WO2018124430A1 - Online information security system utilizing cell broadcasting service - Google Patents

Online information security system utilizing cell broadcasting service Download PDF

Info

Publication number
WO2018124430A1
WO2018124430A1 PCT/KR2017/010689 KR2017010689W WO2018124430A1 WO 2018124430 A1 WO2018124430 A1 WO 2018124430A1 KR 2017010689 W KR2017010689 W KR 2017010689W WO 2018124430 A1 WO2018124430 A1 WO 2018124430A1
Authority
WO
WIPO (PCT)
Prior art keywords
location
password
authentication
generating
management system
Prior art date
Application number
PCT/KR2017/010689
Other languages
French (fr)
Inventor
Young Kyung Park
Original Assignee
L Fin Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by L Fin Co., Ltd. filed Critical L Fin Co., Ltd.
Publication of WO2018124430A1 publication Critical patent/WO2018124430A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/63Location-dependent; Proximity-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/72Subscriber identity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/73Access point logical identity

Definitions

  • the present invention relates to an online service method and system having a user authentication method, and more particularly, to an online service method and system which generates a location password by utilizing unique codes received at a certain period from a mobile communication base station where a user is located, and uses the generated location password for authentication of various wired/wireless and offline services in addition to existing authentication methods such as ID/password, certificate, and OTP.
  • existing online and mobile services generally provide user authentication and access by using ID (including e-mail) and password, and in the case of financial service where information security and identity verification are important, additionally use enhanced authentication media such as One Time Password (OTP), security card, and ARS authentication.
  • OTP One Time Password
  • ARS authentication ARS authentication
  • various methods such as mobile phone authentication (SMS authentication), international IP blocking, and re-login procedure when access IP changes are continuously developed and applied to provide a secure access environment and protect personal information.
  • the present invention significantly improves a security system by complementarily combining location-based coding information which is difficult to receive and hack when a hacker is not located in the area where a user is located.
  • the present invention provides an online information security service method and system which generates location information of a user continuously changing in time and space dimensions and a code interworked therewith, by combining the location information that is difficult for a hacker to substantially understood with a cell broadcasting technology of a mobile communication network even when personal information such as an ID and a password is leaked.
  • the present invention employs a method of setting a zone to the unit of base station or an administrative district/region and broadcasting a code to a mobile communication subscriber connected to the corresponding zone in a one-way manner (see the service concept of FIG. 1), by utilizing a cell broadcasting technology established as a standard in a mobile communication network such as Long Term Evolution (LTE). Accordingly, only a user in the corresponding zone may receive the code that a specific base station transmits, and the user in other zones (area, base station) may not receive the code and receive only a code of the zone to which the user belongs.
  • LTE Long Term Evolution
  • the user when a user is requested to input a location password, the user downloads and installs a location password application in a smartphone of his/her name, and the corresponding application provides the location password matched with base station information that is periodically received.
  • the corresponding information and the mobile phone number of a user are transmitted to a mobile communication carrier, and based thereon, the procedure is performed to compare with a password extracted from the system.
  • a pass code is transmitted to the service provider by the mobile communication carrier, and when mismatched, a fail code is transmitted to the service provider.
  • the service provider performs approval, blocking or re-authentication procedure according to the received code.
  • the code matched with the code of the base station may be primarily compared, and when dismatched, all passwords of the adjacent base stations may be compared. For example, when a user is located at the base station A of FIG. 3, the comparison with the password of the base station A is performed, and then the comparison with the passwords of the adjacent six base stations B, C, D, E, F, and G is performed (see the password comparison flowchart of FIG. 3).
  • the location password concept proposed by the present invention is a solution that can be universally used for various services and security levels, and can be mounted as applications of portable smart phone carried at all times, thereby securing high convenience and security.
  • FIG. 1 is a conceptual view illustrating an online information security service method and system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart illustrating an online information security service method and system according to an embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating a password matching process according to an online information security service method according to an embodiment of the present invention.
  • FIG. 4 is a flowchart illustrating a service scenario of the online information security service method according to an embodiment of the present invention.
  • FIG. 5 is a view illustrating a configuration of an application menu for implementing an online information security service method according to an embodiment of the present invention.
  • FIG. 6 is a view illustrating a configuration of an online information security service system according to an embodiment of the present invention.
