WO2003036488A1 - Method and system of multistage user certification using active user-certifiable card - Google Patents

Method and system of multistage user certification using active user-certifiable card Download PDF

Info

Publication number
WO2003036488A1
WO2003036488A1 PCT/KR2002/001960 KR0201960W WO03036488A1 WO 2003036488 A1 WO2003036488 A1 WO 2003036488A1 KR 0201960 W KR0201960 W KR 0201960W WO 03036488 A1 WO03036488 A1 WO 03036488A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
card
certifiable
authentication
random number
Prior art date
Application number
PCT/KR2002/001960
Other languages
French (fr)
Inventor
Wel-Young Kim
Hoon-Jae Lee
Original Assignee
N-Line Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by N-Line Co., Ltd. filed Critical N-Line Co., Ltd.
Publication of WO2003036488A1 publication Critical patent/WO2003036488A1/en

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor

Definitions

  • the present invention relates to a method and a system of multistage user certification using a USB (Universal Serial Bus) module type active user-certifiable card.
  • USB Universal Serial Bus
  • the invention relates to an active user-certifiable card, which includes a USB module type ASIC chip storing an encoding algorithm in a card that a user can carry conveniently to connect it with a PC-based USB port to prevent illegal users from illegally copying and modifying data and from hacking systems in the event of electronic commerce or on-line data transmission and payment, and a user authentication method using the card.
  • a USB module type ASIC chip storing an encoding algorithm in a card that a user can carry conveniently to connect it with a PC-based USB port to prevent illegal users from illegally copying and modifying data and from hacking systems in the event of electronic commerce or on-line data transmission and payment, and a user authentication method using the card.
  • Encoding systems include a symmetrical encoding system in which keys used for encoding accord with keys used for decoding, an asymmetrical encoding system (open key encoding system) in when the keys used for encoding are different from the keys used for decoding, and RSA (Rivest-Shamir-Adleman) open key encoding system that is an asymmetrical encoding system whose security is based on the fact that it is difficult to resolute a positive integer of lots of figures into factors.
  • a conventional user log-in method of a computer system is a technique of inputting an ID and a password of a user to confirm user authentication. This is being widely used for user authentication in local computers and on-line systems because of convenience. However, this method easily exposes user information to other people. Especially, the user information is exposed to the outside while the user does not recognize it.
  • a user is authenticated through a biological recognition technique of extracting a user's unique characteristic points using a fingerprint, a specimen of handwriting, the shape of a hand and the retina.
  • a system for carrying out the biological recognition technique is expensive to install and manage.
  • the technique may bring about rejection and discomfort of a user because it uses a part of the user's body.
  • a key-lock system can be used in order to prevent a user who has no authority to use a computer system from accessing it at a low cost.
  • the key-lock system can be realized in software or hardware.
  • the key-lock system realized in software communicates with a key lock through a predetermined method to judge if there is a key lock or not or detect error.
  • this system has a problem that a serial number or ID of the key lock is easily exposed to be illegally copied and changed.
  • the software key lock system is being replaced with the hardware key lock system having excellent communication security.
  • the hardware key lock is generally divided into EEPROM (Electrically Erasable and Programmable ROM) type and an ASIC (Application Specific Integrated Circuit) type.
  • EEPROM Electrically Erasable and Programmable ROM
  • ASIC Application Specific Integrated Circuit
  • the EEPROM type key lock system records a unique value in the key lock using a ROM writer so that the value is easily copied and changed. Thus, an unrelated person can give a serial number or ID to the key lock.
  • the ASIC type key lock system cannot duplicate or modify the value once the value is recorded when the system is manufactured so that key locks respectively have different serial numbers. Since the key locks having the same serial number can be manufactured by a corresponding ASIC chip manufacturer, copy and modification of recorded values are impossible in the ASIC type key lock system. Accordingly, a user authentication system employing the ASIC type key lock is required.
  • An object of the present invention is to provide a multistage user certification method and system, constructed in a manner that an ASIC chip is included in a card that a user can carry conveniently, the ASIC chip having a predetermined encoding algorithm that calculates a predetermined function value from a random number provided by a main certification unit to carry out real-time authentication at a specific time interval, to prevent unauthorized persons from illegally accessing a computer system, thereby protecting the computer system from illegal data copy and danger of damage.
  • Another object of the present invention is to provide a multistage user certification method and system, constructed in a manner that an ASIC chip serving as a key lock of a computer system is included in a card that a user can carry conveniently and used for user certification procedures.
  • a USB connection terminal is formed at one of the corners of the card such that the card can be connected with a USB port, and the card is internally provided with power by a power supply formed therein or externally provided with power.
  • data transmission is actively carried out to enable real-time user certification, thereby improving user's convenience.
  • a method of multistage user certification using an active user-certifiable card of USB module type comprising a first step in which, when a user-certifiable card that is a key lock system is connected with a USB port formed at a client part, a client interface is executed to perform the first authentication of judging if a user is legally authorized to use the user- certifiable card, the first authentication being carried out in the user-certifiable card; a second step in which the user-certifiable card transmits its unique serial number to the client part when the first authentication is accomplished in the first step, and the client part sends the serial number, user's ID and password transmitted from the user- certifiable card to a main certification unit such that the main certification unit perform the second authentication of judging if the serial number is the one that has been registered at a card identification part; a third step in which the main certification unit generates a pseudo random number and transmits it to the user-certif
  • the user-certifiable card according to the present invention is composed of the USB connection terminal connected with the USB port of the client part, and the realtime code generator communicated with the main certification unit to perform the user authentication procedure.
  • the real-time code generator consists of a controller that has a CPU controlling corresponding modules to allow the user-certifiable card to communicate with the main certification unit to perform multistage authentication procedures for the user, a USB interface interfacing predetermined data transmitted/received through the USB connection terminal, authentication request and response signals, a code calculating part calculating a predetermined function value password corresponding to a random number into an encoded form, and a code memory storing the serial number, the function value f(x) corresponding to the random number, related data required for user authentication and a predetermined related program; a memory that stores user key values used for calculating the function value f(x) for user authentication and authentication notes of a predetermined authentication system with the user key values and authentication notes being allocated by regions; and a power supply being provided with power supplied from
  • FIG. 1 is an exploded perspective view of a user-certifiable card applied to the present invention
  • FIG. 2 is a block diagram of the user-certifiable card applied to the present invention.
  • FIG. 3 is a circuit diagram of the user-certifiable card applied to the present invention.
  • FIG. 4 is a block diagram of an example of a certification system using the user- certifiable card applied to the present invention
  • FIG. 5 is a flow diagram showing an example of a user certification procedure using the user-certifiable card applied to the present invention
  • FIG. 6 shows the configuration of an encoding algorithm applied to the present invention
  • FIG. 7 shows the configuration of the first pseudo random number generator applied to the present invention
  • FIG. 8 shows the detailed configuration of LFSR used for the first pseudo random number applied to the present invention
  • FIG. 9 shows the configuration of the second pseudo random number generator applied to the present invention.
  • FIG. 10 shows the detailed configuration of LFSR used for the second pseudo random number applied to the present invention.
  • the present invention provides a user-certifiable card 10 including a real-time code generator 12 configured of an ASIC chip, which encodes an arbitrary random number provided by a main certification unit 30 into a predetermined function value and actively transmits the encoded function value to the main certification unit 30.
  • the user- certifiable card 10 has a USB connection terminal 11 to connect with a USB port 21 formed at a client part 20 to pass an authentication procedure such that a user having the card can use a corresponding system.
  • the present invention processes only data transmitted through a path authenticated by the main certification unit 30 to fundamentally prevent unauthorized persons from illegally accessing the system, thereby keeping the system and data from being damaged and protecting legal users from suffering damages
  • the user-certifiable card 10 has a power supply unit 19 formed therein such that power is internally or externally supplied to the card.
  • the card actively transmits/receives encoded password data to/from the main certification unit 30 to pass user authentication procedures without having a separated external operation.
  • the card allows the user to use a computer or on-line transmit predetermined data to a web server and carry out settlement.
  • the user passes through multistage certification procedures that combine a function value password calculated by a predetermined algorithm with a predetermined key value so that an unauthorized person cannot conjecture the password of the user.
