KR20170001633A - Tokenization-based encryption key managemnent sytem and method - Google Patents


Info

Publication number
KR20170001633A
Authority
KR
South Korea
Prior art keywords
token
key
secret key
user terminal
secret
Prior art date
Application number
KR1020160078885A
Other languages
Korean (ko)
Inventor
박준후
강지훈
류재철
Original Assignee
충남대학교산학협력단
Priority date
2015-06-25
Filing date
2016-06-23
Publication date
2017-01-04
Applicant
충남대학교산학협력단

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The present invention relates to a tokenization-based encryption key management system and a method thereof. According to an embodiment of the present invention, the encryption key management system includes: a token generation unit which is connected to a user terminal over a wired or wireless communication network, receives an encryption key transmitted from the user terminal, and generates a token corresponding to the received encryption key; a first database which stores the received encryption key and the generated token; and an encryption key management unit which receives a token transmitted from the user terminal, searches for the encryption key corresponding to the received token, and transmits that encryption key to the user terminal.

Description

TECHNICAL FIELD

[0001] The present invention relates to a tokenization-based secret key management system and method.

As the importance of privacy has increased, the need to encrypt personal data has grown not only for large corporations but also for small business owners and the self-employed. Encryption relies on public algorithms for its security measures, so it is very important to securely manage the encryption key (secret key) when data is actually encrypted and stored. That is, even if the data is encrypted, an information leakage incident can occur through leakage of the encryption key (secret key) if that key cannot be managed safely. For this reason, encryption keys must be managed separately by introducing an encryption key management solution alongside the encryption solution.

However, a conventional data encryption and encryption key management solution consists of a user terminal, a certification authority, a registration authority, and a trusted authority. The certification authority generates a half secret key for the user and registers it in a public directory; the user then selects their own half secret key, must send a blind decryption request to the certification authority to obtain the authority's half secret key, and finally derives the complete secret key from the certification authority's half and the user's half. The number of operations that the user terminal and the certification authority must process is therefore large, and the structure is complicated. In addition, it is costly for small business owners or small businesses to purchase both a data encryption solution and an encryption key management solution.

An object of an embodiment of the present invention is to provide a system and method for managing a secret key used for encrypting personal information using a tokenizing technique.

Embodiments according to the present invention can be used to accomplish other tasks not specifically mentioned other than the above-described tasks.

According to an embodiment of the present invention, a secret key management system is proposed that includes: a token generation unit which is connected to a user terminal through a wired or wireless communication network, receives a secret key transmitted from the user terminal, and generates a token corresponding to the received secret key; a first database which stores the received secret key and the generated token; and a secret key management unit which receives a token transmitted from the user terminal, searches for the secret key corresponding to the received token, and transmits that secret key to the user terminal.

The system may further include a first encryption key generator which generates a first public key and a first private key and transmits the generated first public key to the user terminal, and the first database may further store the generated first public key, the first private key, and a second public key transmitted from the user terminal.

The token generating unit may include a first secret key receiving unit which receives the secret key transmitted from the user terminal and verifies the digital signature of the received secret key using the second public key, a first decrypting unit which decrypts the signature-verified secret key using the first private key, and a first token transmitting unit which generates a token corresponding to the decrypted secret key and transmits the token to the user terminal.

The first token transmitting unit may encrypt the generated token using the second public key, sign it using the first private key, and transmit the signed token to the user terminal.

The token generating unit may encrypt the received secret key through the first public key and store the encrypted secret key in the first database.

The secret key management unit may include a first token receiving unit which receives the token transmitted from the user terminal and verifies the digital signature of the received token using the second public key, a second decrypting unit which decrypts the signature-verified token using the first private key, a secret key search unit which searches for the secret key corresponding to the decrypted token, and a first encrypting unit which encrypts the retrieved secret key using the second public key, signs it using the first private key, and transmits it to the user terminal.

According to another aspect of the present invention, there is provided a secret key management method using a secret key management system connected to a user terminal through a wired or wireless communication network, the method including: generating a first public key and a first private key; receiving and storing a second public key from the user terminal; receiving a secret key transmitted from the user terminal; and generating a token corresponding to the received secret key and transmitting the generated token to the user terminal.

Receiving the secret key may include verifying the digital signature of the received secret key using the second public key and decrypting the signature-verified secret key using the first public key.

The generating of the token may generate a token corresponding to the decrypted secret key, encrypt the generated token using the second public key, sign it using the first private key, and transmit the token to the user terminal.

The method may further include receiving a token transmitted from the user terminal, verifying the signature of the received token using the second public key, decrypting the signature-verified token using the first private key, searching for the secret key corresponding to the decrypted token, and transmitting the secret key to the user terminal.

The step of transmitting the secret key may encrypt the retrieved secret key using the second public key, sign it using the first private key, and transmit the encrypted secret key to the user terminal.

According to one embodiment of the present invention, the secret key used for encryption can be securely protected, thereby preventing leakage of personal information. In addition, the data encryption and secret key management structure can be implemented easily, and a separate encryption and secret key management solution is not required, thereby reducing the cost of encryption and secret key management.

FIG. 1 shows a configuration of a secret key management system according to an embodiment of the present invention.
FIG. 2 shows a token generation method using the secret key management system of FIG. 1.
FIG. 3 illustrates a secret key transmission method using the secret key management system of FIG. 1.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings, which will be readily apparent to those skilled in the art to which the present invention pertains. The present invention may be embodied in many different forms and is not limited to the embodiments described herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and the same reference numerals are used for the same or similar components throughout the specification. In the case of publicly known technologies, detailed description thereof will be omitted.

In this specification, when a part is referred to as "including" an element, it is to be understood that it may also include other elements, rather than excluding them, unless specifically stated otherwise. Also, the terms "part," "module," and the like used in the specification refer to a unit that processes at least one function or operation, and may be implemented by hardware, software, or a combination of hardware and software.

In this specification, 'encryption key' means a key used for data encryption and decryption. Also, 'public key' means a key disclosed for encrypting the 'secret key' based on the Rivest Shamir Adleman (RSA) algorithm, and 'private key' means a key used for decrypting the 'secret key' based on the RSA algorithm.

In this specification, 'data' refers to personal information to be protected from leakage, and includes at least one of, for example, a resident registration number, a card number, financial transaction information, real estate transaction information, medical records and a criminal record.

FIG. 1 shows a configuration of a secret key management system according to an embodiment of the present invention.

The secret key management system 100 of FIG. 1 is connected to the user terminal 200 through a wired or wireless communication network and manages a secret key transmitted from the user terminal 200. According to an embodiment of the present invention, a token corresponding to the secret key transmitted from the user terminal 200 is generated and transmitted to the user terminal 200, and the secret key corresponding to a token transmitted from the user terminal 200 is searched for and transmitted to the user terminal 200.

The secret key management system 100 of FIG. 1 includes a first encryption key generation unit 110, a first database 120, a token generation unit 130, and a secret key management unit 140.

The first encryption key generation unit 110 generates and stores the first public key (KU_TTP) and the first private key (KR_TTP), and transmits the generated first public key (KU_TTP) to the user terminal 200. The first encryption key generation unit 110 may generate the first public key (KU_TTP) and the first private key (KR_TTP) using a random number generator.

The first database 120 stores the first public key (KU_TTP) and the first private key (KR_TTP) generated by the first encryption key generation unit 110, and stores the second public key (KU_user) transmitted from the user terminal 200.

The token generating unit 130 receives the secret key (K_user) transmitted from the user terminal 200, generates a token corresponding to the received secret key (K_user), and transmits the token to the user terminal 200. Here, the secret key (K_user) is the key used for data encryption in the user terminal 200.

The token generating unit 130 includes a first secret key receiving unit 131, a first decryption unit 132, and a first token transmitting unit 133.

The first secret key receiving unit 131 receives the secret key (K_user) transmitted from the user terminal 200 and stores it in the first database 120. At this time, it may further receive user information transmitted from the user terminal 200, or data encrypted with K_user, and store them in the first database 120. According to the embodiment of the present invention, the first secret key receiving unit 131 verifies the digital signature of the secret key (K_user) using the second public key (KU_user) stored in the first database 120.

The first decryption unit 132 decrypts the signature-verified secret key (K_user) using the first private key (KR_TTP).

The first token transmitting unit 133 generates a token corresponding to the decrypted secret key (K_user) and transmits the token to the user terminal 200. According to the embodiment of the present invention, the first token transmitting unit 133 generates a token corresponding to the decrypted secret key (K_user) and encrypts the generated token using the second public key (KU_user). The encrypted token is then signed using the first private key (KR_TTP) and transmitted to the user terminal 200. At this time, the generated token is stored in the first database 120, and the decrypted secret key (K_user) may be encrypted with the first public key (KU_TTP) and stored in the first database 120.

The secret key management unit 140 receives a token transmitted from the user terminal 200, searches for the secret key corresponding to the received token, and transmits the secret key to the user terminal 200.

The secret key management unit 140 includes a first token receiving unit 141, a second decryption unit 142, a secret key searching unit 143, and a first encryption unit 144.

The first token receiving unit 141 receives the token transmitted from the user terminal 200 and verifies the digital signature of the token using the second public key (KU_user).

The second decryption unit 142 decrypts the signature-verified token using the first private key (KR_TTP).

The secret key searching unit 143 searches the first database 120 for the secret key (K_user) corresponding to the decrypted token.

The first encryption unit 144 encrypts the retrieved secret key (K_user) and transmits it to the user terminal 200. According to an embodiment of the invention, the first encryption unit 144 encrypts the retrieved secret key (K_user) using the second public key (KU_user), signs the encrypted secret key using the first private key (KR_TTP), and transmits the signed result to the user terminal 200.

The user terminal 200 of FIG. 1 includes a secret key generation unit 210, a second encryption key generation unit 220, a second database 230, a token request unit 240, a second token receiving unit 250, and a secret key request unit 260. Here, the user terminal 200 is a terminal that handles data to be protected from leakage, and may be, for example, a point-of-sale terminal of a small business owner or a self-employed person.

The secret key generation unit 210 generates a secret key (K_user) for encrypting the data input through the user terminal 200. The secret key generation unit 210 may generate the secret key (K_user) using a random number generator.

The second encryption key generation unit 220 generates and stores the second public key (KU_user) and the second private key (KR_user), and transmits the generated second public key (KU_user) to the secret key management system 100.

The second database 230 stores the second public key (KU_user) and the second private key (KR_user) generated by the second encryption key generation unit 220, and stores the first public key (KU_TTP) transmitted from the secret key management system 100.

The token request unit 240 transmits the secret key used for data encryption to the secret key management system 100, and includes a data receiving unit 241, a second encryption unit 242, and a secret key transmitting unit 243.

The data receiving unit 241 receives data input through the user terminal 200.

The second encryption unit 242 first encrypts the received data using the secret key (K_user), stores the secret key (K_user) used for the encryption in the second database 230, and then encrypts the secret key (K_user) using the first public key (KU_TTP).

The secret key transmitting unit 243 signs the secret key (K_user), encrypted with the first public key (KU_TTP), using the second private key (KR_user), and transmits it to the secret key management system 100.

The second token receiving unit 250 receives the token transmitted from the secret key management system 100, verifies its signature, decrypts it, and stores the decrypted token in the second database 230.

The secret key request unit 260 requests the secret key needed for data decryption from the secret key management system 100 based on the token stored in the second database 230, and includes a second token transmitting unit 261, a second secret key receiving unit 262, and a third decryption unit 263.

The second token transmitting unit 261 encrypts the token stored in the second database 230 using the first public key (KU_TTP), signs it using the second private key (KR_user), and transmits it to the secret key management system 100.

The second secret key receiving unit 262 receives the secret key (K_user) transmitted from the secret key management system 100 after the token has been transmitted through the second token transmitting unit 261, and verifies the digital signature of the received secret key (K_user) using the first public key (KU_TTP).

The third decryption unit 263 decrypts the signature-verified secret key (K_user) using the second private key (KR_user), and decrypts the data using the decrypted secret key (K_user).

FIG. 2 shows a token generation method using the secret key management system of FIG. 1.

First, the secret key used for data encryption is transmitted to the secret key management system 100 through the token request unit 240 of the user terminal 200 (S10). Specifically, a secret key (K_user) is generated through the secret key generation unit 210 (S11). Then the data (Data) is encrypted with the secret key (K_user) generated in step S11 through the second encryption unit 242 (K_user[Data]) (S12), and the secret key (K_user) is encrypted using the first public key (KU_TTP) (KU_TTP[K_user]) (S13). Then the secret key encrypted in step S13 is signed using the second private key (KR_user) through the secret key transmitting unit 243 and transmitted to the secret key management system 100 (KR_user[KU_TTP[K_user]]) (S14).

Then, the secret key management system 100 receives the secret key (K_user) transmitted in step S14 through the token generating unit 130 and generates a token corresponding to the received secret key (K_user) (S20). First, the secret key (K_user) transmitted in step S14 is received through the first secret key receiving unit 131 and its digital signature is verified using the second public key (KU_user) (KU_TTP[K_user]) (S21). Then the secret key (K_user) whose signature was verified in step S21 is decrypted through the first decryption unit 132 (K_user) (S22); in step S22 the secret key (K_user) is decrypted using the first private key (KR_TTP). Then a token (Token) corresponding to the secret key (K_user) decrypted in step S22 is generated through the first token transmitting unit 133 (S23), and the token (Token) generated in step S23 is encrypted using the second public key (KU_user) (KU_user[Token]) (S24). Then the token (Token) encrypted in step S24 is signed using the first private key (KR_TTP) and transmitted to the user terminal 200 (KR_TTP[KU_user[Token]]) (S25).

Thereafter, the user terminal 200 receives and decrypts the token transmitted in step S25 through the second token receiving unit 250, and stores the decrypted token in the second database 230 (S30). More specifically, the token transmitted in step S25 is received and its signature is verified using the first public key (KU_TTP) (KU_user[Token]) (S31). Then the token is decrypted using the second private key (KR_user) and stored in the second database 230 (S32).

FIG. 3 illustrates a secret key transmission method using the secret key management system of FIG. 1.

First, the user terminal 200 transmits the token corresponding to the secret key required for data decryption to the secret key management system 100 through the second token transmitting unit 261 (S110). Specifically, the token stored in the second database 230 is first encrypted using the first public key (KU_TTP) (KU_TTP[Token]) (S111), and the encrypted token is then signed using the second private key (KR_user) and transmitted to the secret key management system 100 (KR_user[KU_TTP[Token]]) (S112).

Then, the secret key management system 100 receives the token transmitted in step S112 through the secret key management unit 140 and transmits the secret key corresponding to the received token to the user terminal 200 (S210). First, the first token receiving unit 141 receives the token transmitted in step S112 and verifies its signature using the second public key (KU_user) (KU_TTP[Token]) (S211). Then the second decryption unit 142 decrypts the token using the first private key (KR_TTP) (S212). In step S213, the secret key searching unit 143 searches the first database 120 for the secret key (K_user) corresponding to the token decrypted in step S212. Then the secret key (K_user) retrieved in step S213 is encrypted using the second public key (KU_user) through the first encryption unit 144 (KU_user[K_user]) (S214), signed using the first private key (KR_TTP), and transmitted to the user terminal 200 (KR_TTP[KU_user[K_user]]) (S215).

Then, the user terminal 200 receives the secret key transmitted in step S215 through the second secret key receiving unit 262 and verifies its signature using the first public key (KU_TTP) (KU_user[K_user]) (S311). Then the secret key received in step S311 is decrypted through the third decryption unit 263 (K_user) (S312), and the data is decrypted using the decrypted secret key (S313).
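The two exchanges of FIG. 2 (S10 to S32) and FIG. 3 (S110 to S313), as an added worked example in Go that is not code from the patent. It assumes RSA-OAEP for every KU[...] encryption, RSA-PSS over SHA-256 for every KR[...] signature, and a 16-byte random token, none of which the specification fixes; the first database holds only KU_TTP[K_user], as the description of unit 133 requires.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the wire form KR_sender[KU_receiver[payload]] used at every step of FIGs. 2 and 3.
type Envelope struct {
	Ciphertext []byte // KU_receiver[payload]
	Signature  []byte // KR_sender over the ciphertext
}

// seal builds KR_self[KU_peer[payload]]; RSA-OAEP and RSA-PSS over SHA-256 are assumptions (the patent names only RSA).
func seal(payload []byte, peerPub *rsa.PublicKey, selfPriv *rsa.PrivateKey) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, payload, nil)
	if err != nil { return Envelope{}, err }
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, selfPriv, crypto.SHA256, digest[:], nil)
	if err != nil { return Envelope{}, err }
	return Envelope{Ciphertext: ct, Signature: sig}, nil
}

// open verifies the peer's signature before decrypting (the order of S21/S22, S31/S32, S211/S212, S311/S312).
func open(env Envelope, peerPub *rsa.PublicKey, selfPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(peerPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil { return nil, err }
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, selfPriv, env.Ciphertext, nil)
}

// KeyManagementSystem is system 100: KR_TTP, the stored KU_user, and first database 120 (token -> KU_TTP[K_user]).
type KeyManagementSystem struct {
	priv    *rsa.PrivateKey
	userPub *rsa.PublicKey
	db      map[string][]byte
}

// IssueToken is step S20: accept KR_user[KU_TTP[K_user]], store the key
// re-encrypted under KU_TTP, and answer with KR_TTP[KU_user[Token]].
func (s *KeyManagementSystem) IssueToken(req Envelope) (Envelope, error) {
	kUser, err := open(req, s.userPub, s.priv)
	if err != nil { return Envelope{}, err }
	token := make([]byte, 16) // token format is unspecified; 16 random bytes assumed
	if _, err := rand.Read(token); err != nil { return Envelope{}, err }
	stored, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.priv.PublicKey, kUser, nil)
	if err != nil { return Envelope{}, err }
	s.db[string(token)] = stored
	return seal(token, s.userPub, s.priv)
}

// ReleaseKey is step S210: accept KR_user[KU_TTP[Token]], look the token up in
// the first database, and answer with KR_TTP[KU_user[K_user]].
func (s *KeyManagementSystem) ReleaseKey(req Envelope) (Envelope, error) {
	token, err := open(req, s.userPub, s.priv)
	if err != nil { return Envelope{}, err }
	stored, ok := s.db[string(token)]
	if !ok { return Envelope{}, fmt.Errorf("unknown token") }
	kUser, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, stored, nil)
	if err != nil { return Envelope{}, err }
	return seal(kUser, s.userPub, s.priv)
}

// RunProtocol plays user terminal 200 against the system above (S10-S30, then S110-S310) and reports
// whether the released key equals K_user and whether a request with an altered signature is refused.
func RunProtocol() (bool, bool, error) {
	ttpPriv, err := rsa.GenerateKey(rand.Reader, 2048) // KR_TTP / KU_TTP
	if err != nil { return false, false, err }
	userPriv, err := rsa.GenerateKey(rand.Reader, 2048) // KR_user / KU_user
	if err != nil { return false, false, err }
	ttp := &KeyManagementSystem{priv: ttpPriv, userPub: &userPriv.PublicKey, db: map[string][]byte{}}
	kUser := make([]byte, 32) // S11: K_user, the user's data-encryption key
	if _, err := rand.Read(kUser); err != nil { return false, false, err }
	req, err := seal(kUser, &ttpPriv.PublicKey, userPriv) // S13-S14
	if err != nil { return false, false, err }
	resp, err := ttp.IssueToken(req) // S20
	if err != nil { return false, false, err }
	token, err := open(resp, &ttpPriv.PublicKey, userPriv) // S31-S32
	if err != nil { return false, false, err }
	keyReq, err := seal(token, &ttpPriv.PublicKey, userPriv) // S111-S112
	if err != nil { return false, false, err }
	keyResp, err := ttp.ReleaseKey(keyReq) // S210
	if err != nil { return false, false, err }
	released, err := open(keyResp, &ttpPriv.PublicKey, userPriv) // S311-S312
	if err != nil { return false, false, err }
	keyMatches := bytes.Equal(released, kUser)
	forged := Envelope{Ciphertext: keyReq.Ciphertext, Signature: append([]byte{}, keyReq.Signature...)}
	forged.Signature[0] ^= 0xff // signature altered in transit: must be refused at S211
	_, err = ttp.ReleaseKey(forged)
	return keyMatches, err != nil, nil
}

func main() {
	ok, rejected, err := RunProtocol()
	fmt.Println("released key equals K_user:", ok, "forged request rejected:", rejected, "error:", err)
}
```

Because open checks the signature against the peer's registered public key before any decryption with the local private key, an envelope from anyone other than the holder of KR_user never reaches the database lookup in ReleaseKey.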

The tokenization-based secret key management system according to an embodiment of the present invention manages the secret key required for data decryption separately, in the secret key management system. The secret key is transmitted only when a request carrying the corresponding token is received from the user terminal, so the user terminal does not need to manage the secret key itself; this prevents leakage during data transmission and storage and improves management efficiency.

The tokenization-based secret key management system according to the embodiment of the present invention can be implemented with a simple structure and can reduce management cost, since the amount of computation to be processed by the user terminal and the secret key management system is small compared to a public key cryptosystem.

While the present invention has been particularly shown and described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, modifications and variations within the scope of the claims also belong to the scope of the invention.

100: secret key management system
110: first encryption key generation unit
120: first database
130: token generating unit
131: first secret key receiving unit
132: first decryption unit
133: first token transmitting unit
140: secret key management unit
141: first token receiving unit
142: second decryption unit
143: secret key searching unit
144: first encryption unit
200: user terminal
210: secret key generation unit
220: second encryption key generation unit
230: second database
240: token request unit
241: data receiving unit
242: second encryption unit
243: secret key transmitting unit
250: second token receiving unit
260: secret key request unit
261: second token transmitting unit
262: second secret key receiving unit
263: third decryption unit

Claims (11)

1. A secret key management system connected to a user terminal through a wired or wireless communication network, the secret key management system comprising:
a token generating unit for receiving a secret key transmitted from the user terminal and generating a token corresponding to the received secret key;
a first database for storing the received secret key and the generated token; and
a secret key management unit for receiving a token transmitted from the user terminal, searching for the secret key corresponding to the received token, and transmitting the secret key to the user terminal.

2. The system of claim 1, further comprising a first encryption key generator for generating a first public key and a first private key and transmitting the generated first public key to the user terminal,
wherein the first database further stores the generated first public key, the first private key, and a second public key transmitted from the user terminal.

3. The system of claim 2, wherein the token generating unit comprises:
a first secret key receiving unit for receiving the secret key transmitted from the user terminal and verifying the digital signature of the received secret key using the second public key;
a first decryption unit for decrypting the signature-verified secret key using the first private key; and
a first token transmitting unit for generating a token corresponding to the decrypted secret key and transmitting the token to the user terminal.

4. The system of claim 3, wherein the first token transmitting unit encrypts the generated token using the second public key, signs the encrypted token using the first private key, and transmits the signed token to the user terminal.

5. The system of claim 2, wherein the token generating unit encrypts the received secret key using the first public key and stores the encrypted secret key in the first database.

6. The system of claim 2, wherein the secret key management unit comprises:
a first token receiving unit for receiving the token transmitted from the user terminal and verifying the digital signature of the received token using the second public key;
a second decryption unit for decrypting the signature-verified token using the first private key;
a secret key search unit for searching for the secret key corresponding to the decrypted token; and
a first encryption unit for encrypting the retrieved secret key using the second public key, signing it using the first private key, and transmitting the signed secret key to the user terminal.

7. A secret key management method using a secret key management system connected to a user terminal through a wired or wireless communication network, the method comprising:
generating a first public key and a first private key;
receiving and storing a second public key from the user terminal;
receiving a secret key transmitted from the user terminal; and
generating a token corresponding to the received secret key and transmitting the generated token to the user terminal.

8. The method of claim 7, wherein receiving the secret key comprises:
verifying the digital signature of the received secret key using the second public key; and
decrypting the signature-verified secret key using the first public key.

9. The method of claim 8, wherein generating the token comprises generating a token corresponding to the decrypted secret key, encrypting the generated token using the second public key, signing the encrypted token using the first private key, and transmitting the token to the user terminal.

10. The method of claim 7, further comprising:
receiving a token transmitted from the user terminal;
verifying the signature of the received token using the second public key;
decrypting the signature-verified token using the first private key; and
searching for the secret key corresponding to the decrypted token and transmitting the secret key to the user terminal.

11. The method of claim 10, wherein transmitting the secret key comprises encrypting the retrieved secret key using the second public key, signing it using the first private key, and transmitting the signed secret key to the user terminal.
Application KR1020160078885A, priority date 2015-06-25, filing date 2016-06-23: Tokenization-based encryption key managemnent sytem and method (published as KR20170001633A)

Applications Claiming Priority (2)

Application Number   Priority Date   Filing Date   Title
KR1020150090624      2015-06-25
KR20150090624        2015-06-25

Publications (1)

Publication Number   Publication Date
KR20170001633A       2017-01-04

Family ID: 57831614

Family Applications (1)

Application Number   Title                                                             Priority Date   Filing Date
KR1020160078885A     Tokenization-based encryption key managemnent sytem and method   2015-06-25      2016-06-23

Country Status (1)

Country   Link
KR        KR20170001633A

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102311996B1 (en) * 2020-04-02 2021-10-13 국민대학교산학협력단 Device and method for anti-forensic unlocking for media files
KR102319709B1 (en) * 2020-04-27 2021-11-02 국민대학교산학협력단 Anti-forensic unlocking device and method based on database encryption



Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application