KR20180041052A - Method for providing certificate service based on m of n multiple signatures and server using the same - Google Patents

Abstract

The present invention relates to a method for providing certificate registration, approval, and destroying services by using a multi-signature scheme and an authentication support server using the same. According to an embodiment of the present invention, the certificate service providing method includes the steps of: obtaining a multi-signature certificate generation request message; determining the validity of public keys corresponding to user terminals or supporting an operation for the same executed another device linked to the authentication support server; supporting the generation of signature values of multi-signature location identifiers; determining whether the of signature values of the multi-signature location identifiers are normal or not or supporting an operation for the same executed by another device linked to the authentication support server; and registering certificate execution condition data, signature values of the multi-signature location identifiers, and hash values generated from the multi-signature location identifiers to a public block-chain database or supporting an execution for the same executed by another device linked to the authentication support server.

Description

[0001] METHOD FOR PROVIDING CERTIFICATE SERVICE BASED ON MULTIPLE SIGNATURES AND SERVER USING THE SAME [0002]

The present invention relates to a method of providing a multi-signature-based certificate service and a server using the same, and more particularly, to a method of providing a registration, approval, and destruction service of a multi-signature based certificate and an authentication support server .

With the advancement of IT technology, it became possible to use various services based on the Internet regardless of place regardless of age and sex.

In other words, by accessing a server operated by a bank or a securities company, it can be used for financial services such as account transfer and stock trading, access to servers operated by government agencies, and sales of civil service and goods such as issuance of various proofs Such as e-commerce services, such as purchasing goods from a server connected to a server, can be provided in real time through the Internet.

On the other hand, when using services in various industrial fields, the user who is a customer must perform certification proving himself / herself.

Here, an authorized certificate is electronic information issued by an accredited certification authority (CA) for the purpose of confirming the identity of a user, preventing forgery and alteration of documents, Represents a seal certificate for cyber transactions. Such authorized certificates include the certificate version, the certificate serial number, the validity period of the certificate, the personalization agent, the digital signature verification information of the user, the user name, the identification information, and the digital signature method.

These certificates are used in public key infrastructure (PKI), which is a security standard method.

The public key infrastructure is a user authentication system that encrypts transmission and reception data using a public key composed of encryption and decryption keys, and verifies the identity of a trader using a password possessed by an Internet user.

However, in the public key infrastructure, since the user's private key exists in a file format in the standardized storage location due to the soft token based storage method, file copying and automation collection of the private key is easy, There is also a risk that information theft occurs.

Therefore, a public certificate authority (CA) should establish a public certificate issuing system in which a high security system is interlocked so as to block the hacking as much as possible, and operate and maintain the established public certificate issuing system There is a problem that a large amount of issuance and use is caused when issuing a conventional authorized certificate.

In addition, the authorized certificate is a security module (for example, composed of ActiveX (ActiveX) under a Microsoft Windows Operating System) for the purpose of performing a user authentication process through a web browser Must be installed.

As such, Active X, which occupies most of the security modules that are almost forcibly installed during the user authentication process, is a technology used by Microsoft to develop reusable object-oriented software components. It includes a component object model and object connection insertion ) Is used to use contents downloaded from the World Wide Web (WWW). Most ActiveX is used to create plug-ins for Internet Explorer (IE).

However, since ActiveX can be installed only by lowering the security level of the PC so as to access resources such as a file and a registry of a personal computer (hereinafter referred to as "PC"), The security level of the user's PC is lowered due to ActiveX, which is installed inevitably for security, thereby making it vulnerable to a dangerous environment such as hacking, and complicated and cumbersome process of performing authentication.

For this reason, in the Republic of Korea, the head of state is promoting the policy of abolishing Active X at the government level, such as pointing out Active X as a typical old financial regulation at the press conference of the New Year and the New Year in 2015.

In addition, the public certificate, which is required to install ActiveX in order to ensure security during the authentication process, is available only from Internet Explorer (IE) provided by Microsoft among various kinds of web browsers, Safari, Firefox, etc.) is often impossible to use itself.

In other words, a user connects to a server operated by a bank or a securities company through an Internet-based web browser, and obtains various kinds of proof documents such as financial services such as account transfer and stock trading, a server operated by a government agency, (Internet Explorer) to use a public certificate for user authentication while using services in various industrial fields such as e-commerce services such as purchase of goods by accessing a server that sells goods, etc. In the Internet Explorer (IE) Service is available, but other web browsers do not support ActiveX, so it is not possible to use the service, so it is often limited by usage.

In addition, the currently used public certificate has a problem in that it is vulnerable to security when the certificate and the password are hijacked because the authentication procedure is performed only by checking whether the certificate exists or not.

As described above, the currently used public certificate is not only a security problem, but also a high-cost issuance cost, and there are restrictions on the use of the public certificate. Is requested.

Currently, the authorized certificate distinguishes only the conditions under which a specific user can use the authorized certificate, such as bank / insurance use, securities use, universal use, etc., and only a part Has not restricted the use of the certificate under certain multiple-signature conditions that allow the use of that certificate.

Accordingly, the present inventors propose a multi-signature-based certificate that can overcome the security problems, high cost of issuance, restrictions on use, and the deficiency of the specific condition by replacing the existing certificate.

