WO2012121497A2 - Distinct identifier-based authentication system and method - Google Patents


Info

Publication number
WO2012121497A2
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
unique identifier
computer device
mobile communication
communication terminal
Application number
PCT/KR2012/001246
Other languages
French (fr)
Korean (ko)
Other versions
WO2012121497A3 (en)
Inventor
정영석
한형덕
황재연
Original Assignee
(주)잉카인터넷
Priority claimed from KR1020110019204A (KR101206854B1)
Application filed by (주)잉카인터넷
Publication of WO2012121497A2
Publication of WO2012121497A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys

Definitions

  • the present invention relates to an authentication system and method, and more particularly to a unique identifier-based authentication system and method that authenticates a user by comparing the unique identifier of the computer device on which primary authentication was completed with the unique identifier of the computer device that attempts secondary authentication.
  • the most commonly used user authentication method is authentication with a user ID and password.
  • the user ID and password are registered in advance; when the user later tries to access the system, the user enters the registered ID and password and the system verifies the user's identity from them.
  • because the authentication information (user ID and password) of this method is easy to steal or hack, it cannot block malicious access attempts once the authentication information has been exposed.
  • the one-time authentication key-based authentication method introduced to address this usually proceeds as follows.
  • the online service system performs the primary authentication procedure (for example, checking the user ID and password) and, after primary authentication succeeds, requests secondary authentication from the secondary authentication server.
  • the secondary authentication server sends a text message (SMS) containing a one-time authentication key to the user's mobile communication terminal.
  • the online service system receives the one-time authentication key entered on the user's computer device and delivers it to the secondary authentication server.
  • the secondary authentication server verifies whether the one-time authentication key it sent to the user's mobile communication terminal and the one-time authentication key received through the online service system are the same.
  • although one-time authentication key-based secondary authentication strengthens user authentication to some extent, vulnerabilities remain because of the following remote (long-range) and short-range hacking techniques.
  • remote hacking techniques: when the user sends the one-time authentication key to the online service system, the hacker intercepts it through network spoofing; or the hacker installs a key logger on the user's computer device in advance, remotely monitors the one-time authentication key as it is entered on the device and removes it, thereby stealing the key; or the hacker induces the user to access a phishing site instead of the online service system and steals the one-time authentication key entered on the phishing site. For example, in July 2006 a bank account at a US bank was infiltrated with an authentication key stolen through a phishing site, a remote hacking technique.
  • short-range hacking techniques: the one-time authentication key delivered to the user's mobile communication terminal may be read and stolen by someone near the user through shoulder surfing or social engineering.
  • An object of the present invention, devised to solve the problems of the prior art described above, is to provide a unique identifier-based authentication system and method that can resist exploitation of a one-time authentication key by remote or short-range hacking techniques, by comparing the unique identifier of the computer device for which primary authentication has been completed with the unique identifier of the computer device that attempts secondary authentication.
  • a device registration unit for registering the end entity information necessary for secondary authentication and the mobile communication terminal matched to that end entity information;
  • a transmission / reception processing unit for communicating with the online service system to receive the unique identifier of the primary-authenticated computer device together with the end entity information, and to receive the unique identifier of the computer device that attempts secondary authentication with that end entity information (the secondary authentication attempt computer device) together with the one-time authentication key entered on it;
  • a unique identifier verification unit for verifying whether the primary-authenticated computer device and the secondary authentication attempt computer device are identical, using the unique identifier of the primary-authenticated computer device and the unique identifier of the secondary authentication attempt computer device;
  • an authentication key issuing unit for issuing a one-time authentication key to the mobile communication terminal and transmitting it through the transmission / reception processing unit;
  • an authentication key verification unit for verifying whether the one-time authentication key issued by the authentication key issuing unit and the one-time authentication key received by the transmission / reception processing unit are the same.
  • the unique identifier-based authentication method includes a device registration step of registering, in the secondary authentication system, the end entity information necessary for secondary authentication and the mobile communication terminal matched to that end entity information;
  • an authentication key issuing step, in which the secondary authentication system issues a one-time authentication key to the mobile communication terminal;
  • a secondary authentication attempt step, in which the secondary authentication system communicates with the online service system to receive the unique identifier of the secondary authentication attempt computer device, which attempts secondary authentication with the end entity information, together with the one-time authentication key entered on that computer device;
  • a unique identifier verification step, in which the secondary authentication system verifies whether the primary-authenticated computer device and the secondary authentication attempt computer device are the same, using the unique identifier of the primary-authenticated computer device and the unique identifier of the secondary authentication attempt computer device;
  • and an authentication key verification step, in which the secondary authentication system verifies whether the one-time authentication key issued in the authentication key issuing step and the one-time authentication key received in the secondary authentication attempt step are the same.
  • on the mobile communication terminal side, the method comprises a first step of installing a security authentication module on the mobile communication terminal; a second step in which the mobile communication terminal connects to the secondary authentication system and transmits the end entity information required for secondary authentication and the system information of the mobile communication terminal; a third step in which the mobile communication terminal accesses a push server, transmits the certificate of the security authentication module and the unique information of the mobile communication terminal, and requests issuance of a device token; and a fourth step in which, when the device token is issued by the push server, the mobile communication terminal transmits the issued device token to the secondary authentication system;
  • and a fifth step in which the mobile communication terminal communicates with the secondary authentication system, receives a one-time authentication key from it and outputs the key on its screen.
  • on the computer device side, the unique identifier-based authentication method comprises a first step in which, when the end entity information for primary authentication is input by the user, the computer device generates its unique identifier; a second step in which the computer device transmits the unique identifier generated in the first step and the end entity information for primary authentication to the online service system; a third step in which, when a one-time authentication key for secondary authentication is input by the user, the computer device generates its unique identifier again; and a fourth step in which the computer device transmits the unique identifier generated in the third step and the one-time authentication key for secondary authentication to the online service system.
  • since the user is authenticated only when the unique identifier of the computer device on which primary authentication was completed and the unique identifier of the computer device attempting secondary authentication are the same, authentication security is further enhanced.
  • FIG. 1 is a schematic block diagram of a unique identifier based authentication system according to the present invention.
  • FIG. 2 is a detailed block diagram of a unique identifier based authentication system according to the present invention.
  • FIG. 3 is an operation flowchart illustrating an operation of a mobile communication terminal according to an embodiment of the present invention.
  • FIG. 4 is a flowchart illustrating an operation of collecting a unique identifier of the computer device by the security authentication module of the computer device according to the present invention.
  • FIG. 5 is an operation flowchart showing the operation of the secondary authentication system according to the present invention.
  • FIG. 6 is an operation flowchart illustrating a process of renewing and issuing a one-time authentication key to an end entity by the secondary authentication system according to the present invention.
  • reference numerals: 111, computer device of the terminal entity; 142, encryption and decryption processing unit.
  • the online service system provides online services to users who have passed both primary authentication based on ID and password and secondary authentication based on a one-time authentication key; attacks on this procedure are also evolving.
  • in the scenario below, the "hacking target computer device" is the computer device used by the normal user, and the "hacking computer device" is the nearby computer device used by the hacker.
  • a normal user performs primary authentication by entering the ID and password into the online service system from the hacking target computer device, on which a hacking program is installed, receives a one-time authentication key on his mobile communication terminal, and attempts secondary authentication.
  • the hacker steals the information entered during this whole process through the hacking computer device.
  • when the normal user completes primary authentication by entering the ID and password on the hacking target computer device, the hacker completes primary authentication by entering the same ID and password on the hacking computer device (a duplicate login with the same ID and password). When the normal user then enters the one-time authentication key for secondary authentication on the hacking target computer device, the hacker steals that key as well and enters it on the hacking computer device.
  • the one-time authentication key entered by the normal user on the hacking target computer device is blocked on its way to the online service system, and the one-time authentication key entered by the hacker on the hacking computer device is transmitted to the online service system instead.
  • as a result, the hacking target computer device used by the normal user cannot connect to the online service system, while the hacking computer device used by the hacker is connected to it. That is, primary authentication is performed on the hacking target computer device, but secondary authentication is performed on the hacking computer device, and the hacking computer device ends up connected to the online service system.
  • the present invention proposes a method of performing stronger identity authentication in such a situation.
  • FIG. 1 is a schematic block diagram of a unique identifier based authentication system according to the present invention.
  • the end entity 110 is an end user who uses the authentication procedure of this invention.
  • the end entity 110 uses the authentication procedure according to the present invention to receive online services from the online service system 120 through the communication network 100.
  • the end entity 110 has a computer device 111, which receives the online service of the online service system 120 and performs primary and secondary authentication according to the present invention through communication with the online service system 120, and a mobile communication terminal 112 for performing secondary authentication.
  • the computer device 111 includes various computer environments such as a desktop and a notebook.
  • the computer device 111 includes a security authentication module according to the present invention.
  • the security authentication module extracts the unique identifier of the computer device 111 during the primary authentication process and the secondary authentication process and transmits it to the online service system 120.
  • the mobile communication terminal 112 includes a general feature phone or a smartphone equipped with an operating system (OS) and capable of installing and running various applications.
  • the online service system 120 is a system on the web that provides an online service to a plurality of users through the communication network 100.
  • the online service system 120 performs primary authentication on the end entity 110.
  • the online service system 120 includes a login processing system 121, and performs the first authentication of the end entity 110 in the login processing system 121.
  • primary authentication includes all forms of single-factor authentication, such as knowledge-based authentication, possession (ownership)-based authentication, and entity-based authentication.
  • the online service system 120 transmits the unique identifier of the primary-authenticated computer device 111 to the secondary authentication system 140 and requests secondary authentication for the primary-authenticated end entity.
  • the online service system 120 transmits the one-time authentication key entered on the computer device 111 for secondary authentication, together with the unique identifier of the computer device 111, to the secondary authentication system 140.
  • when the online service system 120 requests secondary authentication for a computer device on which primary authentication has been performed, the secondary authentication system 140 receives the unique identifier of that primary-authenticated computer device and issues a one-time authentication key to the mobile communication terminal 112 of the end entity that completed primary authentication.
  • the secondary authentication system 140 then receives, through the online service system 120, the one-time authentication key and the unique identifier of the computer device on which that key was entered (the secondary authentication attempt computer device).
  • the secondary authentication system 140 verifies whether the primary-authenticated computer device and the secondary authentication attempt computer device are the same, using the unique identifier of the primary-authenticated computer device and the unique identifier of the secondary authentication attempt computer device; it also verifies whether the one-time authentication key issued to the mobile communication terminal 112 of the end entity 110 and the one-time authentication key entered on the secondary authentication attempt computer device are the same, and notifies the online service system of the verification result.
  • the secondary authentication system 140 may issue the one-time authentication key to the corresponding mobile communication terminal through an SMS server.
  • alternatively, the secondary authentication system 140 issues the one-time authentication key to the corresponding mobile communication terminal using the push server 130. Issuing a one-time authentication key through an SMS server is not described in detail here; this specification describes in detail the process by which the secondary authentication system 140 issues a one-time authentication key to the mobile communication terminal using a push server.
  • a push server is a service provided by the manufacturer of the end entity's mobile communication terminal. When the mobile communication terminal wants to receive push service for an application, it first receives from the push server a device token corresponding to that application. The push server then wakes up the mobile communication terminal by sending it a push message (wakeup) and activates the application corresponding to the device token (in the present invention, the security authentication module of the mobile communication terminal).
  • when the secondary authentication system 140 wants to issue a one-time authentication key to the mobile communication terminal 112 of the end entity 110, it sends the device token of that mobile communication terminal to the push server 130; the push server 130 then sends a push message to the mobile communication terminal 112, which wakes up and communicates with the secondary authentication system 140.
  • iOS uses the Apple Push Notification Service (APNs) provided by Apple as the push server.
  • Android uses C2DM (Cloud To Device Messaging) provided by Google as the push server.
  • the security authentication module installed in the computer device extracts a unique identifier for each computer device.
  • the unique identifier is generated based on the Universally Unique Identifier (UUID), also called the Globally Unique Identifier (GUID), standardized by the Open Software Foundation (OSF), and so uniquely identifies the computer device.
  • FIG. 2 is a detailed block diagram of a unique identifier based authentication system according to the present invention.
  • the computer device 111 of the terminal entity 110 includes an input / output unit 111A, a transceiver unit 111B, and a security authentication module 111C.
  • the input / output unit 111A is a typical keyboard, mouse, monitor, or the like, and performs an interface with a user.
  • the transceiver 111B is connected to the online service system 120 through a wired communication network.
  • the security authentication module 111C is software installed and run on the computer device 111; it includes a unique identifier collection unit that collects the unique identifier of the computer device and an encryption processing unit that encrypts the collected unique identifier and outputs it through the transceiver unit 111B.
  • the unique identifier collection unit generates the unique identifier of the computer device based on the universally unique identifier (UUID) or globally unique identifier (GUID) standardized by the Open Software Foundation (OSF).
  • the mobile communication terminal 112 of the terminal entity 110 includes an input / output unit 112A, a transceiver unit 112B, and a security authentication module 112C.
  • the input / output unit 112A is a conventional touch pad or the like and performs an interface with a user.
  • the transceiver 112B communicates with the secondary authentication system 140 and the push server 130 according to the present invention through a mobile communication network.
  • the security authentication module 112C receives a device token corresponding to itself from the push server 130, registers the issued device token in the secondary authentication system 140, and, when a one-time authentication key is received from the secondary authentication system 140 after a push message has been delivered from the push server 130, outputs the received one-time authentication key on the screen of the input / output unit 112A.
  • the online service system 120 stores the information necessary for primary authentication of the end entity 110, requests secondary authentication from the secondary authentication system 140 for an end entity 110 whose primary authentication is complete, and receives the result from the secondary authentication system 140. That is, the online service system 120 first authenticates the end entity 110, receives the one-time authentication key for secondary authentication from the end entity 110, and delivers it to the secondary authentication system 140. In addition, the online service system 120 transmits the unique identifier of the end entity's primary-authenticated computer device and the unique identifier of the secondary authentication attempt computer device to the secondary authentication system 140.
  • the secondary authentication system 140 includes a transmission and reception processing unit 141 for transmitting and receiving data with the end entity 110, the online service system 120 and the push server 130; an encryption and decryption processing unit 142 that encrypts or decrypts the data transmitted and received; a device registration unit 143; and a one-time authentication processing unit 144.
  • the transmission and reception processing unit 141 includes a wired processing unit for communicating with the online service system 120, the push server 130 and the SMS server (not shown) through a wired communication network, and a wireless processing unit for communicating with the mobile communication terminal 112 through a wireless communication network.
  • the device registration unit 143 includes a device registration processing unit that processes device registration for each mobile communication terminal, and a device number issuer that issues a number for each registered mobile communication terminal.
  • the one-time authentication processing unit 144 includes a memory unit that stores the unique identifier of the primary-authenticated computer device; a unique identifier verification unit that verifies the unique identifier of the computer device attempting secondary authentication against it; an authentication key generation unit that generates a one-time authentication key; an authentication key issuing unit that issues the one-time authentication key to the mobile communication terminal matched to the primary-authenticated end entity; and an authentication key verification unit that receives, through the online service system, the one-time authentication key entered on the secondary authentication attempt computer device and compares it with the issued one-time authentication key.
  • the authentication key generation unit may generate a one-time authentication key based on the unique identifier of the computer device that has been firstly authenticated.
  • each time secondary authentication is requested for a primary-authenticated end entity, the one-time authentication key is generated in the authentication key generation unit, activated in the authentication key issuing unit, verified in the authentication key verification unit, and then destroyed.
  • if a new one-time authentication key were issued repeatedly for the same end entity, a malicious hacker could intervene in the security authentication procedure of the legitimate end entity and prevent the legitimate end entity from passing secondary authentication.
  • the present invention therefore, in principle, has the one-time authentication processing unit 144 proceed sequentially through generation, activation and extinction of the one-time authentication key, so that a one-time authentication key is not issued repeatedly for the same end entity.
  • however, when the end entity computer device that requested the initial one-time authentication key is compared with the end entity computer device that requests renewal of the key and the two are found to be the same, the already issued one-time authentication key may be discarded and a new one-time authentication key generated and activated.
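As an added example that is not the patent's or the assignee's code, the following Python models the one-time authentication processing unit 144 described above together with the background scenario of a key stolen from one computer device and entered on another: key issuance, the unique identifier gate, the single-use key gate, and renewal only for the same device. The 6-digit key format, the 180-second validity window, the single-use rule, the delivery callback and the user and device identifiers are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

OTP_TTL_SECONDS = 180  # assumed validity window; the page does not specify one


@dataclass
class PendingKey:
    """One issued key and its state: activated -> destroyed (verified or discarded)."""
    device_uid: str   # unique identifier of the primary-authenticated computer device
    otp: str
    issued_at: float
    state: str = "activated"


class SecondaryAuthSystem:
    """Constructed model of the secondary authentication system (140)."""

    def __init__(self, deliver: Callable[[str, str], None], clock=time.time):
        self._deliver = deliver                    # stands in for the push / SMS delivery path
        self._clock = clock
        self._registered: Dict[str, str] = {}      # user id -> registered mobile terminal token
        self._pending: Dict[str, PendingKey] = {}  # user id -> currently issued key
        self._secret = secrets.token_bytes(32)     # server secret for key derivation (assumption)

    def register_device(self, user: str, device_token: str) -> None:
        """Device registration unit (143): match the mobile terminal to the end entity."""
        self._registered[user] = device_token

    def _generate_otp(self, device_uid: str) -> str:
        # The page says the key may be generated from the primary-authenticated
        # device's identifier; here: HMAC(secret, uid || fresh nonce), 6 digits.
        nonce = secrets.token_bytes(16)
        mac = hmac.new(self._secret, device_uid.encode() + nonce, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def request_secondary_auth(self, user: str, device_uid: str) -> Tuple[bool, str]:
        """Called by the online service system after primary authentication succeeds."""
        if user not in self._registered:
            return False, "no registered mobile terminal"
        pending = self._pending.get(user)
        if pending is not None and pending.state == "activated":
            # Renewal rule: only the device that requested the original key may
            # obtain a new one. Any other device is refused, so a third party
            # cannot force re-issuance and lock the legitimate user out.
            if not hmac.compare_digest(pending.device_uid, device_uid):
                return False, "key already active for a different device"
            pending.state = "destroyed"
        otp = self._generate_otp(device_uid)
        self._pending[user] = PendingKey(device_uid, otp, self._clock())
        self._deliver(self._registered[user], otp)  # push to the mobile terminal
        return True, "issued"

    def verify(self, user: str, device_uid: str, otp: str) -> Tuple[bool, str]:
        """Unique identifier verification unit followed by authentication key verification unit."""
        pending = self._pending.get(user)
        if pending is None or pending.state != "activated":
            return False, "no active key"
        if self._clock() - pending.issued_at > OTP_TTL_SECONDS:
            pending.state = "destroyed"
            return False, "key expired"
        # Gate 1: the device attempting secondary authentication must be the one
        # that completed primary authentication. A mismatch is rejected without
        # consuming the key, so the legitimate device can still finish.
        if not hmac.compare_digest(pending.device_uid, device_uid):
            return False, "device mismatch"
        # Gate 2: the key itself. Single use: success or failure destroys it.
        pending.state = "destroyed"
        if not hmac.compare_digest(pending.otp, otp):
            return False, "key mismatch"
        return True, "authenticated"


def scenario() -> dict:
    """Replays the background scenario with constructed identifiers: the key sent
    to the user's terminal is entered from a second computer device."""
    delivered: List[str] = []
    sas = SecondaryAuthSystem(lambda token, otp: delivered.append(otp))
    sas.register_device("alice", "token-constructed-0001")
    victim_uid, other_uid = "uid-constructed-victim-pc", "uid-constructed-other-pc"
    issued, _ = sas.request_secondary_auth("alice", victim_uid)
    otp = delivered[-1]
    from_other = sas.verify("alice", other_uid, otp)   # right key, wrong device
    legit = sas.verify("alice", victim_uid, otp)       # right key, original device
    replay = sas.verify("alice", victim_uid, otp)      # key already destroyed
    return {"issued": issued, "from_other": from_other, "legit": legit, "replay": replay}
```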
  • FIG. 3 is an operation flowchart illustrating an operation of a mobile communication terminal according to an embodiment of the present invention.
  • the security authentication module 112C of the mobile communication terminal 112 is an application program built on the operating system of the mobile communication terminal 112 that performs the authentication procedure according to the present invention.
  • FIG. 3 shows the procedure by which the mobile communication terminal receives a device token from the push server and then receives a one-time authentication key using that device token.
  • the security authentication module 112C is installed in the mobile communication terminal of the end entity (S301).
  • the security authentication module 112C transmits the end entity information needed to perform authentication (the user ID for accessing the online service system, system information of the mobile communication terminal, etc.) to the secondary authentication system, which thereby collects the end entity information through the mobile communication terminal (S302).
  • the secondary authentication system checks the collected end entity information, performs real-name authentication and identity authentication for the mobile communication terminal itself, and transmits the result to the mobile communication terminal. If a failure result for real-name or identity authentication is received from the secondary authentication system (S303), this is treated as a device registration failure and the procedure ends (S304).
  • otherwise, the security authentication module of the mobile communication terminal connects to the push server, transmits the certificate of the security authentication module and the unique information of the mobile communication terminal to the push server, and requests issuance of a device token (S305).
  • when the device token is issued, the security authentication module of the mobile communication terminal delivers it to the secondary authentication system (S307).
  • the secondary authentication system then registers the device token of the mobile communication terminal in its database together with the corresponding end entity information.
  • later, when woken by a push message from the push server, the security authentication module of the mobile communication terminal is activated and communicates with the secondary authentication system (S309).
  • the one-time authentication key is received from the secondary authentication system (S310)
  • and the one-time authentication key is output on the screen of the input / output unit (S311).
  • the security authentication module of the computer device according to the present invention is an application program installed and driven in a computer device connected to an online service system.
  • the purpose of a universally unique identifier is to uniquely identify each computer device in a distributed system.
  • a universally unique identifier created to identify one entity (computer device) is rarely the same as a universally unique identifier created to identify another entity (computer device).
  • therefore, with a UUID-based unique identifier, it is almost impossible for the UUID of the primary-authenticated computer device and the UUID of a hacker's computer device attempting secondary authentication to be the same.
  • this UUID is applied and used according to the objective of this invention.
  • the unique identifier of the computer device used in the present invention consists of a timestamp, which makes each generated unique identifier one-time; service file information, which identifies the online service system; and the unique information of the computer device itself.
  • the unique information of the computer device includes the UUID and may additionally include unique information about the system hardware of the computer device.
  • when a unique identifier collection request occurs in the security authentication module of the end entity computer device, the unique identifier collection unit generates a UTC-based timestamp (S401) and collects information on the service file provided by the online service system (S402).
  • the service file information includes, in addition to the basic file information, information generated and processed from the file, such as a message digest of the file.
  • next, the unique information of the end entity computer device is collected (S403).
  • the collected unique information of the computer device may be reprocessed depending on whether the end entity agrees to provide it. If the end entity agrees to deliver the collected unique information of the computer device to the secondary authentication system (S404), the unique identifier is generated from the timestamp computed in step S401, the service file information of the online service system collected in step S402, and the unique information of the end entity computer device collected in step S403 (S405), and the generated unique identifier is encrypted with a symmetric key encryption algorithm (S406).
  • the encryption key of the symmetric key encryption algorithm is shared with the secondary authentication system through a key sharing algorithm, and the encrypted unique identifier is transmitted to the secondary authentication system via the online service system (S407).
  • if, in step S404, the end entity does not want to provide the collected unique information of the computer device to the secondary authentication system, a hash value is calculated from the unique information collected in step S403 using a one-way hash algorithm (S408), the collected unique information of the computer device is replaced with the calculated hash value, and that information is provided to step S405 (S409).
  • HASH hash value
  • FIG. 5 is an operation flowchart showing the operation of the secondary authentication system according to the present invention.
  • when the end entity computer device accesses the online service system, the online service system performs primary authentication on it. At this time the computer device transmits the end entity information needed for authentication and the unique identifier of the computer device generated as in FIG. 4 to the online service system. If primary authentication succeeds, the online service system sends the end entity information and the unique identifier of the primary-authenticated computer device to the secondary authentication system and requests secondary authentication.
  • the secondary authentication system receives the end entity information and the unique identifier of the primary-authenticated computer device from the online service system.
  • when secondary authentication is requested (S501), the system checks whether a mobile communication terminal corresponding to the received end entity information is registered (S502). If the mobile communication terminal is registered (S503), a one-time authentication key is generated (S504) and issued to the mobile communication terminal (S505).
  • the one-time authentication key of step S504 can be generated based on the unique identifier of the primary-authenticated computer device; to lower the probability of two one-time authentication keys coinciding, it can additionally be generated from other factors such as the time or a random number.
  • in step S505 the generated one-time authentication key may be issued to the mobile communication terminal in the form of a text message containing the key sent through the SMS server, or the secondary authentication system may issue it to the corresponding mobile communication terminal through server/client communication with a mobile communication terminal that has been activated by the push server.
  • the secondary authentication system transmits a message to the push server together with the device token of the corresponding mobile communication terminal. The push server then identifies, from the device token received from the secondary authentication system, which mobile communication terminal should receive the push message, and delivers the push message to that terminal, thereby activating the mobile communication terminal and its security authentication module.
  • the activated security authentication module performs server / client communication with the secondary authentication system, and the secondary authentication system issues a one-time authentication key to the security authentication module.
  • the generated one-time authentication key is transmitted to the mobile communication terminal of the corresponding end entity through the communication network and output on its screen.
  • the unique identifier of the second authentication attempt computer device is collected (S506).
  • after step S506, the one-time authentication key entered on the second-authentication-attempt computer device and the unique identifier of that device are transferred to the secondary authentication system via the online service system (S507).
  • the secondary authentication system compares the one-time authentication key issued in step S505 with the one-time authentication key received in step S507 (S508), and thereby authenticates the one-time authentication key.
  • the secondary authentication system compares the unique identifier of the primary-authenticated computer device with the unique identifier of the second-authentication-attempt computer device (S509) to verify that the latter is the same device as the primary-authenticated one. If the two computer devices are the same (S509), authentication is approved (S510) and the result is transmitted to the online service system (S511).
  • if in step S503 the mobile communication terminal is not registered, the request is processed as an unregistered mobile communication terminal (S512), and the online service system is notified that the mobile communication terminal is unregistered (S511).
  • if the issued one-time authentication key and the received one-time authentication key do not match in step S508, or the two computer devices do not match in step S509, authentication failure is processed (S513) and the result is notified to the online service system (S511).
  • FIG. 6 is an operation flowchart illustrating a process of renewing and issuing a one-time authentication key to an end entity by the secondary authentication system according to the present invention.
  • the end entity may need to renew the one-time authentication key issued during secondary authentication. For example, if the one-time authentication key issued by the secondary authentication system is lost because of a communication network failure before it reaches the mobile communication terminal, or cannot be entered because of a physical defect of the computer device attempting secondary authentication, the one-time authentication key must be updated to another value.
  • the secondary authentication system must determine whether the end entity requesting renewal of the one-time authentication key is a legitimate end entity or a malicious end entity that has intervened in the security authentication procedure. Therefore, the secondary authentication system receives the unique identifier of the renewal-requesting computer device together with the renewal request for the one-time authentication key via the online service system, and verifies whether the computer device that originally requested the one-time authentication key and the renewal-requesting computer device are the same. This is described in detail below.
  • the secondary authentication system receives the end entity information, the one-time authentication key renewal request, and the unique identifier of the renewal-requesting computer device (S601). It checks whether a one-time authentication key has already been issued to the mobile communication terminal matching the received end entity information (S602). If such an issued one-time authentication key exists (S603), the unique identifier of the computer device for which the one-time authentication key was issued is compared with the unique identifier of the renewal-requesting computer device, to verify whether the two are the same computer device (S604).
  • if they are the same, the one-time authentication key is renewed and reissued to the mobile communication terminal matched with the corresponding end entity information (S605), and the system waits until the reissued one-time authentication key is received from the online service system (S606). If no issued one-time authentication key exists in step S603, or the two computer devices are not the same in step S604, the one-time authentication key renewal is treated as failed and a log is collected (S607).
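The client-side identifier collection of FIG. 4 and the server-side checks of FIG. 5 and FIG. 6, modelled together in Python as an added example that is not part of the patent: the one-time key is accepted only together with a matching device identifier, and a renewal is honoured only from the device the key was first issued for. Assumptions: the field layout and sample values, an HMAC seal standing in for the symmetric encryption of step S406, and that "the same identifier" means the same device-bound fields, since the timestamp changes on every request.

```python
"""Added example, not the patent's own code: a small model of the FIG. 4
identifier collection and the FIG. 5 / FIG. 6 secondary authentication
checks.  Names, field layout and sample values are assumptions."""
import hashlib
import hmac
import secrets
import time

# Constructed shared secret.  Step S406 encrypts the identifier with a
# symmetric key; this model stands that in with an HMAC tag under the shared
# key so a tampered identifier is detectable (stdlib has no AES).
SHARED_KEY = b"constructed-demo-shared-key"


def _tag(ident):
    body = f'{ident["timestamp"]}|{ident["service_file"]}|{ident["device"]}'
    return hmac.new(SHARED_KEY, body.encode(), "sha256").hexdigest()


def build_unique_identifier(service_file, device_info, consent, now=None):
    """FIG. 4: timestamp (S401) + service file digest (S402) + device
    information (S403).  Without consent the device information is
    replaced by its one-way hash (S408/S409) before assembly (S405)."""
    ts = time.time() if now is None else now
    # Stable serialisation so the same hardware always yields the same bytes.
    canon = "|".join(f"{k}={device_info[k]}" for k in sorted(device_info))
    device_part = canon if consent else hashlib.sha256(canon.encode()).hexdigest()
    ident = {"timestamp": ts,
             "service_file": hashlib.sha256(service_file).hexdigest(),
             "device": device_part}
    ident["tag"] = _tag(ident)                      # S406 (sealed, see above)
    return ident


def same_device(a, b):
    """S509 / S604.  The timestamp differs on every request, so 'the same
    identifier' is taken to mean the same device-bound fields (assumption)."""
    if not (hmac.compare_digest(a["tag"], _tag(a))
            and hmac.compare_digest(b["tag"], _tag(b))):
        return False                                # seal broken: reject
    return (hmac.compare_digest(a["device"], b["device"])
            and a["service_file"] == b["service_file"])


def _new_key():
    return f"{secrets.randbelow(10**6):06d}"        # S504: one-time key


class SecondaryAuthSystem:
    """Server side of FIG. 5 and FIG. 6 with in-memory state."""

    def __init__(self):
        self.terminals = {}   # end entity info -> registered phone (S502)
        self.issued = {}      # end entity info -> (key, first-auth identifier)
        self.log = []         # S607 failure log

    def register_terminal(self, end_entity, phone_number):
        self.terminals[end_entity] = phone_number

    def request_second_auth(self, end_entity, first_auth_ident):
        """S501-S505, S512: issue a key bound to the primary-authenticated device."""
        if end_entity not in self.terminals:
            return ("UNREGISTERED_TERMINAL", None)   # S512
        key = _new_key()
        self.issued[end_entity] = (key, first_auth_ident)
        return ("ISSUED", key)      # S505: delivery to the phone is simulated

    def verify(self, end_entity, entered_key, attempt_ident):
        """S507-S513: the key must match AND the device must be the same one."""
        issued = self.issued.get(end_entity)
        if issued is None:
            return "AUTH_FAILED"
        key, first_auth_ident = issued
        if not hmac.compare_digest(key, entered_key):        # S508
            return "AUTH_FAILED"                              # S513
        if not same_device(first_auth_ident, attempt_ident):  # S509
            return "AUTH_FAILED"                              # S513
        del self.issued[end_entity]   # consume the key (assumption)
        return "AUTH_APPROVED"                                # S510

    def renew_key(self, end_entity, request_ident):
        """S601-S607: reissue only to the device the key was first issued for."""
        issued = self.issued.get(end_entity)                  # S602/S603
        if issued is None or not same_device(issued[1], request_ident):  # S604
            self.log.append(("renewal_failed", end_entity))   # S607
            return ("RENEWAL_FAILED", None)
        key = _new_key()
        self.issued[end_entity] = (key, issued[1])
        return ("REISSUED", key)                              # S605


if __name__ == "__main__":
    auth = SecondaryAuthSystem()
    auth.register_terminal("user@example.com", "010-0000-0000")  # constructed
    pc = {"uuid": "11111111-1111-1111-1111-111111111111", "disk": "WD-1"}
    first = build_unique_identifier(b"service.bin", pc, False, now=1.0)
    _, key = auth.request_second_auth("user@example.com", first)
    other = {"uuid": "22222222-2222-2222-2222-222222222222", "disk": "ST-2"}
    attempt = build_unique_identifier(b"service.bin", other, False, now=2.0)
    print(auth.verify("user@example.com", key, attempt))  # AUTH_FAILED
```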

Abstract

A distinct identifier-based authentication system according to the present invention comprises: a device registration unit with which end entity information required for second authentication and a mobile communication terminal matched with the end entity information are registered; a transmission and reception processing unit which communicates with an online service system to receive a distinct identifier of a first-authenticated computer device with the end entity information, a distinct identifier of a second-authentication attempt computer device which attempts a second authentication with the end entity information, and a disposable authentication key inputted from the second-authentication attempt computer device; a distinct identifier verification unit which verifies whether or not the first-authenticated computer device and the second-authentication attempt computer device are identical with each other using the distinct identifier of the first-authenticated computer device and the distinct identifier of the second-authentication attempt computer device; an authentication key issue unit which issues and transmits a disposable authentication key to the mobile communication terminal through the transmission and reception processing unit; and an authentication key verification unit which verifies whether or not the disposable authentication key issued by the authentication key issue unit and the disposable authentication key inputted to the transmission and reception processing unit are identical with each other.

Description

Unique identifier based authentication system and method
The present invention relates to an authentication system and method, and more particularly to a unique identifier based authentication system and method in which user authentication is performed after comparing the unique identifier of a primary-authenticated computer device with the unique identifier of the computer device attempting secondary authentication.
Today, thanks to the development of the Internet, various kinds of online services are provided. Most online service systems authenticate whether a client computer device accessing the system through the Internet is entitled to use the online service.
The most commonly used user authentication method is authentication with a user ID and password: when a user joins an online service system as a member, the user ID and password are registered, and later, when that user tries to access the system, the previously registered user ID and password are entered to verify the user's identity.
However, with this ID and password based authentication method the authentication information (user ID and password) is easily stolen or hacked, and once the authentication information is exposed, malicious access attempts cannot be blocked.
Online service systems manage a variety of personal information, and as intangible assets held through online service systems (for example, items in online games, cyber money, and the like) have recently increased, stronger identity authentication methods are required.
In response to this demand, various secondary authentication schemes following the primary authentication by user ID and password described above have been tried; in particular, a one-time authentication key based secondary authentication scheme using the user's mobile communication terminal is widely used. This one-time authentication key based authentication scheme usually proceeds as follows. First, the online service system performs the primary authentication procedure (for example, checking the user ID and password) and, after primary authentication, requests secondary authentication from the secondary authentication server. The secondary authentication server sends a text message (SMS) containing a one-time authentication key to the user's mobile communication terminal. The online service system receives the one-time authentication key entered through the user's computer device and forwards it to the secondary authentication server. The secondary authentication server then verifies whether the one-time authentication key sent to the user's mobile communication terminal and the one-time authentication key received through the online service system are the same.
Although this one-time authentication key based secondary authentication scheme strengthens identity authentication to some degree, the following vulnerabilities to remote hacking and proximity hacking still remain.
That is, as remote hacking techniques, the authentication key can be stolen when the user transmits the one-time authentication key to the online service system: a hacker may intercept the key through network spoofing, a hacker may have installed a keylogger on the user's computer device in advance and remotely monitor and extract the one-time authentication key entered into it, or the user may be induced to connect to a phishing site rather than the online service system so that the one-time authentication key entered into the phishing site is captured. As an example, in July 2006 there was a case at a bank in the United States in which a bank account was penetrated using an authentication key stolen through a phishing site, a remote hacking technique.
In addition, as a proximity hacking technique, a one-time authentication key delivered to the user's mobile communication terminal may be learned and misused through techniques such as shoulder surfing or social engineering carried out near the user.
Therefore, for secondary authentication using a one-time authentication key, a stronger identity authentication technique is needed, one that can resist even when the one-time authentication key is stolen by a hacker through a remote hacking technique or a proximity hacking technique.
An object of the present invention, devised to solve the problems of the prior art described above, is to provide a unique identifier based authentication system and method that can resist theft of the one-time authentication key through remote or proximity hacking techniques, by performing user authentication on the basis of a comparison between the unique identifier of the computer device on which primary authentication was completed and the unique identifier of the computer device attempting secondary authentication.
A unique identifier based authentication system according to the present invention for achieving the above object comprises: a device registration unit that registers end entity information required for secondary authentication and a mobile communication terminal matched with the end entity information; a transmission and reception processing unit that communicates with an online service system to receive the unique identifier of the computer device primary-authenticated with the end entity information, the unique identifier of a second-authentication-attempt computer device that attempts secondary authentication with the end entity information, and a one-time authentication key entered from the second-authentication-attempt computer device; a unique identifier verification unit that verifies whether the primary-authenticated computer device and the second-authentication-attempt computer device are the same, using the unique identifier of the primary-authenticated computer device and the unique identifier of the second-authentication-attempt computer device; an authentication key issuing unit that issues a one-time authentication key to the mobile communication terminal and transmits it through the transmission and reception processing unit; and an authentication key verification unit that verifies whether the one-time authentication key issued by the authentication key issuing unit and the one-time authentication key received by the transmission and reception processing unit are the same.
In addition, a unique identifier based authentication method according to the present invention comprises: a device registration step in which a secondary authentication system registers end entity information required for secondary authentication and a mobile communication terminal matched with the end entity information; an authentication key issuing step in which, when the unique identifier of the computer device primary-authenticated with the end entity information and a secondary authentication request are received through communication with an online service system, the secondary authentication system issues a one-time authentication key to the mobile communication terminal; a secondary authentication attempt step in which the secondary authentication system communicates with the online service system to receive the unique identifier of a second-authentication-attempt computer device that attempts secondary authentication with the end entity information and a one-time authentication key entered from the second-authentication-attempt computer device; a unique identifier verification step in which the secondary authentication system verifies whether the primary-authenticated computer device and the second-authentication-attempt computer device are the same, using the unique identifier of the primary-authenticated computer device and the unique identifier of the second-authentication-attempt computer device; and an authentication key verification step in which the secondary authentication system verifies whether the one-time authentication key issued in the authentication key issuing step and the one-time authentication key entered in the secondary authentication attempt step are the same.
In addition, a unique identifier based authentication method according to the present invention comprises: a first step in which a mobile communication terminal installs a security authentication module; a second step in which the mobile communication terminal connects to a secondary authentication system and transmits end entity information required for secondary authentication and system information of the mobile communication terminal; a third step in which the mobile communication terminal connects to a push server, transmits the certificate of the security authentication module and the unique information of the mobile communication terminal, and requests issuance of a device token; a fourth step in which, when the device token is issued by the push server, the mobile communication terminal forwards the issued device token to the secondary authentication system; and a fifth step in which, when a push message arrives from the push server, the mobile communication terminal communicates with the secondary authentication system, receives a one-time authentication key from the secondary authentication system, and displays it on the screen.
In addition, a unique identifier based authentication method according to the present invention comprises: a first step in which, when end entity information for primary authentication is entered by the user, a computer device generates the unique identifier of the computer device; a second step in which the computer device transmits the unique identifier generated in the first step and the end entity information for primary authentication to an online service system; a third step in which, when a one-time authentication key for secondary authentication is entered by the user, the computer device generates the unique identifier of the computer device; and a fourth step in which the computer device transmits the unique identifier generated in the third step and the one-time authentication key for secondary authentication to the online service system.
As described above, according to the present invention, user authentication succeeds only when the unique identifier of the computer device on which primary authentication was completed and the unique identifier of the computer device attempting secondary authentication are the same, so authentication security is further strengthened.
FIG. 1 is a schematic block diagram of a unique identifier based authentication system according to the present invention.
FIG. 2 is a detailed block diagram of a unique identifier based authentication system according to the present invention.
FIG. 3 is an operation flowchart illustrating the operation of a mobile communication terminal according to an embodiment of the present invention.
FIG. 4 is an operation flowchart illustrating the operation by which the security authentication module of a computer device according to the present invention collects the unique identifier of the computer device.
FIG. 5 is an operation flowchart illustrating the operation of the secondary authentication system according to the present invention.
FIG. 6 is an operation flowchart illustrating the process by which the secondary authentication system according to the present invention renews and reissues a one-time authentication key to an end entity.
[Description of reference numerals]
110: end entity 111: computer device
112: mobile communication terminal 120: online service system
130: push server 140: secondary authentication system
141: transmission and reception processing unit 142: encryption and decryption processing unit
143: device registration unit 144: one-time authentication processing unit
145: database 146: memory unit
Hereinafter, a unique identifier based authentication system and method according to the present invention will be described in more detail with reference to the accompanying drawings.
Recently, as online service systems provide online services to users who have passed both primary authentication based on an ID and password and secondary authentication based on a one-time authentication key, hacking methods that steal another person's online service ID have also evolved.
Such online service ID theft is often carried out in PC rooms where many computer devices are installed: the hacker installs a hacking program such as spyware or a keylogger on the computer device that a legitimate user will use (hereinafter, the hacking target computer device), and then hacks that device from a nearby computer device (hereinafter, the hacking computer device).
In that case, when a legitimate user enters an ID and password into the online service system from the hacking target computer device on which the hacking program is installed to perform primary authentication, and then receives a one-time authentication key on his or her own mobile communication terminal and attempts secondary authentication, the hacker can capture the information entered during this entire process through the hacking computer device. Once the legitimate user completes primary authentication by entering the ID and password on the hacking target computer device, the hacker also completes primary authentication by entering the same ID and password on the hacking computer device (duplicate logins with the same ID and password are possible), and when the legitimate user enters the one-time authentication key for secondary authentication on the hacking target computer device, the hacker captures that one-time authentication key and enters it on the hacking computer device as well.
However, the one-time authentication key entered by the legitimate user on the hacking target computer device is blocked on its way to the online service system, and instead the one-time authentication key entered by the hacker on the hacking computer device is delivered to the online service system. As a result, the hacking target computer device in use by the legitimate user fails to connect to the online service system, while the hacking computer device in use by the hacker is connected to it. That is, primary authentication takes place on the hacking target computer device, but secondary authentication takes place on the hacking computer device, and in the end the hacking computer device is connected to the online service system. The present invention proposes a method of performing stronger identity authentication in this situation.
도 1은 이 발명에 따른 고유식별자 기반 인증시스템의 개략적인 구성 블록도이다.1 is a schematic block diagram of a unique identifier based authentication system according to the present invention.
종단실체(110)는 이 발명을 통한 인증 절차를 이용하는 최종 사용자이다. 이 종단실체(110)는 통신망(100)을 통해 온라인 서비스 시스템(120)에서 온라인 서비스를 제공받기 위해 이 발명에 따른 인증 절차를 이용한다. 종단실체(110)는 온라인 서비스 시스템(120)의 온라인 서비스를 제공받고 온라인 서비스 시스템(120)과의 통신을 통해 이 발명에 따른 1차 인증과 2차 인증을 수행하는 컴퓨터장치(111)와, 2차 인증을 수행하기 위한 이동통신단말기(112)를 포함한다.The end entity 110 is an end user using the authentication procedure through this invention. The end entity 110 uses the authentication procedure according to the present invention to receive the online service from the online service system 120 through the communication network 100. The terminal entity 110 is provided with an on-line service of the on-line service system 120 and a computer device 111 for performing first and second authentication according to the present invention through communication with the on-line service system 120; And a mobile communication terminal 112 for performing secondary authentication.
컴퓨터장치(111)는 데스크탑, 노트북과 같은 다양한 컴퓨터 환경을 포함한다. 컴퓨터장치(111)는 이 발명에 따른 보안인증모듈을 포함하는데, 이 보안인증모듈은 1차 인증을 수행하는 과정과 2차 인증을 수행하는 과정에서 각각 해당 컴퓨터장치(111)의 고유식별자를 추출하여, 온라인 서비스 시스템(120)에게 전송한다.The computer device 111 includes various computer environments such as a desktop and a notebook. The computer device 111 includes a security authentication module according to the present invention. The security authentication module extracts unique identifiers of the corresponding computer device 111 during a first authentication process and a second authentication process. To the online service system 120.
The mobile communication terminal 112 includes ordinary feature phones as well as smartphones that run an operating system (OS) and can install and run various applications. The detailed internal configuration of the computer device 111 and the mobile communication terminal 112 used to implement this invention, and the process by which the security authentication module of the computer device 111 extracts the unique identifier of the computer device, are described later.
The online service system 120 is a web-based system that provides online services to many users over the communication network 100, and it performs the first authentication of the end entity 110. Typically the online service system 120 has a login processing system 121, and the login processing system 121 performs the first authentication of the end entity 110. The first authentication covers every form of single-factor authentication: knowledge-based, possession-based, inherence (biometric)-based, and so on. The online service system 120 passes the unique identifier of the first-authenticated computer device 111 to the secondary authentication system 140 and requests second authentication for the first-authenticated end entity. The online service system 120 also forwards to the secondary authentication system 140 the one-time authentication key entered on the computer device 111 for the second authentication, together with the unique identifier of that computer device 111.
When the online service system 120 requests second authentication for a computer device on which first authentication has been performed, the secondary authentication system 140 receives the unique identifier of the first-authenticated computer device and issues a one-time authentication key to the mobile communication terminal 112 of the first-authenticated end entity. The secondary authentication system 140 then receives, via the online service system 120, the one-time authentication key and the unique identifier of the computer device on which that key was entered (the second-authentication-attempt device). Using the unique identifier of the first-authenticated computer device and the unique identifier of the second-authentication-attempt computer device, the secondary authentication system 140 verifies that the two are the same device; it also verifies that the one-time authentication key issued to the mobile communication terminal 112 of the end entity 110 matches the one-time authentication key entered on the computer device, and reports the verification result to the online service system.
If the mobile communication terminal is an ordinary feature phone, or a smartphone for which no push-service device token has been registered, the secondary authentication system 140 issues the one-time authentication key to that terminal through an SMS server. If the mobile communication terminal is a smartphone with a registered push-service device token, the secondary authentication system 140 issues the one-time authentication key to the terminal via the push server 130. Issuing a one-time authentication key through an SMS server is a conventional procedure, so its details are omitted. This specification describes in detail how the secondary authentication system 140 issues a one-time authentication key to the mobile communication terminal using a push server.
The push server is a service provided by the manufacturer of the end entity's mobile communication terminal. When the mobile communication terminal wants to receive push service for a given application, it first obtains from the push server a device token corresponding to that application. The push server then delivers push messages to the mobile communication terminal to wake it up and activate the application associated with the device token (here, the security authentication module of the mobile communication terminal of this invention).
That is, when the secondary authentication system 140 wants to issue a one-time authentication key to the mobile communication terminal 112 of the end entity 110, it passes the device token of the mobile communication terminal 112 to the push server 130; the push server 130 then sends a push message to the mobile communication terminal 112 so that it wakes up and communicates with the secondary authentication system 140.
How the mobile communication terminal obtains a device token from the push server is described later. As examples of push servers, iOS devices use the Apple Push Notification Service (APNs) provided by Apple, and Android devices use Cloud To Device Messaging (C2DM) provided by Google.
The security authentication module installed on a computer device extracts a unique identifier that is distinct for each computer device. The unique identifier is generated on the basis of a Universally Unique Identifier (UUID) or Globally Unique Identifier (GUID) as standardized by the Open Software Foundation (OSF), which provides the uniqueness of the computer device's unique identifier.
FIG. 2 is a detailed block diagram of the unique-identifier-based authentication system according to the present invention.
The computer device 111 of the end entity 110 according to this invention comprises an input/output unit 111A, a transceiver unit 111B and a security authentication module 111C. The input/output unit 111A is the usual keyboard, mouse, monitor and so on, and provides the interface to the user. The transceiver unit 111B connects to the online service system 120 over a wired communication network. The security authentication module 111C is software installed and running on the computer device 111; it includes a unique-identifier collection unit that collects the unique identifier of the computer device, and an encryption processing unit that encrypts the collected unique identifier and outputs it through the transceiver unit 111B. The unique-identifier collection unit generates the unique identifier of the computer device on the basis of a UUID or GUID as standardized by the OSF.
The mobile communication terminal 112 of the end entity 110 according to this invention comprises an input/output unit 112A, a transceiver unit 112B and a security authentication module 112C. The input/output unit 112A is a conventional touch pad or the like and provides the interface to the user. The transceiver unit 112B communicates with the secondary authentication system 140 and the push server 130 of this invention over a mobile communication network. The security authentication module 112C obtains from the push server 130 the device token corresponding to that module, registers the issued device token with the secondary authentication system 140, and, when a one-time authentication key arrives from the secondary authentication system 140 after a push message has been delivered by the push server 130, displays the received one-time authentication key on the screen of the input/output unit 112A.
The online service system 120 according to this invention stores the information needed for the first authentication of the end entity 110, requests second authentication from the secondary authentication system 140 for an end entity 110 whose first authentication has completed, and receives the result from the secondary authentication system 140. That is, the online service system 120 first-authenticates the end entity 110, receives from that end entity 110 the one-time authentication key for the second authentication, and forwards it to the secondary authentication system 140. In addition, the online service system 120 forwards to the secondary authentication system 140 the unique identifier of the end entity's first-authenticated computer device and the unique identifier of the second-authentication-attempt computer device.
The secondary authentication system 140 according to this invention comprises: a transmission/reception processing unit 141 for exchanging data with the end entity 110, the online service system 120 and the push server 130; an encryption/decryption processing unit 142 that encrypts and decrypts the data exchanged; a device registration unit 143 that matches and registers end entity 110 information with information about the mobile communication terminal 112 (for example, phone number, whether a device token has been issued, and the device token itself); a one-time authentication processing unit 144 that generates and issues a one-time authentication key to the pre-registered mobile communication terminal of a first-authenticated end entity in order to perform the second authentication, and that compares the unique identifier of the first-authenticated computer device with the unique identifier of the second-authentication-attempt computer device for the same end entity to verify whether they are the same device; a database 145 that stores end entity information, device token information and per-end-entity settings; and a memory unit 146 that stores the one-time authentication key issued by the one-time authentication processing unit 144, the unique identifier of the first-authenticated computer device, processing-procedure information and the like.
Here, the transmission/reception processing unit 141 includes a wired processing unit that communicates over a wired network with the online service system 120, the push server 130 and an SMS server (not shown), and a wireless processing unit that communicates with the mobile communication terminal 112 over a wireless network. The device registration unit 143 includes a device registration processing unit that handles device registration for each mobile communication terminal, and a device number issuer that issues a number to each registered mobile communication terminal. The one-time authentication processing unit 144 includes: a unique-identifier verification unit that stores the unique identifier of the first-authenticated computer device in the memory unit and verifies the unique identifier of the computer device that attempts the second authentication; an authentication key generation unit that generates the one-time authentication key; an authentication key issuing unit that issues the one-time authentication key to the mobile communication terminal matched to the first-authenticated end entity; and an authentication key verification unit that receives, via the online service system, the one-time authentication key entered on the second-authentication-attempt computer device and verifies it by comparing the issued one-time authentication key with the entered one.
Here, the authentication key generation unit may generate the one-time authentication key on the basis of the unique identifier of the first-authenticated computer device.
When second authentication is requested for a first-authenticated end entity, the one-time authentication key is generated by the authentication key generation unit, activated by the authentication key issuing unit, verified by the authentication key verification unit, and then destroyed. Conventionally, if second authentication was requested again after a one-time authentication key had been generated but before it had been destroyed in the normal way, a new one-time authentication key was issued in duplicate. This opens the door to problems such as a malicious attacker interfering with the legitimate end entity's security authentication procedure and preventing the legitimate end entity from passing the second authentication. For this reason, the one-time authentication processing unit 144 of this invention in principle drives each one-time authentication key sequentially through generation, activation and destruction, and does not issue a duplicate one-time authentication key for the same end entity. If, for some particular reason, the legitimate end entity's one-time authentication key must be renewed, the end entity computer device that requested the initial issuance is compared with the end entity computer device that requests the renewal; only if they are the same is the previously issued one-time authentication key discarded and a new one-time authentication key generated and activated.
FIG. 3 is a flowchart showing the operation of the mobile communication terminal according to one embodiment of this invention.
The security authentication module 112C of the mobile communication terminal 112 is an application built on the operating system installed on the mobile communication terminal 112 that carries out the authentication procedure according to this invention. FIG. 3 shows the procedure the mobile communication terminal follows in order to obtain a device token from the push server and then use that device token to receive a one-time authentication key.
First, the security authentication module 112C is installed on the end entity's mobile communication terminal (S301). The security authentication module 112C transmits the end entity information needed to perform authentication (the user ID for accessing the online service system, the system information of the mobile communication terminal, and so on) to the secondary authentication system, so that the secondary authentication system collects the end entity information through the mobile communication terminal (S302).
Next, the secondary authentication system checks the collected end entity information, performs real-name verification and identity verification for the mobile communication terminal itself, and transmits the result to the mobile communication terminal. If a failure result for the real-name and identity verification is received from the secondary authentication system (S303), the terminal treats this as a device registration failure and stops (S304).
If instead a success result for the real-name and identity verification of the mobile communication terminal is received from the secondary authentication system (S303), the security authentication module of the mobile communication terminal connects to the push server and requests issuance of a device token, sending the certificate of the security authentication module and the unique information of the mobile communication terminal to the push server (S305).
When the push server issues the device token (S306), the security authentication module of the mobile communication terminal passes the issued device token to the secondary authentication system (S307). The secondary authentication system then registers the device token of the mobile communication terminal in its database together with the corresponding end entity information.
Thereafter, when a push message is received from the push server (S308), the security authentication module of the mobile communication terminal is activated and communicates with the secondary authentication system (S309). When a one-time authentication key is then received from the secondary authentication system (S310), it is displayed on the screen of the input/output unit (S311).
FIG. 4 is a flowchart showing how the security authentication module of the computer device according to this invention collects the unique identifier of the computer device. The security authentication module of the computer device according to this invention is an application installed and running on the computer device that connects to the online service system.
The unique identifier of the computer device is generated on the basis of a UUID or GUID as standardized by the OSF. The purpose of a universally unique identifier is to identify each computer device uniquely in a distributed system. A UUID generated to identify one entity (computer device) is therefore almost never identical to a UUID generated to identify another entity (computer device). A collision is possible with a very small probability, but because it is practically impossible for the UUID of the first-authenticated computer device and the UUID of an attacker's computer device attempting the second authentication to coincide, the uniqueness of a UUID-based unique identifier can be relied upon. Note that uniqueness only guarantees that two different devices will not present the same value; it does not by itself stop a copied value from being presented again, which is why the identifier described next also carries a timestamp and is transmitted in encrypted form. This invention applies the UUID for its own purposes as described below.
In this invention the unique identifier of the computer device is composed of a timestamp, which makes the identifier single-use so as to counter replay of the unique identifier; information about a service file, which identifies the online service system; and the unique information of the computer device itself. The unique information of the computer device includes the UUID and may additionally include unique information about the computer device's system hardware.
When a request to collect the unique identifier reaches the security authentication module of the end entity computer device, the unique-identifier collection unit generates a timestamp based on Coordinated Universal Time (UTC) (S401) and collects information about the service file provided by the online service system (S402). The service file information includes, in addition to basic file information, derived file information such as a message digest of the file. Once the service file information has been collected, the unique information of the end entity computer device is collected (S403).
The collected unique information of the computer device may be reprocessed depending on whether the end entity consents to providing it. If the end entity consents to the collected unique information being passed to the secondary authentication system (S404), the timestamp from step S401, the service file information from step S402 and the unique information of the end entity computer device from step S403 are merged to produce the unique identifier (S405), and the unique identifier is encrypted with a symmetric-key encryption algorithm (S406). The key for the symmetric-key algorithm is shared with the secondary authentication system through any of various key-agreement algorithms, and the encrypted unique identifier is transmitted to the secondary authentication system via the online service system (S407).
In step S404, if the end entity does not wish to provide the collected unique information of the computer device to the secondary authentication system, a hash value of the unique information collected in step S403 is computed with a one-way hash algorithm (S408), and this hash value is substituted for the collected unique information and supplied to step S405 (S409).
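One way to implement the identifier collection of FIG. 4 (S401 to S409) end to end, as an added example in Python that is not part of the patent or the applicant's software. The device UUID, the service file bytes, the hardware information and the shared key are constructed values; the patent does not name its symmetric algorithm, so the encryption here is a standard-library stand-in (keyed-hash stream cipher with an encrypt-then-MAC tag) where a deployment would use AES-GCM. The decryption function shows the receiving side of S407, which the text assigns to the encryption/decryption processing unit 142.

```python
"""Client-side collection of the computer device's unique identifier, following
the FIG. 4 flow (S401-S409). Added example; not the patent's own code."""
import hashlib
import hmac
import json
import os
import time

# Assumption: the symmetric key of S406 has already been agreed with the
# secondary authentication system; a fixed constructed value stands in for it.
SHARED_KEY = hashlib.sha256(b"constructed demo key").digest()


def utc_timestamp():
    """S401: UTC timestamp (seconds); it makes each collected identifier single-use."""
    return int(time.time())


def service_file_info(path, data):
    """S402: basic file information plus a message digest of the service file.
    The bytes are passed in so the example runs without reading the disk."""
    return {"name": os.path.basename(path), "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def device_unique_info(machine_uuid, hardware=None):
    """S403: the device UUID/GUID (how it is read is platform-specific, e.g.
    /etc/machine-id on Linux), optionally extended with hardware information."""
    info = {"uuid": machine_uuid}
    if hardware:
        info.update(hardware)
    return info


def build_identifier(ts, svc, dev, consent):
    """S404/S405, with the S408/S409 branch: when the end entity withholds
    consent, a one-way hash replaces the raw device information."""
    if not consent:
        canon = json.dumps(dev, sort_keys=True).encode()
        dev = {"hash": hashlib.sha256(canon).hexdigest()}
    return {"ts": ts, "service": svc, "device": dev}


def _keystream(key, nonce, length):
    """PRF keystream: HMAC-SHA256 over nonce||counter, CTR style."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    """Separate encryption and MAC keys derived from the shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_identifier(ident, key=SHARED_KEY):
    """S406: symmetric encryption. The patent names no algorithm; this stdlib-only
    stand-in is a keyed-hash stream cipher with an encrypt-then-MAC tag.
    A deployment would use AES-GCM from a real crypto library instead."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(ident, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag          # what S407 sends via the online service system


def decrypt_identifier(blob, key=SHARED_KEY):
    """Inverse, as unit 142 of the secondary authentication system would run it:
    check the tag first, then decrypt; a modified blob is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unique identifier failed integrity check")
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)
```

The consent branch matters for the later device comparison: a hashed device part is still stable across the first and second authentication of the same device, so the secondary authentication system can compare it without ever seeing the raw UUID or hardware details.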
FIG. 5 is a flowchart showing the operation of the secondary authentication system according to this invention.
When an end entity computer device accesses the online service system, the online service system performs first authentication of that computer device. At this point the computer device transmits to the online service system the end entity information needed for authentication together with the unique identifier of the computer device generated as in FIG. 4. If the first authentication succeeds, the online service system passes the end entity information and the unique identifier of the first-authenticated computer device to the secondary authentication system and requests second authentication.
When the secondary authentication system receives the end entity information and the unique identifier of the first-authenticated computer device from the online service system along with a request for second authentication (S501), it checks whether a mobile communication terminal corresponding to the received end entity information is registered (S502). If a mobile communication terminal is registered (S503), it generates a one-time authentication key (S504) and issues the generated key to the mobile communication terminal (S505).
The one-time authentication key of step S504 may be generated on the basis of the unique identifier of the first-authenticated computer device; to reduce the probability of duplicate keys, it may additionally be derived from other inputs such as the time or a random number.
In step S505 the generated one-time authentication key may be issued to the mobile communication terminal as a text message containing the key, sent through an SMS server, or it may be issued over a server/client connection between the secondary authentication system and a mobile communication terminal that has been activated by the push server.
When the push server is used, the secondary authentication system passes the device token of the mobile communication terminal and a message requesting communication with that terminal to the push server. The push server determines from the device token which mobile communication terminal should receive the push message, and delivers the push message to that terminal, thereby activating the terminal and its security authentication module. The activated security authentication module then performs server/client communication with the secondary authentication system, and the secondary authentication system issues the one-time authentication key to the security authentication module.
The generated one-time authentication key is transmitted over the communication network to the legitimate end entity's mobile communication terminal and displayed on its screen. In this state, when the legitimate end entity or a hacker enters the one-time authentication key displayed on the mobile communication terminal into the secondary-authentication-attempt computer device, the unique identifier of that secondary-authentication-attempt computer device is collected (S506).
The one-time authentication key entered into the secondary-authentication-attempt computer device in step S506 and the unique identifier of that device are forwarded to the secondary authentication system via the online service system (S507).
The secondary authentication system compares the one-time authentication key issued in step S505 with the one-time authentication key received in step S507 (S508) to authenticate the one-time authentication key. If the issued and received one-time authentication keys match (S508), it compares the unique identifier of the primary-authenticated computer device with the unique identifier of the secondary-authentication-attempt computer device (S509) to verify whether the secondary-authentication-attempt computer device is the same as the primary-authenticated computer device. If the two computer devices are the same (S509), the attempt is treated as an authentication approval (S510) and the result is transmitted to the online service system (S511).
On the other hand, if the mobile communication terminal is found to be unregistered in step S503, it is treated as an unregistered mobile communication terminal (S512) and the online service system is notified that the terminal is unregistered (S511). Likewise, if the issued and received one-time authentication keys do not match in step S508, or the two computer devices do not match in step S509, the attempt is treated as an authentication failure (S513) and the online service system is notified of the result (S511).
Fig. 6 is an operation flowchart illustrating the process by which the secondary authentication system according to this invention renews and reissues a one-time authentication key to an end entity.
An end entity may need to have the one-time authentication key issued during secondary authentication renewed. For example, when the one-time authentication key issued by the secondary authentication system is lost due to a communication network failure and never reaches the mobile communication terminal, or when a physical defect of the computer device on which secondary authentication is to be attempted makes part of the issued one-time authentication key impossible to enter, the one-time authentication key must be renewed to a different value.
When an end entity requests renewal and reissue of a one-time authentication key through the online service system, the secondary authentication system needs to determine whether the end entity requesting the renewal is a legitimate end entity or a malicious end entity intervening in the security authentication procedure. Therefore, the secondary authentication system receives, together with the renewal request for the one-time authentication key, the unique identifier of the computer device making the renewal request via the online service system, and verifies whether the computer device that originally requested the one-time authentication key and the computer device requesting the renewal are the same. This is described in detail below.
The secondary authentication system receives end entity information, a one-time authentication key renewal request, and a unique identifier from the renewal-requesting computer device (S601). It checks whether a previously issued one-time authentication key exists for the mobile communication terminal matching the received end entity information (S602). If a previously issued one-time authentication key exists for that mobile communication terminal (S603), it compares the unique identifier of the authentication-key-issuing computer device (the device for which the one-time authentication key was originally issued) with the unique identifier of the renewal-requesting computer device to verify whether the two computer devices are the same (S604). If the two computer devices are the same (S604), the one-time authentication key is renewed and reissued to the mobile communication terminal matching the end entity information (S605), and the system waits until the reissued one-time authentication key is received from the online service system (S606). If no previously issued one-time authentication key exists in step S603, or the two computer devices are not the same in step S604, the renewal is judged to have failed and a log is collected (S607).
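The verification path of Fig. 5 (key match in S508, then device identity in S509) and the renewal path of Fig. 6 (S603/S604) reduce to two checks against the record kept at issue time. The following Python model is an added illustration, not code from the patent or its assignee; class and function names, the key derivation, and the sample identifiers are all assumptions.

```python
"""Added example (not code from the patent): a minimal model of the secondary
authentication system's verification (S508/S509) and renewal (S602-S607) logic.
All names, message shapes and sample identifiers below are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Issued:
    """A one-time authentication key and the primary-authenticated device it was
    issued for (the patent's 'authentication-key-issuing computer device')."""
    key: str
    issuer_uid: str


class SecondaryAuthSystem:
    def __init__(self) -> None:
        # device registration unit: end entity -> registered terminal (device token)
        self.registered: Dict[str, str] = {}
        # outstanding keys per end entity (a real system would also expire them)
        self.issued: Dict[str, Issued] = {}
        self.log: List[tuple] = []

    def register(self, entity: str, device_token: str) -> None:
        self.registered[entity] = device_token

    def issue_key(self, entity: str, primary_uid: str) -> Optional[str]:
        """S503-S505: refuse unregistered terminals; otherwise derive a key from
        the primary-authenticated identifier plus time and randomness, as the
        description suggests for lowering the chance of duplicate keys."""
        if entity not in self.registered:
            self.log.append(("unregistered", entity))  # S512
            return None
        material = f"{primary_uid}|{time.time_ns()}|{secrets.token_hex(8)}".encode()
        key = hmac.new(secrets.token_bytes(16), material, "sha256").hexdigest()[:8]
        self.issued[entity] = Issued(key, primary_uid)
        return key  # would be delivered to the terminal via SMS or push server

    def verify(self, entity: str, attempt_uid: str, entered_key: str) -> str:
        """S506-S511: the key must match AND the device that entered it must be
        the device that passed primary authentication."""
        issued = self.issued.get(entity)
        if issued is None:
            return "fail"  # S513: nothing outstanding for this entity
        if not hmac.compare_digest(issued.key, entered_key):
            self.log.append(("key-mismatch", entity))
            return "fail"  # S508 -> S513
        if not hmac.compare_digest(issued.issuer_uid, attempt_uid):
            # correct key typed on a different machine: the relay case the
            # identifier comparison of S509 exists to catch
            self.log.append(("device-mismatch", entity, attempt_uid))
            return "fail"  # S509 -> S513
        del self.issued[entity]  # one-time: consumed on success
        return "approved"  # S510

    def renew(self, entity: str, requester_uid: str) -> Optional[str]:
        """S601-S607: only the device the key was originally issued for may
        obtain a replacement key."""
        issued = self.issued.get(entity)
        if issued is None:  # S603: no outstanding key to renew
            self.log.append(("renew-no-key", entity))
            return None
        if not hmac.compare_digest(issued.issuer_uid, requester_uid):  # S604
            self.log.append(("renew-device-mismatch", entity, requester_uid))
            return None  # S607
        return self.issue_key(entity, issued.issuer_uid)  # S605


def demo() -> dict:
    """Constructed walk-through: a key relayed to a second machine, a renewal
    from the wrong machine, then the legitimate flow and a replay."""
    s = SecondaryAuthSystem()
    s.register("alice", "device-token-constructed")
    key = s.issue_key("alice", "uid-pc-1")
    res = {}
    res["relayed_key_other_device"] = s.verify("alice", "uid-pc-2", key)
    res["renew_wrong_device"] = s.renew("alice", "uid-pc-2")
    new_key = s.renew("alice", "uid-pc-1")
    res["renewed"] = new_key is not None and new_key != key
    res["old_key_after_renew"] = s.verify("alice", "uid-pc-1", key)
    res["legit"] = s.verify("alice", "uid-pc-1", new_key)
    res["replay"] = s.verify("alice", "uid-pc-1", new_key)
    res["unregistered_terminal"] = s.issue_key("bob", "uid-pc-3")
    return res
```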

Claims (28)

  1. A unique-identifier-based authentication system comprising:
    a device registration unit that registers end entity information required for secondary authentication and a mobile communication terminal matching the end entity information;
    a transmission/reception processing unit that communicates with an online service system to receive the unique identifier of a computer device primary-authenticated with the end entity information, the unique identifier of a secondary-authentication-attempt computer device attempting secondary authentication with the end entity information, and a one-time authentication key entered at the secondary-authentication-attempt computer device;
    a unique identifier verification unit that verifies, using the unique identifier of the primary-authenticated computer device and the unique identifier of the secondary-authentication-attempt computer device, whether the primary-authenticated computer device and the secondary-authentication-attempt computer device are the same;
    an authentication key issuing unit that issues a one-time authentication key to the mobile communication terminal and transmits it through the transmission/reception processing unit; and
    an authentication key verification unit that verifies whether the one-time authentication key issued by the authentication key issuing unit and the one-time authentication key received by the transmission/reception processing unit are the same.
  2. The unique-identifier-based authentication system of claim 1, wherein the unique identifier of the computer device includes a universally unique identifier (UUID).
  3. The unique-identifier-based authentication system of claim 1, wherein the unique identifier of the computer device includes a globally unique identifier (GUID).
  4. The unique-identifier-based authentication system of claim 1, wherein the unique identifier of the computer device includes a hash value of a universally unique identifier (UUID).
  5. The unique-identifier-based authentication system of claim 1, wherein the unique identifier of the computer device includes a hash value of a globally unique identifier (GUID).
  6. The unique-identifier-based authentication system of any one of claims 2 to 5, wherein the unique identifier of the computer device further includes a timestamp.
  7. The unique-identifier-based authentication system of any one of claims 2 to 5, wherein the unique identifier of the computer device further includes service file information of the online service system.
  8. The unique-identifier-based authentication system of claim 1, wherein the one-time authentication key issued by the authentication key issuing unit is generated from the unique identifier of the primary-authenticated computer device.
  9. The unique-identifier-based authentication system of claim 1, wherein the device registration unit registers a device token of the mobile communication terminal matching the end entity information, and the authentication key issuing unit activates the mobile communication terminal using the device token of the mobile communication terminal matching the end entity information and then communicates with the mobile communication terminal to issue a one-time authentication key to the mobile communication terminal.
  10. The unique-identifier-based authentication system of claim 1, wherein the authentication key issuing unit issues a one-time authentication key to the mobile communication terminal through an SMS server.
  11. A unique-identifier-based authentication method comprising:
    a device registration step in which a secondary authentication system registers end entity information required for secondary authentication and a mobile communication terminal matching the end entity information;
    an authentication key issuing step in which, when the unique identifier of a computer device primary-authenticated with the end entity information and a secondary authentication request are received through communication with an online service system, the secondary authentication system issues a one-time authentication key to the mobile communication terminal;
    a secondary authentication attempt step in which the secondary authentication system communicates with the online service system to receive the unique identifier of a secondary-authentication-attempt computer device attempting secondary authentication with the end entity information and a one-time authentication key entered at the secondary-authentication-attempt computer device;
    a unique identifier verification step in which the secondary authentication system verifies, using the unique identifier of the primary-authenticated computer device and the unique identifier of the secondary-authentication-attempt computer device, whether the primary-authenticated computer device and the secondary-authentication-attempt computer device are the same; and
    an authentication key verification step in which the secondary authentication system verifies whether the one-time authentication key issued in the authentication key issuing step and the one-time authentication key entered in the secondary authentication attempt step are the same.
  12. The unique-identifier-based authentication method of claim 11, wherein the unique identifier of the computer device includes a universally unique identifier (UUID).
  13. The unique-identifier-based authentication method of claim 11, wherein the unique identifier of the computer device includes a globally unique identifier (GUID).
  14. The unique-identifier-based authentication method of claim 11, wherein the unique identifier of the computer device includes a hash value of a universally unique identifier (UUID).
  15. The unique-identifier-based authentication method of claim 11, wherein the unique identifier of the computer device includes a hash value of a globally unique identifier (GUID).
  16. The unique-identifier-based authentication method of any one of claims 12 to 15, wherein the unique identifier of the computer device further includes a timestamp.
  17. The unique-identifier-based authentication method of any one of claims 12 to 15, wherein the unique identifier of the computer device further includes service file information of the online service system.
  18. The unique-identifier-based authentication method of claim 11, wherein the one-time authentication key issued in the authentication key issuing step is generated from the unique identifier of the primary-authenticated computer device.
  19. The unique-identifier-based authentication method of claim 11, wherein the device registration step registers a device token of the mobile communication terminal matching the end entity information, and the authentication key issuing step activates the mobile communication terminal using the device token of the mobile communication terminal matching the end entity information and then communicates with the mobile communication terminal to issue a one-time authentication key to the mobile communication terminal.
  20. The unique-identifier-based authentication method of claim 11, wherein the authentication key issuing unit issues a one-time authentication key to the mobile communication terminal through an SMS server.
  21. A unique-identifier-based authentication method comprising:
    a first step in which a mobile communication terminal installs a security authentication module;
    a second step in which the mobile communication terminal connects to a secondary authentication system and transmits end entity information required for secondary authentication and system information of the mobile communication terminal;
    a third step in which the mobile communication terminal connects to a push server, transmits the certificate of the security authentication module and unique information of the mobile communication terminal, and requests issuance of a device token;
    a fourth step in which, when the device token is issued by the push server, the mobile communication terminal forwards the issued device token to the secondary authentication system; and
    a fifth step in which, when a push message arrives from the push server, the mobile communication terminal communicates with the secondary authentication system, receives a one-time authentication key from the secondary authentication system, and displays it on the screen.
  22. A unique-identifier-based authentication method comprising:
    a first step in which, when end entity information for primary authentication is entered by a user, a computer device generates a unique identifier of the computer device;
    a second step in which the computer device transmits the unique identifier of the computer device generated in the first step and the end entity information for primary authentication to an online service system;
    a third step in which, when a one-time authentication key for secondary authentication is entered by the user, the computer device generates a unique identifier of the computer device; and
    a fourth step in which the computer device transmits the unique identifier of the computer device generated in the third step and the one-time authentication key for secondary authentication to the online service system.
  23. The unique-identifier-based authentication method of claim 22, wherein the unique identifier of the computer device includes a universally unique identifier (UUID).
  24. The unique-identifier-based authentication method of claim 22, wherein the unique identifier of the computer device includes a globally unique identifier (GUID).
  25. The unique-identifier-based authentication method of claim 22, wherein the unique identifier of the computer device includes a hash value of a universally unique identifier (UUID).
  26. The unique-identifier-based authentication method of claim 22, wherein the unique identifier of the computer device includes a hash value of a globally unique identifier (GUID).
  27. The unique-identifier-based authentication method of any one of claims 23 to 26, wherein the unique identifier of the computer device further includes a timestamp.
  28. The unique-identifier-based authentication method of any one of claims 23 to 26, wherein the unique identifier of the computer device further includes service file information of the online service system.

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
KR1020110019204A (KR101206854B1) | 2011-01-19 | 2011-03-04 | Authentication system and method based by unique identifier
KR10-2011-0019204 | 2011-03-04 | |
PCT/KR2012/001246 (WO2012121497A2) | 2011-03-04 | 2012-02-20 | Distinct identifier-based authentication system and method

Publications (2)

Publication Number | Publication Date
WO2012121497A2 | 2012-09-13
WO2012121497A3 | 2012-12-20
Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 12755270; Country of ref document: EP; Kind code of ref document: A2
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 12755270; Country of ref document: EP; Kind code of ref document: A2