KR20210045635A - Method and System for Digital Signature which unused Password based on FIDO Authentication - Google Patents

Abstract

The present invention relates to a FIDO-based digital signature method without using a password and a system thereof and, more specifically, to a FIDO-based digital signature method without using a password and a system thereof which perform user authentication through biometric information authentication according to FIDO standards to replace password input and encrypt a certificate and a private key of a user to perform digital signature through a symmetric key generated based on user unique information stored at a time of user registration in a FIDO server so as to store it in a web storage of a web browser.

Description

FIDO-based password-free digital signature method and system {Method and System for Digital Signature which unused Password based on FIDO Authentication}

The present invention relates to a FIDO-based password-free electronic signature method and system, and more particularly, a user who is stored when a user is registered in a FIDO server by performing user authentication through biometric information authentication according to the FIDO standard to replace password input. The present invention relates to a FIDO-based passwordless digital signature method and system capable of encrypting a user's certificate and private key for performing an electronic signature through a symmetric key generated based on unique information and storing it in the web storage of a web browser.

In general, FIDO (Fast Identity Online) is a new authentication system that enables authentication through simple procedures that cannot be replaced through biometric information such as fingerprint recognition, iris recognition, or face recognition instead of ID and password. It is the standard standard of. FIDO authentication is basically an authentication system that is used to solve the vulnerability of a system that uses ID and password.It is not a password that the user must register and remember, but what the user has, for example, fingerprint, Security is further enhanced by using biometric information such as iris and face or biometric information as passwords.

Meanwhile, a digital signature is an electronic type of data that is attached to an electronic document or is logically combined, and is used for the purpose of verifying the identity of the signer and indicating the user's approval of the contents of the signed document. The certificate required to perform such a digital signature includes a public key, and the private key paired with the public key is encrypted and stored with a password according to security risks such as use by others when leaked. However, since the certificate and private key exist in the form of a file, there is a problem in that security is weak because it is easy to access a location (NPKI) stored in the hard disk, and is easy to copy/use. As such, the public certificate encrypted with a password has a problem in that it is decrypted by a password detection attack such as Key Logging and used illegally, as users use a password that is easy to remember and easy to input.

In order to solve this problem, it is possible to perform user authentication with the user's own biometric information without using a password that is easy to hack, solve the problem that is vulnerable to the leakage of the certificate, and strengthen the security of the encryption key that performs encryption. A method is needed, but there is no conventional technology for providing such a service.

The present invention replaces the password input by performing user authentication through biometric information authentication according to the FIDO standard, and uses a symmetric key generated based on the user's unique information stored when registering a user in the FIDO server to perform an electronic signature. It aims to provide a FIDO-based passwordless digital signature method and system that can encrypt certificates and private keys and store them in web storage of a web browser.

In order to solve the above problems, the present invention is a FIDO-based password-free electronic signature method performed by a certificate issuing server, a FIDO server, and a user's terminal, and a web browser can be executed in the user's terminal, and the electronic signature The information for performing the operation can be stored in web storage, and the FIDO server transmits a biometric information authentication request to the user's terminal according to the user registration request sent from the user's terminal, and authenticates the biometric information at the user's terminal. A user registration step of receiving and storing the user-specific information generated according to the performance of the user; The certificate issuing server receives the certificate public key and the certificate issuance request from the user's terminal, generates a certificate including the certificate public key, and transmits the certificate to the user's terminal, and the user's terminal transmits the certificate to the web storage. Certificate storing step to store in; A first authentication step of transmitting, by the FIDO server, symmetric key induction information including user-specific information or derived from information including user-specific information to the user's terminal when user authentication of the user's terminal is completed; A key data storage step of storing encryption key data obtained by encrypting the private key of the certificate in the web storage by the user's terminal by a symmetric key derived based on the symmetric key induction information; A second authentication step of transmitting the symmetric key induction information to the user's terminal when user authentication of the user's terminal is completed by the FIDO server; And decrypting the encryption key data stored in the web storage with the symmetric key derived based on the symmetric key induction information by the user's terminal to derive the private key of the certificate, and electronically for the original text data using the certificate and the private key. It provides a FIDO-based password-free digital signature method including; an electronic signature step of performing a signature.

In one embodiment of the present invention, the user registration step includes: receiving, by a FIDO server, a user registration request from the user's terminal; Transmitting, by the FIDO server, a biometric information authentication request to the user's terminal; Receiving, by a FIDO server, the user-specific information including a FIDO public key generated from a terminal of a user who has performed biometric information authentication according to the biometric information authentication request; And storing, by the FIDO server, the user-specific information including the received FIDO public key in the FIDO server.

In an embodiment of the present invention, the symmetric key induction information may include a FIDO public key and a user ID generated in the user registration step.

In an embodiment of the present invention, the step of storing the certificate includes: generating a certificate public key and a certificate private key by the user's terminal; Receiving, by a certificate issuing server, the certificate public key and a certificate issuance request from a user's terminal; Generating a certificate including the certificate public key by a certificate issuing server and transmitting it to a user's terminal; And storing the certificate in the web storage by the user's terminal.

