KR20200118783A - Cloud Type Operating Method for Certificate - Google Patents

Abstract

The present invention relates to a cloud-type certificate operating method executed by a server. According to the present invention, the method performs the procedures of: performing a specified identity authentication procedure for a user when requesting to store a user certificate in a storage medium on the cloud through a user terminal; storing the user certificate in the storage medium on the cloud when the user′s identity authentication is processed; performing the specified identity authentication procedure for the user when requesting to use the user certificate stored in the storage medium on the cloud through the user terminal; and using the user certificate stored in the storage medium on the cloud when the user′s identity authentication is processed.

Description

Cloud Type Operating Method for Certificate}

The present invention, in the cloud-type certificate operating method executed by a server, when a user terminal requests to store a user certificate in a storage medium on the cloud, performs a specified identity authentication procedure for the user, and the user's identity authentication When processed, the user certificate is stored in a storage medium in the cloud, and when a user request to use the user stored in the storage medium in the cloud through the user terminal, a specified identity authentication procedure for the user is performed, and the user's identity authentication is processed. In this case, it relates to a cloud-type certificate operation method for performing a procedure of using a user certificate stored in a storage medium on the cloud.

In order to use banking transactions in a non-face-to-face manner using a communication network, or to use payments of more than a certain amount, certificate processing using a public certificate issued to a user must be accompanied.

For the above-described certificate processing, the user's certificate is stored in the user's terminal that processes non-face-to-face transactions, or the user's portable medium (e.g., USB memory, IC card, HSM, floppy disk) that can be interlocked with the user's terminal. Etc.), the user's certificate must be stored.

However, most users do not process non-face-to-face transactions using only one specific terminal. Any terminal that the user uses can be used for non-face-to-face transactions. However, storing the user's certificate in all terminals available to the user causes a critical security problem. Of course, it is possible to store the user's certificate in the user's portable medium and take out the user's certificate from the portable medium whenever the certificate processing is required. However, the user's portable medium is by no means capable of interworking with all terminals used by the user. That is, other terminals other than a terminal having a module capable of interworking with the user's portable medium cannot take out and write the certificate stored in the user's portable medium.

It is an object of the present invention to provide a cloud-type certificate operation method executed by a server, the first step of performing a specified identity authentication procedure for the user upon requesting to store a user certificate in a storage medium on the cloud through a user terminal, and the The second step of storing the user certificate in a storage medium on the cloud when the user's identity authentication is processed, and a second step of performing a specified identity authentication procedure for the user when requesting to use the user stored in the storage medium on the cloud through the user terminal. It is to provide a cloud-type certificate operation method including step 3 and a fourth step of performing a procedure of using a user certificate stored in a storage medium on the cloud when the user's identity authentication is processed.

In the cloud-type certificate operating method according to the present invention, in the cloud-type certificate operating method executed by a server, when a user terminal requests to store a user certificate in a storage medium on the cloud, a specified identity authentication procedure is performed for the user. The first step and the second step of storing the user certificate in a storage medium on the cloud when the user's identity authentication is processed, and the designated identity authentication for the user when requesting to use the user stored in the storage medium on the cloud through the user terminal And a third step of performing a procedure and a fourth step of performing a procedure of using a user certificate stored in a storage medium on the cloud when the user's identity authentication is processed.

In the cloud-type certificate operating method according to the present invention, the first step includes i identity authentication procedures corresponding to i (i≥1) identity authentication methods set to register the user certificate in a storage medium on the cloud. It characterized in that it comprises a step of performing.

In the cloud-type certificate operating method according to the present invention, the first step is characterized in that it comprises the step of performing the i identity authentication procedures according to a preset sequence.

In the cloud-type certificate operating method according to the present invention, the second step includes receiving the user certificate from a certificate server and storing it in a storage medium on the cloud, or receiving the user certificate through a user's terminal and receiving the storage medium on the cloud. It characterized in that it comprises at least one of the stored in.

In the cloud method certificate operation method according to the present invention, the third step includes j authentication procedures corresponding to j (j≥1) authentication methods set to use a user certificate stored in a storage medium on the cloud. It characterized in that it comprises a step of performing.

In the cloud-type certificate operating method according to the present invention, the third step is characterized in that it comprises the step of performing the j number of identity authentication procedures according to a preset order.

In the cloud-type certificate operating method according to the present invention, the fourth step comprises the step of setting a usage limit specified in a user certificate stored in a storage medium on the cloud and providing it to the user terminal.

In the cloud-type certificate operating method according to the present invention, the fourth step comprises the step of processing a certificate for data received from the user terminal by proxy using a user certificate stored in a storage medium on the cloud. It is characterized.

In the cloud-type certificate operating method according to the present invention, in the cloud-type certificate operating method executed by the server, the first step of storing the user certificate issued to the user in a designated storage medium on the cloud and the user through the user's terminal In order to obtain and store user identification information for identification and authentication, and to pre-specify and identify N (N≥1) terminals that can use the user certificate stored in the storage medium among user terminals that can use the certificate, Obtaining designation target identification information including a combination of previously recorded information and information recorded in the designated identified terminal generated through a program or code generation module designated for the designated identification and stored in association with the user identification information In the second step and when the terminal requests to process a certificate using a user certificate through the user identification information, the terminal that requested the certificate processing by receiving the identification target identification information from the terminal and authenticating through the stored identification target identification information designated in advance The third step of authenticating whether the terminal is an nth (1≤n≤N) terminal among the N terminals, and a user certificate stored in the storage medium when the terminal requesting the certificate processing is authenticated as a predetermined identified nth terminal And a fourth step of performing a procedure for processing a certificate for data received through the authenticated n-th terminal through the proxy.

In the cloud-type certificate operating method according to the present invention, the first step comprises receiving the user certificate from a certificate server and storing it in the storage medium, or receiving the user certificate from the user's terminal and storing it in the storage medium. It characterized in that it comprises at least one of the.

In the cloud-type certificate operating method according to the present invention, the second step further comprises performing a user identity authentication procedure for authenticating whether a user to designate the N terminals is the user who has been issued the user certificate, And registering and storing identification information for the N terminals when the user's identification is processed.

In the cloud-type certificate operating method according to the present invention, in the cloud-type certificate operating method executed by the server, the first step of storing the user certificate issued to the user in a designated storage medium on the cloud and the user through the user's terminal N (N≥1) terminals to obtain and store user identification information for identification and authentication, and to process the certificate processing to be performed on the user's terminal through the user certificate stored in the storage medium among the user's terminals for which the certificate is available. The second step of acquiring N number of target identification information for each N terminals identified in advance and storing it in association with the user identification information, and when requesting certificate processing using a user certificate through the user's terminal, the user identification information At the same time as identifying and authenticating the user who requested the certificate processing, authentication whether the terminal requesting the use of the user certificate is the nth (1≤n≤N) terminal among the N terminals identified in advance through the N number of target identification information In the third step, and when the terminal to use the user certificate is authenticated with the n-th terminal, data corresponding to the subject of the certificate processing is received through the authenticated n-th terminal, and the user certificate stored in the storage medium is And a fourth step of performing a procedure of processing the certificate for the received data via proxy.

In the cloud-type certificate operating method according to the present invention, the first step further comprises performing an identity authentication procedure for the user who has been issued the user certificate, and when the user's identity authentication is processed, the The user certificate issued to the user is stored in the storage medium.

In the cloud-type certificate operating method according to the present invention, the first step comprises receiving the user certificate from a certificate server and storing it in the storage medium, or receiving the user certificate from the user's terminal and storing it in the storage medium. It characterized in that it comprises at least one of the.

In the cloud-type certificate operating method according to the present invention, the second step further comprises performing a user identity authentication procedure for authenticating whether a user to designate the N terminals is a user who has been issued the user certificate, and And registering and storing N pieces of identification target identification information for the N terminals when the user's identification is processed.

In the cloud-type certificate operation method according to the present invention, the user certificate stored in the storage medium can be used as M (M≥1) that can be used as designation target identification information of each terminal based on at least one of the types of terminals available, communication networks, and platforms. ) Further comprising the step of setting a designation target identification information condition for designating the number of designation information, and the second step is m that meets the designation target identification information condition among information obtainable through the terminal designated by the user. And acquiring (1≦m≦M) pieces of designation information and storing designation target identification information including the obtained m pieces of designation information.

In the cloud-type certificate operation method according to the present invention, the third step is m (1≤m) to be used for designating and identifying the user's terminal among M (M≥1) pieces of designation information available as designation target identification information. Receiving designation target identification information including ≤M) pieces of designation information from the user's terminal, and comparing the received designation target identification information with the stored designation target identification information to determine the user's terminal as the designated n-th terminal It characterized in that it further comprises the step of authenticating with.

In the cloud-type certificate operating method according to the present invention, in the cloud-type certificate operating method executed by a server, a first step of storing a certificate issued to a user in a designated storage medium on the cloud and a designated authentication procedure among the user's terminals are performed. The second step of acquiring and storing designation target identification information for designating and identifying N (N≥1) terminals designated as available terminals using the certificate stored in the storage medium on the cloud by the authenticated user through the authentication process and the user who will use the certificate A third step of authenticating whether the terminal of is an nth (1≤n≤N) terminal among the N specified terminals specified and identified by the specified object identification information, and when the user's terminal is authenticated as the specified nth terminal And a fourth step of processing the user's certificate stored in the storage medium to be used through the n-th terminal.

According to the present invention, the first step further includes performing an identity authentication procedure for a user who has been issued a certificate stored in the storage medium, and is issued to the user when the user's identity authentication is processed. The certificate can be stored in the storage medium.

According to the present invention, the first step is to receive a certificate issued to the user from a certificate server that issued the certificate to the user and store it in the storage medium, or provide a certificate issued to the user from the user's terminal. It may include at least one of receiving and storing in the storage medium.

According to the present invention, the second step is characterized in that it further comprises performing an authentication procedure whether the user who has been issued the certificate designates and registers a terminal to use the certificate.

According to the present invention, the cloud-type certificate operation method includes M (M≥) that can be used as designation target identification information of each terminal based on at least one of a type, communication network, and platform of each terminal that can be registered as a terminal for which the certificate will be used. 1) further comprising the step of setting a condition for identification information to be designated for designating the designated information, and the second step is, among information obtainable through a terminal designated by the user, that meets the condition of the designated object identification information. and acquiring m (1≦m≦M) pieces of designation information and storing designation target identification information including the obtained m pieces of designation information.

According to the present invention, the third step includes a user authentication procedure for whether a user who has been issued the certificate requests a certificate stored in the storage medium, and a user who has registered the N terminals provides a certificate stored in the storage medium. It characterized in that it further comprises the step of performing at least one identity authentication procedure of the user identity authentication procedure for whether the request is made.

According to the present invention, the third step includes m (1≦m≦M) pieces of designation information used to designate and identify the user's terminal among M (M≧1) pieces of designation information available as designation target identification information. Confirming the configuration of the included designation target identification information, receiving designation target identification information including the m pieces of designation information from the user's terminal, and the received designation target identification information and the stored designation target identification The method may further include comparing information to authenticate the user's terminal as the designated n-th terminal.

According to the present invention, the fourth step is characterized in that the user's certificate stored in the storage medium is provided to the n-th terminal.

According to the present invention, in the fourth step, in the fourth step, the certificate processing of the n-th terminal is performed on behalf of the user through the user's certificate stored in the storage medium.

According to the present invention, it is possible to process the certificate for the non-face-to-face transaction by using the user's certificate stored in a designated storage medium on the network through the terminal anytime and anywhere as long as the terminal used by the user for non-face-to-face transaction is connected to the communication network. There is an advantage to lose.

1 is a diagram showing the configuration of a cloud certificate operating system according to the present invention.
2 is a diagram illustrating a functional configuration of an application provided in a user's terminal according to an exemplary method of the present invention.
3 is a diagram illustrating a process of registering a certificate in a cloud-based certificate operation according to the present invention.
4 is a diagram showing a process of designating and registering a terminal capable of using a certificate in the cloud type certificate operation according to the present invention.
5 is a diagram showing a process of registering a user who can use a certificate in a cloud-based certificate operation according to the present invention.
6 is a diagram showing a process of checking/extracting a certificate registered in a storage medium in the cloud type certificate operation according to the present invention.
7 or 8 is a diagram illustrating a process of using a certificate in a cloud method according to an implementation method of the present invention.

Hereinafter, the operating principle of a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. However, the drawings and the description to be described below are for a preferred implementation method among various methods for effectively describing the features of the present invention, and the present invention is not limited to the following drawings and description. For example, the configuration unit provided on the server side may be implemented on the terminal side, or conversely, the configuration unit provided on the terminal side may be implemented on the server side.

In addition, in the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. In addition, terms to be described later are terms defined in consideration of functions in the present invention, which may vary according to the intention or custom of users or operators. Therefore, the definition should be made based on the contents throughout the present invention.

As a result, the technical idea of the present invention is determined by the claims, and the following examples are a means for efficiently explaining the technical idea of the present invention to those of ordinary skill in the art to which the present invention belongs. Only.

Figure 1 is a diagram showing the configuration of a cloud certificate operating system according to the present invention.

In more detail, Figure 1 shows that after storing the certificate issued to the user in the designated storage medium 115 on the network, the terminal 200 used by the user can use the certificate stored in the storage medium 115 through a communication network. As a diagram showing a system configuration for processing so that the present invention pertains to those of ordinary skill in the art, various implementation methods for the cloud-type certificate operating system (e.g., some The component parts are omitted, or subdivided, or a combined implementation method) may be inferred, but the present invention includes all of the above inferred implementation methods, and the technical characteristics thereof are limited only by the implementation method shown in FIG. It doesn't work. Preferably, the implementation method described with reference to the drawings of the present invention will be described with a basic configuration in which a terminal capable of using a certificate stored in the storage medium 115 is designated in advance, and the features of the present invention will be described. However, the technical features of the present invention are by no means limited thereto, and if it is possible to maintain the security of the user identification procedure at the time when the certificate is stored in the storage medium 115 and the time when the stored certificate is used, the It should be noted that the configuration for designating a terminal that can use the certificate may be omitted, and the present invention clearly includes all implementation methods implemented by omitting or modifying some configurations of the present invention.

The cloud-type certificate operating system of the present invention stores one or more terminals 200 used by a user who has been issued a certificate, and a certificate issued to the user in a designated storage medium 115, and a terminal 200 used by the user. When requesting to use the certificate stored in the storage medium 115 through this communication network, processing so that the certificate stored in the storage medium 115 can be used through the user's terminal 200 at the request of the user It is configured to include an operating server 100. The operation server 100 may be implemented in the form of at least one or a combination of two or more servers depending on the implementation method, and may be built on the side of a business operator operating the cloud-type certificate, as well as issuing the certificate. Any server existing on the network, including an institution or a registration authority (eg, financial institution, etc.) of the certificate and various affiliated institutions (eg, KFTC, etc.) may be constructed in any form. In addition, according to the business conditions and related laws at the time the present invention is implemented, it has been found that some components of the operation server 100 are built on the business side, and some of the other components can be rescued by the issuing agency, registration agency, or affiliated agency. It is a bar. In addition, the drawings and description of the present invention are illustrated and described as operating the cloud-type certificate of the present invention in one operation server 100, but when the operation server 100 is implemented in the form of two or more servers, the two or more Of the servers, the server 2 actually processes a specific process, but for this purpose, when the terminal or server 1 triggers a specific process of the server 2 or a related process is executed, the terminal or server 1 also It should be noted that the term "treat so that" can be used for a particular process.

The terminal 200 used by the user is a generic term for all terminals that the user can use for certificate registration or use, as well as terminals owned by the user, and preferably, a wired computer including a personal computer and a laptop computer used by the user. It may include a terminal 200, a wireless terminal 200 including a user's mobile phone, smart phone, tablet PC, and the like. However, the user's terminal 200 is not limited to the wired terminal 200 and the wireless terminal 200 described above, and a payment terminal 200 (eg, POS, CAT, etc.) connected to a communication network, and a financial terminal 200 ) (E.g., CD, ATM), call terminal 200 (e.g., landline telephone, wireless telephone, VoIP phone), home appliance terminal 200, etc. can include all types of terminals are clearly revealed.

According to an exemplary method of the present invention, the user's terminal 200 may be equipped with one or more programs to register or use the certificate. The program is implemented in the form of an application running in the operating system of the user's terminal 200 and mounted on the user's terminal 200, or an application program (e.g., a browser, etc.) provided in the user's terminal 200 It may be mounted on the user's terminal 200 in the form of a plug-in program (eg, ActiveX, etc.) that is plugged into a banking program or a payment program. Meanwhile, when the user's terminal 200 accesses the operation server 100 through a browser, the operation server 100 is a program for registering or using the certificate on a page provided to the user's terminal 200 Code (eg, JavaScript, etc.) can be inserted and provided to the user's terminal 200, in this case, even if a separate program is not mounted on the user's terminal 200

The operation server 100 is a generic term for at least one server or a combination of two or more servers that operate a cloud-type certificate according to the present invention for one or more user's terminals 200 using a communication network, and issued to the user. A procedure for storing a certificate in a designated storage medium 115, a procedure for storing designation target identification information for designating and identifying N (N≥1) terminals 200 that can use the stored certificate, and a terminal used by the user A procedure for authenticating whether 200 is the nth (1≤n≤N) terminal 200 among the N designated terminals 200 designated and identified by the designation target identification information, and the user's terminal 200 When authenticated by the designated n-th terminal 200, a process of processing the user's certificate stored in the storage medium 115 to be used through the n-th terminal 200 is performed. If the operation server 100 is made of a combination of two or more servers, it should be clearly stated that the procedure can be performed by interworking with each other. In addition, the user's terminal 200 and the operation server 100 are set with a security protocol (e.g., encryption/decryption method, key exchange algorithm, etc.) at a level that allows the use of a certificate through a communication network, and detailed description thereof is omitted for convenience I will do it.

Referring to Fig. 1, the operation server 100 includes an identity authentication procedure unit 120 that performs an identity authentication procedure for a user who has received a certificate to be stored in a designated storage medium 115, and the storage medium 115 ) And a certificate acquiring unit 105 for acquiring a user's certificate to be stored in ), and a certificate storage unit 110 storing the acquired user's certificate in a designated storage medium 115.

When requested to register the certificate issued to the user in the designated storage medium 115 from the user's terminal 200 connected to the operation server 100, the identity authentication procedure unit 120 Perform the identity verification process. Preferably, the identity authentication for the user is an ID/PW that authenticates by receiving an ID/PW for the user from the user's terminal 200 when the user is registered as a member of the operation server 100 Authentication, Internet real name authentication, which receives personal information including the user's name and resident registration number from the user's terminal 200 and provides it to a real name authentication server (not shown) to authenticate the user's real name, the user's terminal Communication means information (e.g., communication company information, phone number, device identification information, etc.) of the subscription communication network (e.g., mobile communication network, telephone network, VoIP network, etc.) to which the user subscribes is provided from 200, and the user's personal information and Communication subscriber authentication for authenticating the subscriber name for the user by providing communication means information to a communication company server (not shown) of the subscription communication network, and card identification for a card issued to the user by a card company from the user's terminal 200 Card holder authentication that receives information (e.g., card company information and card number) and provides the user's personal information and card identification information to the card company server (not shown) that issued the card to authenticate the card holder. The bank server in which the account is opened by receiving account identification information (eg, bank information and account number) corresponding to the user's account opened in the bank from the user's terminal 200 and receiving the user's personal information and account identification information (Not shown) to authenticate the account holder to authenticate the account holder, generate an authentication number and send it to the user's wireless terminal, and then input it to the user's terminal 200 (here, the user whose authentication number is inputted) The terminal 200 includes a wireless terminal receiving the authentication number as well as a terminal 200 used by a user other than the wireless terminal), and a wireless terminal occupation authentication for comparing and authenticating the received authentication number, the user's terminal 200 ), if there is a certificate issued to the user, a certificate using a certificate (eg, a public certificate previously issued to the user, etc.) provided in the user's terminal 200 Among the authentication, it may include at least one or two or more identity authentication specified by the operation server 100. However, the identity authentication procedure of the present invention is by no means limited to the above-described method, and any method may be applied as long as it is a method capable of authenticating the user's identity through a communication network. In addition, all types of personal authentication that can authenticate the user's identity (e.g., personal authentication using ARS, face-to-face authentication using an ID card, identity authentication through image (face) recognition, identity authentication using biometric information, etc.) ) Is clearly included.

According to the implementation method of the present invention, the identity authentication procedure unit 120 sets i (i≥1) identity authentication methods to process identity authentication for a user who has been issued a certificate, and the identity authentication procedure unit 120 processes the identity authentication for the user who has been issued a certificate by performing the set i identity authentication procedures in a specified order.

The certificate acquisition unit 105 acquires a user's certificate to be stored in the designated storage medium 115. The user's certificate is the original certificate issued by the certificate issuing authority to the user, or a copy of the certificate issued by the certificate issuing authority to the user, or a copy of the certificate issued by the certificate issuing authority to the user. It may contain at least one of the copies of the certificate.

According to the first certificate obtaining method of the present invention, the certificate obtaining unit 105 may obtain a certificate issued to the user from a certificate server provided in a certificate issuing authority that issued the certificate to the user. Preferably, the user applies for issuance of a certificate to the certificate issuing authority, and certificate issuance information for the certificate issued to the user from the user's terminal 200 as the certificate issuance is approved (or issuance) from the certificate issuing authority. When (e.g., various information transmitted from a certificate issuing authority to a user who will be issued a certificate) is received, the certificate obtaining unit 105 can obtain a certificate issued to the user from the certificate server based on the certificate issuance information. have.

