WO2011043557A2 - User authentication apparatus and universal authentication management system - Google Patents

User authentication apparatus and universal authentication management system

Info

Publication number
WO2011043557A2
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
information
terminal
vpn
ubiquitous
Prior art date
Application number
PCT/KR2010/006696
Other languages
English (en)
Korean (ko)
Other versions
WO2011043557A3 (fr)
Inventor
최운호
Original Assignee
Choi Unho
Priority date
Filing date
Publication date
Application filed by Choi Unho
Publication of WO2011043557A2 (fr)
Publication of WO2011043557A3 (fr)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • An embodiment of the present invention relates to an identity authentication device and a ubiquitous authentication management system. More specifically, it relates to a personal authentication device that provides a stronger service authentication function, and to a ubiquitous authentication management system that uses the device to provide high security and convenience.
  • Conventional information security systems control a user's terminal that attempts to access a business system, such as that of a company or a government agency, using the user information or the network information of the terminal, or control it only after the terminal has been granted access.
  • An object of the embodiments of the present invention is to prevent unauthorized use of a specific user's card or similar credential even when another person has obtained that user's simple personal information, card information, or certificate information without permission.
  • To this end, the present invention provides a personal authentication device, in the form of a biometric card or a USB information protection token, that provides a service authentication function.
  • Another object is, when a remote user accesses a work system built on a virtual private network to perform remote work, to provide enhanced service authentication for that user through a personal authentication device that the user carries or that is installed in a computer, IPTV set-top box, CD/ATM, kiosk, mobile phone, or similar terminal, thereby strengthening information protection for remote access to the work system.
  • Another object is, when a remote user accesses a work system established in a virtual private network to perform remote work, to provide service authentication for the user through a portable personal authentication device mounted on the terminal, so that users can conveniently access the business system remotely from any terminal and any place, as long as they have their own authentication device, and perform tasks such as Internet banking, electronic payment, e-commerce, home shopping, and electronic bidding.
  • Another object is, after a remote user has been service-authenticated through the user authentication device and accesses a work system established in a virtual private network to view work, to provide a variety of information security related services to the work system.
  • The system includes a personal authentication device that performs service authentication by combining at least one of a biometric information recognition result obtained through a biometric information recognition device, a public certificate based on a public key infrastructure, and a one-time password; a terminal that is connected to a virtual private network (VPN) according to the result of the service authentication performed by the attached personal authentication device; and an information protection relay server that controls the connection of the terminal to the VPN.
  • The method includes a mounting/confirmation step in which the identity authentication device is mounted on the terminal or its presence in the terminal is confirmed.
  • An embodiment of the present invention provides a personal authentication device that performs service authentication by combining one or more of a biometric information recognition result obtained through a biometric information recognition device, a public certificate based on a public key infrastructure, and a one-time password.
  • As a result, even if another person knows the simple personal information, card information, or certificate information of a specific user without permission, that person cannot use the specific user's card. The invention therefore provides a personal authentication device, such as a biometric card or a USB information protection token, that offers enhanced service authentication.
  • When a remote user wants to perform remote work by accessing a business system built as a virtual private network, effective service authentication is provided for the user through the self-authentication device that the user carries or that is installed in a computer, IPTV set-top box, CD/ATM, kiosk, or mobile phone, thereby enhancing information protection for remote access to the work system.
  • Because service authentication and execution of the virtual private network module are provided through a portable personal authentication device mounted on the terminal, users can use any terminal at any place, provided the terminal (computer, IPTV set-top box, CD/ATM, kiosk, mobile phone, etc.) is equipped with the device, and can conveniently access the work system remotely to perform tasks such as Internet banking, electronic payment, e-commerce, home shopping, and e-bidding.
  • FIG. 1 is a schematic diagram of a ubiquitous authentication management system according to an embodiment of the present invention.
  • FIG. 2 is a block diagram of an integrated information protection system in a ubiquitous authentication management system according to an embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating a ubiquitous authentication management method according to an embodiment of the present invention.
  • FIG. 4 is a block diagram of an identity authentication device for ubiquitous authentication management according to an embodiment of the present invention.
  • FIG. 5 is an exemplary view in which the authentication device according to an embodiment of the present invention is implemented as a biometric card.
  • FIG. 1 is a schematic diagram of a ubiquitous identity management system 100 according to an embodiment of the present invention.
  • The system includes a personal authentication device 110 that performs service authentication by combining one or more of a biometric information recognition result, a public certificate, and a one-time password (hereinafter referred to as "OTP"); a terminal 120 that is connected to a virtual private network (hereinafter referred to as "VPN") 130 according to the result of the service authentication performed by the personal authentication device 110 mounted on the terminal 120; and an information protection relay server 140 that controls the connection of the terminal 120 to the VPN 130.
  • A certificate is a type of electronic guarantee that can be trusted when doing business or transactions on the Internet. It is issued by a specific certification authority, and its contents include the owner's name, the expiration date, the owner's electronic signature, a public key that can be used, and the digital signature value of the certificate authority, which proves that the information is genuine.
  • FIG. 1 illustrates a ubiquitous authentication management system 100 in which a terminal 120 is connected to a VPN 130 and attempts to access various internal servers 150.
  • The system may further provide an integrated information security service system 170 that includes a server information protection system 210 performing access control, intrusion detection, and intrusion prevention for the internal server 150 accessed through the VPN 130.
  • The terminal 120 may be, for example, a computer, an IPTV set-top box, a CD/ATM, a kiosk, a mobile phone, or the like, in which the identity authentication device 110 may be mounted or installed in advance.
  • In addition to the server information protection system 210 mentioned above, the integrated information security service system 170 may further include one or more of: a system that detects and blocks illegal code execution and file forgery on the terminal 120; a digital forensic system 220 that generates data for legal evidence submission based on the result of service authentication; a black box system 230 that interoperates with a black box module run by the terminal 120 to monitor, collect, and record biometric authentication related log information and the result of service authentication; and an information protection control system 240 that monitors whether an information protection threat event has occurred on the terminal 120 or the VPN 130, responds to it, and backs up important data stored on the internal server 150 accessed by the terminal 120 through the VPN 130.
  • The ubiquitous authentication management system 100 also includes a computer user evidence information storage 160 that stores various information about the computer user.
  • The identity authentication device 110 may be implemented in the form of a smart card. Although FIG. 1 illustrates the authentication device 110 as independent of the terminal 120, the present invention is not limited thereto; the smart card 110 and the terminal 120 may be combined and implemented as a single user authentication device.
  • The biometric information recognition device (for example, a recognition scanner, recognition device, recognition semiconductor, or recognition sensor) included in the personal authentication device 110 may recognize one or more of fingerprint information, blood vessel information, voice information, and iris information of a specific user as biometric information.
  • So that the terminal 120 is connected to the VPN 130 according to the result of service authentication performed by combining the biometric information recognition result with at least one of the public certificate and the OTP, the personal authentication device 110 may control a VPN module to be run by an agent or program installed in the terminal 120 or in the biometric information recognition device.
  • According to the result of the service authentication, the identity authentication device 110 may also control one or more of an information protection module, a black box module, and the like to be run by the terminal 120.
  • FIG. 3 is a flowchart illustrating the ubiquitous authentication management method provided by the ubiquitous authentication management system 100 described above.
  • The method includes: a mounting/confirmation step (S300) in which the identity authentication device 110 is mounted on the terminal 120 or its installation in the terminal 120 is confirmed; a biometric information recognition step (S302) in which the user authentication device 110 recognizes the user's biometric information; a VPN connection step (S304) in which, according to the biometric recognition result of the identity authentication device 110, the terminal 120 equipped with the identity authentication device 110 is connected to the VPN 130 under the control of the information protection relay server 140; and a service authentication step (S306) in which service authentication is performed by combining at least one of the biometric information recognized by the user authentication device 110, a public certificate based on the public key infrastructure, and a one-time password.
  • When the terminal 120 connected to the VPN 130 accesses the internal server 150 through the VPN 130, the method may further include a server information protection step (S308) in which the server verifies the electronic signature of the public certificate and performs access control and user action recording according to that digital signature authentication.
  • FIG. 4 is a block diagram of a user authentication device 110 for ubiquitous authentication management according to an embodiment of the present invention.
  • The user authentication device 110 includes a biometric information recognition unit 410 that obtains a biometric information recognition result through a biometric information recognition device, an authorized certificate management unit 420, an OTP management unit 430, and a service authentication unit 440 that performs service authentication by combining one or more of the biometric recognition result, an official certificate generated by the public key infrastructure and managed by the certificate management unit 420, and an OTP managed by the OTP management unit 430.
  • Depending on whether biometric information is combined with the public certificate, with the OTP, or with both the public certificate and the OTP, the identity authentication device 110 can perform service authentication, including authentication of the user.
  • The personal authentication device 110 may be implemented as a biometric card including a sensor type recognition device, or as a USB information protection token having a universal serial bus (USB) interface.
  • A biometric card 500, which is one embodiment of the personal authentication device 110, includes a biometric device 510 capable of recognizing biometric information such as fingerprint information, an OTP display unit 520 on which an OTP is displayed, an IC chip 530, and the like.
  • The biometric card 500 stores pre-registered biometric information and other various information in the biometric device 510, the IC chip 530, or the card's internal storage, so that it can be compared with an accredited certificate, newly recognized biometric information, and the like.
  • The biometric card 500 may be implemented in the form of a smart card.
  • The biometric information recognition device included in the identity authentication device 110 may recognize one or more of fingerprint information, blood vessel information, voice information, and iris information of a specific user.
  • The personal authentication device 110 may further include a program module driving controller 450 that, according to the result of service authentication by the service authentication unit 440, controls the running of one or more program modules among a VPN module, an information protection module, a black box module, and the like.
  • The identity authentication device 110 may be installed in a terminal such as a desktop or laptop computer, a portable terminal such as a PDA, an automated teller machine (ATM), a kiosk serving as an information transmission system, an IPTV set-top box, or the like.
  • The invention thus provides a personal authentication device 110 in the form of a biometric card or USB information protection token that provides enhanced service authentication.
  • When a remote user wants to perform remote work by accessing a work system that includes the internal server 150 built on the VPN 130, providing enhanced service authentication for the user through the user authentication device 110 that the user carries has the effect of strengthening information protection for remote access to the work system including the internal server 150.
  • Because service authentication and execution of the virtual private network module are provided through the identity authentication device 110 mounted on the terminal 120 to which the user is connected, the user can conveniently access the business system including the internal server 150 from a remote location, even from a specific place or a terminal 120 where the device is not pre-installed, as long as the user possesses the identity authentication device 110, and can perform tasks such as Internet banking, electronic payment, electronic commerce, home shopping, and electronic bidding.
  • When a remote user views work on a business system including an internal server 150 constructed as a VPN 130, the invention has the effect of providing a variety of information protection related services for the work system including the internal server 150.
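The S300 to S308 flow described above, as an added example that is not code from the patent: a Python model of the service authentication step (biometric result combined with the public certificate, the OTP, or both, per the three combinations listed) and of the relay server's VPN gate, with the OTP factor verified as RFC 4226 HOTP and each decision recorded for the black box log. The biometric match and certificate verification results are constructed stand-ins, and the `POLICIES`, `OtpVerifier`, `AuthAttempt` and `RelayServer` names are assumptions.

```python
"""Service-authentication gate modelled on the S300-S308 flow.

Added example, not the patent's code. Assumptions: the biometric
recognition unit 410 reports whether the live sample matched, the
certificate management unit 420 reports whether the public certificate
verified (real X.509 validation is not implemented here), and the OTP
management unit 430 shares an HOTP seed (RFC 4226) with the verifier.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

# The three combinations the device may use; biometrics is always one factor.
POLICIES = {
    "bio+cert": {"bio", "cert"},
    "bio+otp": {"bio", "otp"},
    "bio+cert+otp": {"bio", "cert", "otp"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation of the MAC, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class OtpVerifier:
    """Verifier-side HOTP state (counterpart of OTP management unit 430).
    A small look-ahead window tolerates codes the card displayed but the
    user skipped; the counter only moves forward, so an accepted code
    cannot be replayed."""
    secret: bytes
    counter: int = 0
    window: int = 3

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


@dataclass
class AuthAttempt:
    """What the device reports for one attempt (constructed inputs)."""
    bio_matched: bool                 # biometric recognition unit 410
    cert_verified: bool               # certificate management unit 420 (stand-in)
    otp_code: Optional[str] = None    # code read from OTP display unit 520


@dataclass
class RelayServer:
    """Information protection relay server 140: a terminal is put on the
    VPN only after service authentication passes, and every decision is
    recorded for the black box system 230."""
    otp: OtpVerifier
    black_box: list = field(default_factory=list)

    def service_auth(self, policy: str, attempt: AuthAttempt) -> bool:
        checks = {
            "bio": lambda: attempt.bio_matched,
            "cert": lambda: attempt.cert_verified,
            "otp": lambda: attempt.otp_code is not None
            and self.otp.verify(attempt.otp_code),
        }
        # Evaluate only the factors the chosen combination requires, so an
        # unneeded OTP check does not advance the HOTP counter.
        results = {f: checks[f]() for f in sorted(POLICIES[policy])}
        granted = all(results.values())
        self.black_box.append({"policy": policy, "factors": results, "granted": granted})
        return granted

    def connect_vpn(self, policy: str, attempt: AuthAttempt) -> str:
        return "VPN_CONNECTED" if self.service_auth(policy, attempt) else "VPN_DENIED"
```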

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of the present invention relates to a user authentication apparatus and a universal authentication management system. The user authentication apparatus combines the result of biometric information recognition with a public certificate and/or a one-time password (OTP) generated by a public key infrastructure in order to perform service authentication. The user authentication apparatus is mounted on a terminal at an arbitrary location, and it is then verified whether or not the terminal is the user's terminal. In addition, the invention relates to a universal authentication management system that provides an environment for accessing an internal server through a virtual private network (VPN), as well as various types of information protection services integrated into that environment.
PCT/KR2010/006696 2009-10-08 2010-09-30 User authentication apparatus and universal authentication management system WO2011043557A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020090095869A KR20110038545A (ko) 2009-10-08 2009-10-08 Identity authentication device and ubiquitous authentication management system
KR10-2009-0095869 2009-10-08

Publications (2)

Publication Number Publication Date
WO2011043557A2 true WO2011043557A2 (fr) 2011-04-14
WO2011043557A3 WO2011043557A3 (fr) 2011-09-01

Family

ID=43857253

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2010/006696 WO2011043557A2 (fr) 2009-10-08 2010-09-30 User authentication apparatus and universal authentication management system

Country Status (2)

Country Link
KR (1) KR20110038545A (fr)
WO (1) WO2011043557A2 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101442820B1 (ko) * 2013-02-25 2014-09-23 동신대학교산학협력단 Authentication system using a biometric information recognition device and authentication method thereof
KR101510290B1 (ko) * 2013-04-04 2015-04-10 건국대학교 산학협력단 Apparatus for implementing two-factor authentication in a VPN and operating method thereof
KR102500733B1 (ko) * 2021-06-07 2023-02-20 한국전자통신연구원 Method for building a remote work environment that ensures the security of user terminals for remote work, and apparatus using the same

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20030013210A (ko) * 2001-08-07 2003-02-14 김명 Security of various cards
KR20030030405A (ko) * 2001-10-11 2003-04-18 손정일 PKI fingerprint recognition method using a smart card and portable flash memory
KR20080075956A (ko) * 2007-02-14 2008-08-20 에스케이씨앤씨 주식회사 User authentication method using biometric information

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103826220A (zh) * 2014-03-12 2014-05-28 西安电子科技大学 Privacy matching method based on a matrix transformation algorithm
CN111711520A (zh) * 2015-04-23 2020-09-25 崔云虎 Authentication in a ubiquitous environment
CN111711520B (zh) * 2015-04-23 2023-12-15 崔云虎 Authentication in a ubiquitous environment

Also Published As

Publication number Publication date
KR20110038545A (ko) 2011-04-14
WO2011043557A3 (fr) 2011-09-01

Similar Documents

Publication Publication Date Title
WO2011062364A2 (fr) User authentication system and apparatus, smart card and user authentication method for ubiquitous authentication management
JP4726950B2 (ja) Mobile phone and access control method
US8510572B2 (en) Remote access system, gateway, client device, program, and storage medium
WO2011062365A2 (fr) System and method for authenticating electronic money using a smart card and a communication terminal
US7861015B2 (en) USB apparatus and control method therein
US8656455B1 (en) Managing data loss prevention policies
CN101661599B (zh) Method for authenticating the legitimacy of software built into a device system
JPWO2005073843A1 (ja) Secure device, terminal device, gate device, and device
CN101933286A (zh) Wireless authentication
WO2011043557A2 (fr) User authentication apparatus and universal authentication management system
EP1669833A1 (fr) Method for validating a secure computer system
WO2014061897A1 (fr) Method for implementing a login confirmation and authorization service by means of a mobile user terminal
CN101324913B (zh) Computer file protection method and device
CN104010306A (zh) Mobile device user identity authentication system and method
WO2012169752A2 (fr) System and method for authenticating a device attempting to establish a connection
WO2011043559A2 (fr) Method for controlling a vehicle using driver authentication, vehicle terminal, biometric identity card, biometric identification system, and method for providing a vehicle occupant protection and tracking function using the biometric identity card and the terminal
CN1193298C (zh) System and method for protecting files with a memory card
JP2004206258A (ja) Multiple authentication system, computer program, and multiple authentication method
CN110784395B (zh) Secure e-mail login method and system based on FIDO authentication
KR101314822B1 (ko) Mobile office system and method, and recording medium
US8285746B2 (en) Securing data from a shared device
WO2010002227A2 (fr) Method for securing passwords used in web pages, and computer-readable recording medium on which a program executing said method is installed
KR101613664B1 (ko) Security system with enhanced identity verification for electronic transactions using certificates
US20080127300A1 (en) Method and apparatus for issuing certificate including legal guardian's agreement to ward
WO2023127977A1 (fr) Blockchain-based authentication and transaction system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10822202

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10822202

Country of ref document: EP

Kind code of ref document: A2