KR20170087663A - Apparatus for performing on behalf an electronic signature for client terminal and operating method thereof - Google Patents


Publication number
KR20170087663A
Authority
KR
South Korea
Prior art keywords
key
private key
digital signature
client terminal
encrypted
Prior art date
Application number
KR1020160007506A
Other languages
Korean (ko)
Other versions
KR101776635B1 (en)
Inventor
차현성
박동진
이영호
송정수
김진욱
고성호
Original Assignee
주식회사 한컴시큐어
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 한컴시큐어 filed Critical 주식회사 한컴시큐어
Priority to KR1020160007506A priority Critical patent/KR101776635B1/en
Publication of KR20170087663A publication Critical patent/KR20170087663A/en
Application granted granted Critical
Publication of KR101776635B1 publication Critical patent/KR101776635B1/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/10 Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825 Use of electronic signatures
    • G06Q20/3827 Use of message hashing
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

An electronic signature proxy device for a client terminal and an operating method thereof are disclosed. The device issues a private key and a public key for electronic signatures and transmits the public key to a content providing server, divides the private key into a plurality of private key fragments, and distributes and stores the fragments across a plurality of key stores. When an electronic signature proxy request is received from the client terminal, the device combines the private key fragments distributed across the key stores to restore the private key, generates a digital signature value based on the private key, and transmits the digital signature value to the content providing server on behalf of the client terminal. As a result, the private key does not have to be stored on the client terminal, a predetermined program for generating the digital signature value does not have to be installed in the web browser in plug-in form, and the user can easily perform a digital signature anytime and anywhere, from various client terminals, simply by connecting to the electronic signature proxy device for the client terminal.

Description

TECHNICAL FIELD [0001] The present invention relates to an apparatus for performing an electronic signature on behalf of a client terminal, and an operating method thereof.

Embodiments of the present invention are directed to a technique for performing digital signature in response to an electronic signature request of a content providing server accessed through a network.

Recently, with the widespread use of the Internet and the like, the use of electronic payment or online-based banking services is increasing rapidly.

Generally, in an electronic payment or online banking service, a predetermined certificate is first issued to the user's terminal. Then, when the user wants to use the service, the content provider server that provides it receives a digital signature value that the terminal generates through the installed certificate, and performs user authentication.

This user authentication method uses PKI (Public Key Infrastructure) based encryption and decryption. More specifically, when a user accesses a content providing server through his or her client terminal and wants to use an electronic payment or online banking service, the content providing server requests the client terminal to transmit a digital signature value.

At this time, in response to the request for the digital signature value, the client terminal receives the digital signature subject data from the content providing server and encrypts the digital signature subject data with the private key stored in its memory to generate the digital signature value.

The digital signature subject data is mainly a hash value generated by applying a hash function to original text data such as the electronic payment information or the account information.

Then, the client terminal transmits the digital signature subject data and the digital signature value to the content providing server. On receiving them, the content providing server decrypts the digital signature value with the public key, stored on the server, that corresponds to the private key, and if the decryption result matches the digital signature subject data, it determines that the electronic signature was performed by the true user.

Such a user authentication method is widely used in companies providing electronic payment service or online banking service because it can enhance security.

However, for the client terminal to generate a digital signature value, this user authentication method requires a predetermined program for generating the digital signature value to be installed in the web browser in plug-in form, which makes it difficult to use in recently introduced web browsers in which plug-ins cannot be installed.

In particular, in recently introduced web browsers based on HTML (Hyper Text Markup Language) 5, a program cannot be installed in the browser itself in plug-in form, so it is difficult for companies providing electronic payment or online banking services to adopt such a PKI-based user authentication system.

In addition, in the conventional PKI-based user authentication system the private key must be stored on the client terminal, so it is difficult for the user to perform digital signatures from various client terminals, and the user has had the inconvenience of always carrying a portable storage device holding the private key in order to sign.

Accordingly, research is needed on techniques that allow PKI-based user authentication without installing a predetermined program in the web browser in plug-in form and, at the same time, let the user perform an electronic signature anywhere, regardless of the client terminal.

The apparatus for performing an electronic signature on behalf of a client terminal, and its operating method, according to the present invention issue a private key and a public key for electronic signatures and transmit the public key to a content providing server, divide the private key into a plurality of private key fragments, and distribute and store the fragments across a plurality of key stores. When a digital signature proxy request is received from the client terminal, the private key fragments distributed across the key stores are combined to restore the private key, a digital signature value is generated based on the private key, and the digital signature value is transmitted to the content providing server on behalf of the client terminal. The aim is that the private key does not have to be stored on the client terminal, that a predetermined program for generating the digital signature value does not have to be installed in the web browser in plug-in form, and that the user can easily perform a digital signature anytime and anywhere, from various client terminals, simply by connecting to the digital signature proxy execution device for the client terminal.

An apparatus for performing an electronic signature on behalf of a client terminal according to an embodiment of the present invention includes: a plurality of key stores in which a plurality of private key fragments, obtained by dividing a private key into a plurality of data pieces, are distributed and stored; a data receiving unit that, when a content providing server storing a public key corresponding to the private key requests a digital signature from the client terminal and a digital signature proxy request based on the private key is received from the client terminal, receives digital signature subject data from the content providing server; a private key restoring unit that, in response to the digital signature proxy request, extracts the plurality of private key fragments from the plurality of key stores and combines them to restore the private key; a digital signature value generation unit that encrypts the digital signature subject data based on the restored private key to generate a digital signature value; and a digital signature transmission unit that transmits the digital signature subject data and the digital signature value to the content providing server.

According to another aspect of the present invention, a method of operating an apparatus for performing an electronic signature on behalf of a client terminal includes: maintaining a plurality of key stores in which a plurality of private key fragments, obtained by dividing a private key into a plurality of data pieces, are distributed and stored; receiving digital signature subject data from a content providing server when the content providing server, which stores a public key corresponding to the private key, requests a digital signature from the client terminal and a digital signature proxy request based on the private key is received from the client terminal; extracting the plurality of private key fragments from the plurality of key stores in response to the digital signature proxy request and combining them to restore the private key; generating a digital signature value by encrypting the digital signature subject data based on the restored private key; and transmitting the digital signature subject data and the digital signature value to the content providing server.

The apparatus for performing an electronic signature on behalf of a client terminal, and its operating method, according to the present invention issue a private key and a public key for electronic signatures and transmit the public key to a content providing server, divide the private key into a plurality of private key fragments, and distribute and store the fragments across a plurality of key stores. When a digital signature proxy request is received from the client terminal, the private key fragments distributed across the key stores are combined to restore the private key, a digital signature value is generated based on the private key, and the digital signature value is transmitted to the content providing server on behalf of the client terminal. As a result, the private key does not have to be stored on the client terminal, a predetermined program for generating the digital signature value does not have to be installed in the web browser in plug-in form, and the user can easily perform a digital signature anytime and anywhere, from various client terminals, simply by connecting to the digital signature proxy execution device for the client terminal.

FIG. 1 is a system conceptual diagram schematically illustrating an entire system for explaining an electronic signature proxy device for a client terminal according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating an apparatus for performing an electronic signature proxy for a client terminal according to an exemplary embodiment of the present invention.
FIG. 3 is a flowchart illustrating an operation method of an electronic signature proxy device for a client terminal according to an exemplary embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or other elements may be present in between. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no other elements in between.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the related art, and are not to be interpreted in an idealized or overly formal sense unless expressly so defined in the present application.

Hereinafter, embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a system conceptual diagram schematically illustrating an entire system for explaining an electronic signature proxy device for a client terminal according to an embodiment of the present invention.

Referring to FIG. 1, an electronic signature proxy device 110 for a client terminal, a client terminal 120, and a content providing server 130 are illustrated.

Here, the content providing server 130 may be a server capable of providing various contents through a network, such as an electronic payment or online banking service. The client terminal 120 may be a microprocessor-based device, such as a desktop PC, a mobile terminal, a PDA, or a tablet PC, that can connect to the content providing server 130 and transmit and receive data.

Hereinafter, with reference to FIG. 1, the operation of the digital signature proxy execution device 110 for the client terminal will be described in detail, assuming that the client terminal 120 accesses the content providing server 130, which provides an online banking service, and performs a digital signature in the course of an account transfer.

When the client terminal 120 accesses the content providing server 130 and performs an account transfer, the content providing server 130 needs to check whether the user of the client terminal 120 requesting the transfer is the true owner of the account, that is, to perform user authentication for non-repudiation. For this, the content providing server 130 and the client terminal 120 must carry out the digital signature process.

First, in order for the client terminal 120 to proceed with the digital signature to the content providing server 130, the client terminal 120 must perform an initial use registration process for performing digital signature.

In this regard, when the first use registration request for digital signature proxy execution is received from the client terminal 120, the digital signature proxy execution device 110 for the client terminal generates a private key to be used for the digital signature and a public key corresponding to the private key, and requests from the client terminal 120 a password to be used in encrypting the private key.

At this time, the client terminal 120 can display a password input window for initial use registration on the screen, and the user can input his or her own password into the password input window. Accordingly, the client terminal 120 may transmit the password to the digital signature agent 110 for the client terminal.

When the password is received from the client terminal 120, the digital signature proxy execution device 110 for the client terminal encrypts the password based on a predetermined encryption key to generate a secret key, and can store the secret key in a secret key storage unit.

Then, the digital signature proxy execution device 110 for the client terminal generates a random key composed of random data and encrypts the secret key with the random key, so that an authentication key for encrypting the private key can be generated.

At this time, the digital signature proxy execution device 110 for the client terminal divides the random key into a plurality of data pieces to generate a plurality of random key fragments, and can distribute and store the random key fragments across a plurality of key stores.

Here, as the method of dividing the random key into the plurality of random key fragments, the data constituting the random key may simply be divided into units of a specific data size, or the random key may be divided using locally repairable codes, which allow partial recovery; various other data division methods can also be used.

Thereafter, the digital signature proxy execution device 110 for the client terminal can encrypt the private key based on the authentication key to generate an encrypted private key, and can divide the encrypted private key into a plurality of data pieces to generate a plurality of private key fragments.

Here, as the method of dividing the encrypted private key into the plurality of private key fragments, the data constituting the encrypted private key may simply be divided into units of a specific data size, or the encrypted private key may be divided using locally repairable codes, which allow partial recovery.

Then, the digital signature proxy execution device 110 for the client terminal may distribute and store the plurality of private key fragments across the plurality of key stores and transmit the public key to the content providing server 130, thereby completing the first use registration for the user of the client terminal 120.

After the first use registration for digital signatures is completed, suppose the user of the client terminal 120 accesses the content providing server 130 and performs an account transfer, so that the content providing server 130 requests a digital signature from the client terminal 120. When a digital signature proxy request based on the previously issued private key is then received from the client terminal 120, the digital signature proxy execution device 110 for the client terminal can receive the digital signature subject data from the content providing server 130 and can request the client terminal 120 to transmit a password for decrypting the encrypted private key.

Here, the digital signature subject data includes a hash value generated by applying transfer information for the account transfer, such as the account information of the user of the client terminal 120, the transfer amount, the sender information and the recipient information, to a predetermined hash function.

That is, the content providing server 130 generates a hash value by applying a predetermined hash function to the transfer information, and transmits the hash value to the digital signature proxy execution device 110 for the client terminal as the digital signature subject data.

At this time, the client terminal 120 may display a password input window for the digital signature on the screen in response to the password transmission request, so that the user can input the same password as was entered at the first use registration, and the client terminal 120 may then transmit the password to the digital signature proxy execution device 110 for the client terminal.

When the password is received from the client terminal 120, the digital signature proxy execution device 110 for the client terminal encrypts the password using the same encryption key as the predetermined encryption key used for the first use registration, to generate an encrypted value.

Then, the digital signature proxy execution device 110 for the client terminal extracts the secret key from the secret key storage unit and compares the encrypted value with the secret key to determine whether they match.

If it is determined that the encrypted value and the secret key match, the digital signature proxy execution device 110 for the client terminal completes use authentication for the client terminal 120, extracts the plurality of random key fragments distributed across the plurality of key stores, and combines them to restore the random key.

In addition, the digital signature proxy execution device 110 for the client terminal may generate the authentication key for decrypting the encrypted private key by encrypting the encrypted value with the restored random key.

When generation of the authentication key for decrypting the encrypted private key is completed, the digital signature proxy execution device 110 for the client terminal extracts the plurality of private key fragments distributed across the plurality of key stores, and can combine them to restore the encrypted private key.

Then, the digital signature proxy execution device 110 for the client terminal decrypts the encrypted private key using the authentication key, and can generate the digital signature value by encrypting the digital signature subject data based on the decrypted private key.

When generation of the digital signature value is completed, the digital signature proxy execution device 110 for the client terminal can transmit the digital signature subject data and the digital signature value to the content providing server 130.

At this time, when the digital signature subject data and the digital signature value are received from the digital signature proxy execution device 110 for the client terminal, the content providing server 130 decrypts the digital signature value based on the public key stored in the content providing server 130, and if the decrypted digital signature value and the received digital signature subject data are determined to match, it can complete authentication of the client terminal 120 and execute the account transfer.

As a result, the digital signature proxy execution device 110 for the client terminal according to the present invention issues a private key and a public key for digital signatures, transmits the public key to the content providing server 130, divides the private key into a plurality of private key fragments, and distributes and stores them across the plurality of key stores. When a digital signature proxy request is received from the client terminal 120, it combines the private key fragments distributed across the key stores to restore the private key, generates a digital signature value based on the private key, and transmits the digital signature value to the content providing server 130 on behalf of the client terminal 120. Consequently, the private key does not have to be stored on the client terminal 120, a predetermined program for generating the digital signature value does not have to be installed in the web browser of the client terminal 120 in plug-in form, and the user can easily perform a digital signature anytime and anywhere, from various client terminals, simply by connecting to the digital signature proxy execution device 110 for the client terminal.
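The registration and recovery chain walked through above (password → secret key → authentication key → encrypted private key → fragments in several key stores), as an added example that is not code from the patent or its assignee. Assumptions: HMAC-SHA256 stands in for both "encrypt with a key" steps, a small HMAC-based stream cipher with an integrity tag stands in for the private key encryption so the block needs only the standard library, the private key is opaque constructed bytes, and the class and function names are hypothetical. The final signing step with the recovered key is left out.

```python
import hashlib
import hmac
import secrets


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(key, nonce, length):
    # Stand-in keystream (assumption): HMAC-SHA256 in counter mode.
    blocks = (_mac(key, nonce + i.to_bytes(4, "big")) for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for 'encrypt the private key with the authentication key'."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _stream(_mac(key, b"enc"), nonce, len(plaintext))))
    return nonce + body + _mac(_mac(key, b"mac"), nonce + body)


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + body)):
        raise ValueError("encrypted private key failed its integrity check")
    return bytes(c ^ k for c, k in zip(body, _stream(_mac(key, b"enc"), nonce, len(body))))


def split(data, n):
    """The page's simple method: cut the data into n units of a fixed size."""
    size = -(-len(data) // n)
    return [data[i * size:(i + 1) * size] for i in range(n)]


class SignatureProxy:
    """Hypothetical model of device 110: one secret-key store plus n key stores."""

    def __init__(self, store_count=4):
        self.server_key = secrets.token_bytes(32)   # the "predetermined encryption key"
        self.secret_keys = {}                       # secret key storage unit
        self.key_stores = [dict() for _ in range(store_count)]

    def _secret_key(self, password):
        # Keyed transform of the password (HMAC is an assumption, see lead-in).
        return _mac(self.server_key, password.encode())

    def register(self, user, password, private_key):
        secret_key = self._secret_key(password)
        self.secret_keys[user] = secret_key
        random_key = secrets.token_bytes(32)
        auth_key = _mac(random_key, secret_key)     # secret key "encrypted" with random key
        encrypted = seal(auth_key, private_key)
        n = len(self.key_stores)
        for store, rk, pk in zip(self.key_stores, split(random_key, n), split(encrypted, n)):
            store[user] = {"random_key": rk, "private_key": pk}

    def recover_private_key(self, user, password):
        candidate = self._secret_key(password)
        # Use authentication: the value derived from the password must equal the stored secret key.
        if not hmac.compare_digest(candidate, self.secret_keys.get(user, b"")):
            raise PermissionError("password does not match the registered secret key")
        try:
            parts = [store[user] for store in self.key_stores]
        except KeyError:
            raise ValueError("a key store is missing this user's fragments") from None
        random_key = b"".join(p["random_key"] for p in parts)
        encrypted = b"".join(p["private_key"] for p in parts)
        # A lost or altered fragment changes the key or the ciphertext, so unseal() rejects it.
        return unseal(_mac(random_key, candidate), encrypted)


if __name__ == "__main__":
    proxy = SignatureProxy()
    sample_key = b"CONSTRUCTED-SAMPLE-PRIVATE-KEY-BYTES-" * 3   # constructed, not a real key
    proxy.register("alice", "correct horse", sample_key)
    print(proxy.recover_private_key("alice", "correct horse") == sample_key)
```

In this model the stored secret key and the random key fragments together determine the authentication key, so the secret key storage unit and the key stores need separate access control for the split to add protection.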

FIG. 2 is a block diagram illustrating an apparatus for performing an electronic signature proxy for a client terminal according to an exemplary embodiment of the present invention.

Referring to FIG. 2, an electronic signature proxy execution apparatus 210 for a client terminal according to an exemplary embodiment of the present invention includes a plurality of key stores 201, 202, 203 and 204, a data receiving unit 211, a private key restoring unit 212, a digital signature value generating unit 213, and an electronic signature transmitting unit 214.

A plurality of private key fragments are distributed and stored in the plurality of key stores 201, 202, 203 and 204.

Here, the plurality of private key fragments are the pieces obtained by dividing the private key into a plurality of data pieces.

When the content providing server 240, which stores the public key corresponding to the private key, requests a digital signature from the client terminal 230 and a digital signature proxy request based on the private key is received from the client terminal 230, the data receiving unit 211 receives the digital signature subject data from the content providing server 240.

The private key restoring unit 212 extracts the plurality of private key pieces from the plurality of key stores 201, 202, 203, and 204 in response to the digital signature substitution request, combines the plurality of private key pieces, Restore the private key.

The digital signature value generator 213 encrypts the digital signature subject data based on the restored private key to generate an electronic signature value.

The digital signature transmitting unit 214 transmits the digital signature subject data and the digital signature value to the contents providing server 240.

In this case, according to an embodiment of the present invention, when the digital signature subject data and the digital signature value are received, the content providing server 240 decrypts the digital signature value based on the public key, When it is determined that the signature value and the received digital signature subject data coincide with each other, the authentication for the client terminal 230 can be completed.

Also, according to an embodiment of the present invention, the plurality of private key pieces may be one in which the encrypted private key generated by encrypting the private key is divided into a plurality of data pieces. At this time, when the digital signature subscription request based on the private key is received from the client terminal 230, the data receiving unit 211 receives the digital signature subject data from the contents providing server 240 and simultaneously transmits the digital signature subject data to the client terminal 230 The private key restoring unit 212 may receive a password for decrypting the encrypted private key from the plurality of key stores 201, 202, 203, and 204 in response to the electronic signature substitution request, After extracting the plurality of private key fragments, the encrypted private key may be reconstructed by combining the plurality of private key fragments. The digital signature value generation unit 213 decrypts the encrypted private key based on the secret key And encrypt the digital signature subject data based on the decrypted private key to generate the digital signature value.

According to an embodiment of the present invention, an electronic signature proxy execution device 210 for a client terminal includes a use registration processor 215, a secret key generator 216, an authentication key generator 217, a private key division unit 218, and a key processing unit 219.

When an initial use registration request for performing an electronic signature substitution is received from the client terminal 230, the use registration processor 215 generates the private key and the public key corresponding to the private key, and requests from the client terminal 230 the password to be used in encrypting the private key.

When the password is received from the client terminal 230, the secret key generation unit 216 encrypts the password based on the selected encryption key to generate the secret key, and stores the secret key in the secret key storage unit (not shown).

The authentication key generation unit 217 generates a random key composed of random data, and then encrypts the secret key with the random key to generate an authentication key for encrypting the private key.

The private key division unit 218 encrypts the private key based on the authentication key to generate the encrypted private key, and divides the encrypted private key into the plurality of private key fragments.

The key processing unit 219 distributes and stores the plurality of private key pieces in the plurality of key stores 201, 202, 203, and 204, and transmits the public key to the contents providing server 240.

In this case, according to an embodiment of the present invention, the digital signature proxy execution device 210 for the client terminal may further include a random key storage unit 220.

The random key storage unit 220 divides the random key into a plurality of data pieces to generate a plurality of random key pieces, and then distributes and stores the plurality of random key pieces in the plurality of key stores 201, 202, 203, and 204.

According to an embodiment of the present invention, an electronic signature proxy execution device 210 for a client terminal includes a password encryption unit 221, a usage authentication unit 222, a random key recovery unit 223, and a decryption authentication key generation unit 224.

When the password for decrypting the encrypted private key is received from the client terminal 230 together with the digital signature substitution request, the password encryption unit 221 encrypts the password received from the client terminal 230 based on the selected encryption key to generate an encrypted value.

The usage authentication unit 222 extracts the secret key from the secret key storage unit, compares the encrypted value with the secret key, and, if the encrypted value matches the secret key, completes the use authentication for the client terminal 230.

When the use authentication for the client terminal 230 is completed, the random key recovery unit 223 extracts the plurality of random key fragments from the plurality of key stores 201, 202, 203, and 204, and combines the plurality of random key fragments to recover the random key.

The decryption authentication key generation unit 224 generates the authentication key for decrypting the encrypted private key by performing encryption using the recovered random key with respect to the encrypted value.

In this case, according to an embodiment of the present invention, when the generation of the authentication key for decrypting the encrypted private key is completed, the private key restoring unit 212 extracts the plurality of private key fragments from the plurality of key stores 201, 202, 203, and 204 in response to the digital signature substitution request, and combines the plurality of private key fragments to recover the encrypted private key.

Then, the digital signature value generator 213 decrypts the encrypted private key using the authentication key, and encrypts the digital signature subject data based on the decrypted private key to generate the digital signature value.

The digital signature proxy execution device 210 for a client terminal according to an embodiment of the present invention has been described above with reference to FIG. 2. Here, the digital signature proxy execution device 210 for a client terminal according to an embodiment of the present invention may correspond to the configuration of the digital signature proxy execution device 110 for the client terminal described with reference to FIG. 1, and therefore a detailed description thereof will be omitted.

FIG. 3 is a flowchart illustrating an operation method of an electronic signature proxy device for a client terminal according to an exemplary embodiment of the present invention.

In step S310, a plurality of key stores in which a plurality of private key pieces are distributed and stored are maintained.

Here, the plurality of private key pieces mean that the private key is divided into a plurality of data pieces.

In step S320, when a content providing server storing a public key corresponding to the private key requests a digital signature from the client terminal and an electronic signature substitution request based on the private key is received from the client terminal, digital signature subject data is received from the contents providing server.

In step S330, the plurality of private key fragments are extracted from the plurality of key stores in response to the digital signature substitution request, and the private key is recovered by combining the plurality of private key fragments.

In step S340, the digital signature subject data is encrypted based on the restored private key to generate an electronic signature value.

In step S350, the digital signature subject data and the digital signature value are transmitted to the contents providing server.

According to an embodiment of the present invention, when the digital signature subject data and the digital signature value are received, the content providing server decrypts the digital signature value based on the public key and, when it is determined that the decrypted digital signature value and the received digital signature subject data match each other, can complete authentication of the client terminal.

Also, according to an embodiment of the present invention, the plurality of private key pieces may be the encrypted private key, generated by encrypting the private key, divided into a plurality of data pieces. In this case, in step S320, when the electronic signature substitution request based on the private key is received from the client terminal, the digital signature subject data is received from the contents providing server and a password for decrypting the encrypted private key is received from the client terminal. In step S330, the plurality of private key fragments are extracted from the plurality of key stores in response to the digital signature substitution request, and the plurality of private key fragments are combined to recover the encrypted private key. In step S340, the encrypted private key is decrypted based on the password, and the digital signature subject data is encrypted based on the decrypted private key, so that the digital signature value can be generated.

According to an embodiment of the present invention, the operation method of the electronic signature proxy execution device for a client terminal may further include: when an initial use registration request for performing an electronic signature proxy is received from the client terminal, generating the private key and the public key corresponding to the private key and requesting from the client terminal the password to be used for encrypting the private key; when the password is received from the client terminal, encrypting the password based on a selected encryption key to generate a secret key and storing the secret key in a secret key storage unit; generating a random key composed of random data and encrypting the secret key with the random key to generate an authentication key for encrypting the private key; encrypting the private key based on the authentication key to generate the encrypted private key and dividing the encrypted private key into the plurality of private key fragments; and distributing and storing the plurality of private key fragments in the plurality of key stores and transmitting the public key to the content providing server.

According to an embodiment of the present invention, the operation method of the digital signature proxy execution device for a client terminal may further include dividing the random key into a plurality of data pieces to generate a plurality of random key pieces, and distributing and storing the plurality of random key pieces in the plurality of key stores.

In this case, according to an embodiment of the present invention, the operation method of the electronic signature proxy execution device for the client terminal may further include: when the password for decrypting the encrypted private key is received from the client terminal together with the digital signature proxy request, generating an encrypted value by encrypting the password received from the client terminal based on the selected encryption key; extracting the secret key from the secret key storage unit, comparing the encrypted value with the secret key, and completing use authentication for the client terminal when the encrypted value matches the secret key; when the use authentication for the client terminal is completed, extracting the plurality of random key pieces from the plurality of key stores and combining the plurality of random key pieces to restore the random key; and generating the authentication key for decrypting the encrypted private key by encrypting the encrypted value with the recovered random key.

According to an embodiment of the present invention, in step S330, when the generation of the authentication key for decrypting the encrypted private key is completed, the plurality of private key fragments are extracted from the plurality of key stores in response to the digital signature substitution request, and the encrypted private key may then be recovered by combining the plurality of private key fragments. In step S340, the encrypted private key is decrypted using the authentication key, and the digital signature subject data is encrypted based on the decrypted private key to generate the digital signature value.
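The registration flow (units 215 to 220) and the signing-time recovery flow (units 221 to 224, 212 and 213) described above, together with the corresponding method steps, as an added Python sketch that is not code from the patent. HMAC-SHA256 and an HMAC-based encrypt-then-MAC construction stand in for the ciphers the text leaves unspecified; `DEVICE_KEY`, `SigningProxy` and the other names are assumptions, and the private key is a constructed byte string rather than a real key pair.

```python
import hashlib
import hmac
import secrets

# Assumption: stands in for the device's "selected encryption key" (constructed value).
DEVICE_KEY = bytes(range(32))


def keyed(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, a stand-in for the text's 'encrypt <data> with <key>' steps."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks."""
    blocks = (keyed(key, nonce + i.to_bytes(4, "big")) for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an authenticated cipher such as AES-GCM."""
    nonce = secrets.token_bytes(16)
    stream = keystream(keyed(key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + keyed(keyed(key, b"mac"), body)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; fails if any piece or the key is wrong."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, keyed(keyed(key, b"mac"), body)):
        raise ValueError("pieces or authentication key do not match")
    nonce, ciphertext = body[:16], body[16:]
    stream = keystream(keyed(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def split(data: bytes, n: int) -> list:
    """Divide data into n contiguous pieces, as the text describes (no threshold)."""
    size = -(-len(data) // n)
    return [data[i * size:(i + 1) * size] for i in range(n)]


class SigningProxy:
    """Hypothetical model of device 210 with in-memory key stores 201-204."""

    def __init__(self, n_stores: int = 4):
        self.key_stores = [dict() for _ in range(n_stores)]
        self.secret_key_store = {}  # the "secret key storage unit"

    def register(self, user: str, password: str, private_key: bytes) -> None:
        # Unit 216: secret key = password encrypted with the selected key.
        secret_key = keyed(DEVICE_KEY, password.encode())
        self.secret_key_store[user] = secret_key
        # Unit 217: authentication key = secret key encrypted with a random key.
        random_key = secrets.token_bytes(32)
        auth_key = keyed(random_key, secret_key)
        # Unit 218: encrypt the private key, then divide the ciphertext.
        encrypted_private_key = seal(auth_key, private_key)
        n = len(self.key_stores)
        pieces = zip(self.key_stores, split(encrypted_private_key, n), split(random_key, n))
        # Units 219 and 220: one private key piece and one random key piece per store.
        for store, key_piece, random_piece in pieces:
            store[user] = {"private_key_piece": key_piece, "random_key_piece": random_piece}

    def recover_private_key(self, user: str, password: str) -> bytes:
        # Unit 221: recompute the encrypted value from the submitted password.
        encrypted_value = keyed(DEVICE_KEY, password.encode())
        # Unit 222: use authentication against the stored secret key.
        if not hmac.compare_digest(encrypted_value, self.secret_key_store[user]):
            raise PermissionError("use authentication failed")
        # Unit 223: recombine the random key pieces.
        random_key = b"".join(s[user]["random_key_piece"] for s in self.key_stores)
        # Unit 224: regenerate the authentication key.
        auth_key = keyed(random_key, encrypted_value)
        # Units 212 and 213: recombine the ciphertext pieces and decrypt.
        encrypted_private_key = b"".join(s[user]["private_key_piece"] for s in self.key_stores)
        return unseal(auth_key, encrypted_private_key)


if __name__ == "__main__":
    proxy = SigningProxy()
    key = b"constructed-private-key-material"  # constructed sample, not a real key
    proxy.register("alice", "correct horse", key)
    print(proxy.recover_private_key("alice", "correct horse") == key)
```

Recovery needs every store to return its piece, because the division is a plain split with no threshold. With one device-wide key, as assumed here, equal passwords produce equal stored secret keys.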

The operation of the digital signature proxy device for the client terminal according to the embodiment of the present invention has been described above with reference to FIG. Here, the operation method of the digital signature proxy execution device for a client terminal according to an embodiment of the present invention may correspond to the operation of the digital signature proxy execution devices 110 and 210 for the client terminal described with reference to FIGS. 1 and 2, and therefore a detailed description thereof will be omitted.

The method for operating the digital signature proxy device for a client terminal according to an exemplary embodiment of the present invention may be implemented by a computer program stored in a storage medium for execution through a combination with a computer.

In addition, the method of operating the digital signature proxy device for a client terminal according to an exemplary embodiment of the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the present invention or may be known and available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media such as floptical disks; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

As described above, the present invention has been described with reference to specific matters, such as specific elements, and to particular embodiments and drawings. However, it should be understood that the present invention is not limited to the above-described embodiments, and various modifications and changes may be made thereto by those skilled in the art to which the present invention pertains.

Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described, and the following claims, as well as everything equal or equivalent to the claims, belong to the scope of the present invention.

110: Digital signature proxy execution device for client terminal
120: Client terminal 130: Content providing server
210: Digital signature proxy execution device for client terminal
201, 202, 203, 204: Plurality of key stores
211: Data receiving unit 212: Private key restoring unit
213: Digital signature value generator 214: Digital signature transmitting unit
215: Use registration processor 216: Secret key generator
217: Authentication key generation unit 218: Private key division unit
219: Key processing unit 220: Random key storage unit
221: Password encryption unit 222: Usage authentication unit
223: Random key recovery unit 224: Decryption authentication key generation unit
230: Client terminal
240: Content providing server

Claims (16)

An electronic signature proxy execution device for a client terminal, comprising:
A plurality of key stores in which a plurality of private key fragments, obtained by dividing a private key into a plurality of data fragments, are distributed and stored;
A data receiving unit for receiving digital signature subject data from a content providing server when the content providing server, which stores a public key corresponding to the private key, requests an electronic signature from the client terminal and an electronic signature substitution request based on the private key is received from the client terminal;
A private key recovery unit for extracting the plurality of private key fragments from the plurality of key stores corresponding to the digital signature substitution request, and restoring the private key by combining the plurality of private key fragments;
An electronic signature value generation unit for generating an electronic signature value by encrypting the digital signature subject data based on the restored private key; and
An electronic signature transmission unit for transmitting the digital signature subject data and the digital signature value to the contents providing server.
The device according to claim 1,
Wherein the content providing server,
When the digital signature subject data and the digital signature value are received, decrypts the digital signature value based on the public key and, if it is determined that the decrypted digital signature value and the received digital signature subject data coincide with each other, completes the authentication for the client terminal.
The device according to claim 1,
The plurality of private key pieces
The encrypted private key generated by encrypting the private key is divided into a plurality of data pieces,
The data receiving unit
When receiving the electronic signature substitution request based on the private key from the client terminal, receiving the digital signature subject data from the contents providing server and additionally receiving a password for decrypting the encrypted private key from the client terminal,
The private key restoring unit
Extracting the plurality of private key fragments from the plurality of key stores corresponding to the digital signature substitution request, combining the plurality of private key fragments to recover the encrypted private key,
The digital signature value generation unit
And decrypting the encrypted private key based on the password and encrypting the digital signature subject data based on the decrypted private key to generate the digital signature value.
The device of claim 3, further comprising:
A use registration processing unit for generating the private key and a public key corresponding to the private key when an initial use registration request for performing an electronic signature substitution is received from the client terminal, and requesting from the client terminal the password to be used in encrypting the private key;
A secret key generation unit for generating a secret key by encrypting the password based on a predetermined encryption key and storing the secret key in a secret key storage unit when the password is received from the client terminal;
An authentication key generation unit for generating a random key composed of random data and generating an authentication key for encrypting the private key by performing encryption using the random key for the secret key;
A private key division unit for encrypting the private key based on the authentication key to generate the encrypted private key, and dividing the encrypted private key into the plurality of private key fragments; and
A key processing unit for distributively storing the plurality of private key pieces in the plurality of key stores, and transmitting the public key to the contents providing server.
5. The device of claim 4, further comprising:
A random key storage unit for dividing the random key into a plurality of data pieces to generate a plurality of random key pieces and distributing and storing the plurality of random key pieces in the plurality of key stores.
6. The device of claim 5, further comprising:
A password encryption unit for generating an encrypted value by encrypting the password received from the client terminal based on the selected encryption key when the password for decrypting the encrypted private key is received from the client terminal together with the digital signature substitution request;
A usage authentication unit for extracting the secret key from the secret key storage unit and comparing the encrypted value with the secret key to complete use authentication for the client terminal when the encrypted value matches the secret key;
A random key restoring unit for extracting the plurality of random key fragments from the plurality of key stores and restoring the random key by combining the plurality of random key fragments when the use authentication for the client terminal is completed; and
A decryption authentication key generation unit for generating the authentication key for decrypting the encrypted private key by performing encryption using the recovered random key for the encrypted value.
The device according to claim 6,
Wherein the private key restoring unit,
When the generation of the authentication key for decrypting the encrypted private key is completed, extracts the plurality of private key fragments from the plurality of key stores in response to the digital signature substitution request, and combines the plurality of private key fragments to recover the encrypted private key,
And the digital signature value generation unit
Decrypts the encrypted private key using the authentication key, and encrypts the digital signature subject data based on the decrypted private key to generate the digital signature value.
An operation method of an electronic signature proxy execution device for a client terminal, the method comprising:
Maintaining a plurality of key stores in which a plurality of private key fragments, obtained by dividing a private key into a plurality of data fragments, are distributed and stored;
Receiving digital signature subject data from a content providing server when the content providing server, which stores a public key corresponding to the private key, requests an electronic signature from the client terminal and an electronic signature substitution request based on the private key is received from the client terminal;
Extracting the plurality of private key fragments from the plurality of key stores corresponding to the digital signature substitution request, and restoring the private key by combining the plurality of private key fragments;
Encrypting the digital signature subject data based on the restored private key to generate an electronic signature value; and
Transmitting the digital signature subject data and the digital signature value to the contents providing server.
9. The method of claim 8,
The content providing server
When the digital signature subject data and the digital signature value are received, decrypting the digital signature value based on the public key, and if it is determined that the decrypted digital signature value and the received digital signature subject data coincide with each other, completing the authentication for the client terminal.
9. The method of claim 8,
The plurality of private key pieces
The encrypted private key generated by encrypting the private key is divided into a plurality of data pieces,
The step of receiving the digital signature subject data
When receiving the electronic signature substitution request based on the private key from the client terminal, receiving the digital signature subject data from the contents providing server and additionally receiving a password for decrypting the encrypted private key from the client terminal,
The step of restoring the private key
Extracting the plurality of private key fragments from the plurality of key stores corresponding to the digital signature substitution request, combining the plurality of private key fragments to recover the encrypted private key,
The step of generating the digital signature value
And decrypting the encrypted private key based on the password and encrypting the digital signature subject data based on the decrypted private key to generate the digital signature value.
11. The method of claim 10, further comprising:
Generating the private key and a public key corresponding to the private key when an initial use registration request for performing an electronic signature substitution is received from the client terminal, and requesting from the client terminal the password to be used in encrypting the private key;
Generating a secret key by encrypting the password based on a predetermined encryption key and storing the secret key in a secret key storage unit when the password is received from the client terminal;
Generating a random key composed of random data and generating an authentication key for encrypting the private key by performing encryption using the random key for the secret key;
Encrypting the private key based on the authentication key to generate the encrypted private key, and partitioning the encrypted private key into the plurality of private key fragments; and
Distributing and storing the plurality of private key fragments in the plurality of key stores, and transmitting the public key to the contents providing server.
12. The method of claim 11, further comprising:
Dividing the random key into a plurality of data pieces to generate a plurality of random key fragments, and distributing and storing the plurality of random key fragments in the plurality of key stores.
13. The method of claim 12, further comprising:
Generating an encrypted value by encrypting the password received from the client terminal based on the selected encryption key when the password for decrypting the encrypted private key is received from the client terminal together with the digital signature substitution request;
Extracting the secret key from the secret key storage unit, comparing the encrypted value with the secret key, and completing use authentication for the client terminal if the encrypted value matches the secret key;
Extracting the plurality of random key fragments from the plurality of key stores and reconstructing the random key by combining the plurality of random key fragments when the use authentication for the client terminal is completed; and
Generating the authentication key for decrypting the encrypted private key by performing encryption with the recovered random key for the encrypted value.
14. The method of claim 13,
Wherein the step of restoring the private key comprises,
When the generation of the authentication key for decrypting the encrypted private key is completed, extracting the plurality of private key fragments from the plurality of key stores in response to the digital signature substitution request, and combining the plurality of private key fragments to recover the encrypted private key,
And the step of generating the digital signature value comprises
Decrypting the encrypted private key using the authentication key and then encrypting the digital signature subject data based on the decrypted private key to generate the digital signature value.
A computer-readable recording medium recording a program for performing the method of any one of claims 8 to 14.
15. A computer program stored in a storage medium for executing the method of any one of claims 8 to 14 through a combination with a computer.
KR1020160007506A 2016-01-21 2016-01-21 Apparatus for performing on behalf an electronic signature for client terminal and operating method thereof KR101776635B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160007506A KR101776635B1 (en) 2016-01-21 2016-01-21 Apparatus for performing on behalf an electronic signature for client terminal and operating method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020160007506A KR101776635B1 (en) 2016-01-21 2016-01-21 Apparatus for performing on behalf an electronic signature for client terminal and operating method thereof

Publications (2)

Publication Number Publication Date
KR20170087663A true KR20170087663A (en) 2017-07-31
KR101776635B1 KR101776635B1 (en) 2017-09-11

Family

ID=59418993

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020160007506A KR101776635B1 (en) 2016-01-21 2016-01-21 Apparatus for performing on behalf an electronic signature for client terminal and operating method thereof

Country Status (1)

Country Link
KR (1) KR101776635B1 (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3793042B2 (en) 2001-05-14 2006-07-05 日本電信電話株式会社 Electronic signature proxy method, apparatus, program, and recording medium
JP6045018B2 (en) * 2012-05-07 2016-12-14 日本電気株式会社 Electronic signature proxy server, electronic signature proxy system, and electronic signature proxy method

Also Published As

Publication number Publication date
KR101776635B1 (en) 2017-09-11

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant