KR20160122556A - Apparatus and method for otp authentication - Google Patents
- Publication number: KR20160122556A (application number KR1020150052631A)
- Authority: KR (South Korea)
- Prior art keywords: secret, image, user, key, server
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0869—involving random numbers or seeds
        - H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3226—using a predetermined code, e.g. password, passphrase or PIN
            - H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
          - H04L9/3236—using cryptographic hash functions
          - H04L9/3297—involving time stamps, e.g. generation of time stamps
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The present invention discloses an apparatus and method for enhancing security in a one-time secret password (OTP) authentication scheme. According to one aspect, a user device that communicates with a server to authenticate a user includes: a secret hash value generation module that inputs a secret number entered by the user into a hash function as a seed value, stores the resulting secret hash value, and transmits it to the server for registration; a one-time secret password input module that receives a one-time secret password; and a user authentication key generation module that inputs the one-time secret password received from the input module and the stored secret hash value into the hash function as seed values to generate a user authentication key, transmits the user authentication key to the server, and receives from the server the result of comparing it with the user authentication key generated by the server. The user authentication key generated by the server is the value obtained by inputting the secret hash value registered in the server and the one-time secret password into the hash function as seed values.
Description
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to user authentication, and more specifically, to a user authentication technique using a One Time Password (OTP) scheme.
The one-time secret password (OTP) authentication method authenticates a user using a randomly generated value, and was introduced to overcome the security weakness caused by repeated use of the same password.
Currently, OTP authentication methods include software and hardware methods. Software methods operate as software in PCs or smart devices, including application-based OTPs and server-based OTPs. The hardware method uses a portable one-time secret password generator. A typical example of server-based OTP among software methods is SMS authentication. When the server transmits a short message including the one-time secret password to the portable terminal of the user, the user inputs the one-time secret password included in the short message to the portable terminal or the web site, and returns it to the server. The hardware-based OTP authentication is a method of comparing the one-time secret password generated by the portable one-time secret password generator and the one-time secret password generated by the server. To this end, the server stores the device serial number of the user's portable one-time secret password generator, and at the time of authentication, the server and the portable one-time secret password generator generate a one-time secret password using the same time stamp and device serial number.
In the OTP authentication described above, the one-time secret password may be exposed to an onlooker when the user enters it on the user device, and may also be exposed by hacking during communication between the user terminal and the server. In addition, there is a possibility that a one-time secret password is issued to a person who is not the legitimate user and is maliciously used.
Disclosure of Invention
Technical Problem
The present invention has been proposed in order to solve the above problems and aims to enhance security in the one-time secret password authentication method.
According to an aspect of the present invention, there is provided a user device for communicating with a server and authenticating a user, including: a secret hash value generation module that inputs a secret number entered by the user into a hash function as a seed value to generate a secret hash value, and transmits the secret hash value to the server for registration; a one-time secret password input module that receives a one-time secret password; and a user authentication key generation module that inputs the one-time secret password received from the one-time secret password input module and the secret hash value into the hash function as seed values to generate a user authentication key, transmits the user authentication key to the server, and receives from the server the result of comparing it with the user authentication key generated by the server. The user authentication key generated by the server is the value obtained by inputting the secret hash value registered in the server and the one-time secret password into the hash function as seed values.
The one-time secret password is generated at the server and received at a destination designated by the user, and the one-time secret password input module may receive from the user the one-time secret password that arrived at that destination.
The destination designated by the user may be either the user device itself or a wearable device of the user.
The one-time secret password may be a value generated at the server by inputting a time stamp and the secret hash value registered in the server into a random number function as seed values.
Alternatively, the one-time secret password may be generated by a portable one-time secret password generator, and the one-time secret password input module may receive from the user the one-time secret password generated by the portable generator.
The portable one-time secret password generator stores a secret hash value identical to the secret hash value generated by the secret hash value generation module, and the one-time secret password may be a value generated by inputting the secret hash value stored in the portable generator and a time stamp into a random number function as seed values.
The user device may further include a device authentication key generation module that stores a device authentication key generated by inputting unique information of the user device into the hash function as a seed value, and transmits the device authentication key to the server for registration.
At the time of authentication, the device authentication key generation module may transmit the stored device authentication key to the server and receive from the server the result of the comparison with the device authentication key stored in the server.
The user device may further include a program authentication key generation module that stores a program authentication key generated by inputting a time stamp, the device authentication key and the secret hash value into a hash function as seed values, and transmits the program authentication key to the server for registration.
At the time of authentication, the program authentication key generation module may transmit the stored program authentication key to the server and receive from the server the result of the comparison with the program authentication key stored in the server.
The one-time secret password input module may include: an image registration module that receives candidate images and their codes from the server, displays the candidate images, transmits to the server the codes of the key image and the camouflage images selected by the user among the candidate images for registration, and stores the code of the key image; an image input module that receives the key image, the camouflage images and their codes from the server, receives candidate secret passwords and their codes from the server, displays at least two interfaces, shows the key image and the camouflage images on one interface and the candidate secret passwords received from the server on the remaining interface, and moves at least one interface according to the user's input; and a one-time secret password extraction module that, based on the code of the key image stored in the image registration module, extracts as the one-time secret password the candidate secret password located on the remaining interface in the same orientation as the key image displayed on the first interface.
There may be at least two key images; in that case the image registration module further stores order information of the key images, and the one-time secret password extraction module sequentially extracts the one-time secret password from the remaining interface in that order.
Alternatively, the one-time secret password input module may include: an image registration module that receives candidate images and their codes from the server, displays them, and transmits the codes of the key image and the camouflage images selected by the user to the server for registration; an image input module that receives from the server the key image, the camouflage images and their codes together with identification information of the key image, receives candidate secret passwords and their codes from the server, displays at least two interfaces, shows the key image and camouflage images received from the server on one interface and the candidate secret passwords on the remaining interface, and moves at least one interface according to the user's input; and a one-time secret password extraction module that, based on the key image identification information received from the server, extracts as the one-time secret password the candidate secret password located on the remaining interface in the same orientation as the key image displayed on the first interface.
There may be at least two key images; in that case the image registration module further registers and transmits order information of the key images to the server, the image input module further receives that order information from the server, and the one-time secret password extraction module sequentially extracts the one-time secret password from the remaining interface based on the identification information and order information of the key images received from the server.
In a further variant, the one-time secret password input module may include: an image registration module that receives candidate images and their codes from the server, displays them, and transmits the codes of the key image and the camouflage images selected by the user to the server for registration; an image input module that receives the key image, the camouflage images and their codes and the candidate secret passwords and their codes from the server, displays at least two interfaces, shows the key image and camouflage images on one interface and the candidate secret passwords on the remaining interface, and moves at least one interface according to the user's input; and a one-time secret password module that, upon receiving a movement-completion input for the interface from the user, extracts the code matrix of the images on one interface and the code matrix of the candidate secret passwords on the remaining interface as the one-time secret password.
According to another aspect of the present invention, there is provided a server apparatus for communicating with a user device and authenticating a user, including: a secret hash value registration module that receives from the user device and registers a secret hash value generated by inputting a secret number entered by the user into a hash function as a seed value; a one-time secret password generation module that generates a one-time secret password; and an authentication processing module that, on receiving a user authentication key from the user device, compares it with the user authentication key generated by inputting the registered secret hash value and the generated one-time secret password into the hash function as seed values, and authenticates the user on that basis.
The one-time secret password generation module transmits the generated one-time secret password to the destination designated by the user, and the authentication processing module may receive from the user device the user authentication key generated by inputting the one-time secret password sent to that destination and the secret hash value stored in the user device into a hash function as seed values.
The one-time secret password generation module may generate the one-time secret password by inputting the registered secret hash value and a time stamp into a random number function as seed values.
The authentication processing module may receive from the user device a user authentication key generated by inputting a one-time secret password produced by a portable one-time secret password generator and the secret hash value stored in the user device into a hash function as seed values.
The portable one-time secret password generator stores a secret hash value identical to the registered secret hash value, and the one-time secret password it generates is the value obtained by inputting its stored secret hash value and a time stamp into a random number function as seed values; correspondingly, the one-time secret password generation module may generate its one-time secret password by inputting the registered secret hash value and the time stamp into the random number function as seed values.
The authentication processing module receives from the user device and registers a device authentication key generated by inputting unique information of the user device into a hash function as a seed value, and at the time of authentication compares the device authentication key received from the user device with the registered device authentication key.
The authentication processing module receives from the user device and registers a program authentication key generated by inputting a time stamp, the device authentication key and the secret hash value into a hash function as seed values, and at the time of authentication compares the program authentication key transmitted by the user device with the registered program authentication key.
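The device and program authentication keys described in the preceding paragraphs, modelled as an added example (not code from the patent). Assumptions: the hash function is SHA-256 over length-prefixed inputs; the device's unique information is a constructed identifier string; the class and function names are this example's own. The scenarios check the two failure cases the text relies on: a copy of the program transplanted to another device, and a delete-and-reinstall on the same device.

```python
"""Device and program authentication keys (added example, not the patent's own code)."""
import hashlib
import hmac


def h(*parts: bytes) -> bytes:
    """The hash function of the scheme, modelled as SHA-256 over length-prefixed parts
    so that different splits of the same bytes cannot collide (encoding is an assumption)."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big"))
        m.update(part)
    return m.digest()


def device_authentication_key(device_unique_info: str) -> bytes:
    """Device authentication key = H(unique information of the user device)."""
    return h(device_unique_info.encode())


def program_authentication_key(install_timestamp: int, device_key: bytes, secret_hash: bytes) -> bytes:
    """Program authentication key = H(time stamp, device authentication key, secret hash value).
    The time stamp is taken at installation, so a reinstall yields a different key."""
    return h(install_timestamp.to_bytes(8, "big"), device_key, secret_hash)


class Installation:
    """One installed copy of the authentication program on one device."""

    def __init__(self, device_unique_info: str, secret_hash: bytes, install_timestamp: int):
        self.device_unique_info = device_unique_info
        device_key = device_authentication_key(device_unique_info)
        # Stored at installation and presented unchanged at every later authentication.
        self.program_key = program_authentication_key(install_timestamp, device_key, secret_hash)

    def present_keys(self):
        # The device key is recomputed from the device's own unique information at each
        # authentication; if it were read back from storage, a copied program would carry
        # the original device's key along and the check would not bind to the hardware.
        return device_authentication_key(self.device_unique_info), self.program_key


class RegistrationServer:
    def __init__(self):
        self.device_keys = {}   # user id -> registered device authentication key
        self.program_keys = {}  # user id -> registered program authentication key

    def register(self, user: str, device_key: bytes, program_key: bytes) -> None:
        self.device_keys[user] = device_key
        self.program_keys[user] = program_key

    def check(self, user: str, device_key: bytes, program_key: bytes) -> bool:
        """Both presented keys must equal the registered ones (constant-time comparison)."""
        return (hmac.compare_digest(self.device_keys[user], device_key)
                and hmac.compare_digest(self.program_keys[user], program_key))


def run_scenarios() -> dict:
    """Constructed walk-through of the genuine device, a transplanted copy and a reinstall."""
    secret_hash = h(b"4921")  # constructed secret number
    original = Installation("DEVICE-ID-A-CONSTRUCTED", secret_hash, 1_700_000_000)
    server = RegistrationServer()
    server.register("alice", *original.present_keys())
    genuine = server.check("alice", *original.present_keys())

    # The program, including its stored program key, is copied to a different device.
    copy = Installation("DEVICE-ID-B-CONSTRUCTED", secret_hash, 1_700_000_000)
    copy.program_key = original.program_key
    transplanted = server.check("alice", *copy.present_keys())  # device key differs

    # The program is deleted and reinstalled on the same device one day later.
    reinstall = Installation("DEVICE-ID-A-CONSTRUCTED", secret_hash, 1_700_086_400)
    reinstalled = server.check("alice", *reinstall.present_keys())  # program key differs

    return {"genuine": genuine, "transplanted": transplanted, "reinstalled": reinstalled}


if __name__ == "__main__":
    print(run_scenarios())
```

Both failure cases fall out of the key construction alone: the transplanted copy fails on the device key because that key is derived from hardware information the new device does not share, and the reinstall fails on the program key because its installation time stamp changed. Neither check helps if the server accepts a device key read from the program's own storage, which is why `present_keys` recomputes it.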
The authentication processing module transmits candidate images and their codes to the user device, receives from the user device and registers the codes of the key image and the camouflage images selected by the user among the candidate images, and at the time of authentication transmits the registered key image, the camouflage images and their codes together with candidate secret passwords and their codes to the user device, so that the user device displays at least two interfaces, at least one of which moves according to the user's input, with the key image and camouflage images on one interface and the candidate secret passwords on the remaining interface. The user authentication key received from the user device may then have been generated using the one-time secret password that the user device extracted, based on the stored code of the key image, as the candidate secret password located on the remaining interface in the same orientation as the key image displayed on the first interface.
Alternatively, the authentication processing module transmits candidate images and their codes to the user device, receives from the user device and registers the codes of the key image and the camouflage images selected by the user among the candidate images together with identification information of the key image, and at the time of authentication transmits the registered key image, the camouflage images and their codes, the candidate secret passwords and their codes, and the identification information of the key image to the user device, so that the user device displays at least two interfaces, at least one of which moves according to the user's input, with the key image and camouflage images on one interface and the candidate secret passwords on the remaining interface. The user authentication key received from the user device may then have been generated using the one-time secret password that the user device extracted, based on the identification information of the key image transmitted to it, as the candidate secret password located on the remaining interface in the same orientation as the key image displayed on the first interface.
In a further variant, the authentication processing module transmits candidate images and their codes to the user device, receives from the user device and registers the codes of the key image and the camouflage images selected by the user among the candidate images together with identification information of the key image, and at the time of authentication transmits the registered key image, the camouflage images and their codes, and the candidate secret passwords and their codes to the user device, so that the user device displays at least two interfaces, at least one of which moves according to the user's input, with the key image and camouflage images on one interface and the candidate secret passwords on the remaining interface. The user authentication key received from the user device may then have been generated using, as the one-time secret password, the code matrix of the images on one interface and the code matrix of the candidate secret passwords on the remaining interface, both extracted by the user device.
According to another aspect of the present invention, there is provided an authentication system including: a user device that inputs a secret number entered by the user into a hash function as a seed value to generate and store a secret hash value; and an authentication server that receives and registers the secret hash value transmitted from the user device, generates a one-time secret password, and transmits it to the destination designated by the user. The user device inputs the one-time secret password received at that destination and the stored secret hash value into the hash function as seed values to generate a user authentication key and transmits it to the authentication server; the authentication server generates its own user authentication key by inputting the registered secret hash value and the transmitted one-time secret password into the hash function as seed values, compares it with the user authentication key transmitted from the user device, and performs the authentication processing.
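The exchange described above, written out as an added example (not the patent's own code): the user device registers H(secret number), the server derives a one-time secret password from the registered secret hash value and a time stamp, both sides compute H(one-time secret password, secret hash value), and the server compares. Assumptions: H is SHA-256 over length-prefixed inputs; the "random number function" the text does not name is modelled as HMAC-SHA256 truncated to six digits so that server and portable generator agree; an issued one-time secret password is consumed on first use; the user id, secret number and time stamps are constructed.

```python
"""Hash-chained OTP authentication between user device and server (added example)."""
import hashlib
import hmac


def h(*parts: bytes) -> bytes:
    """The hash function H of the scheme: SHA-256 over length-prefixed parts, so that
    (a, b) and a re-split of the same bytes never hash alike (encoding is an assumption)."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big"))
        m.update(part)
    return m.digest()


def secret_hash_value(secret_number: str) -> bytes:
    """User device: secret hash value = H(secret number entered by the user)."""
    return h(secret_number.encode())


def one_time_password(secret_hash: bytes, timestamp: int, digits: int = 6) -> str:
    """Server or portable generator: OTP from a function seeded with the secret hash value
    and a time stamp. Modelled as HMAC-SHA256 (assumption) so both sides derive the same value."""
    mac = hmac.new(secret_hash, timestamp.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def user_authentication_key(otp: str, secret_hash: bytes) -> bytes:
    """Computed independently on both sides: H(one-time secret password, secret hash value)."""
    return h(otp.encode(), secret_hash)


class AuthServer:
    def __init__(self):
        self.registered = {}  # user id -> registered secret hash value
        self.pending = {}     # user id -> issued OTP awaiting use

    def register(self, user: str, secret_hash: bytes) -> None:
        self.registered[user] = secret_hash

    def issue_otp(self, user: str, timestamp: int) -> str:
        """Generates the OTP for delivery to the user's designated destination (SMS, push,
        e-mail or ARS in the text). The OTP itself is never sent back to the server."""
        otp = one_time_password(self.registered[user], timestamp)
        self.pending[user] = otp
        return otp

    def verify(self, user: str, received_key: bytes) -> bool:
        """Recomputes H(issued OTP, registered secret hash value) and compares in constant
        time. The pending OTP is consumed on any attempt, so a captured key cannot be replayed."""
        otp = self.pending.pop(user, None)
        if otp is None:
            return False
        expected = user_authentication_key(otp, self.registered[user])
        return hmac.compare_digest(expected, received_key)


class UserDevice:
    def __init__(self, secret_number: str):
        # Stored locally; transmitted to the server once, at registration.
        self.secret_hash = secret_hash_value(secret_number)

    def authenticate(self, otp_from_destination: str) -> bytes:
        return user_authentication_key(otp_from_destination, self.secret_hash)


def run_scenario() -> dict:
    """Constructed walk-through: legitimate login, replay of the same key, and a key built
    from an OTP read off the delivery channel without the secret hash value."""
    server, device = AuthServer(), UserDevice("4921")  # constructed secret number
    server.register("alice", device.secret_hash)
    t = 1_700_000_000
    otp = server.issue_otp("alice", t)
    key = device.authenticate(otp)
    legit = server.verify("alice", key)
    replay = server.verify("alice", key)  # the OTP was consumed by the first verification
    otp2 = server.issue_otp("alice", t + 30)
    intercepted = server.verify("alice", h(otp2.encode()))  # OTP known, secret hash unknown
    return {"legit": legit, "replay": replay, "intercepted": intercepted}


if __name__ == "__main__":
    print(run_scenario())
```

What the model makes visible is the property the text claims: a party who observes the one-time secret password on the delivery channel still cannot form a valid user authentication key without the secret hash value, and a party who records the key cannot reuse it once the pending OTP is consumed. The secret hash value is sent to the server once at registration, so protecting that single message (and the server's store of registered values) is where the scheme's security rests.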
In the present invention, when a user is authenticated using a one-time secret password, the one-time secret password is not merely encrypted; instead, the secret hash value generated from the secret number, which is unique information of the user, is used together with the one-time secret password as the seed value of a hash function, thereby blocking hacking of the one-time secret password.
In addition, when the user inputs the one-time secret password at the user terminal, the present invention lets the user enter it using the circle interface and images, so that another person cannot learn the one-time secret password at all. Therefore, security can be enhanced when inputting a one-time secret password.
Further, the present invention can bind the authentication program to a single person by performing additional device authentication and program authentication using the device authentication key and the program authentication key. That is, even if the authentication program (for example, an application) is copied and transplanted to another user terminal, verification of the device authentication key fails and authentication fails. Also, if the program is deleted from the same terminal and reinstalled, the program authentication key changes, and authentication fails again. Therefore, hacking of personal information by deleting and reinstalling the program can be blocked.
FIG. 1 is a diagram illustrating an authentication system according to an embodiment of the present invention.
FIG. 2 is a diagram showing a configuration of the user terminal of FIG. 1.
FIG. 3 is a diagram illustrating a configuration of an authentication program according to an embodiment of the present invention.
FIG. 4 is a diagram showing the configuration of the authentication server of FIG. 1.
FIG. 5 is a flowchart illustrating a method of registering a secret hash value according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating an authentication method according to an embodiment of the present invention.
FIG. 7 is a block diagram illustrating a configuration of a one-time secret password input module according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating candidate images according to an embodiment of the present invention.
FIG. 9 is a diagram illustrating a circle interface according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating three circle interfaces according to an embodiment of the present invention.
FIG. 11 is a diagram showing a configuration of an authentication program according to another embodiment of the present invention.
The foregoing and other objects, features and advantages of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings. In the following description, well-known functions or constructions are not described in detail, since they would obscure the invention in unnecessary detail. Hereinafter, a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a diagram illustrating an authentication system according to an embodiment of the present invention, and FIG. 2 is a diagram illustrating a configuration of the user terminal of FIG. 1.
Referring to FIG. 1, the authentication system according to the present embodiment includes a
The
The
The OTP authentication method between the
The
The
The
In some embodiments,
The I /
The
In some embodiments, software components are installed in
The operating system 111 may be an embedded operating system such as, for example, Darwin, RTXC, LINUX, UNIX, OS X, WINDOWS or VxWorks, or Android; it may include general system tasks (e.g., memory management, storage control, power management, etc.), and facilitates communication between the various hardware and software components.
Graphics module 112 includes a number of well known software components for providing and displaying graphics on
The
The
FIG. 3 is a diagram illustrating a configuration of an authentication program according to an embodiment of the present invention.
Referring to FIG. 3, the
The secret hash
The secret hash
The one-time secret
The user authentication key generation module 330 inputs the one-time secret password received from the one-time secret
The user authentication key generation module 330 transmits the user authentication key to the
Referring to FIG. 4, the
The
The memory may include high speed random access memory and may also include one or more magnetic disk storage devices, non-volatile memory such as flash memory devices, or other non-volatile semiconductor memory devices. In some embodiments, the memory may include a storage device located remotely from one or more processors. Access to the memory by other components such as the processor and the peripheral interface may be controlled by the memory controller.
The peripheral interface connects the input / output peripheral to the processor and memory. The one or more processors execute various functions for the
The I / O subsystem provides an interface between the I / O peripheral and the peripheral interface.
A processor is a processor configured to perform the operations associated with the
The operating system may be an embedded operating system such as, for example, Darwin, RTXC, LINUX, UNIX, OS X, WINDOWS or VxWorks, or Android; it may include general system tasks (e.g., device control, power management, etc.), and facilitates communication between the various hardware and software components.
The secret hash
The secret hash
The one-time secret password generation module 420 generates a one-time secret password for authenticating the user. The one-time secret password can be generated with a random number function. The one-time secret password generation module 420 can generate a one-time secret password upon receiving an OTP authentication request from the
The one-time secret password generation module 420 transmits the generated one-time secret password to a destination designated by the user. The one-time secret password may be transmitted in the form of a text message (SMS) or a push message or an email or an Automatic Response Service (ARS). To this end, the one-time secret password generation module 420 may receive a telephone number or an e-mail address from the user.
The
The one-time secret password generation module 420 and the
FIG. 5 is a flowchart illustrating a method of registering a secret hash value according to an embodiment of the present invention.
Referring to FIG. 5, the
The
FIG. 6 is a flowchart illustrating an authentication method according to an embodiment of the present invention.
Referring to FIG. 6, the user accesses the
The
Upon receiving the one-time secret password from the
Upon receiving the user authentication key from the
If the result of the comparison is that the user authentication keys are not the same, the
Hereinafter, a method of inputting the one-time secret password will be described with reference to the drawings.
FIG. 7 is a block diagram illustrating a configuration of a one-time secret password input module according to an embodiment of the present invention.
Referring to FIG. 7, the one-time secret
The
FIG. 8 is a diagram illustrating candidate images according to an embodiment of the present invention. The
The
The
The
Of the two circle interfaces, the first circle interface displays candidate secret passwords such as numbers, special characters or letters of the alphabet along its circumference, and the second circle interface displays the key image and the camouflage images along its circumference. The first circle interface does not rotate, and the second circle interface rotates according to the user's input. Conversely, the first circle interface may rotate while the second does not, or both circle interfaces may rotate. In the present embodiment, it is assumed that only the second circle interface rotates.
The
FIG. 9 is a diagram illustrating a circle interface according to an embodiment of the present invention. Referring to FIG. 9, the numerals 1 to 12 are arranged along the circumference of the circle in the
The
When the user rotates the second circle interface and then presses the completion input, the one-time secret password extraction module 730 extracts the first secret key cryptographic key from the first key image stored in the
The extraction of the disposable secret cipher using the above-described key image can be performed through a matrix operation. The user rotates the second circle interface and then presses the completion input. The user presses the completion input when the one of the candidate secrets listed in the first circle interface and the key image among the images listed in the second circle interface are located in the same orientation. When the completion input is pressed, the disposable secret password extraction module 730 extracts a matrix of codes of images of the second circle interface according to a certain criterion. For example, the code of the images listed in the second circle interface is extracted clockwise from 12 o'clock to produce a 1x12 matrix. These 1 x 12 matrices are made as many as the number of key images. The user inputs the rotation and completion of the second circle interface according to the number of key images in the images listed in the second circle interface and the order of the key image set by the user and the disposable secret password extraction module 730 Every time there is an input, the codes of the images listed in the second circle interface are extracted and a 1 × 12 matrix is generated. If the number of key images is n, then an
For example, if the one-time secret password received from the
The one-time secret password extraction module 730 finds the coordinates of the code of each key image in the extracted matrix, based on the key images set by the user and their order, and extracts the one-time secret password from those coordinates. In the example above, the key images set by the user and their order are (soccer ball, baseball, rugby ball). The module therefore checks the coordinates of the soccer ball code in the first row of the 3 × 12 matrix and extracts the numeral '1' of the first circle interface corresponding to those coordinates. Next, the coordinates of the baseball code are checked in the second row of the 3 × 12 matrix, and the numeral '2' of the first circle interface corresponding to those coordinates is extracted. Finally, the coordinates of the rugby ball code are checked in the third row of the 3 × 12 matrix, and the numeral '7' of the first circle interface corresponding to those coordinates is extracted. The one-time secret password (1, 2, 7) is thus extracted.
In the above embodiment, the user registers and uses at least two key images. This is not a limitation, however: the user may register and use a single key image. In that case the order of the key images need not be considered, and the user uses the one key image repeatedly. In the above example, the user first places the single key image in the same orientation as the numeral '1' of the first circle interface and presses the completion input, then places it in the same orientation as the numeral '2' and presses the completion input, and finally places it in the same orientation as the numeral '7' and presses the completion input. Then (1, 2, 7) is extracted as the one-time secret password.
In addition, the embodiment has been described with two circle interfaces with reference to FIG. However, it is not limited thereto, and three circle interfaces may be used. For example, when the
FIG. 10 is a diagram illustrating three circle interfaces according to an embodiment of the present invention. Referring to FIG. 10, candidate secret codes such as numerals and special characters are arranged along the periphery of the circle in the
For example, if the one-time secret password received from the
With the three circle interfaces described with reference to FIG. 10, the one-time secret password can be extracted from the key image by a matrix operation just as with two circle interfaces. Each of the first and second circle interfaces is mapped to candidate secret codes and their codes, and the third circle interface is mapped to images and the codes of the images. Each circle interface yields one row built according to a fixed criterion. For example, when a circle interface is first displayed, the candidate secret codes or images read clockwise from 12 o'clock form its row; when the interface is rotated, the row is shifted accordingly, and the value in each column of the shifted row can be identified. When the user rotates the third circle interface and then presses the completion button, the coordinates of the key image are found in the row of the third circle interface, and the values of the first and second circle interfaces at the same coordinates are extracted as the one-time secret password.
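The matrix extraction just described, worked through in code for both the two-circle case of FIG. 9 and the three-circle case of FIG. 10. This is an added illustration, not code from the patent: the image names, their slot layout, the symbol ring and the rule that turning the ring clockwise by k slots moves every image k slots clockwise are all constructed assumptions.

```python
from typing import List, Sequence, Tuple

SLOTS = 12  # positions around each circle; index 0 is 12 o'clock, read clockwise

# First circle interface of FIG. 9: candidate secret codes "1".."12" (constructed layout).
CANDIDATE_SECRETS: List[str] = [str(i) for i in range(1, SLOTS + 1)]

# Second circle interface before any rotation, one image code per slot (constructed).
# "soccer", "baseball" and "rugby" are the user's key images; the rest are camouflage images.
INITIAL_IMAGE_RING: List[str] = [
    "soccer", "tennis", "baseball", "golf", "rugby", "basketball",
    "volleyball", "cricket", "bowling", "hockey", "pingpong", "billiards",
]

# Second candidate ring for the three-circle case of FIG. 10 (constructed symbols).
SYMBOL_RING: List[str] = ["!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "-", "+"]


def rotate(ring: Sequence[str], steps: int) -> List[str]:
    """Ring after the user turns it clockwise by `steps` slots (assumed convention):
    the item at slot i ends up at slot (i + steps) % SLOTS."""
    n = len(ring)
    steps %= n
    return list(ring[n - steps:]) + list(ring[:n - steps])


def build_code_matrix(rotations: Sequence[int], ring: Sequence[str]) -> List[List[str]]:
    """One row per completion input: the image codes read clockwise from 12 o'clock
    after the rotation the user applied for that step. n completions give an n x 12 matrix."""
    return [rotate(ring, r) for r in rotations]


def key_columns(matrix: Sequence[Sequence[str]], key_order: Sequence[str]) -> List[int]:
    """Column (slot) of the k-th key image within the k-th row of the matrix.
    With a single registered key image, key_order repeats that image once per completion."""
    if len(matrix) != len(key_order):
        raise ValueError("one completion input is expected per key image")
    return [list(row).index(key) for row, key in zip(matrix, key_order)]


def extract_otp(matrix: Sequence[Sequence[str]], key_order: Sequence[str],
                candidate_secrets: Sequence[str] = CANDIDATE_SECRETS) -> List[str]:
    """Two-circle case: the candidate secret lying in the same orientation as each key image."""
    return [candidate_secrets[c] for c in key_columns(matrix, key_order)]


def extract_otp_three_circles(matrix: Sequence[Sequence[str]], key_order: Sequence[str],
                              first_ring: Sequence[str],
                              second_ring: Sequence[str]) -> List[Tuple[str, str]]:
    """Three-circle case: both candidate rings are read at the key image's column."""
    return [(first_ring[c], second_ring[c]) for c in key_columns(matrix, key_order)]


if __name__ == "__main__":
    keys = ["soccer", "baseball", "rugby"]
    # Rotations chosen so the three key images line up with "1", "2" and "7" in turn.
    matrix = build_code_matrix([0, 11, 2], INITIAL_IMAGE_RING)
    print(extract_otp(matrix, keys))                                   # ['1', '2', '7']
    print(extract_otp_three_circles(matrix, keys, CANDIDATE_SECRETS, SYMBOL_RING))
```

Because the server in the later claims receives the code matrix together with the candidate codes, it can run the same `key_columns` lookup with the registered key image codes and reach the same one-time secret password without the user ever typing it.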
In the above embodiment, the key image and the camouflage image set by the user are stored in the
As another embodiment, the key image and the camouflage image set by the user may be stored in the
Meanwhile, in the above-described embodiment, the one-time secret password is extracted from the
As another embodiment, the
To this end, the user authentication key generation module 330 generates a secret hash value by using the matrix generated by the circle interface in the one-time secret
FIG. 11 is a diagram showing a configuration of an authentication program according to another embodiment of the present invention.
Referring to FIG. 11, the
The device authentication key generation module 1110 collects unique information of the
The device authentication key generation module 1110 can transmit the stored device authentication key to the
Also, the device authentication key generation module 1110 can generate a device authentication key at each execution of the
The program authentication key generation module 1120 generates and stores a program authentication key using the device authentication key generated by the device authentication key generation module 1110, the time stamp, and the secret hash value, and transmits it to the
The program authentication key generation module 1120 can transmit the program authentication key to the
In the present invention as described above, when a user inputs a one-time secret password issued by the
In addition, when the one-time secret password is input from the
Further, according to the present invention, additional device authentication and program authentication are performed using the device authentication key and the program authentication key, which binds one program to one device. That is, even if an authentication program (for example, an application) is copied and transplanted to another user terminal, device authentication key verification fails and authentication fails. Likewise, if the program is deleted from the same terminal and reinstalled, the program authentication key changes and authentication fails again. Therefore, theft of personal information by deleting and reinstalling the program can be blocked.
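The hash-based key chain described in this section and restated in the claims below (secret hash value, one-time secret password, user authentication key, device authentication key and program authentication key), carried through in code as an added example; it is not the patent's own code. The patent names no concrete primitives, so SHA-256 stands in for its "hash function", and HMAC-SHA256 over the time stamp stands in for its "random number function seeded with the secret hash value and time stamp" (a substitution). The secrets, device identifiers and time stamps are constructed.

```python
import hashlib
import hmac
from typing import Dict


def hash_function(*seed_parts: bytes) -> bytes:
    """The page's 'hash function', instantiated as SHA-256 over the seed parts (my choice).
    Parts are length-prefixed so that different splits of the same bytes cannot collide."""
    digest = hashlib.sha256()
    for part in seed_parts:
        digest.update(len(part).to_bytes(4, "big"))
        digest.update(part)
    return digest.digest()


def secret_hash_value(secret_divisor: str) -> bytes:
    """Module 310: hash of the user's secret; registered at the server once."""
    return hash_function(secret_divisor.encode())


def one_time_password(secret_hash: bytes, time_stamp: int, digits: int = 6) -> str:
    """One-time secret password from the secret hash and a time stamp.
    HMAC-SHA256 replaces the page's seeded random number function (substitution)."""
    tag = hmac.new(secret_hash, time_stamp.to_bytes(8, "big"), "sha256").digest()
    return str(int.from_bytes(tag[:4], "big") % 10 ** digits).zfill(digits)


def user_authentication_key(otp: str, secret_hash: bytes) -> bytes:
    """Module 330 on the terminal, and the server's own copy: hash of OTP and secret hash."""
    return hash_function(otp.encode(), secret_hash)


def device_authentication_key(unique_device_info: str) -> bytes:
    """Module 1110: hash of the terminal's unique information."""
    return hash_function(unique_device_info.encode())


def program_authentication_key(install_time: int, device_key: bytes, secret_hash: bytes) -> bytes:
    """Module 1120: hash of the install-time stamp, the device key and the secret hash."""
    return hash_function(install_time.to_bytes(8, "big"), device_key, secret_hash)


class AuthenticationServer:
    """Authentication server 200: registers the three values per user and checks all three."""

    def __init__(self) -> None:
        self.registry: Dict[str, tuple] = {}

    def register(self, user: str, secret_hash: bytes, device_key: bytes, program_key: bytes) -> None:
        self.registry[user] = (secret_hash, device_key, program_key)

    def authenticate(self, user: str, time_stamp: int, user_key: bytes,
                     device_key: bytes, program_key: bytes) -> str:
        if user not in self.registry:
            return "unknown user"
        secret_hash, reg_device, reg_program = self.registry[user]
        # Device and program keys are checked first: a copied or reinstalled program stops here.
        if not hmac.compare_digest(device_key, reg_device):
            return "device authentication failed"
        if not hmac.compare_digest(program_key, reg_program):
            return "program authentication failed"
        expected = user_authentication_key(one_time_password(secret_hash, time_stamp), secret_hash)
        if not hmac.compare_digest(user_key, expected):
            return "user authentication failed"
        return "ok"


class AuthenticationProgram:
    """The program on user terminal 100: holds the secret hash, device key and program key."""

    def __init__(self, unique_device_info: str, install_time: int, secret_divisor: str) -> None:
        self.secret_hash = secret_hash_value(secret_divisor)
        self.device_key = device_authentication_key(unique_device_info)
        self.program_key = program_authentication_key(install_time, self.device_key, self.secret_hash)

    def login(self, server: AuthenticationServer, user: str, time_stamp: int, otp: str) -> str:
        """`otp` is whatever the user typed in (server-issued or from a portable generator)."""
        user_key = user_authentication_key(otp, self.secret_hash)
        return server.authenticate(user, time_stamp, user_key, self.device_key, self.program_key)


def demo() -> Dict[str, str]:
    """Constructed scenario: one registered program, a copy on another terminal, and a reinstall."""
    server = AuthenticationServer()
    original = AuthenticationProgram("device-serial-A (constructed)", 1_700_000_000, "correct horse")
    server.register("alice", original.secret_hash, original.device_key, original.program_key)
    copied = AuthenticationProgram("device-serial-B (constructed)", 1_700_000_000, "correct horse")
    reinstalled = AuthenticationProgram("device-serial-A (constructed)", 1_700_500_000, "correct horse")
    now = 1_700_600_000
    otp = one_time_password(original.secret_hash, now)  # what the server would issue for this time stamp
    wrong_otp = "000000" if otp != "000000" else "111111"
    return {
        "same device, correct OTP": original.login(server, "alice", now, otp),
        "same device, wrong OTP": original.login(server, "alice", now, wrong_otp),
        "copied to another terminal": copied.login(server, "alice", now, otp),
        "deleted and reinstalled": reinstalled.login(server, "alice", now, otp),
    }
```

The order of the checks in `authenticate` is a deliberate choice: a terminal whose device or program key does not match is rejected before any one-time secret password is considered, which is the behaviour the paragraph above attributes to copying or reinstalling the program.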
On the other hand, in the above-described embodiment, it is described that the
In the above example, the portable one-time secret password generator is described as storing the secret hash value. However, like an existing one-time secret password generator, the portable one-time secret password generator may also generate a one-time secret password using the time stamp and the device serial number without storing the secret hash value. The
While the specification contains many features, such features should not be construed as limiting the scope of the invention or the scope of the claims. In addition, the features described in the individual embodiments herein may be combined and implemented in a single embodiment. Conversely, various features described in the singular
Although the operations are described in a particular order in the figures, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all described operations be performed, to obtain a desired result. In certain circumstances, multitasking and parallel processing may be advantageous. It should also be understood that the division into various system components in the above embodiments does not require such separation in all embodiments. The program components and systems described above can generally be implemented as a single software product or packaged into multiple software products.
The method of the present invention as described above can be implemented by a program and stored in a computer-readable recording medium (CD-ROM, RAM, ROM, floppy disk, hard disk, magneto optical disk, etc.). Such a process can be easily carried out by those skilled in the art and will not be described in detail.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. The present invention is not limited to the drawings.
100: user terminal, 200: authentication server
310: Secret hash value generation module
320: One-time secret password input module
330: User authentication key generation module
410: Secret hash value registration module
420: One-time secret password generation module
430: Authentication processing module
Claims (29)
A secret hash value generation module for generating and storing a secret hash value by inputting a secret divisor input from a user as a seed value into a hash function and transmitting and registering the secret hash value to the server;
A one-time secret password input module for receiving a one-time secret password; And
A user authentication key generation module for generating a user authentication key by inputting the one-time secret password received from the one-time secret password input module and the secret hash value into the hash function as a seed value, transmitting the user authentication key to the server, and receiving from the server the result of comparing it with the user authentication key generated in the server,
Wherein the user authentication key generated by the server is a value generated by inputting a secret hash value registered in the server and a disposable secret password generated by the server into a hash function as a seed value,
User device.
Wherein the one-time secret password is generated in the server, received at a destination designated by the user,
Wherein the disposable secret password input module receives the disposable secret password received at the destination from the user.
Wherein the destination specified by the user is one of the wearable device of the user device or the wearer of the wearer.
Wherein the one-time secret password is a value generated by inputting the time stamp and the secret hash value registered in the server into the random number function as a seed value in the server.
The one-time secret password is generated in a portable one-time secret password generator,
Wherein the one-time secret password input module receives the one-time secret password generated by the portable one-time secret password generator from the user.
Wherein the portable disposable secret password generator stores a secret hash value identical to the secret hash value generated by the secret hash value generation module,
The one-time secret password is a value generated in the portable one-time secret password generator by inputting the secret hash value and a time stamp into a random number function as a seed value.
The secret hash value generated by the secret hash value generation module is stored in an NFC card,
Wherein the user authentication key generation module generates the user authentication key by reading a secret hash value stored in the NFC card from the NFC card.
And a device authentication key generation module for storing a device authentication key generated by inputting unique information of the user device into a hash function as a seed value, and transmitting the device authentication key to the server for registration.
Wherein the device authentication key generation module comprises:
Transmits the stored device authentication key to the server after the device authentication key has been registered in the server.
And a program authentication key generation module for storing a program authentication key generated by inputting a time stamp, the device authentication key and the secret hash value into a hash function as a seed value, and transmitting the program authentication key to the server for registration.
Wherein the program authentication key generation module comprises:
And transmits the program authentication key stored in advance to the server, and receives a result of the comparison with the program authentication key stored in the server.
The disposable secret password input module includes:
An image registration module for receiving candidate images and their codes from the server, displaying the candidate images, transmitting the codes of the key image and the camouflage images selected by the user among the candidate images to the server without distinguishing them, and storing the code of the key image;
An image input module for receiving the key image, the camouflage images and their codes from the server, receiving candidate secret codes and their codes from the server, displaying at least two interfaces, displaying the key image and the camouflage images on one interface and the candidate secret codes received from the server on the remaining interface, and moving at least one interface according to the user's input; and
A one-time secret password extraction module for extracting, as the one-time secret password, the candidate secret code located on the remaining interface in the same orientation as the key image displayed on the one interface, based on the code of the key image stored in the image registration module.
Wherein the key image is at least two,
Wherein the image registration module further stores order information of the at least two key images,
Wherein the disposable secret password extraction module sequentially extracts the one-time secret password from the remaining interface based on the order information of the key image.
Wherein the at least two interfaces are concentric circle interfaces.
The disposable secret password input module includes:
An image registration module for receiving candidate images and their codes from the server, displaying the candidate images, and transmitting the codes of the key image and the camouflage images selected by the user among the candidate images to the server together with identification information of the key image;
An image input module for receiving the key image, the camouflage images, their codes and the identification information of the key image from the server, receiving candidate secret codes and their codes from the server, displaying at least two interfaces, displaying the key image and the camouflage images received from the server on one interface and the candidate secret codes received from the server on the remaining interface, and moving at least one interface according to the user's input; and
A one-time secret password extraction module for extracting, as the one-time secret password, the candidate secret code located on the remaining interface in the same orientation as the key image displayed on the one interface, based on the identification information of the key image received from the server.
Wherein the key image is at least two,
Wherein the image registration module further registers and transmits the order information of the key image to the server,
Wherein the image input module further receives sequence information of a key image from the server,
Wherein the one-time secret password extraction module sequentially extracts the one-time secret password from the remaining interface based on the identification information and the order information of the key image received from the server.
The disposable secret password input module includes:
An image registration module for receiving candidate images and their codes from the server, displaying the candidate images, and transmitting the codes of the key image and the camouflage images selected by the user among the candidate images to the server together with identification information of the key image;
An image input module for receiving the key image, the camouflage images and their codes from the server, receiving candidate secret codes and their codes from the server, displaying at least two interfaces, displaying the key image and the camouflage images on one interface and the candidate secret codes received from the server on the remaining interface, and moving at least one interface according to the user's input; and
A one-time secret password extraction module for extracting, upon receiving a movement completion input for the interface from the user, a code matrix of the images from the one interface and a code matrix of the candidate secret codes from the remaining interface as the one-time secret password.
A secret hash value registration module for receiving and registering a secret hash value generated by inputting a secret divisor input from a user as a seed value into a hash function;
A one-time secret password generation module for generating a one-time secret password; And
An authentication processing module for receiving a user authentication key from the user device, comparing the received user authentication key with a user authentication key generated by inputting the registered secret hash value and the generated one-time secret password into the hash function as a seed value, and authenticating the user according to the comparison result.
Wherein the one-time secret password generation module transmits the generated one-time secret password to a destination designated by the user,
Wherein the authentication processing module receives from the user device the user authentication key generated by inputting, as a seed value into the hash function, the one-time secret password transmitted to the destination and the secret hash value stored in the user device.
Wherein the one-time secret password generation module generates the one-time secret password by inputting the registered secret hash value and the time stamp into a random number function as a seed value.
Wherein the authentication processing module receives from the user device a user authentication key generated by inputting, as a seed value into a hash function, a one-time secret password generated by a portable one-time secret password generator and the secret hash value stored in the user device.
Wherein the portable disposable secret password generator stores a secret hash value equal to the registered secret hash value,
The disposable secret code generated by the portable disposable secret password generator is generated by inputting a secret hash value and a time stamp stored in the portable disposable secret password generator as a seed value into a random number function,
Wherein the one-time secret password generation module generates the one-time secret password by inputting the registered secret hash value and the time stamp as a seed value into the random number function.
The authentication processing module,
Receives from the user device a device authentication key generated by inputting unique information of the user device into a hash function as a seed value, registers the device authentication key, and at each authentication compares the device authentication key received from the user device with the registered device authentication key.
The authentication processing module,
Receives from the user device a program authentication key generated by inputting a time stamp, the device authentication key and the secret hash value into a hash function as a seed value, registers the program authentication key, and at each authentication compares the program authentication key received from the user device with the registered program authentication key.
The authentication processing module,
Transmitting the candidate image and the code of the candidate image to the user device, receiving the key image and the code of the camouflaged image selected by the user from the user device without discrimination,
Wherein at least two interfaces in which at least one interface is moved in accordance with a user's input are displayed in the user device during authentication and a key image and a camouflage image are displayed on one of the interfaces and a candidate secret code is displayed on the other interface, Transmitting the registered key image and the camouflage image and their codes, a candidate secret code and its code to the user device,
Wherein the user authentication key received from the user device is generated using a one-time secret password that the user device extracts, based on the code of the previously stored key image, as the candidate secret code located on the remaining interface in the same orientation as the key image displayed on the one interface.
The authentication processing module,
Transmitting the candidate image and the code of the candidate image to the user apparatus, receiving the code image of the key image selected by the user, the code of the camouflage image, and the key image discrimination information from the user apparatus,
Wherein at least two interfaces in which at least one interface is moved in accordance with a user's input are displayed in the user device during authentication and a key image and a camouflage image are displayed on one of the interfaces and a candidate secret code is displayed on the other interface, Transmitting the registered key image and the camouflage image together with the identification information of the code and the key image and the candidate secret code and the code thereof to the user device,
Wherein the user authentication key received from the user device is generated using a one-time secret password that the user device extracts, based on the identification information of the key image transmitted from the authentication processing module to the user device, as the candidate secret code located on the remaining interface in the same orientation as the key image displayed on the one interface.
The authentication processing module,
Transmitting the candidate image and the code of the candidate image to the user apparatus, receiving the code image of the key image selected by the user, the code of the camouflage image, and the key image discrimination information from the user apparatus,
Wherein at least two interfaces in which at least one interface is moved in accordance with a user's input are displayed in the user device during authentication and a key image and a camouflage image are displayed on one of the interfaces and a candidate secret code is displayed on the other interface, Transmits the registered key image and the camouflage image and their codes and a candidate secret code and its code to the user device,
Wherein the user authentication key received from the user device is generated using a one-time secret password that the user device extracts, when the at least one interface is moved, as the code matrix of the images of the one interface and the code matrix of the candidate secret codes of the remaining interface.
A user apparatus for generating and storing a secret hash value by inputting a secret divisor input from a user as a seed value into a hash function, and transmitting the secret hash value;
And an authentication server for receiving and registering the secret hash value transmitted from the user device, generating a one-time secret password, and transmitting the generated one-time secret password to a destination designated by the user,
The user device comprising:
Generating a user authentication key by inputting a one-time secret password inputted from a user and a secret hash value stored in the user device as a seed value in a hash function, and transmitting the user authentication key to the authentication server,
The authentication server generates a user authentication key by inputting the secret hash value received from the user device and registered, together with the generated one-time secret password, into a hash function as a seed value, and performs authentication processing by comparing the generated user authentication key with the user authentication key received from the user device.
A computer program stored on a medium for carrying out the method according to any one of claims 1 to 6.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150052631A KR20160122556A (en) | 2015-04-14 | 2015-04-14 | Apparatus and method for otp authentication |
PCT/KR2015/009523 WO2016039568A1 (en) | 2014-09-11 | 2015-09-10 | Device and method for user authentication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150052631A KR20160122556A (en) | 2015-04-14 | 2015-04-14 | Apparatus and method for otp authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20160122556A true KR20160122556A (en) | 2016-10-24 |
Family
ID=57256590
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150052631A KR20160122556A (en) | 2014-09-11 | 2015-04-14 | Apparatus and method for otp authentication |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20160122556A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20180131007A (en) * | 2017-05-31 | 2018-12-10 | 삼성에스디에스 주식회사 | Authentication apparatus and method for providing emm service |
WO2024045680A1 (en) * | 2022-08-31 | 2024-03-07 | 华为技术有限公司 | Device authentication method and related device |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20140106360A (en) | 2013-02-26 | 2014-09-03 | (주)이스톰 | System and Method for OTP authentication |
- 2015-04-14 KR KR1020150052631A patent/KR20160122556A/en (not active: application discontinuation)
Similar Documents
Publication | Title |
---|---|
US11764966B2 (en) | Systems and methods for single-step out-of-band authentication |
EP2798777B1 (en) | Method and system for distributed off-line logon using one-time passwords |
US10565357B2 (en) | Method for securely transmitting a secret data to a user of a terminal |
US10171428B2 (en) | Confidential data management method and device, and security authentication method and system |
US9727715B2 (en) | Authentication method and system using password as the authentication key |
US20160104154A1 (en) | Securing host card emulation credentials |
US9769154B2 (en) | Passcode operating system, passcode apparatus, and super-passcode generating method |
CN112425114B (en) | Password manager protected by public key-private key pair |
US20100186074A1 (en) | Authentication Using Graphical Passwords |
US9729545B2 (en) | Method and apparatus for managing passcode |
JP2019505941A (en) | One-time dynamic location authentication method and system, and one-time dynamic password change method |
CN111475832B (en) | Data management method and related device |
CN109075972B (en) | System and method for password anti-theft authentication and encryption |
US20190258829A1 (en) | Securely performing a sensitive operation using a non-secure terminal |
KR20160122556A (en) | Apparatus and method for otp authentication |
US11558375B1 (en) | Password protection with independent virtual keyboard |
US10911236B2 (en) | Systems and methods updating cryptographic processes in white-box cryptography |
CA2904646A1 (en) | Secure authentication using dynamic passcode |
EP3319001A1 (en) | Method for securely transmitting a secret data to a user of a terminal |
KR102005543B1 (en) | Apparatus and method for user authentication |
KR101746598B1 (en) | Apparatus for user authentication |
EP3319002B1 (en) | Method for securely performing a sensitive operation using a non-secure terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |