WO2015137760A1 - Method and device for managing confidential data, and security authentication method and system - Google Patents


Info

Publication number
WO2015137760A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication terminal
security
server
secret data
decryption key
Prior art date
Application number
PCT/KR2015/002441
Other languages
English (en)
Korean (ko)
Inventor
양기호
황재엽
Original Assignee
주식회사 로웸
Priority date
Filing date
Publication date
Application filed by 주식회사 로웸
Priority to US15/125,866 (US10171428B2)
Priority to ES15761711T (ES2895110T3)
Priority to MX2016011988A (MX369234B)
Priority to JP2016575278A (JP2017518712A)
Priority to BR112016021120-0A (BR112016021120B1)
Priority to CN201580020032.0A (CN106255976B)
Priority to EP15761711.9A (EP3118771B1)
Priority claimed from KR1020150034723A (KR101579962B1)
Publication of WO2015137760A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Definitions

  • the present invention relates to secret data management technology and authentication technology, and more particularly, to a method for securely managing secret data and a security authentication method and system for performing security authentication using the secret data.
  • the present application claims priority to Korean Patent Application No. 10-2014-0030395, filed March 14, 2014, Korean Patent Application No. 10-2014-0040224, filed April 3, 2014, and Korean Patent Application No. 10-2015-0034723, filed March 13, 2015; the entire contents disclosed in the specifications and drawings of those applications are incorporated in this application.
  • to keep secret data secure, users enter an encryption key to encrypt the secret data and store it on a computer; to access the secret data again, they enter a decryption key to decrypt the encrypted secret data.
  • the conventional decryption method is inconvenient for the user, because the user is asked for the decryption key every time the encrypted data is accessed.
  • the present invention has been proposed to solve such a conventional problem, and an object thereof is to provide a secret data management method and apparatus for enhancing the security of secret data and improving user convenience.
  • a method for managing a user's secret data in conjunction with a security server that stores the decryption key comprises: storing the user's encrypted secret data; receiving, when the secret data needs to be used, a push notification message including the decryption key from the security server; and decrypting the encrypted secret data using the decryption key included in the push notification message.
  • in another method, the decryption key is stored locally, and the method comprises: receiving, when the secret data needs to be used, a push notification message including the encrypted secret data from the security server; and decrypting the encrypted secret data included in the push notification message using the stored decryption key.
  • an apparatus for achieving the above object comprises at least one processor, memory, and one or more programs stored in the memory and configured to be executed by the one or more processors, the program comprising: a storage module for storing encrypted secret data; a server interworking module for receiving, when the secret data needs to be used, a push notification message including a decryption key from a security server that stores the decryption key; and a decryption module for decrypting the encrypted secret data stored in the storage module using the decryption key included in the push notification message.
  • a method for performing security authentication of a user in an authentication system comprises: receiving, by the service server, a service request from the first communication terminal; receiving, by the security server, a notification request from the service server, and transmitting a notification message including a stored decryption key to a second communication terminal; decrypting, by the second communication terminal, a stored encrypted code table using the decryption key received from the security server; outputting, by the second communication terminal, a security keypad on the screen, receiving one or more input values through the security keypad, and checking the code corresponding to each received input value in the decrypted code table; generating, by the second communication terminal, authentication information combining the identified codes, and transmitting the authentication information to the service server; and authenticating, by the service server, the first communication terminal based on the authentication information received from the second communication terminal.
  • a security authentication system comprises: a service server that receives a service request from a first communication terminal; a security server that stores the decryption key of a code table and, on receiving a request from the service server, transmits a notification message including the stored decryption key to a second communication terminal; and a second communication terminal that stores an encrypted code table, decrypts the encrypted code table using the decryption key received from the security server, checks in the decrypted code table the code corresponding to each of one or more input values received through a security keypad, generates authentication information combining the identified codes, and transmits the generated authentication information to the service server, wherein the service server authenticates the first communication terminal based on the authentication information received from the second communication terminal.
  • another method for performing security authentication of a user in an authentication system comprises: receiving, by the service server, a service request from the first communication terminal; receiving, by the security server, a notification request from the service server, and transmitting a notification message including a stored decryption key to a second communication terminal; decrypting, by the second communication terminal, stored encrypted code table identification information using the decryption key; outputting, by the second communication terminal, a security keypad to the screen, receiving a plurality of input values from the user through the security keypad, and transmitting the plurality of input values and the decrypted code table identification information to an authentication information generating server; selecting, by the authentication information generating server, the code table having that code table identification information, and identifying the codes corresponding to the plurality of input values in the selected code table; generating, by the authentication information generating server, authentication information in which the identified codes are combined; and receiving, by the service server, the generated authentication information and authenticating the
  • when a user accesses secret data, the apparatus receives a push notification message from a server without requiring the decryption key from the user, and decrypts the encrypted secret data based on the decryption key included in the push notification message.
  • the present invention stores the decryption key and the encrypted secret data on a plurality of physically separated devices, and allows the encrypted secret data to be decrypted only through the interworking of the two devices, which improves the security of the user's secret data.
  • the security authentication system generates authentication information consisting of a complex character string corresponding to the input values of the security keypad and authenticates the user based on that information, which strengthens the security of the authentication information.
  • even if the user selects the same key buttons, the security authentication system generates different authentication information for each usage; this is not only convenient for the user but also protects the user's authentication information more securely against external hacking such as a peeping (shoulder-surfing) attack.
  • the security authentication system ensures that the secret data cannot be recovered using only the data stored on any single device or server, thereby reliably protecting user data from external hacking.
  • FIG. 1 is a diagram illustrating a configuration of a secret data management system according to an embodiment of the present invention.
  • FIG. 2 is a diagram illustrating a configuration of a secret data management apparatus according to an embodiment of the present invention.
  • FIG. 3 is a diagram illustrating a configuration of a secret data management program according to an embodiment of the present invention.
  • FIG. 4 is a flowchart illustrating a method of managing secret data in association with a security server in a secret data management apparatus according to an embodiment of the present invention.
  • FIG. 5 is a flowchart illustrating a method of managing secret data in association with a security server in a secret data management apparatus according to another embodiment of the present invention.
  • FIG. 6 is a diagram showing the configuration of a security authentication system according to another embodiment of the present invention.
  • FIG. 7 is a diagram illustrating a security keypad and a code table according to an embodiment of the present invention.
  • FIG. 8 is a flowchart illustrating a method of registering authentication information and a decryption key in a security authentication system according to another embodiment of the present invention.
  • FIG. 9 is a flowchart illustrating a method for authenticating a user in a security authentication system according to another embodiment of the present invention.
  • FIG. 10 is a diagram showing the configuration of a security authentication system according to another embodiment of the present invention.
  • FIG. 11 is a flowchart illustrating a method of registering authentication information and a decryption key in a security authentication system according to another embodiment of the present invention.
  • FIG. 12 is a flowchart illustrating a method of authenticating a user in a security authentication system according to another embodiment of the present invention.
  • FIG. 1 is a diagram illustrating a configuration of a secret data management system according to an embodiment of the present invention.
  • a secret data management system includes a security server 200 and a secret data management apparatus 100.
  • the security server 200 and the secret data management apparatus 100 communicate with each other via the network 300.
  • the network 300 includes a mobile communication network, a short range wireless communication network, and a wired internet network. Since the network 300 corresponds to well-known conventional techniques, detailed description thereof will be omitted.
  • the security server 200 stores the decryption key of the user in correspondence with the identification information of the secret data management apparatus 100.
  • the security server 200 extracts the decryption key corresponding to the identification information of the secret data management apparatus 100, includes it in a push-type notification message, and transmits the message to the secret data management apparatus 100.
  • when the security server 200 receives a request from the user to store a decryption key, it checks the identification information of the designated secret data management apparatus 100 and stores that identification information in association with the decryption key received from the user. When the user requests that the decryption key be discarded, the security server 200 performs user authentication and then discards the decryption key registered by that user.
  • the security server 200 may store encrypted secret data in correspondence with identification information of the secret data management apparatus 100.
  • in that case, the security server 200 extracts the encrypted secret data corresponding to the identification information of the secret data management apparatus 100, includes it in a push-type notification message, and transmits the message to the secret data management apparatus 100.
  • the identification information of the secret data management apparatus 100 may be security application identification information, subscriber identity module (SIM) identification information of the apparatus 100, a manufacturing serial number or telephone number of the apparatus 100, or the like.
  • the secret data includes passwords, certificates, files, photos, and the like.
  • the secret data management apparatus 100 controls access to the secret data in association with the security server 200.
  • the secret data management apparatus 100 stores the encrypted secret data and, when the user accesses the secret data, requests the decryption key from the security server 200 in order to decrypt the encrypted secret data normally.
  • when the secret data management apparatus 100 receives the decryption key from the security server 200, it decrypts the encrypted secret data using that decryption key.
  • in another embodiment, the secret data management apparatus 100 stores the decryption key; when the user attempts to access the secret data, it requests the encrypted secret data from the security server 200, receives it, and decrypts it with the stored decryption key.
  • FIG. 2 is a diagram illustrating a configuration of a secret data management apparatus according to an embodiment of the present invention.
  • the secret data management apparatus 100 may include a memory 110, a memory controller 121, one or more processors 122, a peripheral interface 123, an input/output (I/O) subsystem 130, a display device 141, an input device 142, and communication circuitry 150. These components communicate via one or more communication buses or signal lines.
  • the various components shown in FIG. 2 may be implemented in hardware, software or a combination of both hardware and software, including one or more signal processing and / or application specific integrated circuits.
  • the memory 110 may include fast random access memory, and may also include one or more magnetic disk storage devices, nonvolatile memory such as flash memory devices, or other nonvolatile semiconductor memory devices.
  • the memory 110 may further include storage located remote from the one or more processors 122, for example network attached storage accessed through the communication circuitry 150 over a communication network such as the Internet, an intranet, a local area network (LAN), a wide area network (WAN), or a storage area network (SAN), or any suitable combination thereof. Access to the memory 110 by other components of the secret data management apparatus 100, such as the processor 122 and the peripheral interface 123, may be controlled by the memory controller 121.
  • the peripheral interface 123 connects the input / output peripheral device with the processor 122 and the memory 110.
  • One or more processors 122 execute a set of instructions stored in various software programs and / or memory 110 to perform various functions and process data for the secret data management apparatus 100.
  • peripheral interface 123, processor 122, and memory controller 121 may be implemented on a single chip, such as chip 120. In some other embodiments, they may be implemented in separate chips.
  • the I/O subsystem 130 provides an interface between the input/output peripherals of the secret data management apparatus 100, such as the display device 141 and the other input device 142, and the peripheral interface 123.
  • the display device 141 may use liquid crystal display (LCD), light emitting polymer display (LPD), or light emitting diode (LED) technology, and may be a touch display of a capacitive, resistive, or infrared type.
  • the touch display provides an output interface and an input interface between the device and the user.
  • the touch display presents visual output to the user.
  • the visual output may include text, graphics, video, and combinations thereof. Some or all of the visual output may correspond to user interface objects.
  • the touch display forms a touch sensitive surface that accepts user input.
  • the input device 142 is an input means such as a keypad or a keyboard, and receives an input signal of a user.
  • the processor 122 performs the operations associated with the secret data management apparatus 100 and executes instructions, for example instructions retrieved from the memory 110; it can control the reception and manipulation of input and output data between the components of the secret data management apparatus 100.
  • the communication circuit 150 transmits and receives wireless electromagnetic waves through an antenna or transmits and receives data through a wired cable.
  • the communication circuit 150 converts an electrical signal into an electromagnetic wave and vice versa and can communicate with the communication network, another mobile gateway device, and the communication device through the electromagnetic wave.
  • the communication circuit 150 may include known circuitry for performing this function, including, but not limited to, an antenna system, an RF transceiver, one or more amplifiers, tuners, one or more oscillators, digital signal processors, CODEC chipsets, subscriber identity module (SIM) cards, memory, and the like.
  • the communication circuit 150 may communicate with other devices via a wired or wireless network such as the Internet, an intranet, the network called the World Wide Web (WWW), a mobile communication network, a wireless LAN, and/or a metropolitan area network (MAN).
  • the operating system 111 may be a built-in operating system such as Darwin, RTXC, LINUX, UNIX, OS X, WINDOWS, VxWorks, Tizen, IOS or Android, and may include various software components and/or drivers for controlling and managing general system tasks (for example, memory management, storage device control, and power management).
  • Graphics module 112 includes various well-known software components for presenting and displaying graphics on display device 141.
  • graphics includes all objects that can be displayed to the user, including, without limitation, text, web pages, key buttons, digital images, videos, animations, and the like.
  • the secret data management program 113 stores and manages the user's encrypted secret data.
  • when the user accesses the encrypted secret data, the secret data management program 113 receives from the security server 200 a push notification message including the decryption key needed to decrypt the secret data normally, and decrypts the encrypted secret data with that decryption key.
  • the secret data management program 113 may store the user's decryption key instead of the encrypted secret data. In this case, when the user accesses the secret data, the secret data management program 113 receives a push notification message containing the encrypted secret data from the security server 200 and decrypts the encrypted secret data with the stored decryption key.
  • the secret data management program 113 may be mounted in the memory 110 when a secret data management application is installed.
  • FIG. 3 is a diagram illustrating a configuration of a secret data management program according to an embodiment of the present invention.
  • the secret data management program 113 includes a storage module 31, a server interworking module 32, and a data decoding module 33.
  • the storage module 31 stores the user's encrypted secret data. Passwords, certificates, files, photos and the like may be encrypted as secret data and stored in the storage module 31. As another example, the storage module 31 may store the decryption key.
  • when the secret data is to be used, the server interworking module 32 transmits a decryption key request message including the identification information of the secret data management apparatus 100 to the security server 200 and receives from the security server 200 a push notification message containing the decryption key. In another embodiment, when the secret data needs to be used, the server interworking module 32 transmits a secret data request message including the identification information of the secret data management apparatus 100 to the security server 200 and receives from the security server 200 a push notification message including the user's encrypted secret data.
  • the data decryption module 33 decrypts the secret data stored in the storage module 31 using the decryption key included in the push notification message. In another embodiment, the data decryption module 33 may decrypt the encrypted secret data included in the push notification message using the decryption key stored in the storage module 31.
  • FIG. 4 is a flowchart illustrating a method of managing secret data in association with a security server in a secret data management apparatus according to an embodiment of the present invention.
  • the encrypted secret data is stored in the storage module 31, and the decryption key is stored in the security server 200.
  • when the server interworking module 32 detects that the user is accessing the secret data (S401), it determines that the secret data needs to be used and checks the identification information of the secret data management apparatus 100 (for example, the secret data management application ID, the SIM identification information, or the manufacturing serial number or telephone number of the apparatus) (S403).
  • the server interworking module 32 transmits the decryption key request message including the identification information of the secret data management apparatus 100 to the security server 200 using the communication circuit 150 (S405).
  • the security server 200 checks the identification information of the secret data management apparatus 100 included in the decryption key request message, and extracts a decryption key corresponding to the identification information (S407). That is, the security server 200 extracts a decryption key registered in advance by the user based on the identification information of the secret data management apparatus 100. Subsequently, the security server 200 transmits the push notification message including the extracted decryption key to the secret data management apparatus 100 (S409).
  • the server interworking module 32 receives the push notification message through the communication circuit 150 and delivers it to the data decryption module 33, which checks the decryption key included in the push notification message (S411).
  • the data decryption module 33 then extracts the encrypted secret data from the storage module 31.
  • the data decryption module 33 decrypts the extracted encrypted secret data using the decryption key identified in the push notification message (S413), and allows the user to use the secret data normally.
  • FIG. 5 is a flowchart illustrating a method of managing secret data in association with a security server in a secret data management apparatus according to another embodiment of the present invention.
  • the decryption key is stored in the storage module 31 and the encrypted secret data is stored in the security server 200.
  • the server interworking module 32 determines that the secret data needs to be used and checks the identification information of the secret data management apparatus 100 (S503).
  • the storage module 31 may store a dummy file associated with the secret data, and the server interworking module 32 may determine that the secret data needs to be used when the user accesses that dummy file.
  • the server interworking module 32 transmits the secret data request message including the identification information of the secret data management apparatus 100 to the security server 200 using the communication circuit 150 (S505).
  • the security server 200 checks the identification information of the secret data management apparatus 100 included in the secret data request message, and extracts encrypted secret data corresponding to the identification information (S507). That is, the security server 200 extracts encrypted secret data registered in advance by the user based on the identification information of the secret data management apparatus 100. Subsequently, the security server 200 transmits the push notification message including the extracted secret data to the secret data management apparatus 100 (S509).
  • the server interworking module 32 receives the push notification message through the communication circuit 150 and delivers it to the data decryption module 33, which checks the encrypted secret data included in the push notification message (S511).
  • the data decoding module 33 extracts the decryption key from the storage module 31.
  • the data decryption module 33 decrypts the encrypted secret data by using the extracted decryption key, thereby allowing the user to use the secret data normally (S513).
  • the secret data management apparatus 100 receives the push notification message from the server without requesting a decryption key from the user and decrypts the encrypted secret data based on the decryption key included in the push notification message, which increases the user's convenience.
  • the present invention improves the security of the user's secret data by storing the decryption key and the encrypted secret data on a plurality of physically separated devices and allowing the encrypted secret data to be decrypted only through the interworking of the two devices.
  • in another embodiment, the security server 200 may transmit the push notification message including the decryption key or the encrypted secret data to the secret data management apparatus 100 when the secret data is used, even without a specific request from the apparatus 100. For example, instead of receiving the decryption key request or the secret data request from the secret data management apparatus 100, the security server 200 may receive the request from another device and then send the push notification message to the apparatus 100. That is, whenever the secret data management apparatus 100 needs to use the secret data, the security server 200 may transmit a push notification message including the decryption key or the encrypted secret data to the apparatus 100.
  • FIG. 6 is a diagram showing the configuration of a security authentication system according to another embodiment of the present invention.
  • the security authentication system includes a first communication terminal 610, a second communication terminal 620, a service server 630, and a security server 640. Each server and terminal communicate with each other via the network 300.
  • the service server 630 is a server that provides web-based services such as online financial services, portal Internet services, and game services.
  • the service server 630 stores user information including authentication information (eg, a password) and user identification information (eg, a mobile telephone number, an email address, or a login ID).
  • the service server 630 receives and stores the authentication information generated through the security keypad mounted on the second communication terminal 620 from the user.
  • the service server 630 requests the security server 640 to transmit the push notification message.
  • the service server 630 transmits the identification information of the user and the usage information (eg, a site address) of the authentication information to the security server 640.
  • the service server 630 receives the user's authentication information from the second communication terminal 620 receiving the push notification message, and authenticates the user based on the authentication information.
  • the security server 640 maps and stores the usage information of each code table (see (b) and (c) of FIG. 7), its decryption key, and the user identification information, and provides the decryption key to the second communication terminal 620 based on this stored mapping. That is, the security server 640 stores the usage information of each code table stored in the second communication terminal 620 together with the decryption key used to decrypt that code table.
  • when the security server 640 receives a push notification request from the service server 630, it extracts the decryption key mapped to the usage information of the authentication information and the user identification information received from the service server 630, and transmits a push notification message including the extracted decryption key to the second communication terminal 620.
  • the security server 640 stores the destination of the push notification message (ie, the address of the second communication terminal) mapped to the user identification information, and sends the push notification message to the second communication terminal 620 using that destination.
  • the first communication terminal 610 requests a specific service from the service server 630 and receives the online service from the service server 630 according to the result of authenticating the authentication information transmitted from the second communication terminal 620 to the service server 630.
  • the first communication terminal 610 may be a desktop computer, a laptop, a tablet computer, a mobile communication terminal, a smart phone, and the like.
  • the second communication terminal 620 is a communication device that stores the user's secret data; in particular, it stores a plurality of encrypted code tables and includes a security keypad. Code tables are generated separately for each user, so each terminal stores different code tables. Each code recorded in a code table is one or more letters, numbers, or a combination thereof, generated at random for its key button and not associated with the user's personal information.
  • FIG. 7 is a diagram illustrating a security keypad and a code table according to an embodiment of the present invention.
  • FIG. 7A illustrates a security keypad, an input interface on which a plurality of key buttons are arranged. Although FIG. 7A arranges twelve key buttons on the security keypad, other sizes (e.g., 5×5, 5×4, 6×6) may be used in the present invention. Likewise, FIG. 7A places key buttons bearing numbers on the security keypad, but key buttons of various kinds, such as emoticons, icons, characters, and symbols, may be placed on the security keypad instead.
  • each code table is classified according to the use of the authentication information.
  • the first code table may be used for login authentication of the first site
  • the second code table may be used for electronic signature for financial transactions
  • the third code table may be used for login authentication of the second site.
  • each code table records a different code for the same key button placed on the security keypad.
  • the first code table ((b) of FIG. 7) records the code 's⁇b' for the '1' key button and the code 'fF*' for the '2' key button.
  • the second code table ((c) of FIG. 7) records the code '42A' for the '1' key button and the code 'AA9' for the '2' key button.
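The code table and the authentication-string construction described above, as an added worked example for this page (it is not code from the patent or from the applicant). The keypad layout beyond the buttons '1' to '4', the code alphabet and the three-character code length are assumptions modelled on the codes printed in FIG. 7:

```python
import secrets
import string

# Key buttons of the security keypad in FIG. 7(a). The page shows twelve buttons
# and names '1'..'4'; the labels of the other eight are an assumption here.
KEYPAD_BUTTONS = [str(d) for d in range(10)] + ["*", "#"]

# Alphabet for codes: letters, digits and symbols, matching the mixed codes printed
# on the page ('fF*', 't#A', 'y.p', '42A', 'AA9'); the length 3 is taken from them too.
CODE_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-./:=?@^_~"
CODE_LEN = 3


def generate_code_table(buttons=KEYPAD_BUTTONS, code_len=CODE_LEN):
    """Return a fresh code table: one random code per key button.

    Codes come from a CSPRNG and depend on nothing about the user, so they carry
    no personal information. Within one table every code is unique; otherwise two
    different key sequences could yield the same authentication string.
    """
    table = {}
    used = set()
    for button in buttons:
        while True:
            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(code_len))
            if code not in used:
                break
        used.add(code)
        table[button] = code
    return table


def derive_authentication_info(table, key_presses):
    """S813 / S919: look up each pressed button and concatenate the codes in press
    order. A button that is not on the keypad is rejected, not silently skipped."""
    codes = []
    for button in key_presses:
        if button not in table:
            raise ValueError(f"key button {button!r} is not on the security keypad")
        codes.append(table[button])
    return "".join(codes)


def buttons_with_same_code(table_a, table_b):
    """Buttons whose code coincides in two tables. The page requires each table to
    record a different code for the same button; for two independently generated
    tables this list is (almost always) empty."""
    return sorted(b for b in table_a if b in table_b and table_a[b] == table_b[b])


# Partial reproduction of FIG. 7(b) as printed on the page; the middle character of
# the '1' code is illegible in the source and is reproduced as printed.
FIG7B_TABLE = {"1": "s⁇b", "2": "fF*", "3": "t#A", "4": "y.p"}
```

With `FIG7B_TABLE`, `derive_authentication_info(FIG7B_TABLE, "1234")` reproduces the registration string of S813; the same function serves for S919 once the table has been decrypted, so registration and login differ only in where the table comes from.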
  • the second communication terminal 620 generates the user's authentication information through the security keypad and registers it with the service server 630 in advance. In doing so, the second communication terminal 620 identifies the use place at which the authentication information registered with the service server 630 will be used, and generates and stores a code table dedicated to that use place.
  • the second communication terminal 620 may generate and store a code table using a preloaded code table generation algorithm.
  • the second communication terminal 620 generates an encryption key and a decryption key for the generated code table, encrypts the code table using the encryption key, and stores the decryption key in the security server 640.
  • the second communication terminal 620 stores the usage information of the generated code table, the decryption key, and the user identification information in the security server 640, and then discards its own copy of the decryption key.
  • when the second communication terminal 620 receives a push notification message from the security server 640, it checks the decryption key and the usage information included in the message and extracts the encrypted code table corresponding to that usage information.
  • the second communication terminal 620 decrypts the extracted code table using the decryption key included in the push notification message, looks up in the decrypted code table the code corresponding to each value the user enters on the security keypad, and transmits the authentication information formed by combining those codes to the service server 630.
  • the second communication terminal 620 is equipped with a security authentication application, and interlocks with the security server 640 and the service server 630 through the security authentication application.
  • the second communication terminal 620 may be a desktop computer, a notebook computer, a tablet computer, a mobile communication terminal, or the like, and is preferably a portable smartphone.
  • FIG. 8 is a flowchart illustrating a method of registering authentication information and a decryption key in a security authentication system according to another embodiment of the present invention.
  • the second communication terminal 620 requests service registration, such as membership registration, from the service server 630 (S801).
  • the service server 630 requests authentication information from the second communication terminal 620 in order to proceed with the service registration (S803).
  • the second communication terminal 620 confirms the use place of the authentication information (e.g., the site address) (S805), and generates, using its built-in code table generation algorithm, a code table to be used only at that use place (S807). That is, the second communication terminal 620 generates a code table in which a code corresponding to each key button of the security keypad is recorded. Alternatively, if among the code tables already generated there is one to which no use place has yet been assigned, the second communication terminal 620 may select that code table as the code table dedicated to this use place.
  • the second communication terminal 620 outputs a security keypad (S809), and receives input values for a plurality of key buttons from the user through the security keypad (S811).
  • the second communication terminal 620 looks up in the generated code table the code corresponding to each key button the user entered. It then arranges the codes of the key buttons in the order in which the user entered them, and uses the resulting string as the authentication information to be registered with the service server 630 (S813). For example, assume that the security keypad is (a) of FIG. 7, the generated code table is (b) of FIG. 7, and the user enters '1', '2', '3', and '4' in sequence on the security keypad.
  • in that case, the codes 's⁇b', 'fF*', 't#A', and 'y.p' corresponding to '1', '2', '3', and '4' are found in the code table, and the string 's⁇bfF*t#Ay.p', in which those codes are arranged in input order, is generated as the authentication information.
  • the second communication terminal 620 transmits the generated authentication information of the user to the service server 630 (S815).
  • the service server 630 stores the received authentication information.
  • the second communication terminal 620 transmits user identification information to the service server 630, in which case the service server 630 stores user information including user identification information and authentication information.
  • the second communication terminal 620 generates a decryption key and an encryption key dedicated to the generated code table, encrypts the code table using the encryption key, and stores the encrypted code table (S817 and S819). Subsequently, the second communication terminal 620 transmits a decryption key registration request message including the user identification information, the generated decryption key, and the usage information of the authentication information to the security server 640 (S821). Preferably, the second communication terminal 620 then discards the generated encryption key and decryption key, so that the decryption key is held only by the security server 640.
  • the security server 640 maps and stores the user identification information, the decryption key, and the usage information included in the decryption key registration request message (S823).
  • alternatively, the second communication terminal 620 may request generation of a code table from the security server 640 and receive and store a code table generated by the security server 640. In this case, once the generated code table has been stored in the second communication terminal 620, the security server 640 discards its copy of the code table. The second communication terminal 620 may likewise request the security server 640 to generate the encryption key and the decryption key. In this case, the security server 640 generates a decryption key and an encryption key dedicated to the code table, transmits the encryption key to the second communication terminal 620 so that the code table is encrypted with that encryption key, and stores the generated decryption key.
  • FIG. 9 is a flowchart illustrating a method for authenticating a user in a security authentication system according to another embodiment of the present invention.
  • the first communication terminal 610 requests a service that requires authentication information from the service server 630 (S901).
  • the service server 630 checks the user's identification information (e.g., mobile phone number, login ID, e-mail address) and the usage information (e.g., the site address of the service server) in which the authentication information is used, and transmits a push notification request message including the identification information and the usage information to the security server 640 (S903).
  • the service server 630 may request and receive the user identification information from the first communication terminal 610, and may verify it against the registered user information.
  • the security server 640 checks the usage information and the user identification information included in the push notification request message, and extracts a decryption key mapped with the usage information and the user identification information (S905 and S907). Subsequently, the security server 640 transmits a push notification message including the usage information and the extracted decryption key to the second communication terminal 620 (S909).
  • the security server 640 stores a destination for push notification messages (i.e., the address of the second communication terminal) mapped to the user identification information, and sends the push notification message to the second communication terminal 620 using that destination.
  • the second communication terminal 620 activates a security authentication application and, through it, outputs a notification window indicating that authentication information has been requested by a specific site (i.e., the service server). Subsequently, the second communication terminal 620 selects, from among the plurality of stored code tables, the encrypted code table corresponding to the usage information included in the push notification message (S911), and decrypts the selected code table using the decryption key included in the push notification message (S913).
  • the second communication terminal 620 outputs a security keypad on the screen (S915), and receives input values for a plurality of key buttons from the user through the security keypad (S917).
  • the second communication terminal 620 looks up in the decrypted code table the code corresponding to each key button the user entered. It then arranges the codes of the key buttons in the order in which the user entered them and sets the resulting string as the authentication information, thereby generating the user's authentication information (S919). Subsequently, the second communication terminal 620 transmits the generated authentication information of the user to the service server 630 (S921).
  • the service server 630 authenticates the user by checking whether the authentication information received from the second communication terminal 620 matches the user's authentication information registered in advance, and if the authentication succeeds, provides the service to the first communication terminal 610 (S923).
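The registration procedure of FIG. 8 and the authentication procedure of FIG. 9 as one runnable exchange between the second communication terminal, the service server and the security server, written for this page as an added example (it is not the applicant's code). The keypad layout, the site address and the user identifier are constructed; the cipher is the main assumption: the page's separate encryption and decryption keys become one symmetric key, and an HMAC-based encrypt-then-MAC construction stands in for an AEAD such as AES-GCM because the Python standard library has no AES:

```python
import hashlib
import hmac
import json
import secrets
import string

# Cipher for code tables at rest. The page only says "encrypt the code table using
# the encryption key"; any AEAD (e.g. AES-GCM) fits. Using only the standard library,
# this example takes an HMAC-SHA256 counter-mode keystream plus an HMAC tag
# (encrypt-then-MAC) under one 256-bit key. Assumption of the example, not the page.
def keygen():
    return secrets.token_bytes(32)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # verify the tag before using the body
        raise ValueError("encrypted code table rejected: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

# Keypad layout and code alphabet are assumptions (the page names only buttons '1'..'4').
BUTTONS = [str(d) for d in range(10)] + ["*", "#"]
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-./:=?@^_~"

def generate_code_table():
    """S807: one random three-character code per key button."""
    return {b: "".join(secrets.choice(ALPHABET) for _ in range(3)) for b in BUTTONS}

def derive_authentication_info(table, key_presses):
    """S813 / S919: codes of the pressed buttons, concatenated in press order."""
    return "".join(table[b] for b in key_presses)

class SecurityServer:
    """Security server 640: escrows decryption keys by (user id, usage information)
    and knows each user's push destination. It never holds a code table."""
    def __init__(self):
        self.keys = {}          # (user_id, use_place) -> decryption key
        self.push_targets = {}  # user_id -> second terminal (stands in for a push token)
    def register_decryption_key(self, user_id, use_place, dec_key, terminal):  # S821-S823
        self.keys[(user_id, use_place)] = dec_key
        self.push_targets[user_id] = terminal
    def push_notification_request(self, user_id, use_place):                  # S905-S909
        dec_key = self.keys[(user_id, use_place)]
        self.push_targets[user_id].on_push_notification(use_place, dec_key)

class ServiceServer:
    """Service server 630: keeps the registered authentication information per user."""
    def __init__(self, site_address, security):
        self.site_address, self.security = site_address, security  # address = usage information
        self.users = {}                                            # user_id -> authentication information
    def register(self, user_id, auth_info):                                    # S815
        self.users[user_id] = auth_info
    def service_request(self, user_id):                                        # S901-S903
        self.security.push_notification_request(user_id, self.site_address)
    def authenticate(self, user_id, auth_info):                                # S921-S923
        return hmac.compare_digest(self.users.get(user_id, ""), auth_info)

class SecondTerminal:
    """Second communication terminal 620: stores encrypted code tables only."""
    def __init__(self, user_id, security):
        self.user_id, self.security = user_id, security
        self.encrypted_tables, self.services, self.pending_keys = {}, {}, {}  # keyed by use_place
    def register_with(self, service, key_presses):                             # FIG. 8
        table = generate_code_table()                                          # S807
        service.register(self.user_id, derive_authentication_info(table, key_presses))  # S813-S815
        key = keygen()                                                         # S817
        self.encrypted_tables[service.site_address] = encrypt(key, json.dumps(table).encode())  # S819
        self.security.register_decryption_key(self.user_id, service.site_address, key, self)   # S821
        self.services[service.site_address] = service
        del key, table   # the terminal keeps neither the key nor the plaintext table
    def on_push_notification(self, use_place, dec_key):                        # S909
        self.pending_keys[use_place] = dec_key
    def respond(self, use_place, key_presses):                                 # S911-S921
        dec_key = self.pending_keys.pop(use_place)
        table = json.loads(decrypt(dec_key, self.encrypted_tables[use_place]))  # S911-S913
        auth_info = derive_authentication_info(table, key_presses)             # S915-S919
        return self.services[use_place].authenticate(self.user_id, auth_info)  # S921-S923

def run_flow(registration_presses="1234", login_presses="1234"):
    """Registration (FIG. 8) followed by one authentication (FIG. 9); returns the verdict."""
    security = SecurityServer()
    bank = ServiceServer("https://bank.example", security)   # constructed site address
    phone = SecondTerminal("user-01", security)              # constructed user id
    phone.register_with(bank, registration_presses)
    bank.service_request(phone.user_id)   # triggered by the first terminal 610's request (S901)
    return phone.respond(bank.site_address, login_presses)
```

After `register_with` returns, the terminal holds ciphertext but no key and the security server holds the key but no ciphertext, which is the split the description relies on: a dump of either party alone does not yield a code table, and a wrong or tampered key fails the tag check rather than producing garbage codes. The service server, however, still stores the registered authentication string itself (the page says nothing about hashing it), so that store needs the protection a password database would.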
  • FIG. 10 is a diagram showing the configuration of a security authentication system according to another embodiment of the present invention.
  • the security authentication system includes a first communication terminal 610, a second communication terminal 720, a service server 630, a security server 740, and an authentication information generation server 750.
  • the security server 740 maps and stores the usage information, the decryption key, and the user identification information of the authentication information, and performs a function of providing the decryption key to the second communication terminal 720 based on the stored mapping data.
  • that is, the security server 740 stores the decryption key with which the second communication terminal 720 decrypts its encrypted code table identification information.
  • the second communication terminal 720 interoperates with the authentication information generation server 750 to generate the user's authentication information, and registers it with the service server 630 in advance. At that time, the second communication terminal 720 checks the usage information of the authentication information and requests the authentication information generation server 750 to generate a code table to be used exclusively for that usage information. In addition, the second communication terminal 720 transmits the plurality of input values received from the user through the security keypad to the authentication information generation server 750, and registers the authentication information it receives back from the authentication information generation server 750 with the service server 630.
  • the second communication terminal 720 receives the identification information of the generated code table from the authentication information generation server 750, encrypts and stores that identification information, and stores the decryption key for the encrypted code table identification information in the security server 740.
  • the second communication terminal 720 stores the usage information of the authentication information, the decryption key, and the user identification information together in the security server 740.
  • when the second communication terminal 720 receives a push notification message from the security server 740, it checks the decryption key and the usage information included in the message and extracts the encrypted code table identification information corresponding to that usage information. After decrypting the encrypted code table identification information with the decryption key included in the push notification message, the second communication terminal 720 transmits the input values the user entered on the security keypad together with the code table identification information to the authentication information generation server 750 and requests generation of the authentication information. The second communication terminal 720 then provides the authentication information received from the authentication information generation server 750 to the service server 630, thereby carrying out authentication on behalf of the first communication terminal 610.
  • the authentication information generation server 750 stores a code table having respective identification information, and generates authentication information of the user based on the code table and an input value of the security keypad received from the second communication terminal 720.
  • when the authentication information generation server 750 receives a code table generation request from the second communication terminal 720, it generates a code table in which a code corresponding to each key button of the security keypad is recorded, and generates identification information for that code table.
  • when the authentication information generation server 750 receives code table identification information and input values from the second communication terminal 720, it generates the user's authentication information based on the code table having that identification information and the input values.
  • FIG. 11 is a flowchart illustrating a method of registering authentication information and a decryption key in a security authentication system according to another embodiment of the present invention.
  • the second communication terminal 720 requests service registration from the service server 630 (S1101).
  • the service server 630 requests authentication information from the second communication terminal 720 (S1103).
  • the second communication terminal 720 confirms the use place of the authentication information (e.g., the site address) (S1105), and requests the authentication information generation server 750 to generate the code table to be used for the service server 630 (S1107).
  • the authentication information generation server 750 generates, using its built-in code table generation algorithm, a code table to be used only at that use place (S1109). Subsequently, the authentication information generation server 750 allocates identification information to the code table and transmits the code table identification information to the second communication terminal 720 (S1111).
  • the second communication terminal 720 outputs a security keypad to the screen (S1113).
  • the second communication terminal 720 receives input values for a plurality of key buttons from the user through the security keypad.
  • the second communication terminal 720 generates an authentication information generation request message including the plurality of input values entered by the user (i.e., the input information on the security keypad) and the code table identification information, and transmits it to the authentication information generation server 750 (S1117).
  • the authentication information generation server 750 checks the code table identification information included in the authentication information generation request message and selects the code table having that identification information from the plurality of stored code tables (S1119). It then looks up in the selected code table the code corresponding to each key button the user entered, arranges the codes in the order in which the user entered the key buttons, and sets the resulting string as the authentication information, thereby generating the user's authentication information (S1121). Subsequently, the authentication information generation server 750 transmits the generated authentication information to the second communication terminal 720 (S1123).
  • the second communication terminal 720 transmits the received authentication information to the service server 630 (S1125).
  • the service server 630 stores the received authentication information.
  • the second communication terminal 720 transmits user identification information to the service server 630, in which case the service server 630 stores user information including user identification information and authentication information.
  • the second communication terminal 720 generates a decryption key and an encryption key dedicated to the code table identification information received from the authentication information generation server 750, and encrypts and stores the code table identification information using the encryption key (S1127, S1129). Subsequently, the second communication terminal 720 transmits a decryption key registration request message including the user identification information, the generated decryption key, and the usage information of the authentication information to the security server 740 (S1131). Preferably, the second communication terminal 720 then discards the generated encryption key and decryption key, so that the decryption key is held only by the security server 740.
  • the security server 740 maps and stores the user identification information, the decryption key, and the usage information included in the decryption key registration request message (S1133).
  • alternatively, the second communication terminal 720 may request the security server 740 to generate the encryption key and the decryption key.
  • in this case, the security server 740 generates a decryption key and an encryption key dedicated to the code table identification information, transmits the encryption key to the second communication terminal 720 so that the code table identification information is encrypted with that encryption key, and stores the generated decryption key.
  • FIG. 12 is a flowchart illustrating a method of authenticating a user in a security authentication system according to another embodiment of the present invention.
  • the first communication terminal 610 requests a service that requires authentication information from the service server 630 (S1201). Subsequently, the service server 630 checks the user's identification information and the usage information in which the authentication information is used, and transmits a push notification request message including the identification information and the usage information to the security server 740 (S1203).
  • the security server 740 checks the usage information and the user identification information included in the push notification request message, and extracts a decryption key mapped with the usage information and the user identification information (S1205). Subsequently, the security server 740 transmits a push notification message including the usage information and the extracted decryption key to the second communication terminal 720 (S1207).
  • the second communication terminal 720 activates a security authentication application and, through it, outputs a notification window indicating that authentication information has been requested by a specific site. Subsequently, the second communication terminal 720 identifies the encrypted code table identification information corresponding to the usage information included in the push notification message (S1209), and decrypts it using the decryption key included in the push notification message (S1211).
  • the second communication terminal 720 outputs the security keypad to the screen (S1213), and receives input values for a plurality of key buttons from the user through the security keypad (S1215).
  • the second communication terminal 720 generates an authentication information generation request message including the plurality of input values entered by the user (i.e., the input information on the security keypad) and the decrypted code table identification information, and transmits it to the authentication information generation server 750 (S1217).
  • the authentication information generation server 750 checks the code table identification information included in the authentication information generation request message and selects the code table having that identification information from the plurality of stored code tables (S1219). It then looks up in the selected code table the code corresponding to each key button the user entered, arranges the codes in the order in which the user entered the key buttons, and sets the resulting string as the authentication information, thereby generating the user's authentication information (S1221). Subsequently, the authentication information generation server 750 transmits the generated authentication information to the second communication terminal 720 (S1223).
  • the second communication terminal 720 transmits the received authentication information to the service server 630 to request authentication of the first communication terminal 610 (S1225).
  • alternatively, the authentication information generation server 750 may transmit the generated authentication information directly to the service server 630.
  • in that case, the authentication information generation server 750 receives the address of the service server 630 (i.e., the site address) from the second communication terminal 720 and transmits the authentication information to the service server 630 at that address.
  • the service server 630 authenticates the user by checking whether the received authentication information matches the user's authentication information registered in advance, and provides the service to the first communication terminal 610 when the authentication succeeds (S1227).
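The second embodiment (FIG. 11 and FIG. 12), in which the plaintext code table lives on the authentication information generation server and the terminal keeps only an encrypted code table identifier, as an added example written for this page (not the applicant's code). The keypad layout, the 16-byte identifier, the site address and the user id are constructed; because the identifier is short and fixed-length, a random pad of the same length is used here as the encryption/decryption key (a one-time pad), which is this example's stand-in for the page's unspecified key pair. The security server 740 is reduced to the `escrow` dictionary that holds that pad; its push delivery is the same as in the first embodiment and is not repeated:

```python
import secrets
import string

# Keypad layout and code alphabet are assumptions (the page names only buttons '1'..'4').
BUTTONS = [str(d) for d in range(10)] + ["*", "#"]
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-./:=?@^_~"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class AuthInfoGenerationServer:
    """Authentication information generation server 750: the only party holding
    plaintext code tables, addressed by code table identification information.
    It is told neither the user nor the site a table belongs to."""
    def __init__(self):
        self.tables = {}   # identification information (16 random bytes) -> code table
    def generate_code_table(self):                                          # S1107-S1111
        table_id = secrets.token_bytes(16)
        self.tables[table_id] = {b: "".join(secrets.choice(ALPHABET) for _ in range(3)) for b in BUTTONS}
        return table_id
    def generate_authentication_info(self, table_id, key_presses):          # S1119-S1123
        table = self.tables.get(table_id)
        if table is None:
            raise KeyError("unknown code table identification information")
        return "".join(table[b] for b in key_presses)
    def generate_and_deliver(self, table_id, key_presses, service, user_id):
        """Variant at the end of FIG. 12: send the result straight to the service
        server at the site address the terminal supplied."""
        return service.authenticate(user_id, self.generate_authentication_info(table_id, key_presses))

class ServiceServer:
    """Service server 630, reduced to registration and the final match (S1125, S1227)."""
    def __init__(self):
        self.users = {}
    def register(self, user_id, auth_info):
        self.users[user_id] = auth_info
    def authenticate(self, user_id, auth_info):
        return secrets.compare_digest(self.users.get(user_id, ""), auth_info)

class SecondTerminal:
    """Second communication terminal 720: never sees a code table, only its
    identification information, and stores even that encrypted."""
    def __init__(self, user_id):
        self.user_id, self.encrypted_ids, self.pending = user_id, {}, {}   # both keyed by use_place
    def register(self, use_place, service, gen_server, escrow, key_presses):   # FIG. 11
        table_id = gen_server.generate_code_table()                            # S1107-S1111
        service.register(self.user_id, gen_server.generate_authentication_info(table_id, key_presses))  # S1113-S1125
        # S1127-S1129: the id is 16 fixed-length bytes, so a fresh random pad of the same
        # length serves as encryption and decryption key (one-time pad; assumption here).
        pad = secrets.token_bytes(len(table_id))
        self.encrypted_ids[use_place] = xor(table_id, pad)
        escrow[(self.user_id, use_place)] = pad                                 # S1131-S1133 (security server 740)
        del pad, table_id                                                       # the terminal discards both
    def on_push_notification(self, use_place, dec_key):                        # S1207
        self.pending[use_place] = dec_key
    def respond(self, use_place, gen_server, service, key_presses, direct=False):
        table_id = xor(self.encrypted_ids[use_place], self.pending.pop(use_place))  # S1209-S1211
        if direct:
            return gen_server.generate_and_deliver(table_id, key_presses, service, self.user_id)
        auth_info = gen_server.generate_authentication_info(table_id, key_presses)   # S1213-S1223
        return service.authenticate(self.user_id, auth_info)                          # S1225-S1227

def run_flow(registration_presses="1234", login_presses="1234", direct=False):
    """Registration (FIG. 11) then one authentication (FIG. 12). The security
    server 740's key store is modelled by the `escrow` dict; names are constructed."""
    gen_server, service, escrow = AuthInfoGenerationServer(), ServiceServer(), {}
    phone, use_place = SecondTerminal("user-01"), "https://bank.example"
    phone.register(use_place, service, gen_server, escrow, registration_presses)
    # S1201-S1207: the service server's push request makes the security server push the key.
    phone.on_push_notification(use_place, escrow[(phone.user_id, use_place)])
    return phone.respond(use_place, gen_server, service, login_presses, direct)
```

Here a dump of the terminal yields an identifier masked by a pad it no longer has, and the generation server's store is a set of tables with no user or site attached, which is the split the description claims. The trade-off a practitioner should note is that in this embodiment the generation server receives the user's raw key presses together with the table it selects, so it can compute the authentication string itself and must be trusted at least as much as the service server.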
  • the security authentication system generates authentication information consisting of a complex character string corresponding to the input values on the security keypad and authenticates with that string, thereby strengthening the security of the authentication information.
  • the security authentication system not only provides convenience to the user by generating the authentication information for each user, but also securely protects the user's authentication information from external hacking such as snooping attacks.
  • the security authentication system ensures that the secret data cannot be recovered from the data stored in any one device or server alone, thereby reliably protecting the user's data from external hacking.
  • the method of the present invention as described above may be implemented as a program and stored in a computer-readable recording medium (CD-ROM, RAM, ROM, floppy disk, hard disk, magneto-optical disk, etc.). Since this process can be easily implemented by those skilled in the art, it will not be described in more detail.

Landscapes

  • Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method for securely managing confidential data, and to a security authentication method and system for performing security authentication using that confidential data. According to the present invention, the method by which a confidential data management device manages a user's confidential data in cooperation with a security server that stores a decryption key comprises the steps of: storing the user's encrypted confidential data; receiving a push notification message containing a decryption key from the security server when use of the confidential data is required; and decrypting the encrypted confidential data using the decryption key contained in the push notification message.
PCT/KR2015/002441 2014-03-14 2015-03-13 Confidential data management method and device, and security authentication method and system WO2015137760A1 (fr)

Priority Applications (7)

Application Number Priority Date Filing Date Title
US15/125,866 US10171428B2 (en) 2014-03-14 2015-03-13 Confidential data management method and device, and security authentication method and system
ES15761711T ES2895110T3 (es) 2014-03-14 2015-03-13 Confidential data management method and device, and security authentication method and system
MX2016011988A MX369234B (es) 2014-03-14 2015-03-13 Confidential data management method and device, and security authentication method and system
JP2016575278A JP2017518712A (ja) 2014-03-14 2015-03-13 Secret data management method and device, and security authentication method and system
BR112016021120-0A BR112016021120B1 (pt) 2014-03-14 2015-03-13 Confidential data management method and device; secure authentication method and system
CN201580020032.0A CN106255976B (zh) 2014-03-14 2015-03-13 Confidential data management method and device, and security authentication method and system
EP15761711.9A EP3118771B1 (fr) 2014-03-14 2015-03-13 Confidential data management method and device, and security authentication method and system

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
KR10-2014-0030395 2014-03-14
KR20140030395 2014-03-14
KR10-2014-0040224 2014-04-03
KR20140040224 2014-04-03
KR1020150034723A KR101579962B1 (ko) 2014-03-14 2015-03-13 Secret data management method and device, and security authentication method and system
KR10-2015-0034723 2015-03-13

Publications (1)

Publication Number Publication Date
WO2015137760A1 true WO2015137760A1 (fr) 2015-09-17

Family

ID=54072117

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2015/002441 WO2015137760A1 (fr) 2014-03-14 2015-03-13 Confidential data management method and device, and security authentication method and system

Country Status (1)

Country Link
WO (1) WO2015137760A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH08106412A (ja) * 1994-03-17 1996-04-23 Toshiba Corp File editing system and shared file editing system
KR20030012556A (ko) * 2001-08-01 2003-02-12 Marktek Co., Ltd. Mail transmission and reception system using watermarking and encryption technology, and method therefor
KR20070029864A (ko) * 2005-09-09 2007-03-15 Samsung Electronics Co., Ltd. Method and apparatus for securely transmitting and receiving data one-to-one
KR100826522B1 (ko) * 2006-11-15 2008-04-30 Samsung Electronics Co., Ltd. Dynamic encryption apparatus and method in a mobile communication system
KR101172876B1 (ko) * 2011-10-19 2012-08-10 Infosec Co., Ltd. Method and system for mutual authentication between a user terminal and a server


Similar Documents

Publication Publication Date Title
JP6400866B2 (ja) Secret data management method and device, and security authentication method and system
WO2013162296A1 (fr) Code operating system, code apparatus and super code generation method
WO2014104507A1 (fr) Secure login system and method, and apparatus therefor
WO2015093734A1 (fr) Authentication system and method using a QR code
WO2016129929A1 (fr) Security authentication system for online website member login, and method therefor
WO2019093573A1 (fr) Electronic signature authentication system based on biometric information, and electronic signature authentication method therefor
WO2014104539A1 (fr) Password management method and apparatus
WO2013157864A1 (fr) User authentication method using an icon combined with an input pattern, and password input device
WO2022102930A1 (fr) DID system using browser-based security PIN authentication, and control method therefor
WO2013191325A1 (fr) Method for authenticating an open identifier by a trusted platform, and apparatus and system therefor
KR102124838B1 (ko) Access control method using a smart key and access control system therefor
WO2017105072A1 (fr) Biometric-information-based authentication device and operating method therefor
WO2014200163A1 (fr) Information encryption system and information encryption method using optical character recognition
WO2020091525A1 (fr) Payment method using biometric authentication and electronic device therefor
WO2020235733A1 (fr) Device and method for authenticating a user and obtaining a user signature by means of the user's biometrics
KR102112975B1 (ko) Access control method using a smart key based on a hybrid security environment and access control system therefor
WO2016064040A1 (fr) User terminal using signature information to detect whether an application program has been altered, and fraud detection method using the user terminal
WO2013009120A2 (fr) Mobile communication terminal and apparatus and method for authenticating applications
CN113051542A (zh) Two-dimensional code processing method and device
WO2015137760A1 (fr) Method and device for managing confidential data, and security authentication method and system
WO2022080547A1 (fr) Method for providing a service for the security of web-browser-based content
WO2019231140A1 (fr) System for performing a service using biometric information and control method therefor
WO2014014295A1 (fr) Digital system enabling card payment by means of tagging, payment-side system and implementation method therefor
WO2014010875A1 (fr) Method for executing an application in conjunction with a paired device and performing a payment, and digital system therefor
WO2017082483A1 (fr) User authentication method using a virtual keyboard

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15761711; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2016575278; Country of ref document: JP; Kind code of ref document: A)
WWE Wipo information: entry into national phase (Ref document number: 15125866; Country of ref document: US)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: MX/A/2016/011988; Country of ref document: MX)
REEP Request for entry into the european phase (Ref document number: 2015761711; Country of ref document: EP)
WWE Wipo information: entry into national phase (Ref document number: 2015761711; Country of ref document: EP)
WWE Wipo information: entry into national phase (Ref document number: IDP00201606932; Country of ref document: ID)
REG Reference to national code (Ref country code: BR; Ref legal event code: B01A; Ref document number: 112016021120; Country of ref document: BR)
ENP Entry into the national phase (Ref document number: 112016021120; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20160913)