WO2012165716A1 - Authentication agent apparatus, and method and system for authenticating an online service - Google Patents


Info

Publication number
WO2012165716A1 (PCT/KR2011/006789)
Authority
WO (WIPO (PCT))
Prior art keywords
authentication
user
token
service
server
Application number
PCT/KR2011/006789
Other languages
English (en)
Inventors
Tae Yang Kim
Won Ki Kim
Sung Gook Jang
Jae Ro LEE
Young-Jae Park
Original Assignee
Neowiz Games Co., Ltd.
Application filed by Neowiz Games Co., Ltd.
Publication of WO2012165716A1 (patent/WO2012165716A1/fr)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Definitions

  • the present invention relates to authentication of an online service, and more particularly to an authentication agent for executing authentication of an online service, and a method and a system for authenticating an online service.
  • Such online services may be provided by predetermined service providers, but the types and the number of online services provided by the service providers are inevitably limited.
  • users recently prefer an online service portal which acts as a relay such that the users can receive various online services through a single web-site.
  • a representative example of an online service portal is a game portal, such as pmang web.
  • game users can enjoy various game services provided by a game portal by performing a log-in procedure and accessing the corresponding game portal. Then, in order to use a game service, it is necessary to authenticate whether a corresponding game user has an authority to rightfully use the game.
  • a password (authentication key) used for hashing in the authentication of a user of an online service is set in the program logic of both a portal server (e.g. a game portal server) and a service server (e.g. a game server) which actually provides the corresponding online service. Therefore, there is a possibility that the password is leaked to the outside.
  • portal server: e.g. a game portal server
  • service server: e.g. a game server
  • authentication token: an authentication hash value
  • an aspect of the present invention is to provide an authentication agent apparatus for executing user authentication of an online service, and a method and a system for authenticating an online service through the authentication agent apparatus.
  • an aspect of the present invention is to provide a method and a system for authenticating an online service, which can prevent leakage and hacking of an authentication key (password) to be used for generation of an authentication token, and an authentication agent apparatus for the method and system for authenticating the online service.
  • authentication key: a password
  • a method of authenticating an online service in an authentication agent apparatus communicated with a portal server and a service server, the method including:
  • a computer-readable recording medium in which a program for executing the method of authenticating the online service is recorded.
  • an authentication agent apparatus communicated with a portal server and a service server, the authentication agent apparatus including:
      • a receiver for receiving seed data from the portal server and an authentication token and verification data from the service server, the seed data containing user identification information on a user making a request for an online service through the portal server and being used for generating the authentication token, the verification data containing user identification information on a user making an attempt at user authentication of the online service;
      • a token generator for generating, whenever the seed data is received, the authentication token using a new authentication key and generating a verification token with reference to the verification data and an authentication key corresponding to the user identification information contained in the verification data;
      • an authentication result generator for generating an authentication identification result of the attempt at the user authentication depending on accordance between the authentication token received from the service server and the verification token; and
      • a transmitter for transmitting the authentication identification result to the service server and the authentication token generated according to the receipt of the seed data to the portal server.
  • a system for authenticating an online service including:
      • a portal server for acquiring, when an online service request is received from a client terminal, seed data, the seed data containing user identification information on a user making the online service request through the portal server and being used for generating an authentication token to be used for user authentication of the online service; and
      • an authentication agent apparatus for generating, whenever the seed data is received from the portal server, an authentication token using a new authentication key, for transmitting the generated authentication token to the portal server, for generating, when the authentication token and verification data are received from a service server for providing the online service, a verification token with reference to the verification data and an authentication key corresponding to the user identification information contained in the verification data, and for transmitting an authentication identification result of an attempt at the user authentication of the user of the online service to the service server depending on accordance between the authentication token received from the service server and the verification token.
  • the present invention has an effect of preventing leakage and hacking of an authentication key (password) to be used for generation of an authentication token.
  • the present invention can greatly reduce time, efforts, and costs required for changing an authentication key to be used for authentication of an online service and changing an authentication process.
  • according to the present invention, it is not necessary to separately establish an online service authentication process in a portal server and a service server, so that the present invention can prevent a discordance (mismatch) of the authentication process which may otherwise exist between a portal server and a service server.
  • the present invention fundamentally blocks an abnormal authentication attempt, so that it is possible to more efficiently use server resources of a portal server and a service server and network resources.
  • FIG. 1 is a diagram illustrating an online service authentication system according to an embodiment of the present invention;
  • FIG. 2 is a diagram illustrating a general process of authenticating an online service according to an embodiment of the present invention;
  • FIG. 3 is a flowchart illustrating an example of a process of an online service request and an authentication attempt by a client terminal;
  • FIG. 4 is a block diagram illustrating an authentication agent apparatus according to an embodiment of the present invention;
  • FIG. 5 is a flowchart illustrating an example of a process of generating an authentication token in an authentication agent apparatus according to receipt of seed data from a game portal server;
  • FIG. 6 is a flowchart illustrating an example of a process of identifying authentication of an authentication token received from a game server in an authentication agent apparatus;
  • FIG. 7 is a flowchart illustrating an example of a process of identifying authentication in an authentication agent apparatus through comparing an authentication reference time with a service reference time;
  • FIG. 8 is a diagram illustrating a case which is determined as an abnormal authentication attempt by an online service authentication method according to an embodiment of the present invention;
  • FIG. 9 is a diagram illustrating another example of a process of identifying authentication of an authentication token received from a game server in an authentication agent apparatus;
  • FIG. 10 is a diagram illustrating another example of a process of identifying authentication of an authentication token received from a game server in an authentication agent apparatus.
  • when a first component is described as being "connected to" or "accessing" a second component, a third component may be present between the first and second components unless described otherwise, although the first component may also be directly connected to or directly access the second component.
  • FIG. 1 is a diagram illustrating an online service authentication system according to an embodiment of the present invention.
  • a service server for providing an online service and a portal server for acting as a relay of the online service are a game server and a game portal server, respectively.
  • online services to which the present invention may be applied may be various and are not limited to a game service described in the present specification as a matter of course.
  • as illustrated in FIG. 1, the online service authentication system includes a client terminal 10, a game portal server 200, and a game server 300.
  • the client terminal 10 is a terminal used by a user who intends to use a game service.
  • the user can access a web interface for relaying a game service provided by the game portal server 200 through a web browser 12 installed in the client terminal 10.
  • the game portal server 200 serves to relay such an online game service to registered members.
  • the game portal server 200 generally has a membership DB 202 for authenticating and managing memberships of the users.
  • the game server 300 serves to actually provide users with an online game service. Therefore, the game server 300 may have a game DB 302 for providing the online game service.
  • the user authentication for the corresponding game service should be performed.
  • the user can use the corresponding game service through the game client 14 installed in the client terminal 10.
  • the online service authentication system for the user authentication may include the game portal server 200, the game server 300, and an authentication agent apparatus 100 connected to the game portal server 200 and the game server 300 through a communication network 50.
  • the authentication agent apparatus 100 serves to execute user authentication for the corresponding game service.
  • the authentication agent apparatus 100 may refer to an authentication key DB 102 and an access history DB 104.
  • FIG. 2 illustrates a general process of the online service authentication according to the embodiment of the present invention.
  • the game portal server 200 transmits seed data to the authentication agent apparatus 100.
  • the seed data is basic data necessary for generating an authentication token to be used for user authentication for the game service requested by the user.
  • Data usable as the seed data is not specially limited, and various predetermined data may be used as the seed data depending on an actual implementation scheme of the online service authentication system.
  • the seed data transmitted from the game portal server 200 to the authentication agent apparatus 100 may contain at least user identification information through which it is possible to identify a user making the request for a corresponding game service.
  • An example of the user identification information includes a user serial number used by the game portal server 200 for managing members of a game service of a company to which the game portal server 200 pertains.
  • when the authentication agent apparatus 100 receives the seed data from the game portal server 200, it acquires an authentication key, generates an authentication token using the acquired authentication key and the received seed data, and transmits the generated authentication token to the game portal server 200. At this time, a predetermined hash function may be used for the generation of the authentication token.
  • the game portal server 200 transmits the authentication token and the seed data received from the authentication agent apparatus 100 to the game client 14 installed in the client terminal 10.
  • the game client 14 transmits the authentication token and the seed data received from the game portal server 200 to the game server 300.
  • when the game server 300 receives the authentication token and the seed data from the game client 14, it transmits the authentication token and predetermined verification data to the authentication agent apparatus 100.
  • the seed data received from the game client 14 may be used as the verification data as it is.
  • the verification data may not completely accord with the seed data received from the game client 14 depending on an actual implementation scheme of an authentication system.
  • the game server 300 may transmit only a part of the seed data as the verification data to the authentication agent apparatus 100 depending on an actual implementation scheme of an authentication system, which will be clearly understood from the descriptions of FIGs. 9 and 10.
  • hereinafter, the case in which the seed data is used as the verification data as it is will be mainly described.
  • the authentication agent apparatus 100 verifies the authentication token received from the game server 300 based on the verification data.
  • a method of verifying the authentication token will be clearly understood through the explanation of FIGs. 6, 9, and 10.
  • result of the verification: i.e. an authentication identification result
  • the game server 300 processes the user authentication for the game service according to the authentication identification result received from the authentication agent apparatus 100.
  • the user authentication of the online service is executed in the authentication agent apparatus 100, and the game server 300 identifies only the result of the authentication transferred from the authentication agent apparatus 100. Therefore, contrary to a conventional user authentication scheme, the game portal server 200 and the game server 300 do not need to perform the process of directly generating and verifying the authentication token for the user authentication of the online service. Then, it is also not necessary to manage the authentication key to be used for the generation of the authentication token in the game portal server 200 and the game server 300, so that a burden on the game portal server 200 and the game server 300 for performing the authentication process can be greatly reduced.
  • the present invention can advantageously prevent leakage of an authentication key and a problem of an online service hacking caused by the leakage of the authentication key.
  • FIG. 3 is a flowchart illustrating an example of a process of an online service request and an authentication attempt by the client terminal. That is, FIG. 3 illustrates processes [1] to [5] of FIG. 2, and it is assumed that the online service is a game service.
  • in step S10, a user accesses the game portal server 200 using the web browser 12 and performs a log-in procedure using the user's ID/password through steps S12 and S14.
  • in step S16, the user makes a request for execution of a predetermined game service among the online services provided by the game portal server 200. That is, process [1] of FIG. 2 corresponds to step S16 of FIG. 3.
  • a launcher is driven in step S18, the launcher calls the game client 14 in step S20, and then the game client 14 is executed on the client terminal 10 in step S22.
  • the game portal server 200 acquires seed data used for the generation of an authentication token in step S24.
  • the acquired seed data is transmitted to the authentication agent apparatus 100 in step S26. That is, process [2] of FIG. 2 corresponds to step S26 of FIG. 3.
  • the authentication agent apparatus 100 generates the authentication token using the received seed data, which will be described later with reference to FIG. 5.
  • the game portal server 200 receives the authentication token from the authentication agent apparatus 100 in step S38. That is, process [3] of FIG. 2 corresponds to step S38 of FIG. 3.
  • in step S40, the game portal server 200 transmits the authentication token and the seed data received from the authentication agent apparatus 100 to the game client 14 of the client terminal 10. That is, process [4] of FIG. 2 corresponds to step S40 of FIG. 3.
  • when the user makes an attempt to access the game server 300 through the game client 14 (i.e. an attempt to authenticate for the corresponding online service) in step S42, the game client 14 transmits the authentication token and the seed data received from the game portal server 200 to the game server 300 in step S44. That is, process [5] of FIG. 2 corresponds to step S44 of FIG. 3.
  • the authentication agent apparatus 100 and an authentication process executed in the authentication agent apparatus 100 will be described with reference to FIGs. 5 to 7 together with the block diagram of FIG. 4.
  • FIG. 5 is a flowchart illustrating an example of a process of generating an authentication token in the authentication agent apparatus according to receipt of the seed data from the game portal server. That is, FIG. 5 illustrates an authentication process executed in the authentication agent apparatus 100 between process [2] and process [3] of FIG. 2.
  • in step S28, the authentication agent apparatus 100 receives seed data from the game portal server 200 through a receiver 110.
  • the authentication agent apparatus 100 acquires an authentication key from the authentication key DB 102 in step S30.
  • the authentication key may be acquired by an authentication key manager 120 of the authentication agent apparatus 100.
  • a pool of the authentication keys usable for the generation of the authentication token is registered in the authentication key DB 102. Therefore, when the authentication agent apparatus 100 receives the seed data through the receiver 110, the authentication key manager 120 may extract one authentication key from the authentication key pool registered in the authentication key DB 102 and utilize the extracted authentication key as an authentication key to be used for the generation of the authentication token. In this case, the authentication key may be randomly selected from the pool of the authentication keys.
  • the authentication key is acquired whenever the seed data is received from the game portal server 200. Therefore, in the embodiment of the present invention, a new authentication key is acquired whenever the seed data is received from the game portal server 200.
  • the scheme of acquiring the authentication key is described mainly based on the case where the authentication key is randomly selected (extracted) from the pool of the authentication keys registered in the authentication key DB 102, but it is a matter of course that other various schemes of acquiring the authentication key may be applied thereto.
  • the authentication key manager 120 may directly generate a new authentication key whenever the seed data is received using a preset random number generating algorithm.
  • the scheme of acquiring the authentication key will be described hereinafter on the assumption that a scheme of extracting the authentication key from the pool of the authentication keys is used.
  • in step S32, the authentication key manager 120 links information through which the extracted authentication key can be identified (hereinafter referred to as 'authentication key identification information') with the user identification information contained in the received seed data and stores (registers) the linked information in the access history DB 104.
  • authentication key identification information: information through which the extracted authentication key can be identified
  • when the authentication key manager 120 acquires a new authentication key for the same user, it replaces the authentication key identification information stored in linkage with that user identification information with the authentication key identification information corresponding to the new authentication key. That is, when the authentication key for the same user is changed, the authentication key identification information in the access history DB 104 is also renewed in accordance with the change of the authentication key. Thus, by looking up the authentication key identification information registered in the access history DB 104, it is possible to recognize the authentication key most recently used for each user (i.e. each game member). This will be described in detail later in the process of verifying the authentication token of FIGs. 6, 9, and 10.
  • Authentication key index information or authentication key address information may be used as the authentication key identification information. For example, if the pool including a total of 100 authentication keys is registered in the authentication key DB 102, an index number granted to each authentication key or address information indicating a storage location of the authentication key may be utilized as the authentication key identification information.
  • the authentication key identification information may be stored in the access history DB 104 through being linked with the user identification information (in the present example, the user serial number).
  • the authentication key identification information, not the authentication key itself, is linked with the user identification information and stored.
  • the acquired authentication key itself may of course be linked with the user identification information and stored instead.
  • service reference time information may also be linked with the user identification information and stored.
  • the service reference time information is information for defining a determination reference time concerning the game service request of the user through the game portal server 200.
  • any one of a time of making a game service request by the user through the game portal server 200, a time of acquiring the seed data in the game portal server 200, a time of receiving the seed data in the authentication agent apparatus 100, and a time of acquiring the authentication key in the authentication agent apparatus 100 according to the receipt of the seed data may be used as the service reference time information.
  • the game portal server 200 may use the time of making the game service request or the time of acquiring the seed data as (part of) the seed data. In this case, the game portal server 200 need not separately transmit the game service request time or the seed data acquisition time to the authentication agent apparatus 100 in addition to the seed data.
  • the aforementioned service reference time information may be utilized for a process of user authentication for the game service according to a specific embodiment (see FIG. 7 to be described later) of the present invention.
  • a token generator 130 of the authentication agent apparatus 100 generates an authentication token using the authentication key acquired in previous step S30 and the seed data received from the game portal server 200 in previous step S28 in accordance with a preset specific hash function.
  • in step S36, a transmitter 160 of the authentication agent apparatus 100 transmits the generated authentication token to the game portal server 200.
  • the authentication token to be used for the user authentication of the online service is newly generated by the authentication agent apparatus 100 using a new authentication key whenever the user makes a request for the corresponding online service and is transferred to the game portal server 200.
  • the authentication token transferred to the game portal server 200 is transferred to the game server 300 through the game client 14 installed in the client terminal 10 at the time when the user makes an attempt to authenticate, so that the present invention can fundamentally prevent the hacking risk by an ill-intentioned user in the authentication process.
  • FIG. 6 is a flowchart illustrating an example of a process of identifying the authentication of the authentication token received from the game server in the authentication agent apparatus. That is, FIG. 6 illustrates an authentication process (i.e. a process of verifying the authentication token) performed in the authentication agent apparatus 100 between process [6] and process [7] of FIG. 2.
  • authentication process: i.e. a process of verifying the authentication token
  • when the game server 300 receives an attempt to authenticate a specific authentication token from the game client 14 in step S46, it transmits the authentication token received from the game client 14 and verification data to the authentication agent apparatus 100.
  • the verification data may be identical to the seed data transmitted from the game portal server 200 to the game server 300 through the game client 14. That is, the game server 300 may use the seed data received from the game portal server 200 through the game client 14 as the verification data as it is. As will be described later with reference to FIG. 9, the verification data need not be identical to the seed data, depending on the implementation scheme of the authentication system. However, in FIG. 6, the description is made on the assumption that the verification data is identical to the seed data.
  • a verification information acquisition unit 140 of the authentication agent apparatus 100 acquires, from the access history DB 104, the authentication key identification information corresponding to the user making the attempt at user authentication for the corresponding game service in step S50.
  • the authentication key manager 120 of the authentication agent apparatus 100 registers the authentication key identification information of the authentication key, which is linked with the user identification information of the game service requestor and then is used for the generation of the authentication token to be used for the authentication of the corresponding game service requestor, in the access history DB 104.
  • the verification information acquisition unit 140 may identify the authentication key identification information linked with the user identification information corresponding to the corresponding user attempting the authentication to be stored from the access history DB 104.
  • the verification information acquisition unit 140 may extract (acquire) the authentication key corresponding to the user attempting the authentication from the authentication key DB 102 based on the identified authentication key identification information in step S52.
  • when the authentication key is extracted, the token generator 130 generates a verification token with reference to the extracted authentication key and the verification data in step S54.
  • the hash function used for the generation of the authentication token in previous step S34 of FIG. 3 is identically used in the generation of the verification token.
  • an authentication result generator 150 of the authentication agent apparatus 100 compares the verification token with the authentication token received in previous step S48 and generates an authentication identification result. That is, when the two tokens are the same, the authentication result generator 150 generates an authentication identification result (e.g. authentication success) indicating that the authentication attempt is normal. However, when the two tokens are not the same, the authentication result generator 150 generates an authentication identification result (e.g. authentication failure) indicating that the authentication attempt is abnormal.
  • the generated authentication identification result is transmitted to the game server 300 by the transmitter 160 in step S58, and the game server 300 processes the authentication based on the received authentication identification result in step S60. That is, when the received authentication identification result is an authentication success, the game server 300 allows the user attempting the authentication to use the game service. However, when the received authentication identification result is an authentication failure, the game server 300 prevents the user attempting the authentication from using the game service.
  • FIG. 8 illustrates a case where the client terminal 10 makes an attempt at the user authentication of an online service provided by the specific game server 300 without passing the game portal server 200.
  • the seed data at the most recent time is ‘seed data 1’ and an authentication token generated using ‘seed data 1’ and an authentication key randomly extracted at the most recent time is ‘authentication token 1’.
  • a hacker conventionally deciphers a predetermined authentication token used for the game service user authentication of user A, acquires the specific authentication key from the deciphered authentication token, and then generates ‘authentication token 2’ using the acquired authentication key.
  • because the authentication key is newly changed every time in the embodiment of the present invention, the hacker's attempt is processed as an authentication failure, as shown in FIG. 8.
  • FIG. 7 is a flowchart illustrating an example of a process of identifying the authentication in the authentication agent apparatus through comparing an authentication reference time with a service reference time. That is, FIG. 7 illustrates an example in which a specific time range reference is further added as an authentication reference, and the example may be applied to a case in which the service reference time information is linked with the user identification information to be registered in the access history DB through previous step S32 of FIG. 5.
  • the verification information acquisition unit 140 of the authentication agent apparatus 100 acquires (identifies) service reference time information corresponding to the user identification information of the corresponding user attempting the authentication from the access history DB 104 in step S70.
  • in step S72, the verification information acquisition unit 140 acquires authentication reference time information.
  • the authentication reference time information is information for defining a determination reference time related to the authentication of a user of a corresponding service.
  • any one of a time of making the authentication attempt, a time of receiving the authentication token or verification data from the game server 300, a time of acquiring the authentication key in the authentication agent apparatus 100 according to the receipt of the verification data, and a current time of comparing the service reference time information with the authentication reference time may be used as the authentication reference time information.
  • in step S74, the authentication result generator 150 of the authentication agent apparatus 100 identifies whether the time difference between the authentication reference time information and the acquired service reference time information exceeds a predetermined time range T0.
  • when the time difference exceeds the predetermined time range T0 as a result of the identification, the authentication result generator 150 generates an authentication identification result indicating that the authentication attempt is abnormal in step S76, and the transmitter 160 transmits the authentication identification result to the game server 300 in step S78. In this case, the game server 300 processes the authentication (i.e. blocks it) based on the authentication identification result indicating the abnormal authentication attempt in step S80.
  • a specific time range (e.g. 15 minutes) is additionally set as the authentication reference because, when the authentication attempt is normal, the game service authentication is in general attempted immediately after a request for a game service is made. That is, a case in which the time difference exceeds the time range cannot be regarded as definitely having an ill intention, such as a hacking attempt, but there is a high possibility that it does.
  • by adding the time reference, it is possible to further enhance the security of the user authentication.
  • when the time difference is within the time range, the authentication result generator 150 may proceed to the aforementioned step S50 of FIG. 6. That is, depending on the implementation scheme of the authentication system, the authentication process may be set such that the steps of and prior to step S50 of FIG. 6 are executed only when the time difference is within the time range.
  • FIGs. 9 and 10 share much of their technical content with FIGs. 4 to 7, so only the differences will be briefly described.
  • FIG. 9 is a diagram illustrating another example of a process of identifying the authentication for the authentication token received from the game server in the authentication agent apparatus.
  • steps S46, S58, and S60 of FIG. 9 are identical to those of FIG. 6, so that their detailed descriptions will be omitted.
  • Steps S83 and S89 of FIG. 9 are similar to steps S50 and S56 of FIG. 6, so that their detailed descriptions will also be omitted.
  • in step S54 of FIG. 6, the authentication agent apparatus 100 generates the verification token using the verification data received from the game server 300 as it is.
  • in FIG. 9, however, the authentication agent apparatus 100 generates the verification token by using the seed data previously received from the game portal server 200 (see steps S85 and S87). Steps S85 and S87 can be implemented simply: when the authentication agent apparatus 100 receives the seed data from the game portal server 200 (see step S81), it links the seed data with the user identification information and stores them.
  • the verification data transmitted from the game server 300 to the authentication agent apparatus 100 contains only the user identification information of the user attempting the authentication.
  • FIG. 10 is a diagram illustrating another example of a process of identifying the authentication for the authentication token received from the game server in the authentication agent apparatus.
  • steps S46, S58, and S60 of FIG. 10 are identical to those of FIG. 6, so that their detailed descriptions will be omitted.
  • in the examples of FIGs. 6 and 9, the authentication agent apparatus 100 generates the verification token by using the verification data or the seed data and extracting the authentication key identification information and/or the authentication key. However, in FIG. 10, the authentication agent apparatus 100 links the authentication token generated in previous step S34 of FIG. 5 with the user identification information and directly stores the authentication token in the access history DB in step S91, so that a process of generating the verification token is not additionally required.
  • accordingly, the authentication agent apparatus 100 may simply generate an authentication identification result by comparing the received authentication token with the stored one.
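The following is an added worked example, not code from the patent or from Neowiz Games, that models the agent-side flow described above: per-seed key rotation at issuance (FIG. 5), recomputation and comparison of the verification token (FIG. 6), the T0 time-window check (FIG. 7), the rejection of a token derived from a previous round's key (FIG. 8), and the two variants that use the stored seed (FIG. 9) or the stored token (FIG. 10). The page only says "hash function"; HMAC-SHA256 keyed with the authentication key, the in-memory dictionaries standing in for the authentication key DB and access history DB, and all names and sample values are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Time range T0 from the description (the text gives 15 minutes as an example).
T0_SECONDS = 15 * 60


def make_token(auth_key: bytes, seed: bytes) -> str:
    """Token = hash over (authentication key, seed data).

    The page only says 'hash function'; HMAC-SHA256 keyed with the authentication
    key is an assumption for this example. The same function must be used at
    issuance (S34) and at verification (S54)."""
    return hmac.new(auth_key, seed, hashlib.sha256).hexdigest()


@dataclass
class AuthenticationAgent:
    # Assumed in-memory layout of the two stores named in the description.
    auth_key_db: dict = field(default_factory=dict)        # key id -> authentication key
    access_history_db: dict = field(default_factory=dict)  # user id -> linked record

    def issue_token(self, user_id: str, seed: bytes, service_time: int) -> str:
        """S32/S34: a fresh random key every time seed data arrives from the portal."""
        auth_key = secrets.token_bytes(32)
        key_id = secrets.token_hex(8)
        self.auth_key_db[key_id] = auth_key
        token = make_token(auth_key, seed)
        # Link key id, seed, service reference time and (FIG. 10, S91) the token
        # itself with the user identification information.
        self.access_history_db[user_id] = {
            "key_id": key_id, "seed": seed,
            "service_time": service_time, "token": token,
        }
        return token

    def verify(self, user_id: str, token: str, auth_time: int,
               verification_seed: Optional[bytes] = None,
               stored_token: bool = False) -> str:
        """Return the authentication identification result: 'success' or 'failure'.

        verification_seed given -> FIG. 6: the seed arrives in the verification data.
        verification_seed None  -> FIG. 9: the seed stored from the portal is used.
        stored_token True       -> FIG. 10: compare against the token stored in S91.
        """
        record = self.access_history_db.get(user_id)
        if record is None:
            return "failure"
        # FIG. 7, S70-S76: abnormal when the authentication reference time is more
        # than T0 away from the service reference time.
        if abs(auth_time - record["service_time"]) > T0_SECONDS:
            return "failure"
        if stored_token:
            expected = record["token"]
        else:
            auth_key = self.auth_key_db[record["key_id"]]                   # S50/S52
            seed = record["seed"] if verification_seed is None else verification_seed
            expected = make_token(auth_key, seed)                             # S54
        # Constant-time comparison so the agent does not leak how many bytes matched.
        return "success" if hmac.compare_digest(expected, token) else "failure"


def run_scenarios() -> dict:
    """Constructed scenarios mirroring FIGs. 6 to 10 (all values are made up)."""
    agent = AuthenticationAgent()
    t = 1_700_000_000  # constructed epoch time of the service request
    seed1, seed2 = b"seed data 1", b"seed data 2"

    # Round 1: user A requests a service, the portal sends seed 1, token 1 is issued.
    token1 = agent.issue_token("userA", seed1, t)
    key1 = agent.auth_key_db[agent.access_history_db["userA"]["key_id"]]
    normal = agent.verify("userA", token1, t + 60, verification_seed=seed1)             # FIG. 6
    late = agent.verify("userA", token1, t + T0_SECONDS + 1, verification_seed=seed1)   # FIG. 7

    # Round 2: a new seed, hence a new key. FIG. 8: a 'token 2' built from the
    # round-1 key matches nothing the agent can recompute, so it is rejected.
    token2 = agent.issue_token("userA", seed2, t + 120)
    forged_from_old_key = make_token(key1, seed2)
    forged = agent.verify("userA", forged_from_old_key, t + 130, verification_seed=seed2)
    fig9 = agent.verify("userA", token2, t + 130)                     # stored seed
    fig10 = agent.verify("userA", token2, t + 130, stored_token=True)  # stored token
    return {"normal": normal, "late": late, "forged_old_key": forged,
            "fig9_stored_seed": fig9, "fig10_stored_token": fig10,
            "forged_differs": forged_from_old_key != token2}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The `issue_token` call overwriting the user's record is what makes the FIG. 8 outcome automatic: once the second seed arrives, the first key is no longer linked to the user, so any token derived from it can only ever fail the comparison.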

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention relates to a method of authenticating an online service through an authentication agent in communication with a portal server and a service server. The method comprises: generating, each time seed data is received from the portal server, an authentication token using a new authentication key; transmitting the generated authentication token to the portal server; generating a verification token with reference to verification data and to an authentication key corresponding to the user identification information contained in the verification data; and transmitting an authentication identification result for the authentication attempt to the service server according to whether the authentication token received from the service server matches the verification token.
PCT/KR2011/006789 2011-06-03 2011-09-15 Authentication agent apparatus, and method and system for authenticating an online service WO2012165716A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020110054198A KR101273285B1 (ko) 2011-06-03 2011-06-03 Authentication agent apparatus, online service authentication method and system
KR10-2011-0054198 2011-06-03

Publications (1)

Publication Number Publication Date
WO2012165716A1 true WO2012165716A1 (fr) 2012-12-06

Family

ID=47259538

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2011/006789 WO2012165716A1 (fr) 2011-06-03 2011-09-15 Authentication agent apparatus, and method and system for authenticating an online service

Country Status (3)

Country Link
KR (1) KR101273285B1 (fr)
TW (1) TW201251413A (fr)
WO (1) WO2012165716A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015023341A3 (fr) * 2013-05-23 2015-04-23 Intertrust Technologies Corporation Secure authorization systems and methods
EP3008874A4 (fr) * 2013-06-13 2017-01-11 Masergy Communications, Inc. Keyed communication token
CN109861954A (zh) * 2018-07-24 2019-06-07 西安新路网络科技有限公司 An authentication method and device

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101473656B1 (ko) * 2013-01-07 2014-12-24 주식회사 안랩 Mobile data security apparatus and method
TWI499269B (zh) * 2013-02-04 2015-09-01 Delta Networks Xiamen Ltd Method and system for authentication and authorization
TWI746920B (zh) * 2019-01-04 2021-11-21 臺灣網路認證股份有限公司 System and method for cross-domain authentication using certificates through a portal server

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040001814A (ko) * 2002-06-28 2004-01-07 주식회사 케이티 Timestamp service method using an agent
EP2051469A1 (fr) * 2007-10-15 2009-04-22 Axalto SA Authentication delegation
KR20100012360A (ko) * 2008-07-28 2010-02-08 주식회사 엔씨소프트 PC authentication and billing processing system using a communication network, and method thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7900247B2 (en) 2005-03-14 2011-03-01 Microsoft Corporation Trusted third party authentication for web services
KR20090054774A (ko) * 2007-11-27 2009-06-01 한국정보보호진흥원 Integrated security management method in a distributed network environment

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015023341A3 (fr) * 2013-05-23 2015-04-23 Intertrust Technologies Corporation Secure authorization systems and methods
CN105379177A (zh) * 2013-05-23 2016-03-02 英特托拉斯技术公司 Secure authorization systems and methods
EP3000200A4 (fr) * 2013-05-23 2016-06-08 Intertrust Tech Corp Secure authorization systems and methods
US10021091B2 (en) 2013-05-23 2018-07-10 Intertrust Technologies Corporation Secure authorization systems and methods
US11070544B2 (en) 2013-05-23 2021-07-20 Intertrust Technologies Corporation Resource access management and secure authorization systems and methods
EP3008874A4 (fr) * 2013-06-13 2017-01-11 Masergy Communications, Inc. Keyed communication token
CN109861954A (zh) * 2018-07-24 2019-06-07 西安新路网络科技有限公司 An authentication method and device
CN109861954B (zh) * 2018-07-24 2021-12-10 西安新路网络科技有限公司 Authentication method, mobile terminal, PC terminal and auxiliary authentication server

Also Published As

Publication number Publication date
KR20120134942A (ko) 2012-12-12
KR101273285B1 (ko) 2013-06-11
TW201251413A (en) 2012-12-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11866593

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11866593

Country of ref document: EP

Kind code of ref document: A1