KR20210045634A - Method and System for OTP authentication based on Bio-Information - Google Patents

Abstract

The present invention relates to a biometric information-based OTP authentication method and system and, more specifically, to a biometric information-based OTP authentication method and system performing user authentication by applying FIDO authentication according to the FIDO standard performing user authentication based on biometric information and performing OTP authentication through OTP information created by using common information of a user as a seed. The biometric information-based OPT authentication method comprises: a user registration step; a user authentication step; and an OTP authentication step.

Description

Bio-information based OTP authentication method and system {Method and System for OTP authentication based on Bio-Information}

The present invention relates to a biometric information-based OTP authentication method and system, and more particularly, to perform user authentication by applying FIDO authentication according to the FIDO standard for performing user authentication based on biometric information, and to perform user authentication. It relates to a biometric information-based OTP authentication method and system capable of performing OTP authentication through OTP information generated by using as a seed.

In general, FIDO (Fast Identity Online) is a new authentication system that enables authentication through simple procedures that cannot be replaced through biometric information such as fingerprint recognition, iris recognition, or face recognition instead of ID and password. It is the standard standard of. FIDO authentication is basically an authentication system that is used to solve the vulnerability of a system that uses ID and password.It is not a password that the user must register and remember, but what the user has, for example, fingerprint, Security is further enhanced by using biometric information such as iris and face or biometric information as passwords.

Meanwhile, the OTP device is a random number generation device that generates a one-time password having a different arrangement each time a password is generated using a programmed and stored OTP generation program. As such, the OTP device generates a password composed of a different number each time a one-time password is generated, so that a myriad of passwords can be generated, and security is excellent. However, in the case of electronic authentication using an existing OTP, there is an inconvenience that a user must always carry an OTP device that generates a one-time password. In addition, in the case of OTP, user authentication is not required, so in the case of a hardware type OTP such as an OTP device, anyone presses a button to generate an OTP number. OTP number can be generated later, but there is a problem that security is weak because the correlation between user authentication information and OTP number is low. For this reason, when the OTP medium is lost or hacked, there is a problem that the authentication strength is considerably degraded in that user authentication is not performed. In order to solve this problem, a technology for generating an OTP number by performing user authentication with high security is required in providing an OTP service, but such a conventional technology is absent.

In the present invention, user authentication can be performed by applying FIDO authentication according to the FIDO standard that performs user authentication based on biometric information, and OTP authentication can be performed through OTP information generated by using the user's common information as a seed. It is an object of the present invention to provide a biometric information-based OTP authentication method and system.

In order to solve the above problems, the present invention provides a biometric information-based OTP authentication method performed in a service authentication server and a FIDO server capable of directly or indirectly performing data communication with a user's terminal, by the FIDO server, A user registration step of transmitting a local authentication request to the user's terminal according to the user registration request sent by the user's terminal, and receiving and storing user common information generated according to local authentication performed in the user's terminal; Transmitting one-time verification information to the user's terminal by the FIDO server, receiving a verification response for the one-time verification information, and performing user authentication through verification of the verification response according to the information included in the user common information. User authentication step; And receiving, by the service authentication server, first OTP information generated in the user's terminal by using the user common information stored in the user's terminal as a seed. Generating second OTP information by using the common user information stored in the FIDO server as a seed by the FIDO server; And an OTP authentication step including, by the service authentication server, receiving the second OTP information generated by the FIDO server and determining whether the first OTP information and the second OTP information match or not; including, biometric information-based OTP Provides an authentication method.

In an embodiment of the present invention, the user registration step includes, by the FIDO server, receiving the user registration request from the user's terminal; Transmitting, by the FIDO server, a local authentication request to the user's terminal; Receiving, by the FIDO server, the user common information including a public key generated from a terminal of a user who has performed local authentication according to the local authentication request; And storing, by the FIDO server, the user common information including the received public key in the FIDO server.

In an embodiment of the present invention, the user common information may include a public key and a user ID generated in the user's terminal.

In an embodiment of the present invention, the local authentication may be performed by determining whether the user's biometric information previously stored in the user's terminal and the biometric information input to the user's terminal match.

In an embodiment of the present invention, the user authentication step includes, by the service authentication server, receiving a service request from the user's terminal; Receiving, by the FIDO server, a user authentication request from the service authentication server; Generating one-time verification information by the FIDO server and transmitting it to a user's terminal; Receiving, by the FIDO server, the verification response including the one-time verification information encrypted with the user's private key from the user's terminal for which local authentication has been performed; Decrypting the verification response received by the FIDO server using the user's public key stored in the user registration step; And performing user authentication by determining whether the decrypted one-time verification information and the one-time verification information generated by the FIDO server are matched by the FIDO server.

In an embodiment of the present invention, the OTP authentication step may include: receiving, by the service authentication server, first OTP information generated and transmitted by the user's terminal; Receiving, by the FIDO server, the user's OTP authentication request from the service authentication server; Generating, by the FIDO server, an OTP seed based on the user common information; Generating, by the FIDO server, second OTP information based on the OTP generation information including the OTP seed and time information; Transmitting the second OTP information to the service authentication server by the FIDO server; And performing OTP authentication by determining whether the first OTP information and the second OTP information match by the service authentication server.

In an embodiment of the present invention, the OTP authentication step may be executed only when user authentication is completed in the user authentication step.

