KR20180087739A - A FIDO authentication device capable of identity confirmation or non-repudiation and the method thereof - Google Patents

Abstract

The present invention relates to an FIDO authentication device capable of confirming an identity or ensuring non-repudiation, and a method thereof. The FIDO authentication device capable of confirming an identity or ensuring non-repudiation comprises: a biometric information input unit receiving biometric information; a personal key generation and registration unit generating a key pair of a personal key and a public key, storing the personal key, and transmitting the public key to an FIDO server; a biometric authentication mapping unit setting the biometric information, the personal key, a service, and a user ID as one mapping information, and storing the set mapping information in a mapping table; a biometric information verification unit comparing the received biometric information with the biometric information stored in the mapping table to determine whether to verify the biometric information based on whether the two pieces of biometric information are the same; and an authentication response generation unit receiving an authentication request, searching mapping information having a user ID same as the service of the authentication request in the mapping table, verifying the biometric information by using biometric information of the retrieved mapping information, and generating an authentication response by using a personal key of the retrieved mapping information when the biometric information is retrieved. According to the FIDO authentication device and the method thereof, it is possible to confirm an identity or ensure non-repudiation by mapping biometric authentication information for authenticating a user with a user certificate or a certificate key pair and connecting the biometric authentication information with the personal key (or the certificate).

Description

[0001] The present invention relates to a FIDO authentication device capable of performing authentication or non-repudiation,

The present invention relates to an FIDO authentication apparatus and method capable of performing identity verification and non-repudiation of identity and non-repudiation of a biometric data by performing biometric authentication by mapping biometric data and a private key.

In general, FIDO (Fast Identity Online) is a standard for a new authentication system that allows authentication to be handled through a simple procedure, which can not be replaced by fingerprint recognition, iris recognition, or face recognition, to be. FIDO authentication is basically an authentication scheme used to solve the vulnerability of system using ID and password. It is not a password that a user should memorize, but something that he or she owns, for example, biometrics such as fingerprint Is used as a password to further enhance security.

FIDO uses public key cryptography. That is, when a user selects an authentication method and registers it, a new key pair is created and stored. At this time, authentication data is not transmitted to the server. For example, when authentication is performed with a fingerprint, the authentication information is generated using a corresponding private key, and the authentication information is verified with the public key stored in the server to confirm that the personal key is matched. So, if it matches, it confirms the authentication. Therefore, Fido (FIDO) is not a method to check whether the fingerprint that has been used for authentication is transmitted to the server and matches the fingerprint previously registered.

In other words, FIDO authentication uses public key infrastructure (PKI) technology as a base technology for users to access service providing system, but users do not need to know PKI use or public and private keys to use. Due to this characteristic, an additional user device (hereinafter referred to as an FIDO authentication device) called an authenticator is required at the time of authentication. The FIDO authentication device securely stores the private key for logging into the service providing system.

The FIDO authentication apparatus does not limit the form such as H / W or S / W, and it can be determined directly by the service provider. At this time, the service provider can set the security level required for providing the service, compared with the security level that the FIDO authentication device can provide, using the FIDO authentication device allow and block policy.

In addition, since biometric information and a private key are stored in the FIDO authentication device and only the public key portion is stored in the FIDO server, even if the server is hacked, there is nothing that can be done as a user public key. The user needs to access the private key in the FIDO authentication device to access the service to be used, and performs authentication on the FIDO authentication device to access the corresponding private key. At this time, although the FIDO does not limit the means of authentication (hereinafter, local user authentication device), it is in the spotlight by using authentication using biometric information such as fingerprint. However, by using the fingerprint device of the smart phone as the FIDO authentication device, it is impossible to authenticate that the previously registered fingerprint is the fingerprint of the service user. Therefore, when it is necessary to specify the user such as financial transaction, And adverse effects that can not prevent the denial of the user's actions.

In order to solve the above problems, there is proposed a technology for performing identification of a user or denial of a user's behavior in addition to user authentication by performing digital signature and certificate verification using a certificate in addition to FIDO authentication when performing FIDO authentication [Patent Document 1].

However, the conventional FIDO authentication device technology such as the above-described technology has a separate user authentication procedure (a user authentication process by biometric information matching) and a user key pair generation procedure (or a certificate generation / storage process). Therefore, a user other than the user who is the principal of the certificate (or the key pair) can register the user verification data (biometric information). For this reason, there is a problem that the FIDO authentication device of the related art such as the above-described prior art can not be used for authentication or transaction signing.

Korean Patent No. 10-1611872 (Announcement of Apr. 12, 2014)

An object of the present invention is to solve the above-mentioned problems, and it is an object of the present invention to provide a biometric authentication system capable of performing identification and non-repudiation at the time of biometric data authentication by mapping biometric data and a private key, FIDO authentication apparatus and method therefor.

Particularly, it is an object of the present invention to provide a biometric authentication system in which biometric authentication data and a private key (or a certificate) are mapped after registration of biometric data with user authentication data, And to provide a possible FIDO authentication apparatus and method therefor.

According to another aspect of the present invention, there is provided a FIDO authentication device, comprising: a FIDO protocol extension unit configured to set a changeability policy set by a service in a conventional FIDO authentication device standard; The present invention provides a FIDO authentication apparatus and method that can perform identification or non-repudiation of a user, which restricts the registration / modification / deletion of the FIDO.

In order to accomplish the above object, the present invention provides an FIDO authentication device which is called by a FIDO client and communicates with an FIDO server through the FIDO client, the biometric information input part receiving biometric information; Generating a private key and a key pair of the public key, storing the private key, and transmitting the public key to the FIDO server; A biometric authentication mapping unit for setting biometric information, a private key, a service, and a user ID as one mapping information and storing the set mapping information in a mapping table; A biometric information verification unit comparing the input biometric information with biometric information stored in a mapping table to determine whether to verify whether the biometric information is the same or not; And searching the mapping table for the mapping information having the same user ID as the service of the authentication request, verifying the biometric information using the biometric information of the retrieved mapping information, and searching the biometric information, And an authentication response generator for generating an authentication response using the private key of the authentication server.

