KR20170108667A - System and method for providing a security service based on a security cloud - Google Patents

Publication number
KR20170108667A
Authority
KR
South Korea
Prior art keywords
security
service
cloud
user terminal
secure
Application number
KR1020160032935A
Other languages
Korean (ko)
Inventor
정영우
가니스
Original Assignee
한국전자통신연구원
Application filed by 한국전자통신연구원 filed Critical 한국전자통신연구원
Priority to KR1020160032935A priority Critical patent/KR20170108667A/en
Publication of KR20170108667A publication Critical patent/KR20170108667A/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

A system for providing a security service based on a security cloud is provided. The system includes: a service user terminal for operating an application and a common application; the security cloud, which provides a security service platform; and a service provider server for communicating with the security cloud to provide the security service using the security cloud. The service user terminal communicates with the security cloud through the common application. The service provider server communicates with the security cloud through a gateway. The security cloud provides, to each service user terminal, a user virtual machine that manages confidential data, executes a security application, performs an authentication function, and performs encryption and decryption functions. Accordingly, the present invention can secure the reliability of a security application execution environment.

Description

The present invention relates to a system and method for providing a security service based on a security cloud.

When a user uses a service that is important for personal security, such as mobile payment, internet banking, or telemedicine, provided by a remote service provider through a smart terminal, the personal authentication procedure is performed using credential information stored in the file system of the smart terminal operating system or in an external storage device connected to the terminal. In addition, sensitive data such as the user's card information and medical data are also stored in the smart terminal operating system.

In addition, a user of these services must install a security application for each service provider that provides payment, banking, telemedicine, and so on, and each service provider must also provide its own separate security application.

In such an environment, the security data stored in the operating system of the user terminal can be accessed easily, so when the user terminal is hacked or infected with malicious code, the credential information, the encryption key, and similar data can easily leak to the outside.

In addition, since a user using the service must install a plurality of security applications in order to receive different security services, the complexity of the usage environment of the user terminal increases. In addition, since the service provider also has to additionally build a separate system to take into consideration the environment of various users, the management and maintenance costs increase.

Accordingly, it is an object of the present invention to provide a system and method for providing a secure cloud-based security service in which a security service can be performed between a service user terminal and a service provider server using a secure cloud.

According to an aspect of the present invention, there is provided a secure cloud-based security service providing system including: a service user terminal for operating an application and a common application; a security cloud that provides a security services platform; and a service provider server for communicating with the secure cloud to provide a security service using the secure cloud, wherein the service user terminal communicates with the secure cloud through the common application, and the service provider server communicates with the secure cloud through a gateway. The secure cloud provides, for each service user terminal, a user virtual machine that manages confidential data, executes security applications, performs an authentication function, and performs encryption / decryption functions.

According to the present invention, the problem of reliability of an application in which security is important, which may occur due to security weakness of an existing user terminal operating system, can be solved. That is, according to the present invention, by using the security cloud, the reliability of the security application execution environment can be ensured and the system can be operated efficiently.

Therefore, according to the present invention, security and efficiency of a system providing security-critical services such as mobile settlement, internet banking, and telemedicine can be enhanced.

FIG. 1 is a diagram illustrating a configuration of a security cloud-based security service providing system according to the present invention;
FIG. 2 is a flowchart illustrating a method of exchanging data between a service user terminal and a secure cloud through a secure session, which is applied to a secure cloud-based security service providing system according to the present invention;
FIG. 3 is a flowchart illustrating a method of requesting and processing execution of a security service after a service user terminal receives a valid security service list by the processes shown in FIG. 2;
FIG. 4 is a diagram illustrating an example of a function of a service broker in a secure cloud applied to a security cloud-based security service providing system according to the present invention.

The above and other objects, advantages and features of the present invention and methods of achieving them will be apparent from the following detailed description of embodiments thereof taken in conjunction with the accompanying drawings.

The present invention may, however, be embodied in many different forms and should not be construed as being limited to the exemplary embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and the present invention is defined by the description of the claims.

It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. "Comprises" and / or "comprising", as used herein, do not exclude the presence or addition of one or more components, steps, or operations other than those recited.

FIG. 1 is a diagram illustrating a configuration of a security cloud-based security service providing system according to the present invention.

Referring to FIG. 1, a cloud-based security service providing system according to the present invention (hereinafter simply referred to as a security service providing system) includes a service user terminal 100 that operates a variety of applications 101, a security cloud 200 that provides a security service platform, and a service provider server 300 that communicates with the secure cloud to provide a security service using the secure cloud.

The security cloud 200 includes: a service user API 210, which is the entry point for the service user terminal 100 to communicate with the secure cloud 200; a service provider API, which allows the service provider server 300 to communicate with the secure cloud 200; a service user management unit 220 for managing the account and password of a service user using the service user terminal 100; a management unit for controlling the service user terminal 100 and the security cloud 200; a service provider management unit 270 for managing the registration and release of the service provider server 300; a communication channel management unit 280 for managing a communication channel (security channel) between the secure cloud 200 and the service provider servers 300; an authentication server 240 for processing authentication for the service user terminal 100; a service management unit 250 for providing available services to the service user terminal 100; and a service broker 260 for providing the actual security service between the service user terminal 100 and the service provider server 300.

The service broker 260 interacts with the user virtual machine 600 to perform various functions. The user virtual machine 600 is included in the secure cloud 200.

The user virtual machine 600 includes confidential data 611 for each service user, a security application 620, an authentication module 630 and an encryption / decryption module 640. The user virtual machine 600 manages confidential data, executes a security application, performs an authentication function, and performs an encryption / decryption function.

The service user terminal 100 and the service provider server 300 can perform various security services through the interface provided by the secure cloud 200. The processing for all security data and the security application are performed in the security cloud 200, so that the security for the security service can be enhanced.

The service provider server 300 includes a gateway 301 for communicating with the secure cloud to provide a security service using the secure cloud 200.

FIG. 2 is a flowchart illustrating a method of exchanging data between a service user terminal and a secure cloud through a secure session, which is applied to a secure cloud-based security service providing system according to the present invention.

The service user inputs ID / PWD for accessing the secure cloud 200 through the service user terminal 100 (701).

The common application 110 of the service user terminal 100 generates a master key and encrypts the password PWD (702), and the service user terminal 100 transmits the ID and the encrypted password PWD to the secure cloud 200 to request authentication (703).

The secure cloud 200 generates a master key using the transmitted ID and the password PWD previously registered in the secure cloud 200, and decrypts the received password PWD (704).

If the passwords PWD match, the secure cloud 200 generates a session key 1, encrypts it using the master key (705), and transmits the authentication result and the encrypted session key 1 to the service user terminal 100 (706).

When the common application 110 of the service user terminal 100 decrypts session key 1 using its master key (707), a secure session 730 that uses session key 1 is created between the service user terminal 100 and the secure cloud 200.

Thereafter, the service user terminal 100 and the secure cloud 200 encrypt all data using session key 1 before delivering it to the other party, and the other party decrypts the data using session key 1.

The service user terminal 100 requests a valid security service list from the security cloud 200 (708), and the service management unit in the security cloud 200 searches for the valid security service list (709) and transmits it to the service user terminal 100 (710).

In the above steps, there is no mutual operation between the service provider server 300 and the service user terminal 100, and there is no mutual operation between the service provider server 300 and the secure cloud 200.

FIG. 3 is a flowchart illustrating a method of requesting and processing execution of a security service after a service user terminal receives a valid security service list through the processes shown in FIG. 2.

When the service user terminal 100 requests execution of a security service through the created secure session 730 (711), the security cloud 200 generates a master key and encrypts the authentication credential information (712), transmits the service ID and the encrypted credential information to the service provider server 300, and requests authentication (713).

The service provider server 300 generates a master key using the credential information it holds for that service ID and decrypts the received credential information (714). If the credential information matches, the service provider server 300 generates a session key 2, encrypts it with the master key (715), and transmits the encrypted session key 2 to the secure cloud 200 together with the authentication result (716).

The secure cloud 200 decrypts session key 2 using the master key it generated, and a secure session 740 is created between the secure cloud 200 and the service provider server 300.

The security cloud 200 transmits the security service information requested by the user to the service provider server 300 (718). The service provider server 300 performs the security service (719), and the security cloud 200 transmits the result to the service user terminal 100 (721).

If the service user requests termination of the security service (722), the secure session between the service user terminal 100 and the secure cloud 200 is terminated (723, 724), and (725) the secure session between the secure cloud 200 and the service provider server 300 is terminated (726, 727).

When all security sessions are terminated, all session keys that were created are invalidated. When the security service is subsequently restarted, a new session key is generated and the security service is performed.
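The FIG. 2 exchange (steps 701 to 710) and the session-key invalidation described above, with both sides' messages, as an added example that is not code from the patent; the FIG. 3 exchange between the secure cloud and the service provider server (steps 712 to 716) follows the same pattern with credential information in place of the password. The patent names no algorithms, so PBKDF2-HMAC-SHA256, the HMAC-based encrypt-then-MAC stand-in for an AEAD, every class and function name, and the sample account are assumptions constructed here.

```python
import hashlib
import hmac
import secrets

# Assumptions (the patent names no algorithms): PBKDF2-HMAC-SHA256 derives the
# master key, and a stdlib encrypt-then-MAC stream construction stands in for
# a vetted AEAD such as AES-GCM, which production code should use instead.

def derive_master_key(user_id: str, password: str) -> bytes:
    """Both sides derive the same master key from ID + PWD (steps 702, 704)."""
    salt = hashlib.sha256(b"kdf-salt:" + user_id.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append a tag over nonce + ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class SecureCloud:
    def __init__(self, registered: dict, services: list):
        self.registered = registered  # ID -> PWD as registered (needed by step 704)
        self.services = services
        self.sessions = {}            # ID -> session key 1

    def authenticate(self, user_id: str, enc_pwd: bytes):
        """Steps 704-706: returns encrypted session key 1, or None on failure."""
        pwd = self.registered.get(user_id)
        if pwd is None:
            return None
        master = derive_master_key(user_id, pwd)
        try:
            received = unseal(master, enc_pwd)
        except ValueError:
            return None
        if not hmac.compare_digest(received, pwd.encode()):
            return None
        self.sessions[user_id] = secrets.token_bytes(32)
        return seal(master, self.sessions[user_id])

    def handle(self, user_id: str, blob: bytes) -> bytes:
        """Steps 708-710: traffic inside secure session 730 uses session key 1."""
        key = self.sessions[user_id]  # KeyError once the session is terminated
        if unseal(key, blob) != b"LIST_SERVICES":
            raise ValueError("unknown request")
        return seal(key, ",".join(self.services).encode())

    def terminate(self, user_id: str) -> None:
        self.sessions.pop(user_id, None)  # session key invalidated on termination

def terminal_login(cloud: SecureCloud, user_id: str, password: str):
    """Steps 701-703 and 707, terminal side; returns session key 1 or None."""
    master = derive_master_key(user_id, password)
    reply = cloud.authenticate(user_id, seal(master, password.encode()))
    return None if reply is None else unseal(master, reply)

def run_demo():
    # Constructed sample account and service names.
    cloud = SecureCloud({"alice": "correct horse"}, ["mobile-payment", "telemedicine"])
    key1 = terminal_login(cloud, "alice", "correct horse")
    reply = cloud.handle("alice", seal(key1, b"LIST_SERVICES"))
    listing = unseal(key1, reply).decode()
    rejected = terminal_login(cloud, "alice", "wrong guess") is None
    cloud.terminate("alice")
    return listing, rejected, "alice" in cloud.sessions

if __name__ == "__main__":
    print(run_demo())
```

Step 704 requires the cloud to hold each registered password in a form from which the master key can be re-derived, and the master key is only as strong as the password, so a slow key-derivation function and a protected transport around this exchange are prudent additions.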

FIG. 4 is a diagram illustrating a service broker function of a security cloud applied to a security cloud-based security service providing system according to the present invention. In particular, it is an exemplary diagram illustrating the role of a service broker in enabling security services to be performed.

The service user terminal 100 requests a security service from the service broker 260 through the secure session 730 created between the security cloud 200 and the service user terminal 100.

The service broker 260 transmits the results of the confidential data handling, security application execution, authentication processing, and encryption / decryption processing performed in the user virtual machine 600 allocated to each user to the service user terminal 100 or the service provider server 300.

Data exchange between the service provider server 300 and the service broker 260 is provided through a secure session 740 created between the secure cloud 200 and the service provider server 300.

The present invention described above is summarized as follows.

In the present invention, secure user data is processed and security applications are executed in the secure cloud 200, the service user terminal 100 handles only the output result, and the service provider server 300 interoperates only with the security application executed in the secure cloud 200. The present invention thereby provides a security cloud-based security service providing system and method capable of fundamentally preventing the damage or leakage of security data that can occur and of reducing the maintenance and management costs of the service provider server 300.

The present invention provides security service between the service user terminal 100 and the service provider server 300 through a common security platform based on a security cloud, thereby securing reliability for a mobile application in which security is important. Further, the present invention supports efficient operation of the system, thereby enhancing the security of services requiring security such as mobile settlement, internet banking, and telemedicine, and can reduce the cost of the service.

According to the present invention, the actual security service, such as retaining user credential information and performing encryption processing, is performed in the security cloud 200 with enhanced security, and the service user terminal 100 connects to the security cloud 200 through a secure communication channel provided by the security cloud 200 to request execution of the security service and confirm the result. Also, the service provider server 300 may provide the security service to the service user terminal 100 through the secure cloud 200 using the secure communication channel provided by the secure cloud 200. The service user terminal 100 does not store or process any security data or sensitive data; the user credential information stored in the secure cloud 200 is used for access between the service user terminal 100 and the service provider server 300, and all data is encrypted and transmitted / received through a secure communication channel.

Also, in the present invention, a common application is provided so that various applications executed in the service user terminal 100 can use the service user API of the secure cloud 200, and the service provider server 300 can mount its security service using the service provider API provided by the secure cloud 200.

In addition, the security cloud 200 may isolate the security service execution environment from other users by providing a user virtual machine for each service user terminal 100, and, by supporting the existing interface of the existing authentication manager, allows the existing security application and authentication manager that operate in the existing service user terminal to be used without modification.

The present invention manages and operates security data stored and operated in an existing service user terminal and a security application performing security data processing in a virtualized security cloud environment.

The present invention allows the service user terminal 100 and the service provider server 300 to exchange data through a secure communication channel provided by the secure cloud 200. Accordingly, the service user can use the security service in an environment with enhanced security, and the service provider can provide an environment that the service user can use by registering the security service in the secure cloud 200, without additional system building cost. Accordingly, the present invention can provide enhanced security to the existing environment and reduce the additional cost for the security service.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.

Claims (1)

A service user terminal for operating an application and a common application;
a security cloud that provides a security services platform; and
a service provider server for communicating with the secure cloud to provide a security service using the secure cloud,
wherein the service user terminal communicates with the secure cloud through the common application, the service provider server communicates with the secure cloud through a gateway, and the secure cloud provides, for each service user terminal, a user virtual machine that manages confidential data and performs an authentication function or an encryption / decryption function.
KR1020160032935A 2016-03-18 2016-03-18 System and method for providing a security service based on a security cloud KR20170108667A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160032935A KR20170108667A (en) 2016-03-18 2016-03-18 System and method for providing a security service based on a security cloud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020160032935A KR20170108667A (en) 2016-03-18 2016-03-18 System and method for providing a security service based on a security cloud

Publications (1)

Publication Number Publication Date
KR20170108667A (en) 2017-09-27

Family

ID=60036435

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020160032935A KR20170108667A (en) 2016-03-18 2016-03-18 System and method for providing a security service based on a security cloud

Country Status (1)

Country Link
KR (1) KR20170108667A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4030320A1 (en) * 2021-01-19 2022-07-20 Assa Abloy AB Secure cloud processing
US11847232B2 (en) 2021-01-19 2023-12-19 Assa Abloy Ab Secure cloud processing

Similar Documents

Publication Publication Date Title
EP3408987B1 (en) Local device authentication
US9917829B1 (en) Method and apparatus for providing a conditional single sign on
CN110582768B (en) Apparatus and method for providing secure database access
CN105187362B (en) Method and device for connection authentication between desktop cloud client and server
CA2725992C (en) Authenticated database connectivity for unattended applications
CN109587101B (en) Digital certificate management method, device and storage medium
US9374360B2 (en) System and method for single-sign-on in virtual desktop infrastructure environment
CN109905350B (en) Data transmission method and system
US9544137B1 (en) Encrypted boot volume access in resource-on-demand environments
WO2019062666A1 (en) System, method, and apparatus for securely accessing internal network
EP2702744B1 (en) Method for securely creating a new user identity within an existing cloud account in a cloud system
US20150121498A1 (en) Remote keychain for mobile devices
CN111447220B (en) Authentication information management method, server of application system and computer storage medium
EP3973423A1 (en) Computing system and methods providing session access based upon authentication token with different authentication credentials
KR20150092890A (en) Security-Enhanced Device based on Virtualization and the Method thereof
CA2903749A1 (en) Apparatus, system and method for secure data exchange
JP5452192B2 (en) Access control system, access control method and program
KR102012262B1 (en) Key management method and fido authenticator software authenticator
JP2020535530A (en) Resource processing methods, equipment, systems and computer readable media
KR101348079B1 (en) System for digital signing using portable terminal
CN113037736B (en) Authentication method, device, system and computer storage medium
KR101836211B1 (en) Electronic device authentication manager device
US9509503B1 (en) Encrypted boot volume access in resource-on-demand environments
KR101502999B1 (en) Authentication system and method using one time password
KR20170108667A (en) System and method for providing a security service based on a security cloud