KR20170096691A - Key management method using self-extended certification - Google Patents

Key management method using self-extended certification Download PDF

Info

Publication number
KR20170096691A
KR20170096691A KR1020160018219A KR20160018219A KR20170096691A KR 20170096691 A KR20170096691 A KR 20170096691A KR 1020160018219 A KR1020160018219 A KR 1020160018219A KR 20160018219 A KR20160018219 A KR 20160018219A KR 20170096691 A KR20170096691 A KR 20170096691A
Authority
KR
South Korea
Prior art keywords
certificate
user
key
management server
key management
Prior art date
Application number
KR1020160018219A
Other languages
Korean (ko)
Other versions
KR101821645B1 (en
Inventor
이병천
범진규
Original Assignee
중부대학교 산학협력단
주식회사 드림시큐리티
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 중부대학교 산학협력단, 주식회사 드림시큐리티 filed Critical 중부대학교 산학협력단
Priority to KR1020160018219A priority Critical patent/KR101821645B1/en
Publication of KR20170096691A publication Critical patent/KR20170096691A/en
Application granted granted Critical
Publication of KR101821645B1 publication Critical patent/KR101821645B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention relates to a key management method using self-extended certification, wherein one master device receives a certificate from a certification authority and then issues a self-extended certificate based on the certificate to transmit the self-extended certificate to a key management server and an additional device downloads the self-extended certificate and certificate necessary for user certification in an external device by connecting to the key management server. Accordingly, the user can generate and manage a certification key (more specifically, a second public key and a second private key to receive the self-extended certification) by oneself without receiving the certificate from the certification authority in all the devices which the user has, thereby improving the convenience of key management.

Description

[0001] KEY MANAGEMENT METHOD USING SELF-EXTENDED CERTIFICATION [0002]

The present invention relates to a key management method using self-extended authentication, and more particularly, to a method and apparatus for managing a key by a self-extended certificate, The present invention relates to a key management method using self-extended authentication configured to allow an additional device, which has not issued a certificate directly from a certification authority, to provide user authentication to an external device by issuing the certificate to an additional device through a management server.

In a ubiquitous environment where a user uses a plurality of proprietary devices (computing devices such as desktops, notebooks, smart phones, and tablet PCs), it is very difficult to securely use and manage certificates from a certification authority. Specifically, to use a certified key in a device owned by the user, a public key and a private key pair are generated, and then the private key is securely stored in the device, the public key is submitted to the certification authority, It is a common approach to issue a certificate from a certification authority. If a user uses multiple proprietary devices, how to install the user's authentication key for each proprietary device and how to provide user authentication to the external device very important.

First, the user issues a certificate to only one of the plurality of owned devices, and copies the authentication key (i.e., the public key and the private key, which have been authenticated by the certification authority) To the mobile station. However, this method has a problem that the private key is transmitted to the outside of the own device through communication, and therefore, it is apt to be stolen by an attack of an external attacker. In addition, this method has a problem in that if a private key is stolen from one proprietary device, the private key can not be used by all other proprietary devices. A key pair is generated in a hardware security module such as a smart card, a Trusted Platform Module (TPM), a Universal Subscriber Identity Module (USIM), a Near Field Communication (NFC) On the other hand, when a certificate is issued, the private key can not be copied to the outside of the hardware security module. Therefore, there is a problem that the method of copying the authentication key to another owned device can not be applied.

Next, it is possible to consider a method in which a separate certificate is issued from the certification authority to each owned device. In this case, however, the user has to engage in the certificate issuing process several times in order to receive a certificate as many as the number of devices owned by the user. In addition, it is necessary to manage several certificates issued and their own devices separately. As the number of devices owned by the user increases, it may be very difficult to manage all of them securely. In addition, in the event of loss or damage to the device, the user must apply for certificate revocation to the certification authority, and the certification authority must issue a certificate revocation list, which is very complicated for both the user and the certification authority It is a troublesome thing.

There are a lot of criticisms about the public authentication system in Korea, and its main criticism is that non-standard add-on programs such as ActiveX should be installed in the browser, depend on specific browsers, And it is vulnerable to various hacking attacks because it is difficult to store and use the private key safely. In order to solve this problem, an approach such as FIDO (Fast IDentity Online) which uses a biometric technology to store an authentication key in a smart phone equipped with a USIM and substitute a password has been researched and developed. However, Since it is not a certificate-based system, it is necessary to establish a fundamental countermeasure regarding the distribution of the authentication key to a plurality of the owned devices.

