KR20220151589A - Device and method for authentication between device based on virtual authentication code - Google Patents

Abstract

The present invention provides a method for authentication between devices based on a virtual authentication code. The method comprises: a first code transmitting step; a second code receiving step of receiving, from a verification device, a second code in which an authentication result for a first code is reflected, wherein the second code includes a hash value and qualification information about a client device generated by the verification device based on the first code; a step of generating a third code that is a virtual authentication code based on the first code and the second code; and a step of transmitting the third code to at least one second device associated with the qualification information.

Description

Authentication method and program between devices based on virtual authentication code {DEVICE AND METHOD FOR AUTHENTICATION BETWEEN DEVICE BASED ON VIRTUAL AUTHENTICATION CODE}

The present invention relates to a method and program for authentication between devices based on a virtual authentication code.

Code type data is used in many fields. Not only card numbers and account numbers used for payment, but also IPIN numbers and resident registration numbers for user identification are code-type data.

However, in the process of using such code data, many leak accidents occur. In the case of a card number, the actual card number is written on the surface of the card as it is, so it is visually leaked to others, and when paying using a magnetic card, the card number is transmitted to the POS device as it is and leaked.

Many attempts have been made to use virtual codes to prevent actual codes from being leaked as they are, but data for identifying users was needed to search for real codes corresponding to virtual codes. For example, in the case of OTP (One Time Password), the code is changed and generated every hour, but it is difficult to apply to various areas because a login procedure is required to determine the algorithm assigned to the user.

Therefore, there is a need for an invention capable of authenticating a user or device based on a virtual authentication code that changes in real time without providing identification information of the user or device, such as a real card number or resident registration number.

In recent years, many websites, platforms, etc., use OAuth authentication methods in which users are granted access rights to registered user information on other websites without registering user information on the corresponding website. In the case of the OAuth authentication method, the client server must obtain an access token in advance in order to be granted access to the user information of the corresponding platform.

At this time, the access token is valid only for specific information about a specific application or website within the corresponding platform. For example, even if a specific client server acquires an access token for Google Calendar for a specific member, access to other applications such as Google Driver and Google Spreadsheet is not allowed. Ultimately, the client server must acquire access tokens for other applications related to a specific member, and must access the authentication server for this purpose. After all, if this situation is repeated, the user must access the authentication server each time to receive an access token, that is, an access right for each server device. Not only does this take unnecessary time, but ultimately, repetitive authentication procedures are accumulated, resulting in reduced efficiency.

Registered Patent Publication No. 10-1316466, 2013.10.01.

The present invention for solving the above problems is to provide a virtual authentication code-based server-to-server authentication device and method.

However, the problems to be solved by the present invention are not limited to the problems mentioned above, and other problems not mentioned will be clearly understood by those skilled in the art from the description below.

A virtual authentication code-based device-to-device authentication method for solving the above problems is a method performed by a first device, and transmits a first code, which is a source code for generating a virtual authentication code received from a client device, The first code is generated based on the identification information of the client device and is used to authorize the client device through verification of the first code in the verification device. Receiving a second code in which an authentication result for the first code is reflected, wherein the second code includes a hash value and qualification information about the client device generated by the verification device based on the first code, Receiving a second code, generating a third code that is the virtual authentication code based on the first code and the second code, and transmitting the third code to at least one second device related to the qualification information Include steps.

or the second code further includes valid time information on the second code, and the first device receives the third code for updating the expired second code from the second device; A first code is transmitted to the verification device, and the verification device updates the second code when authentication of the client device is completed based on the first code, and then transmits the updated second code to the first device. and regenerating a third code based on the first code, the updated second code, and the time data from which the updated second code is received, and transmitting the third code to a second device. .

Alternatively, the second code includes a plurality of detailed codes, and the plurality of detailed codes are changed and generated for each unit count by the client device, and the unit count is set at a specific time interval, so that the time It changes as the interval elapses.

Alternatively, the detailed code includes a plurality of first detailed codes and second detailed codes having a correlation with each other, and the first detailed code determines a search start point for authentication information of the client device in the verification device. and the second detailed code determines a search path for the authentication information from the search start point.

According to another aspect of the present invention for solving the above problems, an authentication method between devices based on a virtual authentication code performed by a second device, comprising the steps of receiving a third code, which is a virtual authentication code, from a first device and the Approving the authority of the client device based on a third code, wherein the authority approval step includes a first code (based on the client device) used to generate the third code included in the third code. Generating a hash value for the device, comparing the generated hash value with the hash value in the third code to verify the client device, and based on the third code, qualification information about the client device and approving the authority of the client device by determining.

Alternatively, the permission approval step may include determining whether or not the second device is included in accessible devices of the client device based on the third code, and based on the time data and the second code included in the third code. In this way, the step of approving the right corresponding to the qualification of the client device to the second device.

or, the second code further includes valid time information regarding the second code, and when the valid time of the second code expires, the third code is returned to the first device to update the second code. It further includes the step of asking to do.

Alternatively, the third code is generated based on the first code, the second code, and time data of receiving the second code, and the permission approval step is based on the third code to the client device. Authorization of the client device is approved based on the time when the second code is received and qualification information about the client device.

or generating information identifying the client device verification success and the approved authority, and generating a new third code for a second device based on the third code and the identification information.

As a device-to-device authentication method based on a virtual authentication code by a verification device according to another aspect of the present invention for solving the above-mentioned problems, the first source code for generating a virtual authentication code from a client device through a first device Receiving a code, wherein the first code is generated based on the identification information of the client device, receiving a first code, based on the first code, searching for a storage location of the identification information of the client device and performing authentication of the client device, generating qualification information about the client device when the authentication of the client device is completed, and generating a hash value of the client device based on the first code. , Generating a second code in which the authentication result for the first code is reflected based on the generated qualification information and hash value, and the first device generating a third code that is the virtual authentication code based on the second code. and sending the second code to the first device to generate a code.

or, the second code further includes valid time information on the second code, and the verification device, in a state in which the valid time of the second code for the first code received from the first device has expired, When a renewal request for the expired second code is received, determining whether the first code received from the first device and the previously stored first code are the same, and performing authentication of the client device and authentication of the client device When this is completed, updating the second code and transmitting it to the first device is further included.

According to another aspect of the present invention for solving the above problems, a method for device-to-device authentication based on a virtual authentication code performed by a client device, based on identification information of the client device, is a source for generating a virtual authentication code. Generating a first code that is a code and transmitting the first code to a verification device through a first device to request authorization of the client device for the first device, includes a plurality of detailed codes, and the plurality of detailed codes are changed and generated for each unit count by the client device, and the unit count is set at a specific time interval, and as the time interval elapses, It will change.

Alternatively, the detailed code includes a plurality of first detailed codes and second detailed codes having a correlation with each other, and the first detailed code determines a search start point for authentication information of the client device in the verification device. and the second detailed code determines a search path for the authentication information from the search start point.

A computer program for performing an authentication method between servers based on a virtual authentication code in another aspect of the present invention for solving the above problems may be stored in a storage medium.

In addition to this, another method for implementing the present invention, another system, and a computer readable recording medium recording a computer program for executing the method may be further provided.

According to the present invention as described above, authorization for a plurality of service devices can be authenticated with only one authentication of a client device in a verification device. Through this, it is possible to save time and cost required to perform an authentication process after a client device accesses a verification device for authorization authentication to each service device.

Meanwhile, by generating a virtual code including qualification information on a plurality of service devices of the client device, it is possible to prevent leakage of information about at least one service device to which the access authority of the client device is recognized.