  • a random number provided by the main certification unit 30 is randomly generated without complying with a standardized rule. Because the random number does not comply with the standardized rule, the password encoded into a predetermined function value is changed whenever authentication is carried out at a specific time interval. Accordingly, even if the password is exposed to an unauthorized person, communication security is guaranteed because the password is changed into a new one once it is used.
  • a unique serial number is given to the real-time code generator 12 configured in the ASIC chip included in the user-certifiable card 10.
  • the user connects the card 10 with the USB port 21 of the client part 20 in order to be authorized to use a system, the user passes the primary authentication procedure for allowing him to use the user-certifiable card, that is, the user inputs his ID and password.
  • the user-certifiable card actively communicates with the main certification unit 30 to allow the user to pass the multistage certification procedures to be authorized to access the system. In this manner, the user passes through the user certification procedure to be authorized to use a system requiring security.
  • FIG. 1 is an exploded perspective view of the user-certifiable card 10 applied to the present invention
  • FIG. 2 is a block diagram of the user-certifiable card 10 applied to the present invention
  • FIG. 3 is a circuit diagram of the user-certifiable card 10 applied to the present invention
  • FIG. 4 is a block diagram of an example of the certification system using the user-certifiable card 10 applied to the present invention
  • FIG. 5 is a flow diagram showing an example of the user certification procedure using the user-certifiable card 10 applied to the present invention
  • FIG. 6 shows the configuration of an encoding algorithm applied to the present invention
  • FIG. 7 shows the configuration of the first pseudo random number generator applied to the present invention
  • FIG. 1 is an exploded perspective view of the user-certifiable card 10 applied to the present invention
  • FIG. 2 is a block diagram of the user-certifiable card 10 applied to the present invention
  • FIG. 3 is a circuit diagram of the user-certifi
  • FIG. 8 shows the detailed configuration of LFSR used for the first pseudo random number applied to the present invention
  • FIG. 9 shows the configuration of the second pseudo random number generator applied to the present invention
  • FIG. 10 shows the detailed configuration of LFSR used for the second pseudo random number applied to the present invention.
  • FIG. 1 is an exploded perspective view of the user-certifiable card 10 applied to the present invention
  • FIG. 2 is a block diagram of the user-certifiable card 10 applied to the present invention
  • FIG. 3 is a circuit diagram of the user-certifiable card 10 applied to the present invention.
  • the user-certifiable card 10 includes the real-time code generator 12 in the form of a PCB (Printed circuit board), which communicates with the main certification unit 30 to authenticate a user.
  • the realtime code generator 12 receives power through the power supply unit 19 to actively perform encoding operation to allow the user-certifiable card to pass the user certification procedure.
  • the USB connection terminal 11 is formed at the card 10 such that the card is connected with the USB port 21 formed at the client part 20.
  • the real-time code generator 12 is constructed in an ASIC chip carrying out an encoding operation for user certification and included in the user-certifiable card 10, being designed in the form of a PCB to allow its user to carry it conveniently.
  • the USB connection terminal 11 to be connected with the USB port 21 formed at the client part 20 requiring security is formed in the PCB.
  • the real-time code generator 12 is formed in the ASIC chip so that it can actively communicate with the main certification unit 30.
  • the outer cover of the real-time code generator formed in the PCB is made of hard plastics in order to protect the code generator from external shocks and combined with the user- certifiable card 10 through a predetermined binding medium.
  • One of the corners of the outer cover of the user-certifiable card 10 is cut off in order to externally project the USB connection terminal 11 and smoothly connect it with the USB port 21.
  • the user's photograph is attached onto the card so that the user can use it as his identification card.
  • a magnetic bar is attached to the card to allow various card readers conventionally used to confirm specific information of the user.
  • the real-time code generator 12 is a module that actively communicates with the main certification unit 30 to give permission to the user to access a system requiring security. It consists of a controller 13, a memory 18 and the power supply unit 19. The controller 13 controls corresponding modules to receive the random number, provided by the main certification unit 30 for user certification, to perform the encoding operation and transmit encoded data to the main certification unit 30 so as to carry out the user authentication procedure.
  • the controller 13 consists of a CPU 14, a USB interface 15, a code calculation part 16 and a code memory 17.
  • the CPU 14 controls the user-certifiable card to communicate with the main certification unit 30 to perform the multistage certification operations with respect to the user.
  • the USB interface 15 transmits data received from the outside through the USB connection terminal 11 and a user certification response signal to the CPU 14, and sends encoded function value password data and a user certification request signal to the outside through the USB connection terminal 11.
  • the code calculation part 16 converts the random number, transmitted from the main certification unit 30 for user certification, into an encoded function value password calculated through a predetermined expression and transmits it to the main certification unit 30 through the USB connection terminal 11.
  • the code memory 17 stores the unique serial number given to the user-certifiable card 10 using an EEPROM, and stores a value f(x) obtained by combining a function value g(x) calculated from the random value transmitted from the main certification unit 30 through the predetermined expression with a user key value stored in the memory 18.
  • the code memory also stores related data and a predetermined program required for user authentication.
  • the memory 18 is configured of at least one DRAM having capacity required for calculating the function value f(x).
  • An arbitrary area in the memory 18 is allocated for storing user key values kl, k2, k3,
  • the memory 18 stores notes of authentication of a predetermined authentication system to issue a trustworthy authentication note for settlement in the event of on-line electronic commerce.
  • the power supply unit 19 receives power externally provided through the USB connection terminal 11 and transforms the power into a predetermined form the user- certifiable card 10 requires to supply it to the card.
  • the USB connection terminal 11 is connected with the PCB, specifically, connected with the USB interface 15 to receive predetermined data and the user certification response signal, transmitted from the outside, and send them to the real-time code generator 12. In addition, the USB connection terminal 11 transmits predetermined data and the user certification request signal sent from the real-time code generator 12 to the outside.
  • the USB connection terminal 11 is protruded from one of the corners of the user-certifiable card 10. This structure allows the user to conveniently carry the card.
  • FIG. 4 is a block diagram of an example of the certification system using the user-certifiable card 10 applied to the present invention.
  • the user-certifiable card 10 and the client part 20 are connected to each other through a USB connection mode to authorize the client part 20 to online-communicate with a server system requiring security to transmit/receive predetermined data and perform settlement.
  • the main certification unit 30 of the server system is connected with the client part 20 through the Internet to communicate with the user-certifiable card 10.
  • the user-certifiable card 10 is connected with the USB port 21 formed at the client part 20 through the USB connection terminal 11 formed at the card, being protruded from one of the corners of the card.
  • the client part 20 includes a client interface 22 serving as an application program that allows the USB port 21 connected with the user-certifiable card 10 to communicate with the user-certifiable card 10 and the main certification unit 30, and a communication part 23 for transmitting/receiving data.
  • the USB port 21 is connected with the USB connection terminal 11 of the user- certifiable card 10 to transmit/receive encoded data required for user certification and provide power to the user-certifiable card such that the user-certifiable card 10 and the main certification unit 30 can actively communicate with each other.
  • the client interface 22 which is an application program allowing the client part 20 to recognize the user- certifiable card 10, confirms that a user is authorized to use the user-certifiable card 10. Furthermore, the client interface 22 forms a session together with the main certification unit 30 through the internet such that the user-certifiable card 10 and the main certification unit 30 are connected to each other to communicate with each other.
  • the communication part 23 receives data sent from the user-certifiable card 10 and the main certification unit 30 and transmits it to a corresponding module.
  • the main certification unit 30 includes a connection part 31, a card identification part 32, a random number generator 33 and a code matching part 34 and it receives encoded data transmitted from the user-certifiable card 10 to authorize the client part 20 to use the card.
  • the connection part 31 transmits/receives predetermined data needed for user authentication to/from the user-certifiable card 10.
  • the card identification part 32 checks the unique serial number given to the real-time code generator 12, transmitted from the user-certifiable card 10, to confirms if the user of the client part 20 is an authorized person who can use the card 10. By doing so, the card identification part 32 prevents an unauthorized person from making a fraudulent use of the user-certifiable card and allows the user to pass the authentication procedure carried out by the main certification unit 30.
  • the random number generator 33 generates a pseudo random number when the user is authenticated through the card identification part 32 and transmits the pseudo random number to the user-certifiable card 10.
  • the code matching part 34 compares an encoded function value obtained by encoding the random number through an encoding operation according to a predetermined encoding algorithm in the user-certifiable card 10 with an encoded function value calculated by itself through the encoding operation according to the same encoding algorithm to confirm if the two function values match with each other, and then authorizes the client part 20 to access the server system.
  • the user-certifiable card 10 according to the present invention can be used for general computers used in offices and a place where access of outsiders is prevented as well as for on-line electronic commerce.