According to the second certificate obtaining method of the present invention, the certificate obtaining unit 105 can obtain a certificate issued to the user from an authority server provided in a management institution that stores or manages a copy of the certificate issued to the user. have. Preferably, the copy of the certificate issued to the user may be stored in an institutional server of a management institution including a registration authority that processes an application for issuance of the certificate or a financial institution that processes various authentications through the user's certificate. , The certificate obtaining unit 105 may obtain a certificate issued to the user from an authority server that manages a copy of the user's certificate.

According to the third certificate obtaining method of the present invention, the certificate obtaining unit 105 may obtain the user's certificate in the form of copying or transferring the certificate issued to the user from the user's terminal 200. Preferably, a memory provided in the user's terminal 200 (eg, a hard disk provided in a computer, a nonvolatile memory provided in the wireless terminal 200) or a user capable of interlocking with the user's terminal 200 The certificate issued to the user may be stored in various portable media (eg, USB memory, IC card, HSM, floppy disk, etc.), and the certificate acquisition unit 105 The certificate stored in the memory of 200 or various portable media can be obtained according to the designated certificate copy/movement procedure.

On the other hand, if the obtained user's certificate is not obtained from the certificate server, the certificate obtaining unit 105 determines that the obtained user's certificate is the same as the certificate issued to the user by the certificate issuing authority through the certificate server. You can verify that it is a certificate. Preferably, the certificate obtaining unit 105 provides the obtained certificate to the certificate server to verify the validity of the certificate, or provides a hash value obtained by hashing a certificate file corresponding to the certificate to the certificate server. After verifying the validity of the certificate or receiving a hash value of the original certificate issued to the user from the certificate server, the validity of the certificate may be verified by comparing it with the hash value of the obtained certificate. When the user's certificate is verified, it means that the obtained certificate is the same as the original certificate issued to the user and there is no forgery, alteration, or damage to the certificate.

When the user's certificate is obtained, the certificate storage unit 110 stores the obtained user's certificate in a designated storage medium 115. The storage medium 115 in which the certificate is stored is a generic term for a storage medium that has security enough to store a user's certificate on a network, and the storage medium 115 operated by the issuing authority of the certificate according to an implementation method , At least one of a storage medium 115 operated by the registration authority of the certificate, a storage medium 115 provided in the operation server 100, and a storage medium 115 on a network accessible from the operation server 100 I can. The drawing 1 will be described by showing that the storage medium 115 is provided in the operation server 100 for convenience.

According to the implementation method of the present invention, the user's certificate stored in the storage medium 115 includes the entire configuration of the certificate issued to the user, or stores a partial configuration of the certificate issued to the user. It is possible. Preferably, the partial configuration of the certificate may include t (1≤t<T) configuration items among T (T≥1) configuration items constituting a certificate file corresponding to the user's certificate. have. Alternatively, some configurations of the certificate may include some configuration values of t configuration items among the T configuration items constituting the certificate file. For example, if the configuration value of a specific configuration item among T configuration items constituting the certificate file is "123456789", some configuration of the certificate is "12345" or "13579" among the configuration values of "123456789". It may contain some configuration values such as.

On the other hand, when some configurations are included in the certificate stored in the storage medium 115, the remaining configurations except for some configurations of the stored certificate are stored in N designated terminals 200 using the certificate, or the N designated It may be stored in a portable medium owned by the user (eg, USB memory, IC card, HSM, floppy disk, etc.) that stores a certificate to be authenticated through the terminal 200.

According to an exemplary method of the present invention, the user's certificate stored in the storage medium 115 may be mapped and stored with user identification information that uniquely identifies who the stored certificate is the certificate issued to.

Referring to Figure 1, the operation server 100, an identity authentication procedure unit 120 that performs a user identity authentication procedure for whether the user who has been issued the certificate designates and registers the terminal 200 to be used with the certificate. And, the identification information acquisition unit 125 for obtaining the identification information of the designated object to designate and identify the terminal 200 that can use the stored certificate, and N (N≥1) obtained by the identification information acquisition unit 125 It includes an identification information storage unit 130 for storing N number of target identification information for the number of designated terminals 200. If the terminal 200 that can use the certificate is not designated and registered according to the implementation method of the present invention, the identification information acquisition unit 125 and the identification information storage unit 130 may be omitted.

At some point before, during, and after the user's certificate is stored in the designated storage medium 115, a procedure for designating and registering the terminal 200 that can use the certificate stored in the storage medium 115 is performed. In order to do so, the identity authentication procedure unit 120 interlocks with the terminal 200 of the user accessing the operation server 100 to specify registration of the terminal 200 that can use the certificate, so that the user who received the certificate One or more user authentication procedures for specifying and registering the terminal 200 to be used are performed. Preferably, the identity authentication for the user is at least specified by the operation server 100 among ID/PW authentication, Internet real name authentication, communication subscriber authentication, card holder authentication, account holder authentication, wireless terminal occupation authentication, and certificate authentication. As described above, it may include one or two or more identity authentication, and that various types of identity authentication may be performed in addition to the above-described method.

According to the implementation method of the present invention, the identity authentication procedure unit 120 is j (j≥) for processing user identity authentication as to whether the user who has been issued the certificate designates and registers the terminal 200 to be used for the certificate. 1) There are set authentication methods, and the identity authentication procedure unit 120 performs the set j authentication procedures in a specified order, and the user who has received the certificate is the terminal 200 to which the certificate will be used. Processes the user's self-authentication as to whether to specify and register. When the registration procedure of the certificate issued to the user and the terminal designation registration procedure are connected and processed collectively, the identity authentication procedure for the user may be performed only once. However, the terminal designation registration procedure of the present invention may be repeatedly performed within a specified limit, and in this case, the user identity authentication for the terminal designation registration procedure may be performed.

The identification information acquisition unit 125 acquires designation target identification information for designating and identifying the terminal 200 that can use the certificate stored in the storage medium 115 designated by the certificate storage unit 110. Preferably, the designation target identification information is information stored in the read/write memory of the designated and registered terminal 200, information stored in an IC chip provided in the designated and registered terminal 200, and designated and registered terminal 200 Information recorded in the read-only memory of the device, information allocated to the hardware components of the terminal 200 to be designated and registered, communication identification information of the designated and registered terminal 200, information generated by the designated and registered terminal 200, designation It may be composed of at least one or a combination of two or more of information input from the registered terminal 200, information identifying a program provided in the designated registered terminal 200, and information dynamically generated through a designated code generation module.

The information stored in the read/write memory of the designated and registered terminal 200 is stored in a hard disk, a nonvolatile read/write memory, etc. of the designated and registered terminal 200 to uniquely identify the designated and registered terminal 200. As a generic term for identification information, preferably, various key values stored in the memory, identification values of programs related to (or designated) use of the certificate, values generated and stored by the program, and received and stored from a communication network through the program Value, the unique value of the program (eg, the serial number of the program, the token assigned to the program, etc.), the unique value of the operating system (eg, the serial number of the operating system), the value stored by the operating system, the user's certificate stored in the memory, The storage medium 115 may include at least one designation information of the remaining part of the user certificate, card information, account information, and financial information.

The information stored in the IC chip provided in the designated and registered terminal 200 is an IC chip mounted or detached from the designated and registered terminal 200 (eg, USIM, financial IC chip, security element (SE), etc.) As a generic term for information that is stored in the IC chip and uniquely identifies the designated and registered terminal 200, preferably the unique code of the IC chip, the chip serial number, the applet identification code provided on the IC chip, the The key value stored in the IC chip, the user's certificate stored in the IC chip, the remaining part of the user certificate stored in the storage medium 115, card information, account information, and at least one designation information of financial information may be included. have.

The information recorded in the read-only memory of the designated and registered terminal 200 is a generic term for information stored in a ROM provided in the designated and registered terminal 200 or a ROM of a hardware component constituting the terminal 200 As, it may preferably include at least one designation information of various key values, unique codes, identification codes, and serial numbers stored in the memory.

The information allocated to the hardware components of the designated and registered terminal 200 is a generic term of information allocated to the hardware components by the manufacturer of the hardware components constituting the designated and registered terminal 200, preferably A unique code assigned to the CPU constituting the designated terminal 200, a unique code assigned to the main board, a unique code assigned to a memory, a unique code assigned to a hard disk, a unique code assigned to a nonvolatile memory, communication It may include designation information of at least one of a unique code provided in the module (eg, a MAC address), a unique code assigned to an input module, and a unique code assigned to an output module (eg, a display).

The communication identification information of the designated and registered terminal 200 is a generic term of information allocated to the terminal 200 for access to the communication network of the designated and registered terminal 200, and is preferably accessed by the terminal 200. In addition to including at least one IP address, MAC address, and phone number according to the type/protocol of the communication network, designation of at least one of network ID, system ID, and subscriber identification value registered in the communication network to which the terminal 200 is connected May contain information.

The information generated by the designated and registered terminal 200 is a generic term for information dynamically generated by a program provided in the designated and registered terminal 200, and is preferably dynamically generated by the designated and registered terminal 200. In addition to including at least one disposable code and various key values, the dynamically generated disposable code or various key values are processed (e.g., processed in the form of text, images, 1/2D barcodes, sound, multimedia, etc.) or It may include at least one designation information of information processed (eg, encrypted) of other information using the dynamically generated disposable code or various key values.

The information inputted from the designated and registered terminal 200 is a generic term for key input information through an input module provided in the designated and registered terminal 200, and preferably, the input information is a key based on the user's memory. It may include at least one of input information (eg, password, PIN, etc.) and key input information while displayed on another terminal or medium.

The information for identifying a program provided in the designated and registered terminal 200 is essential for identifying a program provided in the designated and registered terminal 200 in connection with the use of the certificate or for the designated and registered terminal 200 As a generic term for information identifying a program provided as, preferably, an identification value of the program, a value generated by the program, a value received from a communication network through the program, a unique value of the program (e.g., the serial number of the program , Tokens allocated to the program, etc.).

The information dynamically generated through the designated code generation module may be transmitted to a code generation module provided in the designated and registered terminal 200, or to a code generation module provided in an external device or server related to the designated and registered terminal 200. As a generic term for information dynamically generated by the designated code generation module, preferably, a one-time code dynamically generated through the designated code generation module and various key values include at least one designation information, as well as processing the dynamically generated one-time code or various key values. Processing other information (e.g., encryption, etc.) using designated information (e.g., text, image, 1/2-dimensional barcode, sound, multimedia, etc.) or using the dynamically generated disposable code or various key values It may include at least one designation information among one designation information. Meanwhile, when the designated code generation module exists outside the designated and registered terminal 200, the designation information dynamically generated by the code generation module is received by the designated and registered terminal 200 through a communication network, or NFC Through the designated registered terminal 200, or through a camera provided in the designated registered terminal 200, it may be recognized as the designated registered terminal 200 (eg, 1/2-dimensional barcode recognition). have.