In other words, up to now, there has not been proposed a systematic way to securely and efficiently manage an authentication key in a ubiquitous environment where a user uses a plurality of proprietary devices. , It is necessary to provide a technical basis for allowing a user to directly distribute an authentication key to a plurality of proprietary devices and conveniently manage the device, and to provide user authentication to external devices.

On the other hand, non-patent document 1 discloses a scheme for enabling user authentication in a plurality of devices owned by the user. Specifically, according to Non-Patent Document 1, a user-owned key management server having a user's certificate and a private key issues an extended authentication signature to other devices owned by the user, thereby providing user authentication to other-owned devices . However, since the key management server disclosed in the non-patent document 1 holds the authentication key (in particular, the private key of the user authenticated by the certification authority), it is expected to be an intensive attack target by an external attacker. It is very difficult to operate these key management servers directly and securely. Also, there is a problem that a user directly operates a key management server having such a function, which is economically burdensome.

Lee, Byeongcheon, "Hybrid Key Management Using Self-Extension Authentication and Hardware Security Module", Security Engineering Research Paper, (2014), Vol.11, No.4, pages 273 -286

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above problems, and it is an object of the present invention to provide a key management method capable of providing user authentication to an external device without depending on a certification authority, . More specifically, the present invention assumes that a user has a master device that has received a certificate from an authentication authority. In this case, the user's private key generated by the master device is stored only in the master device, The present invention provides a key management method for eliminating the possibility that an external attacker attacks the key management server to seize the user's private key and at the same time allows a plurality of users to use the key management server jointly It has its purpose.

In addition, the present invention provides a key management protocol that enables a server expert to operate a key management server, rather than the user himself / herself, thereby solving the inconvenience caused by the user directly operating the key management server, The present invention is directed to providing a key management method capable of reliably operating by a specialist and eliminating the economic burden of a user who is required to operate a key management server.

In order to achieve the above object, a key management method using self-extended authentication according to the present invention is characterized in that a master device generates a first public key and a first private key, A certificate issuing application step to send to the institution; A certificate issuing step in which the certification authority issues a certificate to the master device; A user registration step of the master device transmitting the certificate to a key management server; A device registration request step of an additional device connecting to the key management server to generate a second public key and a second private key, and transmitting a user name, an additional device name, and the second public key to the key management server; A device registration application information acquisition step of the master device accessing the key management server to acquire information on the user name, the additional device name, and the second public key; Issuing a self-extended certificate signed by the master key to the document including the user name, the additional device name, and the second public key, and transmitting the certificate to the key management server; And registering the device to which the additional device accesses the key management server and download the certificate and the self-extended certificate.

At this time, in the user registration step, the key management server creates a user account according to the user information input through the master device, validates the validity of the certificate, and, And in the device registration request step, the key management server stores the user name, the additional device name, and the second public key in the user account, and in the device registration permission step, the key management server And stores the self-extended certificate in the user account only when it is determined that the self-extended certificate is valid after verifying the validity of the self-extended certificate.

Further, a method of managing a key using self-extended authentication according to the present invention may further include generating a signature statement signed by the second private key when the additional device requests authentication of a user from an external device after completing the device registration A user authentication step of providing the certificate, the self-extended certificate and the signature statement to the external device; And a verification step of verifying the certificate, the self-extended certificate, and the signature statement provided to perform authentication of the user by the external device.

In the key management method using the self-extended authentication according to the present invention, the generation of the first public key and the first private key is performed by a hardware security module mounted inside the master device, 2 private key is generated by a hardware security module mounted inside the additional device.

According to the present invention, when one master device issues a certificate from an authentication authority, the master device issues a self-extended certificate to the key management server, and the additional device accesses the key management server to authenticate the user And the self-extended certificate can be downloaded so that the user does not need to obtain a certificate from the certification authority in all the devices he owns, so that the user himself or herself can use the authentication key (more specifically, The second public key and the second private key) can be generated and managed, thereby improving the convenience of key management.

Since the self-extended certificate issued by the master device and transmitted to the key management server does not require variable information such as expiration date and revocation mechanism, once the signature verification is performed from the external device, the validity period of the certificate can be used without additional signature verification .