  • a computer used by a general user, employs an operating system in the window environment that is convenient to use.
  • the security of the operating system is vulnerable so that in case where there is data the user wants to store in secret the data can be easily copied and modified illegally by another person.
  • the user-certifiable card of the invention can be used for allowing only an authorized user to use a corresponding computer.
  • FIG. 5 is a flow diagram showing an example of the user certification procedure using the user-certifiable card 10 applied to the present invention.
  • a user wants to connect the user-certifiable card 10 that is a key lock system with the USB port 21 formed at the client part 20 to be authorized by a corresponding server system, there is needed an application program that interfaces the client part 20 with the user-certifiable card 10 so that the client part can recognize the card to form a cession with the server system.
  • the application program that is the client interface 22 is downloaded from the server system and registered at a registry of the computer system of the client part 20 such that the operating system of the computer system can recognize the application program.
  • the user-certifiable card 10 is connected with the USB port 21 to be externally provided with power to perform the user authentication procedure.
  • the client part 20 executes the client interface 22 to provide a log-in window used for confirming if the user is a legal user who can use the user-certifiable card 10, to allow the user to input his ID and password into the log-in window (SI 00).
  • the user-certifiable card carries out the first authentication procedure (SI 05). When the ID and password are not correct, the connection is finished. If the user wants to reconnect, the client part executes the client interface 22 again.
  • the ID and password are correct, the unique serial number given to the user- certifiable card 10 is transmitted to the client part 20 through the USB connection terminal 11 (SI 10).
  • the client part 20 sends the serial number transmitted from the user- certifiable card 10 and the user's ID and password to the main certification unit 30 through the communication part (SI 15).
  • the main certification unit 30 receives the data sent from the client part 20 through the connection part 31 , and then performs the second authentication procedure that confirms if the received serial number is the number registered at the card identification part 32 (SI 20).
  • the card identification part 32 transmits a user authentication signal (SI 25).
  • the random number generator 33 When an authentication confirmation signal with respect to the user authentication signal is transmitted from the client part 20 (SI 30), the random number generator 33 generates a random number to transmit it to the client part 20 through the Internet (SI 35).
  • the client part 20 receives the random number data through the communication part 23 and then sends it to the user-certifiable card 10 through the USB port 21 (S140).
  • the real-time code generator 12 of the user-certifiable card 10 processes the random number according to a predetermined algorithm to generate the function value f(x) (SI 45) and converts it into an encoded function value according to a predetermined encoding algorithm.
  • the encoded function value data is transmitted to the client part 20 (SI 50) to be sent to the main certification unit 30 (SI 55).
  • the main certification unit 30 receives the encoded function value and confirms matching of the function value through the code matching part 34 to carry out the third user authentication procedure (SI 60). Specifically, the main certification unit calculates an encoded function value corresponding to the random number transmitted to the user- certifiable card through the same encoding algorithm as the encoding algorithm included in the user-certifiable card 10 and judges if the calculated value is identical to the encoded function value sent from the user-certifiable card.
  • the code matching part 34 disconnects the connection when the encoded function value calculated by itself is not identical to the encoded function value transmitted from the user-certifiable card 10.
  • the code matching part sends a user authentication response signal to the client part 20 when the two function values are identical to each other (SI 65).
  • the client part 20 transmits the user authentication response signal to the user-certifiable card 10 (SI 70).
  • the user-certifiable card confirms that user authentication has been accomplished (SI 75) and sends a response signal indicating that it received the user authentication response signal to the client part (SI 80).
  • the client part 20 transmits it to the main certification unit (SI 85).
  • the main certification unit 30 authorizes the client part 20 to access the server system so that the client part can transmit/receive predetermined data to/from the server system and be provided with web services such as payment (SI 90).
  • the main certification unit 30 In case of the multistage user authentication procedures described above, the main certification unit 30 generates an arbitrary random number at a specific time interval about three seconds and sends it to the user-certifiable card 10 to allow user authentication to be continuously carried out at a specific time interval. This fundamentally blocks on-line invasion of hackers and prevents illegal users from making a fraudulent use of the card to result in safety on-line electronic commerce.
  • a key lock authentication algorithm used for user authentication of the present invention outputs a predetermined encoded function value using a stream code system key progression generator.
  • FIG. 6 shows the configuration of the encoding algorithm. An input is set to INPUT and an output is set to OUTPUT. The size of INPUT is 64-bit and, in case of an input shorter than 64-bit, its size is adjusted to 64-bit through data padding.
  • bit-by-bit exclusive-OR operation is performed for the input to adjust the input size to 64-bit.
  • Parameters used as the input includes the serial number of the user-certifiable card, user's ID, password, random number or continuous arrangement/combination of them, and code output becomes 64- bit OUTPUT.
  • the progression generator proposed by the present invention is composed of two pseudo random number generators as shown in FIG. 6.
  • An external input (Input) becomes the initial value to initialize the first pseudo random number generator.
  • the first pseudo random number generator generates a random output progression to select a specific value from a random table to initialize the second pseudo random number generator.
  • the second pseudo random number generator initialized through the two- stage procedure generates an output random progression.
  • the first pseudo random number generator generates the random progression for the second pseudo random number generator.
  • the internal structure of the first pseudo random number generator includes an LM-BSG summation progression generator having a 2-bit memory, as shown in FIG. 7.
  • LFSP and LFSR 5 are initialized with the input 64-bit initial value, and past carry ( c y _, )
  • LFSR 5 are respectively moved by one bit to the right, as shown in FIG. 7. All bits of 31- stage and 32-stage registers are moved. The bit of the right end is XORed with a specific one or three bits to be fed back to the left end.
  • Each register moved by one bit to the right, generates one-bit output at the right end, and the first pseudo random number generator of LM-BSG type generates a one-bit
  • y means the output of the summation progression generator at the
  • the second pseudo random number generator generates output random progression of key lock and detailed configuration thereof is shown in FIGS.9 and 10.
  • the second pseudo random number generator initializes LFSRi, LFSR 2 and LFSR 3 using the initial value obtained from the output of the first pseudo random
  • LFSRi LFSR 2 and LFSR 3 by one bit to the right, as shown in FIG. 10.
  • all bits of 84-, 85- and 87-stage registers are moved.
  • the bit at the right end is XOR with a specific one or three bits to be fed back to the left end.
  • Each register moved to the right by one bit generates a one-bit output at the right end, and the second pseudo random number generator calculates the real sum from five
  • the progression generator proposed by the present invention is composed of two pseudo random number generators.
  • the first pseudo random number generator generates the random number value for user authentication provided by the main certification unit to the user-certifiable card
  • the second pseudo random number generator calculates the function value f(x) corresponding to the random number and encodes it according to a predetermined encoding algorithm.
  • the main certification unit 30 includes the first and second pseudo random number generators to generate a pseudo random number through the first pseudo random number generator and calculate the function value f(x) corresponding to the pseudo random number through the second pseudo random number generator when the card identification part 32 authenticates the card.
  • the main certification unit 30 allows the user-certifiable card 10 to calculate the function value f(x) corresponding to the random number value provided by the main certification unit 30 through the second pseudo random number generator.
  • the present invention realizes the active multi-stage certification procedures through communication with the main certification unit 30 using the user-certifiable card 10 that is a hardware key lock system. Accordingly, illegal users are prevented from accessing on-line systems requiring security so that data of the systems are safely protected.
  • the present invention provides a hardware key lock system constructed in a PCB in a card to allow its user to conveniently carry it.
  • the present invention confirms if the user is a legal user through multi-stage authentication procedures performed by the main certification unit to authorize the user to access a corresponding system.
  • multi-stage authentication procedures performed by the main certification unit to authorize the user to access a corresponding system.
  • continuous authentication procedures are actively performed.
  • a different encoded password is used for each authentication procedure to fundamentally prevent illegal users from hacking the system and from making fraudulent use of the card. Accordingly, illegal data copy and system damage are prevented to safely protect information from the illegal users.
  • the present invention can be used for transmission and reception of data with respect to personal information of a user and payment in case of on-line electronic commerce as well as data of the users' own computer system.
  • the present invention can be applied to various fields including an open key based system, wireless security solution, encoding toolkit, security application and hardware security device to improve efficiency of products.