However, the designation information constituting the designation target identification information of the present invention is by no means limited to the designation information described above, and any information that can designate and identify the designated and registered terminal 200 is the designation target identification information. It should be noted that the designation target identification information of the present invention includes all designation information capable of designating and identifying the designated and registered terminal 200.

According to the implementation method of the present invention, the identification information acquisition unit 125 is based on at least one of a type, a communication network, and a platform of each terminal 200 that can be registered as the terminal 200 to be used for the certificate. ), a designated target identification information condition that designates M (M≥1) pieces of designated information available as designated target identification information of) may be set, and in this case, the designated target identification information condition of the registered terminal 200 It is possible to obtain designation target identification information including m (1≦m≦M) pieces of designation information from among the corresponding M pieces of designation information.

According to the first terminal designation registration method of the present invention, a terminal 200 of a user who has accessed for terminal designation registration may be designated and registered as a terminal 200 that can use the certificate. In this case, the identification information acquiring unit 125 receives designation target identification information including one or more designated designation information from the user's terminal 200 connected for the terminal designation registration, or the user's terminal 200 The stored certificate of the user's terminal 200 through at least one or a combination of two or more of receiving designation target identification information including one or more designation information designated to the user's terminal 200 from a managing management server It is possible to obtain designation target identification information including m pieces of designation information that can be designated as the terminal 200 to be used.

According to the second terminal designation registration method of the present invention, in addition to the user's terminal 200 accessed for terminal designation registration, other terminals 200 available to the user may be designated and registered as terminals 200 that can use the certificate. I can. In this case, the identification information acquiring unit 125 receives the designation target identification information including one or more designation information designated to the target terminal 200 registered as the terminal 200 that can use the certificate from the user's terminal 200. Receiving or receiving designation target identification information including one or more designated information designated from the target terminal 200 based on terminal information for the target terminal 200 provided from the user's terminal 200, or Receiving one or more designation target identification information designated to the target terminal 200 from a management server that manages the target terminal 200, the other terminal 200 available to the user through at least one or a combination of two or more Designation target identification information including m pieces of designation information that can be designated as the terminal 200 in which the stored certificate is to be used may be obtained.

Meanwhile, the identification information acquisition unit 125 verifies whether the obtained identification target identification information includes designation information capable of uniquely designating and identifying the designated and registered terminal 200. Preferably, the identification information acquisition unit 125 of the m pieces of designation information including the designation target identification information, for one or more pieces of information fixedly maintained in the designated and registered terminal 200, to other designated target identification information stored in advance. By performing a redundancy check for each included designated information item, it is possible to verify the validity of whether the acquired designation target identification information can uniquely designate and identify the designated and registered terminal 200. For example, when the acquired designation target identification information includes the MAC address of the designated and registered terminal 200, the MAC address must not overlap with the MAC address included in other previously stored designation target identification information.

When designation target identification information for designating and identifying the terminal 200 that can use the stored certificate is obtained, the identification information storage unit 130 stores the designation target identification information obtained by the identification information acquisition unit 125. . Preferably, the identification information acquisition unit 125 may acquire N number of target identification information for designating and identifying N terminals 200, and the identification information storage unit 130 includes the identification information acquisition unit 125 It stores N number of target identification information for the N number of designated terminals 200 obtained by ).

According to the implementation method of the present invention, the N number of designation target identification information is directly mapped and stored with the certificate in the storage medium 115 in which the user's certificate is stored, or other than the storage medium 115 in which the certificate is stored. It can be stored in another database. Even if the N pieces of identification target identification information are stored in a database other than the storage medium 115 in which the certificate is stored, the N pieces of identification target identification information are indirectly with the certificate stored in the storage medium 115 through the designated identifier. It is desirable to be mapped.

Meanwhile, the identification information acquisition unit 125 may acquire user identification information for uniquely authenticating the user who has received the certificate at any point before, during, or after the point in time when the designation target identification information is obtained. The user identification information is a generic term for information that uniquely identifies a user who has been issued a certificate stored in the storage medium 115 and/or a user who designated and registered the terminal 200 to which the stored certificate will be used, and at the same time authenticates the user. As a result of the user identification procedure performed by the identification procedure unit 120, the user identification information registration process that includes the information used for identification, or is interlocked with the user identification procedure or processed separately User information (eg, ID/PW, etc.) received from the user's terminal 200 may be included. Alternatively, one or more of the designation information constituting the designation target identification information may be used as the user identification information.

Meanwhile, the identification information acquisition unit 125 identifies the same person as the user who received the certificate stored in the storage medium 115, or the same person as the user who designates and registers the terminal 200 in the obtained user identification information. Verify that they are identified. Preferably, the identification information acquisition unit 125 checks the user name corresponding to the user identification information, and the confirmed user name is the same as the name of the issuer of the certificate stored in the storage medium 115, or the terminal It can be verified that the name of the user who designated (200) and registered the same person is identified. If the user identification information is obtained as a result of an identity authentication procedure for the user, validity verification for the user identification information may be omitted.

When user identification information for uniquely authenticating the user is obtained by the identification information acquisition unit 125, the identification information storage unit 130 includes N number of identification target identification information obtained by the identification information acquisition unit 125 And the user identification information are mapped and stored.

According to an implementation method of the present invention, the N pieces of identification target identification information and user identification information are directly mapped and stored together with the certificate in a storage medium 115 in which the user's certificate is stored, or a storage medium in which the certificate is stored. It may be mapped and stored in a database other than (115). Even if the N pieces of identification target identification information and user identification information are stored in a database other than the storage medium 115 in which the certificate is stored, the N pieces of identification target identification information or user identification information are stored in the storage medium ( 115) is preferably mapped indirectly with the stored certificate.

Meanwhile, when the terminal designation registration is omitted according to another implementation method of the present invention, the identification information acquisition unit 125 may acquire user identification information that uniquely authenticates the user, and in this case, the user identification information is As described above, the user's certificate may be directly/indirectly mapped and stored.

As described above, the certificate issued to the user is stored in the designated storage medium 115, and at least one of designation target identification information for the N designated terminals 200 in which the certificate will be used and user identification information that uniquely authenticates the user. The identification information is directly/indirectly mapped and stored with the certificate, thereby completing preparation for using the certificate stored in the storage medium 115 in a cloud manner.

Referring to Figure 1, the operation server 100, request information for receiving request information for requesting to use the certificate stored in the storage medium 115 from the user's terminal 200 in the user's terminal 200 A receiving unit 135 is provided, and an identity authentication procedure unit 120 that performs an identity authentication procedure for a user requesting the use of the certificate is further provided, or user identification information for uniquely authenticating the user identifies the designated target When the information is mapped and stored, a user authentication unit 140 for authenticating a user requesting the use of the certificate through the user identification information may be further provided.

The user accesses the operation server 100 through the terminal 200 used by the user and requests that the certificate stored in the storage medium 115 be used by the user's terminal 200, the request information receiving unit 135 ) Receives request information from the user's terminal 200 to request that the certificate stored in the storage medium 115 be used in the user's terminal 200. Here, the request information may include one or more configuration information necessary to request a certificate stored in the storage medium 115 (eg, user identification information, certificate use method, information on use, target, related server, etc.), and , Depending on the implementation method, the connection of the user's terminal 200 designated and identified through the designation target identification information to the operation server 100 itself may be interpreted as request information requesting to use the certificate.

If user identification information for uniquely authenticating the user is stored by the identification information storage unit 130, the user authentication unit 140 provides user identification information (or separate communication) included in the request information receiving unit 135. The user who requests the use of the stored certificate is authenticated by comparing and authenticating (or authenticating the predicted result after a verification operation) between the user identification information received from the user's terminal 200 through the connection.

On the other hand, when the user identification information for uniquely authenticating the user is not stored by the identification information storage unit 130, or the identification target identification information for the terminal 200 that can use the stored certificate is not stored, the user The authentication procedure unit 120 is a user authentication procedure for whether a user who has been issued the certificate requests the stored certificate, and a user authentication procedure for whether a user who has registered the N terminals 200 requests the stored certificate. At least one of the ID verification procedures is performed. Preferably, the identity authentication for the user is at least specified by the operation server 100 among ID/PW authentication, Internet real name authentication, communication subscriber authentication, card holder authentication, account holder authentication, wireless terminal occupation authentication, and certificate authentication. As described above, it may include one or two or more identity authentication, and that various types of identity authentication may be performed in addition to the above-described method.

According to the implementation method of the present invention, the identity authentication procedure unit 120 determines whether the user who has been issued the certificate requests the stored certificate, or whether the user who has registered the N terminals 200 requests the stored certificate. There are k (k≥1) self-authentication methods for processing the user's identity authentication, and the identity authentication procedure unit 120 may perform the set k identity authentication procedures in a specified order.

Referring to Figure 1, the operation server 100, the terminal 200 of the user requesting the use of the certificate is the n-th (1 ≤ n ≤N) The designation target authentication unit 145 for authenticating whether the terminal 200 or not, and the user stored in the storage medium 115 when the user's terminal 200 is authenticated as the designated n-th terminal 200 A certificate processing unit 150 for processing a certificate to be used through the n-th terminal 200 is provided.

The designation target authentication unit 145 receives designation target identification information including one or more designation information designated to the corresponding terminal 200 from the terminal 200 of the user requesting the use of the certificate, and the received designation target identification information By comparing the N number of designated target identification information for the N designated terminals 200 stored by the identification information storage unit 130, the terminal 200 of the user requesting the use of the certificate is determined by the designated target identification information. It is authenticated whether it is the n-th terminal 200 corresponding to any one of the designated and identified N designated terminals 200. Preferably, the designation target identification information received from the user's terminal 200 includes designation information stored in the user's terminal 200, designation information generated by the user's terminal 200, and the user's terminal 200. ), including one or more of the designated information inputted in.

According to the implementation method of the present invention, the designation target authentication unit 145 is a designation including m designation information used to designate and identify the user's terminal 200 among M designation information available as designation target identification information. After checking the configuration of the target identification information, receiving the designated target identification information including the m pieces of designated information from the user's terminal 200, the received designated target identification information is stored in the identification information storage unit 130 By comparing the N number of designated target identification information for the N designated terminals 200 stored by the user, the terminal 200 of the user requesting the use of the certificate is designated and identified by the designated target identification information. ), it is possible to authenticate whether the n-th terminal 200 corresponds to any one of.