According to another aspect of the present invention, there is provided an FIDO authentication apparatus capable of performing identification or non-repudiation, wherein the biometric authentication mapping unit, when a real name authentication is confirmed, requests mapping information for biometric information to the mapping table Is registered.

The FIDO authentication apparatus may further include a change policy in which the mapping information of the mapping table is set to be changeable or unchangeable, The mapping information for the biometric information is registered in the mapping table only by the registration procedure for performing the real name authentication when the change policy of the biometric information is set to be unchangeable.

The present invention also relates to a FIDO authentication method capable of performing an identification or non-repudiation prevention by an FIDO authentication device, a FIDO client, a service client, a service server, and an FIDO server, wherein (a1) And requesting FIDO registration; (a2) the service client performing real name authentication on the user in cooperation with the service server; (a3) when the real name authentication is completed, the service client requests the service server to open a service, the service server opens a service for the user, and sets a user ID for identifying the service; (a4) the service client requests the FIDO server to register the FIDO, the FIDO server requests the FIDO client to register the FIDO, and transmits the registration policy together when requested; (a5) the FIDO client calls a FIDO authentication device according to a registration policy; (a6) The FIDO authentication device receives the user's biometric information, generates a user's private key and a public key, generates one mapping information of the service, the user ID, the private key, and the inputted biometric information, ; (a7) the FIDO authentication apparatus generates a registration response, and transmits the generated registration response and the user public key to the FIDO server through the FIDO client; And (a8) the FIDO server verifying the registration response and storing the user public key when verified.

According to another aspect of the present invention, there is provided an FIDO authentication method capable of identifying or preventing non-repudiation, the method comprising the steps of: (b1) requesting a service request from a user, (b2) the service server requests the FIDO server to start FIDO authentication, the FIDO server generates a challenge value, and transmits a FIDO authentication request to the FIDO client, together with the challenge value and the authentication policy ; (b3) the FIDO client invoking the FIDO authentication apparatus according to the authentication policy; (b4) receiving the biometric information of the user and determining whether biometrics authentication is performed in comparison with the biometric information of the input biometric information and the mapping information stored in the mapping table; (b5) If the biometric authentication is successful, the FIDO authentication device accesses the user private key of the corresponding mapping information, generates an authentication response using the user private key, and transmits the generated authentication response to the FIDO server through the FIDO client ; (b6) the FIDO server verifies the authentication response with the public key of the user, and transmits the verification result to the service server; And (b7) the service server permitting and providing the requested service if the verification result is successful.

According to another aspect of the present invention, there is provided an FIDO authentication method capable of identifying or preventing non-repudiation, the method comprising the steps of: (c1) receiving a biometric information re-registration request from the service client; (c2) the service client performing real name authentication on the user in cooperation with the service server; (c3) receiving the list of the user authentication devices from the FIDO server through the service server and selecting one of the user authentication devices from the authentication device list; (c4) the FIDO server receives the selected user authentication device and disables the selected user authentication device for the user authentication device; (c5) when the service client requests the FIDO client to re-register the biometric information, the FIDO client calls the user authentication device according to the re-registration request; (c6) the FIDO authentication device receives the user's biometric information and updates the mapping table with the inputted biometric information; (c7) the FIDO authentication device generates and transmits a biometric information re-registration completion message to the service client; And (c8) the service client displaying the re-registration completion result.

The FIDO authentication method according to the present invention is characterized in that the communication between the FIDO client and the FIDO server is performed by relaying the service client and the service server.

Further, the present invention is characterized in that the biometric information is biometric information by iris recognition or fingerprint recognition in a FIDO authentication method capable of identification or non-repudiation.

According to another aspect of the present invention, there is provided an FIDO authentication method capable of performing identification or non-repudiation, wherein the registration response includes a certificate and a signature value of the FIDO authentication apparatus, and in the step (a8) And the authentication device verification is also performed.

As described above, according to the FIDO authentication apparatus and method according to the present invention, the biometric authentication information for user authentication is mapped to a user certificate or a certificate key pair, so that the biometric authentication information and the private key Certificate) can be connected to each other to obtain identity verification or non-repudiation prevention.

Particularly, according to the FIDO authentication apparatus and method of the present invention capable of confirming identity or non-repudiation, the biometric authentication information and the private key (or certificate) are mapped and registered after the face-to- When the user is authenticated, it is possible to guarantee that the user is the identified user by signing with the private key retrieved from the registered biometric information after the confirmation of the real name. Also, at the transaction confirmation of the transfer or the payment amount, The signature can be signed with the key to provide an effect of preventing non-repudiation.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a block diagram of a configuration of an overall system for performing an FIDO authentication apparatus capable of identity verification or non-repudiation according to the present invention; FIG.
2 is a block diagram of a configuration of a user authentication apparatus according to an embodiment of the present invention;
3 is a table showing an example of a mapping table according to an embodiment of the present invention;
4 is a flowchart illustrating a mapping information registration method for FIDO authentication according to an embodiment of the present invention.
5 is a flow chart illustrating a FIDO authentication method capable of identity verification or non-repudiation according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating a biometric information re-registration method according to an embodiment of the present invention; FIG.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the drawings.

In the description of the present invention, the same parts are denoted by the same reference numerals, and repetitive description thereof will be omitted.

First, a configuration of an overall system for performing an FIDO authentication apparatus capable of identity verification or non-repudiation according to the present invention will be described with reference to FIG.

1, the overall system for implementing the present invention includes a user terminal 10 such as a smart phone, a service client 11 and a FIDO client 20 installed in the user terminal 10, And a FIDO server 60 that performs FIDO authentication. The FIDO authentication unit 30 is a device that performs authentication using the FIDO authentication method. The user terminal 10 and the service server 50 or the FIDO server 60 transmit and receive data through the network 40.

First, the user terminal 10 is a terminal used by a user to receive a service, and is a general computer terminal or a dedicated terminal having a computing function such as a smart phone, a tablet PC, a notebook computer, and a personal computer (PC).