In addition, according to the present invention, since an algorithm for generating a virtual authentication code and searching for a storage space for qualification information needs only be added, the existing process can be maintained as it is. Through this, it is possible to minimize the parts that need to be changed within the existing process to increase security, and the user does not have to perform a separate step to improve security.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below.

1 is a flowchart schematically illustrating a server-to-server authentication method based on a virtual authentication code according to an embodiment of the present invention.
2 is a schematic configuration diagram of a client device according to an embodiment of the present invention.
3 is a flowchart schematically illustrating a method of requesting authorization for a first device based on a first code of a client device according to an embodiment of the present invention.
4 is a schematic structural diagram of a first code of a client device according to an embodiment of the present invention;
5 is a schematic configuration diagram of a verification device according to an embodiment of the present invention.
6 is a flowchart schematically illustrating a method of generating a second code by verifying a client device based on a first code, according to an embodiment of the present invention.
7 is an exemplary view of a storage location search algorithm for searching a storage location of authentication information of a client device through k-shaped cloud movement according to an embodiment of the present invention.
8 is a schematic configuration diagram of a second code generated by a verification device according to an embodiment of the present invention.
9 is a schematic configuration diagram of a service device according to an embodiment of the present invention.
10 is a flowchart schematically illustrating a method of generating a third code, which is a virtual authentication code, based on a first code and a second code performed by a first device according to an embodiment of the present invention.
11 is a schematic configuration diagram of a third code according to an embodiment of the present invention.
12 is an exemplary view schematically illustrating a method for authentication between servers based on a third code according to an embodiment of the present invention.
13 is a flowchart schematically illustrating an authentication method between servers based on a third code according to an embodiment of the present invention.
14 is a flowchart schematically illustrating a method for authorizing a client device based on a third code according to an embodiment of the present invention.
15 is a flowchart schematically illustrating a method for authorizing a client device based on a third code according to an embodiment of the present invention.
16 is a flowchart schematically illustrating generation of a new third code based on verification of a client device and authorization information of a second device of the present invention.

Advantages and features of the present invention, and methods of achieving them, will become clear with reference to the detailed description of the following embodiments taken in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, only these embodiments are intended to complete the disclosure of the present invention, and are common in the art to which the present invention belongs. It is provided to fully inform the person skilled in the art of the scope of the invention, and the invention is only defined by the scope of the claims.

Terminology used herein is for describing the embodiments and is not intended to limit the present invention. In this specification, singular forms also include plural forms unless specifically stated otherwise in a phrase. As used herein, "comprises" and/or "comprising" does not exclude the presence or addition of one or more other elements other than the recited elements. Like reference numerals throughout the specification refer to like elements, and “and/or” includes each and every combination of one or more of the recited elements. Although "first", "second", etc. are used to describe various components, these components are not limited by these terms, of course. These terms are only used to distinguish one component from another. Accordingly, it goes without saying that the first element mentioned below may also be the second element within the technical spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings commonly understood by those skilled in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless explicitly specifically defined.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Prior to the description, the meaning of the terms used in this specification will be briefly described. However, it should be noted that the description of terms is intended to help the understanding of the present specification, and is not used in the sense of limiting the technical spirit of the present invention unless explicitly described as limiting the present invention.

Also, the term "unit" used in the specification means a hardware element such as software, FPGA or ASIC, and "unit" performs certain roles. However, "unit" is not meant to be limited to software or hardware. A “unit” may be configured to reside in an addressable storage medium and may be configured to reproduce on one or more processors. Thus, as an example, “unit” can refer to elements such as software elements, object-oriented software elements, class elements and task elements, processes, functions, properties, procedures, subroutines, programs Segments of code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays and variables. Functionality provided within elements and “sections” may be combined into a smaller number of elements and “sections” or further separated into additional elements and “sections”.

In addition, all “units” in this specification may be controlled by at least one processor, and at least one processor may perform operations performed by “units” of the present disclosure.

Embodiments herein may be described in terms of a function or a block performing a function. Blocks that may be referred to as 'units' or 'modules' of the present disclosure include logic gates, integrated circuits, microprocessors, microcontrollers, memories, passive electronic components, active electronic components, optical components, and hardwired circuits. may be physically implemented by analog or digital circuitry such as the like, and optionally driven by firmware and software.

Embodiments herein may be implemented using at least one software program running on at least one hardware device and may perform network management functions to control elements.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings commonly understood by those skilled in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless explicitly specifically defined.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In this specification, a "character" is a component constituting a code, and includes all or part of uppercase alphabets, lowercase alphabets, numbers, and special characters.

In this specification, "code" means a string in which characters are listed.

In this specification, 'detailed code' refers to some codes included in virtual codes. That is, when the virtual code is generated by combining a plurality of separately generated codes, the detailed code refers to an individual code that is separately generated and constitutes the virtual code.

In this specification, a 'unit count' is a unit defined as being set at a specific time interval and changed as the time interval elapses. For example, 1 count may be set to a specific time interval (eg, 1.5 seconds) and used.

In this specification, "ID (identifier)" means a value in the form of a unique code given by a server device so as not to be duplicated for each client device in order to identify the client device.

In this specification, a 'virtual code generating function' refers to a function used to generate virtual codes.

In the present specification, 'cloud movement' means that an object performs translational motion while rotating. That is, 'moving the cloud' means moving while performing both rotational motion and translational motion, and each point of the rotating object moves while contacting the moving barn in turn.

1 is an exemplary diagram schematically illustrating a server-to-server authentication method based on a virtual authentication code according to an embodiment of the present invention.

Referring to FIG. 1 , the client device 100 needs to be authenticated and verified by the verification device 300 when trying to obtain permission to access or use a specific device among a plurality of service devices 200 . This is because authentication information of the corresponding client device 100 stored in the verification device 300 must be used to verify the client device 100 . Referring to FIG. 1 , the client device generates a first code to obtain authorization for the first device and transmits the first code to the verification device through the first device. At this time, the verification device 300 will perform verification on the client device based on the received first code. If the client device 100 wants to obtain permission for the second device 200_2 other than the first device 200_1 among the service devices 200, another first code for authenticating the client device 100 After generating, it must be transmitted to the verification device 300 to perform the verification process again. That is, the client device 100 must request permission approval from the verification device 300 each time for permission approval for each service device 200 . This is time inefficient, and due to repeated processes, efficiency is reduced. Therefore, the present invention solves this problem, and after one-time authentication of the client device 100 in the verification device 300, a virtual authentication code including corresponding authentication information is generated, so that the client device 100 Verification of the client device 100 between service devices 200 is possible without repetitive authorization of the verification device 300 .

Referring to FIG. 1 , the above-described problem solving principle of the present invention can be demonstrated through a third code generated by the first device 200_1 based on the second code generated by the verification device 300 . Hereinafter, embodiments of the present invention will be described in detail.

2 is a schematic configuration diagram of a client device according to an embodiment of the present invention. 3 is a flowchart schematically illustrating a method of requesting authorization for a first device based on a first code of a client device according to an embodiment of the present invention. 4 is a schematic structural diagram of a first code of a client device according to an embodiment of the present invention;

First, the first code is one of the virtual authentication codes described above, and refers to a virtual code generated for authentication of a client device. In order to help understand the invention, the virtual authentication code for the client device will be described as the first code in this specification.

Meanwhile, the first code is used to authenticate the client device in the verification device 300 . Specifically, the storage location of the authentication information of the client device 100 stored in the verification device corresponding to the identification information of the client device 100 included in the first code is searched for, and the client device is authenticated.

Referring to FIGS. 2 and 3 , the client device 100 and the first code generating method of the client device 100 will be described.

Referring to FIG. 2 , the client device 100 includes a detailed code generator 110 , a first code generator 120 and a communication unit 130 . Meanwhile, the client device 100 may correspond to a client server that requests an authentication server for access rights and data use rights for a resource server. However, it is not limited thereto.

The detail code generator 110 generates a plurality of detail codes included in the first code. At this time, the first code generator 120 plays a role of generating a first code by combining one or more detailed codes. In one embodiment, the first code is generated by combining a plurality of detailed codes according to a specific rule.

On the other hand, the detailed code is generated by being changed for each unit count by the client device 100. In this case, the unit count is set at a specific time interval and is changed according to the time interval. For example, if it is assumed that the time interval is 2 seconds, the unit count will be accumulated and calculated whenever each 2 seconds elapses.

Referring to FIG. 3 , the client device 100 generates a first code, which is a source code for generating a virtual authentication code, based on the identification information (S410).

Specifically, the first code generator 120 of the client device 100 generates a first code based on identification information of the client device. At this time, the client device 100 generates a first code according to a first code generation function in order to approve access to a specific service device. The identification information of the client device 100 may be an ID (Identifier) and a secret value of the corresponding client device set in the verification device. However, it is not limited thereto.

Referring to FIG. 4 , a schematic configuration of the first code can be seen. The first code generation unit 120 generates a first code including an ID (Identifier) and hash value for the verification device of the corresponding client device. However, it is not limited thereto.

For example, although not clearly shown in the drawing, in one embodiment of the present invention, a verification device of the client device 100 after generating a virtual authentication code by applying the ID of the client device to the first code generating function The hash value is calculated by applying the secret value (SECRET) to the hash function. In addition, the first code may be finally generated by combining the virtual authentication code and the hash value.

In addition, although not clearly shown in the drawing, time data may be utilized in generating the first code. Here, the time data may be the permission approval request time for the first device of the client device 100 . However, it is not limited thereto. When time data is used, a virtual authentication code is generated by applying the identification information of the client device 100, for example, the ID and the time data to the first code generating function. A hash value is calculated by applying the time data and the secret value of the client device 100 to a hash function. The first code may be generated by combining the virtual authentication code and the hash value.

Meanwhile, referring to FIG. 3 , the client device 100 transmits a first code to the first device and requests authorization of the client device for the first device (S420). More specifically, the client device 100 requests authorization of the client device for the first device by transmitting a first code to the verification device through the first device.

Meanwhile, in an embodiment of the present invention, the client device 100 directly transmits the first code to the verification device 300 in order to authorize the plurality of service devices 200 registered in the verification device 300. By sending, permission approval for the plurality of service devices 200 may be requested. At this time, when authentication of the corresponding client device 100 is completed by the verification device 300, the verification device 300 transmits the second code generated based on the first code to the client device (not the service device 200). 100) is sent directly to

As described above, the client device 100 transmits the first code to the first device for which access authority is to be approved. At this time, as described above, the first device may be determined as a device requesting approval of the first access right of the client device 100 among the plurality of service devices 200 . That is, the first device may be determined by transmitting the first code in order for the client device 100 to request permission for access. However, it is not limited thereto.

For example, when a plurality of service devices 200 are interlocked in order, that is, the client device 100 must receive access to and/or permission to use the first service device 200, and then the remaining service devices 200. If access to 200 and/or permission to use other service devices 200 is approved, the first device may be set in advance. In addition, the names of the remaining devices in the service device 200, including the first device, may be determined based on the order.

The communication unit 130 serves to transmit the first code to the verification device 300 . The communication unit 130 may include various components capable of providing the first code to the outside.

Although not clearly shown in the drawing, a wireless communication module; short distance communication module; IC chip; magnetic field generating unit; It includes all or part of the display unit and the like.

The wireless Internet module refers to a module for wireless Internet access, and may be built into or external to the mobile terminal 100 . Wireless Internet technologies include WLAN (Wireless LAN) (Wi-Fi), Wibro (Wireless broadband), Wimax (World Interoperability for Microwave Access), HSDPA (High Speed Downlink Packet Access), LTE (long term evolution), LTE-A (Long Term Evolution-Advanced) and the like may be used.

The short-distance communication module refers to a module for short-distance communication. Bluetooth, BLE (Bluetooth Low Energy), Beacon, RFID (Radio Frequency Identification), NFC (Near Field Communication), infrared data association (IrDA), UWB (Ultra Wideband), ZigBee, and the like may be used.

Hereinafter, a method for generating the first code by the client device 100 based on the detailed code will be described.

Although not clearly shown in the drawing, the first code generator 120 plays a role of generating a first code by combining one or more detailed codes. In one embodiment, the first code is generated by combining a plurality of detailed codes according to a specific rule. The first code generating function includes a rule for combining a plurality of detailed codes (ie, a detailed code combining function).

Various methods may be applied as a method of generating one virtual code by combining a plurality of detailed codes.

The client device 100, in one embodiment, may include a program (ie, an application) that generates a virtual authentication code, that is, a first code for authentication of the client device.

At this time, the detailed code generator 110 plays a role of generating one or more detailed codes based on client identification information (Identifier, Secret, etc.). The first code generating function includes one or more detailed code generating functions. For example, when the first code includes a plurality of detailed codes, the first code generating function generates a plurality of detailed codes using the plurality of detailed code generating functions and combines the detailed codes to combine the plurality of detailed codes. A first code is generated using a function.

At this time, the first code is generated for each unit count by a dedicated program built into or installed in the client device 100 .

As an embodiment of the present invention, the client device 100 may use identification information of the client device, for example, ID (Identifier) of the client device as one of the seed data of the first code generation function. As a specific example, the detailed code generating unit 110 uses a single detailed code generating function to generate a combined serial number obtained by combining the ID (Identifier) of the client device and the serial number of a dedicated program embedded or installed in the client device 100, respectively. Each detailed code is generated by using it as the seed data of the detailed code generation function.

As an embodiment, the detailed code generating unit 110 may generate a first detailed code and a second detailed code by including a first detailed code generating function and a second detailed code generating function as the detailed code generating function. At this time, the client device 100 only includes a first detailed code generating function for generating a first detailed code and a second detailed code generating function for generating a second detailed code as detailed code generating functions in order to increase security, Data on the correlation between the first detail code and the second detail code may not be included.

The first code generating unit 120 plays a role of generating a first code by combining one or more detailed codes using the first code generating function. In one embodiment, the first code is generated by combining a plurality of detailed codes according to a specific rule. The first code generating function includes a rule for combining a plurality of detailed codes (ie, a detailed code combining function). That is, the first code generator 120 may combine one or more detailed codes using a detailed code combining function included in the first code generating function.

At this time, as an embodiment of the present invention, when the first code is generated by a combination of the first detail code and the second detail code according to a specific rule, the first detail code and the second detail code are the storage locations where the client information is stored. It can perform each role to search for the storage location of client authentication information in the search algorithm. For example, the first detailed code sets the starting point of the storage location search, and the second detailed code sets a search path from the starting point to the storage location of the authentication information of the client device according to a specific search method. That is, when the first code normally generated for each unit count is provided by the client device 100, the verification device 200 searches for the second detailed code from the search start point corresponding to the first detailed code included in the first code. A point moved along the corresponding search path is determined as a point where authentication information of the client device is stored (ie, a storage location of the authentication information of the client device). A detailed method of searching for a storage location of authentication information of a client device based on the first detailed code and the second detailed code constituting the first code will be described later.