According to the implementation method of the present invention, the designation target identification information may include two or more designation information fixedly maintained in the designated terminal 200, in which case the designation target authentication unit 145 is the designated terminal 200 It is determined whether some of the two or more pieces of information fixedly maintained in the terminal are authenticated and some of the other information are not authenticated. Information can be discarded or re-registered. That is, if some of the two or more pieces of information fixedly held in the designated terminal 200 are authenticated and some of the other information is not authenticated, this means that the terminal 200 ) Means that designation information for designating and identifying has been changed, and thus, the designation target authentication unit 145 may perform a discard procedure or a re-registration procedure for the designation target identification information. Meanwhile, the designation target identification information may include at least one designation information that is input or generated by the designated terminal 200, in which case the designation target authentication unit 145 does not authenticate the input or generated information. In this case, an error for identification of the designated terminal occurs. Alternatively, the designation target identification information may include designation information fixedly maintained in the designated terminal 200, in this case, the designation target authentication unit 145 authenticates all designation information fixedly maintained in the designated terminal 200 If not, an error for identification of the designated terminal may occur.

If the terminal 200 of the user requesting the use of the certificate is authenticated with the n-th terminal 200 that can use the certificate, the certificate processing unit 150 determines the user's certificate stored in the storage medium 115. Process to be used through the terminal 200. In the present invention, processing the certificate stored through the designated n-th terminal 200 to be used means that the user's certificate stored in the storage medium 115 is provided to the designated n-th terminal 200 and the n-th terminal 200 ) To use the certificate, and the operation (or task) to be processed using the certificate in the n-th terminal 200, the operation server 100 (or a server equipped with a certificate processing unit 150) Means at least one or a combination of two of processing on behalf of the n-th terminal 200.

According to the first certificate use method of the present invention, the certificate processing unit 150 provides the stored user's certificate to the designated n-th terminal 200, and the n-th terminal 200 receives the user's certificate. Then, the received certificate is used (eg, user authentication, encryption/decryption, electronic signature, etc.) for various types of certificate use targets including financial transactions and payments by using it as a certificate of the n-th terminal 200.

In the first certificate use method, the certificate processing unit 150 provides the entire configuration of the stored user certificate to the designated n-th terminal 200, or provides a partial configuration of the stored user certificate to the n-th terminal 200 It is possible to provide as (however, even when a partial configuration of the certificate is provided to the n-th terminal 200, the entire configuration of the certificate may be stored in the storage medium 115).

If the certificate processing unit 150 provides a partial configuration of the stored user certificate to the designated n-th terminal 200, the n-th terminal 200 is provided with the remaining configurations except for the partial configuration of the provided certificate. Or, it is preferable that the remaining configuration of the certificate provided in the user-owned portable medium is available, and the entire configuration of the certificate is created by combining some configurations of the received certificate with the remaining configurations. It can be used for various certificate processing by using the entire configuration of the certificate. On the other hand, when the certificate processing unit 150 provides some configurations of the stored user certificates to the designated terminal 200, some configurations of the provided certificates are the same for N designated terminals 200, or N designated It is possible to be different for each terminal 200, and at this time, the rest of the configuration of the certificate provided on the side of the designated terminal 200 is the same for the N number of designated terminals 200 corresponding to the received partial configuration, or It is possible to be different for each of the N designated terminals 200.

According to an exemplary method of the present invention, it is preferable that a specified use limit is set for the certificate provided to the designated n-th terminal 200. Preferably, the certificate provided to the n-th terminal 200 may be temporarily stored in the n-th terminal 200. That is, the certificate provided to the n-th terminal 200 is stored in the volatile memory of the n-th terminal 200, and thus may be automatically destroyed when the power supply of the n-th terminal 200 is cut off. Alternatively, the certificate provided to the n-th terminal 200 may be set for a one-time use or a limit of the number of uses within a specified number. That is, the certificate provided to the n-th terminal 200 can be used only a specified number of times regardless of the form stored in the n-th terminal 200, and then automatically extinguished (e.g., an automatic extinguishing code in the certificate file) Is included), or the certificate function may be automatically stopped. Alternatively, an expiration date and time limit may be set for the certificate provided to the n-th terminal 200. That is, the certificate provided to the n-th terminal 200 can be used only at a limited expiration date such as a few minutes to several hours, or a day to a week, and then it may be automatically extinguished or the certificate function may be automatically stopped. have.

Meanwhile, in the first certificate use method, the certificate processing unit 150 may process the certificate into a structure usable in the n-th terminal 200 and provide it to the n-th terminal 200. That is, even if the user's certificate stored in the storage medium 115 is an original having the same configuration information as when the certificate was issued, the file structure of the certificate file including the configuration information is in the n-th terminal 200. It may be processed into a usable file structure, or may be processed into a form usable through a program provided in the n-th terminal 200. In addition, when a specified usage restriction is set for a certificate provided to the n-th terminal 200, some of the configuration information of the certificate (eg, certificate expiration date, etc.) is changed according to the usage restriction, or the usage restriction is set. A data set to be set or execution code (eg, auto-destruct script code, etc.) may be attached to the certificate.

According to an embodiment of the present invention, in the first certificate use method, the certificate processing unit 150 mounts the storage medium 115 storing the certificate as a virtual storage area usable in the n-th terminal 200 ( Mounting) may be performed, and in this case, the n-th terminal 200 may use the certificate stored in the storage medium 115 as a certificate provided in the n-th terminal 200.

According to the second certificate use method of the present invention, the certificate processing unit 150 may perform certificate processing of the n-th terminal 200 through the stored user's certificate. In this case, the proxy certificate processing may perform all certificate processing (eg, certificate-based user authentication, encryption/decryption, digital signature, etc.) that can use the certificate in the n-th terminal 200.

In the second certificate use method, the certificate processing unit 150 receives data to be processed for a certificate from the designated n-th terminal 200, and a certificate processing procedure for the received data using the stored certificate (e.g., certificate-based After performing a user authentication procedure, encryption/decryption procedure, digital signature procedure, etc.), the certificate-processed data is transferred to a designated target device (e.g., certificate-processed data from the n-th terminal 200 or the n-th terminal 200). To the authentication server (not shown) to receive the message. According to an implementation method of the present invention, the certificate processing unit 150 receives target device identification information for identifying a target device to which the certificate-processed data is to be transmitted from the n-th terminal 200, and the received target device identification information The certificate-processed data can be delivered. If the target device is fixed, it is not necessary to receive the target device identification information.

According to the implementation method of the present invention, in the second certificate use method, the certificate processing unit 150 may link the storage medium 115 and the certificate processing unit 150 for storing the certificate to the n-th terminal 200. Mounting as a virtual external device can be performed, and in this case, the n-th terminal 200 processes the certificate processing to be performed by the n-th terminal 200 through the mounted virtual device. You can use it like you do.

2 is a diagram showing a functional configuration of an application 215 provided in a user's terminal 200 according to an exemplary method of the present invention.

In more detail, FIG. 2 shows a program provided in the user's wireless terminal 200 in the form of an application for registering and using a certificate according to the present invention when the user's terminal 200 is the wireless terminal 200. As shown in the functional configuration, if a person of ordinary skill in the art to which the present invention belongs, refer to and/or modify this Figure 2 to provide the function of the application 215 provided in the various terminals 200 used by the user. Various implementation methods may be inferred, but the present invention includes all of the inferred implementation methods, and the technical features are not limited only by the implementation methods shown in FIG. 2.

Referring to Fig. 2, the wireless terminal 200 includes a control unit 201, a memory unit 213, a screen output unit 202, a key input unit 203, a sound output unit 204, and a sound input unit 205. And a camera unit 206, a wireless network communication module 209, a short-range wireless communication module 208, an NFC module 210, a positioning module 211, a USIM reader unit 212 and a USIM, and supply power It has a battery 207 for.

The control unit 201 is a generic term for a configuration that controls the operation of the wireless terminal 200, and includes at least one processor and an execution memory, and each component and a bus provided in the wireless terminal 200 ( BUS). According to the present invention, the control unit 201 loads at least one program code provided in the wireless terminal 200 into the execution memory through the processor and calculates, and calculates the result of at least one configuration through the bus. Transfer to the negative to control the operation of the wireless terminal 200. Hereinafter, for convenience, the configuration of the application 215 for registering and using a certificate according to the present invention will be described by showing in the controller 201.

The memory unit 213 is a generic term for a nonvolatile memory corresponding to a storage resource provided in the wireless terminal 200, and includes at least one program code executed through the control unit 201 and at least one program code used by the program code. One dataset is stored and maintained. The memory unit 213 basically includes a system program code and a system data set corresponding to the operating system of the wireless terminal 200, a communication program code and a communication data set for processing a wireless communication connection of the wireless terminal 200, and at least One application program code and application data set are stored, and a program code and data set corresponding to the application 215 of the present invention are also stored in the memory unit 213.

The screen output unit 202 is composed of a screen output device (eg, a liquid crystal display (LCD) device) corresponding to an output resource provided in the wireless terminal 200 and a screen output module that drives the screen output module. 201) is connected to a bus to output an operation result corresponding to a screen output among various operation results of the control unit 201 to the screen output device.

The key input unit 203 is composed of a key input device corresponding to an input resource provided in the wireless terminal 200 (or a touch screen device interlocking with the screen output unit 202) and a key input module driving the same. , It is connected to the control unit 201 by a bus to input a command for commanding various operations of the control unit 201 or input data necessary for the operation of the control unit 201.

The sound output unit 204 is composed of a speaker corresponding to an output resource provided in the wireless terminal 200 and a sound module that drives the speaker, and is connected to the control unit 201 by a bus to the control unit 201 Among the various calculation results of, the calculation result corresponding to the sound output is output through the speaker. The sound module decodes sound data to be output through an existing speaker and converts it into a sound signal.

The sound input unit 205 is composed of a microphone corresponding to an input resource provided in the wireless terminal 200 and a sound module that drives the microphone, and transfers sound data input through the microphone to the control unit 201 do. The sound module encodes and encodes a sound signal input through the microphone.

The camera unit 206 is a generic term for camera resources provided in the wireless terminal 200, and is composed of an optical unit, a charge coupled device (CCD), and a camera module driving the same, and input to the CCD through the optical unit. Acquire bitmap data. The bitmap data may include both image data of a still image and video data.

The wireless network communication module 209 and the short-range wireless communication module 208 are communication resources provided in the wireless terminal 200, and the wireless network communication module 209 accesses a wireless communication network through a base station, and The wireless communication module 208 connects to a short-range communication device or wireless AP located in a short distance.