In an embodiment of the present invention, the first authentication step includes: receiving, by a FIDO server, a user authentication request from a user's terminal; Transmitting, by the FIDO server, a biometric information authentication request to the user's terminal; And transmitting the symmetric key induction information including the user's FIDO public key to the user's terminal when user authentication is completed according to the execution of biometric information authentication in the user's terminal by the FIDO server. .

In an embodiment of the present invention, the second authentication step includes: receiving, by a FIDO server, a user authentication request from the user's terminal; Transmitting, by the FIDO server, a biometric information authentication request to the user's terminal; Including, by the FIDO server, transmitting the symmetric key induction information including the user's first public key to the user's terminal when user authentication is completed according to the execution of biometric information authentication in the user's terminal; and The digital signing step may include inducing a symmetric key by performing biometric information authentication based on the symmetric key induction information by the user's terminal; And decrypting, by the user's terminal, encryption key data stored in the web storage using the symmetric key. And performing, by the user's terminal, an electronic signature using the private key of the certificate decrypted from the encryption key data.

In an embodiment of the present invention, the symmetric key may be derived by the user's terminal based on the symmetric key induction information after performing the user's biometric information authentication.

In order to solve the above problems, an embodiment of the present invention is a FIDO-based password-free digital signature system implemented by a certificate issuing server, a FIDO server, and a user's terminal. The information for performing the digital signature may be stored in the web storage, the FIDO server transmits a biometric information authentication request to the user's terminal according to the user registration request sent from the user's terminal, and the FIDO server Receives and stores the user-specific information generated according to the performance of biometric information authentication in the terminal of the user, and the certificate issuing server receives the certificate public key and the certificate issuance request from the user's terminal, and stores the certificate including the certificate public key. It is generated and transmitted to the user's terminal, and the user's terminal stores the certificate in web storage, and the FIDO server includes user-specific information or from information that includes user-specific information when user authentication of the user's terminal is completed. The derived symmetric key induction information is transmitted to the user's terminal, and the user's terminal stores encryption key data by encrypting the private key of the certificate in the web storage by the symmetric key derived based on the symmetric key induction information. And, when the user authentication of the user's terminal is completed, the FIDO server transmits the symmetric key induction information to the user's terminal, and the user's terminal encrypts stored in the web storage with a symmetric key derived based on the symmetric key induction information. The key data is decrypted to derive the private key of the certificate, and the user's terminal provides a system for digitally signing the original text data using the certificate and the private key.

According to an embodiment of the present invention, when using a PKI certificate in a user's PC, user authentication is performed using a biometric information authentication method according to the FIDO standard, so that an electronic signature can be easily performed without entering a password. It can exert an effect.

According to an embodiment of the present invention, by storing encryption key data that encrypts a certificate and a certificate private key, which are information necessary to perform digital signature, in web storage, and performing digital signature with the certificate and private key stored in the web storage, Since there is no need to carry a certificate and a private key on the user's terminal, it can be effective in preventing the leakage of personal information due to the loss of the terminal.

According to an embodiment of the present invention, by inducing a symmetric key based on symmetric key induction information derived based on user-specific information stored after user registration in a FIDO server, the security of an encryption key for encrypting data can be strengthened. It can exert the effect that can be done.

According to an embodiment of the present invention, by performing user authentication using a biometric information authentication method and not using a password, an effect of preventing personal information leakage due to password hacking such as Key Logging can be exhibited. .

According to an embodiment of the present invention, by storing and using a certificate and a private key in a web storage of a web browser, it is possible to exhibit the effect of performing an electronic signature even if a security program such as Active X is not installed in the user's terminal. have.

1 schematically shows the overall system form of a FIDO-based passwordless digital signature method according to an embodiment of the present invention.
2 schematically shows the steps of the overall execution process of the FIDO-based passwordless digital signature method according to an embodiment of the present invention.
3 schematically shows a process of performing a user registration step according to an embodiment of the present invention.
4 schematically shows a process of performing a certificate storage step according to an embodiment of the present invention.
5 schematically shows a process of performing a first authentication step and a key data storage step according to an embodiment of the present invention.
6 schematically shows a process of performing a second authentication step and an electronic signature step according to an embodiment of the present invention.
7 schematically shows a process of performing a first authentication step and a second authentication step according to an embodiment of the present invention.
8 schematically illustrates an internal configuration of a computing device according to an embodiment of the present invention.

Various embodiments will now be described with reference to the drawings, in which like reference numbers are used to indicate like elements throughout the drawings. In this specification, various descriptions are presented to provide an understanding of the invention. However, it is clear that these embodiments may be implemented without such detailed description. In other examples, well-known structures and devices are provided in block diagram form to facilitate description of the embodiments.

As used herein, the terms "component", "module", "system", "~ unit" and the like refer to a computer-related entity, hardware, firmware, software, a combination of software and hardware, or execution of software. For example, a component may be, but is not limited to, a process executed on a processor, a processor, an object, an execution thread, a program, and/or a computer. For example, both an application running on a computing device and a computing device may be components. One or more components may reside within a processor and/or thread of execution, and one component is a computer

It can be localized within, or it can be distributed between two or more computers. In addition, these components can execute from a variety of computer readable media having various data structures stored therein. Components are, for example, signals with one or more data packets (e.g., data from one component interacting with another component in a local system, a distributed system, and/or data via a signal over another system and a network such as the Internet. ) To communicate via local and/or remote processes.