As an example of a method in which the detail code generator 110 generates a detail code, the detail code generator 110 generates a new detail code for each unit count, and accordingly, the client device 100 generates a new detail code for each unit count. Generates the first code. The first code newly generated for each unit count is not duplicated. Specifically, the detailed code generation unit 110 may be set so that the first code newly generated for each unit count is not repeatedly generated for a predetermined period for a specific client device 100 .

In addition, as an embodiment of the present invention, a method of generating a plurality of detailed codes based on the identification information of the client device 100 used for generating the above-described first code and ultimately generating the first code is related to Thus, a first detailed code is generated based on the ID of the verification device 300 of the client device 100, and a second detailed code is generated based on the above-described time data, and the first detailed code and the second detailed code are generated. A first code combining detailed codes may be generated. However, it is not limited thereto.

Hereinafter, the client device 100 is verified based on the first code of the verification device 300, and ultimately, qualification information for at least one service device 200 of the client device 100 is extracted, and the qualification A method of generating the second code based on the information will be described in detail.

5 is a schematic configuration diagram of a verification device according to an embodiment of the present invention, and FIG. 6 is a second code generated by verifying a client device based on a first code according to an embodiment of the present invention. 7 is an exemplary view of a storage location search algorithm for searching for a storage location of authentication information of a client device through k-shaped cloud movement according to an embodiment of the present invention. 8 is a schematic configuration diagram of a second code generated by a verification device according to an embodiment of the present invention.

Referring to FIG. 5 , the verification device 300 includes a communication unit 310 , a detailed code extraction unit 320 , an authentication information search unit 330 and a second code generation unit 340 . The verification device 300 may be a server device, and for example, when the client device 100 is a client server using the OAuth authentication method, the access authority of the client device 100 to the resource server is granted. It may be a verification server that grants and manages. However, it is not limited thereto.

First, referring to FIG. 6 , the verification device 300 receives a first code, which is a source code for generating a virtual authentication code, from a client device through the first device (S430). At this time, as described above, the first code is generated based on the identification information of the client device.

Specifically, the verification device 300 receives an authentication request for the client device 100 of the first device 200_1. Then, the verification device 300 verifies whether the corresponding client device 100 corresponds to a trusted device registered in the verification device 300 . That is, authentication information of the client device 100 stored in the verification device 300 is extracted based on the first code and compared with identification information of the client device 100 included in the first code. And if the authentication information and the identification information match or are properly matched, the authentication of the client device 100 will be completed.

Meanwhile, the fact that the client device 100 has been authenticated does not mean that the client device 100 has authorized the first device. This is because the client device 100 may have devices for which access rights are not recognized among the entire service devices 200 . For example, assuming an OAuth authentication method, for a server that has not obtained an Access Token from a verification server, even if the client ID and password of the client server are authenticated, the authority for the corresponding server cannot be recognized. Hereinafter, a process of performing authentication and generating qualification information of the verification device 300 will be described in detail.

Referring to FIG. 6 , the verification device 300 searches the storage location of the authentication information of the client device 100 based on the first code received from the first device and performs authentication of the client device (S440). .

Here, the authentication information of the client device 100 means that when the client device 100 registers with the verification device 300, provided information corresponds to identification information capable of identifying a specific client device. For example, the serial number of the client device 100 itself, an issued ID (eg, Client ID), and a secret value related to the ID (Identifier) (eg, Client Secret) may correspond to this. .

More specifically, referring to FIG. 4 again, the first code is a virtual authentication code generated based on the identification information of the client device 100 . An ID (Identifier) and a secret value (Secret) for the verification device 300 of the client device 100 may be included in the first code. At this time, the authentication information for the client device 100 stored in the verification device 300, for example, the storage location of the stored ID ID (Identifier) and secret value (Secret) is searched. In addition, authentication of the client device 100 may be performed by comparing the identification value included in the first code with the identification value stored in the storage location.

As another embodiment, the authentication information search unit 330 of the verification device 300 may include the same function as the first code generating function of the client device 100 . At this time, the verification device 300 may extract the identification information of the client device 100 by applying the received first code to the first code generating function. For example, the ID (Identifier) of the client device 100 will correspond to this. At this time, the authentication information search unit 330 searches for an authentication information storage location of the client device 100 that matches the ID (Identifier). Then, the secret value of the client device 100 is extracted from the authentication information storage location. The extracted secret value is applied to the hash function to calculate the hash value. And, by comparing the calculated hash value with the hash value in the first code, authentication of the client device 100 may be completed.

Meanwhile, it has been described above that time data can be used in the first code generation process. When authentication of the client device 100 is performed based on the first code generated by utilizing the time data, the time data (when the client device 100 requests authorization for the first device) and the storage location After calculating the hash value by applying the secret value extracted from the hash function and comparing it with the hash value in the first code, authentication of the client device 100 may be completed.

At this time, to perform the above-described authentication, hash functions of the client device 100 and the verification device 300 may correspond to the same function.

Hereinafter, a detailed method of searching for a storage location of identification information based on a detailed code of the client device 100 of the verification device 300 will be described.

The detail code extraction unit 320 extracts a plurality of detail codes included in the first code. The first code is generated by combining a plurality of detailed codes according to a specific rule.

It will be. The detailed code extracting unit 320 of the verification device 300 includes the same detailed code combining function as the client device 100, and the detailed code extracting unit 320 applies the detailed code combining function to obtain a plurality of codes from the first code. The detailed code can be extracted. For example, when the client device 100 generates a first code in which two detailed codes (ie, a first detailed code and a second detailed code) are combined, the detailed code extraction unit 220 extracts the first code. The first detail code and the second detail code may be separated by applying the detail code combining function in the character array.

Further, the authentication information search unit 230 searches for a storage location of the client device 100 based on a plurality of detailed codes. Various methods may be applied as a method for the authentication information search unit 230 to search for a storage location of authentication information based on each detailed code. In order for the authentication information search unit 230 to search for a storage location based on a plurality of detailed codes, a correlation may be included between detailed codes.

When the first code is composed of the first detailed code and the second detailed code, as an embodiment having a correlation between the detailed codes, the authentication information search unit 230 determines a search start point corresponding to the first detailed code. And, a point moved from the search start point along the search path corresponding to the second detailed code can be found as the storage location of the authentication information of the actual code. That is, the detailed code may include a first detailed code for setting a starting point of the storage location search and a second detailed code for setting a search path from the starting point to the storage location according to a specific search method. .

In addition, as another embodiment, as the client device 100 provides a new first code for each unit count, the verification device 300 determines that the first detail code and the second detail code for searching the storage location are the values of the unit count. It changes every time it passes. The verification device 300 may set a search starting point and a search path based on the first detailed code and the second detailed code that are changed for each count to search for the storage location of the authentication information of the client device 100 .

Also, as another embodiment, the authentication information search unit 230 may include a storage location search algorithm to find a storage location of authentication information using a plurality of detailed codes having a correlation. The storage location search algorithm is an algorithm that makes it possible to search the storage location of authentication information when each detailed code included in the first code is applied.

For example, in the case of including a first detailed code for determining the search start point of the storage location of authentication information from the first code and a second detailed code for suggesting a storage location direction from the search start point, the storage location search algorithm is When a direction corresponding to the second detailed code is indicated at a point corresponding to the first detailed code, it is an algorithm that adjusts the storage location matching the authentication information of the client device 100 to the corresponding location. As the storage location search algorithm is used, the verification device 200 searches the storage location of the authentication information of the corresponding client device 100 even if the first detailed code and the second detailed code included in the first code are changed. Matching points can be found. Various methods may be applied to the storage location search algorithm, and specific examples will be described later. However, the storage location search algorithm is not limited to the examples described below.

Referring to FIG. 7, the storage location search algorithm is a k polygon (k is M ^N ) in which M ^N codes corresponding to the first detailed code are rolled and moved along tracks, and the vertex of the k polygon is the first detailed code track. When moving while corresponding to the point where the code is placed on the image, each vertex of the k-gon is matched with the storage location of the authentication information of the client, and the point where the first detailed code track (i.e., the first track) and the k-gon correspond to each other. This may be a storage location search start point corresponding to the first detailed code. At this time, the authentication information search unit 230 may apply cloud movement to the k-gon so that the vertex of the k-gon comes into contact with the point corresponding to the first detailed code extracted by the detailed code extraction unit 220 . Through this, the authentication information search unit 230 determines the angle corresponding to the second detailed code at the position on the first track where the k-gon faces (for example, 180 degrees is divided into M ^N pieces toward the vertex of the k-gon). angle), it is possible to search for a vertex of a k-gon, which is a storage location where authentication information of the client device 100 corresponding to the first code is stored.

Specifically, as shown in FIG. 7, the verification device 300 rolls the k-gon to a point corresponding to the first detailed code (that is, moves while making each vertex of the k-gon and each point on the track contact each other in turn). let it Then, the verification device 200 searches for a vertex corresponding to the storage location of the authentication information of the client device 100 by instructing an angular direction corresponding to the second detailed code. For example, since 2 counts have elapsed since client device B registered in the verification device 200 and received an ID (Identifier) and secret value, client device B receives a second detailed code to which 2 counts are applied as a function value. It is generated and provided to the verification device 200. The verification device 200 matches and stores the second detail code generated by the second detail code generating function for each count at the angle from the point where the k-gon and the track meet to each vertex (that is, the second detail code to which n counts are applied). As the detail code is moved by n counts of the k-gon, it is matched and stored as an angle toward the n-th vertex moved by the cloud), so the verification device 300 converts the angle corresponding to the second detail code to the first detail code corresponding point. , it is possible to search the vertices of the k-gon corresponding to the actual code storage location.

Meanwhile, as another embodiment of the present invention, the first detailed code and the second detailed code are the time when the authentication information of the client device 100 is registered or the time when authentication of the client device 100 is requested (eg, It may be a code for a reference count added as much as a virtual security code (eg, OTP code) randomly generated from the point at which the client device generates the first code.

In a specific embodiment, the client device 100 generates the virtual security code by reflecting it to the first detailed code and the second detailed code without outputting the virtual security code to the outside. The verification device 300 is a part of the serial number (i.e., a unique value) of the client device 100 and identification information of the client device 100 or the serial number of the client device 100 and the program in the client device 100. Generates a virtual security code value (eg, OTP code) based on the combination, generates a first detail code of the count by adding the security code value at the time of registering the authentication information of the client device, and corresponds to the virtual security code value The second detailed code of the count to be generated (ie, the virtual security code itself is generated as the second code).

That is, the first detailed code and the second detailed code are the point A at which the authentication information of the client device is registered in the verification device 300 by the client device 100 (or ID (Identifier) for the client device by the verification device) is issued) based on the shifted count by the virtual security code value. The count shifted by the virtual security code value from point A may be a previous count or a later count than the count corresponding to the current point in time according to the generated virtual security code value.

The verification device 300 may search the authentication information storage location (or registration location) of the client device 100 by applying the first detailed code and the second detailed code included in the received first code to a storage location search algorithm. have.

In addition, as another embodiment, the verification device 300 extracts the virtual security code from the second detailed code generated based on the virtual security code, and then converts the virtual security code generation function (ie, OTP function) to the first code. It is checked whether there is a value matching the virtual security code among the calculated OTP numbers by inputting a count within a specific range from the received count. Further, the verification device 300 obtains a virtual security code value (ie, an OTP function value) used in generating the second code by applying an inverse function of the second function to the second code, and calculates the same value as the virtual security code value. find the count that

The time when the virtual security code is generated by the client device 100 due to the transmission time or delay of the first code and the time when the verification device 300 receives the virtual security code (to be precise, the first code including the virtual security code) Receiving time), the verification device 300 may not match the count of receiving the first code and the count of generating the OTP number corresponding to the virtual security code.

Therefore, the verification device 300 allows an error range from the count of receiving the first code. Through this, the verification device 300 can prevent the authentication of the client device from being performed with the previously generated first code instead of the currently generated first code, so that security can be improved.

In addition, in another embodiment, the client device 100 includes a serial number (ie, a unique value) in the client device 100 or a dedicated program and the client device 100 at the time when authentication of the client device is requested or permission approval is requested. ) It is possible to generate a first detailed code corresponding to a count obtained by adding a virtual security code value generated by using some or a combination of both of the identification information as seed data. At this time, a second detailed code corresponding to a count obtained by adding the virtual security code value and the difference in count between the time when the identification information of the client device is registered (time A) and the time when permission approval is requested (time B) is generated. That is, the formula for generating the first subcode and the second subcode by the exclusive program in the client device 100 that generates the first code is as follows.

1st detailed code = f1 (point B count + virtual security code)

Second detailed code = f2 (point B count - point A count + virtual security code)

(Point A: when the authentication information is registered in the client device, Point B: the count at the time of requesting permission approval from the client device, virtual security code: OTP number)

The verification device 300 searches for a location where the information of the client device is stored based on the first detailed code and the second detailed code in the received first code, and generates seed data (that is, only for generating the first code) stored in the corresponding location. The serial number of the program or client device, the client device information, the serial number of the program dedicated to generating the first code, and the serial number of the client device information used in generating the first code) are extracted. The verification device 300 generates a virtual security code (ie, OTP number) within a specific count range from the time of receiving the permission approval request based on the seed data.

After that, the verification device 300 detects the registration point (point A) of authentication or identification information of the client device by searching for a point where the information of the client device is stored based on the first detailed code and the second detailed code. The verification device 300 calculates the sum of the number of counts and the virtual security code (ie, OTP number) from the time of registering the authentication information of the client device (point A) to the time of receiving the permission approval request to each count within a specific count range. Each corresponding calculated value is calculated, and it is checked whether a count equal to the number of counts corresponding to the second detailed code (ie, a value obtained by applying the inverse function of the second function to the second code) exists among the respective calculated values. Through this, the verification device 300 can check whether the first code is normally provided.

Meanwhile, when authentication of the client device 100 is completed, the verification device 300 generates a second code used for generating a third code to be described later (S450).

Referring to FIG. 6 , first, when authentication of the client device is completed, the verification device 300 generates qualification information about the client device (S451). At this time, the qualification information may be matched with the identification information of the client device 100 and stored. For example, it may be stored in connection with an ID (Identifier) or secret value of the client device 100 stored in the verification device 300 . Therefore, when authentication of the client device 100 is completed, the verification device 300 matches or connects to the corresponding authentication information and extracts stored qualification information.

In this case, the qualification information includes authority information for the service device 200 of the client device 100 . Rights information refers to information on the service device 200 to which the client device 100 has access or use rights (eg, a list of service devices), as well as rights, in relation to the service device 200 to the client. It includes information about a scope that the device 100 can access or use.

