KR20170099339A - System and method for providing security membership and login hosting service - Google Patents

Abstract

The present invention relates to a system and a method to provide a security membership and login hosting service. More specifically, the present invention is capable of fundamentally preventing hacking by improving the security of membership and login; and improving user convenience by enabling login and membership to various websites with one scan or click through security authentication. According to an embodiment of the present invention, provided are a system and a method to provide a security membership and login hosting service, capable of fundamentally preventing hacking by improving the security of membership; and improving user convenience by enabling login and membership to various websites with one scan or click through security authentication. The present invention includes: a hosting service server processing membership; and an application transmitting user information to the server.

Description

FIELD OF THE INVENTION [0001] The present invention relates to a security subscription service and a login service providing system,

An embodiment of the present invention relates to a security subscription and login hosting service providing system and method.

Due to the development of network and data communication technologies, online services such as issuance of public documents through the Internet, banking, shopping, and securities trading are being provided.

User authentication technology is being applied to provide such online services. A certificate is electronic information generated by a Certificate Authority (CA) to identify a user online.

Such authorized certificates are generally stored in a hard disk or a removable disk of a computer or a smart device, which may cause a password to be exposed or hacked. In addition, the user can perform user authentication together with the authorized certificate by inputting the number recorded in the financial security card issued offline from the financial institution in the financial transaction.

However, this method requires checking the financial security card at each financial transaction, and when the financial security card is lost, it is not possible to perform the financial transaction, and it is troublesome to visit the financial institution and reissue it.

Accordingly, recently, OTP (One Time Password) using a one-time password has been proposed. An OTP is a one-time password that is generated for user identification of an authorized certificate.

However, since OTP is issued by a financial institution and the issuance cost is incurred and it is necessary to carry it for financial transactions, there is a fear of loss, and there is a possibility of being used for crime.

1. Registration Patent Publication No. 10-1589706 (Registration date: January 22, 2016) 2. Registration Patent Publication No. 10-1601636 (Registration date: March 03, 2016)

The embodiment of the present invention improves the security and blocks the hacking, and enables membership and log-in of various websites through security self-certification with only one scan or click, And a login hosting service providing system and method thereof.

The secure membership subscription hosting service system according to an embodiment of the present invention generates cue-link information for secure membership subscription based on a cue-link request signal received from the website when a website is registered, Link information received from the user and the cue-link information transmitted to the website are identical to each other, and whether the first authentication key received from the user is registered in the website A hosting service server for requesting and receiving user information, transmitting an approval message and the user information to the web site, and processing the membership in the web site; And acquiring the cue-link information by scanning the identification code converted from the cue-link information in the web site, the cue-link information being installed in the user portable terminal, storing the user information and the first authentication key, To the hosting service server together with the first authentication key and transmitting the user information to the hosting service server according to the user information request of the hosting service server.

Also, the web site outputs the cue-link information in the form of an identification code, and the application scans and acquires the identification code through the user portable terminal when the identification code is outputted through a web browser, And may select and acquire the identification code when it is outputted through the browser, and may transmit the cue-link information acquired through the web browser or the mobile browser to the hosting service server together with the first authentication key.

In addition, the application may generate the first authentication key and the second authentication key at the first execution in the user portable terminal, transmit the first authentication key to the hosting service server and register the same, Wherein the first authentication key includes a public key and hardware information of the user portable terminal, and the second authentication key includes a secret key. can do.

Also, the hosting service server may include at least one sub-black box communicating with the website; And a main black box communicating with the sub black box and the application, respectively, wherein the sub black box receives the cue-link request signal from a corresponding web site when joining a user's web site, Link information for security subscription based on a link request signal and transmits the generated cue-link information to the web site and the main black box, respectively, and the main black box transmits the cue-link information and the first authentication Key information received from the sub-black boxes, and if there is the same cue-link information as the cue-link information received from the application, Is a registered key, and it is determined that the first authentication key is a registered key And transmits the approval message, the third authentication key regenerated from the first authentication key, and the user information to the sub-black box. When the sub-black box receives the user information from the application, The black box transmits the approval message, the third authentication key, and the user information transmitted from the main black box to the website, and the website processes the website membership according to the cue-link information .

The cue-link request signal may include at least one of a time stamp, a session key, a session information, an authentication code message, a processing type information, and domain information of the corresponding website. The cue- Session key, session information, authentication code message, processing type information, domain information of the corresponding website, sub-black box ID, and main black box ID.

The secure login hosting service system according to another embodiment of the present invention generates queue-link information for security login based on the cue-link request signal received from the website at the time of login of the web site and transmits the cue- Link information according to whether or not the cue-link information received from the user and the cue-link information transmitted to the website are identical to each other, and whether the first authentication key received from the user is registered in the website, A hosting service server for transferring the web site to the web site to allow the login to be processed; Link information, and acquiring the cue-link information by scanning the identification code obtained by converting the cue-link information in the web site, the cue- And transmits the authentication key to the hosting service server together with the authentication key.

In addition, the web site may output the cue-link information in the form of an identification code, and the application may scan the identification code through the user portable terminal when the identification code is outputted through a web browser Link information obtained through the web browser or the mobile browser can be transmitted to the hosting service server together with the first authentication key when the identification code is outputted through the mobile browser have.

The application may be configured such that the application generates the first authentication key and the second authentication key at the first execution in the user portable terminal and transmits the first authentication key to the hosting service server for registration, Wherein the first authentication key stores the second authentication key in the user portable terminal and receives and stores user information from the user, wherein the first authentication key includes a public key and hardware information of the user portable terminal, And may include a secret key.

Also, the hosting service server may include at least one sub-black box communicating with the website; And a main black box in communication with the sub-black box and the application, respectively, the sub-black box receiving the cue-link request signal from the corresponding web site upon login of the user's web site, Link information for secure login based on the request signal and transmits the generated cue-link information to the web site and the main black box, respectively, and the main black box transmits the cue-link information and the first authentication key Link information that is the same as the received cue-link information from the application among the cue-link information received from the sub-black boxes, and if there is the same cue-link information, It is checked whether the registered first authentication key is a registered key, and if it is confirmed that the registered key is a registered key The application requests user authentication using the application, and the application performs authentication for the user with the authentication information input from the user, and when authentication to the user is successful, transfers the authentication approval message to the main black box, Upon receipt of the authentication approval message, the black box generates a login approval message and transmits the login approval message to the web site so that the web site can process the web site login according to the cue-link information.

The cue-link request signal may include at least one of a time stamp, a session key, a session information, an authentication code message, a processing type information, and domain information of the corresponding website. The cue- Session key, session information, authentication code message, processing type information, domain information of the corresponding website, sub-black box ID, and main black box ID.

Upon receiving the authentication approval message, the main black box generates a proof key for the cue-link information and transmits the proof key to the application. The application signs the proof key and transmits the proof key to the website, The site transmits the signed authentication key to the sub black box, and when the sub black box receives the signed authentication key, the site generates and transmits the login approval message to the website.

According to the embodiment of the present invention, hacking is fundamentally blocked by improving security, and membership and log-in of various web sites can be enabled through authentication of security identity by a single scan or click, Subscription and login hosting service providing system and method thereof.

1 is a block diagram illustrating a configuration of a security subscription hosting service system according to an embodiment of the present invention.
2 is a diagram illustrating a method and a procedure for a security subscription hosting service according to an embodiment of the present invention.
3 is a diagram illustrating a procedure for executing a security membership of a user through a web browser for a PC according to an embodiment of the present invention.
4 is a diagram illustrating a procedure for executing a security subscription of a user through a mobile web browser according to an embodiment of the present invention.
5 is a block diagram illustrating a configuration of a secure login hosting service system according to another embodiment of the present invention.
FIG. 6 is a diagram illustrating a method and procedure for a secure login hosting service according to another embodiment of the present invention.
FIG. 7 is a diagram illustrating a procedure for executing a secure login of a user through a web browser for a PC according to another embodiment of the present invention.
8 is a diagram illustrating a procedure for executing a secure login of a user through a web browser for mobile according to another embodiment of the present invention.
9 is a block diagram illustrating a configuration of a system for providing a secure login hosting service through a QR code according to another embodiment of the present invention.
10 is a flowchart illustrating a method for providing a secure login hosting service through a QR code according to another embodiment of the present invention.
11 is a flowchart of a hacking source blocking protocol according to another embodiment of the present invention.
12 and 13 are flowcharts for processing login of a web site of a PC using a 'FASSKEY' application of a smartphone according to an embodiment of the present invention.
14 is a flowchart illustrating a user progress process when connecting to a PC according to an embodiment of the present invention.
15 is a flow diagram illustrating a user-initiated process at mobile access according to another embodiment of the present invention.

The terms used in this specification will be briefly described and the present invention will be described in detail.

While the present invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiments. Also, in certain cases, there may be a term selected arbitrarily by the applicant, in which case the meaning thereof will be described in detail in the description of the corresponding invention. Therefore, the term used in the present invention should be defined based on the meaning of the term, not on the name of a simple term, but on the entire contents of the present invention.

When an element is referred to as "including" an element throughout the specification, it is to be understood that the element may include other elements, without departing from the spirit or scope of the present invention. Also, the terms "part," " module, "and the like described in the specification mean units for processing at least one function or operation, which may be implemented in hardware or software or a combination of hardware and software .

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

1 is a block diagram illustrating a configuration of a security subscription hosting service system according to an embodiment of the present invention.

Referring to FIG. 1, a security subscription hosting service system 100 according to an exemplary embodiment of the present invention includes at least one of a hosting service server 110 and an application 120, . In addition, the security subscription using the security subscription hosting service system 100 can be executed through a Web browser for a user portable terminal (mobile) such as a smart phone or a tablet PC as well as a web browser for a PC.

The hosting service system 100 generates cue-link information for a security membership based on a cue-link request signal received from the web site 10 at the time of membership of the web site 10, Link information received from the user and the cue-link information transmitted to the corresponding website are identical to each other, and whether the first authentication key received from the user is registered in the web site, And transmits the approval message and the user information to the corresponding web site 10 so that the membership can be processed in the corresponding web site 10. [ To this end, the hosting service server 110 includes a plurality of sub black boxes 111 communicating with the web site 10, and a sub black box 111 communicating with the application 120 installed in the user's portable terminal, Box 112, and a detailed description thereof will be given later.

The application 120 is installed in the user portable terminal and stores the user information and the first authentication key. The application 120 acquires the cue-link information provided from the website 10 and transmits the cue-link information together with the first authentication key to the hosting service server 110 And transmit the corresponding user information to the hosting service server 110 according to the user information request of the hosting service server 110. [ The application 120 will be described in detail later.

2 is a diagram illustrating a method and a procedure for a security subscription hosting service according to an embodiment of the present invention.

Hereinafter, each configuration will be described in detail in accordance with the order of proceeding with the security subscription hosting service.

The process of proceeding (or registering) when the application 120 is first executed after the user installs the application 120 on the portable terminal prior to the security member subscription.

The application 120 may output a message for requesting input of user information at the time of initial execution, and may receive and store user information from the user according to the request message.

The user information includes a mandatory item including at least one of a user's name, sex, nationality, date of birth, mobile phone number, and user's ID, and further includes an additional item including an email address and / .

Also, the application 120 may generate and store the first authentication key and the second authentication key, and the first authentication key may be transmitted to the main black box 112 of the hosting service server 110 . Here, the main black box 112 may automatically register the first authentication key received from the application 120 in advance before joining the website.

The first authentication key includes a public key for encryption and hardware information of the user terminal, and may further include a MAC address and / or USIM information of the user terminal. Here, the hardware information of the user terminal may include at least one of the device ID information of the user terminal and the serial number of the user terminal. And the second authentication key includes a private key for decryption.

Thereafter, a procedure for the user's web site membership can be performed. For example, it is assumed that a user tries to join a specific web site by using a web browser installed on the PC.

When the user accesses a specific web site and tries to join the web site (that is, when the user selects the membership button to move to the membership page), the web site 10 determines that the user tries to join the membership And transmits a Q-link request signal for secure membership to the sub black box 111. [

The main black box 112 may correspond to one of the plurality of sub black boxes 111. However, the main black box 112 may correspond to a plurality of sub black boxes 111, The configuration of the sub black box 111 and the main black box 112 is not limited. However, the hosting service server 110 can allocate and operate a plurality of sub black boxes 111 in one main black box 112.

For example, the hosting service server 110 may include a plurality of black boxes each having one main black box 112 and 100 sub black boxes 111 as a unit. Also, the hosting service server 110 may be configured to operate one sub-black box corresponding to one web site.

The cue-link information is string-based information for security subscription, and includes information included in the cue-link request signal sent by the web site 10. [ The cue-link information may refer to configuration information of an identification code that allows the application 120 to quickly recognize the identification information of the sub-black box 111 and the main black box 112. [

The sub black box 111 may transmit the generated cue-link information to the web site 10 and the main black box 112, respectively.

At this time, the web site 10 converts the cue-link information received from the sub black box 111 into an identification code and outputs it through a PC web browser. The main black box 112 includes a sub black box 111, Lt; RTI ID = 0.0 > cue-link < / RTI > Here, the identification code can be output in the form of at least one of a QR code, a barcode, and NFC tag information, and can be output to a variety of devices for transmitting the identification code to a user portable terminal through a local wireless communication such as Bluetooth, It can also be generated by an identification code of the form.

The application 120 can acquire the cue-link information provided from the web site 10 by scanning the identification code output through the PC web browser through the portable terminal.

Meanwhile, when the user intends to proceed with the membership registration procedure through the mobile web browser of his or her portable terminal, the web site 10 transmits the identification code to the mobile web browser, and the application 120 transmits the identification code to the user portable terminal Link information by clicking (or touching) the identification code output through the terminal.

However, in an embodiment of the present invention, it is possible to transmit the cue-link information to the application 120 in various forms such as the NFC, the Bluetooth, or the text message as well as the identification code.

The application 120 may transmit the cue-link information obtained through the web browser and the stored first authentication key to the main black box 112. [

The main black box 112 receives the cue-link information and the first authentication key from the application 120, compares and extracts the same cue-link information, Can be performed.

Specifically, the main black box 112 stores the cue-link information received from the sub black box 111 as described above, and the first authentication key received from the application 120 is registered in advance. Accordingly, the main black box 112 performs a process of comparing whether there is the same information as the cue-link information received from the current application 120 based on the pre-stored cue-link database for each website, It is possible to extract the corresponding cue-link information.

If it is determined that the same queue-link information exists, the main black box 112 stores the first authentication key received from the current application 120 based on the database of the first registered authentication key in advance Key.

When the main black box 112 confirms that the same first authentication key exists, the main black box 112 can request user information to the application 120.

In response to a request from the main black box 112, the application 120 may transmit user information (for example, user name, sex, nationality, date of birth, mobile phone number, user ID , E-mail address, and residence information) to the main black box 112.

Upon receiving the user information from the application 120, the main black box 112 generates a subscription approval message and generates a third authentication key. The third authentication key is a key regenerated for each site based on the first authentication key. The third authentication key includes at least one of a public key for encryption, hardware information of the user terminal, and domain information of the site, and further includes a MAC address and / ) ≪ / RTI > information. The public key included in the third authentication key may be the same key as the public key included in the first authentication key, but it is preferable that the public key included in the third authentication key is a different key for each site as a regenerated key based on the public key included in the first authentication key.

The main black box 112 may transmit the subscription grant message, the third authentication key, and the received user information to the sub black box 111.

The sub black box 111 may forward the subscription approval message, the third authentication key, and the user information received from the main black box 112 to the website 10.

The web site 10 receives the subscription approval message, the third authentication key and the user information from the sub black box 111 and processes the web service corresponding to the corresponding cue-link related session based on the received information, The web page can be updated by processing membership of the web site.

The web site 10 may store user information and utilize it for membership management and marketing.

With this configuration and method, the security subscription hosting service can be completed.

3 is a diagram illustrating a procedure for executing a security membership of a user through a web browser for a PC according to an embodiment of the present invention.

First, when a user accesses a specific web site and attempts membership, the web site 11 can receive the cue-link information from the hosting service server 110 to obtain user information (step (1)).

The web site 11 can output an identification code through a PC web browser using the cue-link information received from the hosting service server 110 (step (2)).

At this time, the application 120 is executed by the user and can scan the identification code output through the PC-based web browser to obtain the cue-link information (step (3)).

The hosting service server 110 receives approval from the user for providing user information and receives user information from the application 120 (step (4)).

The hosting service server 110 may transmit the user information to the web site 11 (step (5)).

The web site 11 can acquire user information from the hosting service server 110 and complete the membership process (step (6)).

In this process, when the user performs only the operation for the identification code scan [step (3)] and the user information provision approval [step (4)], the membership to the specific web site can be completed.

4 is a diagram illustrating a procedure for executing a security subscription of a user through a mobile web browser according to an embodiment of the present invention.

First, when a user accesses a specific web site and attempts to join the web site 12, the web site 12 can receive the cue-link information from the hosting service server 110 to obtain user information (step (1)).

The web site 11 can output the identification code through the mobile web browser using the cue-link information received from the hosting service server 110 (step (2)).

At this time, the application 120 can directly obtain the cue-link information by clicking on the identification code output through the mobile web browser of the user portable terminal (step (3)).

The hosting service server 110 receives approval from the user for providing user information and receives user information from the application 120 (step (4)).

The hosting service server 110 may transmit the user information to the web site 11 (step (5)).

The web site 11 can acquire user information from the hosting service server 110 and complete membership (step (6)).

In this process, if the user performs only the operation for the click of the identification code [(3) process] and the approval of the user information provision [(4)], membership of the specific web site can be completed.

5 is a block diagram illustrating a configuration of a secure login hosting service system according to another embodiment of the present invention.

5, a secure login hosting service system 200 according to another embodiment of the present invention includes at least one of a hosting service server 210 and an application 220, Can operate. In addition, the security login using the secure login hosting service system 200 can be executed through a web browser for a user portable terminal (mobile) such as a smart phone or a tablet PC as well as a web browser for a PC.

The hosting service server 210 generates cue-link information for security login based on the cue-link request signal received from the corresponding website 20 upon login of the website 20, Link information received from the user and the cue-link information transmitted to the website 20 are identical to each other, and whether or not the first authentication key received from the user is registered in the website 20 Accordingly, by transmitting an approval message to the website 20, the login can be processed at the website 20. To this end, the hosting service server 210 includes a plurality of sub black boxes 211 for communicating with the web site 20, and a sub black box 211 for communicating with the application 220 installed in the user's portable terminal. Box 212, and a detailed description thereof will be given later.

The application 220 is installed in the user portable terminal, stores the first authentication key, acquires the cue-link information provided from the website 20, and transmits the cue-link information together with the first authentication key to the hosting service server 210 . The application 220 will be described in detail later.

FIG. 6 is a diagram illustrating a method and procedure for a secure login hosting service according to another embodiment of the present invention.

Hereinafter, each configuration will be described in detail according to the procedure of the secure login hosting service.

It is needless to say that the procedure (or registration) procedure or the membership registration procedure in FIG. 2 may be performed when the application 220 is first executed after the user installs the application 220 in the portable terminal prior to security login.