In order to solve the above problems, an embodiment of the present invention is a biometric information-based OTP authentication system implemented by a service authentication server and a FIDO server capable of directly or indirectly performing data communication with a user's terminal, The FIDO server transmits a local authentication request to the user's terminal according to the user registration request sent by the user's terminal, and the FIDO server receives and stores the user common information generated according to local authentication in the user's terminal. And, the FIDO server transmits one-time verification information to the user's terminal, and the FIDO server receives a verification response for the one-time verification information and verifies the verification response according to the information included in the user common information. After performing authentication, the service authentication server receives the first OTP information generated in the user's terminal by using the user common information stored in the user's terminal as a seed, and the FIDO server uses the user common information stored in the FIDO server as a seed. To generate second OTP information, the service authentication server receives the second OTP information generated by the FIDO server, and the service authentication server determines whether the first OTP information and the second OTP information match. Provides an authentication system.

In order to solve the above problems, an embodiment of the present invention is a biometric information-based OTP authentication method performed in a service authentication server and a FIDO server capable of directly or indirectly performing data communication with a user's terminal, the User registration that transmits a local authentication request to the user's terminal according to the user registration request sent by the user's terminal by the FIDO server, and receives and stores user common information generated by performing local authentication in the user's terminal step; An OTP seed encryption step of generating an encrypted OTP seed by encrypting the OTP seed stored in the FIDO server using a symmetric key derived based on the user common information by the FIDO server; Transmitting one-time verification information to the user's terminal by the FIDO server, receiving a verification response for the one-time verification information, and performing user authentication through verification of the verification response according to the information included in the user common information. User authentication step; Receiving, by the service authentication server, first OTP information generated in the user's terminal based on the OTP seed information stored in the user's terminal; Deriving an OTP seed by decrypting the encrypted OTP seed using a symmetric key derived based on the user common information by the FIDO server, and generating second OTP information based on the derived OTP seed; And, by the service authentication server, receiving the second OTP information generated by the FIDO server and determining whether the first OTP information and the second OTP information match or not; including an OTP authentication step; including, based on biometric information Provides OTP authentication method.

According to an embodiment of the present invention, OTP information is generated and authenticated only when user authentication is performed through biometric information, thereby reducing the risk of OTP leakage occurring when the OTP device is lost or an OTP program is hacked, By performing user authentication through irreplaceable biometric information, an effect of improving the security of the OTP service can be exerted.

According to an embodiment of the present invention, by storing user information in a FIDO server and registering a user, generating OTP information using the user information stored in the FIDO server as a seed, and providing an OTP service. By preventing information from being viewed, the effect of improving security can be exerted.

According to an embodiment of the present invention, by performing local authentication based on biometric information, and verifying the verification response to the one-time verification information based on user common information shared only with the user's terminal and FIDO server only when local authentication is completed, Since user authentication is performed only for registered users, the effect of enhancing the security of user authentication can be exerted.

According to an embodiment of the present invention, by performing authentication by generating OTP information using user common information shared only with the FIDO server and the user's terminal as a seed, it is possible to exert an effect of reinforcing the security vulnerability of OTP information. .

According to an embodiment of the present invention, since a seed for generating OTP information is generated using common information of a user stored only in the FIDO server and the user's terminal, it is possible to reduce damage caused by information leakage. .

1 schematically shows the overall system form of a biometric information-based OTP authentication method according to an embodiment of the present invention.
FIG. 2 schematically shows steps of an overall process of performing an OTP authentication method based on biometric information in a server system according to an embodiment of the present invention.
3 schematically shows a process of performing a user registration step according to an embodiment of the present invention.
4 schematically shows a process of performing a user authentication step according to an embodiment of the present invention.
5 schematically shows a process of performing an OTP authentication step according to an embodiment of the present invention.
6 schematically shows a process of performing an OTP authentication step according to another embodiment of the present invention.
7 schematically illustrates an internal configuration of a computing device according to an embodiment of the present invention.

Various embodiments will now be described with reference to the drawings, in which like reference numbers are used to indicate like elements throughout the drawings. In this specification, various descriptions are presented to provide an understanding of the invention. However, it is clear that these embodiments may be implemented without such detailed description. In other examples, well-known structures and devices are provided in block diagram form to facilitate description of the embodiments.

As used herein, the terms "component", "module", "system", "~ unit" and the like refer to a computer-related entity, hardware, firmware, software, a combination of software and hardware, or execution of software. For example, a component may be, but is not limited to, a process executed on a processor, a processor, an object, an execution thread, a program, and/or a computer. For example, both an application running on a computing device and a computing device may be components. One or more components may reside within a processor and/or thread of execution, and one component is a computer

It can be localized within, or it can be distributed between two or more computers. In addition, these components can execute from a variety of computer readable media having various data structures stored therein. Components are, for example, signals with one or more data packets (e.g., data from one component interacting with another component in a local system, a distributed system, and/or data via a signal over another system and a network such as the Internet. ) To communicate via local and/or remote processes.

In addition, the terms "comprising" and/or "comprising" mean that the corresponding feature and/or component is present, but excludes the presence or addition of one or more other features, components, and/or groups thereof. It should be understood as not doing.

In addition, terms including ordinal numbers such as first and second may be used to describe various elements, but the elements are not limited by the terms. The terms are used only for the purpose of distinguishing one component from another component. For example, without departing from the scope of the present invention, a first element may be referred to as a second element, and similarly, a second element may be referred to as a first element. The term and/or includes a combination of a plurality of related listed items or any of a plurality of related listed items.

In addition, in the embodiments of the present invention, unless otherwise defined, all terms used herein including technical or scientific terms are generally understood by those of ordinary skill in the art to which the present invention belongs. It has the same meaning as. Terms as defined in a commonly used dictionary should be interpreted as having a meaning consistent with the meaning in the context of the related technology, and unless explicitly defined in the embodiments of the present invention, an ideal or excessively formal meaning Is not interpreted as.

The "user terminal" mentioned below may be implemented as a computer or portable terminal that can access a server or other terminal through a network. Here, the computer includes, for example, a notebook equipped with a web browser, a desktop, a laptop, and the like, and the portable terminal is, for example, a wireless communication device that guarantees portability and mobility. , PCS (Personal Communication System), GSM (Global System for Mobile communications), PDC (Personal Digital Cellular), PHS (Personal Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), Wibro (Wireless Broadband Internet) terminal, etc. may include all kinds of handheld-based wireless communication devices. In addition, the "network" refers to a wired network such as a local area network (LAN), a wide area network (WAN), or a value added network (VAN), or a mobile radio communication network or satellite. It can be implemented with any type of wireless network such as a communication network.

1 schematically shows the overall system form of a biometric information-based OTP authentication method according to an embodiment of the present invention.

The user terminal of FIG. 1 may correspond to the above-described user terminal, and the service authentication server 1000 and the FIDO server 2000 correspond to a computing device including at least one processor and at least one memory. In FIG. 1, the service authentication server 1000 and the FIDO server 2000 included in the server system are shown separately, but in another embodiment, the service authentication server 1000 and the FIDO server 2000 are integrated. May exist as.

The user's terminal may access the service authentication server 1000 and the FIDO server 2000 through a web browser program or through a dedicated application. The user's terminal can log in to his or her account by performing authentication through biometric information or by entering an ID and password.

In the present invention, FIDO (Fast Identity Online) is a new authentication system that enables authentication through a simple procedure that cannot be replaced through biometric information such as fingerprint recognition, iris recognition, or face recognition instead of ID and password. It is the standard standard of. FIDO authentication is used to resolve vulnerabilities in systems that use IDs and passwords. The biometric information should be interpreted as biometric information that can be extracted from a living body such as fingerprint, iris, face recognition, voice, vein, etc., or information including all biometric information of behavioral characteristics such as motion.

The FIDO server 2000 may receive a user registration request from a user's terminal and store and register user common information, receive a user authentication request, and perform user authentication based on information included in the user common information. I can. In addition, the second OTP information may be generated by using the stored user common information as a seed. Alternatively, the pre-stored OTP seed is encrypted and stored with a symmetric key derived based on the user common information, and second OTP information is generated by decrypting the OTP seed encrypted with the symmetric key derived based on the user common information through user authentication. can do.

The service authentication server 1000 performs OTP authentication by receiving the first OTP information generated from the user's terminal and the second OTP information generated from the FIDO server 2000 to determine whether the first OTP information and the second OTP information match. can do.

Hereinafter, the operation of the user's terminal and server system will be described in more detail.

2 schematically shows the steps of the overall process of performing an OTP authentication method based on biometric information in a server system according to an embodiment of the present invention.

The server system of the present invention can provide a biometric information-based OTP authentication method. Schematically, user authentication can be performed by applying FIDO authentication according to the FIDO standard that performs user authentication based on biometric information, and OTP authentication can be performed through OTP information generated by using the user's common information as a seed. have.

2 shows a process of performing a user registration step, a user authentication step, and an OTP authentication step of the server system of the present invention. Specifically, the biometric information-based OTP authentication method performed in the service authentication server 1000 and FIDO server 2000 that can directly or indirectly perform data communication with the user's terminal, by the FIDO server 2000, A user registration step of transmitting a local authentication request to the user's terminal according to the user registration request sent by the user's terminal, and receiving and storing user common information generated according to local authentication performed in the user's terminal; The FIDO server 2000 transmits one-time verification information to the user's terminal, receives a verification response for the one-time verification information, and authenticates the user through verification of the verification response according to the information included in the user common information. A user authentication step of performing; And receiving, by the service authentication server 1000, first OTP information generated by the user's terminal by using the user common information stored in the user's terminal as a seed. Generating second OTP information by using the common user information stored in the FIDO server 2000 as a seed by the FIDO server 2000; And an OTP authentication step including, by the service authentication server 1000, receiving the second OTP information generated by the FIDO server 2000 and determining whether the first OTP information and the second OTP information match. do.

Specifically, in step (A), the user's terminal transmits a user registration request to the FIDO server 2000. In the case of a user who is not registered in the FIDO server 2000, a user registration request can be sent to the FIDO server 2000 to register the user.

In step (b), a local authentication request is transmitted to the user's terminal by the FIDO server 2000 that has received the user registration request from the user's terminal.

Local authentication is an authentication performed independently by a user's terminal.In the present invention, a user who authenticates a subject using the user's terminal based on the user's biometric information is not performed by another server but through the user's terminal. It means authentication.