The wireless network communication module 209 is a generic term for a communication configuration for connecting the wireless terminal 200 to wireless communication, and includes an antenna, an RF module, a baseband module, and a signal processing module for transmitting and receiving radio frequency signals of a specific frequency band. It is configured to include at least one, and is connected to the control unit 201 by a bus to transmit an operation result corresponding to wireless communication among various calculation results of the control unit 201 through wireless communication or to receive data through wireless communication. This transfers to the control unit 201 and maintains procedures of access, registration, communication, and handoff of the wireless communication. According to the present invention, the wireless network communication module 209 may connect the wireless terminal 200 to a telephone communication network including a telephone communication channel and a data channel through an exchange, and in some cases, not through the exchange. It can be connected to a data network that provides wireless network data communication based on packet communication.

According to the implementation method of the present invention, the wireless network communication module 209 is a mobile communication configuration that performs at least one access to a mobile communication network, location registration, call processing, call connection, data communication, and handoff according to CDMA/WCDMA standards. Includes. Meanwhile, according to the intention of a person skilled in the art, the wireless network communication module 209 may further include a portable Internet communication configuration that performs at least one access to the portable Internet, location registration, data communication, and handoff according to IEEE 802.16 related standards, It should be clearly understood that the present invention is not limited by the wireless communication configuration provided by the wireless network communication module 209.

The short-range wireless communication module 208 is a short-range communication module that connects a communication session using a radio frequency signal as a communication medium within a predetermined distance, and preferably includes at least one of Wi-Fi communication, Bluetooth communication, and public wireless communication. I can. According to an embodiment of the present invention, the short-range wireless communication module 208 may be integrated with the wireless network communication module 209. According to the present invention, the short-range wireless communication module 208 connects the wireless terminal 200 to a data network providing short-range wireless data communication based on packet communication through a wireless AP.

The NFC module 210 is a generic term for NFC resources provided in the wireless terminal 200, and is a proximity that transmits data between terminals at a proximity distance of about 10cm according to the NFC (Near Field Communication) standard using a 13.56Mz frequency band. It consists of a communication module. The NFC module may be implemented integrally with the short-range wireless communication module 208 or may be implemented as a separate communication module. According to the intention of a person skilled in the art, the NFC module 210 may provide proximity communication in other frequency bands (eg, 900Mhz band) supported by the ISO 18000 series standard in addition to the 13.56Mz frequency band, whereby the present invention is not limited. No. Meanwhile, the NFC module 210 may be included in a communication resource provided in the wireless terminal 200 according to an object to which the NFC module 210 communicates in proximity.

The location positioning module 211 is a generic term for location positioning resources provided in the wireless terminal 200, and consists of a GPS positioning module for positioning the moving position of the wireless terminal 200, and at least three orbiting the earth orbit. By receiving satellite signals transmitted from at least two GPS satellites, the moving position information of the wireless terminal 200 is calculated. Meanwhile, according to another implementation method of the present invention, the location positioning module 211 is connected to a positioning device on a communication network linked to at least two or more base stations (or access points), and the wireless terminal 200 and the base station (or access point) ) It may include a terrestrial positioning module for positioning the position of the wireless terminal 200 in a terrestrial positioning method using the inter-frequency arrival time (or arrival angle).

The USIM reader 212 is a generic term for exchanging at least one data set with a Universal Subscriber Identity Module mounted on or detached from the wireless terminal 200 based on the ISO/IEC 7816 standard. As a result, the data set is exchanged in a half-duplex communication method through an application protocol data unit (APDU).

The USIM is a SIM-type card equipped with an IC chip according to the ISO/IEC 7816 standard, an input/output interface including at least one contact connected to the USIM reader 212, and at least one IC chip program code And an IC chip memory for storing a data set and an IC chip memory connected to the input/output interface to calculate the program code for the IC chip or extract (or process) the data set according to at least one command transmitted from the wireless terminal 200 It includes a processor that transmits to the input/output interface.

The application 215 of the present invention is downloaded from a program providing server (eg, Apple's app store, etc.) through a data network to which the communication resource is accessible, and stored in the memory unit 213. The downloaded application 215 operates in conjunction with the operation server 100 and may be manually driven by a user, or automatically driven (or activated) after user confirmation or by receiving a message. Meanwhile, a separate program may be running in advance to automatically drive the application 215 after user confirmation or automatically, and the present invention is not limited thereby.

Referring to Fig. 2, the application 215 connects to the operation server 100 through a data network to which the communication resource is accessible and subscribes a user as a member, or a member sign-up/authentication that receives the user's membership qualification. A unit 220 and an application authentication unit 225 for authenticating the validity of the application 215 through at least one communication network to which the communication resource is accessible, and the operation server 100 includes the member subscription/ A configuration unit (not shown) for performing a server-side operation corresponding to the operation of the authentication unit 220 and the application authentication unit 225 is provided.

The application 215 includes communication connection macro information for accessing the operation server 100 through a data network to which the communication resource is accessible, and the membership registration/authentication unit 220 is the screen output unit 202 User information (e.g., name, resident registration number, etc.) and an interface for inputting a member account are output through the data network, and user information input through the interface to the operation server 100 and The user is registered as a member by sending a member account.

Meanwhile, the user's membership subscription may be subscribed through a separate user's terminal 200 other than the wireless terminal 200. Therefore, when the user is already registered as a member or has been registered as a member through the user's terminal 200, the member registration/authentication unit 220 outputs an interface for inputting the user's member account, The member account input through the interface is transmitted to the operation server 100 through the data network to authenticate whether the user is a member.

The application authentication unit 225 authenticates the validity of the application 215 to the operation server 100 through at least one of a data network and a telephone communication network to which the communication resource is accessible. According to the implementation method of the present invention, the process of authenticating the validity of the application 215 is an encryption/decryption communication process agreed in advance between the application 215 and the operation server 100, and for convenience, the encryption/decryption Detailed description of the process will be omitted.

According to the first application authentication method of the present invention, the application 215 is downloaded through the program providing server in a state in which a unique key value for identifying that it is an application operated by the operation server 100 is set. In this case, the application authentication unit 225 may authenticate that the application 215 is an application operated by the operation server 100 by transmitting the unique key value to the operation server 100. Meanwhile, in the process of transmitting the unique key value to the operation server 100, the application authentication unit 225 stores at least one unique information stored in the wireless terminal 200 or allocated to a communication network with the unique key value. By transmitting together, it is possible to simultaneously authenticate that the application 215 is an application operated by the operation server 100 and that the application 215 is running in the wireless terminal 200.

According to the second application authentication method of the present invention, after the application 215 is downloaded through the program providing server, an app identification value that uniquely identifies the application 215 on the data network according to a predetermined procedure (for example, A device token, etc. allocated by APNS of Apple Inc.) may be allocated, and in this case, the application authentication unit 225 transmits the app identification value to the operation server 100, so that the application 215 It can be authenticated that the application is operated by the operation server 100. On the other hand, the application authentication unit 225 in the process of transmitting the app identification value to the operation server 100, the at least one unique information stored in the wireless terminal 200 or allocated to the communication network with the app identification value By transmitting together, it is possible to simultaneously authenticate that the application 215 is an application operated by the operation server 100 and that the application 215 is running in the wireless terminal 200.

According to the third application authentication method of the present invention, the application 215 has at least one key value, a key exchange protocol, and an encryption/decryption rule set, and an authentication procedure for authenticating the application 215 is defined using this. It can be downloaded through the program providing server while the certificate is mounted, in this case, the application authentication unit 225 is at least one key value and a key exchange protocol set in the certificate according to the authentication procedure defined in the certificate. And it is possible to authenticate that the application 215 is an application operated by the operation server 100 by selectively using an encryption/decryption rule. Meanwhile, the application authentication unit 225 further uses at least one unique information stored in the wireless terminal 200 or allocated to a communication network in the process of using the certificate for the authentication procedure, so that the application 215 It is possible to simultaneously authenticate that the application is operated by the operation server 100 and that the application 215 is running in the wireless terminal 200.

According to the fourth application authentication method of the present invention, when the authentication number sent from the operation server 100 is received through the message exchange protocol of the telephone communication network, the wireless terminal 200 stores the received authentication number. By receiving input and transmitting it to the operation server 100 through the data network, the application 215 may be authenticated as an application operated by the operation server 100. Meanwhile, the application authentication unit 225 transmits at least one unique information stored in the wireless terminal 200 or allocated to a communication network together with the authentication number in the process of transmitting the authentication number to the operation server 100 By doing so, it is possible to simultaneously authenticate that the application 215 is an application operated by the operation server 100 and that the application 215 is running in the wireless terminal 200.

According to the fifth application authentication method of the present invention, the application authentication unit 225 from the operation server 100 through an authentication method that selectively combines one or more of the first to fourth application authentication methods ( 215), and the present invention is not limited thereto.

Referring to Fig. 2, the application 215 includes an identity authentication processing unit 230 that processes identity authentication for the user in connection with the identity authentication procedure unit 120 of the operation server 100.

The identity authentication processing unit 230 is a configuration unit that performs an operation on the terminal side for one or more identity authentication procedures performed by the identity authentication procedure unit 120 of the operation server 100 in a specified order for identity authentication of the user. As a generic term, preferably, one or more of ID/PW authentication, Internet real name authentication, communication subscriber authentication, card holder authentication, account holder authentication, wireless terminal occupation authentication, and certificate authentication may be performed.

The identity authentication processing unit 230 performs an operation of authenticating the identity of the user in at least one of a process of registering a certificate, registering a terminal designation, and using a certificate.

Referring to Figure 2, the application 215, the certificate issued to the user through the certificate acquisition unit 105 of the operation server 100 is obtained, and the certificate storage unit 110 of the operation server 100 And a certificate registration unit 235 that processes the user's certificate to be stored in the storage medium 115 designated through the method.

The certificate registration unit 235 processes to obtain a user's certificate to be stored in the designated storage medium 115 through the certificate acquisition unit 105 of the operation server 100.

When the user's certificate is obtained through a certificate server according to the first certificate acquisition method of the present invention, the certificate registration unit 235 is configured to receive the certificate acquisition unit 105 of the operation server 100 through the certificate server. By transmitting the certificate issuance information necessary for obtaining the user's certificate to the operation server 100, the user's certificate to be stored in the designated storage medium 115 through the certificate acquisition unit 105 of the operation server 100 It can be processed to be obtained.

When the user's certificate is obtained through the designated authority server according to the second certificate acquisition method of the present invention, the certificate registration unit 235 operates the identification information uniquely identifying the user and the agency information operating the authority server. By transmitting to the server 100, the user's certificate to be stored in the designated storage medium 115 through the certificate acquisition unit 105 of the operation server 100 can be processed to be obtained.

When a user's certificate provided in the user's terminal 200 or being used in the user's terminal 200 is obtained according to the third certificate acquisition method of the present invention, the certificate registration unit 235 ) Of the memory unit 213 (or IC chip including USIM) or extracts a certificate stored in the user's portable medium, and transfers the extracted certificate to the operation server 100 according to a specified certificate copy/transfer procedure. ), it is possible to process to obtain a user's certificate to be stored in the designated storage medium 115 through the certificate acquisition unit 105 of the operation server 100.