Abstract

A key lock device is constructed in a card that its user conveniently carries to authorize the user to use a system requiring security through multistage user authentication procedures. An active user-certifiable card includes a USB module type ASIC chip having an encoding algorithm and the card is connected with a USB port based on a PC. The active user-certifiable card and a user authentication method using the card prevent illegal users from illegally copying and correcting data and from hacking systems in the event of electronic commerce and on-line data transmission and payment.

Description

METHOD AND SYSTEM OF MULTISTAGE USER CERTIFICATION USING ACTIVE USER-CERTIFIABLE CARD'
Technical Field
The present invention relates to a method and a system of multistage user certification using a USB (Universal Serial Bus) module type active user-certifiable card.
More specifically, the invention relates to an active user-certifiable card, which includes a USB module type ASIC chip storing an encoding algorithm in a card that a user can carry conveniently to connect it with a PC-based USB port to prevent illegal users from illegally copying and modifying data and from hacking systems in the event of electronic commerce or on-line data transmission and payment, and a user authentication method using the card.
Background Art
With the recent rapid development of information communication and Internet, a plurality of computers of an office or a company are connected in a LAN (Local Area Network) environment and lots of computers of a local area, a country and the whole world are connected in a WAN (Wide Area Network) environment. Accordingly, users having no authority to use the computers can easily access them using hacker programs that are not expensive and automated so that most of IT (Information Technology) systems are exposed to attacks according to hackers and virus programs, resulting in tremendous loss. As foreseen in "The third wave" by Elvin Toffler, the whole world is composed of a single community so much that the present time is called information era owing to Internet revolution. Accordingly, information and reverse function of information become more important so that information protection for prevention of information leakage and authentication is seriously required. Even the government is constructing super-highway information communication networks that are national basic computer networks after completion of the construction of the five key computer networks including an administration network, a financial network, an education and research network, a national defense network, a public security network and Mugunghwa satellite communication network. Thus, the government is taking a serious view of the communication security. In addition, protection of important information transmitted through Internet or computer communication is becoming a serious program even among companies and private people. Accordingly, studies on actual encoding algorithms for information protection and user certification techniques using the algorithms are being actively carried out.
These encoding techniques are based on the paper of C. E. Shannon, entitled "Communication theory of secrecy system" Bell syst. Tech. J., vol. 28, pp.656-715, Oct, 1949. The encoding techniques include block encoding, stream encoding and so on. Encoding systems include a symmetrical encoding system in which keys used for encoding accord with keys used for decoding, an asymmetrical encoding system (open key encoding system) in when the keys used for encoding are different from the keys used for decoding, and RSA (Rivest-Shamir-Adleman) open key encoding system that is an asymmetrical encoding system whose security is based on the fact that it is difficult to resolute a positive integer of lots of figures into factors.
A conventional user log-in method of a computer system, frequently being used, is a technique of inputting an ID and a password of a user to confirm user authentication. This is being widely used for user authentication in local computers and on-line systems because of convenience. However, this method easily exposes user information to other people. Especially, the user information is exposed to the outside while the user does not recognize it.
To solve security problems caused by user authentication in a computer system, a user exit and entry control system and an electronic commerce system, a user is authenticated through a biological recognition technique of extracting a user's unique characteristic points using a fingerprint, a specimen of handwriting, the shape of a hand and the retina. However, a system for carrying out the biological recognition technique is expensive to install and manage. Furthermore, the technique may bring about rejection and discomfort of a user because it uses a part of the user's body.
Moreover, a key-lock system can be used in order to prevent a user who has no authority to use a computer system from accessing it at a low cost. The key-lock system can be realized in software or hardware. The key-lock system realized in software communicates with a key lock through a predetermined method to judge if there is a key lock or not or detect error. However, this system has a problem that a serial number or ID of the key lock is easily exposed to be illegally copied and changed. Thus, the software key lock system is being replaced with the hardware key lock system having excellent communication security.
The hardware key lock is generally divided into EEPROM (Electrically Erasable and Programmable ROM) type and an ASIC (Application Specific Integrated Circuit) type. The EEPROM type key lock system records a unique value in the key lock using a ROM writer so that the value is easily copied and changed. Thus, an unrelated person can give a serial number or ID to the key lock. Meantime, the ASIC type key lock system cannot duplicate or modify the value once the value is recorded when the system is manufactured so that key locks respectively have different serial numbers. Since the key locks having the same serial number can be manufactured by a corresponding ASIC chip manufacturer, copy and modification of recorded values are impossible in the ASIC type key lock system. Accordingly, a user authentication system employing the ASIC type key lock is required.
Disclosure of Invention
An object of the present invention is to provide a multistage user certification method and system, constructed in a manner that an ASIC chip is included in a card that a user can carry conveniently, the ASIC chip having a predetermined encoding algorithm that calculates a predetermined function value from a random number provided by a main certification unit to carry out real-time authentication at a specific time interval, to prevent unauthorized persons from illegally accessing a computer system, thereby protecting the computer system from illegal data copy and danger of damage. Another object of the present invention is to provide a multistage user certification method and system, constructed in a manner that an ASIC chip serving as a key lock of a computer system is included in a card that a user can carry conveniently and used for user certification procedures. A USB connection terminal is formed at one of the corners of the card such that the card can be connected with a USB port, and the card is internally provided with power by a power supply formed therein or externally provided with power. When the card is connected with the USB port, data transmission is actively carried out to enable real-time user certification, thereby improving user's convenience.
To accomplish the objects of the present invention, there is provided a method of multistage user certification using an active user-certifiable card of USB module type, comprising a first step in which, when a user-certifiable card that is a key lock system is connected with a USB port formed at a client part, a client interface is executed to perform the first authentication of judging if a user is legally authorized to use the user- certifiable card, the first authentication being carried out in the user-certifiable card; a second step in which the user-certifiable card transmits its unique serial number to the client part when the first authentication is accomplished in the first step, and the client part sends the serial number, user's ID and password transmitted from the user- certifiable card to a main certification unit such that the main certification unit perform the second authentication of judging if the serial number is the one that has been registered at a card identification part; a third step in which the main certification unit generates a pseudo random number and transmits it to the user-certifiable card through the client part when the second authentication is made in the second step; a fourth step in which the user-certifiable card receives the random number to calculate a predetermined function value corresponding to the random number through a real-time code generator, converts the function value into an encoded function value, and transmits the encoded function value and an authentication request signal to the main certification unit through the client part; a fifth step in which the main certification unit performs an authentication procedure that judges if the encoded function value received from the user-certifiable card is identical to an encoded function value corresponding to a random number generated by the main certification unit; a sixth step in which the main certification unit transmits an authentication response signal to the user-certifiable card through the client part when the authentication is made in the fifth step and authorizes the user to access a corresponding system; and a seventh step in which the main certification unit continuously transmits a pseudo random number to the user-certifiable card to repeat the third to sixth steps at a specific time interval, thereby accomplishing multistage user authentication. The user-certifiable card according to the present invention is composed of the USB connection terminal connected with the USB port of the client part, and the realtime code generator communicated with the main certification unit to perform the user authentication procedure. The real-time code generator consists of a controller that has a CPU controlling corresponding modules to allow the user-certifiable card to communicate with the main certification unit to perform multistage authentication procedures for the user, a USB interface interfacing predetermined data transmitted/received through the USB connection terminal, authentication request and response signals, a code calculating part calculating a predetermined function value password corresponding to a random number into an encoded form, and a code memory storing the serial number, the function value f(x) corresponding to the random number, related data required for user authentication and a predetermined related program; a memory that stores user key values used for calculating the function value f(x) for user authentication and authentication notes of a predetermined authentication system with the user key values and authentication notes being allocated by regions; and a power supply being provided with power supplied from the outside through the USB connection terminal and transforming it into a predetermined form the user-certifiable card requires to provide it to the card.
Brief Description of the Drawings
Further objects and advantages of the invention can be more fully understood
from the following detailed description taken in conjunction with the accompanying
drawings, in which:
FIG. 1 is an exploded perspective view of a user-certifiable card applied to the present invention;
FIG. 2 is a block diagram of the user-certifiable card applied to the present invention;
FIG. 3 is a circuit diagram of the user-certifiable card applied to the present invention;
FIG. 4 is a block diagram of an example of a certification system using the user- certifiable card applied to the present invention;
FIG. 5 is a flow diagram showing an example of a user certification procedure using the user-certifiable card applied to the present invention; FIG. 6 shows the configuration of an encoding algorithm applied to the present invention;
FIG. 7 shows the configuration of the first pseudo random number generator applied to the present invention;
FIG. 8 shows the detailed configuration of LFSR used for the first pseudo random number applied to the present invention;
FIG. 9 shows the configuration of the second pseudo random number generator applied to the present invention; and
FIG. 10 shows the detailed configuration of LFSR used for the second pseudo random number applied to the present invention.
Best mode for Carrying Out the Invention
The present invention provides a user-certifiable card 10 including a real-time code generator 12 configured of an ASIC chip, which encodes an arbitrary random number provided by a main certification unit 30 into a predetermined function value and actively transmits the encoded function value to the main certification unit 30. The user- certifiable card 10 has a USB connection terminal 11 to connect with a USB port 21 formed at a client part 20 to pass an authentication procedure such that a user having the card can use a corresponding system. In the event of on-line settlement and data transmission, the present invention processes only data transmitted through a path authenticated by the main certification unit 30 to fundamentally prevent unauthorized persons from illegally accessing the system, thereby keeping the system and data from being damaged and protecting legal users from suffering damages