In addition, the terms "comprising" and/or "comprising" mean that the corresponding feature and/or component is present, but excludes the presence or addition of one or more other features, components, and/or groups thereof. It should be understood as not doing.

In addition, terms including ordinal numbers such as first and second may be used to describe various elements, but the elements are not limited by the terms. The terms are used only for the purpose of distinguishing one component from another component. For example, without departing from the scope of the present invention, a first element may be referred to as a second element, and similarly, a second element may be referred to as a first element. The term and/or includes a combination of a plurality of related listed items or any of a plurality of related listed items.

In addition, in the embodiments of the present invention, unless otherwise defined, all terms used herein including technical or scientific terms are generally understood by those of ordinary skill in the art to which the present invention belongs. It has the same meaning as. Terms as defined in a commonly used dictionary should be interpreted as having a meaning consistent with the meaning in the context of the related technology, and unless explicitly defined in the embodiments of the present invention, an ideal or excessively formal meaning Is not interpreted as.

The "user terminal" mentioned below may be implemented as a computer or portable terminal that can access a server or other terminal through a network. Here, the computer includes, for example, a notebook equipped with a web browser, a desktop, a laptop, and the like, and the portable terminal is, for example, a wireless communication device that guarantees portability and mobility. , PCS (Personal Communication System), GSM (Global System for Mobile communications), PDC (Personal Digital Cellular), PHS (Personal Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), Wibro (Wireless Broadband Internet) terminal, etc. may include all kinds of handheld-based wireless communication devices. In addition, the "network" refers to a wired network such as a local area network (LAN), a wide area network (WAN), or a value added network (VAN), or a mobile radio communication network or satellite. It can be implemented with any type of wireless network such as a communication network.

1 schematically shows the overall system form of a FIDO-based passwordless digital signature method according to an embodiment of the present invention.

The user terminal of FIG. 1 may correspond to the user terminal described above, and the FIDO server 1000 and the certificate issuing server 2000 correspond to a computing device including at least one processor and at least one memory. In FIG. 1, the FIDO server 1000 and the certificate issuing server 2000 included in the server system are shown separately, but in another embodiment, the FIDO server 1000 and the certificate issuing server 2000 are integrated. May exist as. Preferably, the user's terminal is a notebook, desktop, or laptop equipped with a web browser. The user's terminal can access the FIDO server 1000 and the certificate issuing server 2000 through a web browser program, and can log in to his or her account by performing authentication through biometric information.

In the present invention, FIDO (Fast Identity Online) is a new authentication system that enables authentication through a simple procedure that cannot be replaced through biometric information such as fingerprint recognition, iris recognition, or face recognition instead of ID and password. It is the standard standard of. The biometric information should be interpreted as biometric information that can be extracted from a living body such as fingerprint, iris face recognition, voice, vein, etc., or information including all biometric information of behavioral characteristics such as motion.

In the present invention, the web browser mounted on the user's terminal includes all application applications that allow the user to access the web site, such as Microsoft's Internet Explorer, Google's Chrome, and Apple's Safari, and is a client other than a server through a web browser. You can use web storage that can store data on your computer. Web storage includes local storage that can semi-permanently store data in a browser and session storage that can individually store data for each session, and the web storage of the present invention includes either local storage or session storage. Can be used.

The FIDO server 1000 may receive a user registration request from a user's terminal and store user-specific information to perform user registration, and transmit a biometric information authentication request to the user's terminal for which biometric information authentication has been completed. It is possible to transmit symmetric key induction information derived from information including unique information or information including user-specific information.

The certificate issuing server 2000 may receive a certificate public key and a certificate issuance request from the user's terminal, generate a certificate including the certificate public key, and transmit it to the user's terminal.

The user's terminal performs user authentication based on biometric information through the FIDO server 1000, and the user's terminal who has performed the user authentication receives the symmetric key induction information from the FIDO server 1000, and The symmetric key can be derived based on it. In addition, the certificate issuance server 2000 may receive a certificate through a certificate issuance request and store it in web storage. Encryption key data that encrypts the private key of the certificate generated in the user's terminal by the derived symmetric key can be stored in web storage, and the private key of the certificate is derived by decrypting the encryption key data stored with the derived symmetric key. Electronic signatures can be performed on the original text data using the private key.

Hereinafter, the operation of the user's terminal and server system will be described in more detail.

2 schematically shows the steps of the overall execution process of the FIDO-based passwordless digital signature method according to an embodiment of the present invention.

The server system of the present invention can provide a FIDO-based passwordless digital signature method. Schematically, user authentication is performed through biometric information authentication according to the FIDO standard, replacing password input, and using a symmetric key generated by using the user-specific information stored when registering a user in the FIDO server 1000 as symmetric key induction information. Information for performing the digital signature may be encrypted, and the user's certificate and private key may be stored in the web storage of a web browser that can be executed in the user's terminal.

2 shows a process of performing a user registration step, a certificate storage step, a first authentication step, a key data storage step, a second authentication step, and an electronic signature step by the server system and the user's terminal of the present invention. Specifically, as a FIDO-based password-free electronic signature method performed by the certificate issuing server 2000, the FIDO server 1000, and the user's terminal, a web browser can be executed in the user's terminal, and the electronic signature is performed. The information for authentication may be stored in the web storage, and the FIDO server 1000 transmits a biometric information authentication request to the user's terminal according to the user registration request sent from the user's terminal, and biometric information from the user's terminal. A user registration step (S1000) of receiving and storing user-specific information generated according to the execution of authentication; The certificate issuing server 2000 receives a certificate public key and a certificate issuance request from the user's terminal, generates a certificate including the certificate public key, and transmits the certificate to the user's terminal, and by the user's terminal, the certificate A certificate storing step of storing the data in web storage (S2000); When the user authentication of the user's terminal is completed by the FIDO server 1000, the first authentication step of transmitting the symmetric key induction information derived from information including user-specific information or user-specific information to the user's terminal (S3000); A key data storage step (S4000) of storing encryption key data obtained by encrypting the private key of the certificate in the web storage using a symmetric key derived based on the symmetric key induction information by the user's terminal (S4000); A second authentication step (S5000) of transmitting the symmetric key induction information to the user's terminal when user authentication of the user's terminal is completed by the FIDO server 1000; And decrypting the encryption key data stored in the web storage with the symmetric key derived based on the symmetric key induction information by the user's terminal to derive the private key of the certificate, and electronically for the original text data using the certificate and the private key. And an electronic signature step (S6000) of performing a signature.

Specifically, in the user registration step (S1000), the FIDO server 1000 receives a user registration request from the user's terminal and transmits a biometric information authentication request to the user's terminal. Receives and stores user-specific information created according to the execution. Preferably, the user-specific information includes user information including a user ID and a FIDO public key.

In the certificate storage step (S2000), the certificate issuing server 2000 receives a certificate public key and a certificate issuance request from the user's terminal, and transmits a certificate including the certificate public key to the user's terminal. The user's terminal receiving the certificate including the certificate public key stores the received certificate in the web storage of the web browser.

In the first authentication step (S3000), when the user authentication of the user's terminal is completed by the FIDO server 1000, the symmetric key induction information derived from the information including the user's unique information or the user's unique information is Send to the user's terminal. Preferably, the symmetric key derivation information includes a FIDO public key and a user ID.

In the key data storage step S4000, the user's terminal derives a symmetric key based on the symmetric key induction information received from the FIDO server 1000 after performing biometric information authentication. Thereafter, the private key of the certificate is encrypted by the derived symmetric key to generate encryption key data, and the generated encryption key data is stored in web storage.

In the second authentication step (S5000), when the user authentication of the user's terminal is completed by the FIDO server 1000, the symmetric key induction information derived from the information including the user's unique information or the user's unique information is Send to the user's terminal.

In the electronic signature step (S6000), the user's terminal derives a symmetric key based on the symmetric key induction information received from the FIDO server 1000 after performing biometric information authentication. Thereafter, the encryption key data stored in the web storage is decrypted using the derived symmetric key to derive the private key of the certificate, and digitally sign the original text data using the certificate and the private key.

In this way, since the user does not use a password and performs user authentication by using a biometric information authentication method according to the FIDO standard, it is possible to achieve the effect of being able to easily perform an electronic signature even if the password is not entered.

3 schematically shows a process of performing a user registration step according to an embodiment of the present invention.

Specifically, the user registration step (S1000) includes, by the FIDO server 1000, receiving a user registration request from the user's terminal (S100); Transmitting a biometric information authentication request to the user's terminal by the FIDO server 1000 (S110); Receiving, by the FIDO server 1000, the user-specific information including a FIDO public key generated from a terminal of a user who has performed biometric information authentication according to the biometric information authentication request (S140); And storing, by the FIDO server 1000, the user-specific information including the received FIDO public key in the FIDO server 1000 (S150).

In step S100, the user's terminal transmits a user registration request to the FIDO server 1000. That is, the FIDO server 1000 receives a user registration request from the user's terminal.

In step S110, by the FIDO server 1000 receiving the user registration request, a biometric information authentication request is transmitted to the user's terminal.

In step S120, the terminal of the user who has received the biometric information authentication request performs biometric information authentication. Preferably, the biometric information authentication request is performed by determining whether the user's biometric information previously stored in the user's terminal and the biometric information input to the user's terminal match. For example, if the user's biometric information previously stored in the user's terminal is a fingerprint to perform biometric information authentication, the biometric information authentication is input to the user's terminal when performing biometric information authentication with the user's fingerprint previously stored in the user's terminal. It determines whether or not the fingerprint of the authenticated user is matched. When the input user's fingerprint and the previously stored user's fingerprint match, biometric information authentication is completed.

In step S130, when biometric information authentication is completed, the user's terminal generates the user's FIDO public key and FIDO private key. Preferably, when biometric information authentication is not completed, the user's terminal does not generate a FIDO public key and a FIDO private key.

In step S140, the user's terminal transmits the user-specific information including the FIDO public key and the user ID generated in step S130 to the FIDO server 1000. That is, the FIDO server 1000 receives user-specific information including a FIDO public key generated from a terminal of a user who has performed biometric information authentication.

In step S150, the FIDO server 1000 stores user-specific information including the received FIDO public key in the FIDO server 1000 to perform user registration.

