KR20170100235A - System and method for security of certificate - Google Patents


Info

Publication number
KR20170100235A
Authority
KR
South Korea
Prior art keywords
storage object
certificate
protected storage
security system
virtual drive
Prior art date
Application number
KR1020160022532A
Other languages
Korean (ko)
Inventor
구사무엘
Original Assignee
주식회사 미라지웍스
Priority date
Filing date
Publication date
Application filed by 주식회사 미라지웍스
Priority to KR1020160022532A
Publication of KR20170100235A

Classifications

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/33 User authentication using certificates
        • G06F21/44 Program or device authentication
        • G06F21/88 Detecting or preventing theft or loss (protection of specific internal or peripheral components)
    • G06Q20/00 Payment architectures, schemes or protocols
        • G06Q20/38215 Use of certificates or encrypted proofs of transaction rights (payment protocols ensuring higher transaction security; electronic credentials)
        • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; review and approval of payers
    • G06F2211/007 Encryption, en-/decode, en-/decipher, scramble, (de-)compress
    • G06F2221/2107 File encryption

Abstract

Disclosed are a system and a method for securing a certificate, capable of protecting the certificate used by authentication software from outside access. According to one aspect of the present invention, the certificate security system includes a generation module that generates a protected storage object corresponding to a certificate storage object in which the certificate and the private key information corresponding to the certificate are stored, and a replacement module that, when preset authentication software which authenticates a user with the certificate and its private key information attempts to access the certificate storage object, controls the authentication software so that it accesses the protected storage object instead.

Description

System and method for security of certificate

The present invention relates to an accredited certificate security system and method, and more particularly to a system and method for protecting, from outside access, the accredited certificate used by authentication software. (The terms "authorized certificate" and "public certificate" used below are both renderings of the Korean 공인인증서, the accredited certificate issued under Korea's Digital Signature Act, and are used interchangeably.)

An accredited certificate is a kind of electronic ID (certificate) created by binding the owner's information to the public key (called "digital signature verification information" in the Digital Signature Act) needed to verify a digital signature; it is also called a public key certificate, digital certificate or electronic certificate. The certificate exists as a pair with a private key (called "digital signature generation information" in the Act). In non-face-to-face online e-commerce, a digital signature is needed to conclude a contract and to identify the counterparty, and the identity of whoever produced the signature is confirmed by the accredited certificate. A public key infrastructure (PKI) presupposes a trusted third party (the certification authority) responsible for certifying and securely distributing the keys used to generate and verify digital signatures; in practice the private key is generated and kept on the subscriber's side, and the certification authority vouches for the corresponding public key.

Korea's accredited certificate system is also based on a public key infrastructure. A PKI certificate can be divided into a server certificate, used to verify the identity of a server, and a personal certificate, used to verify the identity of a user. A Korean accredited certificate can serve either purpose, but it is mainly used as a personal certificate. Certificates are issued by several accredited certification authorities such as KFTC, KICA (Korea Information Certificate Authority) and KECA (Korea Electronic Certification Authority), and can also be issued through registration agencies such as banks, securities companies and post offices. The main areas of use are Internet banking and real-time payment at online shopping malls.

Although the file format of Korean accredited certificates and private keys conforms to the international standard, the location and manner in which the files are stored are unique to Korea and cannot be handled by an ordinary web browser. To use a Korean accredited certificate, an additional program must therefore be installed; such programs are called authentication software. Typical examples are Hancom Secure's XecureSmart, CrossCert's PKI CS Suite and INITECH's INISAFE.

The certificate used by the authentication software is stored at a predetermined location (directory). On a Windows operating system, for example, the certificate is stored in a specific directory such as C:\Program Files\NPKI. Because the storage location is fixed and well known, the certificate itself is easily exfiltrated when the user's computer is compromised. A leaked certificate can cause serious security problems, so there is a strong need to secure the certificate itself.

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide an authorized certificate security system and method for protecting an authorized certificate used in authentication software from the outside.

According to an aspect of the present invention, there is provided a certificate security system comprising: a generation module that generates a protected storage object corresponding to a certificate storage object in which an accredited certificate and its corresponding private key information are stored; and a replacement module that, when predetermined authentication software which authenticates a user with the certificate and private key information attempts to access the certificate storage object, controls the authentication software so that it accesses the protected storage object instead of the certificate storage object.

In one embodiment, when the authentication software calls an application programming interface (API) to request the file reference information needed to access the certificate storage object, the replacement module may return, in response to that API call, file reference information for accessing the protected storage object.

In one embodiment, the certificate security system may further include an encryption module that encrypts data written to the protected storage object and decrypts data read from it.

In one embodiment, the encryption module encrypts data written to the protected storage object per predetermined encryption unit and decrypts data read from it per encryption unit, the encryption unit being a bit or a byte.

In one embodiment, the generation module generates the protected storage object on a predetermined virtual drive, and the encryption module is implemented as a device driver for the virtual drive that encrypts data written to the virtual drive per encryption unit and decrypts data read from it per encryption unit, the encryption unit being a bit, a byte or a unit block of the virtual drive's file system.

In one embodiment, the encryption module may allow access to the virtual drive only when it is requested by a predetermined application program or a predefined process.

In one embodiment, if the certificate storage object is a directory, the generation module deletes the certificate and its corresponding private key information from the certificate storage object after creating the protected storage object, while preserving the certificate storage object itself and the subdirectory structure it contains.

According to another aspect of the present invention, there is provided a certificate security method comprising: a generation step of generating a protected storage object corresponding to a certificate storage object in which an accredited certificate and its corresponding private key information are stored; and a replacement step of controlling predetermined authentication software that authenticates a user, when it attempts to access the certificate storage object, so that it accesses the protected storage object instead.

In one embodiment, the replacement step may include, when the authentication software calls an API requesting the file reference information needed to access the certificate storage object, returning to the authentication software, in response to that API call, file reference information for accessing the protected storage object.

In one embodiment, the method further includes an encryption step of encrypting data written to the protected storage object and a decryption step of decrypting data read from it.

In one embodiment, the encryption step may encrypt data written to the protected storage object per predetermined encryption unit and the decryption step may decrypt data read from it per encryption unit, the encryption unit being a bit or a byte.

In one embodiment, the generation step includes generating the protected storage object on a predetermined virtual drive, and the encryption and decryption steps are performed by a device driver for the virtual drive that encrypts data written to the virtual drive and decrypts data read from it per encryption unit, the encryption unit being a bit, a byte or a unit block of the virtual drive's file system.

In one embodiment, the device driver may allow access to the virtual drive only when it is requested by a predetermined application program or a predefined process.

In one embodiment, if the certificate storage object is a directory, the generation step deletes the certificate and its corresponding private key information from the certificate storage object after creating the protected storage object, while preserving the certificate storage object itself and the subdirectory structure it contains.

According to another aspect of the present invention, a computer program installed in a data processing apparatus and stored in a computer-readable recording medium for performing the above-described method is provided.

According to another aspect of the present invention, there is provided a certificate security system comprising a processor and a memory storing a computer program executed by the processor, wherein the computer program, when executed by the processor, causes the system to perform the method described above.

According to the technical idea of the present invention, a certificate security system and method can be provided that protect the accredited certificate used by authentication software from outside access.

Previously, because the location where the accredited certificate and its private key information are stored was predetermined, the certificate itself was highly likely to leak. According to the technical idea of the present invention, by contrast, the certificate is stored in a separate protected storage object whose path is hard to discover, so extracting the certificate and the corresponding private key information becomes difficult.

Also, according to an embodiment of the present invention, the certificate and its private key information may be stored in the protected storage object in encrypted form, so that even if the protected storage object itself is leaked for some reason, the confidentiality of the certificate and private key can be maintained.

According to an embodiment of the present invention, only the part of the encrypted data that the authentication software needs is decrypted. That is, reading data from a protected storage object holding encrypted data does not require decrypting the whole object; only the necessary portion is decrypted, so the resources required for a read (for example decryption time and computing power) are reduced.

BRIEF DESCRIPTION OF THE DRAWINGS A brief description of each drawing is provided for a fuller understanding of the drawings referred to in the description of the invention.
FIG. 1 is a schematic diagram explaining a certificate security system according to an embodiment of the present invention.
FIG. 2A is a diagram explaining how the authentication software of a typical user terminal accesses the certificate storage object, and FIG. 2B is a diagram explaining how, according to an embodiment of the present invention, the certificate security system controls the authentication software to access the protected storage object instead of the certificate storage object.
FIG. 3 is a block diagram illustrating the schematic configuration of a certificate security system according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a certificate security method according to an exemplary embodiment of the present invention.

The present invention admits of various modifications and embodiments; specific embodiments are illustrated in the drawings and described in detail below. It is to be understood, however, that the invention is not limited to these specific embodiments but includes all modifications, equivalents and alternatives falling within its spirit and scope. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention is described in detail with reference to the accompanying drawings.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise.

In this specification, the terms "comprises" or "having" and the like indicate the presence of the stated features, integers, steps, operations, elements, components or combinations thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components or combinations thereof.

Also, in this specification, when one element "transmits" data to another element, the element may transmit the data directly to the other element or through at least one intervening element. Conversely, when one element "directly transmits" data to another element, the data is transmitted to the other element without passing through any intervening element.

Hereinafter, the present invention will be described in detail with reference to the embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

FIG. 1 is a schematic diagram explaining a certificate security system according to an embodiment of the present invention. As shown in FIG. 1, a certificate security system 100 may be provided to implement the certificate security method according to the technical idea of the present invention.

The authorized certificate security system 100 may be implemented in the form of being included in the user terminal 10. According to an embodiment, the authorized certificate security system 100 may be in the form of hardware constituting the user terminal 10, software installed in the user terminal 10, or a combination of hardware and / or software.

The user terminal 10 may be any data processing apparatus that accepts input data, computes, processes and stores it, and outputs a result. For example, the user terminal 10 may be a general-purpose computer, personal computer, server, mobile terminal, remote station, remote terminal, access terminal, communication device, user equipment (UE), notebook, tablet PC, smartphone or the like.

The user terminal 10 may be provided with predetermined authentication software 20. The authentication software is an application, or a web browser plug-in (e.g., ActiveX), that obtains an accredited certificate from the certification authority's server, stores it together with the corresponding private key information in the user terminal 10, and uses them to authenticate the user. For example, the authentication software may be Hancom Secure's XecureSmart, CrossCert's PKI CS Suite, INITECH's INISAFE or the like.

The accredited certificate may be a digital certificate in an internationally standardised format (for example X.509) issued by an accredited certification authority (CA) or one of its registration agencies, and may be a public key certificate. Certification authorities include, for example, Korea Information Certificate Authority (KICA), KOSCOM, KFTC, Korea Electronic Certification Authority (KECA), Korea Trade Information Communication (KTNET) and the Korea Information Society Promotion Agency. The certificate may contain a unique serial number assigned by the CA, the signature algorithm used, the issuer (CA) information, the validity period, information on the subject of the certificate, the subject's public key and the CA's signature. The certificate may be a file with an extension such as .cer, .der, .pem, .p7b, .p7c, .pfx or .p12. The private key information corresponding to the certificate is information on the private key paired with the subject's public key contained in the certificate; it may be kept in the same container as the certificate (a .pfx or .p12 file) or in a separate file (a .key file or the like).

The authentication software 20 may store the certificate issued by the certification authority's server and the corresponding private key information in the certificate storage object 30. The certificate storage object 30 may reside on a storage device of the user terminal 10 (for example a local hard drive). The certificate storage object 30 is typically a directory, but is not limited to one; it may be any area, location or file capable of holding data. If the certificate storage object 30 is a directory, the certificate and its private key information may be stored in any of the subdirectories within the certificate storage object 30.

The path of the certificate storage object 30 may be predetermined. For example, the path may be C:\NPKI, C:\Program Files\NPKI or C:\Users\<user name>\AppData\LocalLow\NPKI, depending on the type of authentication software 20 on the user terminal 10, the certificate storage convention and so on. Alternatively, the path of the certificate storage object 30 may be preset in a specific area of the authentication software 20 or in a configuration file used or managed by it.

The certificate security system 100 may generate a protected storage object 200 corresponding to the certificate storage object 30. The protected storage object 200 holds data that is either identical to the data stored in the certificate storage object 30 (i.e. the certificate and its private key information) or a transformed form of it (for example, encrypted data). After the certificate security system 100 has generated the protected storage object 200, however, the contents of the two objects may diverge. For example, the certificate security system 100 may delete the data stored in the certificate storage object 30 after creating the protected storage object, and thereafter the authentication software 20 stores certificates issued by the certification authority's server only in the protected storage object 200.

The certificate security system 100 may place the protected storage object 200 on a virtual drive 300. A virtual drive 300 is a drive (for example a hard disk drive, CD/DVD drive or network share) emulated in some manner on the computer. For example, the certificate security system 100 can take part of the local hard disk of the user terminal 10 and present it as a virtual drive. The virtual drive 300 is sometimes called a virtual disk. Data stored on the virtual drive 300 is in fact stored on the local drive of the user terminal 10, but the virtual drive gives the user the experience of storing and reading data on a device separate from the local drive.
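The generation step described above, and in the directory embodiment of the summary (delete the certificate and private key files after creating the protected storage object, but keep the certificate storage object and its subdirectory structure), as an added example. This is not the patent's or the assignee's code: it runs against a constructed NPKI-like tree in a temporary directory, uses only the Python standard library, and the file names, the `ca1/USER` layout and the `protected` target directory are assumptions made for the demonstration.

```python
"""Added example (not the patent's code): the generation step for a
directory-shaped certificate storage object.  Certificate and private-key
files are copied into the protected store with the same relative layout, the
originals are deleted, and the directory skeleton is kept so the paths the
authentication software expects still exist."""
from pathlib import Path
import shutil
import tempfile

# Extensions the page lists for certificate files and for a separate key file.
CERT_EXTS = {".cer", ".der", ".pem", ".p7b", ".p7c", ".pfx", ".p12"}
KEY_EXTS = {".key"}


def generate_protected_store(cert_store: Path, protected: Path) -> list:
    """Move credential files from cert_store into protected; return the
    relative paths moved (POSIX form), in sorted order."""
    moved = []
    files = sorted((p for p in cert_store.rglob("*") if p.is_file()),
                   key=lambda p: p.as_posix())
    for src in files:
        if src.suffix.lower() not in CERT_EXTS | KEY_EXTS:
            continue                                  # unrelated file: leave it in place
        rel = src.relative_to(cert_store)
        dst = protected / rel
        dst.parent.mkdir(parents=True, exist_ok=True)  # mirror the subdirectory layout
        shutil.copy2(src, dst)
        src.unlink()                                  # delete the plaintext original
        moved.append(rel.as_posix())
    # Subdirectories are deliberately not removed, even when now empty.
    return moved


def demo() -> dict:
    """Build a constructed NPKI-like tree in a temp dir and run the migration."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "NPKI"                 # stands in for C:\Program Files\NPKI
        protected = Path(tmp) / "protected"        # stands in for the virtual-drive object
        user_dir = store / "ca1" / "USER"          # constructed layout
        user_dir.mkdir(parents=True)
        (user_dir / "cert.der").write_bytes(b"constructed certificate bytes")
        (user_dir / "private.key").write_bytes(b"constructed private key bytes")
        (store / "ca1" / "readme.txt").write_text("not a credential")

        moved = generate_protected_store(store, protected)
        return {
            "moved": moved,
            "user_dir_kept": user_dir.is_dir(),
            "left_in_store": sorted(p.name for p in store.rglob("*") if p.is_file()),
            "in_protected": sorted(p.relative_to(protected).as_posix()
                                   for p in protected.rglob("*") if p.is_file()),
        }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check here that the page does not address: `unlink()` only removes the directory entry, so the plaintext key may remain recoverable from the underlying disk until overwritten, and the copy is made before the delete, so a crash between the two leaves both copies rather than neither.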

At least some of the components of the public certificate security system 100 may be implemented in the form of a device driver for the virtual drive 300. A device driver may refer to a separate computer program that is created to interact with a computer hardware device, such as a program or application that operates as part of the kernel to control a particular hardware or device. The device driver herein may be used in a broad sense including a filter driver. A filter driver is an optional driver that intercepts I / O requests to an existing device driver for a particular device and provides drivers with the opportunity to supplement the functionality provided by existing device drivers or to add new features It can mean.

When the authentication software 20 attempts to access the certificate storage object 30, the certificate security system 100 may control the authentication software 20 so that it accesses the protected storage object 200 instead of the certificate storage object 30.

In this specification, accessing a storage object means writing data to it or reading data stored in it. If the storage object is a file, access to the storage object refers to access to that file itself; if the storage object is a directory, it refers to access to the files stored within the directory (e.g., a certificate file or a private key file).

In one embodiment, in order for the authentication software 20 to access the protected storage object 200 in place of the certificate storage object 30, the certificate security system 100 may, when the authentication software 20 requests the file reference information needed to access the certificate storage object 30, return file reference information for accessing the protected storage object instead. File reference information is an abstract key that provides an interface for file input/output (I/O) operations on a specific file, for example a file descriptor or a file handle.

To this end, at least some of the components of the certificate security system 100 may be implemented as a hooking module. That is, they may intercept and handle system calls, messages or events passing between a process running on the user terminal 10 (for example, the process of the authentication software 20) and the operating system (not shown), and so perform the operations that realise the technical idea of the present invention. For example, when the authentication software 20 calls the API for accessing the certificate storage object 30 or the individual files stored in it, the certificate security system 100 intercepts and handles that call.

FIG. 2A is a diagram explaining how the authentication software of a typical user terminal, without the certificate security system 100, accesses the certificate storage object, and FIG. 2B is a diagram explaining how the certificate security system 100 controls the authentication software 20 to access the protected storage object 200 instead of the certificate storage object 30.

Referring first to FIG. 2A, in the typical case the authentication software requests from the operating system (OS) the file reference information needed to access the certificate storage object A (S10). For example, to request the file reference information, the authentication software may call the file-open API provided by the operating system. The operating system then returns file reference information Ha for accessing A (S20).

The authentication software can then write data to, or read data from, the certificate storage object A through the file reference information Ha. For example, the authentication software calls the write API provided by the operating system with Ha (S30) and the operating system writes the data (S40). Likewise, the authentication software calls the read API with Ha (S50), the operating system reads the data from the certificate storage object A (S60) and returns it to the authentication software (S70).

In contrast, FIG. 2B shows the case where the certificate security system 100 according to the technical idea of the present invention is present. Referring to FIG. 2B, the authentication software 20 requests from the operating system the file reference information needed to access the certificate storage object A (S110), for example by calling the operating system's file-open API. The certificate security system 100 intercepts the file-open call and returns file reference information Hb for accessing the protected storage object B, instead of file reference information for accessing the certificate storage object A (S120).

The authentication software 20 can then write data to, or read data from, the protected storage object B through the returned file reference information Hb. For example, the authentication software 20 calls the write API with Hb (S130) and the certificate security system 100 writes the data to the protected storage object B (S140). Likewise, the authentication software 20 calls the read API with Hb (S150), the certificate security system 100 reads the data from the protected storage object B (S160) and returns it to the authentication software 20 (S170).

In FIG. 2B the certificate and its private key information are in reality stored in the protected storage object B rather than in the certificate storage object A. However, because the authentication software 20 asked for the file reference information of the certificate storage object A and performs its data I/O with whatever reference was returned, from the point of view of the authentication software 20 and of the user it appears that the certificate and its private key information are stored in the certificate storage object A.
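The S110 to S170 exchange of FIG. 2B, together with the embodiment that admits only a predetermined process to the virtual drive, as an added example in user-space Python. It is not the patent's or the assignee's code: the real mechanism is a kernel-side hook or filter driver, so here the operating system, its file-open API and the hook are modelled with plain objects. The `FakeOs` class, the `V:\protected` root, the `authsoftware.exe` allow-list entry and the `sub\cert.der` file name are assumptions made for the demonstration; only the two certificate-store paths come from the page.

```python
"""Added example (not the patent's code): a user-space model of the handle
substitution in FIG. 2B.  The operating system, its file-open API and the hook
are plain Python objects so the S110-S170 flow can be run offline."""
from dataclasses import dataclass, field
import ntpath

# Certificate storage paths the page names as typical NPKI locations.
CERT_STORE_ROOTS = (r"C:\NPKI", r"C:\Program Files\NPKI")

# Hypothetical allow-list; the page only says "a predetermined application
# program or a predefined process", so the name here is an assumption.
ALLOWED_PROCESSES = {"authsoftware.exe"}


class AccessDenied(PermissionError):
    """Raised when a process outside the allow-list opens the certificate store."""


@dataclass
class FakeOs:
    """Minimal model of the OS file API: path -> bytes, handle -> path."""
    files: dict = field(default_factory=dict)
    handles: dict = field(default_factory=dict)
    next_handle: int = 1

    def open(self, path: str) -> int:                 # returns file reference info
        handle, self.next_handle = self.next_handle, self.next_handle + 1
        self.handles[handle] = path
        return handle

    def write(self, handle: int, data: bytes) -> None:
        self.files[self.handles[handle]] = data

    def read(self, handle: int) -> bytes:
        return self.files.get(self.handles[handle], b"")


@dataclass
class CertSecuritySystem:
    """The replacement module: interposes on open() and hands back a handle
    to the protected storage object instead of the certificate storage object."""
    fs: FakeOs
    protected_root: str = r"V:\protected"   # assumed location on the virtual drive

    @staticmethod
    def _split_store_path(path: str):
        """Return (root, relative part) when path lies inside a certificate store."""
        norm = ntpath.normcase(path)
        for root in CERT_STORE_ROOTS:
            nroot = ntpath.normcase(root)
            if norm == nroot or norm.startswith(nroot + "\\"):
                return root, path[len(root):].lstrip("\\")
        return None

    def hooked_open(self, process: str, path: str) -> int:
        hit = self._split_store_path(path)
        if hit is None:
            return self.fs.open(path)                 # unrelated file: pass straight through
        if process.lower() not in ALLOWED_PROCESSES:
            raise AccessDenied(f"{process} may not open {path}")
        # Same file name and subdirectory layout, relocated under the protected
        # root: the caller asked for A and receives Hb for B (S120).
        return self.fs.open(ntpath.join(self.protected_root, hit[1]))


def demo() -> dict:
    """Run the FIG. 2B exchange and report where the data actually landed."""
    fs = FakeOs()
    system = CertSecuritySystem(fs)
    requested = r"C:\Program Files\NPKI\sub\cert.der"    # constructed file name
    cert = b"constructed certificate bytes"

    hb = system.hooked_open("AuthSoftware.exe", requested)   # S110 / S120
    fs.write(hb, cert)                                        # S130 / S140
    round_trip = fs.read(hb)                                  # S150 - S170

    try:
        system.hooked_open("other.exe", requested)
        denied = False
    except AccessDenied:
        denied = True

    return {
        "round_trip_ok": round_trip == cert,
        "stored_at": fs.handles[hb],
        "original_path_written": requested in fs.files,
        "other_process_denied": denied,
    }


if __name__ == "__main__":
    print(demo())
```

The path check is a boundary-aware prefix match, so `C:\NPKI2\...` is not treated as part of the store. Note that the substituted path being "hard to discover" is not what carries the security: the hook and its mapping live on the same host as any attacker, so the allow-list and the encryption of the protected object do the real work, and a process name is trivially spoofable, which is why a production filter driver would identify the caller by something stronger than its image name.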

Since the location where the authentication software 20 stores the public certificate and the corresponding private key information (i.e., the path of the certificate storage object 30) is widely known, the possibility of the certificate storage object 30 itself being leaked out high. On the other hand, according to the technical idea of the present invention, in the case of the protected storage object 200 in which the public key certificate and the corresponding private key information are actually stored, it is difficult to grasp the path thereof, .

Meanwhile, the public certificate security system 100 may encrypt data recorded in the protected storage object 200 and decrypt data read from the protected storage object 200. Accordingly, the authorized certificate and the corresponding private key information may be stored in the protected storage object 200 in encrypted form, so that even if the protected storage object is leaked for some reason, the security of the public key certificate and its corresponding private key information can be maintained.

Meanwhile, the authorized certificate security system 100 may leave the meta area of the file system of the virtual drive unencrypted and encrypt only the data area of the file system in which data is actually stored.

In addition, the public certificate security system 100 may encrypt data recorded in the protected storage object for each predetermined encryption unit and decrypt data read from the protected storage object for each encryption unit. The encryption unit may be a bit, a byte, or a unit block of the file system of the virtual drive.

FIG. 3 is a block diagram illustrating a schematic configuration of an authorized certificate security system 100 according to an embodiment of the present invention.

Referring to FIG. 3, the authorized certificate security system 100 may include a generation module 110, a replacement module 120, an encryption module 130, and an isolation module 140. However, depending on the embodiment, some of the components shown in FIG. 1 may not be necessary for implementing the present invention, and the authorized certificate security system 100 may of course include more components. For example, the public certificate security system 100 may further include a component (not shown) that controls the functions and/or resources of its other components (for example, the generation module 110, the replacement module 120, the encryption module 130, and the isolation module 140).

The authorized certificate security system 100 may include the hardware resources and/or software necessary for implementing the technical idea of the present invention, and it does not necessarily mean one physical component or one device. That is, the authorized certificate security system 100 may mean a logical combination of hardware and/or software provided to implement the technical idea of the present invention and, if necessary, may be implemented as a set of logical structures for implementing that idea. Also, the authorized certificate security system 100 may mean a set of configurations implemented separately for each function or role needed to implement the technical idea of the present invention. For example, the generation module 110, the replacement module 120, the encryption module 130, and the isolation module 140 may be located in different physical devices or in the same physical device. Also, according to an embodiment, the software and/or hardware constituting each module, such as the generation module 110, the replacement module 120, the encryption module 130, and the isolation module 140, may be located in different physical devices, and the configurations located in different physical devices may be combined with each other to realize the functions performed by the respective modules.

In this specification, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, the module may mean a logical unit of predetermined code together with the hardware resources for executing that code, and it does not necessarily mean physically connected code or one particular kind of hardware, as those skilled in the art will readily appreciate.

The generation module 110 may generate the protected storage object 200 corresponding to the certificate storage object 30 storing the public key certificate and the corresponding private key information.

The generation module 110 may read the authorized certificate and the corresponding private key information from the certificate storage object 30 and copy it to the protected storage object 200.

The generation module 110 can encrypt the public key certificate stored in the protected storage object 200 and the corresponding private key information through the encryption module 130, which will be described later.

In one embodiment, the creation module 110 may create the protected storage object 200 in a different drive than the drive in which the certificate storage object is stored. In particular, the creation module 110 may create a virtual drive and create the protected storage object 200 on the virtual drive.

The generation module 110 may create the protected storage object 200 corresponding to the certificate storage object 30 at the time when the public certificate security system 100 is installed in the user terminal 10, or when the certificate is first activated in the user terminal 10.

Meanwhile, the path of the protected storage object 200 may be defined in advance, or may be determined dynamically depending on the implementation. In one embodiment, the name of the protected storage object 200 may be the same as that of the certificate storage object 30. Alternatively, the portion of the path of the protected storage object excluding the drive name may be the same as the portion of the path of the certificate storage object 30 excluding the drive name.

If the certificate storage object 30 is in the form of a file, the protected storage object 200 may also be in the form of a file. If the certificate storage object 30 is in the form of a directory, the protected storage object 200 may be in the form of a directory having the same subdirectory structure.

In one embodiment, the creation module 110 deletes the public key certificate and its corresponding private key information stored in the certificate storage object 30 after creating the protected storage object 200, so that even when the certificate storage object 30 is leaked to the outside, the public certificate that used to be stored in it and the corresponding private key information cannot be leaked together with it.

If the certificate storage object is a directory, the generation module 110 may delete only the individual files stored in the certificate storage object 30 while preserving the certificate storage object itself and the subdirectory structure it contains. By doing so, the authorized certificate and the corresponding private key information stored in the protected storage object 200 can easily be restored to the certificate storage object.

The replacement module 120 may control the authentication software 20 so that, when the authentication software 20 wishes to access the certificate storage object 30, it accesses the protected storage object 200 instead.

The replacement module 120 can detect the file I/O of the authentication software 20. For this, the replacement module 120 may be implemented in the form of a hooking module, that is, a module that hooks API calls made by the authentication software 20, or that hooks events or messages delivered to the authentication software 20.

In one example, the replacement module 120 may perform API hooking. For example, when the authentication software 20 calls an API requesting the file reference information necessary to access the certificate storage object 30, the replacement module 120 may respond to the API call by returning to the authentication software 20 file reference information for accessing the protected storage object 200. The file reference information is abstract information for accessing a specific file, for example a file descriptor or a file handle.

The replacement module 120 may thus allow the authentication software 20 to access the protected storage object 200 instead of the certificate storage object 30 without modifying the path information of the certificate storage object 30 configured in the authentication software 20. For example, the replacement module 120 may also hook the write API called by the authentication software 20 to write predetermined data to the certificate storage object 30, or the read API called to read data from the certificate storage object 30.
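As an added example (not code from the patent or from the applicant), the following Python script models the generation module of the previous section and the replacement module of this one together. It assumes that the certificate storage object is a directory tree, that the "virtual drive" is simply a separate root directory, and that the file open API being hooked is Python's own `builtins.open`; a real implementation would hook the operating system's file open API and return a handle to the protected object. The directory and file names are constructed for the demonstration.

```python
"""Toy model of the generation module and the replacement module.

Added example, not code from the patent or from the applicant. Assumptions:
the certificate storage object is a directory tree, the "virtual drive" is
modelled as a separate root directory, and the file open API being hooked is
Python's builtins.open (a real implementation hooks the OS file open API).
"""
import builtins
import os
import shutil
import tempfile


def map_to_protected(requested, cert_root, protected_root):
    """Return the protected-storage path for a path under cert_root.

    Only the root (the "drive") changes; the rest of the path is kept the same,
    mirroring the option of changing only the drive name. Paths that are not
    under cert_root map to None and are left alone by the hook.
    """
    rel = os.path.relpath(os.path.abspath(requested), os.path.abspath(cert_root))
    if rel == os.curdir:
        return os.path.abspath(protected_root)
    if rel.startswith(os.pardir):
        return None
    return os.path.join(os.path.abspath(protected_root), rel)


def create_protected_copy(cert_root, protected_root):
    """Generation step: copy every file into protected_root with the same
    subdirectory structure, then delete the originals but keep the (now empty)
    directory skeleton so the certificate could later be restored in place."""
    copied = []
    for dirpath, _dirnames, filenames in os.walk(cert_root):
        dest_dir = map_to_protected(dirpath, cert_root, protected_root)
        os.makedirs(dest_dir, exist_ok=True)
        for name in filenames:
            src = os.path.join(dirpath, name)
            shutil.copy2(src, os.path.join(dest_dir, name))
            os.remove(src)  # only the directory structure remains in the original object
            copied.append(os.path.relpath(src, cert_root).replace(os.sep, "/"))
    return sorted(copied)


class OpenRedirector:
    """Replacement step: while active, open() calls naming a path under
    cert_root are served from the protected copy. The caller's configured
    path never changes; only the object actually opened does."""

    def __init__(self, cert_root, protected_root):
        self.cert_root = cert_root
        self.protected_root = protected_root
        self.redirected = []  # (requested path, path actually opened)
        self._real_open = None

    def _hooked_open(self, file, *args, **kwargs):
        target = None
        if isinstance(file, (str, os.PathLike)):
            target = map_to_protected(os.fspath(file), self.cert_root, self.protected_root)
        if target is not None:
            self.redirected.append((os.fspath(file), target))
            file = target
        return self._real_open(file, *args, **kwargs)

    def __enter__(self):
        self._real_open = builtins.open
        builtins.open = self._hooked_open
        return self

    def __exit__(self, *exc):
        builtins.open = self._real_open  # always unhook, even on error
        return False


def demo():
    """Run generation and replacement on a constructed certificate tree."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_root = os.path.join(tmp, "cert_store")                 # constructed
        protected_root = os.path.join(tmp, "vdrive", "cert_store")  # constructed "virtual drive"
        user_dir = os.path.join(cert_root, "users", "user1")
        os.makedirs(user_dir)
        with open(os.path.join(user_dir, "cert.der"), "wb") as f:
            f.write(b"constructed certificate bytes")
        with open(os.path.join(user_dir, "key.pem"), "wb") as f:
            f.write(b"constructed private key bytes")

        copied = create_protected_copy(cert_root, protected_root)

        # The "authentication software" keeps using its originally configured path.
        configured = os.path.join(user_dir, "cert.der")
        with OpenRedirector(cert_root, protected_root) as hook:
            with open(configured, "rb") as f:
                data = f.read()
        return {
            "copied": copied,
            "read_back": data,
            "original_file_gone": not os.path.exists(configured),
            "subdir_kept": os.path.isdir(user_dir),
            "redirected_to": os.path.relpath(hook.redirected[0][1], tmp).replace(os.sep, "/"),
        }


if __name__ == "__main__":
    print(demo())
```

The point to check in `demo()` is that the read succeeds through the configured path even though that file no longer exists: the hook resolved it to the copy under the protected root, while the original tree kept only its directories.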

The encryption module 130 may encrypt data stored in the protected storage object 200 and decrypt data read from the protected storage object 200.

The encryption module 130 may encrypt data recorded in the protected storage object 200 for each specific encryption unit and decrypt data read from the protected storage object 200 for each encryption unit. In this case, the encryption unit may be a bit, a byte, or a unit block of the file system of the drive (for example, a virtual drive) on which the protected storage object 200 is created.

Normally, for a block device such as a hard disk drive or a virtual drive, data is written and read through block-level I/O. That is, instead of reading or writing data in units of bits or bytes, a block device performs I/O in blocks of a predetermined size specified by the file system of the device (for example, 512 bytes, 4 KB, or 8 KB). Therefore, by encrypting and decrypting data in units of the file system's blocks, or in the smaller units of bits or bytes, the public-key certificate security system 100 can decrypt only the portion corresponding to the data requested by the authentication software 20. That is, the whole of the protected storage object 200 need not be decrypted in order to read data from it, so the resources (for example, decryption time and computing power) required to read decrypted data from the protected storage object 200 can be reduced.

Meanwhile, the encryption module 130 may be implemented as a device driver for the drive on which the protected storage object 200 is created. In particular, if the protected storage object 200 is created on the virtual drive 300, the encryption module 130 may be implemented in the form of a device driver for the virtual drive 300. In this case, the device driver may take charge of at least part of the data I/O control of the virtual drive 300. Device drivers can be part of the operating system's kernel and can be loaded into the kernel at runtime. That is, the device driver may exist in the form of a compiled file (*.sys on Windows or *.o on Linux), and when the user terminal 10 is booted, or when necessary, the file is loaded and integrated with the kernel.

The encryption module 130 may permit access to the virtual drive 300 only when it is requested by a predetermined application program or a predetermined process.

Here, the predetermined application program may include the authentication software 20, and the predetermined process may include a process corresponding to the authentication software 20 or to the authorized certificate security system 100, or a process generated by either of them.

The encryption module 130 may compare the ID of the predetermined application program or predetermined process that is permitted to access the virtual drive 300 with the ID of the process that is attempting to access the virtual drive 300, and permit access to the virtual drive 300 only when they match.
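As an added example (not code from the patent or from the applicant), the following Python script models the encryption module described in this section as the "device driver" of a virtual drive: each block is encrypted on its own so a read of a few bytes decrypts only the block that holds them, and every request is first checked against the permitted process. It assumes an in-memory drive of fixed-size blocks, an HMAC-SHA256 keystream with a fresh nonce per block write as a stand-in for a real block cipher mode (with a per-block integrity tag added, which the patent does not mention), and a constructed process name where a real driver would use the process ID or image path reported by the kernel. It also illustrates the read and write steps S130 to S170 of FIG. 2B.

```python
"""Toy model of the encryption module as a device driver for the virtual drive.

Added example, not code from the patent or from the applicant. Assumptions:
the virtual drive is an in-memory dict of fixed-size blocks, the per-block
cipher is an HMAC-SHA256 keystream with a fresh nonce per write (a stand-in
for a real block cipher mode), each block carries an integrity tag, and the
requesting process is identified by a constructed name string.
"""
import hashlib
import hmac
import os

BLOCK_SIZE = 512  # assumed "unit block" of the virtual drive's file system


class ProtectedVirtualDrive:
    def __init__(self, key, allowed_processes, block_size=BLOCK_SIZE):
        self._key = key
        self._allowed = frozenset(allowed_processes)
        self._bs = block_size
        self._blocks = {}          # block index -> (nonce, ciphertext, tag)
        self.blocks_decrypted = 0  # counter showing how much work a request costs

    # --- access control: only the permitted process may touch the drive ---
    def _check_process(self, process_id):
        if process_id not in self._allowed:
            raise PermissionError(f"process {process_id!r} may not access the virtual drive")

    # --- per-block encryption, so a single block can be decrypted alone ---
    def _keystream(self, index, nonce):
        out, counter = b"", 0
        while len(out) < self._bs:
            msg = nonce + index.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(self._key, msg, hashlib.sha256).digest()
            counter += 1
        return out[: self._bs]

    def _tag(self, index, nonce, ciphertext):
        msg = b"tag" + nonce + index.to_bytes(8, "big") + ciphertext
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _seal(self, index, plain):
        nonce = os.urandom(16)  # fresh per write: rewriting a block never reuses keystream
        ct = bytes(p ^ k for p, k in zip(plain, self._keystream(index, nonce)))
        return nonce, ct, self._tag(index, nonce, ct)

    def _open(self, index):
        if index not in self._blocks:
            return bytes(self._bs)  # a never-written block reads as zeros
        nonce, ct, tag = self._blocks[index]
        if not hmac.compare_digest(tag, self._tag(index, nonce, ct)):
            raise ValueError(f"block {index} failed its integrity check")
        self.blocks_decrypted += 1
        return bytes(c ^ k for c, k in zip(ct, self._keystream(index, nonce)))

    def _span(self, offset, length):
        """Yield (block index, lo, hi, block start) for every block a request touches."""
        for index in range(offset // self._bs, (offset + length - 1) // self._bs + 1):
            start = index * self._bs
            lo = max(offset, start) - start
            hi = min(offset + length, start + self._bs) - start
            yield index, lo, hi, start

    def write(self, process_id, offset, data):
        """S130/S140: encrypt and record data; only the touched blocks are rewritten."""
        self._check_process(process_id)
        if not data:
            return
        for index, lo, hi, start in self._span(offset, len(data)):
            plain = bytearray(self._open(index))
            plain[lo:hi] = data[start + lo - offset: start + hi - offset]
            self._blocks[index] = self._seal(index, bytes(plain))

    def read(self, process_id, offset, length):
        """S150 to S170: decrypt only the blocks covering the requested range."""
        self._check_process(process_id)
        if length <= 0:
            return b""
        out = bytearray()
        for index, lo, hi, _start in self._span(offset, length):
            out += self._open(index)[lo:hi]
        return bytes(out)


def demo():
    drive = ProtectedVirtualDrive(key=b"\x01" * 32, allowed_processes={"auth_software"})
    cert = b"-----BEGIN CERTIFICATE-----" + b"A" * 1500  # constructed; spans 3 blocks
    drive.write("auth_software", 0, cert)
    drive.blocks_decrypted = 0
    head = drive.read("auth_software", 0, 27)       # touches block 0 only
    blocks_for_head = drive.blocks_decrypted
    whole = drive.read("auth_software", 0, len(cert))
    drive.write("auth_software", 600, b"X" * 10)    # partial overwrite inside block 1
    patched = drive.read("auth_software", 595, 20)
    try:
        drive.read("other_process", 0, 10)
        denied = False
    except PermissionError:
        denied = True
    return {"head": head, "blocks_for_head": blocks_for_head, "round_trip": whole == cert,
            "patched": patched, "denied": denied}


if __name__ == "__main__":
    print(demo())
```

`blocks_for_head` is the observable form of the claim made in the text: a 27-byte read of a three-block object decrypts one block, not the whole object. The integrity tag is not something the patent describes; it is included because a driver that decrypts block by block should also detect a block that was altered on disk rather than silently return garbage.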

FIG. 4 is a flowchart illustrating a method of securing an authorized certificate according to an exemplary embodiment of the present invention.

Referring to FIG. 4, the public certificate security system 100 may generate a protected storage object 200 corresponding to the certificate storage object 30 storing the public key certificate and the corresponding private key information (S200).

In step S200, when the certificate storage object is a directory, the public certificate security system 100 may delete the public certificate and its corresponding private key information stored in the certificate storage object after generating the protected storage object 200, while preserving the certificate storage object itself and the subdirectory structure included in it.

Meanwhile, in one embodiment, the public certificate security system 100 may create the virtual drive 300 and then generate the protected storage object 200 on the created virtual drive 300.

The authorized certificate security system 100 can detect whether the authentication software 20 wishes to access the certificate storage object 30 (S210), and if it does, can control the authentication software 20 so that it accesses the protected storage object 200 instead of the certificate storage object 30 (S220).

If the authentication software 20 requests that data be recorded (S230), the public certificate security system 100 encrypts the data and records the encrypted data in the protected storage object 200 (S240).

In this case, the public certificate security system 100 may encrypt the data recorded in the protected storage object for each predetermined encryption unit, and the encryption unit may be a bit, a byte, or a unit block of the file system of the virtual drive.

When the authentication software 20 requests to read data stored in the protected storage object (S250), the authorized certificate security system 100 decrypts the data read from the protected storage object 200 for each encryption unit and returns it to the authentication software (S260).

Meanwhile, according to an embodiment, the public certificate security system 100 may include a processor and a memory for storing a program executed by the processor. The processor may include a single-core CPU or a multi-core CPU. The memory may include high speed random access memory and may include non-volatile memory such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid state memory devices. Access to the memory by the processor and other components can be controlled by the memory controller. Here, when the program is executed by a processor, the program may cause the authorized certificate security system 100 according to the present embodiment to perform the above-described authorized certificate security method.

Meanwhile, the public certificate security method according to the embodiment of the present invention may be implemented in the form of computer-readable program instructions and stored in a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored.

Program instructions recorded on the recording medium may be those specially designed and constructed for the present invention, or those known and available to those skilled in the software art.

Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROM and DVD; magneto-optical media such as floptical disks; and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory. The medium may also be a transmission medium, such as an optical or metal wire or a waveguide, including a carrier wave carrying a signal that designates program instructions, data structures and the like. The computer-readable recording medium may also be distributed over networked computer systems so that the computer-readable code is stored and executed in a distributed manner.

Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a device that processes information electronically, for example a computer, using an interpreter or the like.

The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

It will be understood by those skilled in the art that the foregoing description of the present invention is for illustrative purposes only, and that various changes and modifications may be made without departing from the spirit or essential characteristics of the present invention.

It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive. For example, each component described as a single entity may be distributed and implemented, and components described as being distributed may also be implemented in a combined form.

It is intended that the present invention covers the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.

Claims (16)

1. An authorized certificate security system comprising:
a generation module for generating a protected storage object corresponding to a certificate storage object storing a public certificate and its corresponding public key information; and
a replacement module for controlling predetermined authentication software, which performs user authentication using the authorized certificate, to access the protected storage object instead of the certificate storage object when the authentication software intends to access the certificate storage object.

2. The authorized certificate security system according to claim 1, wherein the replacement module, when the authentication software calls an application programming interface (API) requesting file reference information necessary for accessing the certificate storage object, returns to the authentication software, in response to the API call, file reference information for accessing the protected storage object.

3. The authorized certificate security system according to claim 1, further comprising an encryption module for encrypting data recorded in the protected storage object and decrypting data read from the protected storage object.

4. The authorized certificate security system according to claim 3, wherein the encryption module encrypts data recorded in the protected storage object for each predetermined encryption unit and decrypts data read from the protected storage object for each encryption unit, and wherein the encryption unit is a bit or a byte.

5. The authorized certificate security system according to claim 3, wherein the generation module creates the protected storage object on a predetermined virtual drive, and the encryption module comprises a device driver for the virtual drive that encrypts data recorded in the virtual drive for each encryption unit and decrypts data read from the virtual drive for each encryption unit, wherein the encryption unit is a bit, a byte, or a unit block of the file system of the virtual drive.

6. The authorized certificate security system according to claim 5, wherein the encryption module permits access to the virtual drive only when requested by a predetermined application or a predetermined process.

7. The authorized certificate security system according to claim 1, wherein the generation module, when the certificate storage object is a directory, deletes the public key certificate and the corresponding private key information stored in the certificate storage object after generating the protected storage object, and preserves the certificate storage object and the subdirectory structure included in the certificate storage object.

8. An authorized certificate security method comprising:
a generating step in which an authorized certificate security system generates a protected storage object corresponding to a certificate storage object storing an authorized certificate and corresponding public key information; and
a replacing step in which, when predetermined authentication software that performs user authentication using the authorized certificate intends to access the certificate storage object, the authorized certificate security system controls the authentication software to access the protected storage object instead of the certificate storage object.

9. The method of claim 8, wherein the replacing step comprises returning file reference information for accessing the protected storage object to the authentication software, in response to the API call, when the authentication software calls an API requesting file reference information required to access the certificate storage object.

10. The method of claim 8, further comprising:
an encryption step in which the authorized certificate security system encrypts data recorded in the protected storage object; and
a decryption step in which the authorized certificate security system decrypts data read from the protected storage object.

11. The method of claim 10, wherein the encrypting step comprises encrypting data recorded in the protected storage object for each predetermined encryption unit, the decrypting step comprises decrypting data read from the protected storage object for each encryption unit, and the encryption unit is a bit or a byte.

12. The method of claim 10, wherein the generating step comprises creating the protected storage object on a predetermined virtual drive, the encrypting step and the decrypting step are performed by a device driver for the virtual drive that encrypts data recorded in the virtual drive for each encryption unit and decrypts data read from the virtual drive for each encryption unit, and the encryption unit is a bit, a byte, or a unit block of the file system of the virtual drive.

13. The method of claim 12, wherein the device driver permits access to the virtual drive only when requested by a predetermined application or a predetermined process.

14. The method of claim 8, wherein, if the certificate storage object is a directory, the method comprises deleting the public certificate and the corresponding private key information stored in the certificate storage object after creating the protected storage object, and preserving the certificate storage object and the subdirectory structure included in the certificate storage object.

15. A computer program installed in a data processing apparatus and stored in a computer-readable medium for performing the method of any one of claims 8 to 14.

16. An authorized certificate security system comprising:
a processor; and
a memory for storing a computer program executed by the processor,
wherein the computer program, when executed by the processor, causes the authorized certificate security system to perform the method of any one of claims 8 to 14.
KR1020160022532A 2016-02-25 2016-02-25 System and method for security of certificate KR20170100235A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160022532A KR20170100235A (en) 2016-02-25 2016-02-25 System and method for security of certificate

Publications (1)

Publication Number Publication Date
KR20170100235A true KR20170100235A (en) 2017-09-04

Family

ID=59924263

Country Status (1)

Country Link
KR (1) KR20170100235A (en)

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application