The user terminal 10 is provided with a service client 11 for receiving a service from a user and an FIDO client 20 for processing FIDO authentication. That is, the service client 11 and the FIDO client 20 are an application, an application, or a program system installed in the user terminal 10. The FIDO authentication device 30 may be provided in the user terminal 10 or may be configured as a separate device from the user terminal 10.

The service client 11 is a client module (or client system) for accessing the service server 50 to receive a service, and is a web browser, a service app (or an application) for receiving a service, and the like.

The service client 11 accesses the service server 50 to use the service provided by the service provider and transmits an authentication request received from the service server 50 to the FIDO client 20 ). In addition, the service client 11 transmits the authentication response received from the FIDO client 20 to the service server 50 in response to the authentication request. That is, the service client 11 and the service server 50 relays between the FIDO client 20 and the FIDO server 60 for FIDO authentication.

The FIDO client 20 is a client module (or system) for performing FIDO authentication by communicating with the FIDO server 60 by the FIDO protocol. That is, the FIDO client 20 communicates with the FIDO server 60 or the FIDO authentication device 30 according to a standard specified in the FIDO protocol. In particular, the FIDO client 20 has an ASM (Authenticator Specific Module) module, and exchanges authentication information with the FIDO authentication device 30 through the ASM interface.

When the FIDO client 20 receives an authentication request from the FIDO server 60 or the service server 50 or the service client 11, the FIDO client 20 requests the FIDO authentication device 30 to perform FIDO authentication in accordance with the authentication request, And receives and returns an authentication response that is the result.

Preferably, the FIDO client 20 accesses the service server 50 to confirm that the service client 11 is a trusted service client, and transmits the service client 50 to the FIDO client 20 and the FIDO authentication device 30, 11) can receive a list of app IDs.

Preferably, in the FIDO standard version 2.0, since the FIDO client 20 and ASM can be included in the operating system and the browser, the service client 11 requests FIDO authentication to the operating system or browser including the FIDO client 20 and ASM It performs FIDO authentication through the FIDO authentication device 30 or the external FIDO authentication device 30 in the operating system or the browser and transmits the result to the service client 11 through the operating system or the browser.

The FIDO authentication device 30 uses a biometric device (or a biometric module) for recognizing a living body as an apparatus for recognizing or receiving a user's biometric data and using it for user authentication. The FIDO authentication device 30 may be provided with a biometric device (or a biometric module) directly, or a biometric device provided in the user terminal 10 may be used. The biometric device is a device for recognizing a living body such as a face recognition device, a voice recognition device, an EEG authentication device, a heartbeat authentication device, a fingerprint recognition device, and an iris recognition device. For example, in the case of SAMSUNG PHASE, the fingerprint recognition device is attached to the user terminal 10 such as a smart phone.

In addition, the FIDO authentication apparatus 30 can use a self storage medium as a repository, or use a storage device in the user terminal 10. [ For example, the FIDO authentication device 30 can use a storage device in the user terminal 10, such as a security area of Android, a security chip memory, etc. as a storage. Also, roaming of the FIDO authentication device 30 and the repository is allowed if the channel is secured. The implementation form of the FIDO authentication device 30 is not restricted.

The FIDO authentication apparatus 30 has a mapping table for mapping biometric data (or biometric information) and an authentication private key (or certificate). Biometric information is data for recognizing a living body. That is, the input biometric data is compared with the stored biometric data to confirm whether the registered user is biometric. The private key or authentication private key is the private key of the asymmetric key of the public key infrastructure (PKI). The private key may be generated when biometric information is registered, or may be a private key of a previously generated asymmetric key of the user. Alternatively, it may be a private key used for a user's certificate (including a public certificate). Upon receiving the authentication request, the FIDO authentication device 30 performs biometric authentication based on the biometric information. If the biometric authentication is successful, the FIDO authentication device 30 generates an authentication response based on the private key mapped to the biometric authentication.

Preferably, the FIDO authentication device 30 further maps the service (or service and user ID) to the mapping of the biometric information and the private key. That is, biometric information, a private key, a service ID (service identification information such as an application ID), and a user ID are mapped and stored in the mapping table. In this case, when the FIDO authentication device 30 receives the authentication request, the FIDO authentication device 30 performs biometric identification based on the biometric information mapped to the service and the user ID. If the biometric authentication is successful, the FIDO authentication device 30 generates an authentication response do.

Next, the service server 50 is a server for providing the service by the service provider, and provides the service according to the request of the service client 11 to which the service server 50 is connected. When authentication is required for the service provision requested by the service client 11, the service server 50 requests the FIDO server 60 to generate an authentication request. The service server 50 transmits the authentication request received from the FIDO server 60 to the service client 11.

Preferably, the service (or service identification information) may be included in the authentication request. That is, the service included in the authentication request indicates which service requests authentication. For example, when the service server 50 is the banking service of the "A bank", information (service identification information) indicating the service such as "A bank" is included in the authentication request.

According to the FIDO standard, a FIDO protocol message can be wrapped when a service provider transmits it. At this time, signature target information for signature can be additionally sent. For example, in response to a FIDO authentication request, an option may optionally be signed by the information provided by the service provider or transmitted.

In addition, the service server 50 transmits the authentication response received from the service client 11 to the FIDO server 60.

In addition, the service server 50 receives from the FIDO server 60 the verification result of the authentication response generated by the FIDO client 20, with respect to the service access request from the service client 11, do. In addition, the service server 50 receives the verification result of the authentication response of the service client (or the FIDO client) from the FIDO server 60 to verify the identity of the user or the non-repudiation of the user's action.

Next, the FIDO server 60 generates an authentication request for the authentication request generation request received from the service server 50. [ The FIDO server 60 transmits the generated authentication request to the service server 50, the service client 11, or the FIDO client 20.

The FIDO server (60) verifies the authentication response generated by the FIDO client (20). At this time, the FIDO server 60 receives the authentication response from the service server 50. The FIDO server 60 transmits the authentication response verification result to the service server 50.

Further, the FIDO server 60 verifies the authentication response according to the FIDO standard. At this time, the public key and the private key (or the asymmetric key) used for the FIDO authentication are asymmetric keys registered after the real name verification. Therefore, the public key and private key (or asymmetric key) for FIDO authentication act as the user's certificate. Thus, the digital signature by the asymmetric key (or private key) for FIDO authentication can be used for identification or non-repudiation.

Next, a configuration of the FIDO authentication apparatus 30 according to an embodiment of the present invention will be described with reference to FIG.

2, the FIDO authentication apparatus 30 includes a biometric information input unit 31 that receives biometric data (or biometric information), a private key generation and registration unit 32 that generates and registers a private key (or a certificate) A biometric authentication mapping unit 33 for mapping the private key and the biometric information, a biometric information verification unit 34 for verifying (recognizing) the inputted biometric information, and an authentication response generating unit for generating an authentication response for the authentication request 35). In addition, it may further include a storage 39 for storing biometric information, a private key, a mapping table, and the like. In addition, the FIDO authentication apparatus may further include a device authentication management unit 36 for storing and managing device authentication information of the FIDO authentication device itself.

First, the biometric information input unit 31 receives biometric data (or biometric information) from the biometric device or the biometric module 15. The biometric device (module) 15 is a device for recognizing a living body such as a face recognition device, a voice recognition device, an EEG authentication device, a heartbeat authentication device, a fingerprint recognition device, and an iris recognition device. The biometric module 15 may be configured in the FIDO authentication device 30 or the user terminal 10 or the like. The inputted biometric information is biometric data recognized by the biometric module 15 such as a fingerprint recognition device and an iris recognition device.

Next, the private key creation registration unit 32 generates a key pair (a private key and a public key) at the time of user registration, maps the private key to biometric information, stores it in the storage 39, and transmits the public key to the FIDO server 50 .

The private key is the private key of the key pair generated by the private key creation registration unit 32 of the FIDO authentication device 30. [

Next, the biometric authentication mapping unit 33 maps the inputted biometric information and the generated private key and registers them in the mapping table. Preferably, the service (or service identification information) and the user ID are mapped and registered.

As shown in FIG. 3, the mapping table is mapped to biometric information, service (or service identification information), a user ID, a private key, and the like. Preferably, a change policy is added to each mapping and can be mapped. The mapping table is stored in the secure storage 39. In addition, data for user authentication such as biometric information and a private key are also stored in the storage 39.

Preferably, the biometric authentication mapping unit 33 receives the change policy from the service server 50, and registers the mapping content in the mapping table according to the received change policy. The mapping information by user registration of the service provider is a mapping relation, and includes items corresponding to one row in FIG.

For example, the fingerprint authentication device and the iris authentication device may have the same structure as that of FIG. 3 and may be separately configured. In addition, since each authentication device has a storage 39, each authentication device has a separate mapping table as shown in FIGS. 3A and 3B.

In the case of the changeable policy, the fingerprint or iris data previously registered in the user terminal 10 can be used as it is. However, the owner of the fingerprint or iris can not be known, and the user terminal can be arbitrarily changed. Therefore, it can not be used for identification or non-repudiation.

In addition, in the case of the unchangeable policy, biometric information such as a fingerprint or iris is registered after confirming the real name of the user at the time of user registration. At this time, it is possible to confirm identity and non-repudiation at the time of user authentication and transaction confirmation later by setting the service, user ID, generated private key, and unchangeable property together.

In the case of the biometric information set to be unchangeable, the user is limited such that it can not be arbitrarily changed. In this case, if the user wishes to change the biometric information, he or she must perform a blindness check procedure after requesting the service provider and re-register the biometric information. By doing so, identification and non-repudiation can be continued.

On the other hand, biometric information, a service, a user ID, and a private key mapping are required when the change is impossible. When the user authenticates the service, the fingerprint authentication policy receives the fingerprint input and verifies whether the fingerprint is mapped to the service.

According to the FIDO registration and authentication policy, biometric information is registered in one or more authentication devices and the user can be authenticated by fingerprint, iris, fingerprint and iris, fingerprint or iris according to the authentication policy of the service even in user authentication. Follow the standard.

Also, the biometric authentication mapping unit 33 can change the mapping data (or mapping information) of the mapping table.

The changeable method refers to the existing FIDO method. In the existing FIDO method, the fingerprint and iris information previously registered in the user terminal is used as it is. In addition, the FIDO authentication apparatus can not control the change of the corresponding information, and the biometric information can be changed at any time in the setting of the user terminal. A changeable policy means that the user can change the biometric information at any time. At this time, the reason for mapping is that the biometric information used at the time of registration can be known, and the service can be informed of whether the biometric information is authenticated at the time of authentication. Through this, it is possible to judge whether the registrant and the certifier are the same, although it is not at the level of identification and non-repudiation.

Next, the biometric information verification unit 34 verifies the inputted biometric information against the stored biometric information. That is, when the user inputs the biometric information through the biometric module 15, the biometric information verification unit 34 compares the inputted biometric information with the stored biometric information and determines whether the biometric information is identical (or matched) Determine whether or not to verify.

Next, the authentication response generation unit 35 generates an authentication response for the authentication request.

In particular, the authentication response generation unit 35 confirms whether the biometric information is verified by the biometric information verification unit 34, and searches the mapping table for the private key matched with the verified biometric information. The authentication response generation unit 35 generates an authentication response using the retrieved private key.

Preferably, the authentication response generator 35 checks the service (service identification information) requesting the authentication request and the user ID, and checks whether the matching service, the user ID, and the verified biometric information match Retrieve the private key.

The authentication response generation unit 35 generates an authentication response according to a normal FIDO standard. The authentication response is a message containing a signature response signed with the retrieved private key. Further, the authentication response may include additional information required for the service. The additional information may be input by the user, or the service provider (or the service server) may set an object or promise in advance. For example, as additional information, transfer information, user certificate information at login, session information, purchase list and price in online shopping, and nonce for preventing replay attack are used in the Internet banking.

Also, when the FIDO authentication response is to be included in the authentication response according to the FIDO standard, the private key for generating the FIDO authentication response is used as the private key that has been previously matched and searched. That is, the present invention uses the same private key for the FIDO authentication and the private key for the digital signature.

On the other hand, as described above, the authentication response is a message composed of a digital signature-signed response using a private key (or certificate). The digital signature of the authentication response is transmitted to the FIDO server 60 and verified. Identity verification and non-repudiation are done by verifying ownership of the private key (or certificate) used in the digital signature. Signing with a private key that is paired with the public key in the certificate means that in the case of general authentication, the user knows the password of the encrypted private key so that it can decrypt the private key and use it for digital signatures or know the PIN of the security token, This allows you to verify that the user owns the corresponding private key. Likewise, when the private key is matched with the biometric information, since the real name confirmation is confirmed by the service server 50, the relationship between the certificate (or the private key) and the owner (user) can be confirmed by digital signature verification. This relationship allows only the owner (user) to use the private key, thereby preventing denial of the act using the private key or confirming the identity.

Next, the device authentication management unit 36 stores and manages the device authentication information in order to verify the FIDO authentication device 30 itself. The device authentication information may include a unique identification number of the device, a manufacturer private key, a device private key, and the like.

When the manufacturer of the FIDO authentication device wants to register the FIDO authentication device with the FIDO standard association, the certificate for the FIDO authentication device is issued through the manufacturer CA (certificate authentication server), and the metadata (root CA certificate) To the FIDO Standards Association. Also, the service providers who want to use the FIDO authentication apparatus register the metadata provided by the FIDO standard association in the FIDO server 60 of the service provider.

Also, the manufacturers of the FIDO authentication device store the certificate (public key) and the private key of the corresponding authentication device created at the time of generating the metadata in the storage 39 of the authentication device, Respectively.

In the FIDO user registration process, the registration message transmitted to the FIDO server includes the certificate of the corresponding authentication device and data (user ID, authentication device ID, user public key, etc.) signed by the private key of the authentication device. The FIDO server verifies the validity of the certificate through the root CA certificate or the manufacturer's CA (certificate authentication server), and if the certificate is valid, verifies the signature with the corresponding public key. If the verification is successful, the user information (user ID, authentication device ID, user public key, etc.) included in the registration message is stored.

Next, a mapping information registration method for FIDO authentication according to an embodiment of the present invention will be described with reference to FIG.

4, the FIDO server 60 sets the registration policy and the change policy in advance (S1), and transmits the identification information of the registration policy, that is, the registration policy ID to the service server 50 (S2 ).

A registration policy is a policy on the type of biometric at the site. That is, the policy applied at the time of user registration is a registration policy, and only one registration policy (registration policy example: fingerprint and iris) exists in the site (company). The registration policy ID is an ID that has been previously registered in the FIDO server 60 and issued when a service administrator uses a policy (registration policy example: fingerprint and iris) when the FIDO user is registered. In one site (company), a plurality of service servers 50 can jointly use one FIDO server 60, but the registration policy is one. Of course, the site's change policy (changeable, unchangeable) is also one. In the case of a site where the registration policy is 'fingerprint and iris' and the change policy is 'unchangeable', the user can not use the fingerprint and iris registered in the existing phone when registering the FIDO user and must newly register the fingerprint and iris. It is set to be unchangeable when stored.

For reference, the authentication policy can be created through the FIDO server as desired on the site, and an authentication policy ID is issued. For example, the authentication policy 1 may be set as a fingerprint, the authentication policy 2 as an iris, the authentication policy 3 as a fingerprint or iris, and the authentication policy 4 as a fingerprint and iris. The service server 50 requests the FIDO server 60 to select one of the registered authentication policies when requesting the user authentication for the service. For example, Kookmin Bank has one registration policy (fingerprint and iris), and N authentication policies. When registering, fingerprints and iris are registered according to the registration policy. When Kookmin Bank services request authentication to FIDO server, another authentication policy is selected according to the service and authentication is requested to FIDO server. For example, the authentication policy 1 (fingerprint) may be selected in the case of an account inquiry, and the authentication policy 2 (iris) may be selected in the case of an account transfer.

Next, the service client 11 is requested to open a service from the user and to register the FIDO for the service (step S10). The service is a service that requires financial transaction or real name authentication, such as opening a financial account or registering a credit card service. Hereinafter, for convenience of description, services for opening face-to-face or non-face-to-face financial accounts will be described as an example.

At this time, the service client 11 performs real name authentication on the user in cooperation with the service server 50 (S20). That is, the service client S11 receives data necessary for real name authentication from the user (S21), and transmits the data to the service server 50 (S22).

As an example, for real name authentication, a user transmits identification information or the like through the service client 11, confirms a cell phone (mobile communication) number, or performs image face-up through image connection. That is, the service server 50 receives data necessary for real name authentication from the service client 11, or performs a service for real name authentication such as image face-up in cooperation with the service client 11. [

When the real name authentication is completed (or succeeds), the service client 11 requests the service server 50 to open the service, inputs information necessary for opening the service, and transmits the information (S31, S32). That is, the service server 50 requests the user through the service client 11 for information necessary for opening the service, receives them, and opens a service (S32). The service server 50 transmits a user ID for service use to the service client 11 when the service is opened.

As an example, when opening an account, the service server 50 requests the agreement of the account use, the signature of the user, the temporary password, etc., and opens the account by receiving these account opening information. In addition, when the account is opened, the service server 50 transmits the account number to the service client 11. The account number is for identifying a transaction of a user of the service, and is a kind of user ID.

Next, the service client 11 requests the FIDO server 60 to register the FIDO through the service server 50, thereby starting the FIDO registration procedure (S41). That is, the FIDO registration request is transmitted from the service client 11 to the FIDO server 60 through the service server 50. [ The service client 11 transmits the service (or service identification information) at the time of the FIDO registration request and the user ID for using it to the FIDO server 60 together.

Specifically, when the service client 11 starts the FIDO user registration to the service server 50, the service server 50 calls the user registration API provided by the FIDO server 60, and at this time, the service ID, user ID, Registration policy ID and so on. And sends the registration request message to the FIDO client 20 for registration.