In this way, by storing the user information in the FIDO server 1000 and registering the user, it is possible to derive the symmetric key induction information based on the user-specific information stored in the FIDO server 1000 to derive the symmetric key, Encryption and decryption can be performed, and the effect of enhancing the security of an encryption key for encrypting data can be exerted.

4 schematically shows a process of performing a certificate storage step according to an embodiment of the present invention.

Specifically, the step of storing the certificate may include generating a certificate public key and a certificate private key by the user's terminal (S200); Receiving the certificate public key and certificate issuance request from the user's terminal by the certificate issuing server 2000 (S210); Generating a certificate including the certificate public key by the certificate issuing server 2000 and transmitting the certificate to the user's terminal (S220 and S230); And storing the certificate in the web storage by the user's terminal (S240).

In step S200, the user's terminal generates a certificate public key and a certificate private key for performing digital signature.

In step S210, the user's terminal transmits the certificate public key and the certificate issuance request generated in step S200 to the certificate issuing server 2000. That is, the certificate issuing server 2000 receives a certificate public key and a certificate issuance request from the user's terminal.

In step S220, the certificate issuing server 2000 generates a certificate including a certificate public key and transmits it to the user's terminal. The certificate generated by the certificate issuing server 2000 may further include certificate information such as the issuing subject, the issuing authority, the issuing authority's signature, and the certificate serial number in addition to the certificate public key.

In step S230, the certificate issuing server 2000 transmits the certificate generated in step S220 to the user's terminal.

In step S240, the user's terminal receives the certificate including the certificate public key sent by the certificate issuing server 2000, and stores the received certificate in web storage.

By storing the issued certificate in the web storage of the web browser running on the user's terminal, the user's terminal can perform an electronic signature through the certificate stored in the web storage when attempting to perform an electronic signature. By not storing the certificate directly in the terminal, the risk of personal information leakage due to the loss of the certificate due to the loss of the user's terminal can be exhibited.

5 schematically shows a process of performing a first authentication step and a key data storage step according to an embodiment of the present invention.

Specifically, the first authentication step, by the FIDO server 1000, receiving a user authentication request from the user's terminal (S300)); Transmitting a biometric information authentication request to the user's terminal by the FIDO server 1000 (S310); When user authentication is completed according to the execution of biometric information authentication in the user's terminal by the FIDO server 1000, transmitting the symmetric key induction information including the user's FIDO public key to the user's terminal (S350) Including, the key data storage step (S4000), by the user's terminal, performing biometric information authentication, and inducing the symmetric key based on the symmetric key induction information (S360); Generating encryption key data in which the private key of the certificate is encrypted by the user's terminal by the derived symmetric key (S370); And storing encryption key data obtained by encrypting the private key of the certificate in web storage (S380).

In step S300, the user's terminal transmits a user authentication request to the FIDO server 1000. That is, the FIDO server 1000 receives a user authentication request from the user's terminal.

In step S310, the FIDO server 1000 transmits a biometric information authentication request to the user's terminal.

In step S320, the user's terminal performs biometric information authentication according to the biometric information authentication request transmitted from the FIDO server 1000, and when the biometric information authentication is completed, generates an authentication response for biometric information authentication.

In step S330, the user's terminal transmits the authentication response generated after performing biometric information authentication in step S320 to the FIDO server 1000.

In step S340, the FIDO server 1000 verifies the authentication response received from the user's terminal to perform user authentication.

In step S350, when user authentication is completed, the FIDO server 1000 transmits symmetric key induction information to the user's terminal. Preferably, the symmetric key induction information includes a FIDO public key and a user ID generated in the user registration step.

In step S360, the user's terminal receiving the symmetric key induction information from the FIDO server 1000 performs biometric information authentication. When biometric information authentication is completed, the user's terminal derives a symmetric key based on the received symmetric key induction information.

In step S370, the terminal of the user who has derived the symmetric key encrypts the certificate private key using the derived symmetric key to generate encryption key data.

In step S380, the user's terminal stores encryption key data in which the certificate private key is encrypted by the symmetric key in the web storage.

Preferably, a process in the form of a program that performs such steps may be operated in the web browser of the user's terminal.

Preferably, the key data storage step may be performed only when user authentication is completed in the first authentication step.

In this way, the user's terminal stores the encryption key data that encrypts the certificate and the certificate private key, which is the information necessary to perform the digital signature, in the web storage, without the need to carry the certificate and the private key in the user's terminal, By performing an electronic signature with a certificate and a private key stored in the web storage, it is possible to exhibit the effect of preventing the leakage of personal information due to the loss of the terminal.

6 schematically shows a process of performing a second authentication step and an electronic signature step according to an embodiment of the present invention.

Specifically, the second authentication step (S5000) includes, by the FIDO server 1000, receiving a user authentication request from the user's terminal (S400); Transmitting a biometric information authentication request to the user's terminal by the FIDO server 1000 (S410); When user authentication is completed according to the execution of biometric information authentication in the user's terminal by the FIDO server 1000, transmitting the symmetric key induction information including the user's first public key to the user's terminal (S420 ); Including, the electronic signing step includes, by the user's terminal, inducing a symmetric key by performing biometric information authentication based on the symmetric key induction information (S460); And decrypting the encryption key data stored in the web storage using the symmetric key by the user's terminal (S470). And performing, by the user's terminal, an electronic signature using the private key of the certificate decrypted from the encryption key data (S480).