In step (C), the terminal of the user receiving the local authentication request from the FIDO server 2000 performs local authentication. When local authentication is completed, the user's terminal generates user information including user common information. Preferably, the user information includes user-specific information including a user ID, a public key, and a private key.

In step (D), the user's terminal transmits the user common information generated in step (C) to the FIDO server 2000. Preferably, the user common information includes a public key and a user ID generated in the user's terminal.

In step (E), the FIDO server 2000 stores user common information received from the user's terminal to perform user registration.

After user registration is performed in this way, the user can perform user authentication through the user's terminal and then receive an OTP authentication service through OTP authentication.

The steps (A) to (E) may correspond to the user registration step.

Meanwhile, in another embodiment of the present invention, after storing the user common information in step (E), the FIDO server 2000 uses a symmetric key derived based on the user common information by the FIDO server 2000. An OTP seed encryption step (not shown) of generating an encrypted OTP seed by encrypting the OTP seed stored in the device may be further performed.

Specifically, when the OTP seed, which is the basis for OTP information generation, is shared in the past and previously stored in the user's terminal and the FIDO server 2000, the FIDO server 2000 includes the user common information stored in the step (E). The symmetric key is derived based on it. Thereafter, the OTP seed stored in the FIDO server 2000 is encrypted by the derived symmetric key to generate and store the encrypted OTP seed. Preferably, the OTP seed may be an OTP seed generated based on common user information, or may be an OTP seed generated based on other information.

Thereafter, in step (F), the user's terminal transmits a service request to the service authentication server 1000.

In step (G), a user authentication request is transmitted to the FIDO server 2000 by the service authentication server 1000 that has received the service request from the user's terminal.

In step (H), the FIDO server 2000 receiving the user authentication request from the service authentication server 1000 transmits the one-time verification information to the user's terminal.

In step (I), the terminal of the user who has received the one-time verification information from the FIDO server 2000 performs local authentication, and when local authentication is completed, generates a verification response for the received one-time verification information.

In step (J), the user's terminal transmits the verification response generated in step (I) to the FIDO server 2000.

In step (K), the FIDO server 2000 performs user authentication through verification of the verification response received from the user's terminal according to the information included in the user common information stored in the FIDO server 2000. Preferably, the user common information includes a user's public key and user ID, and verification of a verification response is performed by the public key.

In step L, the FIDO server 2000 transmits a notification about the completion of user authentication to the user's terminal.

The steps (F) to (L) may correspond to the user authentication step.

Thereafter, in step (M), the user's terminal generates first OTP information by using the user common information stored in the user's terminal as a seed.

In step (N), the user's terminal transmits the first OTP information generated in step (M) to the service authentication server 1000.

In step O, an OTP authentication request is transmitted to the FIDO server 2000 by the service authentication server 1000 that has received the first OTP information.

In step P, the FIDO server 2000 generates second OTP information by using the common user information stored in the FIDO server 2000 as a seed.

In step Q, the FIDO server 2000 transmits the second OTP information generated in step P.

In step (R), the service authentication server 1000 determines whether the first OTP information received from the user's terminal and the second OTP information received from the FIDO server 2000 match to complete the OTP authentication.

The steps (M) to (R) may correspond to the OTP authentication step.

In this way, OTP information is generated and authenticated only when user authentication is performed through biometric information, thereby reducing the risk of OTP leakage that occurs when the OTP device is lost or the OTP program is hacked, and non-replaceable biometric information By performing authentication of the user through the device, the effect of improving the security of the OTP service can be exerted.

3 schematically shows a process of performing a user registration step according to an embodiment of the present invention.

Specifically, the user registration step includes, by the FIDO server 2000, receiving the user registration request from the user's terminal (S100); Transmitting a local authentication request to the user's terminal by the FIDO server 2000 (S110); Receiving, by the FIDO server 2000, the user common information including a public key generated from a terminal of a user who has performed local authentication according to the local authentication request (S140); And storing the user common information including the received public key in the FIDO server 2000 by the FIDO server 2000 (S150).

In step S100, the user's terminal transmits a user registration request to the FIDO server 2000. That is, the FIDO server 2000 receives a user registration request from the user's terminal.

In step S110, by the FIDO server 2000 receiving the user registration request, a local authentication request is transmitted to the user's terminal.

In step S120, the terminal of the user who has received the local authentication request performs local authentication. Preferably, the local authentication is performed by determining whether the user's biometric information previously stored in the user's terminal and the biometric information input to the user's terminal match.

For example, if the pre-stored biometric information registered in the user's terminal by the user to perform local authentication is a fingerprint, the local authentication is the user's fingerprint previously stored in the user's terminal and the user entered into the user's terminal when performing local authentication. It determines whether the fingerprints of are matched. When the input user's fingerprint and the previously stored user's fingerprint match, local authentication is completed.

In step S130, when local authentication is completed, the user's terminal generates the user's public key and private key. Preferably, if local authentication is not completed, the user's terminal does not generate a public key and a private key.

In step S140, the user's terminal transmits the user common information including the public key and user ID generated in step S130 to the FIDO server 2000. That is, the FIDO server 2000 receives user common information including a public key generated from a terminal of a user who has performed local authentication.

In step S150, the FIDO server 2000 stores user common information including the received public key in the FIDO server 2000 to perform user registration.

Thereafter, in step S160, the FIDO server 2000 transmits a user registration notification to the user's terminal.

In this way, the user information is stored in the FIDO server 2000 and the user is registered, generating OTP information using the user information stored in the FIDO server 2000 as a seed, and providing an OTP service, so that the user is not a registered user. It is possible to exert an effect that can improve security by making it impossible to read OTP information.

4 schematically shows a process of performing a user authentication step according to an embodiment of the present invention.

Specifically, the user authentication step includes, by the service authentication server 1000, receiving a service request from the user's terminal (S200); Receiving a user authentication request from the service authentication server 1000 by the FIDO server 2000 (S210); Generating one-time verification information by the FIDO server 2000 and transmitting it to the user's terminal (S220); Receiving, by the FIDO server 2000, the verification response including the one-time verification information encrypted with the user's private key from the user's terminal for which local authentication has been performed (S250); Decrypting the verification response received by the FIDO server 2000 by the user's public key stored in the user registration step (S260); And performing user authentication by determining whether the decrypted one-time verification information and the one-time verification information generated by the FIDO server 2000 match by the FIDO server 2000 (S270).

In step S200, the user's terminal transmits a service request to the service authentication server 1000. That is, the service authentication server 1000 receives a service request from the user's terminal.

In step S210, the FIDO server 2000 receives a user authentication request from the service authentication server 1000.

In step S220, the one-time verification information is generated by the FIDO server 2000 receiving the user authentication request, and the one-time verification information is transmitted to the user's terminal.

In the FIDO server 2000, a random number may be generated as a random value for user authentication, and may be transmitted to the user as a challenge. The one-time verification information means a randomly generated challenge number to perform the user's authentication as a one-time operation as described above.

In step S230, the terminal of the user who has received the one-time verification information from the FIDO server 2000 performs local authentication. Preferably, the local authentication is performed by determining whether the user's biometric information previously stored in the user's terminal and the biometric information input to the user's terminal match.

For example, if the user registers in the user's terminal to perform local authentication and the pre-stored biometric information is a fingerprint, local authentication is performed between the user's fingerprint previously stored in the user's terminal and the user's fingerprint input to the user's terminal. Determine whether or not they match. When the input user's fingerprint and the previously stored user's fingerprint match, local authentication is completed.

In step S240, when local authentication is completed, the user's terminal encrypts the one-time verification information received by the private key generated in the user registration step.

In step S250, the user's terminal transmits a verification response including encrypted one-time verification information to the FIDO server 2000. That is, by the FIDO server 2000, a verification response including one-time verification information encrypted with the user's private key is received from the user's terminal.

In step S260, decryption of the encrypted one-time verification information included in the verification response received by the user's public key stored in the FIDO server 2000 in the user registration step by the FIDO server 2000 receiving the verification response. Carry out. The private key and public key generated in the user's terminal are asymmetric keys that can be decrypted only with the other key when encryption is performed with each key. In other words, when certain data is encrypted with a private key, the data encrypted with the public key paired with the private key can be decrypted, and in the opposite case, when encrypted with the public key, only the private key paired with the public key is encrypted. Data can be decrypted. Accordingly, when the decryption is completed by performing the decryption of the encrypted one-time verification information, the one-time verification information may be authenticated as the one-time verification information transmitted through the user's terminal by the user who is currently attempting to authenticate.

In step S270, the FIDO server 2000 determines whether the decrypted one-time verification information and the one-time verification information generated by the FIDO server 2000 are matched to perform user authentication. If the one-time verification information decrypted in step S260 and the one-time verification information generated by the FIDO server 2000 and transmitted to the user's terminal match, the user authentication is completed. If the decrypted one-time verification information and the one-time verification information generated by the FIDO server 2000 do not match, user authentication is not completed.

When user authentication is completed, in step S280, a user authentication completion notification is received from the FIDO server 2000 by the service authentication server 1000, and in step S290, the user's terminal authenticates the user from the service authentication server 1000. Receive a notification of completion.

In this way, local authentication is performed based on biometric information, and only when the local authentication is completed, the registered user's terminal and the FIDO server 2000 verify the verification response to the one-time verification information based on the shared user common information. Since user authentication is performed only for users, the effect of enhancing the security of user authentication can be exerted.

5 schematically shows a process of performing an OTP authentication step according to an embodiment of the present invention.

Specifically, the OTP authentication step may include receiving, by the service authentication server 1000, the first OTP information generated and transmitted by the user's terminal (S320); Receiving an OTP authentication request from the user from the service authentication server 1000 by the FIDO server 2000 (S330); Generating an OTP seed based on the user common information by the FIDO server 2000 (S340); Generating second OTP information based on the OTP generation information including the OTP seed and time information by the FIDO server 2000 (S350); Transmitting the second OTP information to the service authentication server 1000 by the FIDO server 2000 (S360); And performing OTP authentication by determining whether the first OTP information and the second OTP information match by the service authentication server 1000 (S370).

In step S300, the user's terminal generates an OTP seed based on the user common information including the public key stored in the user's terminal. Preferably, the user common information includes a public key and a user ID generated in the user's terminal.

In step S310, the user's terminal generates first OTP information based on the OTP seed and time information generated in step S300.

In step S320, the user's terminal transmits the first OTP information generated in step S310 to the service authentication server 1000. That is, the service authentication server 1000 receives the first OTP information generated and transmitted by the user's terminal. Preferably, the user's terminal transmits a verification response to the one-time verification information received from the FIDO server 2000 to the FIDO server 2000 by sending a service request, and when user authentication is completed, the first OTP information is transmitted. A process of generating and transmitting to the service authentication server 1000, that is, a process in the form of a program for performing a user authentication step and an OTP authentication step may be operated.

In step S330, the FIDO server 2000 transmits the user's OTP authentication request from the service authentication server 1000.

In step S340, the FIDO server 2000 generates an OTP seed based on the user common information including the public key stored in the FIDO server 2000.

In step S350, the FIDO server 2000 generates second OTP information based on the OTP seed and time information generated in step S340.

In step S360, the FIDO server 2000 transmits the second OTP information generated in step S350 to the service authentication server 1000.

In step S370, the service authentication server 1000 determines whether the first OTP information received from the user's terminal matches the second OTP information received from the FIDO server 2000, and performs OTP authentication. When the first OTP information and the second OTP information match, the OTP authentication is completed, and when the first OTP information and the second OTP information do not match, the OTP authentication is not completed. Preferably, the OTP authentication step may be executed only when user authentication is completed in the user authentication step.

In this way, by performing authentication by generating OTP information using the user common information shared only with the FIDO server 2000 and the user's terminal as a seed, the security vulnerability of the OTP information can be enhanced.

6 schematically shows a process of performing an OTP authentication step according to another embodiment of the present invention.

According to another embodiment of the present invention, the biometric information-based OTP authentication method transmits, by the FIDO server 2000, a local authentication request to the user's terminal according to the user registration request sent by the user's terminal, and A user registration step of receiving and storing user common information generated according to local authentication in the terminal; An OTP seed encryption step of generating an encrypted OTP seed by encrypting the OTP seed stored in the FIDO server 2000 by the FIDO server 2000 by the symmetric key derived based on the user common information; The FIDO server 2000 transmits one-time verification information to the user's terminal, receives a verification response for the one-time verification information, and authenticates the user through verification of the verification response according to the information included in the user common information. A user authentication step of performing; Receiving, by the service authentication server, first OTP information generated in the user's terminal based on the OTP seed information stored in the user's terminal; By the FIDO server 2000, the FIDO server 2000 decrypts the encrypted OTP seed by the symmetric key derived based on the user common information to derive an OTP seed, and based on the derived OTP seed Generating second OTP information; And an OTP authentication step including; receiving, by the service authentication server, the second OTP information generated by the FIDO server and determining whether the first OTP information and the second OTP information match.

In another embodiment of the present invention, in performing OTP authentication, when the OTP seed for generating OTP information is previously shared and previously stored in the user's terminal and the FIDO server 2000, after the user registration step is performed, the user An OTP seed encryption step (not shown) of generating an encrypted OTP seed by encrypting the OTP seed stored in the FIDO server 2000 by the symmetric key derived based on the common information may be further performed. Thereafter, as described in FIG. 4, a user authentication step is performed. Preferably, only when user authentication is completed in the user authentication step, the OTP authentication step as shown in FIG. 6 may be performed.

As shown in FIG. 6, in another embodiment of the present invention, the OTP authentication step is a step of receiving, by the service authentication server 1000, first OTP information generated and transmitted by the user's terminal (S420). ; Receiving the OTP authentication request of the user from the service authentication server 1000 by the FIDO server 2000 (S430); Deriving an OTP seed by decrypting the encrypted OTP seed using a symmetric key derived based on the user common information by the FIDO server 2000 (S440); Generating second OTP information based on the OTP generation information including the derived OTP seed and time information by the FIDO server 2000 (S450); Transmitting the second OTP information to the service authentication server 1000 by the FIDO server 2000 (S460); And performing OTP authentication by determining whether the first OTP information and the second OTP information match by the service authentication server 1000 (S470).

In step S410, the user's terminal generates first OTP information based on the OTP seed and time information shared and stored in the past.

In step S420, the user's terminal transmits the first OTP information generated in step S410 to the service authentication server 1000. That is, the service authentication server 1000 receives the first OTP information generated and transmitted by the user's terminal. Preferably, the user's terminal transmits a verification response to the one-time verification information received from the FIDO server 2000 to the FIDO server 2000 by sending a service request, and when user authentication is completed, the first OTP information is transmitted. A process of generating and transmitting to the service authentication server 1000, that is, a process in the form of a program for performing a user authentication step and an OTP authentication step may be operated.

In step S430, the FIDO server 2000 transmits the user's OTP authentication request from the service authentication server 1000.

In step S440, the FIDO server 2000 decrypts the encrypted OTP seed using the symmetric key derived based on the user common information to derive the OTP seed. When user authentication is completed in the user authentication step, the FIDO server derives a symmetric key based on the user common information. Thereafter, the OTP seed is derived by decrypting using the symmetric key derived from the encrypted OTP seed generated in the OTP seed encryption step and stored in the FIDO server. Preferably, the user common information includes a public key and a user ID generated in the user's terminal.

In step S450, the FIDO server 2000 generates second OTP information based on the OTP generation information including the OTP seed and time information derived in step S440.

In step S460, the FIDO server 2000 transmits the second OTP information generated in step S450 to the service authentication server 1000.

In step S470, the service authentication server 1000 determines whether the first OTP information received from the user's terminal matches the second OTP information received from the FIDO server 2000, and performs OTP authentication. When the first OTP information and the second OTP information match, the OTP authentication is completed, and when the first OTP information and the second OTP information do not match, the OTP authentication is not completed. Preferably, the OTP authentication step may be executed only when user authentication is completed in the user authentication step.

In this way, the FIDO server 2000 and the user's terminal have already been shared and stored in the past, or the OTP seed created and stored using common user information or other information as a seed performs FIDO-based user authentication, and By encrypting with a symmetric key derived based on it, the effect of reinforcing the security vulnerability of OTP information can be exhibited.

7 exemplarily shows an internal configuration of a computing device according to an embodiment of the present invention.

All or part of the components illustrated in FIG. 1 may include components of a computing device to be described later.

7, the computing device 11000 includes at least one processor 11100, a memory 11200, a peripheral interface 11300, and an input/output subsystem ( I/Osubsystem) 11400, a power circuit 11500, and a communication circuit 11600 may be included at least.

The memory 11200 may include, for example, high-speed random access memory, magnetic disk, SRAM, DRAM, ROM, flash memory, or nonvolatile memory. have. The memory 11200 may include a software module, an instruction set, or other various data necessary for the operation of the computing device 11000.

In this case, access to the memory 11200 from another component such as the processor 11100 or the peripheral device interface 11300 may be controlled by the processor 11100. The processor 11100 may be configured as a single unit or a plurality of units, and may include a processor in the form of a GPU and a TPU in order to improve operation processing speed.

The peripheral device interface 11300 may couple input and/or output peripheral devices of the computing device 11000 to the processor 11100 and the memory 11200. The processor 11100 may execute various functions for the computing device 11000 and process data by executing a software module or instruction set stored in the memory 11200.

The input/output subsystem 11400 may couple various input/output peripherals to the peripherals interface 11300. For example, the input/output subsystem 11400 may include a monitor, a keyboard, a mouse, a printer, or a controller for coupling a peripheral device such as a touch screen or a sensor to the peripheral device interface 11300 as needed. According to another aspect, the input/output peripheral devices may be coupled to the peripheral device interface 11300 without going through the input/output subsystem 11400.

The power circuit 11500 may supply power to all or part of the components of the terminal. For example, the power circuit 11500 may include a power management system, one or more power sources such as batteries or alternating current (AC), a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator or power. It may contain any other components for creation, management, and distribution.

The communication circuit 11600 may enable communication with another computing device using at least one external port.

Alternatively, as described above, if necessary, the communication circuit 11600 may enable communication with other computing devices by transmitting and receiving an RF signal, also known as an electromagnetic signal, including an RF circuit.

The embodiment of FIG. 7 is only an example of the computing device 11000, and the computing device 11000 omits some of the components shown in FIG. 7 or further includes additional components not shown in FIG. It can have a configuration or arrangement that combines two or more components. For example, a computing device for a communication terminal in a mobile environment may further include a touch screen or a sensor in addition to the components shown in FIG. 7, and various communication methods (WiFi, 3G, LTE) in the communication circuit 11600 , Bluetooth, NFC, Zigbee, etc.) may include a circuit for RF communication. Components that may be included in the computing device 11000 may be implemented as hardware, software, or a combination of hardware and software including one or more signal processing or application-specific integrated circuits.

Methods according to an embodiment of the present invention may be implemented in the form of program instructions that can be executed through various computing devices and recorded in a computer-readable medium. In particular, the program according to the present embodiment may be configured as a PC-based program or an application dedicated to a mobile terminal. An application to which the present invention is applied may be installed on a user terminal through a file provided by the file distribution system. As an example, the file distribution system may include a file transmission unit (not shown) that transmits the file according to the request of the user terminal.

The apparatus described above may be implemented as a hardware component, a software component, and/or a combination of a hardware component and a software component. For example, the devices and components described in the embodiments are, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA). , A programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, such as one or more general purpose computers or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications executed on the operating system. Further, the processing device may access, store, manipulate, process, and generate data in response to the execution of software. For the convenience of understanding, although it is sometimes described that one processing device is used, one of ordinary skill in the art, the processing device is a plurality of processing elements and/or multiple types of processing elements. It can be seen that it may include. For example, the processing device may include a plurality of processors or one processor and one controller. In addition, other processing configurations are possible, such as a parallel processor.

The software may include a computer program, code, instruction, or a combination of one or more of these, configuring the processing unit to operate as desired or processed independently or collectively. You can command the device. Software and/or data may be interpreted by a processing device or to provide instructions or data to a processing device, of any type of machine, component, physical device, virtual equipment, computer storage medium or device. , Or may be permanently or temporarily embodyed in a transmitted signal wave. The software may be distributed over networked computing devices and stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as flOTPical disks. -Optical media (Magneto-OTPical media), and hardware devices specially configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those produced by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like. The hardware device described above may be configured to operate as one or more software modules to perform the operation of the embodiment, and vice versa.

Although the embodiments have been described by the limited embodiments and drawings as described above, various modifications and variations can be made from the above description to those of ordinary skill in the art. For example, the described techniques are performed in a different order from the described method, and/or components such as systems, structures, devices, circuits, etc. described are combined or combined in a form different from the described method, or other components Alternatively, even if substituted or substituted by an equivalent, an appropriate result can be achieved.

Therefore, other implementations, other embodiments, and those equivalent to the claims also fall within the scope of the claims to be described later.

Claims (9)

As a biometric information-based OTP authentication method performed in a service authentication server and FIDO server that can directly or indirectly perform data communication with a user's terminal,
A user who transmits a local authentication request to the user's terminal according to the user registration request sent by the user's terminal by the FIDO server, and receives and stores user common information generated according to the local authentication performed in the user's terminal. Registration step;
Transmitting one-time verification information to the user's terminal by the FIDO server, receiving a verification response for the one-time verification information, and performing user authentication through verification of the verification response according to the information included in the user common information. User authentication step; And
Receiving, by the service authentication server, first OTP information generated in the user's terminal by using the user common information stored in the user's terminal as a seed; Generating second OTP information by using the common user information stored in the FIDO server as a seed by the FIDO server; And an OTP authentication step including, by the service authentication server, receiving the second OTP information generated by the FIDO server and determining whether the first OTP information and the second OTP information match or not; including, biometric information-based OTP Authentication method.
The method according to claim 1,
The user registration step,
Receiving, by the FIDO server, the user registration request from the user's terminal;
Transmitting, by the FIDO server, a local authentication request to the user's terminal;
Receiving, by the FIDO server, the user common information including a public key generated from a terminal of a user who has performed local authentication according to the local authentication request; And
Storing the user common information including the received public key in the FIDO server by the FIDO server.
The method according to claim 1.
The user common information,
Biometric information-based OTP authentication method including a public key and a user ID generated in the user's terminal.
The method according to claim 1,
The local authentication,
Biometric information-based OTP authentication method performed by determining whether the user's biometric information previously stored in the user's terminal and the biometric information input to the user's terminal match.
The method according to claim 1.
The user authentication step,
Receiving, by the service authentication server, a service request from the user's terminal;
Receiving, by the FIDO server, a user authentication request from the service authentication server;
Generating one-time verification information by the FIDO server and transmitting it to a user's terminal;
Receiving, by the FIDO server, the verification response including the one-time verification information encrypted with the user's private key from the user's terminal for which local authentication has been performed;
Decrypting the verification response received by the FIDO server using the user's public key stored in the user registration step; And
Comprising, by the FIDO server, determining whether the one-time verification information decrypted and the one-time verification information generated by the FIDO server match and performing user authentication; comprising, biometric information-based OTP authentication method.
The method according to claim 1,
The OTP authentication step,
Receiving, by the service authentication server, first OTP information generated and transmitted by the user's terminal;
Receiving, by the FIDO server, the user's OTP authentication request from the service authentication server;
Generating, by the FIDO server, an OTP seed based on the user common information;
Generating, by the FIDO server, second OTP information based on OTP generation information including the OTP seed and time information;
Transmitting the second OTP information to the service authentication server by the FIDO server;
Including, biometric information-based OTP authentication method; determining whether the first OTP information and the second OTP information are matched by the service authentication server.
The method according to claim 1,
The OTP authentication step can be executed only when user authentication is completed in the user authentication step, biometric information-based OTP authentication method.
As a biometric information-based OTP authentication system implemented by a service authentication server and FIDO server that can directly or indirectly perform data communication with a user's terminal,
The FIDO server transmits a local authentication request to the user's terminal according to the user registration request sent by the user's terminal,
The FIDO server receives and stores user common information generated according to local authentication performed in the user's terminal,
The FIDO server transmits one-time verification information to the user's terminal,
The FIDO server receives a verification response for the one-time verification information and performs user authentication through verification of the verification response according to the information included in the user common information,
The service authentication server receives the first OTP information generated by the user's terminal by using the user common information stored in the user's terminal as a seed,
The FIDO server generates second OTP information by using the user common information stored in the FIDO server as a seed,
The service authentication server receives the second OTP information generated by the FIDO server,
The service authentication server determines whether the first OTP information and the second OTP information match.
As a biometric information-based OTP authentication method performed in a service authentication server and FIDO server that can directly or indirectly perform data communication with a user's terminal,
A user who transmits a local authentication request to the user's terminal according to the user registration request sent by the user's terminal by the FIDO server, and receives and stores user common information generated according to the local authentication performed in the user's terminal. Registration step;
An OTP seed encryption step of generating an encrypted OTP seed by encrypting the OTP seed stored in the FIDO server using a symmetric key derived based on the user common information by the FIDO server;
Transmitting one-time verification information to the user's terminal by the FIDO server, receiving a verification response for the one-time verification information, and performing user authentication through verification of the verification response according to the information included in the user common information. User authentication step;
Receiving, by the service authentication server, first OTP information generated in the user's terminal based on the OTP seed information stored in the user's terminal; Deriving an OTP seed by decrypting the encrypted OTP seed using a symmetric key derived based on the user common information by the FIDO server, and generating second OTP information based on the derived OTP seed; And, by the service authentication server, receiving the second OTP information generated by the FIDO server and determining whether the first OTP information and the second OTP information match or not; including an OTP authentication step; including, based on biometric information OTP authentication method.

Images