According to the present invention, since the key management server only mediates communication between the master device that issues the self-extended certificate and the additional device that issues the self-extended certificate without storing the user's private key, It is not necessary to operate the key management server, and a separate server expert can operate the key management server. If there is a key management server operated by a specialist, the user can utilize the key management server in terms of the client in issuing a self-extended certificate to his / her own device. Therefore, convenience in use and operational stability And it is possible to solve the economic burden of the user who is required to operate the key management server.

According to the present invention, since the user's private key is generated and held in the master device and the additional device, but not in the key management server, when the user manages only the private key generated by the master device and the additional device, The possibility that the user's private key is stolen can be greatly reduced. Accordingly, according to the present invention, a plurality of users can use the key management server with peace of mind, thereby greatly enhancing convenience for users. In addition, the master device can be used only when issuing a self-extended certificate, and can be turned off without using it for routine communication with an external device. In this case, the possibility that the first private key is seized from an external attacker is further reduced, Management can be realized.

BRIEF DESCRIPTION OF DRAWINGS FIG. 1 is a diagram illustrating a configuration of a key management system capable of implementing the present invention; FIG.
2 is a flowchart illustrating a key management method using self-extended authentication according to the present invention.

Hereinafter, a key management method using self-extended authentication according to the present invention will be described in detail with reference to the accompanying drawings. It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to be illustrative of and in a mature and descriptive sense only and is not for the purpose of limiting the invention as defined by the appended claims and their equivalents. Lt; / RTI > The detailed description of known functions and configurations that may unnecessarily obscure the gist of the present invention will be omitted.

FIG. 1 is a diagram illustrating a configuration of a key management system capable of implementing the present invention, and FIG. 2 is a flowchart illustrating a key management method using self-extended authentication according to the present invention.

An object of the present invention is to provide a key management method capable of providing user authentication to an external device without depending on a certification authority, regardless of how many owned devices a user uses.

To this end, a key management system capable of implementing the present invention includes a certification authority 10, a master device 20, a key management server 30 and an additional device 40 as shown in FIG. 1, An external device 50 may be further included.

The certification authority (10) refers to an organization that verifies the identity of a user and issues a certificate.

The master device 20 is a computing device that requests the certificate authority 10 to issue a certificate from a user's own devices, issues a certificate from the certificate issuer, and issues a self-extended certificate using the first private key.

The additional device 40 does not receive a certificate directly from the certification authority 10 among the user's owned devices and receives a certificate and a self extended certificate from the key management server 30 in order to provide user authentication to the external device 50. [ Quot; refers to a computing device that is downloaded.

The external device 50 is a server operated by a third party or a third party, and means a device that performs authentication of the user to the additional device 40 using a certificate, a self-extended certificate, and a signature do.

The key management server 30 mediates the process of issuing a certificate and issuing a self-extended certificate between the master device 20 and the additional device 40, and creates a user account to store and manage the certificate and self- can do. That is, the key management server 30 receives the certificate and the self-extended certificate from the master device 20, stores it in the user account and provides it to the additional device 40, The device name, and the second public key, stores it in the user account, and provides the master key 20 to the master device 20.

If the master device 20 issues a self-extended certificate and directly transmits the self-extended certificate to the additional device 40, the master device 20 or the additional device 40 is always operating and waiting for an external connection The external attacker can easily access the master device 20 or the additional device 40, which makes it easy to be attacked.

Accordingly, in the present invention, a separate key management server 30 is provided so that the key management server 30 can perform communication between the master device 20 and the additional device 40 for issuing a certificate and issuing a self- And to act as intermediaries. That is, the master device 20 and the additional device 40 allow the key management server 30 to perform the process of issuing the certificate and issuing the self-extended certificate from the client side.

 1 indicates that the master device 20 and the additional device 40 are user-owned computing devices. Although the number of the additional devices 40 is shown in FIG. 1 as one, The number of the additional devices 40 may be a plurality of.

In the present invention, in order to allow the additional device 40, which has not received a certificate directly from the certification authority 10, to provide user authentication to the external device 50, And will be described in more detail with reference to FIG. 2. FIG.

