WO2012128478A2 - System and method for image-based authentication - Google Patents


Info

Publication number
WO2012128478A2
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
mobile communication
communication terminal
key
image
Application number
PCT/KR2012/001249
Other languages
French (fr)
Korean (ko)
Other versions
WO2012128478A3 (en)
Inventor
정영석
한형덕
황재연
Original Assignee
(주)잉카인터넷
Application filed by (주)잉카인터넷
Publication of WO2012128478A2
Publication of WO2012128478A3

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
          • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          • H04L 9/3215 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
          • H04L 63/00 Network architectures or network communication protocols for network security
          • H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
          • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
          • H04L 2209/80 Wireless
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
          • H04W 12/06 Authentication
          • H04W 12/069 Authentication using certificates or pre-shared keys
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
          • G06K 7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
          • G06K 7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
        • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
          • G06V 30/00 Character recognition; Recognising digital ink; Document-oriented image-based pattern recognition
          • G06V 30/10 Character recognition
          • G06V 30/22 Character recognition characterised by the type of writing
          • G06V 30/224 Character recognition characterised by the type of writing of printed characters having additional code marks or containing code marks

Definitions

  • the present invention relates to an authentication system and method, and more particularly to an image-based authentication system and method in which a user is authenticated by transmitting to an authentication server an authentication key that corresponds to an authentication image.
  • the most commonly used user authentication method is an authentication method using a user ID and password.
  • the user ID and password are registered in advance, and when the user later tries to access the system, the user enters the registered user ID and password so that the system can verify the user's identity.
  • with the authentication method using an ID and password, the authentication information (user ID and password) is easy to steal or hack, and malicious access attempts cannot be blocked once the authentication information is exposed.
  • This one-time authentication key-based authentication method usually proceeds with the following procedure.
  • the online service system performs a first authentication procedure (for example, checking a user ID and a password) and, after the first authentication, requests secondary authentication from the secondary authentication server.
  • the secondary authentication server sends a text message (SMS) including a one-time authentication key to the user's mobile communication terminal.
  • the online service system receives the one-time authentication key through the user's computer device and delivers it to the secondary authentication server.
  • the secondary authentication server verifies that the one-time authentication key sent to the user's mobile communication terminal and the one-time authentication key entered through the online service system are the same.
  • although the one-time authentication key-based secondary authentication method strengthens user authentication to some extent, vulnerabilities remain because of the following remote (long-range) and short-range hacking techniques.
  • in a remote hacking technique, when the user sends the one-time authentication key to the online service system, the hacker intercepts the one-time authentication key through network spoofing; or the hacker installs a key logger on the user's computer device in advance and remotely monitors and captures the one-time authentication key entered on that device; or the hacker induces the user to access a phishing site instead of the online service system and captures the one-time authentication key entered on the phishing site. For example, in July 2006 a bank account at a US bank was broken into using an authentication key stolen through a phishing site, a remote hacking technique.
  • a one-time authentication key transmitted to a user's mobile communication terminal may be identified and stolen through a technique such as shoulder surfing or social engineering near the user.
  • an object of the present invention, devised to meet the needs of the prior art described above, is to provide an image-based authentication system and method that authenticates a user by receiving an image-based authentication key from a pre-registered mobile communication terminal corresponding to a computer device for which primary authentication is complete and comparing it with a previously registered authentication key, and that can thereby resist theft of the one-time authentication key through remote or short-range hacking techniques.
  • an image-based authentication system for achieving the above object authenticates an end entity that includes a computer device performing primary authentication through communication with the online service system and a mobile communication terminal performing secondary authentication, and comprises: a mobile communication terminal registration unit for registering the end entity information required for secondary authentication and the mobile communication terminal matching that information; an authentication key generation unit for generating a secondary authentication key to be issued to the end entity that has completed primary authentication; an authentication image generation unit for generating an authentication image corresponding to the generated secondary authentication key and displaying it, through the online service system, on the computer device of the end entity that has completed primary authentication; and an authentication key verification unit for activating the mobile communication terminal registered for that end entity and then verifying the secondary authentication key received from the activated mobile communication terminal.
  • an image-based authentication method according to the present invention authenticates an end entity that includes a computer device performing primary authentication through communication with the online service system and a mobile communication terminal performing secondary authentication, and comprises: a mobile communication terminal registration step in which a secondary authentication system registers the end entity information necessary for secondary authentication and the mobile communication terminal matching that information; an authentication key generation step in which the secondary authentication system, when secondary authentication of the end entity is requested by the online service system, generates a secondary authentication key to be issued to the end entity that has completed primary authentication; an authentication image generation step in which the secondary authentication system generates an authentication image corresponding to the generated secondary authentication key and displays it, through the online service system, on the computer device of that end entity; and an authentication key verification step in which, after the authentication image generation step, the secondary authentication system activates the mobile communication terminal registered for that end entity and verifies the secondary authentication key received from the activated mobile communication terminal.
  • another image-based authentication system according to the present invention authenticates an end entity that includes a computer device performing primary authentication through communication with the online service system and a mobile communication terminal performing secondary authentication, and comprises: a mobile communication terminal registration unit for registering the end entity information necessary for secondary authentication and the mobile communication terminal matching that information; an authentication image receiver for receiving an authentication image through the mobile communication terminal registered in the mobile communication terminal registration unit; an authentication key generation and issuing unit for generating a secondary authentication key from the received authentication image, storing it, and issuing it to the mobile communication terminal, which stores it; and an authentication key verification unit for activating the mobile communication terminal registered for the end entity that has completed primary authentication, receiving the stored secondary authentication key from the activated mobile communication terminal, and verifying it.
  • another image-based authentication method according to the present invention authenticates an end entity that includes a computer device performing primary authentication through communication with the online service system and a mobile communication terminal performing secondary authentication, and comprises: a mobile communication terminal registration step in which a secondary authentication system registers the end entity information necessary for secondary authentication and the mobile communication terminal matching that information; an authentication image receiving step in which the secondary authentication system receives an authentication image through the mobile communication terminal registered in the mobile communication terminal registration unit; an authentication key generation and issuing step in which the secondary authentication system generates a secondary authentication key from the received authentication image, stores it, and issues it to the mobile communication terminal, which stores it; and an authentication key verification step in which the secondary authentication system activates the mobile communication terminal registered for the end entity that has completed primary authentication and receives and verifies the previously stored secondary authentication key from the activated mobile communication terminal.
  • because secondary authentication of the user is performed by receiving an image-based authentication key from a pre-registered mobile communication terminal that matches the computer device on which primary authentication was completed, authentication security is further enhanced.
  • FIG. 1 is a schematic structural block diagram of an image-based authentication system according to the present invention.
  • FIG. 2 is a detailed block diagram of an image-based authentication system according to a first embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating an operation of a mobile communication terminal of the image-based authentication system according to the first embodiment of the present invention.
  • FIG. 4 is an operation flowchart showing the operation of the secondary authentication system of the image-based authentication system according to a first embodiment of the present invention.
  • FIG. 5 is a detailed block diagram of an image-based authentication system according to a second embodiment of the present invention.
  • FIG. 6 is a flowchart illustrating the process of registering and issuing a secondary authentication key in the mobile communication terminal of an image-based authentication system according to the second embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating the process of registering and issuing a secondary authentication key in the secondary authentication system of an image-based authentication system according to the second embodiment of the present invention.
  • FIG. 8 is an operation flowchart illustrating the secondary authentication process in the mobile communication terminal of an image-based authentication system according to the second embodiment of the present invention.
  • FIG. 9 is an operation flowchart illustrating the secondary authentication process in the secondary authentication system of an image-based authentication system according to the second embodiment of the present invention.
  • reference numerals: 110 terminal entity; 111 computer device; 141 transmission and reception processing unit; 142 encryption and decryption processing unit
  • FIG. 1 is a schematic structural block diagram of an image-based authentication system according to the present invention.
  • the end entity 110 is an end user using the authentication procedure through this invention.
  • the end entity 110 uses the authentication procedure according to the present invention to receive the online service from the online service system 120 through the communication network 100.
  • the end entity 110 includes a computer device 111 that receives the online service of the online service system 120 and performs primary authentication through communication with the online service system 120, and a mobile communication terminal 112 that performs secondary authentication according to the present invention.
  • the computer device 111 includes various computer environments such as a desktop and a notebook.
  • the mobile communication terminal 112 is preferably a smartphone that runs an operating system (OS) and can install and run various applications. The detailed configuration of the computer device 111 and the mobile communication terminal 112 for implementing the present invention is described later.
  • the online service system 120 is a system on the web that provides an online service to a plurality of users through the communication network 100.
  • the online service system 120 performs primary authentication on the end entity 110.
  • the online service system 120 includes a login processing system 121, and performs the first authentication of the end entity 110 in the login processing system 121.
  • Primary authentication includes all forms of single factor authentication, such as knowledge-based authentication, ownership-based authentication, and entity-based authentication.
  • the push (PUSH) server 130 is a service provided by the manufacturer of the mobile communication terminal 112 of the end entity 110.
  • a device token corresponding to the application is issued by the push server 130.
  • the push server 130 wakes up the mobile communication terminal 112 by sending it a push message, and activates the application (the security authentication module in the present invention) that corresponds to the device token.
  • how the mobile communication terminal 112 obtains a device token from the push server is described in detail later.
  • for iOS, Apple Push Notification Service (APNs) provided by Apple is used as the push server.
  • for Android, Cloud To Device Messaging (C2DM) provided by Google is used as the push server.
  • the secondary authentication system 140 uses the device token of the end entity 110 to wake up the pre-registered mobile communication terminal 112, activates the security authentication module installed in the mobile communication terminal 112, receives the secondary authentication key from the mobile communication terminal 112, and performs the secondary authentication procedure.
  • two embodiments are proposed as a second authentication procedure.
  • the secondary authentication system 140 registers the mobile communication terminal 112 of the end entity 110 corresponding to the primary authentication information.
  • the secondary authentication system 140 issues a secondary authentication key, generates an authentication image corresponding to the issued key, displays the image on the computer device 111 of the end entity 110, and receives a secondary authentication key based on that authentication image through the registered mobile communication terminal 112.
  • the secondary authentication system 140 performs user authentication by comparing the secondary authentication key inputted through the mobile communication terminal 112 with the issued secondary authentication key.
  • FIG. 2 is a detailed block diagram of an image-based authentication system according to a first embodiment of the present invention.
  • the computer device 111 of the terminal entity 110 includes an input / output unit 111A and a transceiver unit 111B.
  • the input / output unit 111A is a typical keyboard, mouse, monitor, or the like, and performs an interface with a user.
  • the transceiver 111B is connected to the online service system 120 through a wired communication network.
  • the computer device 111 receives the authentication image from the secondary authentication system 140 and outputs it to the screen of the input / output unit 111A.
  • the mobile communication terminal 112 of the terminal entity 110 includes an input / output unit 112A, a transceiver unit 112B, a camera 112C, and a security authentication module 112D.
  • the input / output unit 112A is a conventional touch pad or the like and performs an interface with a user.
  • the transceiver 112B is connected to the push server 130 and the secondary authentication system 140 through a mobile communication network.
  • the camera 112C acquires image data by capturing an image as directed by the user of the mobile communication terminal.
  • the security authentication module 112D includes a device registration unit that obtains from the push server 130 a device token for communication with the secondary authentication system 140 and registers the issued device token with the secondary authentication system 140, and an authentication key output unit that is launched by the push message sent from the push server 130 and transmits to the secondary authentication system 140 the secondary authentication key based on the authentication image displayed on the screen of the computer device 111.
  • the security authentication module 112D may further include an access key processing unit for accessing the secondary authentication system 140 using an access key delivered with a push message from the push server 130.
  • the access key processing unit may further include a function for decrypting the encrypted access key: the secondary authentication system 140 encrypts the access key and transmits it to the mobile communication terminal 112 along with the push message, and the access key processing unit decrypts the encrypted access key and uses the decrypted access key to access the secondary authentication system 140.
  • the secondary authentication system 140 verifies the access authority of the mobile communication terminal 112 attempting the corresponding access by using the access key input from the mobile communication terminal 112.
  • the authentication key output unit of the security authentication module 112D may transmit to the secondary authentication system 140 a secondary authentication key that the user enters directly through the input / output unit 112A. In this case the authentication image is an image containing a figure, numbers and letters, and the user enters through the input / output unit 112A the name of the figure in the authentication image (for example an animal, a plant or an object such as an elephant, a sunflower or an umbrella) or the numbers and letters contained in the authentication image.
  • the security authentication module 112D may further include an image analysis unit for automatically extracting the secondary authentication key by analyzing the authentication image data captured through the camera 112C. In this case the authentication image is a two-dimensional barcode and the image analysis unit is a barcode analysis unit. Two-dimensional barcodes include QR Code (Quick Response Code), PDF417, Data Matrix, MaxiCode and the like.
  • the online service system 120 stores the information necessary for primary authentication of the end entity 110, requests secondary authentication from the secondary authentication system 140 for an end entity 110 whose primary authentication is complete, receives the authentication image from the secondary authentication system 140, and provides a web page including the authentication image to the computer device 111 of the end entity 110.
  • the secondary authentication system 140 includes a transmission and reception processing unit 141 for exchanging data with the end entity 110, the online service system 120 and the push server 130; an encryption and decryption processing unit 142 that encrypts and decrypts the data transmitted and received; a mobile communication terminal registration unit 143; an authentication processing unit 144 that receives from the mobile communication terminal 112 a secondary authentication key corresponding to the authentication image and verifies it; a database 145 that stores end entity information, device token information and the settings for each end entity; and a memory unit 146 that stores the secondary authentication key information and processing procedure information issued by the authentication processing unit 144.
  • the transmission and reception processing unit 141 includes a wired processing unit communicating with the online service system 120 and the push server 130 through a wired communication network, and a wireless processing unit communicating with the mobile communication terminal 112 through a wireless communication network.
  • the mobile communication terminal registration unit 143 includes a device registration processing unit for processing device registration for each mobile communication terminal 112, and a device number issuer for issuing a number for the registered mobile communication terminal.
  • the authentication processing unit 144 includes an authentication key generation unit that generates a secondary authentication key to be issued to the end entity 110 that has completed primary authentication; an authentication image generation unit that generates an authentication image corresponding to the secondary authentication key and displays it on the computer device 111 of that end entity 110; and an authentication key verification unit that compares the secondary authentication key received from the pre-registered mobile communication terminal 112 of that end entity 110 with the secondary authentication key generated by the authentication key generation unit and verifies it.
  • the authentication processing unit 144 further includes an access key issuing / verifying unit that issues an access key to the pre-registered mobile communication terminal 112 of the end entity 110 whose primary authentication is complete and verifies the mobile communication terminal 112 by comparing the issued access key with the access key received from the mobile communication terminal 112, and the memory unit 146 further stores the access key information issued to the mobile communication terminal 112.
  • FIG. 3 is a flowchart illustrating an operation of a mobile communication terminal of the image-based authentication system according to the first embodiment of the present invention.
  • the security authentication module 112D of the mobile communication terminal 112 is an application program (application) that is manufactured based on an operating system mounted on the mobile communication terminal 112 and performs an authentication procedure according to the present invention.
  • the security authentication module 112D is installed in the mobile communication terminal 112 of the end entity (S301).
  • the security authentication module 112D transmits to the secondary authentication system 140 the end entity information needed to perform authentication (the user ID for accessing the online service system, system information of the mobile communication terminal, and so on), so that the secondary authentication system 140 collects the end entity information through the mobile communication terminal 112 (S302).
  • the secondary authentication system 140 confirms the collected end entity information, performs real name authentication and self authentication for the mobile communication terminal itself, and transmits the result to the mobile communication terminal 112.
  • if the result is a failure, the security authentication module 112D of the mobile communication terminal recognizes that device registration has failed and ends (S304).
  • otherwise, the security authentication module 112D of the mobile communication terminal connects to the push server 130 and requests issuance of a device token by transmitting the certificate of the security authentication module and the unique information of the mobile communication terminal to the push server (S305).
  • the security authentication module 112D of the mobile communication terminal transfers the issued device token to the secondary authentication system (S307). Then, the secondary authentication system 140 registers the device token of the mobile communication terminal 112 together with the corresponding terminal entity information in the database.
  • when a push message arrives from the push server 130, the mobile communication terminal wakes up and activates the security authentication module 112D (S309).
  • the security authentication module 112D of the mobile communication terminal decrypts the encrypted access key (S311).
  • the security authentication module 112D extracts the secondary authentication key from the secondary authentication information (S313), accesses the secondary authentication system using the access key decrypted in step S311, and transmits the secondary authentication key to the secondary authentication system (S314).
  • the second authentication information may be authentication image data obtained by photographing an authentication image displayed on the screen of the computer device of the end entity, and the security authentication module 112D interprets the authentication image data to extract the second authentication key.
  • in that case the authentication image is a two-dimensional barcode.
  • alternatively, the secondary authentication information is a value entered directly through the input / output unit of the mobile communication terminal, and the security authentication module 112D extracts the secondary authentication key from the entered value.
  • FIG. 4 is an operation flowchart showing the operation of the secondary authentication system of the image-based authentication system according to a first embodiment of the present invention.
  • the secondary authentication system collects terminal entity information (for example, the user ID for accessing the online service system and the system information of the mobile communication terminal) through the mobile communication terminal, confirms the collected terminal entity information, performs real-name authentication and self-authentication for the mobile communication terminal itself, transmits the result (authentication success / failure) to the mobile communication terminal, and registers the device token received from a mobile communication terminal whose verification succeeded.
  • the online service system performs primary authentication on the end entity computer device.
  • the computer device transmits the terminal entity information necessary for authentication to the online service system. If the first authentication is successful, the online service system sends the end entity information to the second authentication system and requests the second authentication.
  • the secondary authentication system checks whether the mobile communication terminal is registered in response to the received end entity information (S402).
  • if the mobile communication terminal is registered (S403), the secondary authentication system generates and stores a secondary authentication key, generates an authentication image corresponding to the generated secondary authentication key, and displays it, through the online service system, on the computer device of the terminal entity whose primary authentication is complete (S404). The authentication image corresponding to the secondary authentication key may be a two-dimensional barcode image containing the secondary authentication key information.
  • the secondary authentication key is generated using as seed values a timestamp based on UTC, which prevents duplicate issuance, and the end entity information.
  • The secondary authentication system generates, stores and encrypts an access key (S405).
  • Using the device token registered for the end entity that completed primary authentication, the secondary authentication system asks the push server to deliver a message that activates the security authentication module 112D of the mobile communication terminal and carries the encrypted access key (S406).
  • The push server identifies the target terminal from the device token received from the secondary authentication system, delivers the push message that activates the security authentication module, and passes the encrypted access key to that module.
  • The mobile communication terminal decrypts the access key and prompts the user for the secondary authentication information, that is, the authentication image displayed on the computer device (for example, by capturing the two-dimensional barcode with the camera). It extracts the secondary authentication key from that image and returns it together with the decrypted access key.
  • The secondary authentication system receives the access key and the secondary authentication key from the mobile communication terminal (S407).
  • It first compares the received access key with the access key generated in step S405 and issued to the terminal (S408). Only if the access keys match does it compare the received secondary authentication key with the one stored in step S404 (S409). If those match as well, authentication is approved (S410) and the result is sent to the online service system (S411).
  • If either comparison (S408 or S409) fails, authentication fails (S412) and that result is sent to the online service system (S411).
  • If no terminal is registered in step S403, the request is handled as an unregistered mobile communication terminal (S413) and the outcome is reported to the online service system (S411).
  • In the second embodiment, the secondary authentication system 140 registers the mobile communication terminal 112 of the end entity 110 that corresponds to the primary authentication information.
  • A secondary authentication key is generated from an arbitrary image supplied by the terminal 112, stored by the secondary authentication system 140, and issued to the mobile communication terminal 112.
  • The mobile communication terminal 112 obtains an authentication key storage password (PIN) from the user and uses it to encrypt and store the secondary authentication key issued by the secondary authentication system 140.
  • At authentication time the mobile communication terminal 112 obtains the storage password from the user again, decrypts the stored secondary authentication key, and transmits it to the secondary authentication system 140.
  • When secondary authentication is requested, the secondary authentication system 140 authenticates the user by comparing the secondary authentication key received from the mobile communication terminal 112 with the pre-stored one.
  • FIG. 5 is a detailed block diagram of an image-based authentication system according to a second embodiment of the present invention.
  • The end entity's computer device, the online service system and the push server of the second embodiment are the same as those of the first embodiment.
  • In the first embodiment the online service system receives the authentication image from the secondary authentication system and displays it on the end entity's computer device; in the second embodiment this step is omitted.
  • The secondary authentication key issued in the first embodiment is strictly one-time and is therefore held in the memory unit, whereas the key issued in the second embodiment is reused across authentications and is preferably stored as an item of the end-entity information in the database.
  • The two embodiments differ in the internal configuration of the security authentication module of the mobile communication terminal and of the authentication processing unit of the secondary authentication system; the description below concentrates on those differences.
  • The mobile communication terminal comprises the usual input/output unit, transceiver unit, camera and storage unit, plus a security authentication module 510 for performing image-based authentication according to the present invention.
  • The storage unit may be a universal subscriber identity module (USIM) card or the internal memory normally fitted in the mobile communication terminal.
  • The security authentication module 510 includes a device registration unit 511, which receives from the push server a device token for communication with the secondary authentication system, registers that token with the secondary authentication system, registers an arbitrary authentication image captured by the camera with the secondary authentication system, and receives the corresponding secondary authentication key from it.
  • It also includes an authentication key storage unit, which encrypts the secondary authentication key issued through the device registration unit 511 with an authentication key storage password entered by the user and stores the ciphertext in the storage unit; when run by a push message from the push server, it reads the encrypted secondary authentication key from the storage unit, decrypts it with the password entered by the user, and transmits it to the secondary authentication system.
  • The security authentication module 510 may further include an access key processing unit 513 that accesses the secondary authentication system with an access key delivered in the push message; the access key processing unit 513 may also decrypt the access key. That is, the secondary authentication system issues an encrypted access key to the mobile communication terminal, and the access key processing unit 513 decrypts it and then accesses the secondary authentication system using the decrypted key.
  • The authentication processing unit 520 of the secondary authentication system includes an authentication image receiving unit 521, which receives an authentication image from the mobile communication terminal; an authentication key generation/issuing unit 522, which generates a secondary authentication key from the received image, stores it and issues it to the mobile communication terminal; and an authentication key verification unit 523, which compares the secondary authentication key received from the pre-registered terminal of an end entity that has completed primary authentication with the secondary authentication key issued to that terminal.
  • The authentication processing unit 520 further includes an access key issuance/verification unit 524, which issues an encrypted access key to the pre-registered mobile communication terminal of an end entity that has completed primary authentication and verifies the access key returned by the terminal against the one issued.
  • During registration, the secondary authentication system generates and stores a secondary authentication key from image data that the user photographs with the camera of the mobile communication terminal, and issues that key to the terminal.
  • The mobile communication terminal obtains the authentication key storage password from the user, encrypts the secondary authentication key with it and stores the ciphertext in the storage unit. Thereafter, whenever the user performs secondary authentication to use the online service system, the terminal asks for the storage password again, decrypts the secondary authentication key and provides it to the secondary authentication system.
  • Because the secondary authentication key is derived from image data photographed by the user, duplicate issuance of the same key can be prevented.
  • Secondary authentication therefore no longer requires a one-time secondary authentication key to be issued to the online service system or the mobile communication terminal on every request.
  • FIG. 6 is an operation flowchart of the registration and secondary authentication key issuing process in the mobile communication terminal of the image-based authentication system according to the second embodiment of the present invention.
  • FIG. 7 is an operation flowchart of the registration and secondary authentication key issuing process in the secondary authentication system of the image-based authentication system according to the second embodiment of the present invention.
  • FIGS. 6 and 7 together show device registration and secondary authentication key issuance between the mobile communication terminal and the secondary authentication system.
  • The security authentication module 510 is installed on the end entity's mobile communication terminal (S601).
  • The security authentication module 510 transmits the end-entity information needed for authentication (user ID for the online service system, system information of the mobile communication terminal, etc.) to the secondary authentication system (S602).
  • The secondary authentication system receives that end-entity information from the mobile communication terminal (S701), performs real-name authentication and identity verification of the terminal itself (S702), and transmits the result to the terminal (S703).
  • If the result is a failure, the mobile communication terminal records the device registration failure and terminates (S604).
  • Otherwise the security authentication module accesses the push server, transmits the module's certificate and the unique information of the mobile communication terminal, and requests a device token (S605).
  • The security authentication module 510 forwards the issued device token to the secondary authentication system (S607). When the secondary authentication system receives the token from the terminal (S704), it stores it in the database together with the corresponding end-entity information (S705).
  • After the device token is registered, the security authentication module 510 asks the user to photograph an authentication image (S608); when the image data is input (S609), it transmits the data to the secondary authentication system (S610).
  • When the secondary authentication system receives the authentication image from a terminal whose device token is registered (S706), it generates and stores a secondary authentication key from the image (S707) and issues that key to the mobile communication terminal (S708).
  • When the secondary authentication key is issued (S611), the mobile communication terminal asks the user to enter the authentication key storage password (S612).
  • The security authentication module 510 encrypts the secondary authentication key issued in step S611 with the password entered in step S612 and stores the result in the storage unit (S614).
  • FIG. 8 is an operation flowchart of the secondary authentication process in the mobile communication terminal of the image-based authentication system according to the second embodiment of the present invention.
  • FIG. 9 is an operation flowchart of the secondary authentication process in the secondary authentication system of the image-based authentication system according to the second embodiment of the present invention.
  • When the online service system requests secondary authentication and supplies the end-entity information (S901), the secondary authentication system checks whether a mobile communication terminal is registered for that information.
  • If a terminal is registered (S903), the secondary authentication system generates, stores and encrypts an access key (S904). Using the device token registered for the end entity that completed primary authentication, it then asks the push server to deliver a message that activates the terminal's security authentication module and carries the encrypted access key.
  • The push server identifies the target terminal from the device token received from the secondary authentication system, delivers the push message that activates the security authentication module, and passes the encrypted access key to that module.
  • The mobile communication terminal wakes up and activates the security authentication module (S802).
  • The security authentication module decrypts the encrypted access key (S804) and asks the user to enter the authentication key storage password (S805).
  • The security authentication module decrypts the secondary authentication key held in the storage unit with the entered password (S807).
  • The security authentication module accesses the secondary authentication system with the access key decrypted in step S804 and transmits the secondary authentication key decrypted in step S807 (S808).
  • The secondary authentication system receives the access key and the secondary authentication key from the mobile communication terminal (S906).
  • It compares the received access key with the access key issued in step S905 (S907). Only if they match does it compare the received secondary authentication key with the stored one (S908). If those match as well, authentication is approved (S909) and the result is sent to the online service system (S910).
  • If either the access keys (S907) or the secondary authentication keys (S908) do not match, authentication fails (S911) and that result is sent to the online service system (S910).
  • If no terminal is registered in step S903, the request is handled as an unregistered mobile communication terminal (S912) and the outcome is reported to the online service system (S910).
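The first-embodiment exchange (steps S402 to S413), as an added stand-alone Python simulation that is not part of the patent: the secondary authentication system derives the one-time secondary key from a UTC timestamp and the end-entity information, hands the key to the browser as the payload a two-dimensional barcode would carry, pushes an encrypted access key to the registered terminal, and on return checks the access key before the secondary key, discarding the pending state so that a second presentation of the same pair fails. The class and user names, the HMAC-keystream stand-in for the access-key cipher, the 60-second key lifetime and the device key shared at registration are all assumptions of this example; the patent specifies none of them.

```python
"""First-embodiment exchange (S402-S413): one-time image key plus pushed access key."""
import base64
import hashlib
import hmac
import os

KEY_LIFETIME_S = 60  # assumption: the patent sets no expiry; the one-time key is bounded here


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a real AEAD (assumption): HMAC-SHA256 counter-mode keystream XORed with
    data. Symmetric, so the same call decrypts. `key` is a device key shared at registration."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SecondaryAuthSystem:
    def __init__(self):
        self.server_secret = os.urandom(32)
        self.registry = {}  # user_id -> (device_token, device_key), filled at registration
        self.pending = {}   # user_id -> {"secondary_key", "access_key", "issued_at"}

    def register_terminal(self, user_id, device_token, device_key):
        self.registry[user_id] = (device_token, device_key)

    def request_secondary_auth(self, user_id, now):
        """S402-S406. Returns (barcode payload for the PC, push message for the phone),
        or None when no terminal is registered (S413)."""
        if user_id not in self.registry:
            return None
        device_token, device_key = self.registry[user_id]
        # S404: one-time key seeded with the UTC timestamp and the end-entity information
        seed = int(now).to_bytes(8, "big") + user_id.encode()
        secondary_key = hmac.new(self.server_secret, seed, hashlib.sha256).digest()[:16]
        # S405: fresh random access key, stored and encrypted for the registered device
        access_key, nonce = os.urandom(16), os.urandom(12)
        self.pending[user_id] = {"secondary_key": secondary_key,
                                 "access_key": access_key, "issued_at": int(now)}
        barcode_payload = "AUTH1:" + base64.b32encode(secondary_key).decode()
        push_message = {"device_token": device_token, "nonce": nonce,
                        "enc_access_key": xor_keystream(device_key, nonce, access_key)}
        return barcode_payload, push_message

    def verify(self, user_id, access_key, secondary_key, now):
        """S407-S412: access key first, then secondary key; pending state is single-use."""
        state = self.pending.pop(user_id, None)
        if state is None or int(now) - state["issued_at"] > KEY_LIFETIME_S:
            return "fail"
        if not hmac.compare_digest(access_key, state["access_key"]):        # S408
            return "fail"
        if not hmac.compare_digest(secondary_key, state["secondary_key"]):  # S409
            return "fail"
        return "approved"                                                   # S410


class MobileTerminal:
    def __init__(self, device_token, device_key):
        self.device_token, self.device_key = device_token, device_key

    def handle_push(self, push_message):
        """The push server routed on the device token; the module wakes and recovers the key."""
        if push_message["device_token"] != self.device_token:
            raise ValueError("push not addressed to this terminal")
        return xor_keystream(self.device_key, push_message["nonce"], push_message["enc_access_key"])

    @staticmethod
    def scan_image(barcode_payload):
        """Extract the secondary key from the barcode shown on the computer device."""
        prefix, _, encoded = barcode_payload.partition(":")
        if prefix != "AUTH1":
            raise ValueError("not an authentication image")
        return base64.b32decode(encoded)


def run_scenario(tamper=None):
    """tamper in (None, 'wrong_access_key', 'replay', 'expired', 'unregistered')."""
    sas, token, dkey = SecondaryAuthSystem(), b"token-1", os.urandom(32)
    phone = MobileTerminal(token, dkey)
    if tamper != "unregistered":
        sas.register_terminal("alice", token, dkey)
    t0 = 1_700_000_000  # constructed UTC timestamp of the request
    issued = sas.request_secondary_auth("alice", now=t0)
    if issued is None:
        return "unregistered"
    barcode_payload, push = issued
    access_key = phone.handle_push(push)
    secondary_key = MobileTerminal.scan_image(barcode_payload)
    if tamper == "wrong_access_key":
        access_key = os.urandom(16)
    now = t0 + (KEY_LIFETIME_S + 1 if tamper == "expired" else 5)
    result = sas.verify("alice", access_key, secondary_key, now=now)
    if tamper == "replay":  # present the same pair a second time
        return sas.verify("alice", access_key, secondary_key, now=now)
    return result


if __name__ == "__main__":
    for case in (None, "wrong_access_key", "replay", "expired", "unregistered"):
        print(case, "->", run_scenario(case))
```

Two details worth keeping when implementing this for real: the access key is compared before the secondary key, exactly as S408 precedes S409, so a key harvested from the barcode alone (shoulder surfing, a screenshot) is useless without the device that received the push, and `pending.pop` makes the stored state single-use so the same pair cannot be replayed inside the lifetime window.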

Abstract

The present invention relates to a system and method for image-based authentication, wherein user authentication is performed by the preregistered mobile communication terminal of a user transmitting, to an authentication server, an authentication key corresponding to an authentication image. In the image-based authentication system according to the present invention, a system for authenticating an end entity comprises a computer device for performing a first authentication through communication with an online service system and a mobile communication terminal for performing a second authentication, and includes: a unit for registering a mobile communication terminal, which registers the end entity information needed for the second authentication, and a mobile communication terminal matching the end entity information; a unit for generating an authentication key, which generates a second authentication key issued to the end entity in which the first authentication is completed; a unit for generating an authentication image, which generates an authentication image corresponding to the generated second authentication key and provides the authentication image for display on the computer device of the end entity in which the first authentication is completed through the online service system; and a unit for verifying authentication, which verifies the second authentication key received from the activated mobile communication terminal after activating the mobile communication terminal registered in the end entity in which the first authentication is completed.

Description

Image-based authentication system and method
The present invention relates to an authentication system and method, and more particularly to an image-based authentication system and method in which a user is authenticated by having the user's pre-registered mobile communication terminal transmit to an authentication server an authentication key that corresponds to an authentication image.
Thanks to the growth of the Internet, many kinds of online services are offered today. Most online service systems authenticate whether a client computer device that reaches the system over the Internet is entitled to use the service.
The most common user authentication method uses a user ID and password: when a user joins an online service system as a member, a user ID and password are registered, and when the user later wants to access the system, the registered user ID and password are entered and the user's identity is verified against them.
Authentication based on an ID and password, however, is easy to steal or compromise, and once the authentication information (user ID and password) has been exposed, malicious access attempts cannot be blocked.
Online service systems hold a great deal of personal information, and as the intangible assets managed through them (for example, online game items and cyber money) have grown, stronger methods of verifying a user's identity are in demand.
In response, various secondary authentication schemes that follow the primary ID-and-password authentication have been tried; in particular, one-time authentication keys delivered to the user's mobile communication terminal are widely used. Such a one-time-key scheme usually proceeds as follows. The online service system performs primary authentication (for example, checking the user ID and password) and then requests secondary authentication from a secondary authentication server. The secondary authentication server sends a text message (SMS) containing a one-time authentication key to the user's mobile communication terminal. The online service system receives the one-time authentication key entered on the user's computer device and passes it to the secondary authentication server. The secondary authentication server then verifies that the one-time authentication key it sent to the user's mobile communication terminal and the one-time authentication key entered through the online service system are the same,
Such one-time-key secondary authentication strengthens identity verification to some degree, but it remains vulnerable to the remote and proximity attacks described below.
As remote attacks: when the user submits the one-time authentication key to the online service system, an attacker may intercept it by network spoofing; an attacker who has planted a keylogger on the user's computer device beforehand may monitor the one-time key as it is typed and exfiltrate it; or the user may be lured to a phishing site instead of the online service system and the one-time key entered there harvested. For example, in July 2006 a bank account at a US bank was broken into with an authentication key stolen through a phishing site, a remote attack technique.
As proximity attacks, the one-time authentication key delivered to the user's mobile communication terminal may be learned and misused through shoulder surfing or social engineering carried out near the user.
A stronger identity authentication technique is therefore needed for secondary authentication with a one-time key: one that resists misuse even when the one-time key has been captured through a remote or proximity attack.
To meet this need, an object of the present invention is to provide an image-based authentication system and method that authenticate a user by receiving an image-based authentication key from a mobile communication terminal pre-registered for the computer device that has completed primary authentication and comparing it with a pre-registered authentication key, and that thereby resist theft of one-time authentication keys by remote or proximity attacks.
The image-based authentication system according to a first embodiment of the present invention, for authenticating an end entity comprising a computer device that performs primary authentication by communicating with an online service system and a mobile communication terminal that performs secondary authentication, comprises: a mobile communication terminal registration unit that registers the end-entity information required for secondary authentication and a mobile communication terminal matched to that information; an authentication key generation unit that generates a secondary authentication key to be issued to an end entity that has completed primary authentication; an authentication image generation unit that generates an authentication image corresponding to the generated secondary authentication key and provides it, through the online service system, for display on the computer device of the end entity that completed primary authentication; and an authentication key verification unit that activates the mobile communication terminal registered for that end entity and verifies the secondary authentication key received from the activated terminal.
The image-based authentication method according to the first embodiment of the present invention, for authenticating an end entity comprising a computer device that performs primary authentication by communicating with an online service system and a mobile communication terminal that performs secondary authentication, comprises: a mobile communication terminal registration step in which a secondary authentication system registers the end-entity information required for secondary authentication and a mobile communication terminal matched to that information; an authentication key generation step in which, when the online service system requests secondary authentication of the end entity, the secondary authentication system generates a secondary authentication key to be issued to the end entity that completed primary authentication; an authentication image generation step in which the secondary authentication system generates an authentication image corresponding to the generated secondary authentication key and provides it, through the online service system, for display on the computer device of that end entity; and an authentication key verification step in which, after the authentication image generation step, the secondary authentication system activates the mobile communication terminal registered for that end entity and verifies the secondary authentication key received from the activated terminal.
The image-based authentication system according to a second embodiment of the present invention, for authenticating an end entity comprising a computer device that performs primary authentication by communicating with an online service system and a mobile communication terminal that performs secondary authentication, comprises: a mobile communication terminal registration unit that registers the end-entity information required for secondary authentication and a mobile communication terminal matched to that information; an authentication image receiving unit that receives an authentication image through the mobile communication terminal registered in the registration unit; an authentication key generation/issuing unit that generates a secondary authentication key from the received authentication image, stores it, and issues it to the mobile communication terminal to be stored there; and an authentication key verification unit that activates the mobile communication terminal registered for an end entity that has completed primary authentication and receives and verifies the pre-stored secondary authentication key from the activated terminal.
The image-based authentication method according to the second embodiment of the present invention, for authenticating an end entity comprising a computer device that performs primary authentication by communicating with an online service system and a mobile communication terminal that performs secondary authentication, comprises: a mobile communication terminal registration step in which a secondary authentication system registers the end-entity information required for secondary authentication and a mobile communication terminal matched to that information; an authentication image receiving step in which the secondary authentication system receives an authentication image through the registered mobile communication terminal; an authentication key generation/issuing step in which the secondary authentication system generates a secondary authentication key from the received authentication image, stores it, and issues it to the mobile communication terminal to be stored there; and an authentication key verification step in which, when the online service system requests secondary authentication of the end entity, the secondary authentication system activates the mobile communication terminal registered for the end entity that completed primary authentication and receives and verifies the pre-stored secondary authentication key from the activated terminal.
As described above, according to the present invention, secondary authentication of the user is performed by receiving an image-based authentication key from a pre-registered mobile communication terminal matched to the computer device whose primary authentication has been completed, which has the effect of further strengthening authentication security.
FIG. 1 is a schematic block diagram of an image-based authentication system according to the present invention.
FIG. 2 is a detailed block diagram of an image-based authentication system according to a first embodiment of the present invention.
FIG. 3 is a flowchart illustrating the operation of the mobile communication terminal of the image-based authentication system according to the first embodiment of the present invention.
FIG. 4 is a flowchart illustrating the operation of the secondary authentication system of the image-based authentication system according to the first embodiment of the present invention.
FIG. 5 is a detailed block diagram of an image-based authentication system according to a second embodiment of the present invention.
FIG. 6 is a flowchart illustrating the registration and secondary authentication key issuing process in the mobile communication terminal of the image-based authentication system according to the second embodiment of the present invention.
FIG. 7 is a flowchart illustrating the registration and secondary authentication key issuing process in the secondary authentication system of the image-based authentication system according to the second embodiment of the present invention.
FIG. 8 is a flowchart illustrating the secondary authentication process in the mobile communication terminal of the image-based authentication system according to the second embodiment of the present invention.
FIG. 9 is a flowchart illustrating the secondary authentication process in the secondary authentication system of the image-based authentication system according to the second embodiment of the present invention.
[Description of Reference Numerals]
110: end entity 111: computer device
112: mobile communication terminal 120: online service system
130: push server 140: secondary authentication system
141: transmission/reception processing unit 142: encryption/decryption processing unit
143: mobile communication terminal registration unit 144: authentication processing unit
145: database 146: memory unit
Hereinafter, the image-based authentication system and method according to the present invention will be described in more detail with reference to the accompanying drawings.
FIG. 1 is a schematic block diagram of an image-based authentication system according to the present invention.
The end entity 110 is the end user who uses the authentication procedure of the present invention. The end entity 110 uses the authentication procedure according to the present invention in order to receive online services from the online service system 120 through the communication network 100. The end entity 110 includes a computer device 111, which receives the online service of the online service system 120 and performs primary authentication through communication with the online service system 120, and a mobile communication terminal 112 for performing the secondary authentication according to the present invention. The computer device 111 encompasses various computing environments such as desktops and notebooks. The mobile communication terminal 112 is preferably a smartphone equipped with an operating system (OS) on which various applications (application programs) can be installed and run. The detailed internal configuration of the computer device 111 and the mobile communication terminal 112 for implementing the present invention will be described later.
The online service system 120 is a web-based system that provides online services to a plurality of users through the communication network 100, and it performs primary authentication of the end entity 110. Typically, the online service system 120 includes a login processing system 121, which performs the primary authentication of the end entity 110. Primary authentication includes every form of single factor authentication, such as knowledge-based authentication, possession-based authentication, and inherence (biometric) authentication.
The push server 130 is a service provided by the manufacturer of the mobile communication terminal 112 of the end entity 110. When the mobile communication terminal 112 wishes to receive a push service for a given application, it first obtains from the push server 130 a device token corresponding to that application. The push server 130 then sends a push message to the mobile communication terminal 112 to wake it up and activate the application corresponding to that device token (in the present invention, the security authentication module). The process by which the mobile communication terminal 112 obtains a device token from the push server is described in detail later. As examples of the push server 130, iOS devices use the Apple Push Notification Service (APNs) provided by Apple as the push server, and Android devices use Cloud To Device Messaging (C2DM) provided by Google as the push server.
When secondary authentication is requested by the online service system 120 for an end entity 110 whose primary authentication has been completed, the secondary authentication system 140 uses the device token of the end entity 110 to wake up the pre-registered mobile communication terminal 112 and activate the security authentication module installed on it, receives a secondary authentication key from that mobile communication terminal 112, and performs the secondary authentication procedure. This specification proposes two embodiments of the secondary authentication procedure.
Briefly, in the secondary authentication procedure according to the first embodiment, the secondary authentication system 140 registers the mobile communication terminal 112 of the end entity 110 corresponding to the primary authentication information. When secondary authentication is requested by the online service system 120, the secondary authentication system 140 issues a secondary authentication key, generates an authentication image corresponding to the issued secondary authentication key, causes it to be displayed on the computer device 111 of the end entity 110, and receives through the pre-registered mobile communication terminal 112 a secondary authentication key based on that authentication image. The secondary authentication system 140 performs user authentication by comparing the secondary authentication key received through the mobile communication terminal 112 with the previously issued secondary authentication key.
FIG. 2 is a detailed block diagram of an image-based authentication system according to a first embodiment of the present invention.
The computer device 111 of the end entity 110 according to the present invention includes an input/output unit 111A and a transceiver unit 111B. The input/output unit 111A consists of a conventional keyboard, mouse, monitor, and the like, and provides the interface with the user. The transceiver unit 111B connects to the online service system 120 through a wired communication network. The computer device 111 receives the authentication image from the secondary authentication system 140 and outputs it on the screen of the input/output unit 111A.
The mobile communication terminal 112 of the end entity 110 according to the present invention includes an input/output unit 112A, a transceiver unit 112B, a camera 112C, and a security authentication module 112D. The input/output unit 112A is a conventional touch pad or the like and provides the interface with the user. The transceiver unit 112B connects to the push server 130 and the secondary authentication system 140 through a mobile communication network. The camera 112C captures a picture (image) under the operation of the terminal user and acquires image data.
The security authentication module 112D includes a device registration unit, which obtains from the push server 130 a device token for communication with the secondary authentication system 140 and registers the issued device token with the secondary authentication system 140, and an authentication key output unit, which is launched by the push message delivered from the push server 130 and transmits to the secondary authentication system 140 a secondary authentication key based on the authentication image displayed on the screen of the computer device 111.
In addition, the security authentication module 112D may further include an access key processing unit that accesses the secondary authentication system 140 using an access key delivered together with the push message from the push server 130; this access key processing unit may additionally include a function for decrypting an encrypted access key. That is, the secondary authentication system 140 encrypts the access key and transmits it to the mobile communication terminal 112 together with the push message, and the access key processing unit decrypts the encrypted access key and uses the decrypted access key to access the secondary authentication system 140. The secondary authentication system 140 uses the access key received from the mobile communication terminal 112 to verify the access authority of the mobile communication terminal 112 attempting the access.
The authentication key output unit of the security authentication module 112D may output to the secondary authentication system 140 a secondary authentication key entered directly through the input/output unit 112A. That is, the authentication image is an image containing pictures, numbers, and letters, and the user may be asked to enter directly through the input/output unit 112A the name of the picture contained in the authentication image (for example, the name of an animal, plant, or object such as an elephant, a sunflower, or an umbrella) or the numbers and letters contained in the authentication image.
In addition, the security authentication module 112D may further include an image analysis unit that analyzes the authentication image data received through the camera 112C and automatically extracts the secondary authentication key. That is, the authentication image may be a two-dimensional barcode, and the image analysis unit may be a barcode decoder. Two-dimensional barcodes include QR Code (Quick Response Code), PDF417, Data Matrix, MaxiCode, and the like.
The online service system 120 according to the present invention stores the information required for primary authentication of the end entity 110, requests secondary authentication of the end entity 110 from the secondary authentication system 140 once primary authentication has been completed, receives the authentication image from the secondary authentication system 140, and provides a web page containing that authentication image to the computer device 111 of the end entity 110.
The secondary authentication system 140 according to the present invention includes: a transmission/reception processing unit 141 for exchanging data with the end entity 110, the online service system 120, and the push server 130; an encryption/decryption processing unit 142 that encrypts or decrypts the data transmitted and received; a mobile communication terminal registration unit 143 that matches and registers the end entity 110 information with the device token of the mobile communication terminal 112; an authentication processing unit 144 that generates a secondary authentication key to be issued to an end entity 110 whose primary authentication has been completed, generates an authentication image corresponding to that secondary authentication key, provides it through the online service system 120 to the computer device 111 of the end entity 110, and receives and verifies the secondary authentication key corresponding to the authentication image from the mobile communication terminal 112 of that end entity 110; a database 145 that stores end entity information, device token information, and settings for each end entity; and a memory unit 146 that stores the secondary authentication key information issued by the authentication processing unit 144, processing procedure information, and the like.
Here, the transmission/reception processing unit 141 includes a wired processing unit that communicates with the online service system 120 and the push server 130 through a wired communication network, and a wireless processing unit that communicates with the mobile communication terminal 112 through a wireless communication network.
The mobile communication terminal registration unit 143 includes a device registration processing unit that handles device registration for each mobile communication terminal 112, and a device number issuer that issues a number to each registered mobile communication terminal.
The authentication processing unit 144 includes: an authentication key generation unit that generates the secondary authentication key to be issued to the end entity 110 whose primary authentication has been completed; an authentication image generation unit that generates an authentication image corresponding to the secondary authentication key and provides it to the online service system 120 so that it is displayed on the computer device 111 of that end entity 110; and an authentication key verification unit that compares the secondary authentication key received from the pre-registered mobile communication terminal 112 of that end entity 110 with the secondary authentication key generated by the authentication key generation unit and verifies it. In addition, the authentication processing unit 144 further includes an access key issuing/verification unit that issues an access key to the pre-registered mobile communication terminal 112 of the end entity 110 whose primary authentication has been completed and verifies the mobile communication terminal 112 by comparing the access key received from the mobile communication terminal 112 with the issued access key, and the memory unit 146 further stores information on the access key issued to the mobile communication terminal 112.
FIG. 3 is a flowchart illustrating the operation of the mobile communication terminal of the image-based authentication system according to the first embodiment of the present invention.
The security authentication module 112D of the mobile communication terminal 112 is an application program (application) built on the operating system installed on the mobile communication terminal 112, which carries out the authentication procedure according to the present invention.
First, the security authentication module 112D is installed on the mobile communication terminal 112 of the end entity (S301). The security authentication module 112D transmits to the secondary authentication system 140 the end entity information required for authentication (the user ID for accessing the online service system, the system information of the mobile communication terminal, and so on), whereby the secondary authentication system 140 collects end entity information through the mobile communication terminal 112 (S302).
The secondary authentication system 140 checks the collected end entity information, performs real-name verification and identity verification of the mobile communication terminal itself, and transmits the result to the mobile communication terminal 112. If a result indicating failure of real-name verification or identity verification is received from the secondary authentication system 140 (S303), the security authentication module 112D of the mobile communication terminal treats this as a device registration failure and terminates (S304).
On the other hand, if a result indicating successful real-name verification and identity verification of the mobile communication terminal 112 is received from the secondary authentication system 140 (S303), the security authentication module 112D of the mobile communication terminal connects to the push server 130, transmits the certificate of the security authentication module and the unique information of the mobile communication terminal to the push server, and requests issuance of a device token (S305).
When a device token is issued by the push server 130 (S306), the security authentication module 112D of the mobile communication terminal delivers the issued device token to the secondary authentication system (S307). The secondary authentication system 140 then registers the device token of the mobile communication terminal 112 in the database together with the corresponding end entity information.
In this environment, when a push message is received from the push server (S308), the mobile communication terminal wakes up and activates the security authentication module 112D (S309). When an encrypted access key is received (S310), the security authentication module 112D of the mobile communication terminal decrypts the encrypted access key (S311). When secondary authentication information is entered by the user (S312), the security authentication module 112D extracts the secondary authentication key from the secondary authentication information (S313), accesses the secondary authentication system with the access key decrypted in step S311, and transmits the secondary authentication key to the secondary authentication system (S314).
The secondary authentication information may be authentication image data obtained by photographing the authentication image displayed on the screen of the end entity's computer device, in which case the security authentication module 112D analyzes the authentication image data to extract the secondary authentication key. In particular, the authentication image is a two-dimensional barcode. Alternatively, the secondary authentication information is a value entered directly through the input/output unit of the mobile communication terminal, and the security authentication module 112D extracts the secondary authentication key from the entered value.
FIG. 4 is a flowchart illustrating the operation of the secondary authentication system of the image-based authentication system according to the first embodiment of the present invention.
First, when the mobile communication terminal on which the security authentication module is installed performs step S302 of FIG. 3, the secondary authentication system collects the end entity information required for secondary authentication (for example, the user ID for accessing the online service system and the system information of the mobile communication terminal), checks the collected end entity information, performs real-name verification and identity verification of the mobile communication terminal itself, transmits the result (authentication success/failure) to the mobile communication terminal, and receives and registers the device token of each mobile communication terminal that passed verification.
In this environment, when the end entity's computer device accesses the online service system, the online service system performs primary authentication of that computer device. At this time, the computer device transmits the end entity information required for authentication to the online service system. If primary authentication succeeds, the online service system delivers the end entity information to the secondary authentication system and requests secondary authentication.
When secondary authentication is requested by the online service system together with the end entity information (S401), the secondary authentication system checks whether a mobile communication terminal is registered for the received end entity information (S402).
If a mobile communication terminal is registered (S403), the secondary authentication system generates and stores a secondary authentication key, generates an authentication image corresponding to the generated secondary authentication key, and causes it to be displayed through the online service system on the computer device of the end entity whose primary authentication has been completed (S404). Here, the authentication image corresponding to the secondary authentication key may be a two-dimensional barcode image containing the secondary authentication key information. To prevent duplicate issuance, the secondary authentication key is generated by creating a timestamp based on Coordinated Universal Time (UTC) and using that timestamp together with the end entity information as the seed value.
The secondary authentication system generates an access key, stores it, and encrypts it (S405).
Using the device token of the mobile communication terminal pre-registered to the end entity whose primary authentication succeeded, the secondary authentication system delivers to the push server a message for activating the security authentication module 112D of the mobile communication terminal and issuing the encrypted access key to that terminal (S406).
The push server identifies, from the device token received from the secondary authentication system, the mobile communication terminal to which the message should be delivered, delivers a push message to that mobile communication terminal to activate the security authentication module, and passes the encrypted access key to the security authentication module.
The mobile communication terminal then decrypts the encrypted access key and prepares to receive secondary authentication information from the user; it receives the secondary authentication information from the user, extracts the secondary authentication key from it, and transmits the decrypted access key and the secondary authentication key to the secondary authentication system. The secondary authentication system thus receives the access key and the secondary authentication key from the mobile communication terminal (S407). The secondary authentication system compares the access key received in step S407 with the access key generated in step S405 and issued to the mobile communication terminal (S408). If the two access keys match in step S408, the secondary authentication system compares the secondary authentication key received in step S407 with the secondary authentication key stored in step S404 (S409). If the two secondary authentication keys match in step S409, the secondary authentication system approves the authentication (S410) and transmits the result to the online service system (S411).
On the other hand, if the two access keys do not match in step S408, or the two secondary authentication keys do not match in step S409, the secondary authentication system treats the authentication as failed (S412) and transmits the result to the online service system (S411). If no mobile communication terminal is registered in step S403, the request is handled as an unregistered mobile communication terminal (S413) and that result is reported to the online service system (S411).
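The first embodiment's server-side flow of FIG. 4 (S401 to S413) together with the terminal-side steps S310 to S314 of FIG. 3, as an added example that is not code from the patent or its assignee. The class and function names, the shared secret between the secondary authentication system and the security authentication module, the HMAC-counter-mode cipher standing in for the unspecified access key encryption, and the hashing of the timestamp-plus-entity seed are all assumptions; barcode rendering and decoding are left out, so the "authentication image" is represented by its payload string.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed: a secret shared between system 140 and module 112D (constructed value).
MODULE_SECRET = b"constructed-shared-secret-for-demo"


def _keystream_xor(secret: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (HMAC-SHA256 in counter mode); the patent does not name one."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(secret, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_access_key(access_key: str) -> dict:
    """System side of S405/S406: encrypt the access key and authenticate the blob."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(MODULE_SECRET, nonce, access_key.encode())
    tag = hmac.new(MODULE_SECRET, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_access_key(blob: dict) -> str:
    """Terminal side, S311: check the tag first, then recover the access key."""
    expect = hmac.new(MODULE_SECRET, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("access key blob failed integrity check")
    return _keystream_xor(MODULE_SECRET, blob["nonce"], blob["ct"]).decode()


@dataclass
class SecondaryAuthSystem:
    """Secondary authentication system 140, first embodiment."""
    devices: dict = field(default_factory=dict)   # database 145: entity -> device token
    pending: dict = field(default_factory=dict)   # memory unit 146: entity -> issued keys

    def register_device(self, entity_id: str, device_token: str) -> None:
        """Registration unit 143 (S307): bind the push device token to the end entity."""
        self.devices[entity_id] = device_token

    @staticmethod
    def make_secondary_key(entity_id: str, utc_ts: int) -> str:
        """S404: seed = UTC timestamp + end entity information, so two requests never
        yield the same key. Hashing the seed to 16 hex digits is an assumption."""
        seed = f"{utc_ts}|{entity_id}".encode()
        return hashlib.sha256(seed).hexdigest()[:16]

    def request_secondary_auth(self, entity_id: str, utc_ts: Optional[int] = None) -> dict:
        """S401 to S406: returns the barcode payload for the online service system and
        the message for push server 130, or the unregistered result (S413)."""
        device_token = self.devices.get(entity_id)
        if device_token is None:
            return {"status": "unregistered"}
        if utc_ts is None:
            utc_ts = int(time.time())
        key = self.make_secondary_key(entity_id, utc_ts)
        access_key = secrets.token_hex(16)                       # S405
        self.pending[entity_id] = {"key": key, "access": access_key}
        return {
            "status": "pending",
            "qr_payload": key,                                   # displayed on computer 111
            "push": {"device_token": device_token,               # S406
                     "enc_access_key": encrypt_access_key(access_key)},
        }

    def verify(self, entity_id: str, access_key: str, secondary_key: str) -> str:
        """S407 to S412. The pending record is consumed on every attempt, so the
        one-time key cannot be replayed after a success or a failure."""
        issued = self.pending.pop(entity_id, None)
        if issued is None:
            return "failed"
        if not hmac.compare_digest(issued["access"].encode(), access_key.encode()):  # S408
            return "failed"                                      # S412
        if not hmac.compare_digest(issued["key"].encode(), secondary_key.encode()):  # S409
            return "failed"
        return "approved"                                        # S410


def terminal_respond(push: dict, scanned_payload: str) -> Tuple[str, str]:
    """Module 112D, S310 to S314: decrypt the access key and pair it with the key
    decoded from the scanned barcode (decoding itself is not modelled)."""
    return decrypt_access_key(push["enc_access_key"]), scanned_payload


def demo() -> str:
    """One complete successful round trip with constructed sample values."""
    system = SecondaryAuthSystem()
    system.register_device("alice@example", "constructed-device-token")
    req = system.request_secondary_auth("alice@example", utc_ts=1300000000)
    access_key, key = terminal_respond(req["push"], req["qr_payload"])
    return system.verify("alice@example", access_key, key)
```

The `verify` ordering mirrors S408 before S409: a request that fails the access key check never reaches the key comparison, and either failure discards the pending record.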
Briefly, in the secondary authentication procedure of the second embodiment, the secondary authentication system 140 registers the mobile communication terminal 112 of the end entity 110 corresponding to the primary authentication information; in doing so it generates a secondary authentication key from an arbitrary image input from the mobile communication terminal 112, stores it, and issues it to the mobile communication terminal 112. The mobile communication terminal 112 receives an authentication-key storage password (PIN) from the user, encrypts the secondary authentication key issued by the secondary authentication system 140 with it, and stores the result. Later, when secondary authentication is requested by the online service system 120, the mobile communication terminal 112 receives the authentication-key storage password from the user, decrypts the stored encrypted secondary authentication key, and transmits it to the secondary authentication system 140; the secondary authentication system 140 performs user authentication by comparing the secondary authentication key received from the mobile communication terminal 112 at the time of the secondary authentication request with the secondary authentication key stored earlier.
FIG. 5 is a detailed block diagram of an image-based authentication system according to the second embodiment of the present invention.
The end entity's computer device, the online service system, and the push server that make up the image-based authentication system of the second embodiment are the same as the end entity's computer device, the online service system, and the push server of the first embodiment. In the first embodiment, however, the online service system, after requesting secondary authentication of the end entity from the secondary authentication system, receives an authentication image from the secondary authentication system and displays it on the end entity's computer device; in the second embodiment this step is omitted. Furthermore, the secondary authentication key issued by the secondary authentication system of the first embodiment is stored in the memory unit because it is essentially a one-time authentication key, whereas the secondary authentication key issued by the secondary authentication system of the second embodiment is a persistent, reusable authentication key and is therefore preferably stored as an item of the end entity information in the database. The image-based authentication systems of the first and second embodiments differ in the internal configuration of the security authentication module of the end entity's mobile communication terminal and of the authentication processing unit of the secondary authentication system. The description below focuses on these differences.
The mobile communication terminal according to the second embodiment includes a conventional input/output unit, transceiver unit, camera, and storage unit, together with a security authentication module 510 for performing image-based authentication according to the present invention. The storage unit may be a USIM card (universal subscriber identity module card) of the kind normally fitted in a mobile communication terminal, or internal memory.
The security authentication module 510 includes a device registration unit 511, which obtains from the push server a device token for communication with the secondary authentication system, registers the issued device token with the secondary authentication system, transmits an arbitrary authentication image captured by the camera to the secondary authentication system, and then receives from the secondary authentication system a secondary authentication key corresponding to that authentication image; and an authentication key processing unit 512, which encrypts the secondary authentication key obtained by the device registration unit 511 with an authentication-key storage password entered by the user, stores the encrypted secondary authentication key in the storage unit, and, when executed by a push message delivered from the push server, reads the encrypted secondary authentication key from the storage unit, decrypts it with the authentication-key storage password entered by the user, and transmits it to the secondary authentication system.
The security authentication module 510 may further include an access key processing unit 513 that accesses the secondary authentication system using an access key delivered from the push server together with the push message; this access key processing unit 513 may additionally include a function for decrypting an encrypted access key. That is, the secondary authentication system issues an encrypted access key to the mobile communication terminal, and the access key processing unit 513 decrypts the encrypted access key and then accesses the secondary authentication system using the decrypted access key.
The authentication processing unit 520 of the secondary authentication system according to the second embodiment of the present invention includes an authentication image receiving unit 521 that receives an authentication image from the mobile communication terminal; an authentication key generation/issuance unit 522 that generates a secondary authentication key from the received authentication image, stores it, and issues it to the mobile communication terminal; and an authentication key verification unit 523 that compares the secondary authentication key received from the pre-registered mobile communication terminal of an end entity that has completed primary authentication with the secondary authentication key issued to that mobile communication terminal, and verifies it. The authentication processing unit 520 further includes an access key issuance/verification unit 524 that issues an encrypted access key to the pre-registered mobile communication terminal of the end entity that has completed primary authentication and verifies the mobile communication terminal by comparing the access key received from it with the issued access key.
In other words, in the authentication technique of the second embodiment, while the secondary authentication system registers the mobile communication terminal, it generates a secondary authentication key from authentication image data captured by the user with the camera of the mobile communication terminal, stores it, and issues it to the mobile communication terminal. The mobile communication terminal receives an authentication-key storage password from the user, encrypts the secondary authentication key with that password, and stores the encrypted secondary authentication key in the storage unit. Thereafter, each time the user performs secondary authentication to use the online service system, the mobile communication terminal asks the user for the authentication-key storage password again, decrypts the encrypted secondary authentication key, and provides it to the secondary authentication system.
Because the second embodiment generates and issues the secondary authentication key from authentication image data captured by the user, duplicate issuance of a secondary authentication key can be prevented at the source. In addition, there is no need to issue a one-time secondary authentication key to the online service system or the mobile communication terminal every time secondary authentication is performed.
FIG. 6 is an operation flowchart of the registration and secondary authentication key issuance process in the mobile communication terminal of the image-based authentication system according to the second embodiment of the present invention, and FIG. 7 is an operation flowchart of the registration and secondary authentication key issuance process in the secondary authentication system of the image-based authentication system according to the second embodiment of the present invention.
The device registration and secondary authentication key issuance process carried out between the mobile communication terminal and the secondary authentication system is described below with reference to FIG. 6 and FIG. 7.
First, the security authentication module 510 is installed in the end entity's mobile communication terminal (S601). The security authentication module 510 transmits the end entity information required to perform authentication (the user ID for accessing the online service system, system information of the mobile communication terminal, and so on) to the secondary authentication system (S602).
When the secondary authentication system receives from the mobile communication terminal the end entity information required to perform authentication (the user ID for accessing the online service system, system information of the mobile communication terminal, and so on) (S701), it performs real-name verification and identity verification of the mobile communication terminal itself (S702) and transmits the result to the mobile communication terminal (S703).
If the mobile communication terminal receives a result from the secondary authentication system indicating that real-name verification and identity verification failed (S603), it treats the device registration as failed and terminates (S604).
If a result indicating that real-name verification and identity verification of the mobile communication terminal succeeded is received from the secondary authentication system (S603), the security authentication module of the mobile communication terminal connects to the push server and requests issuance of a device token, transmitting the security authentication module's certificate and the unique information of the mobile communication terminal to the push server (S605).
When the push server issues a device token (S606), the security authentication module 510 of the mobile communication terminal forwards the issued device token to the secondary authentication system (S607). When the secondary authentication system receives the device token from the mobile communication terminal (S704), it registers the mobile communication terminal's device token in the database together with the corresponding end entity information (S705).
After the device token has been registered, the security authentication module 510 of the mobile communication terminal asks the user to capture an authentication image (S608); when the authentication image data is input (S609), it transmits the authentication image data to the secondary authentication system (S610). When the secondary authentication system receives an authentication image from a mobile communication terminal whose device token is registered (S706), it generates a secondary authentication key from the received authentication image and stores it (S707), and issues the generated secondary authentication key to that mobile communication terminal (S708).
When the mobile communication terminal receives the secondary authentication key issued by the secondary authentication system (S611), it asks the user to enter an authentication-key storage password (S612). When the authentication-key storage password is entered (S613), the security authentication module 510 encrypts the secondary authentication key issued in step S611 with the authentication-key storage password entered in step S612 and stores it in the storage unit (S614).
FIG. 8 is an operation flowchart of the secondary authentication process in the mobile communication terminal of the image-based authentication system according to the second embodiment of the present invention, and FIG. 9 is an operation flowchart of the secondary authentication process in the secondary authentication system of the image-based authentication system according to the second embodiment of the present invention.
The secondary authentication process carried out between the mobile communication terminal and the secondary authentication system is described below with reference to FIG. 8 and FIG. 9.
When the secondary authentication system receives a secondary authentication request from the online service system together with the end entity information (S901), it checks whether a mobile communication terminal is registered for the received end entity information (S902).
If a mobile communication terminal is registered (S903), the secondary authentication system generates an access key, stores it, and encrypts it (S904). The secondary authentication system then passes to the push server a message for activating the security authentication module of the mobile communication terminal, using the device token of the mobile communication terminal registered to the end entity that passed primary authentication, and for issuing the encrypted access key to the mobile communication terminal.
The push server identifies, from the device token received from the secondary authentication system, the mobile communication terminal to which the message is to be delivered, delivers a push message to that mobile communication terminal to activate the security authentication module, and passes the encrypted access key to the security authentication module.
When a push message is received from the push server (S801), the mobile communication terminal wakes up and activates the security authentication module (S802). When the encrypted access key is received (S803), the security authentication module of the mobile communication terminal decrypts the encrypted access key (S804) and asks the user to enter the authentication-key storage password (S805). When the user enters the authentication-key storage password (S806), the security authentication module decrypts the encrypted secondary authentication key stored in the storage unit with the authentication-key storage password (S807). The security authentication module then accesses the secondary authentication system with the access key decrypted in step S804 and transmits the secondary authentication key decrypted in step S807 (S808). The secondary authentication system thus receives the access key and the secondary authentication key from the mobile communication terminal (S906). The secondary authentication system compares the access key received in step S906 with the access key issued in step S905 (S907). If the comparison in step S907 shows that the two access keys match, the secondary authentication system compares the secondary authentication key received in step S906 with the previously stored secondary authentication key (S908). If the comparison in step S908 shows that the two secondary authentication keys match, the secondary authentication system approves the authentication (S909) and transmits the result to the online service system (S910).
If, on the other hand, the two access keys do not match in step S907, or the two secondary authentication keys do not match in step S908, the secondary authentication system treats the authentication as failed (S911) and transmits the result to the online service system (S910). If no mobile communication terminal is registered in step S903, the request is handled as an unregistered mobile communication terminal (S912), and the result is reported to the online service system (S910).
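The registration flow (S601-S614 / S701-S708) and the secondary authentication flow (S801-S808 / S901-S912) of the second embodiment, carried through end to end as an added Python simulation; this is not the patent's own code. The terminal, the secondary authentication system and the push server are each modelled in-process, and the server checks the access key before the secondary authentication key in the same order as S907/S908 (and as S408/S409 of the first embodiment). The patent leaves the cryptographic primitives open, so the following are assumptions of this example: the secondary key is an HMAC-SHA256 over the image bytes keyed with a server secret, the authentication-key storage password (PIN) is stretched with PBKDF2, the encryption of the access key and of the stored secondary key is an HMAC-SHA256 keystream XOR standing in for a real authenticated cipher, and a transport key is shared between terminal and server at registration. The sample image bytes, tokens and entity id are constructed.

```python
"""Simulation of the second embodiment's registration (S601-S614 / S701-S708)
and secondary authentication (S801-S808 / S901-S912) flows.  Added example,
not the patent's own code; the primitives below are assumptions."""
import hashlib
import hmac
import os
import secrets

SERVER_IMAGE_SECRET = b"constructed-server-secret"  # assumption, constructed value


def keystream_xor(key: bytes, data: bytes, label: bytes) -> bytes:
    """Symmetric mask: XOR data with HMAC-SHA256(key, label || counter) blocks.
    Stand-in for an authenticated cipher.  A wrong key yields garbage, which
    the server then rejects at S908, matching the patent's failure path."""
    stream = b"".join(
        hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def pin_key(pin: str, salt: bytes) -> bytes:
    """Authentication-key storage password (PIN) -> 32-byte key (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Terminal:
    """Mobile communication terminal with its security authentication module."""

    def __init__(self, device_token: str, transport_key: bytes):
        self.device_token = device_token
        self.transport_key = transport_key  # assumed key shared with the server
        self.salt = b""
        self.encrypted_secondary_key = b""

    def store_secondary_key(self, secondary_key: bytes, pin: str) -> None:
        """S611-S614: encrypt the issued key with the PIN; keep only ciphertext."""
        self.salt = os.urandom(16)
        self.encrypted_secondary_key = keystream_xor(
            pin_key(pin, self.salt), secondary_key, b"seckey")

    def on_push(self, encrypted_access_key: bytes, pin: str):
        """S801-S808: decrypt the access key, then the stored secondary key."""
        access_key = keystream_xor(self.transport_key, encrypted_access_key, b"access")
        secondary_key = keystream_xor(
            pin_key(pin, self.salt), self.encrypted_secondary_key, b"seckey")
        return access_key, secondary_key


class SecondaryAuthSystem:
    def __init__(self):
        self.db = {}       # end entity info -> registered terminal record (S705, S707)
        self.pending = {}  # end entity info -> access key issued at S904

    def register_device(self, entity_id: str, device_token: str, transport_key: bytes) -> None:
        """S704-S705: store the device token with the end entity information."""
        self.db[entity_id] = {"token": device_token, "transport_key": transport_key,
                              "secondary_key": None}

    def issue_secondary_key(self, entity_id: str, image: bytes) -> bytes:
        """S706-S708: derive the secondary key from the image, store it, issue it."""
        key = hmac.new(SERVER_IMAGE_SECRET, image, hashlib.sha256).digest()
        self.db[entity_id]["secondary_key"] = key
        return key

    def request_secondary_auth(self, entity_id: str):
        """S901-S904: (device token, encrypted access key) for the push server,
        or None when no terminal is registered (S912)."""
        rec = self.db.get(entity_id)
        if rec is None:
            return None
        access_key = secrets.token_bytes(32)
        self.pending[entity_id] = access_key
        return rec["token"], keystream_xor(rec["transport_key"], access_key, b"access")

    def verify(self, entity_id: str, access_key: bytes, secondary_key: bytes) -> str:
        """S906-S911: access key first (S907), then secondary key (S908)."""
        rec = self.db.get(entity_id)
        issued = self.pending.pop(entity_id, None)  # access key is consumed on first use
        if rec is None or issued is None or not hmac.compare_digest(issued, access_key):
            return "fail"      # S911 via S907
        if not hmac.compare_digest(rec["secondary_key"], secondary_key):
            return "fail"      # S911 via S908
        return "approved"      # S909


def simulate(registration_pin: str, login_pin: str, registered: bool = True) -> str:
    """Run registration with one PIN and authentication with another."""
    server = SecondaryAuthSystem()
    push_server = {}  # device token -> terminal, as resolved by the push server
    terminal = Terminal("tok-constructed", os.urandom(32))
    push_server[terminal.device_token] = terminal
    if registered:
        server.register_device("user@example", terminal.device_token, terminal.transport_key)
        image = b"constructed-camera-capture-bytes"  # S608-S610, constructed
        terminal.store_secondary_key(
            server.issue_secondary_key("user@example", image), registration_pin)
    push = server.request_secondary_auth("user@example")  # S901-S904
    if push is None:
        return "unregistered"                              # S912
    token, encrypted_access_key = push
    access_key, secondary_key = push_server[token].on_push(encrypted_access_key, login_pin)
    return server.verify("user@example", access_key, secondary_key)


if __name__ == "__main__":
    print(simulate("1234", "1234"), simulate("1234", "0000"),
          simulate("1234", "1234", registered=False))
```

Two choices go slightly beyond what the patent states and are worth keeping in a real implementation: the issued access key is removed from the pending table the moment it is checked, so it cannot be replayed, and both comparisons use `hmac.compare_digest` so that timing does not leak how many bytes matched.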

Claims (20)

  1. An image-based authentication system for authenticating an end entity that includes a computer device which performs primary authentication through communication with an online service system and a mobile communication terminal for performing secondary authentication, the system comprising:
    a mobile communication terminal registration unit that registers end entity information required for secondary authentication and a mobile communication terminal matched to the end entity information;
    an authentication key generation unit that generates a secondary authentication key to be issued to an end entity that has completed primary authentication;
    an authentication image generation unit that generates an authentication image corresponding to the generated secondary authentication key and provides it, through the online service system, for display on the computer device of the end entity that has completed primary authentication; and
    an authentication key verification unit that activates the mobile communication terminal registered to the end entity that has completed primary authentication and then verifies the secondary authentication key received from the activated mobile communication terminal.
  2. The image-based authentication system of claim 1, wherein the mobile communication terminal registration unit registers a device token of the mobile communication terminal matched to the end entity information, and the authentication key verification unit uses the device token of the mobile communication terminal matched to the end entity information to activate the mobile communication terminal through a push server and then communicates with the mobile communication terminal to receive the secondary authentication key from it.
  3. The image-based authentication system of claim 1, wherein the authentication image is a two-dimensional barcode.
  4. The image-based authentication system of claim 1, wherein the authentication image is an image containing at least one of a picture, characters, and numerals corresponding to the secondary authentication key.
  5. The image-based authentication system of claim 1, further comprising an access key issuance/verification unit that issues an access key to the mobile communication terminal registered to the end entity that has completed primary authentication and verifies the mobile communication terminal by comparing the access key received from the mobile communication terminal with the issued access key.
  6. The image-based authentication system of claim 5, wherein the access key issuance/verification unit encrypts the access key, issues it to the mobile communication terminal, and receives the decrypted access key from the mobile communication terminal.
  7. An image-based authentication method for authenticating an end entity that includes a computer device which performs primary authentication through communication with an online service system and a mobile communication terminal for performing secondary authentication, the method comprising:
    a mobile communication terminal registration step in which a secondary authentication system registers end entity information required for secondary authentication and a mobile communication terminal matched to the end entity information;
    an authentication key generation step in which, when secondary authentication of the end entity is requested by the online service system, the secondary authentication system generates a secondary authentication key to be issued to the end entity that has completed primary authentication;
    an authentication image generation step in which the secondary authentication system generates an authentication image corresponding to the generated secondary authentication key and provides it, through the online service system, for display on the computer device of the end entity that has completed primary authentication; and
    an authentication key verification step in which, after the authentication image generation step, the secondary authentication system activates the mobile communication terminal registered to the end entity that has completed primary authentication and verifies the secondary authentication key received from the activated mobile communication terminal.
  8. The image-based authentication method of claim 7, wherein the mobile communication terminal registration step registers a device token of the mobile communication terminal matched to the end entity information, and the authentication key verification step uses the device token of the mobile communication terminal matched to the end entity information to activate the mobile communication terminal through a push server and communicates with the mobile communication terminal to receive the secondary authentication key from it.
  9. The image-based authentication method of claim 7, wherein the authentication image is a two-dimensional barcode.
  10. The image-based authentication method of claim 7, wherein the authentication image is an image containing at least one of a picture, characters, or numerals corresponding to the secondary authentication key.
  11. The image-based authentication method of claim 7, further comprising an access key issuance/verification step in which, while the secondary authentication system carries out the authentication key generation step through the authentication key verification step, it issues an access key to the mobile communication terminal registered to the end entity that has completed primary authentication and verifies the mobile communication terminal by comparing the access key received from the mobile communication terminal with the issued access key.
  12. The image-based authentication method of claim 11, wherein the access key issuance/verification step encrypts the access key, issues it to the mobile communication terminal, and receives the decrypted access key from the mobile communication terminal.
  13. An image-based authentication system for authenticating an end entity that includes a computer device which performs primary authentication through communication with an online service system and a mobile communication terminal for performing secondary authentication, the system comprising:
    a mobile communication terminal registration unit that registers end entity information required for secondary authentication and a mobile communication terminal matched to the end entity information;
    an authentication image receiving unit that receives an authentication image through the mobile communication terminal registered in the mobile communication terminal registration unit;
    an authentication key generation/issuance unit that generates a secondary authentication key from the received authentication image, stores it, and issues it to the mobile communication terminal so that it is stored there; and
    an authentication key verification unit that activates the mobile communication terminal registered to an end entity that has completed primary authentication and then receives and verifies the previously stored secondary authentication key from the activated mobile communication terminal.
  14. The image-based authentication system of claim 13, wherein the mobile communication terminal registration unit registers a device token of the mobile communication terminal matched to the end entity information, and the authentication key verification unit uses the device token of the mobile communication terminal matched to the end entity information to activate the mobile communication terminal through a push server and then communicates with the mobile communication terminal to receive the secondary authentication key from it.
  15. The image-based authentication system of claim 13, further comprising an access key issuance/verification unit that issues an access key to the mobile communication terminal registered to the end entity that has completed primary authentication and verifies the mobile communication terminal by comparing the access key received from the mobile communication terminal with the issued access key.
  16. The image-based authentication system of claim 15, wherein the access key issuance/verification unit encrypts the access key, issues it to the mobile communication terminal, and receives the decrypted access key from the mobile communication terminal.
  17. 온라인 서비스 시스템과의 통신을 통해 1차 인증을 수행하는 컴퓨터장치와, 2차 인증을 수행하기 위한 이동통신단말기를 포함하는 종단실체를 인증하는 방법에 있어서,In the method for authenticating an end entity including a computer device for performing the first authentication through communication with the online service system, and a mobile communication terminal for performing the second authentication,
    2차인증시스템이 2차 인증에 필요한 종단실체 정보와 상기 종단실체 정보와 매칭되는 이동통신단말기를 등록하는 이동통신단말기등록단계와;A mobile communication terminal registration step of registering, by the secondary authentication system, terminal entity information necessary for secondary authentication and a mobile communication terminal matching the terminal entity information;
    상기 2차인증시스템이 상기 이동통신단말기등록부에 등록된 상기 이동통신단말기를 통해 인증이미지를 수신하는 인증이미지수신단계와;An authentication image receiving step of receiving, by the secondary authentication system, an authentication image through the mobile communication terminal registered in the mobile communication terminal registration unit;
    상기 2차인증시스템이 상기 수신된 인증이미지로부터 2차인증키를 생성하여 저장하고 상기 이동통신단말기에게 발급하여 저장되도록 하는 인증키생성발급단계와;An authentication key generation issuing step for the secondary authentication system to generate and store a secondary authentication key from the received authentication image and to issue and store the secondary authentication key to the mobile communication terminal;
    상기 온라인 서비스 시스템으로부터 상기 종단실체의 2차 인증이 요청되면, 상기 2차인증시스템이 1차 인증 완료된 종단실체에 등록된 이동통신단말기를 활성화시키고 상기 활성화된 이동통신단말기로부터 기저장된 2차인증키를 수신하여 검증하는 인증키검증단계를 포함한 것을 특징으로 하는 이미지 기반 인증 방법.When the second authentication of the end entity is requested from the on-line service system, the second authentication system activates a mobile communication terminal registered in the terminal entity for which primary authentication has been completed, and the second authentication key previously stored from the activated mobile communication terminal. Image-based authentication method comprising the authentication key verification step of receiving and verifying.
  18. 제 17 항에 있어서, 상기 이동통신단말기등록단계는 상기 종단실체 정보와 매칭되는 이동통신단말기의 장치토큰을 등록하고, 상기 인증키검증단계는 상기 종단실체 정보와 매칭되는 이동통신단말기의 장치토큰을 이용하여 푸시서버를 통해 상기 이동통신단말기를 활성화시킨 후 상기 이동통신단말기와 통신하여 상기 이동통신단말기로부터 상기 2차인증키를 입력받는 것을 특징으로 하는 이미지 기반 인증 방법.18. The apparatus of claim 17, wherein the registering of the mobile communication terminal registers a device token of the mobile communication terminal that matches the terminal entity information, and wherein the authentication key verification step comprises registering a device token of the mobile communication terminal that matches the terminal entity information. And activating the mobile communication terminal through a push server to communicate with the mobile communication terminal to receive the secondary authentication key from the mobile communication terminal.
  19. 제 17 항에 있어서, 상기 2차인증시스템이 상기 인증키검증단계를 진행하는 동안에 상기 1차 인증 완료된 종단실체에 등록된 이동통신단말기에 접근키를 발급하고 상기 이동통신단말기로부터 수신되는 접근키와 발급한 접근키를 비교하여 상기 이동통신단말기를 검증하는 접근키 발급/검증단계를 더 포함한 것을 특징으로 하는 이미지 기반 인증 방법.18. The method of claim 17, wherein the secondary authentication system issues an access key to a mobile communication terminal registered in the primary authentication-completed end entity during the authentication key verification step, and receives an access key received from the mobile communication terminal. And an access key issuing / verifying step for verifying the mobile communication terminal by comparing the issued access key.
  20. 제 19 항에 있어서, 상기 접근키 발급/검증단계는 상기 접근키를 암호화하여 상기 이동통신단말기에게 발급하고, 상기 이동통신단말기로부터 복호화된 접근키를 수신하는 것을 특징으로 하는 이미지 기반 인증 방법.20. The method of claim 19, wherein the issuing / verifying the access key encrypts the access key and issues it to the mobile communication terminal, and receives the decrypted access key from the mobile communication terminal.
PCT/KR2012/001249 2011-03-21 2012-02-20 System and method for image-based authentication WO2012128478A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2011-0024704 2011-03-21
KR1020110024704A KR101257761B1 (en) 2011-03-21 2011-03-21 Image based authentication system and method therefor

Publications (2)

Publication Number Publication Date
WO2012128478A2 true WO2012128478A2 (en) 2012-09-27
WO2012128478A3 WO2012128478A3 (en) 2012-12-27

Family

ID=46879841

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2012/001249 WO2012128478A2 (en) 2011-03-21 2012-02-20 System and method for image-based authentication

Country Status (2)

Country Link
KR (1) KR101257761B1 (en)
WO (1) WO2012128478A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021093162A1 (en) * 2020-01-16 2021-05-20 Zte Corporation Method, device, and system for anchor key generation and management in a communication network for encrypted communication with service applications
US11830290B2 (en) 2021-05-07 2023-11-28 Bendix Commercial Vehicle Systems, Llc Systems and methods for driver identification using driver facing camera of event detection and reporting system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090288159A1 (en) * 2008-05-19 2009-11-19 Dirk Husemann Method and Apparatus for Secure Authorization
KR100992573B1 (en) * 2010-03-26 2010-11-05 주식회사 아이그로브 Authentication method and system using mobile terminal
KR20110006734A (en) * 2010-01-08 2011-01-20 김주한 Member registration system using mobile devices and authentication systems

Also Published As

Publication number Publication date
KR20120107175A (en) 2012-10-02
KR101257761B1 (en) 2013-04-24
WO2012128478A3 (en) 2012-12-27

Similar Documents

Publication Publication Date Title
WO2018124857A1 (en) Blockchain database-based method and terminal for authenticating user non-face-to-face by utilizing mobile id, and server utilizing method and terminal
WO2018030707A1 (en) Authentication system and method, and user equipment, authentication server, and service server for performing same method
WO2011118871A1 (en) Authentication method and system using portable terminal
WO2017111383A1 (en) Biometric data-based authentication device, control server linked to same, and biometric data-based login method for same
US10282541B2 (en) Method and system for verifying an access request
WO2019074326A1 (en) Method and apparatus for secure offline payment
WO2013176491A1 (en) Method for authenticating web service user
JP2016063533A (en) Network authentication method for electronic transactions
WO2013141632A1 (en) Authentication method and system for same
WO2018124856A1 (en) Method and terminal for authenticating user by utilizing mobile id by means of blockchain database, and server utilizing method and terminal
WO2018021708A1 (en) Public key-based service authentication method and system
WO2017043717A1 (en) Biometric user authentication method
WO2012043963A1 (en) Authentication method and server
KR20210095093A (en) Method for providing authentification service by using decentralized identity and server using the same
CN112912875A (en) Authentication system, authentication method, application providing device, authentication device, and authentication program
WO2012074275A2 (en) User authentication apparatus for internet security, user authentication method for internet security, and recorded medium recording same
WO2015069028A1 (en) Multi-channel authentication, and financial transfer method and system using mobile communication terminal
WO2020032351A1 (en) Method for establishing anonymous digital identity
KR101206854B1 (en) Authentication system and method based by unique identifier
JP3889030B1 (en) Authentication system, authentication program, and authentication method
WO2018151392A1 (en) Smart login method using messenger service and apparatus therefor
CN107548542A (en) Through the user authen method for strengthening integrality and security
KR20210095061A (en) Method for providing authentification service by using decentralized identity and server using the same
WO2012128478A2 (en) System and method for image-based authentication
KR20210006782A (en) An OTP configuration method of setting time seed with unique cycle by using active time offset window per each client

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 12761358
    Country of ref document: EP
    Kind code of ref document: A2
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 12761358
    Country of ref document: EP
    Kind code of ref document: A2