In step S400, the user's terminal transmits a user authentication request to the FIDO server 1000. That is, the FIDO server 1000 receives a user authentication request from the user's terminal.

In step S410, the FIDO server 1000 transmits a biometric information authentication request to the user's terminal.

In step S420, the user's terminal performs biometric information authentication according to the biometric information authentication request transmitted from the FIDO server 1000, and when the biometric information authentication is completed, generates an authentication response for biometric information authentication.

In step S430, the user's terminal transmits the authentication response generated after performing biometric information authentication in step S420 to the FIDO server 1000.

In step S440, the FIDO server 1000 verifies the authentication response received from the user's terminal to perform user authentication.

In step S450, when user authentication is completed, the FIDO server 1000 transmits symmetric key induction information to the user's terminal. Preferably, the symmetric key induction information includes a FIDO public key and a user ID generated in the user registration step.

The steps S400 to S450 correspond to the second authentication step.

In step S460, the user's terminal receiving the symmetric key induction information from the FIDO server 1000 performs biometric information authentication. When biometric information authentication is completed, the user's terminal derives a symmetric key based on the received symmetric key induction information.

In step S470, the terminal of the user who derived the symmetric key decrypts the encryption key data, which is the private key of the encrypted certificate stored in the web storage by the derived symmetric key, and derives the private key of the certificate.

In step S480, the user's terminal digitally signs the original text data using the private key and the certificate of the certificate decrypted from the encryption key data.

The steps S460 to S480 correspond to the digital signature step.

Preferably, a process in the form of a program that performs such steps may be operated in the web browser of the user's terminal.

Preferably, the digital signature step may be performed only when user authentication is completed in the second authentication step.

In this way, the user's terminal stores the encryption key data that encrypts the certificate and the certificate private key, which is the information necessary to perform the digital signature, in the web storage, without the need to download the certificate and the private key to the user's terminal, By performing an electronic signature through a web browser, it is possible to exert the effect of preventing the leakage of personal information due to the loss of the terminal.

7 schematically shows a process of performing a first authentication step and a second authentication step according to an embodiment of the present invention.

Specifically, the first authentication step and the second authentication step, by the FIDO server 1000, receiving a user authentication request from the user's terminal (S510); Generating one-time verification information by the FIDO server 1000 and transmitting it to the user's terminal (S520); Receiving, by the FIDO server 1000, an authentication response including the one-time verification information encrypted with the user's FIDO private key from the user's terminal on which biometric information authentication has been performed (S550); Decrypting the authentication response received by the FIDO server 1000 by the user's FIDO public key stored in the user registration step (S560); And performing user authentication by determining whether the decrypted one-time verification information and the one-time verification information generated by the FIDO server 1000 match by the FIDO server 1000 (S570).

In step S510, the FIDO server 1000 (2000) receives a user authentication request from the user's terminal.

In step S520, the FIDO server 1000 receiving the user authentication request generates one-time verification information, and transmits the one-time verification information to the user's terminal.

The FIDO server 1000 may generate a random number with a random value for user authentication and transmit it to the user through a challenge. The one-time verification information means a randomly generated challenge number to perform the user's authentication as a one-time operation as described above.

In step S530, the user's terminal receiving the one-time verification information from the FIDO server 1000 performs biometric information authentication. Preferably, the biometric information authentication is performed by determining whether the biometric information of the user previously stored in the user's terminal and the biometric information input to the user's terminal match.

In step S540, when biometric information authentication is completed, the user's terminal encrypts the one-time verification information received using the FIDO private key generated in the user registration step.

In step S550, the user's terminal transmits an authentication response including encrypted one-time verification information to the FIDO server 1000. That is, the FIDO server 1000 receives an authentication response including one-time verification information encrypted with the user's private key from the user's terminal.

In step S560, the FIDO server 1000 receiving the verification response decrypts the encrypted one-time verification information included in the authentication response received by the user's FIDO public key stored in the FIDO server 1000 in the user registration step. To do. The FIDO private key and FIDO public key generated in the user's terminal are asymmetric keys that can be decrypted only with the other key when encryption is performed with each key. In other words, when certain data is encrypted with a private key, the data encrypted with the public key paired with the private key can be decrypted, and in the opposite case, when encrypted with the public key, only the private key paired with the public key is encrypted. Data can be decrypted. Accordingly, when the decryption is completed by performing the decryption of the encrypted one-time verification information, the one-time verification information may be authenticated as the one-time verification information transmitted through the user's terminal by the user who is currently attempting to authenticate.

In step S570, the FIDO server 1000 determines whether the decrypted one-time verification information and the one-time verification information generated by the FIDO server 1000 are matched to perform user authentication. If the one-time verification information decrypted in step S560 and the one-time verification information generated by the FIDO server 1000 and transmitted to the user's terminal match, the user authentication is completed. If the decrypted one-time verification information and the one-time verification information generated by the FIDO server 1000 do not match, user authentication is not completed.

In this way, when user authentication is completed in the first authentication step and the second authentication step, the FIDO server 1000 transmits symmetric key induction information to the user's terminal.