2, the key management method using the self-extended authentication according to an embodiment of the present invention includes a step of generating a first public key and a first private key by the master device 20 (I.e., generates a first key pair), and transmits the user identification information and the first public key to the certification authority (S110).

In order to allow a user to use his / her computing device in an open network, it is required to use a public key cryptography method. In the public key cryptography method, a public key of a specific entity is checked It should be used with certificates using Public Key Infrastructure (PKI) technology. Public-key cryptography algorithms widely used in PKI environments include RSA cryptography and ECC cryptography, among which RSA cryptography is advantageous because it has an advantage in that the algorithm is intuitive and encryption and signatures can be handled by the same algorithm have.

Accordingly, when the master device 20 generates the first public key and the first private key in step S110, it is possible to use the RSA encryption technique. At this time, the master device 20 can install a hardware security module therein and generate a first key pair within the hardware security module.

That is, the first one of the first key pairs generated by the master device 20 equipped with the hardware security module is stored in the hardware security module and is not leaked to the outside, and only the first public key is associated with the user identification information To the certification authority (10). Here, the master device 20 transmits the user identification information required according to the policy of the certification authority, including the user name (for example, the user's ID), to the certification authority 10, So that the identity of the user can be verified before issuing the certificate.

After the certificate application is performed, the certification authority 10 issues a certificate to the master device 20 as a certificate issuing step (S120). That is, when the certification authority 10 receives the user identification information and the first public key from the master device 20, it verifies the identity of the user. Thereafter, the user identification information and the first public key And issues a document, i.e., a certificate, signed by the private key of the certification authority to the master device 20. [

The certificate issued by the certification authority 10 to the master device 20 includes the user name and the first public key and is also valid for limiting the attributes that the certification authority 10 gives to the user in the public network It contains complex fields such as duration, key usage purpose, and extension field. As the master device 20 receives a certificate from the certification authority 10, the first key pair generated in step S110 becomes an authentication key pair authenticated by the certification authority 10.

After the certificate is issued to the master device 20, as a user registration step, the master device 20 accesses the key management server 30 and transmits the certificate to the key management server 30 (S130). That is, the user can connect to the key management server 30 through the master device 20 and transmit the certificate issued from the certification authority 10 to the key management server 30, It can be understood that the user of the device 20 is informed to the key management server 30 to request the key management server 30 to register the user.

The certificate transmitted to the key management server 30 may be stored in a user account database (not shown) of the key management server 30. [ Specifically, when the master device 20 is connected to the key management server 30, the key management server 30 can execute a program for creating a user account and provide it to the screen of the master device 20 . The key management server 30 creates a user account in the database in accordance with user information (for example, a user ID and a password) input through a keypad or a touch pad of the master device 20, The certificate can be stored in. When the key management server 30 is configured to store a certificate in a user account, a plurality of users may use the key management server 30 together to store their respective user information in a separate storage space So that efficient key management becomes possible.

On the other hand, when the key management server 30 receives the certificate from the master device 20, the validity of the certificate can be verified. Validation of the certificate can be done using the public key of the certification authority 10. The key management server 30 may store the certificate in the user account only when it is determined that the certificate is valid through the certificate verification, and may not store the certificate otherwise. The key management server 30 verifies the validity of the certificate in this way, so that the additional device 40, which downloads the certificate and the self-extended certificate in the future, can provide a reliable user authentication to the external device 50.

After the certificate is transmitted to the key management server 30, the certificate is transmitted to the additional device 40 and the self-extended certificate is issued. The certificate is transmitted to the key management server 30 through the device registration request step, The device registration completion step is performed.

First, as a device registration application step, the additional device 40 connects to the key management server 30 to generate a second public key and a second private key (i.e., generate a second key pair) And the second public key to the key management server 30 (S140). That is, the user can access the key management server 30 through the device (that is, the device that desires to download the certificate and the self-extended certificate) that wants to provide the user authentication to the external device 50 among the owned devices . The additional device 40 generates the second public key and the second private key, and then transmits the second public key together with the user name and the additional device name. This causes the master device 20 to issue the self- In order to make it possible. The additional device 40 transmits the user name and the additional device name to the key management server 30 by notifying the key management server 30 of the user and the device name of the additional device 40, ) To register the additional device (40).

On the other hand, when the additional device 40 generates the second public key and the second private key, the RSA cipher technology may be used as in S110, and generation of the second key pair may be performed in the additional device 40 Or a hardware security module.

A hardware security module refers to a hardware chip capable of performing functions such as random number generation, key generation, secure storage of keys, encryption and decryption, digital signature and signature verification, and includes a trusted platform module (TPM) An example of a general purpose subscriber identity module (USIM), an NFC chip, and a USB security token embedded in a communication device.

Specifically, the latest computers to be released today are being released in the form of a trusted platform module (TPM), which is a hardware-based security chip, on the main board. In addition, mobile communication terminals such as a smart phone and a tablet PC are equipped with a USIM, which is a universal subscriber identification module used for managing a subscriber in a communication company. Such a USIM is used for implementing various security functions including key management . In recent years, the spread of smart phones with embedded NFC chips has been expanding. In Korea, a USB security token, which is a smart card chip embedded in a USB-type interface, And it is trying to spread it widely as a storage device.

This hardware security module serves not only as a secure repository of key pairs, but also allows key pair generation, digital signatures, signature verification, etc., to be performed securely inside the device without leaking the private key.

Accordingly, the first public key and the first private key generated in step S110 are generated in the hardware security module installed in the master device 20, and the second public key and the first private key generated in step S140 2 private key is generated in the hardware security module installed inside the additional device 40, the first private key and the second private key can be more securely protected from attacks by external attackers.

The second private key of the second key pair generated by the additional device 40 is stored in the additional device 40 so as not to leak to the outside and only the second public key is transmitted to the key management server 30. [

When the additional device 40 transmits the second public key to the key management server 30, the user name and the additional device name are transmitted together. For example, when the user accesses the key management server 30 through the additional device 40, the window of the additional device 40 provides a window for inputting the user name and the additional device name by the key management server 30 . Accordingly, the user can input a user name (e.g., a user ID) capable of identifying himself / herself through the additional device 40 and an additional device name (e.g., pc1, pc2 , phone1, phone2). If the key management server 30 receives the user name, the additional device name, and the second public key from the additional device 40, the key management server 30 may store the user name, the additional device name, and the second public key in the user account created in step S130.

On the other hand, when the additional device 40 transmits the user name, the additional device name, and the second public key to the key management server 30, in order to verify the validity of the second public key information and ownership of the second private key, The user name, the device name, and the second public key may be signed with the second private key and transmitted.

After the device registration request is made, in step S150, the master device 20 accesses the key management server 30 to acquire the user name, the device name, and the second public key as the device registration application information acquiring step.

More specifically, when the master device 20 is connected to the key management server 30, the device registration application performed by the user in the step S 140 may be provided on the screen of the master device 20 have. Accordingly, the user can confirm whether or not he or she is the same as the application made by using the additional device 40 (i.e., confirms whether the user name is correct or the name of the additional device is correct) , The information on the user name, the additional device name, and the second public key can be downloaded from the master device 20 to the master device 20.

After the master device 20 obtains the device registration application information, as the device registration permission step, in step S110, the master device 20, for the document including the user name, the additional device name, and the second public key, In step S120, it issues a self-extended certificate signed with the first private key authenticated by the certification authority 10 and transmits it to the key management server 30 in step S160.

Here, issuing the self-extended certificate by the master device 20 means that the registration of the additional device 40 is permitted.

The self-extended certificate issued by the master device 20 includes the user name, the additional device name, and the second public key. However, the self-extended certificate is issued to extend the user authentication to the devices owned by the user Because it is a document, it does not have to be composed of complex fields like certificates (for example, self-expanding certificates do not need to be validated).

The self-extended certificate generated by the master device 20 may be transmitted to the key management server 30 and stored in the database of the key management server 30. [ At this time, the key management server 30 can store the self-extended certificate in the user account created in the step S 130, so that efficient key management can be performed. Accordingly, the user account created by the key management server 30 includes the master The certificate of the user issued by the device 20 from the certification authority 10 and the self extended certificate of the user issued by the master device 20 are stored.

When the key management server 30 receives the self-extended certificate, the validity of the self-extended certificate can be verified. The validation of the self-extended certificate may be performed using the first public key included in the certificate. The key management server 30 may store the self-extended certificate in the user account only when it is determined that the self-extended certificate is valid through the self-extended certificate verification, and otherwise, the self-extended certificate may not be stored. The key management server 30 verifies the validity of the self-extended certificate in this way, so that the additional device 40, which downloads the certificate and self-extended certificate in the future, can provide reliable user authentication to the external device 50 .

After the device registration is approved, the additional device 40 accesses the key management server 30 to download the certificate and the self-extended certificate as the device registration completion step (S170).

Specifically, the user can access the key management server 30 with the additional device 40 that has requested the device registration, and then input the user name (for example, the user ID) and the additional device name (for example, pc1) have. Accordingly, a self-extended certificate issued by the master device 20 as the device registration permission details can be displayed on the screen of the additional device 40, and the self-extended certificate can be displayed from the key management server 30 to the additional device 40 Extension certificates can be downloaded.

As the additional device 40 receives the self-extended certificate from the key management server 30, the second key pair generated in step S140 becomes a self-extended authentication key pair authenticated by the master device 20 itself .

Since the self-expanding certificate is logically linked to the certificate and is always used with the certificate, the additional device 40 needs to download the certificate together with the self-expanding certificate to provide user authentication to the external device 50. [ Accordingly, the additional device 40 can store the certificate and the self-extended certificate, thereby completing the device registration procedure.

The additional device 40 can provide the user authentication to the external device 50 with the certificate and the self-extended certificate as described above.

A typical example is a digital signature login. For example, when the user accesses the login page of the server (external device 50) operated by the third party through the additional device 40, the external device 50 requests the additional device 40 to authenticate the user . In this case, since the additional device 40 is not a device that has been directly issued a certificate from the certification authority 10, the external device 50 may be configured to allow the external device 50 to confirm that the user's identity and the additional device 40 are owned by the user. shall.

Thus, when the additional device 40 is requested to authenticate the user from the external device 50 (for example, the additional device 40 can be requested to log in from the external device 50) 40 provide user authentication to the external device 50. That is, as the user authentication step, the additional device 40 can generate a signature (i.e., digital signature) signed by the second private key that has undergone self-extension authentication in step S170, And provides it to the external device 50 together with the downloaded certificate and the self-extended certificate (S180).

In this case, the external device 50 performs a verification step to perform user authentication of the additional device 40 (S190). That is, the external device 50 can validate the log-in (user verification) after verifying the certificate, self-extended certificate, and signature statement provided from the additional device 40.

Specifically, the external device 50 can verify the identity of the user by verifying the certificate provided from the additional device 40 using the public key of the certification authority 10.

The external device 50 can verify that the additional device 40 is owned by the user by verifying the self-extended certificate provided from the additional device 40 using the first public key included in the certificate.

Finally, the external device 50 can verify the validity of the signature by verifying the signature provided by the additional device 40 using the second public key included in the self-extended certificate.

The external device 50 is able to authenticate the user even in an environment where the user is using the additional device 40 by performing the three-step verification process as described above.

As described above, according to the present invention, one master device 20 issues a certificate to the key management server 30 after issuing a certificate from the certification authority 10, The authentication server 40 is configured to be able to access the key management server 30 and download the certificate and the self-extended certificate necessary for providing the user authentication to the external device 50. Therefore, The user can generate and manage the authentication key (more specifically, the second public key and the second private key that have undergone self-extended authentication) without needing to obtain a certificate from the authority 10, thereby improving the convenience of key management .

The present invention can be conveniently used not only in a conventional computing environment composed of wired and wireless, but also in key management in mobile, object Internet, and cloud environments.

For example, in the Internet environment of objects, mutual authentication is required between many devices such as sensor devices, gateways, cloud service platform, and user terminals. According to the present invention, the user can systematically manage the membership of many owned devices by using a certificate issued by a certificate authority and a self-extended certificate issued based on the certificate. In addition, it can provide clear access control and authorization control functions with other sensor devices and terminals based on certificates and self-extended certificates.

While the invention has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Of course, this is possible. Accordingly, it is intended that the technical scope of the present invention be defined only by the appended claims, and that all equivalent or equivalent variations thereof fall within the technical scope of the present invention.