In addition, the FIDO server 60 requests the FIDO client 20 to register a FIDO registration request (or a registration request message) (S42). At this time, the FIDO registration request is transmitted from the FIDO server 60 to the FIDO client 20 by the relay of the service server 50 or the service client 11.

At this time, the FIDO server 60 transmits a registration policy and a change policy set in advance together with the FIDO registration request. In the FIDO registration process, the biometric information is also received and registered according to the registration policy (fingerprint, iris, fingerprint and iris).

That is, the registration request message includes a service ID, a user ID, a registration policy ID, a change policy, and the like.

Then, the FIDO client 20 receives the FIDO registration request from the FIDO server 60 and calls the FIDO authentication device 30 according to the registration policy (S43). For example, an iris recognition device (or an FIDO authentication device for iris recognition) is called for iris recognition, or a fingerprint recognition device is called for fingerprint recognition.

Next, the FIDO authentication device 30 requests the user to input biometric information, recognizes the inputted biometric information, and registers it as biometric information (S51). Then, a key pair (a private key and a public key) matching the registered biometric information is generated (S52).

The FIDO authentication device 30 generates biometric information, a service, a user ID, a private key, and a change policy as one mapping information, and registers the mapping information in the mapping table (S53).

Then, the FIDO authentication apparatus 30 generates a response message to be transmitted to the FIDO server 60, that is, a registration response (S54). The registration response message includes the user public key. Preferably, the registration response further comprises a certificate and signature value of the authentication device. That is, these values can be transmitted to the FIDO server 60 together. The certificate and signature value of the authentication device is a certificate and signature for the FIDO authentication device 30. [

The generated registration response message is transmitted from the FIDO authentication device 30 to the FIDO client 20, and the FIDO client 20 transmits it to the FIDO server 60 (S55). At this time, the registration response message is transmitted to the FIDO server 60 by the relay of the service client 11 and the service server 50.

On the other hand, the signed data of the registration response message is encrypted with a private key by putting together a challenge (e.g., a random value, etc.), a registration counter, and the like.

Next, the FIDO server 60 verifies the registration response or the registration response message (S61). That is, the FIDO server 60 verifies the authentication apparatus by verifying the certificate and the signature value of the authentication apparatus received in the registration response.

First, the FIDO server 60 verifies the authentication apparatus by verifying the authentication apparatus certificate. That is, the FIDO server 60 verifies the certificate of the authentication device by checking the validity of the authentication device certificate of the registration response through the root CA certificate of the corresponding authentication device metadata stored in the FIDO server 60 or the manufacturer CA server.

Also, the FIDO server 60 decrypts data (authentication device ID, challenge, registration counter, user public key) signed with the public key of the corresponding certificate. Then, the integrity of the transmitted data is verified by comparing the value transmitted to the plain text (authentication device ID, challenge, registration counter, user public key).

That is, the registration response verification verifies both the authentication device and the signature value.

Then, the FIDO server 60 stores the received user public key (S63). That is, the FIDO server 60 maps and stores the user ID, authentication device ID, and user public key. The FIDO server 60 acts as a certificate management server, and can manage the validity of the public key, forcibly invalidate the public key, and the like.

Then, the FIDO server 60 transmits the FIDO registration result to the service client 11 (S64).

The service client 11 can display the received FIDO registration result (S70).

As described above, when the user requests the FIDO registration, biometrics information registration, key generation, and mapped storage are directly performed in the session after the confrontation / non-presence real name confirmation. After they succeed, FIDO registration ends. Even if the user intends to re-register the biometric information for a specific reason, the biometric information is re-registered immediately after completion of the face-to-face / non-face-real-name confirmation and ends after the successful re-registration. Therefore, face-to-face / face-to-face blindness is verified and FIDO registration and biometric information re-registration are performed immediately in that state.

Next, an FIDO authentication method capable of identity verification or non-repudiation according to an embodiment of the present invention will be described with reference to FIG.

As shown in FIG. 5, the FIDO server 60 sets an authentication policy in advance (S101), and transmits identification information on the authentication policy, that is, the authentication policy ID to the service server 50 (S102).

The authentication policy is a policy for the type of biometric authentication. There is only one registration policy (registration policy example: fingerprint and iris) in the site (company). An authentication policy is a policy that can be selected for each service provided by the site, and can be set within the registration policy. The authentication policy can be created through the FIDO server as desired on the site, and an authentication policy ID is issued. For example, the authentication policy 1 may be set as a fingerprint, the authentication policy 2 as an iris, the authentication policy 3 as a fingerprint or iris, and the authentication policy 4 as a fingerprint and iris.

The service server 50 may request the FIDO server 60 to select one of the registered authentication policies when requesting the user authentication. For example, Kookmin Bank has one registration policy (fingerprint and iris), and N authentication policies. When registering, fingerprints and iris are registered according to the registration policy. When Kookmin Bank services request authentication to FIDO server, another authentication policy is selected according to the service and authentication is requested to FIDO server. For example, the authentication policy 1 (fingerprint) may be selected in the case of an account inquiry, and the authentication policy 2 (iris) may be selected in the case of an account transfer.

Next, the service client 11 receives a service provision request from the user (S111). A service is a financial transaction such as a financial account or a credit card payment, or a service that requires identification. Then, the service client 11 requests the service server 50 to request the service of the user (S112).

The service server 50 requests the FIDO server 60 to start FIDO authentication (S121). The various service servers of the site request the user authentication API provided by the FIDO server to start the FIDO authentication. At this time, after selecting the authentication policy for the service, the service ID, the user ID, and the authentication policy ID are transmitted to the FIDO server. That is, when the service client 11 initiates the FIDO user authentication to the service server 50, the service server 50 calls the user authentication API provided by the FIDO server 60 and registers the service ID, the user ID, . The authentication request message is sent to the FIDO client. The authentication policy ID indicates whether the service administrator uses a policy (authentication policy 1: fingerprint, authentication policy 2: iris, authentication policy 3: fingerprint or iris, authentication policy 4: fingerprint and iris) And is an ID that has been issued. There is only one registration and change policy for the site, but the authentication policy can be created as desired.