Meanwhile, in the case of qualification information, a qualification ID (Role Identifier) and a qualification secret value (Role Secret) corresponding to the corresponding qualification information may be set. The qualification ID (Role Identifier) and the qualification secret value (Role Secert) are set for each client device 100 . As an embodiment of the present invention, the qualification ID (Role Identifier) and the qualification secret value (Role Secert) of each client device 100 may be stored in a storage location of authentication information of each client device 100, Alternatively, the ID of each client device 100 may be matched and stored. However, it is not limited thereto.

Referring back to FIG. 6 , the verification device 300 extracts qualification information about the client device for which authentication has been completed, and then generates a hash value about the client device based on the first code (S452).

That is, each verification device 300 calculates a hash value by applying the first code to the hash function. At this time, as an embodiment of the present invention, the service device 200 may include the same hash function as the hash function of the verification device. Meanwhile, since the hash value is generated based on the first code, it matches the client device 100. As described above, since the first code is generated based on the identification information of each client device 100, the first code of each client device 100 is inevitably different, and therefore, based on the first code It is different for each generated hash value or client device 100 .

Meanwhile, after generating the hash value, the second code generator 340 of the verification device 300 generates a second code reflecting the authentication result of the first code based on the generated qualification information and the hash value. That is, the verification device 300 may generate a second code based on the second code generating function (S453).

Referring to FIG. 8, the second code is a second hash value calculated by applying the first code to a hash function, entitlement information (eg, entitlement ID) for the corresponding client, and a secret (eg, entitlement ID) about the entitlement information. , qualification secret value) to the hash function, and may include a third hash value calculated.

The hash value generated based on the first code is then used in the service device 300 to verify and approve the client device 100. Specifically, the service device 300 extracts the first code included in the third code and generates a hash value. In addition, the verification device 300 may perform authentication and verification of the client device 100 by comparing the hash value generated based on the first code received from the client device 100 . This will be described later in detail.

In one embodiment of the present invention, a virtual authentication code is generated by applying qualification information about a client to the second code generation function, and then a second code is finally generated by combining the second hash value and the third hash value. can do.

Meanwhile, although not clearly shown in the drawing, the second code may include a plurality of detailed codes. In this case, the plurality of detailed codes may be changed and generated for each unit count by the verification device, and the unit count may be set at a specific time interval and changed as the time interval elapses. That is, similar to generating the first code based on the detailed code of the client device 100, the second code generated by the verification device 300 may also include a plurality of detailed codes. In one embodiment, the first code is generated by combining a plurality of detailed codes according to a specific rule. To this end, although not clearly shown in the drawing, the second code generating function may include a rule for combining a plurality of detailed codes (ie, a detailed code combining function). The method for generating a virtual authentication code by combining detailed codes will be omitted as described above.

Meanwhile, as an embodiment of the present invention, the detailed code included in the second code includes a plurality of first detailed codes and second detailed codes having a correlation with each other, and the first detailed code is A search starting point for qualification information of the client device in is determined, and the second detailed code determines a search path for the qualification information from the search starting point. If the first detail code and the second detail code included in the first code are used to search for authentication information of the client device 100, the first detail code and the second detail code included in the second code are It can be used to search for qualification information of (100).

Meanwhile, the qualification information of the client device may be stored in a storage location of authentication information of the client device, or may be matched with or connected to the storage location of authentication information according to an embodiment and stored.

Referring back to FIG. 6 , the verification device 300 transmits the second code to the first device so that the first device 200_1 generates a third code that is a virtual authentication code based on the second code (S460). .

Meanwhile, the second code may further include valid time information about the second code. At this time, when the valid time of the second code for the first code received from the first device 200_1 has expired, the verification device 300 receives a request for renewal of the expired second code, from the first device 200_1. Authentication of the client device may be performed by determining whether the received first code and the pre-stored first code are the same. At this time, when authentication 100 of the client device is completed, the second code is updated and transmitted to the first device. This will be described later in detail.

9 is a schematic configuration diagram of the service device 200, and FIG. 10 shows a method for generating a third code, which is a virtual authentication code, based on a first code and a second code performed by a first device. It is a schematic flowchart, and FIG. 11 is a schematic configuration diagram of the third code.

Referring to FIG. 9 , the service device 200 includes a communication unit 210, a third code generator 220, a first code extraction unit 230, and a qualification information verification unit 240. Meanwhile, in the present specification, according to the permission approval request of the client device 100 of the service device 200, it is described as being divided into a first device and a second device, but this is to be distinguished for understanding of the present invention. That is, the first device 200_1 and the second device 200_2 are devices that provide services interworking with the verification device 300, for example, when using the Oauth authentication method, each Resource Server may correspond to this. Meanwhile, the resource server may be each server provided on the same platform, or may be each resource server provided on different platforms. However, it is not limited thereto.

Referring to FIG. 10 , the first code, which is the source code for generating the virtual authentication code received from the client device 100, is transmitted to the verification device 300 through the communication unit 210 (S430).

At this time, the first code is generated based on the identification information of the client device, and is used to authorize the client device 100 through verification of the first code in the verification device 300 . Meanwhile, although not clearly shown in the drawing, the first device may store the first code in a memory (not shown) in order to generate a third code.

Meanwhile, the first device 100_1 receives the second code to which the authentication result for the first code is reflected from the verification device 300 (S460). In this case, the second code includes a hash value and qualification information about the client device 100 generated by the verification device 300 based on the first code.

As described above, the hash value generated based on the first code generated by the client device 100 and the qualification information extracted after completing the authentication of the client device 100 in the verification device 300 are the second code included in In this regard, detailed descriptions of the foregoing will be omitted.

Specifically, when the first device 200_1 receives the second code in which the verification result for the first code is reflected from the verification device 300, it approves the authority of the client device 100 for the corresponding first device. At this time, the first device 200_1 may verify qualification information for the corresponding first device of the client device 100 in the second code through the qualification information verification unit 240 . In more detail, it will be determined whether the corresponding first device is included in the service device 200 included in the qualification information and authorized to access and/or use the client device 100 . Further, based on the qualification information, the scope of access and/or use rights of the client device 100 to the corresponding first device may be verified. And, when the qualification verification is completed, the authority for the first device of the client device 100 will be approved.

Referring to FIG. 10 , a third code, which is the virtual authentication code, is generated based on the first code and the second code (S470). The third code means a virtual authentication code used in an authentication process between servers.

On the other hand, referring to FIG. 11, in one embodiment of the present invention, the third code is the time (Time Stamp) at which the second code is received from the verification device 300 together with the above-described first code and second code, or It may be generated based on the second code generation time (Time Stamp) in the verification device.

For example, referring to FIG. 11, the third code is the time when authentication of the client device 100 of the verification device 300 is completed (Time Stamp) or the time when the second code is generated after verification is completed (Time Stamp). It may contain more information.

This is because the authorization of the client device 100 for each service device 200 through the third code finally generated based on the verification and verification result of the client device 100 is within a unit count or a preset count This is to approve the authority for the client device 100 if it is not completed. Each service device 200 is authorized by the third code and the second code included in the third code based on the authentication completion time (Time Stamp) or the generation time (Time Stamp) of the second code in the third code. It can be determined whether or not it is normally created for approval. More specifically, it is to determine whether the third code and the second code generated in response to the permission approval request of the client device 100 are used. In order to perform authentication and permission approval for the client device 100 in the plurality of service devices 200, it is necessary to determine whether the second code reflecting the authentication result for the client device 100 in the verification device 300 is valid. do. To this end, it is to sell based on the time stamp included in the third code.

