KR20170096691A - Key management method using self-extended certification - Google Patents
- Publication number
- KR20170096691A
- Authority
- KR
- South Korea
- Prior art keywords
- certificate
- user
- key
- management server
- key management
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Description
The present invention relates to a key management method using self-extended authentication, and more particularly, to a key management method in which a self-extended certificate is issued to an additional device through a key management server, so that an additional device that has not been issued a certificate directly by a certification authority can provide user authentication to an external device.
In a ubiquitous environment where a user uses a plurality of owned devices (computing devices such as desktops, notebooks, smartphones, and tablet PCs), it is very difficult to securely use and manage certificates issued by a certification authority. Specifically, the common approach to using a certified key on a device owned by the user is to generate a public and private key pair, store the private key securely in the device, submit the public key to the certification authority, and have the certification authority issue a certificate. If a user uses multiple owned devices, how to install the user's authentication key on each owned device and how to provide user authentication to external devices become very important.
First, one may consider a method in which the user has a certificate issued to only one of the owned devices and copies the authentication key (i.e., the public key and the private key that have been certified by the certification authority) to the other owned devices. However, this method transmits the private key outside the device over a communication channel, so the key is easily stolen by an external attacker. In addition, if the private key is stolen from one owned device, it can no longer be used on any of the other owned devices. Moreover, when a key pair is generated inside a hardware security module such as a smart card, a Trusted Platform Module (TPM), a Universal Subscriber Identity Module (USIM), or a Near Field Communication (NFC) chip and a certificate is issued for it, the private key cannot be copied out of the hardware security module, so the method of copying the authentication key to another owned device cannot be applied.
Next, one may consider a method in which the certification authority issues a separate certificate to each owned device. In this case, however, the user has to go through the certificate issuing process as many times as the number of owned devices. In addition, the several issued certificates and their devices must be managed separately, and as the number of owned devices increases it may become very difficult to manage all of them securely. Furthermore, if a device is lost or damaged, the user must apply to the certification authority for certificate revocation and the certification authority must issue a certificate revocation list, which is complicated and troublesome for both the user and the certification authority.
There is much criticism of the public authentication system in Korea. The main criticisms are that non-standard add-on programs such as ActiveX must be installed in the browser, that it depends on specific browsers, and that it is vulnerable to various hacking attacks because it is difficult to store and use the private key safely. To solve this problem, approaches such as FIDO (Fast IDentity Online), which uses biometric technology and stores an authentication key in a smartphone equipped with a USIM to substitute for a password, have been researched and developed. However, since it is not a certificate-based system, a fundamental countermeasure regarding the distribution of the authentication key to a plurality of owned devices still needs to be established.
In other words, no systematic way to securely and efficiently manage an authentication key in a ubiquitous environment where a user uses a plurality of owned devices has been proposed so far. It is therefore necessary to provide a technical basis that allows a user to directly distribute an authentication key to a plurality of owned devices, conveniently manage those devices, and provide user authentication to external devices.
On the other hand, Non-Patent Document 1 discloses a scheme for enabling user authentication on a plurality of devices owned by the user. Specifically, according to Non-Patent Document 1, a user-owned key management server holding the user's certificate and private key issues an extended authentication signature to the user's other owned devices, thereby enabling those devices to provide user authentication. However, since the key management server disclosed in Non-Patent Document 1 holds the authentication key (in particular, the user's private key certified by the certification authority), it is expected to become a target of concentrated attack by external attackers, and it is very difficult for a user to operate such a key management server directly and securely. In addition, having the user directly operate a key management server with such a function is economically burdensome.
SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and its object is to provide a key management method capable of providing user authentication to an external device without depending on a certification authority. More specifically, the present invention assumes that a user has a master device that has received a certificate from a certification authority. The user's private key generated by the master device is stored only in the master device, which eliminates the possibility that an external attacker seizes the user's private key by attacking the key management server and, at the same time, allows a plurality of users to use the key management server jointly.
In addition, the present invention provides a key management protocol that enables a server expert, rather than the user, to operate the key management server. This removes the inconvenience of the user operating the key management server directly, allows the server to be operated reliably by a specialist, and eliminates the economic burden on a user who would otherwise have to operate a key management server.
In order to achieve the above object, a key management method using self-extended authentication according to the present invention comprises: a certificate issuance application step in which a master device generates a first public key and a first private key and sends the user identification information and the first public key to the certification authority; a certificate issuing step in which the certification authority issues a certificate to the master device; a user registration step in which the master device transmits the certificate to a key management server; a device registration request step in which an additional device connects to the key management server, generates a second public key and a second private key, and transmits a user name, an additional device name, and the second public key to the key management server; a device registration application information acquisition step in which the master device accesses the key management server to acquire the user name, the additional device name, and the second public key; a device registration permission step in which the master device issues a self-extended certificate, signed by the master key, for a document including the user name, the additional device name, and the second public key, and transmits it to the key management server; and a device registration completion step in which the additional device accesses the key management server and downloads the certificate and the self-extended certificate.
At this time, in the user registration step, the key management server creates a user account according to the user information input through the master device, verifies the validity of the certificate, and stores the certificate in the user account only when it is determined to be valid. In the device registration request step, the key management server stores the user name, the additional device name, and the second public key in the user account. In the device registration permission step, the key management server verifies the validity of the self-extended certificate and stores it in the user account only when it is determined to be valid.
Further, the key management method using self-extended authentication according to the present invention may further include: a user authentication step in which, when the additional device requests authentication of a user from an external device after completing the device registration, the additional device generates a signature statement signed with the second private key and provides the certificate, the self-extended certificate, and the signature statement to the external device; and a verification step in which the external device verifies the provided certificate, self-extended certificate, and signature statement to perform authentication of the user.
In the key management method using self-extended authentication according to the present invention, the first public key and the first private key are generated by a hardware security module mounted inside the master device, and the second public key and the second private key are generated by a hardware security module mounted inside the additional device.
According to the present invention, once one master device has been issued a certificate by a certification authority, the master device issues a self-extended certificate to the key management server, and the additional device accesses the key management server and downloads the user's certificate and the self-extended certificate. The user therefore does not need to obtain a certificate from the certification authority for every device he or she owns, and can generate and manage the authentication key (more specifically, the second public key and the second private key) himself or herself, which improves the convenience of key management.
Since the self-extended certificate issued by the master device and transmitted to the key management server does not require variable information such as an expiration date or a revocation mechanism, once its signature has been verified by the external device it can be used for the validity period of the certificate without additional signature verification.
According to the present invention, the key management server only mediates communication between the master device that issues the self-extended certificate and the additional device to which it is issued, without storing the user's private key. The user therefore does not need to operate the key management server, and a separate server expert can operate it. If there is a key management server operated by a specialist, the user can use it as a client when issuing a self-extended certificate to his or her own device. Therefore, convenience of use and operational stability are obtained, and the economic burden on a user who would otherwise have to operate a key management server is removed.
According to the present invention, the user's private keys are generated and held in the master device and the additional device, not in the key management server. As long as the user manages only the private keys generated by the master device and the additional device, the possibility that the user's private key is stolen can be greatly reduced. Accordingly, a plurality of users can use the key management server with peace of mind, which greatly enhances user convenience. In addition, the master device need be used only when issuing a self-extended certificate and can be kept turned off rather than used for routine communication with external devices. In that case, the possibility that the first private key is seized by an external attacker is further reduced, and key management can be realized accordingly.
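The chain summarized above (certificate, self-extended certificate, signature statement, and the external device's verification) is sketched below as an added example; it is not code from the patent. It assumes Ed25519 from the Go standard library in place of the RSA the description mentions, a simplified certificate structure instead of X.509, a JSON to-be-signed encoding, a server-chosen login challenge, and that the "master key" is the first private key; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Cert is a simplified stand-in for the CA-issued certificate (not X.509).
type Cert struct {
	User      string
	PublicKey []byte // first public key, generated on the master device
	Sig       []byte // CA signature over (User, PublicKey)
}

// SelfExtCert has no expiry or revocation fields, as this page describes.
type SelfExtCert struct {
	User, Device string
	PublicKey    []byte // second public key, generated on the additional device
	Sig          []byte // signature made with the first private key (assumption)
}

// tbs builds an unambiguous "to be signed" encoding (assumed format: JSON array).
func tbs(fields ...interface{}) []byte {
	b, _ := json.Marshal(fields)
	return b
}

// IssueCert plays the certification authority issuing the user's certificate.
func IssueCert(caPriv ed25519.PrivateKey, user string, pub ed25519.PublicKey) Cert {
	return Cert{user, pub, ed25519.Sign(caPriv, tbs("cert", user, []byte(pub)))}
}

// IssueSelfExt runs on the master device and signs name, device and second key.
func IssueSelfExt(masterPriv ed25519.PrivateKey, user, device string, pub ed25519.PublicKey) SelfExtCert {
	sig := ed25519.Sign(masterPriv, tbs("selfext", user, device, []byte(pub)))
	return SelfExtCert{user, device, pub, sig}
}

// VerifyChain checks CA -> certificate -> self-extended certificate.
func VerifyChain(caPub ed25519.PublicKey, c Cert, sx SelfExtCert) error {
	if len(c.PublicKey) != ed25519.PublicKeySize || len(sx.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(caPub, tbs("cert", c.User, c.PublicKey), c.Sig) {
		return errors.New("certificate not signed by the certification authority")
	}
	if sx.User != c.User { // assumption: both documents must name the same user
		return errors.New("self-extended certificate names a different user")
	}
	if !ed25519.Verify(c.PublicKey, tbs("selfext", sx.User, sx.Device, sx.PublicKey), sx.Sig) {
		return errors.New("self-extended certificate not signed by the master key")
	}
	return nil
}

// VerifyLogin is the external device's check; challenge is an assumed nonce.
func VerifyLogin(caPub ed25519.PublicKey, c Cert, sx SelfExtCert, challenge, stmt []byte) error {
	if err := VerifyChain(caPub, c, sx); err != nil {
		return err
	}
	if !ed25519.Verify(sx.PublicKey, challenge, stmt) {
		return errors.New("signature statement not made with the second private key")
	}
	return nil
}

// Demo runs the flow with constructed names and freshly generated keys.
func Demo() (okLogin, rogueLogin, tamperedLogin error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	mPub, mPriv, _ := ed25519.GenerateKey(rand.Reader) // master device
	dPub, dPriv, _ := ed25519.GenerateKey(rand.Reader) // additional device
	rPub, rPriv, _ := ed25519.GenerateKey(rand.Reader) // never approved by master
	cert := IssueCert(caPriv, "alice", mPub)
	sx := IssueSelfExt(mPriv, "alice", "tablet", dPub)
	nonce := []byte("constructed-login-nonce")
	okLogin = VerifyLogin(caPub, cert, sx, nonce, ed25519.Sign(dPriv, nonce))
	// A device that signs its own self-extended certificate is rejected.
	forged := IssueSelfExt(rPriv, "alice", "rogue", rPub)
	rogueLogin = VerifyLogin(caPub, cert, forged, nonce, ed25519.Sign(rPriv, nonce))
	// Changing any signed field after issuance breaks the master's signature.
	sx.Device = "laptop"
	tamperedLogin = VerifyLogin(caPub, cert, sx, nonce, ed25519.Sign(dPriv, nonce))
	return
}

func main() { fmt.Println(Demo()) }
```

VerifyChain is the same check the key management server can run before storing a self-extended certificate in the user account; only the master device and the additional device ever hold a private key.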
BRIEF DESCRIPTION OF DRAWINGS FIG. 1 is a diagram illustrating a configuration of a key management system capable of implementing the present invention.
FIG. 2 is a flowchart illustrating a key management method using self-extended authentication according to the present invention.
Hereinafter, a key management method using self-extended authentication according to the present invention will be described in detail with reference to the accompanying drawings. The foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the invention as defined by the appended claims and their equivalents. Detailed descriptions of known functions and configurations that may unnecessarily obscure the gist of the present invention are omitted.
FIG. 1 is a diagram illustrating a configuration of a key management system capable of implementing the present invention, and FIG. 2 is a flowchart illustrating a key management method using self-extended authentication according to the present invention.
An object of the present invention is to provide a key management method capable of providing user authentication to an external device without depending on a certification authority, regardless of how many owned devices a user uses.
To this end, a key management system capable of implementing the present invention includes a
The certification authority (10) refers to an organization that verifies the identity of a user and issues a certificate.
The
The
The
The
If the
Accordingly, in the present invention, a separate
1 indicates that the
In the present invention, in order to allow the
Referring to FIG. 2, in the key management method using self-extended authentication according to an embodiment of the present invention, the master device 20 first generates a first public key and a first private key (i.e., a first key pair) and transmits the user identification information and the first public key to the certification authority (S110).
For a user to use his or her computing device in an open network, public key cryptography is required, and public key cryptography must be used together with certificates based on Public Key Infrastructure (PKI) technology, which confirm the public key of a specific entity. Public key cryptography algorithms widely used in PKI environments include RSA and ECC; of these, RSA has the advantage that the algorithm is intuitive and that encryption and signatures can be handled by the same algorithm.
Accordingly, when the
That is, the first one of the first key pairs generated by the
After the certificate application is performed, the
The certificate issued by the
After the certificate is issued to the
The certificate transmitted to the
On the other hand, when the
After the certificate is transmitted to the
First, as a device registration application step, the
On the other hand, when the
A hardware security module refers to a hardware chip capable of performing functions such as random number generation, key generation, secure storage of keys, encryption and decryption, digital signature, and signature verification. Examples include a trusted platform module (TPM), a universal subscriber identity module (USIM) embedded in a communication device, an NFC chip, and a USB security token.
Specifically, recent computers are released with a trusted platform module (TPM), a hardware-based security chip, on the main board. Mobile communication terminals such as smartphones and tablet PCs are equipped with a USIM, the universal subscriber identity module that a carrier uses to manage subscribers, and the USIM is used to implement various security functions including key management. In recent years, smartphones with embedded NFC chips have also become widespread. In Korea, there are efforts to widely distribute the USB security token, a smart card chip embedded in a USB-type interface, as a storage device.
This hardware security module serves not only as a secure repository of key pairs, but also allows key pair generation, digital signatures, signature verification, etc., to be performed securely inside the device without leaking the private key.
Accordingly, the first public key and the first private key generated in step S110 are generated in the hardware security module installed in the
The second private key of the second key pair generated by the
When the
On the other hand, when the
After the device registration request is made, in step S150, the
More specifically, when the
After the
Here, issuing the self-extended certificate by the
The self-extended certificate issued by the
The self-extended certificate generated by the
When the
After the device registration is approved, the
Specifically, the user can access the
As the
Since the self-expanding certificate is logically linked to the certificate and is always used with the certificate, the
The
A typical example is a digital signature login. For example, when the user accesses the login page of the server (external device 50) operated by the third party through the
Thus, when the
In this case, the
Specifically, the
The
Finally, the
The
As described above, according to the present invention, one
The present invention can be conveniently used for key management not only in conventional wired and wireless computing environments but also in mobile, Internet of Things (IoT), and cloud environments.
For example, in an IoT environment, mutual authentication is required among many devices such as sensor devices, gateways, cloud service platforms, and user terminals. According to the present invention, the user can systematically manage the membership of many owned devices by using a certificate issued by a certification authority and self-extended certificates issued on the basis of that certificate. In addition, clear access control and authorization control with other sensor devices and terminals can be provided on the basis of certificates and self-extended certificates.
While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Accordingly, the technical scope of the present invention is to be defined only by the appended claims, and all equivalent variations thereof fall within the technical scope of the present invention.
10: Certification Body
20: Master device
30: Key management server
40: Additional devices
50: External device
Claims (4)
A certificate issuing step in which the certification authority issues a certificate to the master device;
A user registration step of the master device transmitting the certificate to a key management server;
A device registration request step of an additional device connecting to the key management server to generate a second public key and a second private key, and transmitting a user name, an additional device name, and the second public key to the key management server;
A device registration application information acquisition step of the master device accessing the key management server to acquire information on the user name, the additional device name, and the second public key;
Issuing a self-extended certificate, signed by the master key, for a document including the user name, the additional device name, and the second public key, and transmitting it to the key management server; and
A step of completing registration of the device, wherein the additional device accesses the key management server and downloads the certificate and the self-extended certificate.
In the user registration step, the key management server creates a user account according to user information input through the master device, verifies the validity of the certificate, and stores the certificate in the user account only when it is determined to be valid and,
In the device registration request step, the key management server stores the user name, the additional device name, and the second public key in the user account,
Wherein, in the device registration permission step, the key management server verifies the validity of the self-extended certificate and stores the self-extended certificate in the user account only when it is determined to be valid.
The method further comprising: a user authentication step in which, when the additional device requests authentication of a user from an external device after completion of the device registration step, the additional device generates a signature statement signed with the second private key and provides the certificate, the self-extended certificate, and the signature statement to the external device; and
A verification step in which the external device verifies the provided certificate, self-extended certificate, and signature statement to perform the authentication of the user.
Wherein the generation of the first public key and the first private key is performed by a hardware security module mounted inside the master device,
Wherein the generation of the second public key and the second private key is performed by a hardware security module mounted inside the additional device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160018219A KR101821645B1 (en) | 2016-02-17 | 2016-02-17 | Key management method using self-extended certification |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170096691A | 2017-08-25 |
KR101821645B1 | 2018-01-25 |
Family
ID=59761642
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160018219A KR101821645B1 (en) | 2016-02-17 | 2016-02-17 | Key management method using self-extended certification |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101821645B1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108768664B (en) * | 2018-06-06 | 2020-11-03 | 腾讯科技(深圳)有限公司 | Key management method, device, system, storage medium and computer equipment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100395424B1 (en) * | 2000-08-22 | 2003-08-21 | 쓰리알소프트(주) | The system and method of automatic issue and search of certificate in relation to security web mail |
-
2016
- 2016-02-17 KR KR1020160018219A patent/KR101821645B1/en active IP Right Grant
Also Published As
Publication number | Publication date |
---|---|
KR101821645B1 (en) | 2018-01-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant |