KR20160123069A - Unification Authentication Control Method for Terminal and Apparatus thereof - Google Patents


Publication number
KR20160123069A
Authority
KR
South Korea
Prior art keywords
service
authentication
terminal
server
information
Prior art date
Application number
KR1020150053126A
Other languages
Korean (ko)
Inventor
윤호선
박평구
류호용
신영수
홍성백
Original Assignee
한국전자통신연구원

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The present invention relates to an integrated authentication method for service use of a terminal and a device thereof and, specifically, to an integrated authentication method to combine network authentication, user authentication, and service authentication and to easily perform the authentication and a method thereof. The present invention comprises: a step of performing the network authentication and the user authentication with the terminal; a step of transmitting an accessible service list including service information regarding one or more services to the terminal if the network authentication and the user authentication are successfully performed; and a step of transmitting an authentication key regarding an arbitrary service to the terminal and service authentication information regarding the arbitrary service to a service authentication server if a request regarding the arbitrary service is received from the terminal. The service information regarding the one or more services, the authentication key, and the service authentication information are used to perform the service authentication regarding the arbitrary service by the terminal and the service authentication server.

Description

[0001] The present invention relates to an integrated authentication method and apparatus for a terminal, and more particularly, to an integrated authentication method and apparatus for integrating network authentication, user authentication, and service authentication.

In general, the types of authentication required in the process of accessing and using a specific service include network connection authentication, user authentication, and service authentication. The network connection authentication is an authentication procedure for confirming whether or not the terminal is authorized to access the network. After the network connection authentication is completed, the terminal can acquire the address. The user authentication is an authentication procedure for confirming authenticity of a specific user, and the service authentication is an authentication procedure for confirming whether or not the user is authorized to use the service.

Currently, most services perform network access authentication and user authentication first and then service authentication separately. Therefore, in order to use a service, separate user intervention for service authentication is required in addition to user intervention such as ID and password input for network connection authentication and user authentication. In addition, since service authentication is performed individually for each service used by the user, the user must perform cumbersome work. Furthermore, the user must periodically change or systematically manage the password used to authenticate to each service, and each service server must separately manage the user information and the password information, so the management burden increases under current service authentication.

SUMMARY OF THE INVENTION

The present invention has been made to solve the above problems, and it is an object of the present invention to provide an integrated authentication method and apparatus for a terminal capable of simultaneously performing network connection authentication, user authentication and service authentication through one authentication.

According to one aspect of the present invention, there is provided an integrated authentication method for a terminal, the method including: performing network authentication and user authentication with the terminal; when the network authentication and the user authentication are successful, transmitting to the terminal an accessible service list including service information for at least one service; and, when a request for an arbitrary service is received from the terminal, transmitting an authentication key for the arbitrary service to the terminal and service authentication information for the arbitrary service to a service authentication server. The service information for the at least one service, the authentication key, and the service authentication information are used by the terminal and the service authentication server to perform service authentication for the arbitrary service.

In addition, the integrated authentication apparatus of a terminal according to the present invention includes a communication unit that communicates with the terminal and the service authentication server, and a control unit that performs network authentication and user authentication with the terminal, transmits to the terminal an accessible service list including service information for at least one service when the network authentication and the user authentication are successful, and, when a request for an arbitrary service is received from the terminal, transmits an authentication key for the arbitrary service to the terminal and service authentication information for the arbitrary service to the service authentication server. The service information for the at least one service, the authentication key, and the service authentication information are used by the terminal and the service authentication server to perform service authentication for the arbitrary service.

According to another aspect of the present invention, there is provided an integrated authentication method for a terminal, comprising: receiving, from an integrated authentication control server, service authentication information for an arbitrary service requested by an arbitrary terminal; and, when a packet is received from the terminal, performing service authentication using the information included in the packet and the service authentication information, and transmitting the user data included in the packet to the service server providing the arbitrary service if the service authentication is successful.

According to another aspect of the present invention, there is provided an integrated authentication apparatus for a terminal, comprising: a communication unit that communicates with an integrated authentication control server, a terminal, and a service server that provides a service; and a control unit that receives from the integrated authentication control server service authentication information for an arbitrary service requested by the terminal, performs service authentication using the information included in a packet and the service authentication information when the packet is received from the terminal, and, if the service authentication is successful, controls transmission of the user data included in the packet to the service server providing the arbitrary service.

The integrated authentication method and apparatus of a terminal according to the present invention increase user convenience by performing network connection authentication, user authentication and service authentication through a single integrated authentication procedure, manage user information in an integrated manner, and reduce the cost associated with user management.

In addition, the integrated authentication method and apparatus of a terminal according to the present invention can perform service authentication using the content itself and improve security of service authentication through interworking with IPSec.

FIG. 1 is a diagram illustrating the structure of a network according to the present invention.
FIG. 2 is a view showing a physical structure of a terminal according to the present invention.
FIG. 3 is a diagram illustrating a logical structure of a terminal according to the present invention.
FIG. 4 is a diagram illustrating a physical structure of an integrated authentication control server according to the present invention.
FIG. 5 is a diagram illustrating a logical structure of an integrated authentication control server according to the present invention.
FIG. 6 is a diagram illustrating a physical structure of a service authentication system according to the present invention.
FIG. 7 is a diagram illustrating a logical structure of a service authentication system according to the present invention.
FIG. 8 is a flowchart illustrating an integrated authentication method according to the present invention.
FIG. 9 is a diagram illustrating a specific operation of the terminal in the integrated authentication method according to the present invention.
FIG. 10 is a diagram illustrating a specific operation of the integrated authentication control server and the service authentication system in the integrated authentication method according to the present invention.
FIG. 11 is a diagram specifically illustrating a packet processing method in the integrated authentication method according to the present invention.

In the description of the embodiments of the present invention, a detailed description of a related known structure or function may be omitted when it is determined that such description would obscure the gist of the present invention.

When an element is referred to herein as "connected" or "coupled" to another element, it should be understood that the element may be directly connected or coupled to the other element, or that other elements may exist between the element and the other element.

The terms "comprise", "include", "have", and the like, as used herein, are intended to indicate the presence of the disclosed features, operations, components, etc., and are not intended to limit the invention in any way. Also, in this specification, "include" or "having" is intended to designate the presence of stated features, integers, steps, operations, components, parts, or combinations thereof, unless the context clearly dictates otherwise, and does not preclude the presence or addition of one or more other features, integers, steps, operations, elements, parts, or combinations thereof.

As used herein, the singular forms "a", "an" and "the" include plural referents unless the context clearly dictates otherwise.

Hereinafter, the present invention will be described with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating the structure of a network according to the present invention.

Referring to FIG. 1, a network 100 according to the present invention includes an integrated authentication control server (UACS) 101, a terminal 102, a service authentication system (SAS) 103, and a service server 104.

The integrated authentication control server 101 controls integrated authentication that simultaneously performs network connection authentication, user authentication, and service authentication. To this end, the integrated authentication control server 101 may store and manage user information for user authentication, information on service list accessible to each user, service information, and the like. For each service, the service information includes a service ID (App ID), a service server address (IP address), and an authentication key for service authentication, which are generated as arbitrary values when a service is requested.

The terminal 102 may be a mobile terminal, a cellular phone, a smart phone, a personal digital assistant (PDA), a portable multimedia player (PMP), a tablet, a desktop PC, a notebook, or the like, and may include any electronic device that performs communication. The terminal 102 performs integrated authentication including user authentication and service authentication by carrying out an authentication procedure with the integrated authentication control server 101 and the service authentication system 103. To this end, the terminal 102 may include an agent for integrated authentication and a tunnel control module.

The service authentication system 103 performs a service authentication procedure with the integrated authentication control server 101 and the terminal 102. For this, the service authentication system 103 may include a service authentication module and a tunnel control module. The service authentication system 103 may be any device, server, or the like.

The service server 104 provides the corresponding service to the terminal 102 that has completed the service authentication. The service server 104 transmits and receives data for the service authentication system 103 and the terminal 102 to provide services to the terminal 102.

FIG. 2 is a view showing a physical structure of a terminal according to the present invention.

Referring to FIG. 2, the terminal 102 according to the present invention includes a communication unit 201, a control unit 202, an interface unit 203, and a storage unit 204.

The communication unit 201 performs wired / wireless communication with other devices. In various embodiments of the present invention, the communication unit 201 performs data communication with the integrated authentication control server 101 and the service authentication system 103 for user authentication and service authentication. The communication unit 201 can perform data communication with the integrated authentication control server 101 and the service authentication system 103 through a predetermined tunnel.

The control unit 202 controls each component of the terminal 102 for the integrated authentication operation according to the present invention. The control unit 202 performs user authentication with the integrated authentication control server 101 by transmitting and receiving user authentication information. Through the user authentication with the integrated authentication control server 101, the control unit 202 obtains a terminal IP address, the list of services accessible by the terminal 102, and an authentication key for each service. The control unit 202 generates service authentication information for a service and uses the authentication key and the service authentication information received from the integrated authentication control server 101 to perform service authentication with the service authentication system 103 and to transmit and receive data.

The specific operation of the control unit 202 will be described in more detail below.

The interface unit 203 provides an interface for user intervention in user authentication. The interface unit 203 outputs an input window for receiving authentication information from a user, or senses authentication information input by a user and delivers it to the control unit 202. In addition, the interface unit 203 receives a service use request from a user, or outputs the service list that the terminal 102 can access. To this end, the interface unit 203 may include at least one of a display, a touch screen, an input pad, an input button, and a voice input / output unit.

The storage unit 204 may store at least one program, data, and the like necessary for performing an operation according to an embodiment of the present invention. In various embodiments of the present invention, the storage 204 may store user authentication information, an accessible service list, service information, service authentication information, and the like.

FIG. 3 is a diagram illustrating a logical structure of a terminal according to the present invention.

Referring to FIG. 3, the terminal 102 may include an integrated authentication agent (UAA) 301 and a service authentication agent (SAA) 306.

The integrated authentication agent 301 performs control for user authentication with the integrated authentication control server 101. When the integrated authentication agent 301 is activated according to a user request, it can display an input window for receiving user authentication information. When the user authentication information is input through the input window, the integrated authentication agent 301 delivers it to the integrated authentication control server 101 and performs user authentication with the integrated authentication control server 101. When the user authentication is completed, the integrated authentication agent 301 requests the accessible service list of the terminal 102 from the integrated authentication control server 101, and can store and manage the accessible service list received from the integrated authentication control server 101. For the above operation, the integrated authentication agent 301 may include a tunnel control module 302, a service control module 303, and a communication module 304.

The tunnel control module 302 controls a tunnel between the terminal 102 and the service authentication system 103. In service authentication, the integrated authentication control server 101 and the service authentication system 103 use the terminal IP address, the service server IP address, and the service ID (App ID) included in a packet as the index when searching for the authentication key for service authentication. Accordingly, when the terminal IP address or the service server IP address included in a packet is changed from packet to packet by NAT (Network Address Translation) present in the network, the service authentication system 103 cannot retrieve the correct authentication key. The integrated authentication agent 301 therefore establishes, through the tunnel control module 302, a tunnel between the terminal 102 and the service authentication system 103 so that data communication can be performed without the terminal IP address and the service server IP address being changed by NAT or the like. In this way the integrated authentication agent 301 protects the index, so that the index value used when searching for the authentication key is not changed. The tunnels set up through the tunnel control module 302 may be of various types; in various embodiments of the present invention the tunnels may be IP-in-IP tunnels.

The service control module 303 manages a list of accessible services received from the integrated authentication control server 101, and outputs a service list according to a user request. The service list can be output in various forms such as icons, texts, and tables according to the type and environment setting of the terminal 102. The accessible service list is service information of each service, and may include a service ID (App ID), a service server IP address, and a service authentication system IP address. The service ID can be used as a representative value indicating the service, and is assigned to an arbitrary value every time the user authentication is performed.

The communication module 304 is a module for controlling the wired / wireless communication with another device, and performs communication with the integrated authentication control server 101 through a tunnel set by the tunnel control module 302.

In the service application area 305, applications of services available to the terminal 102 are stored.

The service authentication agent 306 performs control for service authentication with the service authentication system 103. The service authentication agent 306 can generate and manage the service authentication information used for service authentication, using user data and security information for service authentication. The service authentication agent 306 transmits the service authentication information to the service authentication system 103 to perform service authentication of the terminal 102. For the above operation, the service authentication agent 306 may include a service authentication information (SAI) generation module 307 and a communication module 308.

The service authentication information generation module 307 can generate and manage service authentication information based on the terminal IP address and the service information received from the integrated authentication control server 101, that is, the service server IP address and the service ID (App ID).

The communication module 308 is a module for controlling wired / wireless communication with other devices and performs communication with the service authentication system 103 through a tunnel set up by the tunnel control module 302.

The terminal 102 may include a separate tunnel setting module 309 in the kernel area and the tunnel setting module 309 may substantially create or remove the tunnel under the control of the tunnel control module 302.

FIG. 4 is a diagram illustrating a physical structure of an integrated authentication control server according to the present invention.

Referring to FIG. 4, the integrated authentication control server 101 according to the present invention may include a communication unit 401, a control unit 402, and a storage unit 403.

The communication unit 401 performs wired / wireless communication with other devices. In various embodiments of the present invention, the communication unit 401 performs data communication with the terminal 102 and the service authentication system 103 for user authentication and service authentication. The communication unit 401 can perform data communication with the terminal 102 through a predetermined tunnel.

The control unit 402 controls each component of the integrated authentication control server 101 for integrated authentication according to the present invention. The control unit 402 performs user authentication with the terminal 102 by transmitting and receiving user authentication information. Upon user authentication of the terminal 102, the control unit 402 assigns a terminal IP address to the terminal 102 and transmits to the terminal 102 the list of services accessible by the terminal 102 together with an authentication key for each service. In accordance with a service use request from the terminal 102, the control unit 402 transmits the service authentication information for that terminal 102 to the service authentication system 103 and to the terminal 102, so that service authentication can be performed.

The storage unit 403 may store at least one program, data, and the like necessary for performing an operation according to an embodiment of the present invention. In various embodiments of the present invention, the storage unit 403 may store user authentication information for each terminal, an accessible service list for each terminal, service information, service authentication information for each terminal, and the like.

FIG. 5 is a diagram illustrating a logical structure of an integrated authentication control server according to the present invention.

Referring to FIG. 5, the integrated authentication control server 101 may include a communication module 501, a user authentication module 502, a database 503, and a service authentication module 504.

The communication module 501 is a module for controlling wired / wireless communication with another device and communicates with the terminal 102 and the service authentication system 103 through a predetermined tunnel (security channel).

The user authentication module 502 performs control for user authentication with the terminal 102. The user authentication module 502 performs user authentication using the user authentication information for the corresponding terminal 102 and delivers the terminal IP address to that terminal 102 when the user authentication is completed. The terminal IP address can then be used as an identifier (ID) of the corresponding terminal 102. In one embodiment, when the integrated authentication control server 101 acts as a dynamic host configuration protocol (DHCP) server, the user authentication module 502 may allocate the terminal IP address to the terminal 102.

The database 503 may store user authentication information for each terminal, an IP pool, a list of accessible services for each terminal, service information, service authentication information for each terminal, and the like.

The service authentication module 504 performs the operations for service authentication between the terminal 102 and the service authentication system 103. Specifically, after the user authentication is completed, the service authentication module 504 transmits to the terminal 102 an accessible service list including service information and an authentication key for each service, and transmits the service authentication information (including the authentication key) to the service authentication system 103. The terminal 102 and the service authentication system 103 can perform service authentication using the information received from the service authentication module 504.

FIG. 6 is a diagram illustrating a physical structure of a service authentication system according to the present invention.

Referring to FIG. 6, the service authentication system 103 according to the present invention may include a communication unit 601 and a control unit 602.

The communication unit 601 performs wired / wireless communication with other devices. In various embodiments of the present invention, the communication unit 601 performs data communication with the integrated authentication control server 101 and the terminal 102 for service authentication. At this time, the communication unit 601 can perform data communication with the terminal 102 through a predetermined tunnel. In addition, the communication unit 601 can transmit / receive, to and from the service server 104, the user data for actual use of the service by a terminal 102 whose authentication has been completed.

The control unit 602 controls each component of the service authentication system 103 for service authentication according to the present invention. The control unit 602 receives the service authentication information for service authentication of the terminal 102 from the integrated authentication control server 101, and performs service authentication of the terminal 102 using the received service authentication information and the service authentication information received from the terminal 102. The control unit 602 performs service authentication for a packet when a packet for service use is received from the terminal, and transmits the user data included in the packet to the service server 104 when the service authentication is completed. The control unit 602 can set up or remove a tunnel for communication with the terminal 102 and the service server 104.

FIG. 7 is a diagram illustrating a logical structure of a service authentication system according to the present invention.

Referring to FIG. 7, the service authentication system 103 may include a service authentication verification module 701 (SAV).

The service authentication verification module 701 performs service authentication of the terminal 102. The service authentication verification module 701 receives the service authentication information for service authentication of the terminal 102 from the integrated authentication control server 101, and performs service authentication of the terminal 102 using the received service authentication information and the service authentication information received from the terminal 102. The service authentication verification module 701 performs service authentication for a packet when a packet for service use is received from the terminal, and transmits the user data included in the packet to the service server 104 when the service authentication is completed. The service authentication verification module 701 may include a communication module 702, a tunnel control module 703, a service verification module 704, and a packet reassembly module 705.

The communication module 702 is a module for controlling wired / wireless communication with other devices; it performs communication with the integrated authentication control server 101, and communicates with the terminal 102 through a predetermined tunnel (secure channel).

The tunnel control module 703 controls the tunnel between the terminal 102 and the service authentication system 103. The tunnel control module 703 controls the tunnel with the terminal 102 using the tunnel setting information received from the integrated authentication control server 101. The tunnel setting information may be included in information (e.g., the service authentication information) that the service verification module 704 receives from the integrated authentication control server 101; in this case, the tunnel control module 703 may receive the tunnel setting information from the service verification module 704. The tunnel control module 703 controls the tunnel between the terminal 102 and the service authentication system 103 based on the received tunnel setting information.

The service verification module 704 verifies the service use right of the terminal 102, that is, it performs the service authentication check. When a packet for service use is received from the terminal 102, the service verification module 704 performs verification using the service authentication information included in the packet. When the verification is completed, the service verification module 704 removes the service authentication information from the packet, performs the packet processing required by the change to the packet, such as checksum recalculation, and transmits the packet to the service server 104.

The packet reassembly module 705 fragments packets received from the terminal 102 and reassembles packets to be transmitted to the terminal 102. The packet reassembly module 705 extracts the service authentication information by splitting a packet received from the terminal 102, and adds the service authentication information to user data received from the service server 104 and merges them into a packet.
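The following is an added illustration, not code from the patent or from the assignee, of two points made above: the authentication-key index (terminal IP, service server IP, App ID) that NAT breaks unless an IP-in-IP tunnel protects the inner header (tunnel control module 302), and the service authentication system's verify-strip-recompute-checksum-forward step plus the reverse reassembly (modules 704 and 705). The patent does not specify how the service authentication information (SAI) is derived; the HMAC construction, the IP addresses and the App ID below are assumptions for the simulation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Optional

# Authentication keys issued by the UACS, indexed the way the description says the
# UACS and SAS index them: (terminal IP, service server IP, App ID). Each key is an
# arbitrary value generated when the service is requested.
AUTH_KEYS = {}


def issue_auth_key(terminal_ip: str, server_ip: str, app_id: int) -> bytes:
    """UACS side: generate a random per-request key and record it under its index."""
    key = os.urandom(32)
    AUTH_KEYS[(terminal_ip, server_ip, app_id)] = key
    return key


@dataclass(frozen=True)
class Packet:
    """Inner packet from the terminal: header fields, SAI, then user data."""
    src_ip: str        # terminal IP address (also the terminal's identifier)
    dst_ip: str        # service server IP address
    app_id: int        # service ID (App ID)
    sai: bytes         # service authentication information
    user_data: bytes


@dataclass(frozen=True)
class TunnelPacket:
    """IP-in-IP encapsulation: NAT on the path only rewrites the outer header."""
    outer_src: str
    outer_dst: str     # service authentication system IP address
    inner: Packet


def make_sai(key: bytes, terminal_ip: str, server_ip: str, app_id: int, data: bytes) -> bytes:
    # ASSUMPTION: the patent leaves the SAI construction open. Here it is an HMAC-SHA256
    # under the authentication key over the index fields and the user data, so the
    # content itself is bound to the service authentication.
    msg = f"{terminal_ip}|{server_ip}|{app_id}|".encode() + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def terminal_build_packet(key: bytes, terminal_ip: str, server_ip: str,
                          app_id: int, user_data: bytes) -> Packet:
    """Terminal side (SAI generation module 307): attach the SAI to the user data."""
    sai = make_sai(key, terminal_ip, server_ip, app_id, user_data)
    return Packet(terminal_ip, server_ip, app_id, sai, user_data)


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """NAT on an untunnelled packet rewrites the source address the SAS indexes on."""
    return replace(pkt, src_ip=public_ip)


def nat_rewrite_tunnel(tp: TunnelPacket, public_ip: str) -> TunnelPacket:
    """NAT on an IP-in-IP packet rewrites only the outer source; the inner header survives."""
    return replace(tp, outer_src=public_ip)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, recomputed after the SAI is stripped."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sas_verify_and_forward(pkt: Packet) -> Optional[dict]:
    """SAS side (modules 704/705): look up the key by index, verify the SAI, strip it,
    recompute the checksum and hand the user data to the service server.
    Returns None when the key cannot be found or the SAI does not verify."""
    key = AUTH_KEYS.get((pkt.src_ip, pkt.dst_ip, pkt.app_id))
    if key is None:
        return None  # index changed (e.g. by NAT): the correct key cannot be retrieved
    expected = make_sai(key, pkt.src_ip, pkt.dst_ip, pkt.app_id, pkt.user_data)
    if not hmac.compare_digest(expected, pkt.sai):
        return None  # header or content altered: service authentication fails
    return {"src": pkt.src_ip, "dst": pkt.dst_ip, "payload": pkt.user_data,
            "checksum": internet_checksum(pkt.user_data)}


def sas_reassemble_reply(server_ip: str, terminal_ip: str, app_id: int,
                         server_data: bytes) -> Optional[Packet]:
    """SAS side (module 705): add the SAI to user data coming back from the service server."""
    key = AUTH_KEYS.get((terminal_ip, server_ip, app_id))
    if key is None:
        return None
    sai = make_sai(key, terminal_ip, server_ip, app_id, server_data)
    return Packet(server_ip, terminal_ip, app_id, sai, server_data)


def run_scenario() -> dict:
    """Constructed sample: one terminal, one service, a NAT box on the path."""
    terminal_ip, server_ip, sas_ip, app_id = "10.0.0.7", "203.0.113.20", "203.0.113.10", 42
    key = issue_auth_key(terminal_ip, server_ip, app_id)
    pkt = terminal_build_packet(key, terminal_ip, server_ip, app_id, b"GET /video/1")
    direct = sas_verify_and_forward(pkt)
    natted = sas_verify_and_forward(nat_rewrite(pkt, "198.51.100.9"))
    tunnelled = nat_rewrite_tunnel(TunnelPacket(terminal_ip, sas_ip, pkt), "198.51.100.9")
    via_tunnel = sas_verify_and_forward(tunnelled.inner)
    tampered = sas_verify_and_forward(replace(pkt, user_data=b"GET /video/2"))
    reply = sas_reassemble_reply(server_ip, terminal_ip, app_id, b"200 OK")
    return {"direct": direct is not None, "natted": natted is not None,
            "via_tunnel": via_tunnel is not None, "tampered": tampered is not None,
            "forwarded": direct, "reply": reply}


if __name__ == "__main__":
    print(run_scenario())
```

Without the tunnel the NAT-rewritten source address no longer matches any key index, so the SAS rejects the packet even though the SAI itself is intact; with IP-in-IP the inner header, and hence the index, survives.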

The service authentication system 103 may include a separate tunnel configuration module 706 in the kernel area; the tunnel configuration module 706 actually generates or removes the tunnel under the control of the tunnel control module 703.

FIG. 8 is a flowchart illustrating an integrated authentication method according to the present invention.

Referring to FIG. 8, the integrated authentication control server 101 and the terminal 102 perform network connection authentication and user authentication (801), using user authentication information (for example, an ID and a password). When user authentication succeeds, the integrated authentication control server 101 allocates to the terminal 102 a terminal IP address and a network IP address; the network IP address is the one used when the packet is delivered over the real network. The terminal IP address is later used as the lookup key for the authentication key search when a service is used. The network IP address can generally be obtained via DHCP.

Then, the integrated authentication control server 101 and the terminal 102 form a secure channel (802). Secure channel formation can be done in the same way as TLS, IPSec, and so on.

When the secure channel is established, the terminal 102 requests the list of services it is allowed to access from the integrated authentication control server 101, and the integrated authentication control server 101 transmits the accessible service list to the terminal 102. The accessible service list request may include the terminal IP address and the network IP address. The integrated authentication control server 101 transmits the accessible service list corresponding to the terminal 102 to the terminal 102 based on the terminal IP address. The accessible service list may include, as service information, a service name, a service ID (App ID), a service server IP address, and a service authentication system IP address.

After that, when a service is started by a user request (804), the terminal 102 requests an authentication key for service authentication from the integrated authentication control server 101 (805). The authentication key request may be transmitted over the secure channel between the terminal 102 and the integrated authentication control server 101. In response to the request of the terminal 102, the integrated authentication control server 101 transmits service authentication information including the terminal IP address, the service server IP address, the service ID, and the authentication key to the service authentication system 103 (806). The integrated authentication control server 101 also transfers the authentication key to the terminal 102 (807). Here, the authentication key for service authentication may be set to a different value for each service, and the authentication key may be deleted once the terminal 102 has used the service.

The terminal 102 adds tunnel-related information and service authentication information to the user data for service use to generate a packet for use of the service (808), and transmits the packet to the service authentication system (809). The service authentication information that the terminal 102 adds to the packet may be configured to include the service information and the authentication key received from the integrated authentication control server 101.

The service authentication system 103 receiving the packet removes the tunnel-related information included in the packet, extracts the service authentication information, and performs the service authentication procedure (810). The service authentication system 103 can perform the service authentication procedure by comparing the service authentication information received from the integrated authentication control server 101 with the service authentication information included in the packet received from the terminal 102. When service authentication succeeds, the service authentication system 103 transfers the user data to the service server 104 (811).

The service server 104 generates user data for providing a service to the terminal 102 based on the user data, and transmits the generated user data to the service authentication system 103 (812). The service authentication system 103 generates a packet by adding a tunnel to the received user data (813), and transmits it to the terminal 102 (813). That is, the packet transmitted from the service server 104 to the terminal 102 may not include the service authentication information, and the service authentication system 103 may not perform a separate service authentication procedure for the packet.

The terminal 102 removes the tunnel from the received packet (815) and obtains the user data included in the packet, so that the terminal 102 can receive data related to the service provision from the service server 104.

According to the embodiment of the present invention, the terminal 102 performs network authentication and user authentication with the integrated authentication control server 101, acquires an authentication key for service authentication from the integrated authentication control server 101, and transmits the user data for actual service use together with the authentication key to the service authentication system 103. Since the integrated authentication control server 101 delivers the service authentication information for the terminal 102 that has completed user authentication to the service authentication system 103, integrated authentication can be performed without requiring the user to intervene repeatedly for service authentication.

FIG. 9 is a diagram illustrating a specific operation of the terminal in the integrated authentication method according to the present invention. In FIG. 9, the dotted line indicates transmission/reception of control messages, and the solid line indicates transmission/reception of user data. The operations described below can be controlled through the control unit 202 of the terminal 102, and transmission and reception of control messages or user data can be performed through the communication unit 201 under the control of the control unit 202.

Referring to FIG. 9, the terminal 102 performs network authentication and user authentication with the integrated authentication control server 101 through the communication module 304 of the integrated authentication agent 301 (901). Through the network authentication and the user authentication, the terminal 102 obtains the terminal IP address, which can be used as the identification information of the terminal 102, and the network IP address used for network packet transmission and reception.

Then, the terminal 102 requests the accessible service list of the terminal 102 through the communication module 304 of the integrated authentication agent 301 (902). The accessible service list request may include a terminal IP address and a network IP address for identifying the corresponding terminal 102. The terminal 102 receives the accessible service list from the integrated authentication control server 101 through the communication module 304 of the integrated authentication agent 301 (903). The accessible service list may include service information for each service, and the service information may include a service ID (App ID) for the service, a service server IP address, and a service authentication system IP address.

The information received through the communication module 304 is transmitted 904 to the tunnel control module 302 and the service control module 303. The tunnel control module 302 generates tunnel configuration information using the received information, and transmits the tunnel configuration information to the tunnel configuration module 309 of the kernel area to generate a tunnel (905). The service control module 303 outputs the service list 907 that can be accessed by using the received information so that the user can confirm it (906). A service ID may be included in the accessible service list 907 to be outputted. When the user selects a service to be actually used through the interface unit 203 in operation 907, the terminal 102 transmits a service ID of the service to the service authentication agent 306 to notify that the service use is requested 908.

The terminal 102 requests an authentication key for the service from the integrated authentication control server 101 through the communication module 308 of the service authentication agent 306 (909). The integrated authentication control server 101 transmits the service authentication information for the service to the service authentication system 103, and transmits the authentication key to the service authentication agent 306 through the communication module 308 of the service authentication agent 306 (911). The service authentication information may include a terminal IP address, a service server IP address, a service ID, and an authentication key.

The service authentication agent 306 notifies the corresponding service application 305 that the service is ready for use (912). The service application 305 forwards the actual user data to be transmitted to the service server 104 for use of the service to the service authentication agent 306 (913).

The service authentication information generation module 307 of the service authentication agent 306 generates service authentication information using the information received through the tunnel control module 302 and the service control module 303 together with the authentication key, and delivers the resulting packet to the tunnel setting module 309 of the kernel area (914). The packet is transmitted to the service authentication system 103 through the tunnel generated by the tunnel setting module 309 (915). When the service authentication system 103 completes service authentication, it removes the service authentication information and forwards the user data to the service server 104 (916).

FIG. 10 is a diagram illustrating a specific operation of the integrated authentication control server and the service authentication system in the integrated authentication method according to the present invention. In FIG. 10, the dotted line indicates transmission/reception of control messages, and the solid line indicates transmission/reception of user data. The operations described below can be controlled through the control units 402 and 602 of the integrated authentication control server 101 and the service authentication system 103, respectively, and transmission and reception of control messages or user data can be performed through the communication units 401 and 601 under the control of the control units 402 and 602.

In FIG. 10, steps 1001, 1002, 1003, 1004, and 1007 are the same as steps 901, 902, 903, 909, 910, 911, 915 in FIG. 9, respectively.

When step 1004 is completed, the terminal 102 is ready to transmit a packet for service use, and the integrated authentication control server 101 and the service authentication system 103 are both ready for service authentication.

The service verification module 704 of the service authentication verification module 701 transmits the terminal IP address, the network IP address, the service server IP address, and the like, from among the information received through the communication module 702, to the tunnel control module 703 (1005). The tunnel control module 703 generates tunnel configuration information based on the received information, and transmits the tunnel configuration information to the tunnel configuration module 706 of the kernel area to generate a tunnel (1006).

When a packet is received through the tunnel setting module 706 in the kernel area, the packet with its tunnel removed is transferred to the packet reassembly module 705 (1008); the packet reassembly module 705 divides the packet and transmits the service authentication information to the service verification module 704 (1009).

The service verification module 704 performs service authentication using the service authentication information; when service authentication succeeds, it removes the service authentication information from the packet and then carries out the additional processing that the packet modification requires. The service verification module 704 then transmits the resulting packet to the service server 104 through the tunnel setting module 706 of the kernel area (1010, 1011).

FIG. 11 is a diagram specifically illustrating the packet processing method in the integrated authentication method according to the present invention.

Referring to FIG. 11, the service application 305 generates service data 1101 according to a user request. The service data 1101 may include application data (user data) and a service ID (App ID). The terminal 102 may store the service information and the authentication key received from the integrated authentication control server 101, for example in the form of the authentication key search table 1102 shown in FIG. 11. Using the service ID (App ID) included in the service data 1101, the terminal 102 obtains from the table 1102 the terminal IP address, the service server IP address, and the authentication key corresponding to that service ID.

The terminal 102 generates service authentication information using the obtained information, and generates a raw data packet 1103 from the service data 1101 and the service authentication information. The raw data packet 1103 includes the application data (the service data 1101 with the service ID removed), the service authentication information, and the terminal IP (C) and service server IP (S) obtained from the authentication key search table 1102.

The service authentication information may include an HMAC 1104, a sequence number (SN) 1105, a service ID (App ID) 1106, and the like. The HMAC 1104 may be computed over the terminal IP address, the service server IP address, the application data, the sequence number (SN), and the service ID (App ID), together with the authentication key. The authentication key may be included as a value hashed with any of various hash algorithms that have been verified to be secure, including SHA. The sequence number (SN) 1105 is used to prevent retransmission (replay) attacks.

The terminal 102 transmits the generated raw data packet 1103 to the kernel area (1107). Tunnel configuration information 1108 may be stored in the kernel area. The tunnel configuration information 1108 is indexed by source IP C and destination IP S, that is, by the terminal IP address C and the service server IP address S included in the packet received by the kernel area. In the tunnel configuration information 1108, OP indicates the operation mode, EN indicates encapsulation, and DE indicates decapsulation. Based on this tunnel information, the kernel area generates a final packet 1109 with the tunnel added.

The generated final packet 1109 is transmitted to the service authentication system 103. Tunnel configuration information 1110 can be stored in the kernel area of the service authentication system 103. When the packet 1109 is received, the kernel searches the table using the tunnel addresses in the packet header, that is, the source IP (C) and the destination IP (SA), as indexes, and removes the tunnel from the packet. The kernel area transfers the tunnel-removed packet 1111 to the service authentication verification module 701.

The service authentication verification module 701 looks up the authentication key for the service in the key search table 1112, using the service ID, the terminal IP address, and the service server IP address included in the packet 1111 received from the kernel area as the index, and performs service authentication with the extracted key. It compares the HMAC 1113 carried in the packet 1111 with an HMAC it calculates over the terminal IP address, the service server IP address, the application data, the sequence number, and the service ID (App ID) included in the packet 1111, using the authentication key extracted from the key search table 1112. If the two match, authentication succeeds; otherwise it fails. When authentication succeeds, the service authentication verification module 701 transfers the packet containing the application data 1114 to the service server 104.
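The following Python model is an added illustration, not code from the patent: it covers the key issuance of steps 805-807 (one key per terminal/service pair, delivered to both the terminal's table 1102 and the service authentication system's table 1112) and the FIG. 11 packet path, building the raw data packet with HMAC, SN and App ID and verifying it with a constant-time HMAC comparison and a strictly increasing sequence-number check. The byte layout, HMAC-SHA256 with the authentication key as the HMAC key, and all addresses are assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

# Constructed field layout for the raw data packet 1103 (an assumption; the
# patent names HMAC 1104, SN 1105 and App ID 1106 but fixes no encoding):
#   HMAC (32 bytes) | SN (4 bytes, big-endian) | App ID (2 bytes) | application data
HMAC_LEN = 32
HDR = struct.Struct("!IH")  # sequence number, App ID


def compute_hmac(key: bytes, term_ip: str, srv_ip: str, app_data: bytes,
                 sn: int, app_id: int) -> bytes:
    """HMAC 1104 over the fields the text lists: terminal IP, service server IP,
    application data, SN and App ID, keyed with the per-service authentication
    key. HMAC-SHA256 is assumed; the patent only requires a secure hash."""
    msg = b"|".join([term_ip.encode(), srv_ip.encode(), HDR.pack(sn, app_id), app_data])
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Terminal:
    """Terminal 102: holds table 1102 (App ID -> terminal IP, service IP, key)."""
    key_table: dict = field(default_factory=dict)
    sn: int = 0

    def build_packet(self, app_id: int, app_data: bytes):
        """Service data 1101 -> raw data packet 1103; returns (C, S, packet)."""
        term_ip, srv_ip, key = self.key_table[app_id]
        self.sn += 1  # SN 1105 must never repeat under one key, or replay checks fail
        tag = compute_hmac(key, term_ip, srv_ip, app_data, self.sn, app_id)
        return term_ip, srv_ip, tag + HDR.pack(self.sn, app_id) + app_data


@dataclass
class ServiceAuthSystem:
    """Service authentication system 103: key search table 1112 plus replay state."""
    key_table: dict = field(default_factory=dict)  # (C, S, App ID) -> key
    last_sn: dict = field(default_factory=dict)    # (C, S, App ID) -> highest SN seen

    def verify(self, term_ip: str, srv_ip: str, packet: bytes):
        """Authenticate a tunnel-stripped packet 1111. Returns the application
        data 1114 to forward to the service server, or None on failure."""
        if len(packet) < HMAC_LEN + HDR.size:
            return None
        tag = packet[:HMAC_LEN]
        sn, app_id = HDR.unpack_from(packet, HMAC_LEN)
        app_data = packet[HMAC_LEN + HDR.size:]
        idx = (term_ip, srv_ip, app_id)
        key = self.key_table.get(idx)
        if key is None:
            return None  # no authentication key issued for this terminal/service pair
        expected = compute_hmac(key, term_ip, srv_ip, app_data, sn, app_id)
        if not hmac.compare_digest(tag, expected):
            return None  # HMAC mismatch: wrong key or modified fields
        if sn <= self.last_sn.get(idx, 0):
            return None  # SN not increasing: retransmitted (replayed) packet
        self.last_sn[idx] = sn
        return app_data  # service authentication information stripped; forward


class IntegratedAuthControlServer:
    """Server 101: issues a per-service key to both sides (steps 805-807)."""

    def issue_key(self, term_ip: str, srv_ip: str, app_id: int,
                  terminal: Terminal, sa_system: ServiceAuthSystem) -> bytes:
        key = os.urandom(32)  # a different key per service, as the text allows
        # 806: service authentication information (C, S, App ID, key) to system 103
        sa_system.key_table[(term_ip, srv_ip, app_id)] = key
        # 807: authentication key and service info to the terminal's table 1102
        terminal.key_table[app_id] = (term_ip, srv_ip, key)
        return key


def demo():
    """Constructed sample run: one good packet, one replay, one tampered packet."""
    server, terminal, sa = IntegratedAuthControlServer(), Terminal(), ServiceAuthSystem()
    server.issue_key("10.0.0.2", "10.0.1.5", 7, terminal, sa)   # constructed addresses
    c, s, pkt = terminal.build_packet(7, b"GET /inbox")
    first = sa.verify(c, s, pkt)                                # b"GET /inbox"
    replay = sa.verify(c, s, pkt)                               # None: SN already seen
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    modified = sa.verify(c, s, tampered)                        # None: HMAC mismatch
    return first, replay, modified


if __name__ == "__main__":
    print(demo())
```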

According to the present invention described above, the following effects can be obtained.

First, the terminal 102 can simultaneously perform user authentication and service authentication through one authentication. After the user authentication is completed, the integrated authentication control server 101 provides a list of accessible services that can be accessed by a specific user, and the list of services includes a service ID (App ID) representing a specific service. When a specific service is desired to be used, the terminal 102 can receive the authentication key for authenticating a specific service from the integrated authentication control server 101 and utilize it for the authentication procedure. That is, the terminal 102 can perform the service authentication procedure without further intervention of the user in the service authentication.

Second, according to the present invention, authentication information managed for each service can be integrally managed. Generally, in order to access the service, it is necessary to use the authentication information managed for each service and manage the corresponding information for each service. However, the method proposed by the present invention has an advantage that the authentication information can be integrally managed.

Third, according to the present invention, safety is improved by using the content itself for service authentication. In the conventional method, service authentication is performed once by receiving an ID and a password, and thereafter no service authentication is performed on the actual user data. In the present invention, by contrast, the service authentication procedure is performed on every data packet, which improves security.

Fourth, in the present invention, safety can be improved through interworking with IPSec. With IPSec, after a packet is decrypted at the gateway, the packet can freely attempt to access a particular system. That is, if IPSec is used, there is a danger that the packet can be delivered to the destination IP address included in the decrypted packet. However, in the case where IPSec is interworked with the scheme proposed in the present invention, there is an advantage that data can be protected by IPSec and access to the system can be controlled by the method proposed in the present invention.

It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to provide further explanation of the invention as claimed. Accordingly, all changes or modifications derived from the technical idea of the present invention should be construed as falling within the scope of the present invention.

100: Network
101: Integrated authentication control server
102: Terminal
103: Service authentication system
104: Service server

Claims (20)

1. A method comprising:
performing network authentication and user authentication with a terminal;
if the network authentication and the user authentication are successful, transmitting an accessible service list including service information for at least one service to the terminal; and
when a request for an arbitrary service is received from the terminal, transmitting an authentication key for the arbitrary service to the terminal and transmitting service authentication information for the arbitrary service to a service authentication server,
wherein the service information, the authentication key, and the service authentication information for the at least one service are used by the terminal and the service authentication server to perform service authentication for the arbitrary service.
2. The method according to claim 1,
wherein the service information includes a service ID corresponding to the arbitrary service and a service server IP address, and the service authentication information includes a terminal IP address corresponding to the terminal, the service ID corresponding to the arbitrary service, the service server IP address, and the authentication key corresponding to the arbitrary service.
3. The method according to claim 2,
wherein the terminal IP address is assigned to the terminal through the network authentication and the user authentication.
4. The method according to claim 1,
wherein the service information and the authentication key are used by the terminal to transmit user data to the service authentication server, and
the service authentication information is used by the service authentication server to perform the service authentication by comparing the service information and the authentication key with the service authentication information.
5. The method according to claim 1,
wherein the service information and the service authentication information are used for establishing a tunnel between the terminal and the service authentication server.
6. An apparatus comprising:
a communication unit for performing communication with a terminal and a service authentication server; and
a control unit for performing network authentication and user authentication with the terminal, transmitting an accessible service list including service information for at least one service to the terminal when the network authentication and the user authentication are successful, and, when a request for an arbitrary service is received from the terminal, transmitting an authentication key for the arbitrary service to the terminal and controlling transmission of service authentication information for the arbitrary service to the service authentication server,
wherein the service information, the authentication key, and the service authentication information for the at least one service are used by the terminal and the service authentication server to perform service authentication for the arbitrary service.
7. The apparatus according to claim 6,
wherein the service authentication information includes an IP address for the terminal, a service ID for the arbitrary service, a service server IP address for the service server, and an authentication key for the service.
8. The apparatus according to claim 7,
wherein the terminal IP address is allocated to the terminal through the network authentication and the user authentication.
9. The apparatus according to claim 6,
wherein the service information and the authentication key are used by the terminal to transmit user data to the service authentication server, and
the service authentication information is used by the service authentication server to perform the service authentication by comparing the service information and the authentication key with the service authentication information.
10. The apparatus according to claim 6,
wherein the service information and the service authentication information are used for establishing a tunnel between the terminal and the service authentication server.
11. A method comprising:
receiving service authentication information for an arbitrary service requested by a terminal from an integrated authentication control server;
when a packet is received from the terminal, performing service authentication using the information included in the packet and the service authentication information; and
transmitting the user data included in the packet to a service server providing the arbitrary service if the service authentication is successful.
12. The method according to claim 11,
wherein the service authentication information includes a terminal IP address corresponding to the terminal, a service ID corresponding to the arbitrary service, a service server IP address, and an authentication key corresponding to the arbitrary service.
13. The method according to claim 12,
wherein the terminal IP address is assigned to the terminal through network authentication and user authentication between the integrated authentication control server and the terminal.
14. The method according to claim 11, wherein performing the service authentication comprises:
obtaining a terminal IP address, a service ID, a service server IP address, and an authentication key included in the packet;
extracting an authentication key corresponding to the terminal IP address, the service ID, and the service server IP address from the service authentication information; and
comparing the authentication key obtained from the packet with the authentication key extracted from the service authentication information to perform the service authentication.
15. The method according to claim 11,
further comprising setting a tunnel with the terminal based on a terminal IP address, a service ID, and a service server IP address included in the packet.
16. An apparatus comprising:
a communication unit for communicating with an integrated authentication control server, a terminal, and a service server providing a service; and
a control unit for receiving service authentication information for an arbitrary service requested by the terminal from the integrated authentication control server, performing service authentication using the information included in a packet and the service authentication information when the packet is received from the terminal, and controlling the user data included in the packet to be transmitted to a service server that provides the arbitrary service if the service authentication is successful.
17. The apparatus according to claim 16,
wherein the service authentication information includes at least one of a terminal IP address corresponding to the terminal, a service ID corresponding to the arbitrary service, a service server IP address, and an authentication key.
18. The apparatus according to claim 17,
wherein the terminal IP address is assigned to the terminal through network authentication and user authentication between the integrated authentication control server and the terminal.
19. The apparatus according to claim 16,
wherein the control unit acquires a terminal IP address, a service ID, a service server IP address, and an authentication key included in the packet, extracts an authentication key corresponding to the terminal IP address, the service ID, and the service server IP address from the service authentication information, and compares the authentication key obtained from the packet with the authentication key extracted from the service authentication information to perform the service authentication.
20. The apparatus according to claim 16,
wherein the control unit establishes a tunnel with the terminal based on a terminal IP address, a service ID, and a service server IP address included in the packet.
KR1020150053126A 2015-04-15 2015-04-15 Unification Authentication Control Method for Terminal and Apparatus thereof KR20160123069A (en)

Publications (1)

Publication Number Publication Date
KR20160123069A true KR20160123069A (en) 2016-10-25

Family

ID=57446488


Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106507357A (en) * 2016-12-30 2017-03-15 广东欧珀移动通信有限公司 A kind of connection control method, and terminal device
KR20180100995A (en) * 2017-03-03 2018-09-12 주식회사 와임 Method and system for processing user authentication
KR102119257B1 (en) * 2019-09-24 2020-06-26 프라이빗테크놀로지 주식회사 System for controlling network access of terminal based on tunnel and method thereof
WO2021060858A1 (en) * 2019-09-24 2021-04-01 프라이빗테크놀로지 주식회사 System for controlling network access of node on basis of tunnel and data flow, and method therefor
WO2021060859A1 (en) * 2019-09-24 2021-04-01 프라이빗테크놀로지 주식회사 System for authenticating and controlling network access of terminal, and method therefor
US11082256B2 (en) 2019-09-24 2021-08-03 Pribit Technology, Inc. System for controlling network access of terminal based on tunnel and method thereof
US11190494B2 (en) 2019-09-24 2021-11-30 Pribit Technology, Inc. Application whitelist using a controlled node flow
US11271777B2 (en) 2019-09-24 2022-03-08 Pribit Technology, Inc. System for controlling network access of terminal based on tunnel and method thereof
US11381557B2 (en) 2019-09-24 2022-07-05 Pribit Technology, Inc. Secure data transmission using a controlled node flow
KR20220121320A (en) * 2021-02-25 2022-09-01 유동호 System for authenticating user and device totally and method thereof
WO2022235007A1 (en) * 2021-05-07 2022-11-10 프라이빗테크놀로지 주식회사 Controller-based network access control system, and method thereof
WO2023033585A1 (en) * 2021-09-02 2023-03-09 프라이빗테크놀로지 주식회사 Tunneling and gateway access system optimized for distributed gateway environment, and method related thereto
US11652801B2 (en) 2019-09-24 2023-05-16 Pribit Technology, Inc. Network access control system and method therefor
WO2023146304A1 (en) * 2022-01-26 2023-08-03 프라이빗테크놀로지 주식회사 System for controlling file transmission and reception of application and method for same

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106507357A (en) * 2016-12-30 2017-03-15 广东欧珀移动通信有限公司 A kind of connection control method, and terminal device
CN106507357B (en) * 2016-12-30 2020-01-14 Oppo广东移动通信有限公司 Access control method and terminal equipment
KR20180100995A (en) * 2017-03-03 2018-09-12 주식회사 와임 Method and system for processing user authentication
WO2021060859A1 (en) * 2019-09-24 2021-04-01 프라이빗테크놀로지 주식회사 System for authenticating and controlling network access of terminal, and method therefor
US11082256B2 (en) 2019-09-24 2021-08-03 Pribit Technology, Inc. System for controlling network access of terminal based on tunnel and method thereof
KR102206562B1 (en) * 2019-09-24 2021-01-22 프라이빗테크놀로지 주식회사 System for managing control flow for remote execution code based node and method thereof
WO2021060858A1 (en) * 2019-09-24 2021-04-01 프라이빗테크놀로지 주식회사 System for controlling network access of node on basis of tunnel and data flow, and method therefor
WO2021060857A1 (en) * 2019-09-24 2021-04-01 프라이빗테크놀로지 주식회사 System for remote execution code-based node control flow management, and method therefor
KR102119257B1 (en) * 2019-09-24 2020-06-26 프라이빗테크놀로지 주식회사 System for controlling network access of terminal based on tunnel and method thereof
KR20210045917A (en) * 2019-09-24 2021-04-27 프라이빗테크놀로지 주식회사 System for controlling network access of node based on tunnel and data flow and method thereof
KR102137773B1 (en) * 2019-09-24 2020-07-24 프라이빗테크놀로지 주식회사 System for transmitting secure data via security application and method thereof
US11190494B2 (en) 2019-09-24 2021-11-30 Pribit Technology, Inc. Application whitelist using a controlled node flow
US11271777B2 (en) 2019-09-24 2022-03-08 Pribit Technology, Inc. System for controlling network access of terminal based on tunnel and method thereof
US11381557B2 (en) 2019-09-24 2022-07-05 Pribit Technology, Inc. Secure data transmission using a controlled node flow
US11652801B2 (en) 2019-09-24 2023-05-16 Pribit Technology, Inc. Network access control system and method therefor
KR20220121320A (en) * 2021-02-25 2022-09-01 유동호 System for authenticating user and device totally and method thereof
WO2022235007A1 (en) * 2021-05-07 2022-11-10 프라이빗테크놀로지 주식회사 Controller-based network access control system, and method thereof
WO2023033585A1 (en) * 2021-09-02 2023-03-09 프라이빗테크놀로지 주식회사 Tunneling and gateway access system optimized for distributed gateway environment, and method related thereto
WO2023146304A1 (en) * 2022-01-26 2023-08-03 프라이빗테크놀로지 주식회사 System for controlling file transmission and reception of application and method for same

Similar Documents

Publication Title
KR20160123069A (en) Unification Authentication Control Method for Terminal and Apparatus thereof
EP3320523B1 (en) Method and device for authentication using dynamic passwords
CN103873454B (en) Authentication method and equipment
US8763101B2 (en) Multi-factor authentication using a unique identification header (UIDH)
US8549588B2 (en) Systems and methods for obtaining network access
US8191124B2 (en) Systems and methods for acquiring network credentials
EP2314090B1 (en) Portable device association
JP5784827B2 (en) Authentication system via two communication devices
US9374360B2 (en) System and method for single-sign-on in virtual desktop infrastructure environment
CN111050314A (en) Client registration method, device and system
US10050944B2 (en) Process to access a data storage device of a cloud computer system with the help of a modified Domain Name System (DNS)
CN103067158A (en) Encryption and decryption method, terminal device, gateway device and key management system
CN112559993B (en) Identity authentication method, device and system and electronic equipment
DK2924944T3 (en) Presence authentication
JP2013503514A (en) Service access method, system and apparatus based on WLAN access authentication
EP2060050A2 (en) Systems and methods for acquiring network credentials
JP2022519743A (en) How to authenticate users using blockchain, systems, and media
CN101998407B (en) WLAN access authentication based method for accessing services
CN113038192B (en) Video processing method and device, electronic equipment and storage medium
WO2017007767A1 (en) Method and device for authentication using dynamic passwords
US11070978B2 (en) Technique for authenticating a user device
WO2014201783A1 (en) Encryption and authentication method, system and terminal for ad hoc network
KR101900060B1 (en) Security element operating with wireless router, the wireless router, and method of forming internet network using the security element
CN112242976B (en) Identity authentication method and device
CN112106376A (en) Universal streaming media device configured as a set-top box