The user-certifiable card 10 according to the present invention has a power supply unit 19 formed therein such that power is internally or externally supplied to the card. When the user just connects the user-certifiable card with the USB port 21, accordingly, the card actively transmits/receives encoded password data to/from the main certification unit 30 to pass user authentication procedures without having a separated external operation. When authentication is accomplished, the card allows the user to use a computer or on-line transmit predetermined data to a web server and carry out settlement.
When the user is authenticated using the user-certifiable card 10 of the invention, the user passes through multistage certification procedures that combine a function value password calculated by a predetermined algorithm with a predetermined key value so that an unauthorized person cannot conjecture the password of the user. A random number provided by the main certification unit 30 is randomly generated without complying with a standardized rule. Because the random number does not comply with the standardized rule, the password encoded into a predetermined function value is changed whenever authentication is carried out at a specific time interval. Accordingly, even if the password is exposed to an unauthorized person, communication security is guaranteed because the password is changed into a new one once it is used. In addition, a unique serial number is given to the real-time code generator 12 configured in the ASIC chip included in the user-certifiable card 10. When the user connects the card 10 with the USB port 21 of the client part 20 in order to be authorized to use a system, the user passes the primary authentication procedure for allowing him to use the user-certifiable card, that is, the user inputs his ID and password. When the user is confirmed to be an authorized person, the user-certifiable card actively communicates with the main certification unit 30 to allow the user to pass the multistage certification procedures to be authorized to access the system. In this manner, the user passes through the user certification procedure to be authorized to use a system requiring security. The method and system of multistage user certification using the active user- certifiable card of USB module type according to the present invention are explained below in detail with reference to the attached drawings.
FIG. 1 is an exploded perspective view of the user-certifiable card 10 applied to the present invention, FIG. 2 is a block diagram of the user-certifiable card 10 applied to the present invention, and FIG. 3 is a circuit diagram of the user-certifiable card 10 applied to the present invention. FIG. 4 is a block diagram of an example of the certification system using the user-certifiable card 10 applied to the present invention, FIG. 5 is a flow diagram showing an example of the user certification procedure using the user-certifiable card 10 applied to the present invention, and FIG. 6 shows the configuration of an encoding algorithm applied to the present invention. FIG. 7 shows the configuration of the first pseudo random number generator applied to the present invention, FIG. 8 shows the detailed configuration of LFSR used for the first pseudo random number applied to the present invention, FIG. 9 shows the configuration of the second pseudo random number generator applied to the present invention, and FIG. 10 shows the detailed configuration of LFSR used for the second pseudo random number applied to the present invention.
FIG. 1 is an exploded perspective view of the user-certifiable card 10 applied to the present invention, FIG. 2 is a block diagram of the user-certifiable card 10 applied to the present invention, and FIG. 3 is a circuit diagram of the user-certifiable card 10 applied to the present invention. Referring to FIGS. 1, 2 and 3, the user-certifiable card 10 includes the real-time code generator 12 in the form of a PCB (Printed circuit board), which communicates with the main certification unit 30 to authenticate a user. The realtime code generator 12 receives power through the power supply unit 19 to actively perform encoding operation to allow the user-certifiable card to pass the user certification procedure. The USB connection terminal 11 is formed at the card 10 such that the card is connected with the USB port 21 formed at the client part 20.
The real-time code generator 12 is constructed in an ASIC chip carrying out an encoding operation for user certification and included in the user-certifiable card 10, being designed in the form of a PCB to allow its user to carry it conveniently. The USB connection terminal 11 to be connected with the USB port 21 formed at the client part 20 requiring security is formed in the PCB. The real-time code generator 12 is formed in the ASIC chip so that it can actively communicate with the main certification unit 30. The outer cover of the real-time code generator formed in the PCB is made of hard plastics in order to protect the code generator from external shocks and combined with the user- certifiable card 10 through a predetermined binding medium.
One of the corners of the outer cover of the user-certifiable card 10 is cut off in order to externally project the USB connection terminal 11 and smoothly connect it with the USB port 21. In addition, to utilize the user-certifiable card 10 for various purposes, the user's photograph is attached onto the card so that the user can use it as his identification card. Furthermore, a magnetic bar is attached to the card to allow various card readers conventionally used to confirm specific information of the user.
The real-time code generator 12 is a module that actively communicates with the main certification unit 30 to give permission to the user to access a system requiring security. It consists of a controller 13, a memory 18 and the power supply unit 19. The controller 13 controls corresponding modules to receive the random number, provided by the main certification unit 30 for user certification, to perform the encoding operation and transmit encoded data to the main certification unit 30 so as to carry out the user authentication procedure. The controller 13 consists of a CPU 14, a USB interface 15, a code calculation part 16 and a code memory 17. The CPU 14 controls the user-certifiable card to communicate with the main certification unit 30 to perform the multistage certification operations with respect to the user. The USB interface 15 transmits data received from the outside through the USB connection terminal 11 and a user certification response signal to the CPU 14, and sends encoded function value password data and a user certification request signal to the outside through the USB connection terminal 11. The code calculation part 16 converts the random number, transmitted from the main certification unit 30 for user certification, into an encoded function value password calculated through a predetermined expression and transmits it to the main certification unit 30 through the USB connection terminal 11. The code memory 17 stores the unique serial number given to the user-certifiable card 10 using an EEPROM, and stores a value f(x) obtained by combining a function value g(x) calculated from the random value transmitted from the main certification unit 30 through the predetermined expression with a user key value stored in the memory 18. The code memory also stores related data and a predetermined program required for user authentication. The memory 18 is configured of at least one DRAM having capacity required for calculating the function value f(x). An arbitrary area in the memory 18 is allocated for storing user key values kl, k2, k3, In addition, the memory 18 stores notes of authentication of a predetermined authentication system to issue a trustworthy authentication note for settlement in the event of on-line electronic commerce. When the value f(x) for user authentication is calculated, a user key values and the value g(x) corresponding to the random number transmitted from the main certification unit 30, which are stored in the memory 18, are combined with each other according to a calculation application program stored in the EEPROM.
The power supply unit 19 receives power externally provided through the USB connection terminal 11 and transforms the power into a predetermined form the user- certifiable card 10 requires to supply it to the card.
The USB connection terminal 11 is connected with the PCB, specifically, connected with the USB interface 15 to receive predetermined data and the user certification response signal, transmitted from the outside, and send them to the real-time code generator 12. In addition, the USB connection terminal 11 transmits predetermined data and the user certification request signal sent from the real-time code generator 12 to the outside. To easily connect the USB connection terminal 11 with the USB port 21 formed at a system requiring security, the USB connection terminal 11 is protruded from one of the corners of the user-certifiable card 10. This structure allows the user to conveniently carry the card.
FIG. 4 is a block diagram of an example of the certification system using the user-certifiable card 10 applied to the present invention.
As shown in FIG. 4, the user-certifiable card 10 and the client part 20 are connected to each other through a USB connection mode to authorize the client part 20 to online-communicate with a server system requiring security to transmit/receive predetermined data and perform settlement. The main certification unit 30 of the server system is connected with the client part 20 through the Internet to communicate with the user-certifiable card 10.
The user-certifiable card 10 is connected with the USB port 21 formed at the client part 20 through the USB connection terminal 11 formed at the card, being protruded from one of the corners of the card. The client part 20 includes a client interface 22 serving as an application program that allows the USB port 21 connected with the user-certifiable card 10 to communicate with the user-certifiable card 10 and the main certification unit 30, and a communication part 23 for transmitting/receiving data. The USB port 21 is connected with the USB connection terminal 11 of the user- certifiable card 10 to transmit/receive encoded data required for user certification and provide power to the user-certifiable card such that the user-certifiable card 10 and the main certification unit 30 can actively communicate with each other. The client interface 22, which is an application program allowing the client part 20 to recognize the user- certifiable card 10, confirms that a user is authorized to use the user-certifiable card 10. Furthermore, the client interface 22 forms a session together with the main certification unit 30 through the internet such that the user-certifiable card 10 and the main certification unit 30 are connected to each other to communicate with each other. The communication part 23 receives data sent from the user-certifiable card 10 and the main certification unit 30 and transmits it to a corresponding module.
The main certification unit 30 includes a connection part 31, a card identification part 32, a random number generator 33 and a code matching part 34 and it receives encoded data transmitted from the user-certifiable card 10 to authorize the client part 20 to use the card. The connection part 31 transmits/receives predetermined data needed for user authentication to/from the user-certifiable card 10. The card identification part 32 checks the unique serial number given to the real-time code generator 12, transmitted from the user-certifiable card 10, to confirms if the user of the client part 20 is an authorized person who can use the card 10. By doing so, the card identification part 32 prevents an unauthorized person from making a fraudulent use of the user-certifiable card and allows the user to pass the authentication procedure carried out by the main certification unit 30.
The random number generator 33 generates a pseudo random number when the user is authenticated through the card identification part 32 and transmits the pseudo random number to the user-certifiable card 10. The code matching part 34 compares an encoded function value obtained by encoding the random number through an encoding operation according to a predetermined encoding algorithm in the user-certifiable card 10 with an encoded function value calculated by itself through the encoding operation according to the same encoding algorithm to confirm if the two function values match with each other, and then authorizes the client part 20 to access the server system. The user-certifiable card 10 according to the present invention can be used for general computers used in offices and a place where access of outsiders is prevented as well as for on-line electronic commerce. A computer, used by a general user, employs an operating system in the window environment that is convenient to use. The security of the operating system is vulnerable so that in case where there is data the user wants to store in secret the data can be easily copied and modified illegally by another person. In this case, the user-certifiable card of the invention can be used for allowing only an authorized user to use a corresponding computer.