The certificate obtained through at least one of the first to third certificate obtaining methods is stored in the designated storage medium 115.

Meanwhile, the certificate registration unit 235 may receive the remaining part of the certificate stored in the storage medium 115 from the operation server 100 and store it in the memory unit 213 or the IC chip, and the remaining part of the certificate The configuration is used as the designation target identification information, or combined with some configurations of the certificate received from the operation server 100 at the time the certificate stored in the storage medium 115 is used to configure the entire configuration of the available certificate It is used to

Referring to Figure 2, the application 215, through the identification information acquisition unit 125 of the operation server 100, the wireless terminal 200 (or other terminals available to the user other than the wireless terminal 200 ( 200)), and a terminal designation processing unit 240 for processing such that the target identification information is obtained and stored through the identification information storage unit 130 of the operation server 100.

The terminal designation processing unit 240 includes information stored in the memory unit 213, information stored in an IC chip including the USIM, information recorded in a read-only memory of the wireless terminal 200, and the wireless terminal 200 Information assigned to the hardware configuration unit of, communication identification information of the wireless terminal 200, information generated by the wireless terminal 200, information input through the key input unit 203, and identification of the application 215 Obtaining m pieces of designation information in which at least one or two or more of the information and information dynamically generated through the designated code generation module are combined, and the operation of identification target identification information including the obtained m pieces of designation information through a communication network By providing it to the server 100, it processes so that the designation target identification information is obtained through the identification information acquisition unit 125 of the operation server 100.

According to an embodiment of the present invention, the designation target identification information for the wireless terminal 200 includes designation information stored in the wireless terminal 200, designation information generated by the wireless terminal 200, and the wireless terminal 200. The terminal designation processing unit 240 includes various resources (eg, storage resources, etc.) provided in the wireless terminal 200 to configure the designation target identification information. The rights to use output resources, input resources, camera resources, communication resources, NFC resources, location positioning resources, etc.) are acquired, and m pieces of designated information to be included in the target identification information of the wireless terminal 200 are acquired through this. For example, the terminal designation processing unit 240 acquires specific designation information to be included in the designation target identification information from various resources provided in the wireless terminal 200, or by using information obtained from the various resources. You can create specific information.

Referring to Figure 2, the application 215, the wireless terminal 200 through the designation target authentication unit 145 of the operation server 100 can use the certificate stored in the storage medium 115 The certificate stored in the designated storage medium 115 is interlocked with the designated terminal authentication unit 245 for authenticating with the n-th terminal 200 among the designated terminals 200 and the certificate processing unit 150 of the operation server 100. It includes a certificate using unit 250 to process the used certificate processing to be performed.

When the certificate processing using the user's certificate is to be performed through the certificate use unit 250, the designated terminal authentication unit 245 stores information stored in the memory unit 213 and an IC chip including the USIM. Information, information recorded in a read-only memory of the wireless terminal 200, information allocated to a hardware component of the wireless terminal 200, communication identification information of the wireless terminal 200, and the wireless terminal 200 M pieces of designated information in which at least one or two or more of information generated from, information input through the key input unit 203, information identifying the application 215, and information dynamically generated through a designated code generation module are combined. The wireless terminal through the designation target authentication unit 145 of the operation server 100 by obtaining and providing designation target identification information including the obtained m pieces of designation information to the operation server 100 through a communication network 200 processes the certificate stored in the storage medium 115 to be authenticated as the n-th terminal 200 among the N number of designated terminals 200 available.

According to an implementation method of the present invention, the designation target identification information for authenticating the wireless terminal 200 to the n-th terminal 200 is designated information stored in the wireless terminal 200, and the designation generated by the wireless terminal 200 Information, including one or more designation information of designated information input from the wireless terminal 200, and the designated terminal authentication unit 245 is provided in the wireless terminal 200 to configure the designation target identification information Acquires the right to use various resources (eg, storage resources, output resources, input resources, camera resources, communication resources, NFC resources, positioning resources, etc.), and through this, m to be included in the designation target identification information of the wireless terminal 200 Obtain specified information of dogs. For example, the designated terminal authentication unit 245 obtains specific designated information to be included in the designated target identification information from various resources provided in the wireless terminal 200, or by using information obtained from the various resources. You can create specific designation information.

When the wireless terminal 200 is authenticated with the n-th terminal 200 that can use the user's certificate stored in the storage medium 115 through the designated terminal authentication unit 245, the certificate use unit 250 The user's certificate stored in the storage medium 115 is provided through the certificate processing unit 150 of the operation server 100, or the certificate processing transmits data to the certificate processing unit 150 of the operation server 100.

When the user's certificate stored in the storage medium 115 is received through the certificate processing unit 150 of the operation server 100 according to the first certificate use method of the present invention, the certificate use unit 250 receives the The user's certificate is stored in a designated storage area (e.g., volatile memory area, nonvolatile memory area, etc.), and data corresponding to the subject of certificate processing using the user's certificate (eg, financial transaction information, payment information, etc.) ), and then performs a certificate processing procedure for the data using various keys (eg, user's public key, private key, etc.) provided in the certificate. The certificate use unit 250 transmits the certificate-processed data to a designated authentication server through a communication network.

According to the second certificate use method of the present invention, when the certificate processing unit 150 of the operation server 100 performs certificate processing on the certificate processing target data, the certificate use unit 250 stores the user's certificate. Data corresponding to the used certificate processing target (eg, financial transaction information, payment information, etc.) is checked and transmitted to the operation server 100 through a communication network. If the certificate-processed data is designated to be received by the wireless terminal 200, the certificate using unit 250 is the user's stored in the storage medium 115 from the certificate processing unit 150 of the operation server 100 After receiving the certificate-processed data through a certificate, the certificate-processed data is transmitted to a designated authentication server through a communication network. Meanwhile, the certificate processing unit 150 of the operation server 100 may directly transmit the certificate-processed data to the designated authentication server, whereby the present invention is not limited.

Figure 3 is a diagram showing a process of registering a certificate in the cloud-type certificate operation according to the present invention.

In more detail, FIG. 3 shows an implementation method for the process of registering the certificate issued to the user by the certificate issuing authority in the designated storage medium 115 on the network after authenticating the user. Those of ordinary skill in the art can infer various implementation methods for the certificate registration process (e.g., implementation methods in which some steps are omitted or the order is changed) by referring and/or modifying this Figure 3 Although there may be, the present invention includes all of the above inferred implementation methods, and the technical features are not limited only by the implementation method shown in FIG. 3.

Referring to FIG. 3, the user's terminal 200 accesses the operation server 100 through a communication network and requests to register a certificate issued to the user by a certificate issuing authority in a designated storage medium 115 on the network (300 ), in response to this, the operation server 100 checks the i identity authentication methods available in the user's terminal 200 (305), and the i identity authentication procedures in connection with the user's terminal 200 Is performed according to the specified order (310).

If the user's identity authentication is not processed, the operation server 100 provides and outputs an identity authentication error to the user's terminal 200 (315). Meanwhile, when the user's identity authentication is processed, the operation server 100 obtains a user's certificate to be stored in the designated storage medium 115 (320). The user's certificate to be stored in the designated storage medium 115 is obtained from a certificate server (320) provided in the certificate issuing authority that issued the user's certificate according to the first certificate acquisition method described in FIG. 1, or Obtained from the authority server of the management institution that manages the certificate issued to the user according to the second certificate acquisition method (320), or copy the certificate being used in the user's terminal 200 according to the third certificate acquisition method It may be obtained in a transfer manner (320).

If the user's certificate to be stored in the designated storage medium 115 is not obtained, the operation server 100 provides and outputs a certificate acquisition error to the user's terminal 200 (325). Meanwhile, when a user's certificate to be stored in the designated storage medium 115 is obtained, the operation server 100 verifies the validity of the obtained user's certificate (330).

If the validity of the obtained user's certificate is verified, the operation server 100 stores the obtained user's certificate in a designated storage medium 115 (340).

FIG. 4 is a diagram showing a process of designating and registering a terminal 200 that can use a certificate in the cloud type certificate operation according to the present invention.

In more detail, FIG. 4 shows an implementation method for the process of pre-designating and registering N terminals 200 that can use the user's certificate stored in the storage medium 115 through the process shown in FIG. 3. As such, if a person of ordinary skill in the art to which the present invention belongs, various implementation methods for the terminal designation registration process (e.g., some steps are omitted or the order is changed) by referring and/or modifying this drawing 4 Implementation method) may be inferred, but the present invention includes all of the inferred implementation methods, and the technical features are not limited only by the implementation method shown in FIG. 4. Meanwhile, the process shown in FIG. 4 may be performed before the process of FIG. 3. In addition, if the terminal 200 capable of using the certificate is not previously designated and registered, the process shown in FIG. 4 may be omitted.

Referring to Figure 4, the user's terminal 200 is able to use the user's certificate stored in the storage medium 115 through the process shown in Figure 3 for itself (or other various terminals 200 available to the user). Requests to be designated and registered as the terminal 200 (400), and in response thereto, the operation server 100 checks j authentication methods available in the user's terminal 200 (405), and the user's terminal In connection with 200, the j authentication procedures are performed in a specified order (410). On the other hand, if FIG. 4 is collectively performed together with the process of FIG. 3, the user authentication may be omitted since it has already been performed in FIG.

If the user's identity authentication is not processed, the operation server 100 provides and outputs an identity authentication error to the user's terminal 200 (415). Meanwhile, when the user's identity authentication is processed, the operation server 100 checks m pieces of designated information corresponding to the designation target identification information for the terminal 200 to be designated and registered by the user's terminal 200 ( 420), a request for identification target identification information including m pieces of designation information on the terminal 200 to be designated and registered is requested to the user's terminal 200 (425).

The user's terminal 200 extracts, generates, or receives the designation target identification information including m pieces of designation information for the terminal 200 to be designated and registered (430) , And transmits the designation target identification information including the obtained m designation information to the operation server 100 (435).

The operation server 100 receives the designation target identification information including the m designation information (440), and performs validation on at least one of the m designation information included in the designation target identification information (445). ).

If the received designation target identification information is not verified, the operation server 100 provides and outputs the designation target identification information error to the user's terminal 200 (450). Meanwhile, if the received designation target identification information is verified, the operation server 100 directly/indirectly stores the designation target identification information with the user's certificate stored in the designated storage medium 115 through the process shown in FIG. 3. Mapped and stored (455).

FIG. 5 is a diagram showing a process of registering a user who can use a certificate in a cloud type certificate operation according to the present invention.