Patent Document 1: Korean Patent Application Publication No. 10-0411448 (Dec. 03, 2003), an issuing method and a system for issuing an optical recording medium storing a private key and a certificate of a public key infrastructure.

 Non-Patent Document 1: Active X related contents in Wikipedia (https://en.wikipedia.org/wiki/%EC%95%A1%ED%8B%B0%EB%B8%8CX)  Non-Patent Document 2: Media It (internet newspaper) related to the policy of abolishing Active X (http://www.it.co.kr/news/article.html?no=2793878&sec_no=)

An object of the present invention is to solve the problems of the conventional public certificates described above, and it is an object of the present invention to provide a public key certificate that can replace an existing public key certificate with high security and usability at low cost, And to provide a technical solution of a multi-signature based certificate in which conditions are reflected.

It is another object of the present invention to provide a technique in which the certificate related information is recorded in the private / public block chain of the virtual currency, thereby making it impossible to convert the certificate.

In order to accomplish the objects of the present invention as described above and achieve the characteristic effects of the present invention described below, the characteristic structure of the present invention is as follows.

According to an aspect of the present invention, there is provided a method of providing a registration service of a certificate by m: n (m-of-n) multiple signatures, the method comprising: (a) _{U i (i = 1, ...} , n) in the state in which the public key (public key) or a processed data this register corresponding to an individual, the authentication support server, the public corresponding to the user terminal U _i key (public key, a user ID corresponding to the remaining n-1 user terminals, a value of m, a value of n, and a multi-signature certificate, which is a message requesting generation of a certificate based on m: n multiple signatures Directly or indirectly obtaining a generation request message; (b) when the public key, the user ID, the m and n values, and the multi-signature certificate generation request message are obtained, the authentication support server determines validity of the public keys PubKey _i corresponding to the n user terminals ≪ / RTI > (c) if the public keys PubKey _i are determined to be valid, the authentication support server records certificate execution condition data including at least the PubKey _i , the m and the n, and generates a multiple signature Supporting to generate or generate a location identifier PrivTxidABC; (d) The authentication support server transmits the generated multi-signature location identifier PrivTxidABC to the n user terminals, thereby allowing each of the user terminals U _i to transmit a private key corresponding to the PubKey _i , PrivKey _i Signing the multi-signature location identifier PrivTxidABC to generate multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) as a result thereof; (e) If the generated multiple signature location identifier signature values SigPrivKey _i (PrivTxidABC) are obtained, the authentication support server determines whether or not the multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) is normally signed Supporting step; And (f) if the multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) are determined to be normally signed, the authentication support server sends the certificate execution condition data, the multiple signature location identifier signature values, And registering or registering the hash value generated from the identifier in the public block chain database.

According to a further aspect of the present invention there is provided a method of providing an approval service for a certificate for use by a m: n (m-of-n) multiple signature, the method comprising: 1) user terminals U _i (i = 1, ..., n), a user ID corresponding to the remaining n-1 user terminals, a value of m, And a multi-signature certificate generation request message, which is a message for requesting generation of a certificate based on the m: n multiple signatures, is directly or indirectly obtained by the authentication support server, The certificate execution condition data including the public keys PubKey _i , m and n are recorded and a multiple signature location identifier PrivTxidABC corresponding to the certificate execution condition data is generated, and each of the user terminals U _i corresponds to the PubKey _i Private key (private key) of PrivKey _i as the multi-signature location identifier after PrivTxidABC is to create the signed result is a multi-signature location identifier signature value SigPrivKey _i (PrivTxidABC), running the certificate condition data, the multi-signature location identifier signature value Directly or indirectly acquiring a multi-signature certificate approval request message, which is a message requesting approval of the certificate by the m: n multiple signatures, with the multi-signature location identifier being registered, ; (b) when the multi-signature certificate approval request message is obtained, the authentication support server transmits the multi-signature location identifier PrivTxidABC corresponding to the certificate by the m: n multiple signatures and the approval object information TI to the n user terminals so that each of at least m user terminals U _i of the n user terminals sign the approval object information TI or the processed value TI 'as the PrivKey _i To generate an approval target information signature value SigPrivKey _i (TI or TI ') which is a result thereof; And (c) if the authorization target information signature value SigPrivKey _i (TI or TI ') of each of the at least m user terminals U _i is obtained, the authentication support server transmits (i) the at least m user terminals U _i The validity of the certificate with reference to the approval target information signature value SigPrivKey _i (TI or TI ') of the approval target information TI or the approval target information TI or the processed value TI' thereof and (iii) the multiple signature location identifier PrivTxidABC, And determining, by determining, supporting the use of the certificate.