When the FIDO server 60 receives the FIDO authentication start request, it first generates a challenge value for FIDO authentication (S122). Then, the FIDO server 60 transmits the challenge value and the predetermined authentication policy to the FIDO client 20 together with the FIDO authentication request (S123). At this time, the authentication request is transmitted according to the relay of the service server 50 and the service client 11.

The server challenge value is a random number generated by the server. When the challenge value is transmitted and the authentication device returns the signature with the private key, the authentication response is verified by comparing the received challenge value with the original challenge value by decrypting with the public key.

On the other hand, transaction details can be included when requesting FIDO authentication start. In case of general user authentication, three values such as a service ID, a user ID, and an authentication policy ID are sufficient when a FIDO server user authentication API is called. However, if the service client requires non-repudiation of specific text (eg, transfer amount), the text is transferred to the transaction history when the FIDO server authentication API is called. Accordingly, the corresponding details are displayed on the FIDO authentication device, and the user confirms the details of the details (biometrics according to the authentication policy), signs it with the user's private key, and transmits the signature to the FIDO server.

Next, the FIDO client 20 calls the FIDO authentication device 30 according to the authentication policy of the FIDO authentication request (S130). For example, the user terminal 10 is provided with a plurality of FIDO authentication devices such as an iris recognition device and a fingerprint recognition device, and among these, the FIDO authentication device according to the authentication policy is called.

Next, the called FIDO authentication device 30 requests the user to perform biometric authentication and receives the biometric authentication data (S141). The FIDO authentication device 30 compares the inputted biometric authentication data with the stored biometric authentication data, and determines whether the biometric authentication is successful or not (S142).

If the biometric authentication is successful, the FIDO authentication device 30 accesses the user private key corresponding to the biometric authentication, service, and user ID (S143).

Then, the FIDO authentication apparatus 30 generates an authentication response using the accessed user private key (S144).

Then, the FIDO client 20 receives the generated authentication response or authentication response message from the FIDO authentication device 30, and transmits the authentication response to the FIDO server 60. At this time, the authentication response message is transmitted to the FIDO server 60 by relaying between the service client 11 and the service server 50.

Next, the FIDO server 60 receives the authentication response message and verifies the authentication response (S151). At this time, the FIDO server 60 decrypts the authentication response with the user public key and verifies the authentication response.

The authentication request message generated by the FIDO server includes the server challenge value and is transmitted to the FIDO authentication device. When the user biometric authentication is successful according to the authentication policy, a value obtained by signing the challenge value with the user's private key is transmitted as an authentication response message to the FIDO server. Then, the FIDO server verifies the authentication response by verifying the signature with the user's public key, decrypting the challenge value, and comparing it with the original challenge value.

Then, the FIDO server 60 determines the final result of the FIDO authentication according to the authentication result of the authentication response and transmits the FIDO authentication result to the service server 50 (S152). That is, the end result is failure or success of the FIDO authentication.

Next, when the service server 50 receives that the FIDO authentication is successful, the service server 50 permits a service provision request of the service client 11 (S161). That is, the service server 50 determines that the authentication required for the service request is completed, and then provides the service to the user or the service client 11 (S162).

In the case of the above-mentioned financial account, it provides services such as inquiry and transfer related to the financial account, and provides services such as inquiry and settlement in the case of a financial card.

Next, a biometrics information re-registration method for FIDO authentication according to an embodiment of the present invention will be described with reference to FIG.

As shown in FIG. 6, first, the service client 11 receives a biometric information re-registration request from the user (S210). At this time, the user ID is input and an authentication device to be re-registered is selected. That is, when the service client requests re-registration of the biometric information, the user ID is input on the corresponding screen and the authentication device to re-register the biometric information should be selected. The service ID (eg, app id) is already known by the service client.

Next, in response to the biometric information re-registration request, the service client 11 performs real name authentication on the user in cooperation with the service server 50 (S220). That is, the service client S11 receives the data required for the real name authentication from the user (S221), transmits the data to the service server 50, and performs the real name authentication for the user in the service server 50 (S222). As in the FIDO registration process, the user transmits identification information or the like through the service client 11, confirms the cellular phone (mobile communication) number, or performs image face-to-face connection through image connection, for real name authentication. When the real name authentication is completed, the service server 50 transmits the result to the service client 11 (S223).

Next, the service server 50 requests the FIDO server 60 for the user authentication device list (S231), and receives the list of the user authentication devices (S232). Then, the service client 11 obtains the user authentication device list from the service server 60, and selects an authentication device to re-register the biometric information in the list (S233). That is, it is possible to request a user to re-register biometric information of a biometric authentication device, and to select one biometric authentication device to be registered among a plurality of biometric authentication devices.

Next, the service client 11 transmits to the FIDO server 60 via the service server 50 that the changed state of the authentication apparatus (state in which the biometric information is updated) (S236). The FIDO server 60 sets an unusable state for the user authentication apparatus (S237).

Next, the service client 11 requests the FIDO client 20 to re-register the biometric information (S241). At this time, the service client 11 transmits the service, the user ID, and the authentication device to the FIDO client 20 together.

The FIDO client 20 calls the biometric authentication device or the FIDO authentication device according to the user's request (S242).

Next, the called FIDO authentication device 30 receives the user's biometric information through the biometric authentication device (S251).

Searches the mapping table for mapping information identical to that of the service and the user ID, and updates the biometric information with the newly input biometric information in the retrieved mapping information (S253).

Then, the FIDO authentication apparatus 30 notifies the FIDO client 20 of the updated state of the mapping table, and the FIDO client 20 transmits the result to the service client 11 (S254).

In addition, the service client 11 transmits a re-registration completion response to the FIDO server 60 (S255). The FIDO server 60 receives the re-registration completion response, and confirms that the biometric information is updated.

The modification result message for the biometric information of the authentication device mapping table is transmitted to the FIDO server via the FIDO client, the service client, and the service server. The message consists of user ID, authentication device ID, and biometric information change result (success, failure). In addition, the message is delivered as a generic test message without the need for a signature.