FIG. 5 is a flow diagram showing an example of the user certification procedure using the user-certifiable card 10 applied to the present invention. When a user wants to connect the user-certifiable card 10 that is a key lock system with the USB port 21 formed at the client part 20 to be authorized by a corresponding server system, there is needed an application program that interfaces the client part 20 with the user-certifiable card 10 so that the client part can recognize the card to form a cession with the server system. The application program that is the client interface 22 is downloaded from the server system and registered at a registry of the computer system of the client part 20 such that the operating system of the computer system can recognize the application program. By doing so, the user-certifiable card 10 is connected with the USB port 21 to be externally provided with power to perform the user authentication procedure. When the user connects the user-certifiable card 10 with the USB port 21 formed at the client part 20, the client part 20 executes the client interface 22 to provide a log-in window used for confirming if the user is a legal user who can use the user-certifiable card 10, to allow the user to input his ID and password into the log-in window (SI 00). Then, the user-certifiable card carries out the first authentication procedure (SI 05). When the ID and password are not correct, the connection is finished. If the user wants to reconnect, the client part executes the client interface 22 again.
The ID and password are correct, the unique serial number given to the user- certifiable card 10 is transmitted to the client part 20 through the USB connection terminal 11 (SI 10). The client part 20 sends the serial number transmitted from the user- certifiable card 10 and the user's ID and password to the main certification unit 30 through the communication part (SI 15). The main certification unit 30 receives the data sent from the client part 20 through the connection part 31 , and then performs the second authentication procedure that confirms if the received serial number is the number registered at the card identification part 32 (SI 20). When the serial number is confirmed to be the registered one, the card identification part 32 transmits a user authentication signal (SI 25). When an authentication confirmation signal with respect to the user authentication signal is transmitted from the client part 20 (SI 30), the random number generator 33 generates a random number to transmit it to the client part 20 through the Internet (SI 35). The client part 20 receives the random number data through the communication part 23 and then sends it to the user-certifiable card 10 through the USB port 21 (S140). The real-time code generator 12 of the user-certifiable card 10 processes the random number according to a predetermined algorithm to generate the function value f(x) (SI 45) and converts it into an encoded function value according to a predetermined encoding algorithm. The encoded function value data is transmitted to the client part 20 (SI 50) to be sent to the main certification unit 30 (SI 55).
The main certification unit 30 receives the encoded function value and confirms matching of the function value through the code matching part 34 to carry out the third user authentication procedure (SI 60). Specifically, the main certification unit calculates an encoded function value corresponding to the random number transmitted to the user- certifiable card through the same encoding algorithm as the encoding algorithm included in the user-certifiable card 10 and judges if the calculated value is identical to the encoded function value sent from the user-certifiable card.
The code matching part 34 disconnects the connection when the encoded function value calculated by itself is not identical to the encoded function value transmitted from the user-certifiable card 10. The code matching part sends a user authentication response signal to the client part 20 when the two function values are identical to each other (SI 65). The client part 20 transmits the user authentication response signal to the user-certifiable card 10 (SI 70). Upon reception of the response signal, the user-certifiable card confirms that user authentication has been accomplished (SI 75) and sends a response signal indicating that it received the user authentication response signal to the client part (SI 80). The client part 20 transmits it to the main certification unit (SI 85). Then, the main certification unit 30 authorizes the client part 20 to access the server system so that the client part can transmit/receive predetermined data to/from the server system and be provided with web services such as payment (SI 90).
In case of the multistage user authentication procedures described above, the main certification unit 30 generates an arbitrary random number at a specific time interval about three seconds and sends it to the user-certifiable card 10 to allow user authentication to be continuously carried out at a specific time interval. This fundamentally blocks on-line invasion of hackers and prevents illegal users from making a fraudulent use of the card to result in safety on-line electronic commerce.
There is explained below an example of calculating a predetermined encoded function value from an arbitrary random number provided by the main certification unit 30 when the user authentication procedure is carried out through the user-certifiable card 20 according to the present invention as described above.
A key lock authentication algorithm used for user authentication of the present invention outputs a predetermined encoded function value using a stream code system key progression generator. FIG. 6 shows the configuration of the encoding algorithm. An input is set to INPUT and an output is set to OUTPUT. The size of INPUT is 64-bit and, in case of an input shorter than 64-bit, its size is adjusted to 64-bit through data padding.
When the input is larger than 64-bit, bit-by-bit exclusive-OR operation is performed for the input to adjust the input size to 64-bit. Parameters used as the input includes the serial number of the user-certifiable card, user's ID, password, random number or continuous arrangement/combination of them, and code output becomes 64- bit OUTPUT.
The progression generator proposed by the present invention is composed of two pseudo random number generators as shown in FIG. 6. An external input (Input) becomes the initial value to initialize the first pseudo random number generator. The first pseudo random number generator generates a random output progression to select a specific value from a random table to initialize the second pseudo random number generator. The second pseudo random number generator initialized through the two- stage procedure generates an output random progression.
The first pseudo random number generator generates the random progression for the second pseudo random number generator. The internal structure of the first pseudo random number generator includes an LM-BSG summation progression generator having a 2-bit memory, as shown in FIG. 7. The LM-BSG summation progression
generator performs exclusive-OR operation for progression ( a} b} ) acquired from two
linear feedback shift registers, past carry ( cy_, ) and past memory ( d , ), to attain a non-
linear function output, as shown in FIG. 8.
The detailed operation of the first pseudo random number generator is explained.
LFSP and LFSR5 are initialized with the input 64-bit initial value, and past carry ( cy_, )
and past memory ( y_,) are also initialized to zero (c^ -0, </ ,=0). Then, LFSR and
LFSR5 are respectively moved by one bit to the right, as shown in FIG. 7. All bits of 31- stage and 32-stage registers are moved. The bit of the right end is XORed with a specific one or three bits to be fed back to the left end.
Each register, moved by one bit to the right, generates one-bit output at the right end, and the first pseudo random number generator of LM-BSG type generates a one-bit
output progression Z} from 2-bit outputs ( a} , b} ) of the registers, a one-bit carry ( c}_x ) fed back and a memory one-bit ( d y_, ).
Zj =yJ®dJ_ =(aJ®bJ®cJ_x)®dJ_
Cj ={a] ®bJ)-cJ_, +a] -bJ
dJ =(aJ®bJ)-dJ_x+bJ
Here, y means the output of the summation progression generator at the
moment j, a} means the output progression of LFSR1, b indicates the output
progression of LFSR2, and cy represents carry progression of a full adder. In addition,
d indicates memory progression, d}_ = 0 (memory initial value), • means AND, +
indicates OR and θ represents XOR. The summation progression generator has very large correlation such that correlation probability between carry and output is 1/4. Thus, when "0" or "1" appears continuously in the output, it can be decoded. In the LM generator, however, a nonlinear function (memory bit) having correlation probability of 1/2 is additionally XORed with the output of the summation progression generator so that the memory as well as carry cannot be estimated from the output.
The second pseudo random number generator generates output random progression of key lock and detailed configuration thereof is shown in FIGS.9 and 10.
In FIG.9, the real sum of five inputs ( a; , bJ} cX _x , c2j_x , d})is calculated, and then
a 3-bit output (cj , c2j , Z} ) that represents the real sum as a binary number, as shown
in the following table 1. When the input progression is (1,1,1,0,1), for example, the real sum is (4)i0=(l,0,0)2 to generate outputs shown in the table 1.
The detailed operation of the second pseudo random number generator is explained now. The second pseudo random number generator initializes LFSRi, LFSR2 and LFSR3 using the initial value obtained from the output of the first pseudo random
number generator, and initializes c, and c2 y to zero. Then, it moves each of the
LFSRi, LFSR2 and LFSR3 by one bit to the right, as shown in FIG. 10. Here, all bits of 84-, 85- and 87-stage registers are moved. The bit at the right end is XOR with a specific one or three bits to be fed back to the left end.
Each register moved to the right by one bit generates a one-bit output at the right end, and the second pseudo random number generator calculates the real sum from five
inputs (θj , bj , cX j_ , c2 j_x , dj ) to generate a binary 3 -bit output (c ] , c2 , Zy ) as
shown in the table 1.
Figure imgf000023_0001
Figure imgf000024_0001
In case of the aforementioned algorithm executing the encoding operation, the progression generator proposed by the present invention is composed of two pseudo random number generators. The first pseudo random number generator generates the random number value for user authentication provided by the main certification unit to the user-certifiable card, and the second pseudo random number generator calculates the function value f(x) corresponding to the random number and encodes it according to a predetermined encoding algorithm.
The main certification unit 30 includes the first and second pseudo random number generators to generate a pseudo random number through the first pseudo random number generator and calculate the function value f(x) corresponding to the pseudo random number through the second pseudo random number generator when the card identification part 32 authenticates the card. The main certification unit 30 allows the user-certifiable card 10 to calculate the function value f(x) corresponding to the random number value provided by the main certification unit 30 through the second pseudo random number generator.
As described above, the present invention realizes the active multi-stage certification procedures through communication with the main certification unit 30 using the user-certifiable card 10 that is a hardware key lock system. Accordingly, illegal users are prevented from accessing on-line systems requiring security so that data of the systems are safely protected.
The description of the present invention is intended to be illustrative, and not to limit the scope of the claims. Many alternatives, modifications, and variations will be apparent to those skilled in the art.
Industrial applicability
The present invention provides a hardware key lock system constructed in a PCB in a card to allow its user to conveniently carry it. The present invention confirms if the user is a legal user through multi-stage authentication procedures performed by the main certification unit to authorize the user to access a corresponding system. When the user user-certifiable card is being connected with the USB port, continuous authentication procedures are actively performed. At this time, a different encoded password is used for each authentication procedure to fundamentally prevent illegal users from hacking the system and from making fraudulent use of the card. Accordingly, illegal data copy and system damage are prevented to safely protect information from the illegal users. Moreover, the present invention can be used for transmission and reception of data with respect to personal information of a user and payment in case of on-line electronic commerce as well as data of the users' own computer system. In addition, the present invention can be applied to various fields including an open key based system, wireless security solution, encoding toolkit, security application and hardware security device to improve efficiency of products.