The application 220 may generate and store the first authentication key and the second authentication key when the first application is executed. The first authentication key may be transmitted to the main black box 212 of the hosting service server 210 have. Here, the main black box 212 may automatically register the first authentication key received from the application 220 in advance before joining the website.

Meanwhile, the application 220 may request authentication information from a user at the time of initial execution, input and store the authentication information. Here, the authentication information is information for user authentication with respect to the application 220, and includes information on at least one of a password and biometric information. The password may be at least one of the user's password, the password of the bank account, the password of the authorized certificate, the password for transferring money, and the password of the card, and the biometric information may include at least one of fingerprints, And face image information. In addition, the authentication information can be used not only as a user authentication but also as information for automatic login.

The first authentication key includes a public key for encryption and hardware information of the user terminal, and may further include a MAC address and / or USIM information of the user terminal. Here, the hardware information of the user terminal may include at least one of the device ID information of the user terminal and the serial number of the user terminal. And the second authentication key includes a private key for decryption.

Thereafter, a procedure for the user's web site login can be performed. For example, it is assumed that a user tries to log in to a specific web site using a web browser installed on the PC.

When the user accesses a specific web site and tries to log in to the corresponding web site (i.e., when the login button is selected to move to the login page), the corresponding web site 20 recognizes that the user tries to log in, And may send a Q-link request signal for secure login to box 211.

Here, the cue-link request signal includes at least one of a timestamp, a session key, session information, a message authentication code, processing type information, and domain information of the corresponding website.

The processing type information may include information on a content of a process type of 'login process request'. Since such a web site is hosted through a web server, the web site includes a specific function of the web server for convenience of explanation.

The sub-black box 211 may generate the cue-link information based on information included in the cue-link request signal received from the website 20. [ Specifically, the sub-black box 211 stores at least one of a timestamp, a session key, session information, a message authentication code, processing type information, and domain information of the corresponding website And generates the cue-link information including the cue-link information. The cue-link information may further include the ID of the sub black box 211 and the ID information of the main black box 212. [

The main black box 212 may correspond to one of the plurality of sub black boxes 211. The main black box 212 may correspond to the sub black boxes 211, The configuration of the sub-black box 211 and the main black box 212 is not limited. However, the hosting service server 210 can allocate a plurality of sub-black boxes 211 to one main black box 212 and operate the same.

For example, the hosting service server 210 may include a plurality of black boxes each having one main black box 212 and 100 sub black boxes 211 as a unit. In addition, the hosting service server 210 may be configured to operate one sub-black box corresponding to one web site.

The cue-link information is string-based information for secure login, and includes information included in the cue-link request signal sent by the web site 20. This cue-link information may mean the configuration information of the identification code that allows the application 220 to quickly recognize the identification information for the sub-black box 211 and the main black box 212. [

The sub black box 211 may transmit the generated cue-link information to the web site 20 and the main black box 212, respectively.

At this time, the website 20 converts the cue-link information received from the sub-black box 211 into an identification code and outputs it through a PC web browser. The main black box 212 is connected to the sub- Lt; RTI ID = 0.0 > cue-link < / RTI > Here, the identification code can be output in the form of at least one of a QR code, a barcode, and NFC tag information, and can be output to a variety of devices for transmitting the identification code to a user portable terminal through a local wireless communication such as Bluetooth, It can also be generated by an identification code of the form.

The application 220 can acquire the cue-link information provided from the web site 20 by scanning the identification code output through the PC web browser through the portable terminal.

On the other hand, when the user intends to proceed with the login procedure through the mobile web browser of his / her portable terminal, the web site 20 transmits the identification code to the mobile web browser, and the application 220 The corresponding cue-link information can be obtained by clicking (or touching) the output identification code.

However, in an embodiment of the present invention, it is possible to transmit the cue-link information to the application 220 in various forms such as NFC, Bluetooth, or text message as well as the above-described identification code.

The application 220 may transmit the cue-link information acquired through the web browser and the stored first authentication key to the main black box 212.

The main black box 212 receives the cue-link information and the first authentication key from the application 220, compares and extracts the same cue-link information, and determines whether the first authentication key is a key registered beforehand Can be performed.

Specifically, the main black box 212 stores the cue-link information received from the sub black box 211 as described above, and the first authentication key received from the application 220 is registered in advance. Accordingly, the main black box 212 performs a process of comparing whether there is the same information as the cue-link information received from the current application 220 on the basis of the previously stored cue-link database for each website, It is possible to extract the corresponding cue-link information.

Also, if the main black box 212 confirms that the same cue-link information exists, the first authentication key received from the current application 220 based on the database of the first registered authentication key is registered in advance Key.

When the main black box 212 confirms that the same first authentication key exists, the main black box 212 can request user authentication to the application 220.