Next, the FIDO server 60 sets the user authentication apparatus to the usable state (S261). That is, the user authentication apparatus is changed from the disabled state to the enabled state in advance.

Then, the FIDO server 60 transmits the re-registered result to the service client 11 through the service server 50 (S262), and the service client 11 notifies the user terminal 10 that the biometric information re- (S263).

On the other hand, in the case of the changeable policy, the biometric information re-registration can be arbitrarily changed by the user entering the setting of the terminal. In the case of the irrevocable policy, biometric information re-registration is a method of newly registering a fingerprint or iris of a user in the same terminal if the user's fingerprint is not well recognized.

The biometric information re-registration is a method when the user wants to change the biometric information while the FIDO user is registered and is in use. For example, if fingerprints or iris recognition are not well known due to changes in body image, it is a method to allow an existing user to check and change his / her name through verification of his / her real name.

At the time of re-registration of the biometric information, only the biometric information part of the mapping table is updated without generating a key pair. That is, in the case of the changeable policy, it is possible to modify the fingerprint at the user's discretion by registering the fingerprint on the existing smartphone setting screen. In the case of the unchangeable policy,

And, inputting live information in a smart phone is the same whether it is a changeable policy or a changeable policy. However, there is a difference that the modification is carried out without permission or permission.

The invention made by the present inventors has been described concretely with reference to the embodiments. However, it is needless to say that the present invention is not limited to the embodiments, and that various changes can be made without departing from the gist of the present invention.

10: user terminal 11: service client
15: biometric module 20: FIDO client
30: FIDO authentication device 31: biometric information input unit
32: private key generation registration unit 33: biometric authentication mapping unit
34: biometric information verification unit 35: authentication response generation unit
36: device authentication management unit 39:
40: network 50: service server
60: FIDO server

Claims (8)

An FIDO authentication device called by an FIDO client and communicating with the FIDO server via the FIDO client,
A biometric information input unit for inputting biometric information;
Generating a private key and a key pair of the public key, storing the private key, and transmitting the public key to the FIDO server;
A biometric authentication mapping unit for setting biometric information, a private key, a service, and a user ID as one mapping information and storing the set mapping information in a mapping table;
A biometric information verification unit comparing the input biometric information with biometric information stored in a mapping table to determine whether to verify whether the biometric information is the same or not; And
The biometrics information of the retrieved mapping information is used to verify the biometrics information, and when the biometrics information is retrieved, the individual of the retrieved mapping information And an authentication response generator for generating an authentication response using the key.
The method according to claim 1,
Wherein the biometric authentication mapping unit registers the mapping information on the biometric information in the mapping table at the request of the FIDO server only when the real name authentication is confirmed.
The method according to claim 1,
Wherein the mapping information of the mapping table is configured to be changeable or unchangeable,
Wherein the biometric authentication mapping unit registers the mapping information on the biometric information in the mapping table only by a registration procedure for performing a blindness check if the change policy of the FIDO server can not be changed. FIDO certified device.
A FIDO authentication method capable of performing identification or non-repudiation performed by an FIDO authentication device, a FIDO client, a service client, a service server, and an FIDO server,
(a1) receiving the service establishment and FIDO registration request from the user by the service client;
(a2) the service client performing real name authentication on the user in cooperation with the service server;
(a3) when the real name authentication is completed, the service client requests the service server to open a service, the service server opens a service for the user, and sets a user ID for identifying the service;
(a4) the service client requests the FIDO server to register the FIDO, the FIDO server requests the FIDO client to register the FIDO, and transmits the registration policy together when requested;
(a5) the FIDO client calls a FIDO authentication device according to a registration policy;
(a6) The FIDO authentication device receives the user's biometric information, generates a user's private key and a public key, generates one mapping information of the service, the user ID, the private key, and the inputted biometric information, ;
(a7) the FIDO authentication apparatus generates a registration response, and transmits the generated registration response and the user public key to the FIDO server through the FIDO client; And
(a8) the FIDO server verifying the registration response and storing the user's public key when verified.
5. The method of claim 4,
(b1) the service client is requested to provide a service from a user and requests a service request of the user from the service server;
(b2) the service server requests the FIDO server to start FIDO authentication, the FIDO server generates a challenge value, and transmits a FIDO authentication request to the FIDO client, together with the challenge value and the authentication policy ;
(b3) the FIDO client invoking the FIDO authentication apparatus according to the authentication policy;
(b4) receiving the biometric information of the user and determining whether biometrics authentication is performed in comparison with the biometric information of the input biometric information and the mapping information stored in the mapping table;
(b5) If the biometric authentication is successful, the FIDO authentication device accesses the user private key of the corresponding mapping information, generates an authentication response using the user private key, and transmits the generated authentication response to the FIDO server through the FIDO client ;
(b6) the FIDO server verifies the authentication response with the public key of the user, and transmits the verification result to the service server; And
(b7) the service server permitting and providing the requested service if the verification result is successful, and the FIDO authentication method enabling identification or non-repudiation.
5. The method of claim 4,
(c1) receiving the biometric information re-registration request from the service client;
(c2) the service client performing real name authentication on the user in cooperation with the service server;
(c3) receiving the list of the user authentication devices from the FIDO server through the service server and selecting one of the user authentication devices from the authentication device list;
(c4) the FIDO server receives the selected user authentication device and disables the selected user authentication device for the user authentication device;
(c5) when the service client requests the FIDO client to re-register the biometric information, the FIDO client calls the user authentication device according to the re-registration request;
(c6) the FIDO authentication device receives the user's biometric information and updates the mapping table with the inputted biometric information;
(c7) the FIDO authentication device generates and transmits a biometric information re-registration completion message to the service client; And
(c8) displaying the re-registration completion result by the service client.
5. The method of claim 4,
Wherein the communication between the FIDO client and the FIDO server is performed by relaying the service client and the service server.
5. The method of claim 4,
The registration response also includes the certificate and signature value of the FIDO authentication device,
In the step (a8), the FIDO server verifies the authentication device using the certificate of the FIDO authentication device and verifies the signature value.

Images