According to a further aspect of the present invention there is provided a method for destroying a certificate in the provision and use of a certificate by m: n (m-of-n) multiple signatures, (> 1) of the user terminal U _i (i = 1, ..., n), public key (public key), the remaining n-1 of the user iD (user id), the value of the m corresponding to the user terminal corresponding to, And a multi-signature certificate generation request message, which is a message for requesting generation of a certificate based on the m: n multiple signatures, is directly or indirectly obtained by the authentication support server, The certificate execution condition data including the public keys PubKey _i , m and n are recorded and a multiple signature location identifier PrivTxidABC corresponding to the certificate execution condition data is generated, and each of the user terminals U _i corresponds to the PubKey _i The private key (p signature position identifier signature values SigPrivKey _i (PrivTxidABC), which is a result obtained by signing the multi-signature location identifier PrivTxidABC as a private key PrivKey _i , is generated, and then the certificate execution condition data, the multiple signature location identifier signature values And directly or indirectly acquiring a multi-signature certificate revocation request message, which is a message for requesting revocation of the certificate by the m: n multiple signatures, in a state where the multi-signature location identifier is registered; (b) if the multi-signature certificate revocation request message is obtained, the authentication support server transmits the multi-signature location identifier PrivTxidABC corresponding to the certificate by the m: n multiple signatures and the destruction request information RR to the n user terminals so that each of at least m user terminals U _i of the n user terminals sign the destruction request information RR or the processed value RR 'using the PrivKey _i To generate a result value SigPrivKey _i (RR or RR ') of the destroy request information information; (c) the at least m of the user terminal U _i each of the destroy request information sign value SigPrivKey _i If (RR or RR ') is obtained, which the authentication support server, (i) the at least m of the user terminal U _i each The validity of the certificate is determined with reference to the destruction request information signature value SigPrivKey _i (RR or RR '), (ii) the destruction request information RR or the value RR' processed therefrom and (iii) the multiple signature location identifier PrivTxidABC ; And (d) if the certificate is valid, the authentication support server, the destruction certificate indicating that the destruction is complete the certificate complete record data-complete destruction The certificate write data (i) the at least m of the user terminal U _i each The hash value of the destruction request information signature value SigPrivKey _i (RR or RR '), (ii) the destroy request information RR or the value RR' processed therefrom and (iii) the multiple signature location identifier PrivTxidABC, And registering or registering with the block-chain database.

According to an aspect of the present invention, there is provided an authentication support server for providing a registration service of a certificate by m: n (m-of-n) multiple signatures, of the user terminal _{U i (i = 1, ...} , n) in the state in which the public key (public key) or a processed data this register corresponding to an individual, the public key (public key) corresponding to the user terminal U _i , A user ID corresponding to the remaining n-1 user terminals, a value of m, a value of n, and a request for generating a certificate based on the m: n multiple signatures A communication unit for directly or indirectly acquiring a message; And a processor to assist in determining or determining the validity of the public keys PubKey _i corresponding to the n user terminals when the public key, the user ID, the m and n values, and the multi-signature certificate generation request message are obtained Wherein the processor records certificate execution condition data including at least the PubKey _i , the m, and the n, if the public keys PubKey _i are valid, and generates a multi-signature location identifier PrivTxidABC corresponding to the certificate execution condition data create or support to generate and cause the by transmitting the multi-signature location identifier PrivTxidABC generated in the n user terminals, the user terminal U _i, respectively by the PrivKey _i private key (private key) corresponding to the PubKey _i Sign the multi-signature location identifier PrivTxidABC and generate a multi-signature Normal value identifier signature value s SigPrivKey _i If (PrivTxidABC) support to produce, and the generated the multi-signature location identifier signature value SigPrivKey _i (PrivTxidABC) is obtained, the multi-signature location identifier signature value s SigPrivKey _i (PrivTxidABC) And if it is determined that the multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) are normally signed, the certificate execution condition data, the multi-signature location identifier signature values, and the multi- The hash value generated from the identifier is registered or registered in the public block chain database.

According to another aspect of the present invention, a public key corresponding to each of n (> 1) user terminals U _i (i = 1, ..., n) a multi-signature certificate generation request message, which is a message for requesting the generation of a certificate based on the user ID, the value of m, the value of n, and the m: n multiple signature, is directly or indirectly obtained, public keys corresponding to the terminal PubKey _i, wherein m and certificate execution condition data including said n is written to the multi-signature location identifier PrivTxidABC corresponding to the certificate, the execution condition data is generated, wherein, by the user terminal U _i, respectively the private key (private key) and then by _i the PrivKey said multiple signature location identifier PrivTxidABC is to create the signed result is a multi-signature location identifier SigPrivKey signature value _i (PrivTxidABC), corresponding to the _i PubKey Signature certificate approval request message, which is a message requesting approval of the certificate by the m: n multiple signatures, in the state that the certificate execution condition data, the multiple signature location identifier signature values, and the multiple signature location identifier are registered Or indirectly, And when the multi-signature certificate approval request message is obtained, the multi-signature location identifier PrivTxidABC corresponding to the certificate by the m: n multiple signatures and the approval object information TI generated for the approval request are transmitted to the n user terminals And transmits each of the at least m user terminals U _i of the n user terminals with the PrivKey _i to sign the approval target information TI or the processed value TI ' A value SigPrivKey _i (TI or TI '), wherein the processor is configured to determine whether the approval target information signature value SigPrivKey _i (TI or TI') of each of the at least m user terminals U _i is obtained , (i) the at least m of the user terminal U _i each of said authorized destination information sign value _{SigPrivKey i (TI or TI ')} , (ii) subject the grant Beam TI or by processing this value TI ', and (iii) by determining the validity of the certificate to the multi-signature location identifier PrivTxidABC by reference, supports the use of the certificate.