The application 220 transmits the authentication approval message to the main black box 212 when the user inputs the authentication information (input of the password or biometric information) in response to the user authentication request of the main black box 212 . Of course, if the authentication information is not correct, the application 220 outputs an authentication failure message to the user portable terminal to notify the user of the authentication failure, or transmits an authentication failure message to the main black box 212, And terminate the corresponding login procedure.

After receiving the authentication grant message from the application 220, the main black box 212 generates a proof key for the cue-link information and transmits it to the application 220.

The application 220 signs the received proof key and transmits the signed proof key to the web site 10. [ Digital signatures can be used as a way of signing.

The web site 10 delivers the signed proof key to the sub black box 211.

Upon receipt of the signed authentication key, the sub-black box 211 finally generates a login approval message for the login, and transmits the generated login approval message to the web site 10.

Meanwhile, the sub-black box 211 may transmit the new third authentication key regenerated together with the login approval message to the website 10. [ Here, the web site 10 communicates with the application 120 using the same third authentication key generated and transmitted in the membership step for the web site in Fig. 2, or newly generated in the sub black box 111 And may communicate with the application 120 by receiving the third authentication key. That is, the third authentication key in the login process may be used as it is in the membership registration step of the web site of FIG. 2, or a new third authentication key may be newly regenerated for each login.

As described above, the third authentication key is a key regenerated for each site based on the first authentication key. The third authentication key includes at least one of a public key for encryption, hardware information of the user terminal, and domain information of the site, and further includes a MAC address and / ) ≪ / RTI > information. The public key included in the third authentication key may be the same key as the public key included in the first authentication key but is preferably a different key for each website as a regenerated key based on the public key included in the first authentication key .

Upon receiving the login approval message, the web site 10 finally approves the login procedure and performs the post-login process. Of course, the web site 10 and the application 220 can perform secure communication with respect to the login procedure and subsequent procedures by performing encrypted communication using the third authentication key and the second authentication key, respectively.

Meanwhile, the main black box 212 may omit the process of generating and transmitting the authentication key after receiving and confirming the authentication approval message from the application 220. That is, after receiving the authentication approval message from the application 220, the main black box 212 delivers the login approval message and the third authentication key to the sub black box 211, and the sub black box 211 transmits the login approval message And the third authentication key to the web site 10 so that the login process can be completed.

FIG. 7 is a diagram illustrating a procedure for executing a secure login of a user through a web browser for a PC according to another embodiment of the present invention.

First, when the user accesses a specific web site and attempts to log in, the web site 21 can receive the cue-link information from the hosting service server 110 (step (1)).

The web site 21 can output the QR code through the PC web browser using the cue-link information received from the hosting service server 210 (step (2)).

At this time, the application 220 is executed by the user and can acquire the cue-link information by scanning the QR code output through the PC-based web browser [step (3)].

The application 220 may process the user authentication by receiving the user approval for providing the password stored in advance when the application 220 is initially executed (step (4)). At this time, the password may include a combination of numbers and characters including a combination of numbers and letters or a symbol, and may include biometric information such as a fingerprint or iris of a user.

The web site 21 receives user authentication processing result information from the application 220 and the hosting service server 210 and can complete the login (step (6)).

In this process, if only the user performs the operation for the QR code scan [(3) process] and the password provision approval [4] process for user authentication, the login to the specific web site can be completed.

8 is a diagram illustrating a procedure for executing a secure login of a user through a web browser for mobile according to another embodiment of the present invention.

First, when the user accesses a specific web site and attempts to log in, the web site 21 can receive the cue-link information from the hosting service server 110 (step (1)).

The web site 21 can output the QR code through the mobile web browser using the cue-link information received from the hosting service server 210 (step (2)).

At this time, the application 120 can execute the user and click (or touch) the QR code outputted through the mobile web browser to acquire the cue-link information (step (3)).

The application 220 may process the user authentication by receiving the user approval for providing the password stored in advance when the application 220 is initially executed (step (4)). At this time, the password may include a combination of numbers and characters including a combination of numbers and letters or a symbol, and may include biometric information such as a fingerprint or iris of a user.

The web site 21 receives user authentication processing result information from the application 220 and the hosting service server 210 and can complete the login (step (5)).

In this process, if only the user performs the operation for the QR code scan [(3) process] and the password provision approval [4] process for user authentication, the login to the specific web site can be completed.

9 is a block diagram illustrating a configuration of a system for providing a secure login hosting service through a QR code according to an embodiment of the present invention.

9, a system for providing a secure login hosting service through a QR code according to an embodiment of the present invention includes a Virtual Private Network (VPN) connection, a Total Link Encryption (TLE) protocol, and an optional SSL / TLS Layer Security connections.

The VPN (Virtual Private Network) connection receives a QR code obtained from a BB (Black Box) through a website, transmits the response to the BB (Black Box), and allows a user approval through the BB (Black Box) And receive the user ID.