In this way, biometric information authentication is performed based on biometric information, and only when biometric information authentication is completed, the verification response to the one-time verification information is verified by the user common information shared only with the user's terminal and the FIDO server 1000. In addition, since user authentication is performed only for registered users, the effect of reinforcing the security of user authentication can be exerted.

8 schematically illustrates an internal configuration of a computing device according to an embodiment of the present invention.

All or part of the components illustrated in FIG. 1 may include components of a computing device to be described later.

As shown in FIG. 8, the computing device 11000 includes at least one processor 11100, a memory 11200, a peripheral interface 11300, and an input/output subsystem ( I/Osubsystem) 11400, a power circuit 11500, and a communication circuit 11600 may be included at least.

The memory 11200 may include, for example, high-speed random access memory, magnetic disk, SRAM, DRAM, ROM, flash memory, or nonvolatile memory. have. The memory 11200 may include a software module, an instruction set, or other various data necessary for the operation of the computing device 11000.

In this case, access to the memory 11200 from another component such as the processor 11100 or the peripheral device interface 11300 may be controlled by the processor 11100. The processor 11100 may be configured as a single unit or a plurality of units, and may include a processor in the form of a GPU and a TPU in order to improve operation processing speed.

The peripheral device interface 11300 may couple input and/or output peripheral devices of the computing device 11000 to the processor 11100 and the memory 11200. The processor 11100 may execute various functions for the computing device 11000 and process data by executing a software module or instruction set stored in the memory 11200.

The input/output subsystem 11400 may couple various input/output peripherals to the peripherals interface 11300. For example, the input/output subsystem 11400 may include a monitor, a keyboard, a mouse, a printer, or a controller for coupling a peripheral device such as a touch screen or a sensor to the peripheral device interface 11300 as needed. According to another aspect, the input/output peripheral devices may be coupled to the peripheral device interface 11300 without going through the input/output subsystem 11400.

The power circuit 11500 may supply power to all or part of the components of the terminal. For example, the power circuit 11500 may include a power management system, one or more power sources such as batteries or alternating current (AC), a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator or power. It may contain any other components for creation, management, and distribution.

The communication circuit 11600 may enable communication with another computing device using at least one external port.

Alternatively, as described above, if necessary, the communication circuit 11600 may enable communication with other computing devices by transmitting and receiving an RF signal, also known as an electromagnetic signal, including an RF circuit.

The embodiment of FIG. 8 is only an example of the computing device 11000, and the computing device 11000 omits some of the components shown in FIG. 8, further includes additional components not shown in FIG. 8, or 2 It can have a configuration or arrangement that combines two or more components. For example, a computing device for a communication terminal in a mobile environment may further include a touch screen or a sensor in addition to the components shown in FIG. 8, and various communication methods (WiFi, 3G, LTE , Bluetooth, NFC, Zigbee, etc.) may include a circuit for RF communication. Components that may be included in the computing device 11000 may be implemented as hardware, software, or a combination of hardware and software including one or more signal processing or application-specific integrated circuits.

Methods according to an embodiment of the present invention may be implemented in the form of program instructions that can be executed through various computing devices and recorded in a computer-readable medium. In particular, the program according to the present embodiment may be configured as a PC-based program or an application dedicated to a mobile terminal. An application to which the present invention is applied may be installed on a user terminal through a file provided by the file distribution system. As an example, the file distribution system may include a file transmission unit (not shown) that transmits the file according to the request of the user terminal.

The apparatus described above may be implemented as a hardware component, a software component, and/or a combination of a hardware component and a software component. For example, the devices and components described in the embodiments are, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA). , A programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions, such as one or more general purpose computers or special purpose computers. The processing device may execute an operating system (OS) and one or more software applications executed on the operating system. Further, the processing device may access, store, manipulate, process, and generate data in response to the execution of software. For the convenience of understanding, although it is sometimes described that one processing device is used, one of ordinary skill in the art, the processing device is a plurality of processing elements and/or multiple types of processing elements. It can be seen that it may include. For example, the processing device may include a plurality of processors or one processor and one controller. In addition, other processing configurations are possible, such as a parallel processor.

The software may include a computer program, code, instruction, or a combination of one or more of these, configuring the processing unit to operate as desired or processed independently or collectively. You can command the device. Software and/or data may be interpreted by a processing device or to provide instructions or data to a processing device, of any type of machine, component, physical device, virtual equipment, computer storage medium or device. , Or may be permanently or temporarily embodyed in a transmitted signal wave. The software may be distributed over networked computing devices and stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like alone or in combination. The program instructions recorded on the medium may be specially designed and configured for the embodiment, or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as flOTPical disks. -Optical media (Magneto-OTPical media), and hardware devices specially configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine language codes such as those produced by a compiler, but also high-level language codes that can be executed by a computer using an interpreter or the like. The hardware device described above may be configured to operate as one or more software modules to perform the operation of the embodiment, and vice versa.

Although the embodiments have been described by the limited embodiments and drawings as described above, various modifications and variations can be made from the above description to those of ordinary skill in the art. For example, the described techniques are performed in a different order from the described method, and/or components such as systems, structures, devices, circuits, etc. described are combined or combined in a form different from the described method, or other components Alternatively, even if substituted or substituted by an equivalent, an appropriate result can be achieved.