In more detail, FIG. 5 is an implementation method for a process of pre-identifying and registering a user who registered a certificate through the process shown in FIG. 3 or a user who designated and registered the terminal 200 through the process shown in FIG. As shown, if a person of ordinary skill in the art to which the present invention belongs, various implementation methods for the user registration process (e.g., some steps are omitted, or order The modified implementation method) may be inferred, but the present invention includes all the inferred implementation methods, and the technical features are not limited only by the implementation method shown in FIG. 5. In particular, this figure 5 is for simplifying or automating authentication for the user in the process of using the certificate stored in the storage medium 115. If the user's identity authentication procedure is used in the process of using the certificate, this figure 5 is Can be omitted.

Referring to FIG. 5, during the process shown in FIG. 3 or 4, the operation server 100 uniquely authenticates a user corresponding to a certificate stored in the storage medium 115 to the user's terminal 200 In response to the request for identification information 500, the user's terminal 200 determines user identification information for uniquely authenticating the user and transmits it to the operation server 100 (505), and the operation server 100 ) Acquires user identification information for uniquely authenticating the user from the user's terminal 200 (510). Meanwhile, the user identification information may be obtained from information used in the user identification process as a result of the user identification process performed in the process shown in FIG. 3 or 4 (510).

The operation server 100 verifies the validity of the obtained user identification information (515). If the validity of the user identification information is not verified, the operation server 100 is the user's terminal 200 An error for user identification information is provided and output (520). On the other hand, when the validity of the user identification information is verified, the operation server 100 transmits the designation target identification information registered through the process shown in Fig. 4 and the user's identification information through the process shown in Fig. 3. The user's certificate stored in the storage medium 115 is directly/indirectly mapped and stored (525).

6 is a diagram showing a process of checking/extracting a certificate registered in the storage medium 115 in the cloud type certificate operation according to the present invention.

In more detail, FIG. 6 shows an implementation method for a process of checking or extracting a certificate stored in the storage medium 115 through the process shown in FIG. 3 in order to use the certificate in a cloud method. For those of ordinary skill in the relevant technical field, various implementation methods for the certificate verification/extraction process by referring and/or modifying this Figure 6 (e.g., some steps are omitted or the order is changed) Although it may be inferred, the present invention includes all the inferred implementation methods, and the technical features are not limited only by the implementation methods shown in FIG. 6. Meanwhile, the process shown in FIG. 6 may be performed before the process of FIG. 3. In addition, if the terminal 200 capable of using the certificate is not previously designated and registered, the process illustrated in FIG. 6 may be omitted.

Referring to Fig. 6, the user's terminal 200 requests the operation server 100 to use the certificate stored in the storage medium 115 through the process shown in Fig. 3 (600), and the operation The server 100 checks the k identity authentication methods available in the user's terminal 200 (605), and performs the k identity authentication procedures in a specified order in connection with the user's terminal 200 (610). Meanwhile, when the user identification information is registered through the process shown in FIG. 5, the operation server 100 may authenticate the user through the registered user identification information (615).

If the user's identity authentication is not processed or the user authentication through the user identification information is not processed, the operation server 100 provides and outputs an authentication error for the user to the user's terminal 200 (620). On the other hand, when the user's identity authentication is processed or the user authentication through the user identification information is processed, the operation server 100 authenticates the terminal 200 of the user requesting the use of the certificate as a designated registered terminal 200 The m pieces of designation information are checked (625), and the designation target identification information including the m pieces of designation information is requested to the user's terminal 200 (630).

The user's terminal 200 extracts, generates, or obtains the identification target identification information including the requested m pieces of designation information through at least one of receiving inputs (635), and then the acquired m pieces of designation Designation target identification information including information is transmitted to the operation server 100 (640).

The operation server 100 acquires designation target identification information including the m pieces of designation information (645), and stores the designation target identification information registered through the process shown in Fig. 4 and the obtained designation target identification information. By comparison, the user's terminal 200 is authenticated as the designated and registered n-th terminal 200 through the process shown in FIG. 4 (650).

If the user's terminal 200 is not authenticated as the designated and registered n-th terminal 200, the operation server 100 provides and outputs a designation target error for the user's terminal 200 (655). , If necessary, the user's terminal 200 may be discarded, or the process of registering the user's terminal 200 as a designated target may be performed by applying the process shown in FIG. have. On the other hand, when the user's terminal 200 is authenticated with the designated and registered n-th terminal 200, the operation server 100 directly/indirectly maps the designated storage medium 115 to the designated target identification information. Confirm or extract the certificate (660). Meanwhile, according to the implementation method of the present invention, the user's terminal 200 receives the user's certificate stored in the storage medium 115 from the operation server 100 as the user's certificate stored in the storage medium 115 is checked. It can be confirmed that the status is available (665).

7 is a diagram showing a process of using a certificate in a cloud method according to an exemplary method of the present invention.

In more detail, FIG. 7 shows an implementation method for a process of providing and processing a user's certificate stored in a designated storage medium 115 to the user's terminal 200 to be used. In the technical field to which the present invention belongs. Those of ordinary skill in the art will be able to infer various implementation methods (e.g., implementation methods in which some steps are omitted or the order is changed) for the process of using the certificate by referring and/or modifying this Figure 7, The present invention includes all of the above inferred implementation methods, and the technical features are not limited only by the implementation method shown in FIG. 7. Meanwhile, the process shown in FIG. 7 may be performed before the process of FIG. 3. In addition, if the terminal 200 that can use the certificate is not previously designated and registered, the process shown in FIG. 7 may be omitted.

Referring to FIG. 7, when the user's certificate stored in the storage medium 115 is extracted through the process shown in FIG. 6, the operation server 100 is assigned to the user's certificate extracted from the storage medium 115. After setting the usage restriction (700), the user's certificate is provided to the n-th terminal 200 of the authenticated user through the process shown in Fig. 6 (705), and in response thereto, the user's n-th terminal 200 receives the user's certificate extracted from the storage medium 115 through a communication network and maintains it according to the usage restrictions set in the certificate (710).

Thereafter, the n-th terminal 200 of the user checks the data subject to certificate processing (715), and the certificate processing procedure for the data through the maintained user's certificate (e.g., user authentication, encryption/decryption, digital signature) Etc.) is performed (720).

If the certificate processing for the data is completed, the n-th terminal 200 of the user transmits the certificate-processed data to a designated authentication server (725), and in response to this, the authentication server sends the certificate-processed data. After receiving (730), the certificate-processed data is authenticated (eg, user authentication, encryption/decryption, digital signature verification, etc.) through a certificate issued to the user (735).

If the certificate-processed data is authenticated, the authentication server processes to provide the requested service from the user's terminal 200 using the authenticated data (740), and the service using the authenticated data is It may be provided through a separate service providing server (eg, a bank server, a card company server, etc.) interlocking with the authentication server.

FIG. 8 is a diagram illustrating a process of using a certificate in a cloud method according to another embodiment of the present invention.

In more detail, FIG. 8 shows an implementation method of a process of proxying the certificate processing to be performed in the user's terminal 200 through the user's certificate stored in the designated storage medium 115, and the technology to which the present invention belongs. Those of ordinary skill in the field can infer various implementation methods (e.g., implementation methods in which some steps are omitted or the order is changed) for the process of using the certificate by referring and/or modifying this Figure 8. However, the present invention includes all the inferred implementation methods, and the technical features are not limited only by the implementation method shown in FIG. 8. Meanwhile, the process shown in FIG. 8 may be performed before the process of FIG. 3. In addition, if the terminal 200 capable of using the certificate is not previously designated and registered, the process illustrated in FIG. 8 may be omitted.

Referring to FIG. 8, when it is confirmed that the user's certificate stored in the storage medium 115 is available through the process shown in FIG. 6, the n-th terminal 200 of the user checks the certificate processing target data ( 800), by transmitting the certificate processing target data to the operation server 100 to request that the certificate processing is performed using the user's certificate stored in the storage medium 115 (805), and in response thereto, the operation server 100 ) Receives the certificate processing target data from the user's n-th terminal 200 (810), and a certificate processing procedure for the received data through the user's certificate stored in the storage medium 115 (e.g., user Authentication, encryption/decryption, electronic signature, etc.) are performed on behalf of (815).

If the certificate processing for the data is completed, the operation server 100 transmits the certificate-processed data to a designated target device (820). Preferably, the certificate-processed data may be transmitted to the user's n-th terminal 200, in which case the user's terminal 200 receives the certificate-processed data through the user's certificate (825). ), the certificate-processed data may be transmitted to a designated authentication server (830). Alternatively, the certificate-processed data may be directly transmitted to the authentication server.

The authentication server receives the certificate-processed data through the user's certificate from the user's terminal 200 or the operation server 100 (835), and authenticates the certificate-processed data through a certificate issued to the user. (Eg, user authentication, encryption/decryption, digital signature verification, etc.) (840).

If the certificate-processed data is authenticated, the authentication server processes the service requested from the user's terminal 200 to be provided using the authenticated data (845), and the service using the authenticated data is It may be provided through a separate service providing server (eg, a bank server, a card company server, etc.) interlocking with the authentication server.

100: operation server 105: certificate acquisition unit
110: certificate storage unit 115: storage medium
120: Identity verification process unit 125: Identification information acquisition unit
130: identification information storage unit 135: request information receiving unit
140: user authentication unit 145: designation target authentication unit
150: certificate processing unit 200: terminal

Claims (8)

In the cloud method certificate operation method executed by the server,
A first step of performing a specified identity authentication procedure for the user upon requesting to store a user certificate in a storage medium on the cloud through a user terminal;
A second step of storing the user certificate in a storage medium on the cloud when the user's identity authentication is processed;
A third step of performing a specified identity authentication procedure for the user when requesting to use a user stored in a storage medium on the cloud through a user terminal; And
A fourth step of performing a procedure of using a user certificate stored in a storage medium on the cloud when the user's identification is processed.
The method of claim 1, wherein the first step,
And performing i identity authentication procedures corresponding to i (i≥1) identity authentication methods set to register the user certificate in a storage medium on the cloud.
The method of claim 2, wherein the first step,
And performing the i identity authentication procedures according to a preset sequence.
The method of claim 1, wherein the second step,
Receive the user certificate from the certificate server and store it in a storage medium on the cloud, or
A method of operating a cloud-based certificate, comprising at least one of receiving the user certificate through a user's terminal and storing it in a storage medium on the cloud.
The method of claim 1, wherein the third step,
A cloud method certificate operation method comprising the step of performing j authentication procedures corresponding to j (j≥1) authentication methods set to use a user certificate stored in a storage medium on the cloud.
The method of claim 5, wherein the third step,
And performing the j authentication procedures according to a preset sequence.
The method of claim 1, wherein the fourth step,
And setting a usage limit specified in a user certificate stored in a storage medium on the cloud and providing it to the user terminal.
The method of claim 1, wherein the fourth step,
And processing a certificate for data received from the user terminal by using a user certificate stored in a storage medium on the cloud.

Images