The Total Link Encryption (TLE) protocol sends the QR code to a Main Black Box (MBB) for user confirmation, receives a proof key from the MBB (Main Black Box) for authentication of the Web site, Total Link Encryption) response to the web site, and can be configured to encrypt communication between client servers in a Perfect Forward Secrecy-Advanced Encryption Standard (PFS-AES) scheme.

The optional SSL / TLS (Secure Socket Layer / Transport Layer Security) connection 300 can log in and update the web site.

A supplementary description of the security protocol according to an embodiment of the present invention is as follows.

Crypto standards used / The Next Generation Crypto Technology

1. Total Link Encryption (TLE)

- All communication between the client and the server is encrypted by the PFS-AES method, which can not be broken.

2. Web server To BB Protocol (HAPI) Allows)

- Any web programming language can be implemented simply, all difficult and sensitive cryptographic operations are done only on the BB, and the BB works on the VPN.

3. Secure Storage Protocol (SSP)

- USER's personal data is stored securely and reliably on the provider's server. However, the Provider can not read the data. Only users can decrypt and modify.

4. Secure Attestation Protocol (SAP)

- Ensures that clients and servers that are unlikely to be 'meson attack' are in direct physical communication

5. Secure ID System (SIS)

- Used to verify the USER ID sent to the Provider by a special "Identity Server".

6. PFS

- Because it uses an arbitrary component that is not stored in the Key, Key does not allow decryption of previous traffic when compromised.

The protocols may vary depending on the situation.

10 is a flowchart illustrating a method for providing a secure login hosting service through a QR code according to another embodiment of the present invention.

Referring to FIG. 10, a method (S200) for providing a secure login hosting service through a QR code according to another embodiment of the present invention includes a step (S210) of obtaining a QR code from a web site (BB) A step S230 of receiving the QR code from the web site at step S220, a step S230 of sending the QR code to the main black box for confirmation by the user, A step S250 of transmitting a response to the Web site by the user, a step S260 of transmitting a response to the BB (Black Box) A step S270 of allowing the BB to send a user ID and a user ID, and a step S280 of updating the screen of the web site and logging in the web site.

11 is a flowchart of a hacking source blocking protocol according to an embodiment of the present invention.

(1) Website obtains QR code from BB (Black Box) [VPN connection (100)].

(2) User receives QR code from Website [VPN connection (100)].

(3) The user sends QR code to the provider (MBB: Main Black Box) for checking [TLE protocol (200)].

(4) The user receives the authentication key from the provider (MBB: Main Black Box) to authenticate the website [TLE protocol (200)].

(5) User sends the signed TLE response to the website [TLE protocol (200)].

(6) The Website forwards the response to the BB [VPN connection (100)].

(7) The BB (Black Box) accepts the User and delivers the USER ID [VPN Connection (100)].

(8) Website is logged in and the screen is updated [SSL / TLS connection (300)]

12 and 13 are flowcharts for processing login of a web site of a PC using a 'FASSKEY' application of a smartphone according to an embodiment of the present invention.

As shown in FIGS. 12 and 13, by authenticating and completing a dedicated application through a log-in secure QR code scan displayed through a web site using a dedicated application of the smartphone, log-in can be easily performed.

FIG. 14 is a flowchart illustrating a user progress process when a PC is connected according to an embodiment of the present invention, and FIG. 15 is a flowchart illustrating a user progress process when a mobile connection is performed according to an embodiment of the present invention.

As shown in FIG. 14 and FIG. 15, once the QR code scan and the password input in the 'FASSKEY' application are completed, the web site security login can be completed. When the mobile web site is accessed, 'FASSKEY' And the security login can be completed only by inputting the password.

According to the embodiment of the present invention, it is possible to provide a service which enables security authentication and hacking as a source, and a single QR code scan to enable login of all sites in the world.

The security subscription hosting service system 100 and the secure login hosting service system 200 according to the present embodiment may be implemented as one system for subscription and login. That is, the hosting service server 110 of the embodiment and the hosting service server 210 of another embodiment are functionally separated to perform member registration and login, and are implemented as a single server, and functions for membership registration and login are executed The application 120 of one embodiment and the application 220 of another embodiment may be implemented as an application so that functions for membership registration and login can be executed.

The above description is only one embodiment for implementing the security subscription and login hosting service providing system and method according to the present invention, and the present invention is not limited to the above embodiment, It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

100, 200: Secure hosting service system
110, 210: Hosting service server
111, 211: Sub-black box
112, 212: main black box
120, 220: Application
10, 20: Website

Claims (11)

A system for providing a secure membership subscription hosting service of a web site,
Link information for a security subscription based on a cue-link request signal received from the website when subscribing to a web site, and transmits the cue-link information to the web site, Requesting and receiving user information from the user according to whether the first authentication key received from the user is registered in the web site and whether the cue-link information transmitted to the site is identical to each other, A hosting service server for transmitting membership information to the web site and processing the membership in the web site; And
Link information, acquiring the cue-link information by scanning the identification code obtained by converting the cue-link information in the website, storing the user information and the first authentication key in the user portable terminal, And an application for transmitting the user information to the hosting service server together with the first authentication key and for transmitting the user information to the hosting service server according to a user information request of the hosting service server. system.
The method according to claim 1,
The web site outputs the cue-link information in the form of an identification code,
The application comprises:
Wherein the identification code is scanned and acquired through the user portable terminal when the identification code is outputted through the web browser, and when the identification code is outputted through the mobile browser,
And transmits the cue-link information acquired through the web browser or the mobile browser together with the first authentication key to the hosting service server.
3. The method of claim 2,
Wherein the application, when executed by the user portable terminal for the first time,
The first authentication key and the second authentication key are generated, the first authentication key is transmitted to the hosting service server to register the second authentication key, the second authentication key is stored in the user portable terminal, Input and save,
Wherein the first authentication key includes a public key and hardware information of the user portable terminal, and the second authentication key includes a secret key.
The method of claim 3,
The hosting service server,
At least one sub-black box in communication with the website; And
And a main black box communicating with the sub black box and the application, respectively,
The sub-
Receiving a cue-link request signal from the web site when the user is a member of a web site, generating cue-link information for a security membership based on the cue-link request signal, Box, respectively,
The main black box includes:
Receiving, from the application, the cue-link information and the first authentication key, and determining whether there is the same cue-link information as the cue-link information received from the application among the cue- And if the same cue-link information exists, it is checked whether the first authentication key received from the application is a registered key. If it is determined that the registered key is a registered key, the application requests user information from the application. Transmits the approval message, the third authentication key regenerated from the first authentication key, and the user information to the sub black box,
The sub-
And transmitting the approval message, the third authentication key, and the user information transmitted from the main black box to the website, so that the website processes the website membership according to the cue-link information A security subscription hosted service offering system.
5. The method of claim 4,
The cue-link request signal includes:
A time stamp, a session key, a session information, an authentication code message, processing type information, and domain information of the corresponding website,
The cue-
Wherein the information includes at least one of a time stamp, a session key, session information, an authentication code message, processing type information, domain information of the corresponding website, a sub black box ID, and a main black box ID system.
A system for providing a secure login hosting service of a web site,
Link information for security login based on the cue-link request signal received from the website at the time of log-in of the web site, and transmits the cue-link information to the web site, Transmitting a approval message to the website according to whether the transmitted cue-link information is identical to each other and whether the first authentication key received from the user is registered in the website, server; And
Link information is acquired by scanning the identification code obtained by converting the cue-link information from the website, the cue-link information being stored in the user portable terminal and storing the first authentication key, Key to the hosting service server, and transmits the application to the hosted service server.
The method according to claim 6,
The web site outputs the cue-link information in the form of an identification code,
The application comprises:
Wherein the identification code is scanned and acquired through the user portable terminal when the identification code is outputted through the web browser, and when the identification code is outputted through the mobile browser,
And transmits the cue-link information acquired through the web browser or the mobile browser together with the first authentication key to the hosting service server.
8. The method of claim 7,
Wherein the application, when executed by the user portable terminal for the first time,
The first authentication key and the second authentication key are generated, the first authentication key is transmitted to the hosting service server to register the second authentication key, the second authentication key is stored in the user portable terminal, Input and save,
Wherein the first authentication key includes a public key and hardware information of the user portable terminal, and the second authentication key includes a secret key.
9. The method of claim 8,
The hosting service server,
At least one sub-black box in communication with the website; And
And a main black box communicating with the sub black box and the application, respectively,
The sub-
Receiving a cue-link request signal from the web site when the user logs in to the web site, generating cue-link information for secure login based on the cue-link request signal, Respectively,
The main black box includes:
Receiving, from the application, the cue-link information and the first authentication key, and determining whether there is the same cue-link information as the cue-link information received from the application among the cue- And if the same cue-link information exists, it is checked whether the first authentication key received from the application is a registered key. If it is determined that the registered key is a registered key,
The application comprises:
The authentication method of the present invention is a method for authenticating a user using authentication information input from a user,
The sub-
And when the authentication approval message is received, generates a login approval message and transmits the login approval message to the web site so that the web site processes the web site login according to the cue-link information.
10. The method of claim 9,
The cue-link request signal includes:
A time stamp, a session key, a session information, an authentication code message, processing type information, and domain information of the corresponding website,
The cue-
Wherein the information includes at least one of a time stamp, a session key, session information, an authentication code message, processing type information, domain information of the corresponding website, a sub black box ID, and a main black box ID system.
10. The method of claim 9,
Wherein the main black box generates a proof key for the cue-link information and transmits the proof key to the application upon receiving the authentication approval message,
The application signing the proof key and transmitting it to the website,
The web site transmits the signed authentication key to the sub-black box,
Wherein the sub black box generates the login approval message and transmits the login approval message to the website when receiving the signed authentication key.

Images