Therefore, other implementations, other embodiments, and those equivalent to the claims also fall within the scope of the claims to be described later.

Claims (8)

As a FIDO-based password-free digital signature method performed by a certificate issuing server, a FIDO server, and a user's terminal,
In the user's terminal, a web browser may be executed, and information for performing an electronic signature may be stored in web storage,
The FIDO server transmits the biometric information authentication request to the user's terminal according to the user registration request sent from the user's terminal, and receives and stores the user-specific information generated by performing the biometric information authentication at the user's terminal. User registration step;
The certificate issuing server receives the certificate public key and the certificate issuance request from the user's terminal, generates a certificate including the certificate public key, and sends it to the user's terminal, and the user's terminal transmits the certificate to the web storage. Certificate storing step to store in;
A first authentication step of transmitting, by the FIDO server, symmetric key induction information including user-specific information or derived from information including user-specific information to the user's terminal when user authentication of the user's terminal is completed;
A key data storage step of storing encryption key data obtained by encrypting the private key of the certificate in the web storage by the user's terminal by a symmetric key derived based on the symmetric key induction information;
A second authentication step of transmitting the symmetric key induction information to the user's terminal when user authentication of the user's terminal is completed by the FIDO server; And
The user's terminal decrypts the encryption key data stored in the web storage with the symmetric key derived based on the symmetric key induction information to derive the private key of the certificate, and digitally sign the original data using the certificate and the private key. Digital signature step of performing a; FIDO-based password-free digital signature method comprising a.
The method according to claim 1,
The user registration step,
Receiving, by the FIDO server, a user registration request from the user's terminal;
Transmitting, by the FIDO server, a biometric information authentication request to the user's terminal;
Receiving, by a FIDO server, the user-specific information including a FIDO public key generated from a terminal of a user who has performed biometric information authentication according to the biometric information authentication request; And
FIDO-based password-free digital signature method comprising; storing, by a FIDO server, the user-specific information including the received FIDO public key in a FIDO server.
The method according to claim 1,
The symmetric key induction information,
FIDO-based password-free digital signature method, including the FIDO public key and user ID generated in the user registration step.
The method according to claim 1,
The certificate storage step,
Generating a certificate public key and a certificate private key by the user's terminal;
Receiving, by a certificate issuing server, the certificate public key and a certificate issuance request from a user's terminal;
Generating a certificate including the certificate public key by a certificate issuing server and transmitting it to a user's terminal; And
Including, FIDO-based password-free digital signature method; storing the certificate in the web storage by the user's terminal.
The method according to claim 1,
The first authentication step,
Receiving, by the FIDO server, a user authentication request from the user's terminal;
Transmitting, by the FIDO server, a biometric information authentication request to the user's terminal;
Including, FIDO, including, by the FIDO server, transmitting the symmetric key induction information including the user's FIDO public key to the user's terminal when user authentication is completed according to the execution of biometric information authentication in the user's terminal. Digital signature method without password based.
The method according to claim 1,
The second authentication step,
Receiving, by the FIDO server, a user authentication request from the user's terminal;
Transmitting, by the FIDO server, a biometric information authentication request to the user's terminal;
Including, by the FIDO server, when user authentication is completed according to the execution of biometric information authentication in the user terminal, transmitting the symmetric key induction information including the user's first public key to the user's terminal; Including,
The electronic signature step,
Deriving a symmetric key by performing biometric information authentication based on the symmetric key induction information by a user's terminal; And
Decrypting, by the user's terminal, encryption key data stored in the web storage using the symmetric key; And
FIDO-based password-free digital signature method comprising; performing an electronic signature using a private key of a certificate decrypted from the encryption key data by a user's terminal.
The method according to claim 1,
The symmetric key,
A FIDO-based password-free digital signature method that is derived by the user's terminal based on the symmetric key induction information after performing the user's biometric information authentication.
As a FIDO-based password-free digital signature system implemented by a certificate issuing server, a FIDO server, and a user's terminal,
In the user's terminal, a web browser may be executed, and information for performing an electronic signature may be stored in web storage,
The FIDO server transmits a biometric information authentication request to the user's terminal according to the user registration request sent from the user's terminal,
The FIDO server receives and stores user-specific information generated according to the execution of biometric information authentication in the user's terminal,
The certificate issuing server receives the certificate public key and the certificate issuance request from the user's terminal, generates a certificate including the certificate public key, and sends it to the user's terminal,
The user's terminal stores the certificate in web storage,
When the user authentication of the user's terminal is completed, the FIDO server transmits symmetric key induction information including user-specific information or derived from information including user-specific information to the user's terminal,
The user's terminal stores encryption key data that encrypts the private key of the certificate in the web storage by means of a symmetric key derived based on the symmetric key induction information,
When the user authentication of the user's terminal is completed, the FIDO server transmits the symmetric key induction information to the user's terminal,
The user's terminal derives the private key of the certificate by decrypting the encryption key data stored in the web storage with the symmetric key derived based on the symmetric key induction information,
The user's terminal performs an electronic signature on the original text data using the certificate and the private key, a FIDO-based passwordless digital signature system.

Images