Claims

What is claimed is:
1. A method of multistage user certification using an active user- certifiable card of USB module type, comprising: a first step in which, when a user-certifiable card that is a key lock system is connected with a USB port formed at a client part, a client interface is executed to perform the first authentication of judging if a user is legally authorized to use the user- certifiable card, the first authentication being carried out in the user-certifiable card; a second step in which the user-certifiable card transmits its unique serial number to the client part when the first authentication is accomplished in the first step, and the client part sends the serial number, user's ID and password transmitted from the user-certifiable card to a main certification unit such that the main certification unit perform the second authentication of judging if the serial number is the one that has been registered at a card identification part; a third step in which the main certification unit generates a pseudo random number and transmits it to the user-certifiable card through the client part when the second authentication is made in the second step; a fourth step in which the user-certifiable card receives the random number to calculate a predetermined function value corresponding to the random number through a real-time code generator, converts the function value into an encoded function value, and transmits the encoded function value and an authentication request signal to the main certification unit through the client part; a fifth step in which the main certification unit performs an authentication procedure that judges if the encoded function value received from the user-certifiable card is identical to an encoded function value corresponding to a random number generated by the main certification unit; a sixth step in which the main certification unit transmits an authentication response signal to the user-certifiable card through the client part when the authentication is made in the fifth step and authorizes the user to access a corresponding system; and a seventh step in which the main certification unit continuously transmits a pseudo random number to the user-certifiable card to repeat the third to sixth steps at a specific time interval, thereby accomplishing multistage user authentication.
2. The method as claimed in claim 1, wherein, when the predetermined function value g(x) corresponding to the random number used for user authentication, generated by the main certification unit, is calculated, a function value f(x) calculated by combining with a unique user key value given to each user-certifiable card is calculated into an encoded form.
3. A system of multistage user certification using an active user-certifiable card of USB module type, comprising: a user-certifiable card having a USB connection terminal formed in a card that a user can carry conveniently, the card including a real-time code generator in a PCB, the real-time code generator communicating with a main certification unit to perform user authentication; a client part including a USB port, a client interface, and a communication part, the USB port being connected with the USB connection terminal of the user-certifiable card to transmit and receive data, the client interface allowing the client part to recognize the user-certifiable card and forming a session with the main certification unit to enable communication between the user-certifiable card and the main certification unit, the communication part being connected with the main certification unit to transmit and receive predetermined data; the main certification unit including a connection part, a card identification part, a random number generator, and a code matching part, the connection part transmitting/receiving predetermined data for user authentication to/from the user- certifiable card, the card identification part checking the unique serial number given to the user-certifiable card to confirm if the user is an illegal user, the random number generator generating a pseudo random number to transmit it to the user-certifiable card when the card is authenticated by the card identification part, the code matching part judging if an encoded function value transmitted from the user-certifiable card is identical to an encoded function value generated by the main certification unit.
4. The system as claimed in claim 3, wherein the user-certifiable card is composed of the USB connection terminal connected with the USB port of the client part, and the real-time code generator communicated with the main certification unit to perform the user authentication procedure, the real-time code generator consisting of: a controller that has a CPU controlling corresponding modules to allow the user-certifiable card to communicate with the main certification unit to perform multistage authentication procedures for the user, a USB interface interfacing predetermined data transmitted/received through the USB connection terminal, authentication request and response signals, a code calculating part calculating a predetermined function value password corresponding to a random number into an encoded form, and a code memory storing the serial number, the function value f(x) corresponding to the random number, related data required for user authentication and a predetermined related program; a memory that stores user key values used for calculating the function value f(x) for user authentication and authentication notes of a predetermined authentication system with the user key values and authentication notes being allocated by regions; and a power supply being provided with power supplied from the outside through the USB connection terminal and transforming it into a predetermined form the user-certifiable card requires to provide it to the card.
PCT/KR2002/001960 2001-10-25 2002-10-19 Method and system of multistage user certification using active user-certifiable card WO2003036488A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020010066032A KR20030033863A (en) 2001-10-25 2001-10-25 The method and system of multistage user certification using active user-certifiable card of USB module type
KR2001-0066032 2001-10-25