12 is an exemplary diagram schematically illustrating a third code-based server-to-server authentication method according to an embodiment of the present invention.

In the case of the first device for which the client device 100 initially requested permission approval, the corresponding client device 100 could be authenticated and authorized by the verification device 200 . However, referring to FIG. 12 , the third code generated by the first device 200_1 includes the first code related to authentication information of the client device 100 and the second code related to qualification information. , Service devices 200 other than the first device 200_1 can authenticate and authorize the client device 100 without intervention of the verification device 300 . This will be described in detail below.

Also, as another embodiment of the present invention, although not clearly shown in the drawing, the third code may be generated by a client device. To this end, the first device 200_1 may transmit the second code received from the verification device 300 to the client device 100 . At this time, according to the third code generation method, the first device 200_1 transmits the time information at which the second code is received from the verification device or the second code generation time information in the verification device to the client device 100 together with the second code. could also be sent to Meanwhile, the third code generation method of the client device 100 has only a difference between the above-described third code generation method by the first device and the subject of generation, and thus a detailed description thereof will be omitted.

Meanwhile, the first device transmits a third code to at least one second device 200_2 related to qualification information (S480).

In an embodiment of the present invention, the first device 200_1 includes at least one second device 200_2 capable of authenticating the authority of the client device 100 based on qualification information of the second code included in the third code. After identifying, the third code may be transmitted to the second device 200_2. However, it is not limited thereto.

Meanwhile, referring to FIG. 12 , although it is shown that the first device 200_1 transmits a third code to one second device, based on the qualification information of the client device 100, a plurality of second devices among the service devices A third code may be transmitted to the device 200_2. Through this, the client device 100 can be granted access rights without accessing the verification device 300 for authorization authentication of each service device 200 .

13 is a flowchart schematically illustrating an authentication method between servers based on a third code according to an embodiment of the present invention. 14 is a flowchart schematically illustrating a method for authorizing a client device based on a third code according to an embodiment of the present invention, and FIG. 15 is a flowchart for authorizing a client device based on a third code. It is a flow chart schematically showing the method.

Referring to FIG. 13 , the second device 200_2 receives a third code, which is a virtual authentication code, from the first device (S480). Based on the third code, the client device 100 approves the authority for the second device 200_2 (S490).

At this time, referring to FIG. 14, in step S490, a hash value for the client device is generated based on the first code used to generate the third code included in the third code (S491), and the generated The client device is verified by comparing the hash value with the hash value in the third code (S492). Based on the third code, qualification information on the client device is determined and authority of the client device is approved (S493).

Specifically, the second device 200_2 extracts the first code included in the third code. Then, the hash value is calculated by applying the first code to the hash function. To this end, all service devices 200 including the second device include the same hash function as the verification device 300 . Meanwhile, after extracting the hash value, a second code within the third code is extracted, and the hash value included in the second code is compared with the hash value calculated by applying the hash function in the second device 200_2. At this time, if the two hash values match, the client device is authenticated and qualification information about the corresponding client device is determined. As described above, since the second code includes entitlement information (eg, entitlement ID and entitlement secret value), authorization of the client device 100 for the second device is granted based on the entitlement information.

Meanwhile, according to an embodiment of the present invention, the third code may be generated based on the first code, the second code, and time data of receiving the second code. At this time, in the permission approval step, based on the third code, based on the qualification information about the client device 100 and the time at which the second code was received, the permission of the client device may be approved. That is, the second device 100_2 verifies the validity of the second code based on the time data at which the second code was received, and then, based on the entitlement information included in the second code, the second device 100_2 determines information about the client device 100. You will be able to grant permission.

Meanwhile, referring to FIG. 15 , according to an embodiment of the present invention, in the permission approval step (S493), based on a third code, it is determined whether the second device is included in the accessible devices of the client device. And (S493_a), based on the time data and the second code included in the third code, it is possible to approve the right corresponding to the qualification of the client device for the second device (S493_b)

In more detail, it will be determined whether the corresponding second device is included in the service device 200 included in the entitlement information and authorized to access and/or use the client device 100 . In addition, based on the qualification information, the scope of access and/or use rights for the corresponding second device of the client device 100 may be verified. And, when the qualification verification is completed, the authority of the second device of the client device 100 will be approved.

Meanwhile, although not clearly shown in the drawing, the service device 200 may further include a detailed code extraction unit (not shown).

That is, when the second code generated by the verification device 300 includes a plurality of detailed codes, the service device 200 may extract the detailed codes and search the storage location of qualification information. This is because, when the first code includes a plurality of detailed codes, the method is similar to the method of extracting the detailed codes from the verification device 300 and searching for the storage location of the authentication information of the client device 100. The description is omitted.

Meanwhile, as an embodiment of the present invention, the second code may further include valid time information about the second code. That is, although not clearly shown in the drawing, the verification device 300 may further include valid time information of the second code when generating the second code. At this time, the second device 200_2 returns the third code received to the first device 200_1 when the validity time of the second code within the third code received from the first device 200_1 expires, 2 Request to update the code.

The first device 200_1 receives the third code for renewal of the expired second code from the second device 200_2, and transfers the first code included in the third code to the verification device 300. transmit The verification device 300 re-authenticates the client device 100 based on the first code. When the authentication of the client device 100 is completed, the second code may be updated and then the updated second code may be transmitted to the first device. A method of updating the second code is the same as a method of generating the second code, so a detailed description thereof will be omitted.

Meanwhile, when the first code is received by the first device 200_1, the verification device 300 stores the first code, and then transmits the first code through the first device 200_1 of the second device 200_2. When the update request for the 2 codes is received, validity can be confirmed through direct comparison between the stored first code and the first code received from the first device 200_1.

Meanwhile, when the process of updating the second code by the verification device 300 is stopped or the renewal is not allowed, the process of verifying and granting authority to the client device 100 in the second device 200_2 is stopped.

Meanwhile, when the first device 100_1 receives the updated second code from the verification device 300, the first device 100_1 generates a third code based on the first code, the second code, and the time data from which the updated second code is received. It is regenerated and transmitted again to the second device 100_2. Through this, the second device 100_2 will be able to perform the authentication and authorization process for the client device 100 again.

16 is a flowchart schematically illustrating generation of a new third code based on verification of a client device and authorization information of a second device of the present invention.

The second device 200_2, which has been verified and authorized for the client device 100, may generate a new third code for authentication of another device within the service device 200 of the corresponding client device 100. . For example, the client device 100 must complete authentication of the second device 200_2 based on the third code of the first device 200_1 to authorize the client device 300. 3 devices (not shown) may be present. At this time, based on the third code received from the first device 200_1, the second device 200_2 together with information indicating that the verification and authority approval of the client device 100 for the second device 200_2 has been completed. You will be able to generate a new third code.

Referring to FIG. 16 , information identifying success of client device verification and the approved authority is generated, and a new third code for a second device is generated based on the third code and the identification information.

Specifically, after the verification of the second device 200_2 with respect to the client device 100 is completed, the second device 200_2 generates information for authenticating that permission approval for the corresponding second device 200_2 has been completed. Then, a new third code including the corresponding information is generated, and the new third code is transmitted to another device (eg, a third device) requiring authentication of the client device 100 within the service device 200.

This is the third code received by the Nth (N is a natural number of 2 or more) service device from the N-1th service device when the plurality of service devices 300 sequentially require authentication for the client device 100. This is to allow the N+1 th device to recognize that it has completed verification in the N th service device for the client device 100 based on and identified that the authority has been approved. To this end, a new third code may be generated based on the third code received from the N−1 th device and information for authenticating that permission approval has been completed and transmitted to the N+1 th device.

Meanwhile, in the above embodiment, the sequential authentication and verification situation for the client device 100 of the plurality of service devices 200 has been described as an example, but the A service device 200_A is a client for another B service device 200_B. Even when the device 100 requires pre-validation and pre-authorization, the B service device may generate a new third code and transmit it to the A service device.

The virtual authentication code-based device-to-device authentication method according to one embodiment of the present invention described above may be implemented as a program (or application) and stored in a medium to be executed in combination with a server, which is hardware.

The aforementioned program is C, C++, JAVA, machine language, etc. It may include a code coded in a computer language of. These codes may include functional codes related to functions defining necessary functions for executing the methods, and include control codes related to execution procedures necessary for the processor of the computer to execute the functions according to a predetermined procedure. can do. In addition, these codes may further include memory reference related codes for which location (address address) of the computer's internal or external memory should be referenced for additional information or media required for the computer's processor to execute the functions. have. In addition, when the processor of the computer needs to communicate with any other remote computer or server in order to execute the functions, the code uses the computer's communication module to determine how to communicate with any other remote computer or server. It may further include communication-related codes for whether to communicate, what kind of information or media to transmit/receive during communication, and the like.

The storage medium is not a medium that stores data for a short moment, such as a register, cache, or memory, but a medium that stores data semi-permanently and is readable by a device. Specifically, examples of the storage medium include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc., but are not limited thereto. That is, the program may be stored in various recording media on various servers accessible by the computer or various recording media on the user's computer. In addition, the medium may be distributed to computer systems connected through a network, and computer readable codes may be stored in a distributed manner.

Steps of a method or algorithm described in connection with an embodiment of the present invention may be implemented directly in hardware, implemented in a software module executed by hardware, or implemented by a combination thereof. A software module may include random access memory (RAM), read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, hard disk, removable disk, CD-ROM, or It may reside in any form of computer readable recording medium well known in the art to which the present invention pertains.

Although the embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art to which the present invention pertains can be implemented in other specific forms without changing the technical spirit or essential features of the present invention. you will be able to understand Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive.

100: client device
110: detailed code generation unit
120: first code generator
130: Ministry of Communication
200: service device
200_1: first device
200_2: Second device
210: Ministry of Communication
220: third code generator
230: first code extraction unit
240: qualification information verification unit
300: verification device
310: Communication Department
320: detail code extraction unit
330: authentication information search unit
340: second code generator

Claims (15)

An authentication method between devices based on a virtual authentication code performed by a first device,
Transmit a first code, which is a source code for generating a virtual authentication code received from a client device, the first code is generated based on identification information of the client device, and the verification device verifies the first code. transmitting a first code, which is used to authorize the client device through;
Receive a second code in which the authentication result for the first code is reflected from the verification device, wherein the second code includes a hash value and qualifications for the client device generated by the verification device based on the first code. receiving a second code, including information;
generating a third code that is the virtual authentication code based on the first code and the second code; and
Transmitting the third code to at least one second device associated with the entitlement information;
Authentication method between devices based on virtual authentication code. According to claim 1
The second code further includes valid time information about the second code,
The first device,
Receiving the third code for renewal of the expired second code from the second device;
By sending the first code to the verification device,
Requesting that the verification device update the second code and transmit the updated second code to the first device when authentication of the client device is completed based on the first code;
Regenerating a third code based on the first code, the updated second code, and the time data from which the updated second code is received, and transmitting the third code to a second device,
Authentication method between devices based on virtual authentication code. According to claim 1,
The second code includes a plurality of detailed codes,
The plurality of detailed codes are changed and generated for each unit count by the client device,
The unit count is set at a specific time interval and is changed as the time interval elapses.
Authentication method between devices based on virtual authentication code. According to claim 1,
The detailed code includes a plurality of first detailed codes and second detailed codes having a correlation with each other;
The first detailed code determines a search start point for qualification information of the client device in the verification device;
The second detailed code determines a search path for the qualification information from the search start point,
Authentication method between devices based on virtual authentication code. As an authentication method between devices based on a virtual authentication code performed by a second device,
Receiving a third code that is a virtual authentication code from the first device; and
Approving the authority of the client device based on the third code; includes,
In the permission approval step,
Generating a hash value for the client device based on the first code (used to generate the third code included in the third code);
verifying the client device by comparing the generated hash value with a hash value in the third code; and
Based on the third code, determining entitlement information about the client device and approving the authority of the client device.
Authentication method between devices based on virtual authentication code. According to claim 5,
In the permission approval step,
determining whether the second device is included in accessible devices of the client device based on the third code; and
Approving an authority corresponding to the qualification of the client device to the second device based on the time data and the second code included in the third code,
Authentication method between devices based on virtual authentication code. According to claim 5,
The second code is,
Further including valid time information about the second code,
When the valid time of the second code expires, returning the third code to the first device to request renewal of the second code.
Authentication method between devices based on virtual authentication code. According to claim 5,
The third code,
Generated based on the first code, the second code, and time data of receiving the second code;
In the permission approval step,
Approving the authority of the client device based on the third code, based on the qualification information about the client device and the time at which the second code was received,
Authentication method between devices based on virtual authentication code. According to claim 5,
generating information identifying the client device verification success and the authorized authority; and
Generating a new third code for a second device based on the third code and the identification information; including,
Authentication method between devices based on virtual authentication code. As a device-to-device authentication method based on a virtual authentication code by a verification device,
Receiving a first code, which is a source code for generating a virtual authentication code, from a client device through a first device, wherein the first code is generated based on identification information of the client device. ;
performing authentication of the client device by searching for a storage location of identification information of the client device based on the first code;
generating entitlement information about the client device when authentication of the client device is completed;
generating a hash value for the client device based on the first code;
generating a second code in which an authentication result for the first code is reflected, based on the generated qualification information and the hash value; and
Transmitting the second code to the first device so that the first device generates a third code that is the virtual authentication code based on the second code; Including,
Authentication method between devices based on virtual authentication code. According to claim 10,
The second code further includes valid time information about the second code,
The verification device,
When a renewal request for the expired second code is received in a state where the validity time of the second code for the first code received from the first device has expired, the first code received from the first device and the previously stored second code are requested. 1 determining whether the codes are the same, and performing authentication of the client device; and.
Further comprising, when the authentication of the client device is completed, updating the second code and transmitting it to the first device.
Authentication method between devices based on virtual authentication code. As a device-to-device authentication method based on a virtual authentication code performed by a client device,
Generating a first code that is a source code for generating a virtual authentication code based on the identification information of the client device; and
Sending the first code to a verification device through a first device to request authorization of the client device for the first device; Including,
Authentication method between devices based on virtual authentication code. According to claim 12,
The first code includes a plurality of detailed codes,
The plurality of detailed codes are changed and generated for each unit count by the client device,
The unit count is set at a specific time interval and is changed as the time interval elapses.
Authentication method between devices based on virtual authentication code. According to claim 13,
The detailed codes include a plurality of first detailed codes and second detailed codes having a correlation with each other;
The first detailed code determines a search start point for authentication information of the client device in the verification device;
The second detailed code determines a search path for the authentication information from the search start point,
Authentication method between devices based on virtual authentication code. A program for providing financial transactions based on a virtual corporate card stored in a medium in order to execute the method of any one of claims 1 to 14 in combination with a computer, which is hardware.

Images