According to another aspect of the present invention, there is provided an authentication support server for destroying a certificate in a service for providing and using a certificate by m: n (m-of-n) multiple signatures, a public key corresponding to n (> 1) user terminals U _i (i = 1, ..., n), a user ID corresponding to the remaining n-1 user terminals, , A value of n, and a request for generating a certificate based on the m: n multiple signatures are directly or indirectly obtained, and the public keys PubKey _i , wherein m and a private key (private wherein n certificate execution condition data including a is recorded multiple signature location identifier PrivTxidABC corresponding to the certificate, the execution condition data is generated, by the user terminal U _i respectively corresponding to the PubKey _i key) The PrivKey _i the multi-signature location identifier after PrivTxidABC is to create the signed result is a multi-signature location identifier signature value SigPrivKey _i (PrivTxidABC), running the certificate condition data, the multi-signature location identifier signature value and the multi-as A communication unit for directly or indirectly obtaining a multi-signature certificate revocation request message, which is a message for requesting destruction of a certificate by the m: n multiple signatures, with the signature location identifier registered; And when the multi-signature certificate revocation request message is obtained, the multi-signature location identifier PrivTxidABC corresponding to the certificate by the m: n multiple signatures and the destroy request information RR generated for the request of the revocation are transmitted to the n user terminals So that each of at least m user terminals U _i of the n user terminals can sign the destroy request information RR or the processed value RR 'using the PrivKey _i, and outputs the destroy request information signature A value SigPrivKey _i (RR or RR '), wherein the processor is configured to determine whether the destroy request information signature value SigPrivKey _i (RR or RR') of each of the at least m user terminals U _i is obtained , (i) the at least m of the user terminal U _i each of the destroy request information sign value _{SigPrivKey i (RR or RR ')} , (ii) the destruction request (Iii) judging validity of the certificate with reference to the multi-signature location identifier PrivTxidABC, and if the certificate is valid, decrypting the certificate revocation record data < RTI ID = 0.0 > The certificate revocation history data includes (i) the signature request value SigPrivKey _i (RR or RR ') of each of the at least m user terminals U _i , (ii) the revocation request information RR or a value RR And (iii) the hash value of the multi-signature location identifier PrivTxidABC is registered or registered in the public block chain database.

According to the method of the present invention, it is possible to provide a service of a certificate in which a multi-signature condition, which is capable of replacing an existing authorized certificate with a high degree of security and usability, can be used at low cost, have.

Further, according to the method of the present invention, a high level of security is provided through high-level encryption.

In addition, according to the method of the present invention, reliability of the certificate related information is fundamentally prevented.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention to those skilled in the art Other drawings can be obtained based on these figures without an inventive task being performed.
1 is a conceptual diagram schematically showing an exemplary configuration of an authentication support server for performing a method of providing a certificate service by multiple signatures according to the present invention.
FIG. 2 is a sequence diagram exemplarily showing a method of providing a registration service for registering a certificate by multiple signatures according to the present invention.
FIG. 3 is a sequence diagram exemplarily illustrating a method for providing an approval service of a certificate for use by a multiple-signature certificate according to the present invention.
FIG. 4 is a sequence diagram exemplarily showing a method of discarding a certificate in a service for providing and using a certificate by multiple signatures according to the present invention.

The following detailed description of the invention refers to the accompanying drawings, which illustrate, by way of example, specific embodiments in which the invention may be practiced in order to clarify the objects, technical solutions and advantages of the invention. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention.

As used herein, the term " public block chain database " refers to utilization of all the computing devices on a virtual money system, which manages a public block chain, which is a block chain widely used in the public domain as a block chain of virtual money, as a database , The authentication support server according to the present invention is accessible thereto.

In the present specification, the term " private block chain database " refers to a database that uses a block chain of virtual money, and which is not a public block chain used for the public domain but is directly managed by an authentication support server according to the present invention Refers to a database using block chains.

Also, throughout the description and claims of this invention, the word 'comprise' and variations thereof are not intended to exclude other technical features, additions, elements or steps. Other objects, advantages and features of the present invention will become apparent to those skilled in the art from this description, and in part from the practice of the invention. The following examples and figures are provided by way of illustration and are not intended to limit the invention.

Moreover, the present invention encompasses all possible combinations of embodiments shown herein. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in connection with an embodiment. It is also to be understood that the position or arrangement of the individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is to be limited only by the appended claims, along with the full scope of equivalents to which such claims are entitled, if properly explained. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

Unless otherwise indicated herein or clearly contradicted by context, items referred to in the singular are intended to encompass a plurality unless otherwise specified in the context. Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.

1 is a conceptual diagram schematically showing an exemplary configuration of an authentication support server for performing a method of providing a certificate service by multiple signatures according to the present invention.

Referring to FIG. 1, an authentication support server 100 according to an embodiment of the present invention includes a communication unit 110 and a processor 120, and may indirectly or directly communicate with a user terminal and an authentication request server.