Publications (1)

Publication Number Publication Date
WO2003036488A1 true WO2003036488A1 (en) 2003-05-01

Family

ID=19715390

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2002/001960 WO2003036488A1 (en) 2001-10-25 2002-10-19 Method and system of multistage user certification using active user-certifiable card

Country Status (2)

Country Link
KR (1) KR20030033863A (en)
WO (1) WO2003036488A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006092393A2 (en) * 2005-03-02 2006-09-08 International Business Machines Corporation Multiple use secure transaction card
WO2008006294A1 (en) 2006-07-03 2008-01-17 Beijing Huaqi Information Digital Technology Co., Ltd. Method, device and system of obtaing network information using device as service credential

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003216037A (en) * 2001-11-16 2003-07-30 Yazaki Corp Cipher key, enciphering device, enciphering/deciphering device, cipher key management device, and deciphering device
KR20030065761A (en) * 2002-01-31 2003-08-09 주식회사 애드시큐 Fingerprint USB-Key authentication system
WO2005059793A1 (en) * 2003-12-01 2005-06-30 Hyungmin Kim Electronic settlement system and method using serial number including identification of software, contents or electronic information, and computer-readable recording medium for recording program for performing the method
KR100628208B1 (en) * 2003-12-29 2006-09-26 엘지전자 주식회사 Device and Mobile Terminal for Confirming User, and Method for Confirming User of Mobile Terminal
KR100842835B1 (en) * 2007-10-11 2008-07-03 (주)유니윈테크놀러지 A movable storage device, a information security device, a method for protecting information of host device and a system for protecting information
MY146126A (en) * 2007-11-09 2012-06-29 Mimos Berhad Secure software licensing control mechanism
KR100910541B1 (en) * 2009-04-08 2009-07-31 장인천 Computer security system using a tag and the method thereof
KR101539502B1 (en) * 2013-09-11 2015-07-24 농협은행(주) Security apparatus for financial service
KR101668366B1 (en) * 2014-05-23 2016-10-28 배재대학교 산학협력단 Method and Apparatus for Password Based User Authentication Using Portable Storage Medium
KR101538364B1 (en) * 2014-07-04 2015-07-22 유비트론 주식회사 Internet Banking Login Service System by Using Key-Lock Card with Security Card and Internet Banking Login Method thereof
CN105279648A (en) * 2014-07-04 2016-01-27 Ub特伦株式会社 Internet banking login service system by using key-lock card with security card and internet banking login method thereof

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000172412A (en) * 1998-12-01 2000-06-23 Nec Gumma Ltd Individual information storage device and authentication device
JP2000349751A (en) * 1999-03-30 2000-12-15 Sony Corp Information processor, information processing method, authentication method and program storage medium
JP2001312595A (en) * 2000-04-28 2001-11-09 E Card:Kk Electronic authentication system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11184818A (en) * 1997-12-25 1999-07-09 Ntt Data Corp Authentication system, its method and client machine for the certification system
KR19980043045A (en) * 1998-05-22 1998-08-17 강형자 Authentication system of remote financial service using input / output access means
KR100358705B1 (en) * 1999-11-25 2002-10-30 주식회사 소프트 프로텍 An apparatus for information protection using Universal Serial Bus(USB) security module and crypto-chip based on PC
KR20000017956A (en) * 1999-12-30 2000-04-06 김월영 Security & Wildly Administration from Hardware-Lock
KR20010087730A (en) * 2000-03-08 2001-09-21 최성진 Internet password and internet autorization and settlement method using the password
KR20020082235A (en) * 2001-04-19 2002-10-31 김월영 PKI Authentication using H/W Lock connected to USB

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000172412A (en) * 1998-12-01 2000-06-23 Nec Gumma Ltd Individual information storage device and authentication device
JP2000349751A (en) * 1999-03-30 2000-12-15 Sony Corp Information processor, information processing method, authentication method and program storage medium
JP2001312595A (en) * 2000-04-28 2001-11-09 E Card:Kk Electronic authentication system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006092393A2 (en) * 2005-03-02 2006-09-08 International Business Machines Corporation Multiple use secure transaction card
WO2006092393A3 (en) * 2005-03-02 2007-03-08 Ibm Multiple use secure transaction card
WO2008006294A1 (en) 2006-07-03 2008-01-17 Beijing Huaqi Information Digital Technology Co., Ltd. Method, device and system of obtaing network information using device as service credential
EP2045955A1 (en) * 2006-07-03 2009-04-08 Beijing Huaqi Information Digital Technology Co., Ltd. Method, device and system of obtaing network information using device as service credential
EP2045955A4 (en) * 2006-07-03 2012-01-25 Beijing Huaqi Inf Digital Sci Method, device and system of obtaing network information using device as service credential

Also Published As

Publication number Publication date
KR20030033863A (en) 2003-05-01

Similar Documents

Publication Publication Date Title
US10601805B2 (en) Securitization of temporal digital communications with authentication and validation of user and access devices
Xi et al. A fingerprint based bio‐cryptographic security protocol designed for client/server authentication in mobile computing environment
US7596704B2 (en) Partition and recovery of a verifiable digital secret
CA2241052C (en) Application level security system and method
US6185316B1 (en) Self-authentication apparatus and method
US8842887B2 (en) Method and system for combining a PIN and a biometric sample to provide template encryption and a trusted stand-alone computing device
US7178025B2 (en) Access system utilizing multiple factor identification and authentication
US8826031B2 (en) Methods for secure enrollment and backup of personal identity credentials into electronic devices
EP0043027B1 (en) Electronic signature verification method and system
CN100517354C (en) Computer implemented method for securely acquiring a binding key and securely binding system
US20060235729A1 (en) Application-specific biometric templates
US20060195402A1 (en) Secure data transmission using undiscoverable or black data
EP1379930B1 (en) Security method for transferring shared keys
US7991151B2 (en) Method for secure delegation of calculation of a bilinear application
EP1472816A2 (en) Access system utilizing multiple factor identification and authentication
JP7231023B2 (en) Verification system, client and server
WO2003036488A1 (en) Method and system of multistage user certification using active user-certifiable card
Giri et al. A novel and efficient session spanning biometric and password based three-factor authentication protocol for consumer USB mass storage devices
Xi et al. Bio-cryptography
JPWO2020121461A1 (en) Matching system, client and server
US20220052841A1 (en) Matching system, client and server
Mitchell et al. Security of the Lin-Lai smart card based user authentication scheme
WO2022130528A1 (en) Recovery verification system, collation system, recovery verification method, and non-temporary computer readable medium
Om et al. A 3-D Geometry based Remote Login 2-Way Authentication Scheme using Smart Card
Vielhauer et al. Security for biometric data

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP