WO2012128478A2 - Image-based authentication system and method - Google Patents


Info

Publication number
WO2012128478A2
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
mobile communication
communication terminal
key
image
Application number
PCT/KR2012/001249
Other languages
English (en)
Korean (ko)
Other versions
WO2012128478A3 (fr)
Inventor
정영석
한형덕
황재연
Original Assignee
(주)잉카인터넷
Application filed by (주)잉카인터넷
Publication of WO2012128478A2
Publication of WO2012128478A3

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
              • H04L 9/3215 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
          • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
            • H04L 2209/80 Wireless
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/06 Authentication
              • H04W 12/069 Authentication using certificates or pre-shared keys
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
          • G06K 7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
            • G06K 7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
        • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
          • G06V 30/00 Character recognition; Recognising digital ink; Document-oriented image-based pattern recognition
            • G06V 30/10 Character recognition
              • G06V 30/22 Character recognition characterised by the type of writing
                • G06V 30/224 Character recognition characterised by the type of writing of printed characters having additional code marks or containing code marks

Definitions

  • The present invention relates to an authentication system and method, and more particularly to an image-based authentication system and method in which a user is authenticated by transmitting to an authentication server an authentication key that corresponds to an authentication image.
  • The most commonly used user authentication method is one based on a user ID and password.
  • The user ID and password are registered in advance; when the user later tries to access the system, the registered user ID and password are entered to verify the user's identity.
  • Because the authentication information (user ID and password) is easy to steal or hack, this method cannot block malicious access attempts once the authentication information has been exposed.
  • This one-time authentication key-based authentication method usually proceeds as follows.
  • The online service system performs a first authentication procedure (for example, checking a user ID and password) and, after the first authentication, requests a second authentication from the second authentication server.
  • The secondary authentication server sends a text message (SMS) containing a one-time authentication key to the user's mobile communication terminal.
  • The online service system receives the one-time authentication key through the user's computer device and delivers it to the secondary authentication server.
  • The secondary authentication server verifies that the one-time authentication key sent to the user's mobile terminal and the one-time authentication key entered through the online service system are the same.
  • Although the one-time-key-based secondary authentication method strengthens user authentication to some extent, vulnerabilities remain in the form of the following remote hacking and short-range hacking techniques.
  • Remote hacking: when a user sends the one-time authentication key to the online service system, an attacker intercepts it through network spoofing; or the attacker installs a key logger on the user's computer device in advance and remotely monitors and extracts the one-time authentication key entered on that device; or the attacker lures the user to a phishing site rather than the online service system and captures the one-time authentication key entered there. For example, in July 2006 an account at a US bank was broken into with an authentication key stolen through a phishing site, a remote hacking technique.
  • Short-range hacking: a one-time authentication key sent to the user's mobile communication terminal may be observed and stolen by someone near the user through techniques such as shoulder surfing or social engineering.
  • An object of the present invention, devised to meet the needs described above, is to provide an image-based authentication system and method that authenticates the user by receiving an image-based authentication key from a pre-registered mobile communication terminal corresponding to a computer device for which primary authentication has been completed, and comparing it with a previously registered authentication key, so that theft of the single-use authentication key through a remote hacking or short-range hacking technique is resisted.
  • An image-based authentication system for achieving the above object authenticates a terminal entity that includes a computer device for performing the first authentication through communication with the online service system and a mobile communication terminal for performing the second authentication. The system comprises: a mobile communication terminal registration unit for registering the end entity information required for secondary authentication and the mobile communication terminal matching that information; an authentication key generation unit for generating a second authentication key to be issued to the end entity that has completed primary authentication; an authentication image generation unit for generating an authentication image corresponding to the generated second authentication key and displaying it, through the online service system, on the computer device of the end entity that has completed primary authentication; and an authentication key verification unit for activating the mobile communication terminal registered for that end entity and then verifying the secondary authentication key received from the activated terminal.
  • An image-based authentication method according to the invention authenticates a terminal entity that includes a computer device for performing the first authentication through communication with the online service system and a mobile communication terminal for performing the second authentication. The method comprises: a mobile communication terminal registration step in which a secondary authentication system registers the terminal entity information necessary for secondary authentication and the mobile communication terminal matching that information; an authentication key generation step in which, when the online service system requests the second authentication of the end entity, the second authentication system generates a second authentication key to be issued to the end entity that has completed first authentication; an authentication image generation step in which the secondary authentication system generates an authentication image corresponding to the generated second authentication key and displays it, through the online service system, on the computer device of the end entity that has completed first authentication; and an authentication key verification step in which, after the authentication image generation step, the secondary authentication system activates the mobile communication terminal registered for that end entity and verifies the secondary authentication key received from the activated terminal.
  • In a second embodiment, an image-based authentication system authenticates a terminal entity that includes a computer device for performing the first authentication through communication with the online service system and a mobile communication terminal for performing the second authentication. The system comprises: a mobile communication terminal registration unit for registering the end entity information necessary for secondary authentication and the mobile communication terminal matching that information; an authentication image receiver for receiving an authentication image through the mobile communication terminal registered in the registration unit; an authentication key generation and issuing unit for generating a second authentication key from the received authentication image, storing it, and issuing it to the mobile communication terminal, which stores it as well; and an authentication key verification unit for activating the mobile communication terminal registered for the end entity that has completed primary authentication and receiving and verifying the stored second authentication key from the activated terminal.
  • The corresponding image-based authentication method authenticates a terminal entity that includes a computer device for performing the first authentication through communication with the online service system and a mobile communication terminal for performing the second authentication. The method comprises: a mobile communication terminal registration step in which a secondary authentication system registers the terminal entity information necessary for secondary authentication and the mobile communication terminal matching that information; an authentication image receiving step in which the secondary authentication system receives an authentication image through the registered mobile communication terminal; an authentication key generation and issuing step in which the secondary authentication system generates a secondary authentication key from the received authentication image, stores it, and issues it to the mobile communication terminal, which stores it as well; and an authentication key verification step in which the second authentication system activates the mobile communication terminal registered for the terminal entity whose primary authentication has been completed and receives and verifies the previously stored second authentication key from the activated terminal.
  • Because the second authentication of the user is performed by receiving an image-based authentication key from a pre-registered mobile communication terminal that matches the computer device for which the first authentication has been completed, authentication security is further enhanced.
  • FIG. 1 is a schematic structural block diagram of an image-based authentication system according to the present invention.
  • FIG. 2 is a detailed block diagram of an image-based authentication system according to a first embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating an operation of a mobile communication terminal of the image-based authentication system according to the first embodiment of the present invention.
  • FIG. 4 is an operation flowchart showing the operation of the secondary authentication system of the image-based authentication system according to a first embodiment of the present invention.
  • FIG. 5 is a detailed block diagram of an image-based authentication system according to a second embodiment of the present invention.
  • FIG. 6 is a flowchart illustrating the process of registering and issuing a secondary authentication key in the mobile communication terminal of an image-based authentication system according to a second embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating the process of registering and issuing a secondary authentication key in the secondary authentication system of an image-based authentication system according to a second embodiment of the present invention.
  • FIG. 8 is an operation flowchart illustrating the second authentication process in the mobile communication terminal of an image-based authentication system according to a second embodiment of the present invention.
  • FIG. 9 is an operation flowchart illustrating the second authentication process in the secondary authentication system of an image-based authentication system according to a second embodiment of the present invention.
  • Reference numerals: 110 terminal entity; 111 computer device; 141 transmission and reception processing unit; 142 encryption and decryption processing unit.
  • FIG. 1 is a schematic structural block diagram of an image-based authentication system according to the present invention.
  • The end entity 110 is an end user who uses the authentication procedure of this invention.
  • The end entity 110 uses the authentication procedure according to the present invention to receive an online service from the online service system 120 through the communication network 100.
  • The end entity 110 includes a computer device 111, which receives the online service of the online service system 120 and performs the first authentication through communication with the online service system 120, and a mobile communication terminal 112, which performs the second authentication according to the present invention.
  • The computer device 111 covers various computing environments such as a desktop or a notebook.
  • The mobile communication terminal 112 is preferably a smartphone equipped with an operating system (OS) and capable of installing and running various applications. The detailed configuration of the computer device 111 and the mobile communication terminal 112 for implementing the present invention is described later.
  • The online service system 120 is a system on the web that provides an online service to a plurality of users through the communication network 100.
  • The online service system 120 performs primary authentication of the end entity 110.
  • The online service system 120 includes a login processing system 121, in which the first authentication of the end entity 110 is performed.
  • Primary authentication covers every form of single-factor authentication, such as knowledge-based authentication, ownership-based authentication, and entity-based authentication.
  • The push (PUSH) server 130 is a service provided by the manufacturer of the mobile communication terminal 112 of the end entity 110.
  • A device token corresponding to the application is issued by the push server 130.
  • The push server 130 wakes up the mobile communication terminal 112 by sending it a push message (wakeup) and activates the application corresponding to the device token (in the present invention, the security authentication module).
  • Issuance of a device token to the mobile terminal 112 by the push server is described in detail later.
  • For the iOS series, the Apple Push Notification Service (APNs) provided by Apple is used as the push server; for the Android series, C2DM (Cloud To Device Messaging) provided by Google is used as the push server.
  • The second authentication system 140 uses the device token of the end entity 110 to wake up the pre-registered mobile communication terminal 112, activates the security authentication module installed in it, receives the secondary authentication key from the mobile communication terminal 112, and performs the second authentication procedure.
  • Two embodiments are proposed for the second authentication procedure.
  • The secondary authentication system 140 registers the mobile communication terminal 112 of the end entity 110 in correspondence with the primary authentication information.
  • The second authentication system 140 issues a second authentication key, generates an authentication image corresponding to the issued key, displays the image on the computer device 111 of the end entity 110, and receives a second authentication key based on that image through the registered mobile terminal 112.
  • The secondary authentication system 140 performs user authentication by comparing the secondary authentication key entered through the mobile communication terminal 112 with the issued secondary authentication key.
  • FIG. 2 is a detailed block diagram of an image-based authentication system according to a first embodiment of the present invention.
  • The computer device 111 of the terminal entity 110 includes an input/output unit 111A and a transceiver unit 111B.
  • The input/output unit 111A consists of a typical keyboard, mouse, monitor, or the like, and provides the interface with the user.
  • The transceiver 111B is connected to the online service system 120 through a wired communication network.
  • The computer device 111 receives the authentication image from the secondary authentication system 140 and outputs it on the screen of the input/output unit 111A.
  • The mobile communication terminal 112 of the terminal entity 110 includes an input/output unit 112A, a transceiver unit 112B, a camera 112C, and a security authentication module 112D.
  • The input/output unit 112A is a conventional touch pad or the like and provides the interface with the user.
  • The transceiver 112B is connected to the push server 130 and the secondary authentication system 140 through a mobile communication network.
  • The camera 112C acquires image data by capturing an image at the direction of the user of the mobile communication terminal.
  • The security authentication module 112D includes a device registration unit, which obtains from the push server 130 a device token for communication with the secondary authentication system 140 and registers the issued device token with the secondary authentication system 140, and an authentication key output unit, which is launched by the push message transmitted from the push server 130 and transmits to the secondary authentication system 140 the secondary authentication key based on the authentication image displayed on the screen of the computer device 111.
  • The security authentication module 112D may further include an access key processing unit for accessing the secondary authentication system 140 using an access key delivered together with the push message from the push server 130.
  • The access key processing unit may further include a function for decrypting an encrypted access key. That is, the secondary authentication system 140 encrypts the access key and transmits it along with the push message to the mobile communication terminal 112, and the access key processing unit decrypts the encrypted access key and uses the decrypted access key to access the secondary authentication system 140.
  • The secondary authentication system 140 verifies the access authority of the mobile communication terminal 112 attempting the access by using the access key received from that terminal.
  • The authentication key output unit of the security authentication module 112D may output to the secondary authentication system 140 a secondary authentication key entered directly through the input/output unit 112A. That is, the authentication image is an image containing a figure, a number, and a letter, and the user enters through the input/output unit 112A the name of the figure in the authentication image (for example, an animal, plant, or object such as an elephant, a sunflower, or an umbrella) or the numbers and letters it contains.
  • The security authentication module 112D may further include an image analysis unit for automatically extracting the second authentication key by analyzing the authentication image data captured through the camera 112C. That is, the authentication image is a two-dimensional barcode, and the image analysis unit may be a barcode analysis unit. Two-dimensional barcodes include the QR code (Quick Response Code), PDF417, Data Matrix, MaxiCode, and the like.
  • The online service system 120 stores the information necessary for the first authentication of the end entity 110, requests second authentication from the second authentication system 140 for an end entity 110 whose first authentication has been completed, receives the authentication image from the secondary authentication system 140, and provides a web page including the authentication image to the computer device 111 of the end entity 110.
  • The secondary authentication system 140 comprises a transmission and reception processing unit 141 for data transmission and reception with the end entity 110, the online service system 120, and the push server 130; an encryption and decryption processing unit 142, which encrypts or decrypts the data transmitted and received through the transmission and reception processing unit 141; a mobile communication terminal registration unit 143; an authentication processing unit 144 for receiving and verifying the second authentication key corresponding to the authentication image from the mobile communication terminal 112; a database 145 storing end entity information, device token information, and settings for each end entity; and a memory unit 146 storing the secondary authentication key information and processing procedure information issued by the authentication processing unit 144.
  • The transmission and reception processing unit 141 includes a wired processing unit that communicates with the online service system 120 and the push server 130 through a wired communication network, and a wireless processing unit that communicates with the mobile communication terminal 112 through a wireless communication network.
  • The mobile communication terminal registration unit 143 includes a device registration processing unit that processes device registration for each mobile communication terminal 112, and a device number issuer that issues a number to each registered mobile communication terminal.
  • The authentication processing unit 144 includes an authentication key generation unit that generates a second authentication key to be issued to the terminal entity 110 whose first authentication has been completed; an authentication image generation unit that generates an authentication image corresponding to the second authentication key and displays it on the computer device 111 of that end entity 110; and an authentication key verification unit that compares and verifies the secondary authentication key received from the pre-registered mobile communication terminal 112 of that end entity 110 against the secondary authentication key generated by the authentication key generation unit.
  • The authentication processing unit 144 further includes an access key issuing/verifying unit that issues an access key to the pre-registered mobile communication terminal 112 of the terminal entity 110 whose primary authentication has been completed, and verifies the mobile communication terminal 112 by comparing the issued access key with the access key received from it. The memory unit 146 additionally stores the access key information issued to the mobile communication terminal 112.
  • FIG. 3 is a flowchart illustrating an operation of a mobile communication terminal of the image-based authentication system according to the first embodiment of the present invention.
  • The security authentication module 112D of the mobile communication terminal 112 is an application program built on the operating system of the mobile communication terminal 112 that performs the authentication procedure according to the present invention.
  • The security authentication module 112D is installed in the mobile communication terminal 112 of the end entity (S301).
  • The security authentication module 112D transmits the end entity information needed for authentication (the user ID for accessing the online service system, system information of the mobile communication terminal, etc.) to the secondary authentication system 140, which thereby collects the end entity information through the mobile communication terminal 112 (S302).
  • The secondary authentication system 140 checks the collected end entity information, performs real-name authentication and self-authentication of the mobile communication terminal itself, and transmits the result to the mobile communication terminal 112.
  • On failure, the security authentication module 112D of the mobile communication terminal recognizes that device registration has failed and ends (S304).
  • On success, the security authentication module 112D of the mobile communication terminal connects to the push server 130, transmits the certificate of the security authentication module and the unique information of the mobile communication terminal to the push server, and requests issuance of a device token (S305).
  • The security authentication module 112D of the mobile communication terminal transfers the issued device token to the secondary authentication system (S307). The secondary authentication system 140 then registers the device token of the mobile communication terminal 112 in the database together with the corresponding terminal entity information.
  • When a push message arrives, the mobile communication terminal wakes up and activates the security authentication module 112D (S309).
  • The security authentication module 112D of the mobile communication terminal decrypts the encrypted access key (S311).
  • The security authentication module 112D extracts the second authentication key from the second authentication information (S313), accesses the second authentication system using the access key decrypted in step S311, and transmits the secondary authentication key to the secondary authentication system (S314).
  • The second authentication information may be authentication image data obtained by photographing the authentication image displayed on the screen of the end entity's computer device, in which case the security authentication module 112D interprets the authentication image data to extract the second authentication key.
  • In that case the authentication image is a two-dimensional barcode.
  • Alternatively, the secondary authentication information is a value entered directly through the input/output unit of the mobile communication terminal, and the security authentication module 112D extracts the secondary authentication key from the entered value.
  • FIG. 4 is an operation flowchart showing the operation of the secondary authentication system of the image-based authentication system according to a first embodiment of the present invention.
  • The secondary authentication system collects the terminal entity information (for example, the user ID for accessing the online service system and the system information of the mobile terminal), checks the collected terminal entity information, performs real-name authentication and self-authentication of the mobile communication terminal itself, transmits the result (authentication success/failure) to the mobile communication terminal, and registers the device token received from a mobile communication terminal whose verification succeeded.
  • the online service system performs primary authentication on the end entity computer device.
  • the computer device transmits the terminal entity information necessary for authentication to the online service system. If the first authentication is successful, the online service system sends the end entity information to the second authentication system and requests the second authentication.
  • the secondary authentication system checks whether the mobile communication terminal is registered in response to the received end entity information (S402).
  • the secondary authentication system If the mobile communication terminal is registered (S403), the secondary authentication system generates and stores the secondary authentication key, generates an authentication image corresponding to the generated secondary authentication key, and completes the primary authentication through the online service system. It displays on the terminal entity computer device (S404). At this time, the authentication image corresponding to the secondary authentication key may be a two-dimensional barcode image including the secondary authentication key information.
  • the secondary authentication key generates a timestamp based on the Universal Time Clock (UTC) and prevents the issuance, and generates the timestamp and the end entity information as seed values.
  • the secondary authentication system generates, stores and encrypts an access key (S405).
  • the secondary authentication system delivers to the push server a message that activates the security authentication module 112D of the mobile communication terminal, using the device token of the mobile communication terminal registered to the terminal entity that passed the primary authentication, and that issues the encrypted access key to the mobile communication terminal (S406).
  • the push server identifies, from the device token received from the secondary authentication system, the mobile communication terminal to which the message is to be delivered, delivers the push message to that mobile communication terminal to activate the security authentication module, and passes the encrypted access key to the security authentication module.
  • the mobile communication terminal decrypts the encrypted access key and prepares to receive the secondary authentication information from the user, receives the secondary authentication information from the user, extracts the secondary authentication key from it, and submits it together with the decrypted access key.
  • the secondary authentication system receives the access key and the secondary authentication key from the mobile communication terminal (S407).
  • the secondary authentication system compares the access key received in step S407 with the access key generated in step S405 and issued to the mobile communication terminal (S408). If the two access keys match in step S408, the secondary authentication system compares the secondary authentication key received in step S407 with the secondary authentication key stored in step S404 (S409). If the two secondary authentication keys match in step S409, the secondary authentication system approves the authentication (S410) and transmits the result to the online service system (S411).
  • if the two secondary authentication keys do not match in step S409, the secondary authentication system fails the authentication (S412) and transmits the result to the online service system (S411).
  • if the mobile communication terminal is not registered in step S403, it is processed as an unregistered mobile communication terminal (S413), and the result of the processing is notified to the online service system (S411).
  • the secondary authentication system 140 registers the mobile communication terminal 112 of the terminal entity 110 corresponding to the primary authentication information.
  • a secondary authentication key is generated and stored from an arbitrary image input from the mobile communication terminal 112 and issued to the mobile communication terminal 112.
  • the mobile communication terminal 112 receives an authentication key device password (PIN number) from the user and uses it to encrypt and store the secondary authentication key issued by the secondary authentication system 140.
  • the mobile communication terminal 112 receives the authentication key device password from the user, decrypts the stored encrypted secondary authentication key, and then provides it to the secondary authentication system 140.
  • the secondary authentication system 140 performs user authentication by comparing the secondary authentication key input from the mobile communication terminal 112 with the pre-stored secondary authentication key when a secondary authentication request is made.
  • FIG. 5 is a detailed block diagram of an image-based authentication system according to a second embodiment of the present invention.
  • the computer device, the online service system, and the push server of the end entity constituting the image-based authentication system according to the second embodiment are the same as the computer device, the online service system, and the push server of the end entity constituting the image-based authentication system according to the first embodiment.
  • in the first embodiment, the online service system receives the authentication image from the secondary authentication system and displays it on the computer device of the end entity; in this embodiment, that process is omitted.
  • the secondary authentication key issued by the secondary authentication system of the first embodiment is stored in the memory unit because it is essentially a one-time authentication key, whereas the secondary authentication key issued by the secondary authentication system of the second embodiment is a continuously usable authentication key and is therefore preferably stored as an item of the end entity information in the database.
  • the image-based authentication system according to the first embodiment and the image-based authentication system according to the second embodiment differ in the internal configuration of the security authentication module of the mobile communication terminal of the end entity and of the authentication processing unit of the secondary authentication system. The description below focuses on these differences.
  • the mobile communication terminal includes a typical input / output unit, a transceiver unit, a camera, a storage unit, and a security authentication module 510 for performing image-based authentication according to the present invention.
  • the storage unit may be a universal subscriber identity module card (USIM card) or internal memory that is typically mounted in the mobile communication terminal.
  • the security authentication module 510 includes a device registration unit 511 that receives a device token for communication with the secondary authentication system from the push server, registers the issued device token in the secondary authentication system, registers an arbitrary authentication image captured by the camera in the secondary authentication system, and receives the secondary authentication key corresponding to that authentication image from the secondary authentication system; and a unit that encrypts the secondary authentication key issued through the device registration unit 511 with the authentication key device password input by the user, stores the encrypted secondary authentication key in the storage unit, and, when executed by a push message transmitted from the push server, reads the encrypted secondary authentication key from the storage unit and decrypts it with the authentication key device password input by the user.
  • the security authentication module 510 may further include an access key processing unit 513 for accessing the secondary authentication system using an access key delivered with a push message from the push server, and the access key processing unit 513 may further include a function for decrypting the encrypted access key. That is, the secondary authentication system issues an encrypted access key to the mobile communication terminal, and the access key processing unit 513 decrypts the encrypted access key and then accesses the secondary authentication system using the decrypted access key.
  • the authentication processing unit 520 of the secondary authentication system includes an authentication image receiving unit 521 that receives an authentication image from a mobile communication terminal; an authentication key generation and issuing unit 522 that generates a secondary authentication key from the received authentication image, stores it, and issues it to the mobile communication terminal; and an authentication key verification unit 523 that compares and verifies the secondary authentication key input from the pre-registered mobile communication terminal of the terminal entity that has passed the primary authentication against the secondary authentication key issued to that mobile communication terminal.
  • the authentication processing unit 520 further includes an access key issuance / verification unit 524 that issues an encrypted access key to the pre-registered mobile communication terminal of the terminal entity that has completed the primary authentication, and verifies it by comparing the access key input from the mobile communication terminal with the issued access key.
  • the secondary authentication system generates and stores a secondary authentication key from the authentication image data photographed by the user with the camera of the mobile communication terminal during the process of registering the mobile communication terminal, and issues it to the mobile communication terminal.
  • the mobile communication terminal receives the authentication key device password from the user, encrypts the secondary authentication key with the input authentication key device password, and stores the encrypted secondary authentication key in the storage unit. Thereafter, whenever the user performs the secondary authentication to use the online service system, the mobile communication terminal receives the authentication key device password from the user again, decrypts the encrypted secondary authentication key, and provides it to the secondary authentication system.
  • because the secondary authentication key is generated and issued from the authentication image data photographed by the user, duplicate issuance of the secondary authentication key can be prevented.
  • the secondary authentication does not require issuing a one-time secondary authentication key to the online service system or the mobile communication terminal each time.
  • FIG. 6 is an operation flowchart illustrating the registration and secondary authentication key issuing process in the mobile communication terminal of an image-based authentication system according to a second embodiment of the present invention.
  • FIG. 7 is an operation flowchart illustrating the registration and secondary authentication key issuing process in the secondary authentication system of an image-based authentication method according to a second embodiment of the present invention.
  • referring to FIG. 6 and FIG. 7, the device registration and secondary authentication key issuance process through the mobile communication terminal and the secondary authentication system is described.
  • the security authentication module 510 is installed in the mobile communication terminal of the end entity (S601).
  • the security authentication module 510 transmits the terminal entity information (user ID for accessing the online service system, system information of the mobile communication terminal, etc.) for performing authentication to the secondary authentication system (S602).
  • when the secondary authentication system receives terminal entity information (user ID for accessing the online service system, system information of the mobile communication terminal, etc.) for performing authentication from the mobile communication terminal (S701), it performs real-name authentication and identity verification on the mobile communication terminal itself (S702) and transmits the result to the mobile communication terminal (S703).
  • the mobile communication terminal recognizes the device registration failure and ends (S604).
  • the security authentication module of the mobile communication terminal accesses the push server and requests a device token while transmitting the certificate of the security authentication module and the unique information of the mobile communication terminal to the push server (S605).
  • the security authentication module 510 of the mobile communication terminal transfers the issued device token to the secondary authentication system (S607). If the second authentication system receives the device token from the mobile communication terminal (S704), it registers the device token of the mobile communication terminal with the corresponding terminal entity information in the database (S705).
  • after registering the device token, the security authentication module 510 of the mobile communication terminal requests the user to photograph the authentication image (S608) and, when the authentication image data is input (S609), transmits the authentication image data to the secondary authentication system (S610).
  • when the secondary authentication system receives the authentication image from the mobile communication terminal whose device token is registered (S706), it generates and stores a secondary authentication key from the received authentication image (S707) and issues the corresponding secondary authentication key to the mobile communication terminal (S708).
  • when the secondary authentication key is issued by the secondary authentication system (S611), the mobile communication terminal requests the user to input the authentication key device password (S612).
  • the security authentication module 510 encrypts the secondary authentication key issued in step S611 with the authentication key device password input in step S612 and stores it in the storage unit (S614).
  • FIG. 8 is an operation flowchart illustrating the secondary authentication process in the mobile communication terminal of an image-based authentication system according to a second embodiment of the present invention.
  • FIG. 9 is an operation flowchart illustrating the secondary authentication process in the secondary authentication system of an image-based authentication system according to a second embodiment of the present invention.
  • when secondary authentication is requested while the terminal entity information is input from the online service system (S901), the secondary authentication system checks whether a mobile communication terminal is registered for the received terminal entity information.
  • if the mobile communication terminal is registered (S903), the secondary authentication system generates, stores and encrypts the access key (S904). In addition, the secondary authentication system delivers to the push server a message that activates the security authentication module of the mobile communication terminal, using the device token of the mobile communication terminal registered to the terminal entity that passed the primary authentication, and that issues the encrypted access key to the mobile communication terminal.
  • the push server identifies, from the device token received from the secondary authentication system, the mobile communication terminal to which the message is to be delivered, delivers the push message to that mobile communication terminal to activate the security authentication module, and passes the encrypted access key to the security authentication module.
  • the mobile communication terminal wakes up and activates the security authentication module (S802).
  • the security authentication module of the mobile communication terminal decrypts the encrypted access key (S804) and requests the user to input the authentication key device password (S805).
  • the security authentication module decrypts the encrypted secondary authentication key stored in the storage unit using the authentication key device password (S807).
  • the security authentication module accesses the secondary authentication system with the access key decrypted in step S804 and transmits the secondary authentication key decrypted in step S807 (S808).
  • the secondary authentication system receives the access key and the secondary authentication key from the mobile communication terminal (S906).
  • the secondary authentication system compares the access key received in step S906 with the access key issued in step S905 (S907). If the two access keys match in step S907, the secondary authentication system compares the secondary authentication key received in step S906 with the previously stored secondary authentication key (S908). If the two secondary authentication keys match in step S908, the secondary authentication system approves the authentication (S909) and transmits the result to the online service system (S910).
  • if the two access keys do not match in step S907, or the two secondary authentication keys do not match in step S908, the secondary authentication system fails the authentication (S911) and transmits the result to the online service system (S910).
  • if the mobile communication terminal is not registered in step S903, it is processed as an unregistered mobile communication terminal (S912), and the result of the processing is notified to the online service system (S910).
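The following Python simulation is an added example, not code from the patent or from its applicant; it models the second embodiment's registration (S705-S708, S612-S614) and secondary authentication (S802-S808, S901-S912) flows and, for contrast, the first embodiment's timestamp-seeded one-time key. Every concrete choice is an assumption made for illustration, since the patent specifies no algorithms: SHA-256 for deriving keys from the seed or the image, PBKDF2 plus an HMAC-authenticated stream cipher for the PIN-protected storage, a single-use access key, the `SecondaryAuthSystem` and `MobileTerminal` names, and all sample values. The push channel and the encryption of the access key in transit are not modelled.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Key derivation for the two embodiments (hash choice is an assumption) ---

def one_time_secondary_key(end_entity_info: str, utc_timestamp: int) -> bytes:
    """First embodiment: seed the one-time key with a UTC timestamp and the
    end entity information so the same key is never issued twice."""
    return hashlib.sha256(f"{utc_timestamp}|{end_entity_info}".encode()).digest()

def image_secondary_key(image_bytes: bytes) -> bytes:
    """Second embodiment: derive the reusable key from the authentication
    image photographed by the user during registration (S707)."""
    return hashlib.sha256(image_bytes).digest()

# --- PIN-based protection of the stored secondary key (S614 / S807) ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode; a production module would use AES-GCM instead.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def _derive(password: str, salt: bytes):
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]          # (encryption key, MAC key)

def encrypt_with_password(password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the authentication key device password (PIN).
    Output layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt_with_password(password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the PIN is wrong or storage was altered."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Server side: registration, access key issuance and verification ---

class SecondaryAuthSystem:
    def __init__(self):
        self.entities = {}      # end entity info -> {"token": ..., "key": ...}
        self.access_keys = {}   # end entity info -> outstanding access key (S904)

    def register_terminal(self, entity: str, device_token: str) -> None:
        self.entities[entity] = {"token": device_token, "key": None}      # S705

    def issue_key_from_image(self, entity: str, image: bytes) -> bytes:
        key = image_secondary_key(image)                                   # S707
        self.entities[entity]["key"] = key
        return key                                                         # S708

    def request_secondary_auth(self, entity: str):
        """S901-S905: returns (device_token, access_key) for the push server,
        or None when no terminal is registered for the entity (S912)."""
        if entity not in self.entities:
            return None
        access_key = os.urandom(32)
        self.access_keys[entity] = access_key
        return self.entities[entity]["token"], access_key

    def verify(self, entity: str, access_key: bytes, secondary_key: bytes) -> str:
        """S906-S911. The access key is single-use: it is consumed on first check,
        and both comparisons are constant-time."""
        issued = self.access_keys.pop(entity, None)
        if issued is None or not hmac.compare_digest(issued, access_key):
            return "failed"                                                # S907 -> S911
        if not hmac.compare_digest(self.entities[entity]["key"], secondary_key):
            return "failed"                                                # S908 -> S911
        return "approved"                                                  # S909

# --- Terminal side: the security authentication module ---

class MobileTerminal:
    def __init__(self, device_token: str):
        self.device_token = device_token
        self.encrypted_key = None   # contents of the storage unit

    def store_issued_key(self, secondary_key: bytes, pin: str) -> None:
        self.encrypted_key = encrypt_with_password(pin, secondary_key)     # S612-S614

    def respond_to_push(self, access_key: bytes, pin: str):
        """S802-S808: unlock the stored key with the PIN and return what would
        be sent to the secondary authentication system, or None on a bad PIN."""
        secondary_key = decrypt_with_password(pin, self.encrypted_key)     # S807
        return None if secondary_key is None else (access_key, secondary_key)  # S808

def run_demo() -> dict:
    """Exercise the happy path and the failure modes; returns the outcomes."""
    server, phone = SecondaryAuthSystem(), MobileTerminal("device-token-demo")
    entity = "user42|handset-info"                 # constructed end entity information
    image = b"constructed-photo-bytes\x00\x01"     # constructed stand-in for camera data (S609)
    server.register_terminal(entity, phone.device_token)
    phone.store_issued_key(server.issue_key_from_image(entity, image), pin="1357")
    r = {}
    _, ak = server.request_secondary_auth(entity)
    r["ok"] = server.verify(entity, *phone.respond_to_push(ak, "1357"))
    r["replayed_access_key"] = server.verify(entity, ak, image_secondary_key(image))
    _, ak = server.request_secondary_auth(entity)
    r["wrong_pin"] = phone.respond_to_push(ak, "0000")      # terminal cannot answer
    r["wrong_key"] = server.verify(entity, ak, b"\x00" * 32)
    r["unregistered"] = server.request_secondary_auth("stranger")
    r["one_time_keys_differ"] = one_time_secondary_key(entity, 1_300_000_000) != \
        one_time_secondary_key(entity, 1_300_000_001)
    return r

if __name__ == "__main__":
    print(run_demo())
```

Two choices in the simulation go slightly beyond the text and are worth noting for anyone implementing the scheme: the access key is discarded as soon as it has been checked once, so a captured access key cannot be presented a second time, and the stored secondary key is authenticated as well as encrypted, so a wrong PIN or a modified storage unit is detected before anything is sent to the server.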

Abstract

The present invention relates to an image-based authentication system and method. Authentication of a user is performed by the user's pre-registered mobile communication terminal transmitting to an authentication server an authentication key corresponding to an authentication image. In the image-based authentication system according to the present invention, an authentication system for a terminal entity comprises a computer device for performing a first authentication through communication with an online service system, and a mobile communication terminal for performing a second authentication, and further comprises: a mobile communication terminal registration unit which registers the terminal entity information required for the second authentication and a mobile communication terminal matched to the terminal entity information; an authentication key generation unit which generates a second authentication key issued to the terminal entity in which the first authentication is completed; an authentication image generation unit which generates an authentication image corresponding to the generated second authentication key and transmits the authentication image for display, via the online service system, on the computer device of the terminal entity in which the first authentication is completed; and an authentication verification unit which verifies the second authentication key coming from the mobile communication terminal activated after activation of the mobile communication terminal registered in the terminal entity in which the first authentication is completed.
PCT/KR2012/001249 2011-03-21 2012-02-20 Image-based authentication system and method WO2012128478A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020110024704A KR101257761B1 (ko) 2011-03-21 2011-03-21 Image-based authentication system and method
KR10-2011-0024704 2011-03-21

Publications (2)

Publication Number Publication Date
WO2012128478A2 true WO2012128478A2 (fr) 2012-09-27
WO2012128478A3 WO2012128478A3 (fr) 2012-12-27

Family

ID=46879841

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2012/001249 WO2012128478A2 (fr) 2011-03-21 2012-02-20 Image-based authentication system and method

Country Status (2)

Country Link
KR (1) KR101257761B1 (fr)
WO (1) WO2012128478A2 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021093162A1 (fr) * 2020-01-16 2021-05-20 Zte Corporation Method, device and system for generating and managing anchor keys in a communication network for encrypted communication with service applications
US11830290B2 (en) 2021-05-07 2023-11-28 Bendix Commercial Vehicle Systems, Llc Systems and methods for driver identification using driver facing camera of event detection and reporting system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090288159A1 (en) * 2008-05-19 2009-11-19 Dirk Husemann Method and Apparatus for Secure Authorization
KR100992573B1 (ko) * 2010-03-26 2010-11-05 주식회사 아이그로브 Authentication method and system using a mobile terminal
KR20110006734A (ko) * 2010-01-08 2011-01-20 김주한 Member registration system and authentication system using a mobile terminal

Also Published As

Publication number Publication date
KR20120107175A (ko) 2012-10-02
WO2012128478A3 (fr) 2012-12-27
KR101257761B1 (ko) 2013-04-24

Similar Documents

Publication Publication Date Title
WO2018124857A1 (fr) Method and terminal for authenticating a non-face-to-face user on the basis of a blockchain database by means of a mobile ID, and server using the method and terminal
WO2018030707A1 (fr) Authentication system and method, and user equipment, authentication server and service server for executing said method
WO2017111383A1 (fr) Biometric-data-based authentication device, control server connected thereto, and biometric-data-based login method
WO2011118871A1 (fr) Authentication method and system using a mobile terminal
US10282541B2 (en) Method and system for verifying an access request
WO2019074326A1 (fr) Method and apparatus for secure offline payment
WO2013176491A1 (fr) Method for authenticating a web service user
WO2013141632A1 (fr) Authentication method and corresponding system
WO2015069018A1 (fr) Secure login system, and method and apparatus therefor
WO2018124856A1 (fr) Method and terminal for authenticating a user by means of a mobile ID using a blockchain database, and server using the method and terminal
WO2017043717A1 (fr) Biometric user authentication method
WO2018021708A1 (fr) Public-key-based service authentication method and system
WO2012043963A1 (fr) Authentication method and server
KR20210095093A (ko) Method for providing an authentication service using a decentralized ID app, and decentralized ID authentication server using the same
CN112912875A (zh) Authentication system, authentication method, application providing device, authentication device, and authentication program
WO2012074275A2 (fr) User authentication apparatus for secure use of the internet, user authentication method for secure use of the internet, and recording medium recording the same
WO2015069028A1 (fr) Multi-channel authentication, financial transfer method and system using a mobile communication terminal
WO2020032351A1 (fr) Method for establishing an anonymous digital identity
KR101206854B1 (ko) Unique-identifier-based authentication system and method
WO2018151392A1 (fr) Smart login method using a messaging service and associated apparatus
CN107548542A (zh) User authentication method with enhanced integrity and security
KR20210095061A (ko) Method for providing an authentication service using a decentralized ID app, and decentralized ID authentication server using the same
WO2012128478A2 (fr) Image-based authentication system and method
KR20210006782A (ko) Method for setting a unique-time-based OTP through a client-specific active time offset window
WO2022060156A1 (fr) Method, apparatus and program for updating authenticator firmware

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12761358

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12761358

Country of ref document: EP

Kind code of ref document: A2