10: Certification Body
20: Master device
30: Key management server
40: Additional devices
50: External device

Claims (4)

A certificate issuing application step in which the master device generates the first public key and the first private key, and transmits the user identification information and the first public key to the certification authority;
A certificate issuing step in which the certification authority issues a certificate to the master device;
A user registration step of the master device transmitting the certificate to a key management server;
A device registration request step of an additional device connecting to the key management server to generate a second public key and a second private key, and transmitting a user name, an additional device name, and the second public key to the key management server;
A device registration application information acquisition step of the master device accessing the key management server to acquire information on the user name, the additional device name, and the second public key;
Issuing a self-extended certificate signed by the master key to the document including the user name, the additional device name, and the second public key, and transmitting the certificate to the key management server; And
And a step of completing registration of the device, wherein the additional device accesses the key management server and downloads the certificate and the self-extended certificate. The method according to claim 1,
In the user registration step, the key management server creates a user account according to user information input through the master device, verifies the validity of the certificate, and stores the certificate in the user account only when it is determined to be valid and,
In the device registration request step, the key management server stores the user name, the additional device name, and the second public key in the user account,
Wherein the key management server verifies the validity of the self-extended certificate and then stores the self-extended certificate in the user account only when it is determined to be valid in the device registration permission step. Way. The method according to claim 1,
The method comprising the steps of: when the additional device requests authentication of a user from an external device after completion of the device registration step, generating a signature statement signed with the second private key, and transmitting the certificate, To a user; And
Wherein the external device further includes a verification step of verifying the certificate, the self-extended certificate, and the signature statement provided to perform the authentication of the user. The method according to claim 1,
Wherein the generation of the first public key and the first private key is performed by a hardware security module mounted inside the master device,
Wherein the generation of the second public key and the second private key is performed by a hardware security module mounted inside the additional device.
KR1020160018219A 2016-02-17 2016-02-17 Key management method using self-extended certification KR101821645B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160018219A KR101821645B1 (en) 2016-02-17 2016-02-17 Key management method using self-extended certification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020160018219A KR101821645B1 (en) 2016-02-17 2016-02-17 Key management method using self-extended certification

Publications (2)

Publication Number Publication Date
KR20170096691A true KR20170096691A (en) 2017-08-25
KR101821645B1 KR101821645B1 (en) 2018-01-25

Family

ID=59761642

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020160018219A KR101821645B1 (en) 2016-02-17 2016-02-17 Key management method using self-extended certification

Country Status (1)

Country Link
KR (1) KR101821645B1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768664B (en) * 2018-06-06 2020-11-03 腾讯科技(深圳)有限公司 Key management method, device, system, storage medium and computer equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100395424B1 (en) * 2000-08-22 2003-08-21 쓰리알소프트(주) The system and method of automatic issue and search of certificate in relation to security web mail

Also Published As

Publication number Publication date
KR101821645B1 (en) 2018-01-25

Similar Documents

Publication Publication Date Title
US11223614B2 (en) Single sign on with multiple authentication factors
CN109951489B (en) Digital identity authentication method, equipment, device, system and storage medium
US9135415B2 (en) Controlling access
US10523441B2 (en) Authentication of access request of a device and protecting confidential information
EP2893484B1 (en) Method and system for verifying an access request
US20140189799A1 (en) Multi-factor authorization for authorizing a third-party application to use a resource
WO2012158803A1 (en) Trusted mobile device based security
EP3080946A2 (en) Near field communication authentication mechanism
US10237057B2 (en) Method and system for controlling the exchange of privacy-sensitive information
US9565211B2 (en) Managing exchanges of sensitive data
US20200322151A1 (en) Apparatus and methods for secure access to remote content
US20210320790A1 (en) Terminal registration system and terminal registration method
GB2554082B (en) User sign-in and authentication without passwords
CN106992978B (en) Network security management method and server
CN110838919B (en) Communication method, storage method, operation method and device
US11082236B2 (en) Method for providing secure digital signatures
JP2018022501A (en) Server system and method for controlling multiple service systems
KR101821645B1 (en) Key management method using self-extended certification
KR102053993B1 (en) Method for Authenticating by using Certificate
JP2019134333A (en) Information processing system, client device, authentication and authorization server, control method, and program thereof
KR102542840B1 (en) Method and system for providing finance authentication service based on open api
JP6364957B2 (en) Information processing system, information processing method, and program
KR101737925B1 (en) Method and system for authenticating user based on challenge-response
KR101657932B1 (en) Key management and user authentication method using self-extended certification
JP2015220526A (en) Information processing system, information processing method, and program

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant