receiving a user authentication key from the user device, comparing the received user authentication key with a user authentication key generated by inputting the registered secret hash value and the generated one-time secret password as a seed value into a hash function, and authenticating the user according to the result.
19. The server apparatus of claim 18,
wherein the one-time secret password generation module transmits the generated one-time secret password to a destination designated by the user, and
wherein the authentication processing module receives from the user device a user authentication key generated by inputting the one-time secret password transmitted to the destination and a secret hash value stored in the user device as a seed value into the hash function.
20. The server apparatus of claim 19,
wherein the one-time secret password generation module generates the one-time secret password by inputting the registered secret hash value and a time stamp into a random number function as a seed value.
21. The server apparatus of claim 18,
wherein the authentication processing module receives from the user device a user authentication key generated by inputting a one-time secret password generated by a portable disposable secret password generator and a secret hash value stored in the user device as a seed value into a hash function.
22. The server apparatus of claim 21,
wherein the portable disposable secret password generator stores a secret hash value equal to the registered secret hash value,
wherein the disposable secret code generated by the portable disposable secret password generator is generated by inputting the secret hash value stored in the portable disposable secret password generator and a time stamp as a seed value into a random number function, and
wherein the one-time secret password generation module generates the one-time secret password by inputting the registered secret hash value and the time stamp as a seed value into the random number function.
23. The server apparatus according to any one of claims 18 to 22,
wherein the authentication processing module receives from the user device a device authentication key generated by inputting unique information of the user device as a seed value into a hash function, registers the device authentication key, and compares the device authentication key received from the user device with the registered device authentication key at each authentication.
24. The server apparatus of claim 23,
wherein the authentication processing module receives from the user device a program authentication key generated by inputting a time stamp, the device authentication key, and the secret hash value as a seed value into a hash function, registers the program authentication key, and compares the program authentication key received from the user device with the registered program authentication key at each authentication.
25. The server apparatus according to any one of claims 18 to 22,
wherein the authentication processing module transmits candidate images and their codes to the user device, receives from the user device, without distinction, the codes of the key image and the camouflage image selected by the user, and, during authentication, transmits the registered key image and camouflage image and their codes together with candidate secret codes and their codes to the user device, so that at least two interfaces, at least one of which moves according to the user's input, are displayed in the user device with the key image and the camouflage image displayed on one of the interfaces and the candidate secret codes displayed on the other interface, and
wherein the user authentication key received from the user device is generated by the user device using, as the one-time secret password, the candidate secret code located in the remaining interface in the same orientation as the key image displayed on the one interface, extracted based on the code of the key image previously stored in the user device.
26. The server apparatus according to any one of claims 18 to 22,
wherein the authentication processing module transmits candidate images and their codes to the user apparatus, receives from the user apparatus the code of the key image and the code of the camouflage image selected by the user together with key image identification information, and, during authentication, transmits the registered key image and camouflage image together with their codes and the key image identification information, and candidate secret codes and their codes, to the user device, so that at least two interfaces, at least one of which moves according to the user's input, are displayed in the user device with the key image and the camouflage image displayed on one of the interfaces and the candidate secret codes displayed on the other interface, and
wherein the user authentication key received from the user device is generated by the user device using, as the one-time secret password, the candidate secret code located in the remaining interface in the same orientation as the key image displayed on the one interface, extracted based on the key image identification information transmitted from the authentication processing module to the user device.
27. The server apparatus according to any one of claims 18 to 22,
wherein the authentication processing module transmits candidate images and their codes to the user apparatus, receives from the user apparatus the code of the key image and the code of the camouflage image selected by the user together with key image identification information, and, during authentication, transmits the registered key image and camouflage image and their codes together with candidate secret codes and their codes to the user device, so that at least two interfaces, at least one of which moves according to the user's input, are displayed in the user device with the key image and the camouflage image displayed on one of the interfaces and the candidate secret codes displayed on the other interface, and
wherein the user authentication key received from the user device is generated by the user device using, as the one-time secret code, the code matrix of the images on the one interface and the code matrix of the candidate secret codes on the remaining interface, extracted once the at least one interface has been moved.
28. An authentication system, comprising:
a user device for generating and storing a secret hash value by inputting a secret divisor input by the user as a seed value into a hash function, and transmitting the secret hash value; and
an authentication server for receiving and registering the secret hash value transmitted from the user device, generating a one-time secret password, and transmitting the generated one-time secret password to a destination designated by the user,
wherein the user device generates a user authentication key by inputting the one-time secret password input by the user and the secret hash value stored in the user device as a seed value into a hash function, and transmits the user authentication key to the authentication server, and
wherein the authentication server generates a user authentication key by inputting the registered secret hash value received from the user device and the generated one-time secret password as a seed value into a hash function, and performs authentication processing by comparing it with the user authentication key received from the user device.
29. A computer program stored on a medium, combined with hardware, for carrying out the method according to any one of claims 1 to 6.
KR1020150052631A 2014-09-11 2015-04-14 Apparatus and method for otp authentication KR20160122556A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020150052631A KR20160122556A (en) 2015-04-14 2015-04-14 Apparatus and method for otp authentication
PCT/KR2015/009523 WO2016039568A1 (en) 2014-09-11 2015-09-10 Device and method for user authentication

Publications (1)

Publication Number Publication Date
KR20160122556A true KR20160122556A (en) 2016-10-24

Family

ID=57256590

Country Status (1)

Country Link
KR (1) KR20160122556A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20180131007A (en) * 2017-05-31 2018-12-10 삼성에스디에스 주식회사 Authentication apparatus and method for providing emm service
WO2024045680A1 (en) * 2022-08-31 2024-03-07 华为技术有限公司 Device authentication method and related device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20140106360A (en) 2013-02-26 2014-09-03 (주)이스톰 System and Method for OTP authentication

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application