Specifically, the authentication support server, user terminal, and authentication request server typically include a computing device (e.g., a computer processor, a memory, a storage, an input device and an output device, (Electronic information storage systems such as network attached storage (NAS) and storage area network (SAN)) and computer software (i.e., instructions that make the computing device function in a particular manner) Lt; / RTI > to achieve desired system performance.

The communication unit 110 of such a computing device can send and receive requests and responses to and from other interworking computing devices. As an example, such requests and responses can be made by the same TCP session, For example, as a UDP datagram.

In addition, the processor 120 of the computing device may include a hardware configuration such as a micro processing unit (MPU) or a central processing unit (CPU), a cache memory, and a data bus. It may further include a software configuration of an operating system and an application that performs a specific purpose.

A method for providing a certificate service by multiple signatures according to the present invention will now be described.

FIG. 2 is a sequence diagram exemplarily showing a method of providing a registration service for registering a certificate by multiple signatures according to the present invention.

Referring to FIG. 2, a method of providing a certificate registration service according to the present invention includes a public key corresponding to each of n (> 1) user terminals U _i (i = 1, ..., n) When the processed data is registered, the authentication support server transmits a public key corresponding to the user terminal U _i , a user ID corresponding to the remaining n-1 user terminals, (S205-1 to S205-3 and S210) directly or indirectly obtaining a multi-signature certificate generation request message, which is a message for requesting generation of a certificate based on the m: n multi-signature, .

2, n and m are assumed to be 3 and 2, respectively, it will be appreciated by those of ordinary skill in the art that the method according to the present invention may be extended for any number n and m.

In step S210, if at least one of the user IDs m and n received from the respective user terminals is inconsistent according to the user terminal, the authentication support server transmits a message indicating the inconsistency, that is, a certificate registration error message Transmission or transmission. This corresponds to the step of confirming whether the agreement of the conditions of the multiple signatures among the users is derived.

Next, a method of providing the registration service includes: when the public key, the user ID, the m and n values, and the multi-signature certificate generation request message are acquired, (Sb) (not shown) to determine or determine the validity of the public keys PubKey _i .

Specifically, in one embodiment, the public keys wherein said step (Sb) for determining the validity of PubKey _i, by the authentication support server, the registration of the public key RegPubKey _i or processed data them corresponding to the user terminal U _i (Sb1; not shown), and if the authentication result indicates that the registered RegPubKey _i and the PubKey _i match with each other or the RegPubKey It may comprise; a _i process the data and the processed data is the _i PubKey step (not shown Sb2) supported so as to determine or determining whether or not to agree with each other. In this embodiment, in the step Sb, if the authentication result is not registered, the authentication support server transmits a message indicating that the public key PubKey _i received from the user terminal is not registered, that is, (S280 and S285-1 to S285-3) to send or transmit an error message. The steps in this embodiment (Sb2), the RegPubKey _i and the PubKey _i does not match, or the RegPubKey _i a if not processed the processed data and the PubKey _i data coincide with each other, the authentication support server, (S280 and S285-1 to S285-3) to transmit or transmit a message indicating that the public key PubKey _i received from the user terminal is invalid, that is, a certificate registration error message, When the RegPubKey _i and the _i PubKey the match, or the RegPubKey _i the processed data and the _i PubKey the processed data to each other coincide with each other, and may be determined to be the valid public keys PubKey _i.

Next, a method of providing the registration service is characterized in that if it is determined that the public keys PubKey _i are valid, the authentication support server records certificate execution condition data including at least the PubKey _i , the m and the n, (S215) to generate or generate a multiple signature location identifier PrivTxidABC corresponding to the certificate execution condition data.

Here, the multi-signature location identifier may be generated from the certificate execution condition data through a predetermined hash function. The predetermined hash function includes MD4 function, MD5 function, SHA-0 function, SHA-1 function, SHA-224 function, SHA-256 function, SHA-384 function, SHA-512 function and HAS-160 function But is not limited thereto. For example, Triple SHA256 would be possible.

Also, the certificate execution condition data may be data obtained by sequentially concatenating m, PubKey _i, and n with a delimiter. For example, the data may be "2: PubKey1: PubKey2: Pubkey3: 3".

Next, a method of providing the registration service is characterized in that the authentication support server transmits the generated multiple signature location identifier PrivTxidABC to the n user terminals (S220 and S225-1 to S225-3) allow the terminal U _i, respectively to generate a private key, the multi-signature location identifier to sign the PrivTxidABC the result is a multi-signature location identifier signature value s SigPrivKey _i (PrivTxidABC) as a PrivKey _i (private key) corresponding to the PubKey _i (S230-1 to S230-3).

Referring again to FIG. 2, a method of providing the registration service is described below. When the generated multiple signature location identifier signature values SigPrivKey _i (PrivTxidABC) are acquired (S235-1 to S235-3) (Not shown) for the server to determine or determine whether the multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) has been successfully signed.

In the step of determining whether or not the signature is normal, whether or not the signature of the multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) can be determined with reference to the PubKey _i and the PrivTxidABC. For example, if the normal signature by whether SigPrivKey _i hash (fingerprint) included in the hash value of PrivTxidABC with the multiple signature location identifier signature value SigPrivKey _i (PrivTxidABC) calculated from (PrivTxidABC) coincide with each other using a PubKey _i Can be determined.

Next, a method of providing the registration service includes: if it is determined that the multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) is normally signed, the authentication support server transmits the certificate execution condition data, And supporting (S240, S245) to hold or retain the signature values and hash values generated from the multiple signature location identifiers in a public block chain database.

Referring again to Figure 2, a method of providing a certificate registration service in accordance with the present invention includes the steps of (i) performing the certificate execution condition data, the multiple signature location identifier signature values and the multiple signature location identifier, or (ii) And the hash value of the multi-signature location identifier is registered, the authentication support server transmits a certificate registration completion message indicating that the registration of the certificate is completed to the n user terminals (S250 and S255-1 to S255-3) for supporting the transmission or transmission of the data. At this time, the certificate registration completion message may include the multi-signature location identifier PrivTxidABC to allow the user to obtain the multi-signature location identifier PrivTxidABC.

Next, a method of providing the approval service of the certificate for use of the registered certificate as described above will be described.

FIG. 3 is a sequence diagram exemplarily illustrating a method for providing an approval service of a certificate for use by a multiple-signature certificate according to the present invention.

Referring to FIG. 3, a method of providing an approval service of the certificate includes a public key corresponding to n (> 1) user terminals U _i (i = 1, ..., n) A multi-signature certificate generation request message, which is a message requesting generation of a user ID (user id) corresponding to one user terminal, a value of m, a value of n, and a certificate based on the m: n multiple signatures, And indirectly acquiring, by the authentication support server, certificate execution condition data including public keys PubKey _i , m and n corresponding to the n user terminals are recorded and a multiple signature PrivTxidABC location identifier is generated, the user terminal U _i to the _i PubKey the private key (private key) of the result to which the multi-signature signed with a location identifier PrivTxidABC PrivKey _i values corresponding to a multi-stand by each When the position identifier signature value s SigPrivKey _i (PrivTxidABC) is generated, from the certificate execution condition data, the multiple signature location identifier signature value and a condition that is registered the multi-signature location identifier, that the authentication support server, the m : n directly or indirectly acquiring a multi-signature certificate approval request message (S305), which is a message requesting approval of a certificate by multi-signature.

Meanwhile, the certificate execution condition data, the multi-signature location identifier signature values, and the multi-signature location identifier may be stored in any storage unit, but may be assumed to be registered in a private block chain database in some cases . In one embodiment of the present invention for verifying the integrity of the contents of a certificate registered in the private block chain database, a method of providing the approval service may include: a step of, when the authentication support server generates the private block chain PrivTxidABC, (I) the certificate execution condition data obtained from the chain database, (ii) the multiple signature location identifier signature values, and (iii) the hash value computed from the multiple signature location identifier is associated with the predetermined signature associated with the multiple signature location identifier PrivTxidABC (Sb0; not shown) to determine or determine whether the hash value obtained from the public block chain database corresponds to each other using the transaction ID; And a step (Sb1; not shown) of supporting the authentication support server to determine or determine that the integrity of the certificate is damaged if the determination result does not correspond to each other.

In this embodiment, the step (Sb0) may be such that the authentication support server extracts the certificate execution condition data from the private block chain database using the multi-signature location identifier PrivTxidABC corresponding to the certificate by the m: Performing a process (Sb0-1; refer to a process for referring to a transaction ID associated with the multi-signature location identifier PrivTxidABC, a process for obtaining or obtaining the multi-signature location identifier signature values and the multi-signature location identifier; Not shown); And a step (Sb0-2; not shown) of the authentication support server obtaining an OP_RETURN message from the public block chain database using the transaction ID. In this case, the step (Sb1) If the hash value generated using the certificate execution condition data, the multiple signature location identifier signature values, and the multiple signature location identifier obtained from the private block chain database does not correspond to the hash value included in the OP_RETURN message, The support server may be configured to determine whether or not the integrity of the certificate is determined to be damaged.

In the next step, the method for providing the approval service may include receiving the multi-signature certificate approval request message, acquiring the multi-signature certificate approval request message, , The authentication support server transmits the multi-signature location identifier PrivTxidABC corresponding to the certificate by the m: n multiple signatures and the approval object information TI generated (S310) to the approval request to the n user terminals (S315, S320-1 to S320-3), thereby allowing each of at least m user terminals U _i of the n user terminals to receive the approval object information TI or the processed value TI 'as the PrivKey _i (Steps S325-1 to S325-3) to generate an approval target information signature value SigPrivKey _i (TI or TI '), which is a result of the signature, .

Here, the approval object information TI may include at least one of the approval request time and the randomly generated nonce, but it should be understood by those skilled in the art. The nonce value may be a random value intended to be used once or a value obtained by processing it.

Specifically, in the steps S310 to S325-3, the authentication support server determines whether the PrivTxidABC obtained directly or indirectly from the user terminal or data processed by the PrivTxidABC is registered, and if the result of the determination And if the certificate is not registered, the authentication support server transmits or transmits a certificate approval error message indicating that the approval of the certificate has failed to the user terminal.

Next, a method of providing an approval service of the certificate includes: when the approval target information signature value SigPrivKey _i (TI or TI ') of each of the at least m user terminals U _i is acquired (S330) (i) the approval object information signature value SigPrivKey _i (TI or TI ') of each of the at least m user terminals U _i , (ii) the approval object information TI or the processed value TI' (S335) of using the certificate by determining the validity of the certificate with reference to the signature location identifier PrivTxidABC (S335).

In one embodiment, the step (S330; S335) determines whether the certificate support server has already registered the hash value of the certificate revocation history data or the certificate revocation history data indicating that the certificate has been revoked The authentication support server transmits a certificate approval error message indicating that the approval of the certificate has failed to the user terminal including the at least m user terminals . Although the certificate may be used several times, if it is used only once, it is necessary to check whether the certificate has already been approved. In this case, the authentication support server may further assist in determining or determining whether or not the hash value of the certificate approval completion record data or the certificate approval completion record data is already registered, and if it is determined that the hash value has already been registered , The authentication support server may support or forward a certificate approval error message indicating that the approval of the certificate has failed to the user terminal including the at least m user terminals.

In another embodiment, which may be combined with the above-described embodiment, the step (S330: S335) may be such that the authentication support server includes a RegPubKey _i corresponding to each of the user terminals including the at least m user terminals, Supporting to confirm or confirm whether or not one data is registered; The check results, which is a registered state, the authentication support server, processing, or whether the RegPubKey _i that the above-the obtained RegPubKey _i and to the at least m of the user directly or indirectly from the terminal registration PubKey _i coincide with each other data And determining whether or not the data processed by the PubKey _i are in agreement with each other; The RegPubKey _i and the PubKey _i coincide with each other, or the RegPubKey _i the processed data and the PubKey _i the processed if the data coincide with each other, the authentication support server, the approved destination information TI or processing this value TI whether normal sign of ", and the at least m of the user terminal U _i, respectively by the PubKey _i with reference to the at least m of the user terminal U _i each of the said authorized destination information sign value corresponding to SigPrivKey _i (TI or TI ') ; And if the approval target information signature value SigPrivKey _i (TI or TI ') is normally signed, the authentication support server judges that the certificate is valid, and if the approval target information signature value SigPrivKey _i (TI or TI') is If not, the authentication support server can determine the validity of the certificate by including the step of determining that the certificate is invalid.

After the step (S330; S335), if the certificate is valid, the authentication support server sends (i) the approval target information signature value SigPrivKey of each of the at least m user terminals U _{i i (TI or TI '),} (ii) the authorization object information TI or by processing this value TI', and (iii) the multi-signature location identifier PrivTxidABC the hash value of the certificate authorization complete record data indicating that authorization is completed in the certificate (S340, S345) to register or register in the public block chain database.

The method of providing the approval service of the certificate may include transmitting a certificate approval completion message indicating that the approval of the certificate is completed to the user terminal including the at least m user terminals under the condition that the certificate is valid (S350 and S355-1 to S355-3) to allow the user to transmit or receive the message. In this case, the certificate approval completion message may include the PrivTxidABC.

Finally, a method of discarding the registered certificate will be described. FIG. 4 is a sequence diagram exemplarily showing a method of discarding a certificate in a service for providing and using a certificate by multiple signatures according to the present invention. 4, the certificate revocation method includes a public key corresponding to n (> 1) user terminals U _i (i = 1, ..., n) A multi-signature certificate generation request message, which is a message requesting the generation of a certificate based on the user ID (user id), the value of m, the value of n, and the m: n multiple signature, is directly or indirectly acquired The support server records certificate execution condition data including public keys PubKey _i , m and n corresponding to the n user terminals, generates a multiple signature location identifier PrivTxidABC corresponding to the certificate execution condition data, Which is a result obtained by signing the multi-signature location identifier PrivTxidABC as PrivKey _i , which is a private key corresponding to the PubKey _i , by each of the user terminals U _i , SigPri After the vKey _i (PrivTxidABC) is generated, the authentication support server transmits the certificate execution condition data, the multi-signature location identifier signature values, and the multi-signature location identifier to the m: n multiple signatures (S405-1 to S405-3) directly or indirectly obtaining a multi-signature certificate revocation request message, which is a message requesting destruction of a certificate by the certificate authority; When the multi-signature certificate revocation request message is obtained, the authentication support server generates the multi-signature location identifier PrivTxidABC corresponding to the certificate by the m: n multiple signatures and the destroy request information (S410) generated It supports to transfer the RR to the n user terminals, transmitted (S420-1 to S420-3) by causing the at least one user terminal m of the n user terminals U _i each of the discarded information requested by the RR or PrivKey _i (S425-1 to S425-3) signing the processed value RR 'to generate a destroy request information signature value SigPrivKey _i (RR or RR') which is a result thereof; At least m of the user terminal U _i each of the destroy request information sign value SigPrivKey _i (RR or RR ') when received, the authentication support server, (i) the at least m of the user terminal U _i each of the destroy request Determining whether the certificate is valid by referring to the information signature value SigPrivKey _i (RR or RR '), (ii) the destroy request information RR or the value RR' processed therefrom, and (iii) the multiple signature location identifier PrivTxidABC S435); And if the certificate is valid, the authentication support server generates certificate revocation history data indicating that revocation of the certificate has been completed, the certificate revocation history record data includes (i) the revocation request information of each of the at least m user terminals U _i The hash value of the signature value SigPrivKey _i (RR or RR '), (ii) the destroy request information RR or the processed value RR' and (iii) the multi-signature location identifier PrivTxidABC to the public block chain database (Step S450 and step S455).

Therefore, the process of discarding is substantially the same as the process of the approval, and only the configuration and effect when the certificate revocation completion record data and the certificate approval completion record data are pre-registered are different as described below.

Specifically, in one embodiment, the step (S435) supports the authentication support server to determine or determine whether the hash value of the certificate revocation history data or the certificate revocation history data is already registered, As a result of the determination, if the certificate has been previously registered, the authentication support server supports to transmit or transmit a certificate revocation error message indicating that the revocation of the certificate is unnecessary to the user terminal including the at least m user terminals .

In another embodiment, which may be combined with the above-described embodiment, the step (S435) may be such that the authentication support server determines whether the certificate approval completion record data indicating that the certificate has been approved or the hash value of the certificate approval completion record data Wherein the authentication support server is configured to perform a certificate revocation process for indicating to the user terminal including the at least m user terminals that the revocation of the certificate is unnecessary, And to forward or forward an error message.

Throughout all of the embodiments of the present invention described above, it is possible to replace an existing public certificate with a high degree of security and usability, at low cost, and a configuration relating to a multi-signature condition, It is effective.

The advantage of the technique described here as the above embodiments is that the authentication of the authentication-related information such as the public key and the hash value is virtually impossible, and thus the authenticity of the certificate is guaranteed, The reliability of the use of the certificate is also guaranteed, and information corresponding to the certificate-related information-certificate and the use approval / revocation information of the corresponding certificate can be recorded in the database, thereby contributing to the prevention of conflicts using the same.

Based on the description of the above embodiments, one of ordinary skill in the art can clearly understand that the present invention can be accomplished through a combination of software and hardware, or achieved by hardware alone. Objects of the technical solution of the present invention or portions contributing to the prior art can be implemented in the form of program instructions that can be executed through various computer components and recorded on a computer-readable recording medium. The computer-readable recording medium may include program commands, data files, data structures, etc., alone or in combination. The program instructions recorded on the computer-readable recording medium may be those specially designed and constructed for the present invention or may be available to those skilled in the art. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, media, and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be configured to operate as one or more software modules for performing the processing according to the present invention, and vice versa. The hardware device may include a processor, such as a CPU or a GPU, coupled to a memory, such as ROM / RAM, for storing program instructions, and configured to execute instructions stored in the memory, And a communication unit. In addition, the hardware device may include a keyboard, a mouse, and other external input devices for receiving commands generated by the developers.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, Those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.

Therefore, the spirit of the present invention should not be construed as being limited to the above-described embodiments, and all of the equivalents or equivalents of the claims, as well as the following claims, I will say.

Claims (1)

A method of providing a registration service of a certificate by m: n (m-of-n) multiple signatures using m user terminals among n user terminals,
(a) In a state where a public key corresponding to each of n (> 1) user terminals U _i (i = 1, ..., n) or data processed by the public key is registered, A public key corresponding to the user terminal U _i , a user ID corresponding to the remaining n-1 user terminals, a value of m, a value of n, Obtaining a multi-signature certificate generation request message, which is a message requesting generation of a certificate;
(b) when the public key, the user ID, the m and n values, and the multi-signature certificate generation request message are obtained, the authentication support server determines validity of the public keys PubKey _i corresponding to the n user terminals Or to allow other devices associated with the authentication support server to make a determination;
(c) if the public keys PubKey _i are determined to be valid, the authentication support server records certificate execution condition data including at least the PubKey _i , the m and the n, and generates a multiple signature Generating a location identifier PrivTxidABC or enabling another device associated with the authentication support server to generate the location identifier PrivTxidABC;
(d) The authentication support server transmits the generated multi-signature location identifier PrivTxidABC to the n user terminals, thereby allowing each of the user terminals U _i to transmit a private key corresponding to the PubKey _i , PrivKey _i Signing the multi-signature location identifier PrivTxidABC to generate multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) as a result thereof;
(e) If the generated multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) are obtained, the authentication support server determines whether the multi-signature location identifier signature values SigPrivKey _i (PrivTxidABC) Supporting other devices associated with the support server to determine; And
(f) if it is determined that the multiple signature location identifier signature values SigPrivKey _i (PrivTxidABC) is normally signed, the authentication support server sends the certificate execution condition data, the multiple signature location identifier signature values, Registering the hash value generated by the authentication support server in the public block chain database or registering the hash value generated by the authentication support server with the authentication support server;
, ≪ / RTI &
The step (b)
(b1) the step of supporting the authentication support server, the user terminal U _i determine whether the registration of the public key RegPubKey _i or processed data corresponding to it or to determine other causes the device to be indexed to the authentication support server in; And
(b2) if said checking results, registered, the authentication support server, the registration of the RegPubKey _i and the PubKey _i are processed data whether or the RegPubKey _i a and the PubKey _i by processing data match each other, Determining whether or not they match with each other or assisting another device associated with the authentication support server to determine;
≪ / RTI >

Images