  • FIG. 7 is a conceptual view illustrating a user authentication and premium authentication of an online information security service according to an embodiment of the present invention.
  • FIG. 8 is a conceptual view illustrating a simple authentication of an online information security service according to an embodiment of the present invention.
  • FIG. 9 is a view illustrating a password matching logic according to an online information security service method according to an embodiment of the present invention.
  • FIG. 10 is a view illustrating a code retransmission by a user request of the online information security service according to an embodiment of the present invention.
  • FIG. 11 is a view illustrating a method of interworking between an application and a server of an online information security service system according to an embodiment of the present invention.
  • FIG. 12 is a view illustrating a first CBS transmission method of an online information security service according to an embodiment of the present invention.
  • FIG. 13 is a view illustrating a second CBS transmission method of an online information security service according to an embodiment of the present invention.
  • FIG. 14 is a view illustrating a method for generating code of an online information security service according to an embodiment of the present invention.
  • FIG. 15 is a view illustrating a configuration of an integrated authentication gateway (200) in the online information security service system according to an embodiment of the present invention.
  • FIG. 16 is a view illustrating a configuration of a location authentication management system (500) in an online information security service system according to an embodiment of the present invention.
  • FIG. 17 is a view illustrating a configuration of an application server (600) in an online information security service system according to an embodiment of the present invention.
  • FIG. 18 is a view illustrating a configuration of a mobile phone terminal 700 in an online information security service system according to an embodiment of the present invention.
  • the authentication procedure may be set to input a location password at a login timepoint when the security of personal information or provided information is very important, or to input a password only when designated as important events such as remittance, payment, and personal information correction.
  • a user When accessing the bank's homepage on a PC, a user logs in through ID, password or certificate, and then transfers money to another person, or enters the certificate's password, OTP/security card number, etc when applying for an important service such as a loan.
  • an input window requesting for the location password is additionally displayed regardless of the transaction amount of money, and a user executes a location password application on a smartphone of his/her name to confirm and input the password.
  • the bank site transmits the inputted location password and the mobile phone number of the corresponding customer to a location integrated authentication server of the authentication provider, and the server determines who the mobile communication carrier of the corresponding number is in the same manner as provided in the current number mobile communication service to transmit information to the corresponding mobile communication carrier.
  • the mobile communication carrier checks the customer location and the base station ID of the received mobile phone number, and extracts and compares the password connected with a code generated at the corresponding base station.
  • the authentication when the authentication finally fails, that is, when dismatched, a failure code is transmitted to the integrated authentication server, and the bank blocks the corresponding process, and requests the re-authentication procedure from a user.
  • a failure code when a failure occurs in the second authentication procedure, the customer is allowed to undergo a two-step authentication such as SMS and ARS authentication.
  • the authentication provider enhances the security system such as access path analysis and hacking possibility monitoring and shares relevant information with affiliated companies, by utilizing a Fraud Detection system (FDS) separately from the bank.
  • FDS Fraud Detection system
  • the corresponding authentication may be added only for important processes such as change of customer information or need of privacy protection, and may be utilized to check for hacking such as illegal access by randomly requesting authentication by unit of month or quarter.
  • the user authentication procedure through the mobile phone authentication is performed only once in consideration of security. After the authentication is completed, a password to be used for access is set to 6 digits, and thereafter, a user can use services only with the password.
  • a location code It may be checked through an upper icon whether or not a location code is received from a base station, and a location password that is matched with the received code is displayed.
  • a user may request a base station of an area where the user is located to retransmit the code using an update function (button) on the app.
  • the retransmission request is delivered to a location authentication management system through an application server. After inquiring the user's location in a subscriber location management system, the code of the location is transmitted through a cell broadcast system (see the code retransmission view by user's request in FIG. 10).
  • a system for providing services includes the following four elements, and interworking is important.
  • LTE interworks with Mobility Management Entity (MME) and CDMA interworks with user location registration management system such as Home Location Register (HLR)
  • MME Mobility Management Entity
  • HLR Home Location Register
  • an online information security system utilizing cell broadcasting service includes an authentication system 100 transmitting a location password and a mobile phone number inputted by a user to desire to be authenticated to an integrated authentication gateway 200, requesting the integrated authentication gateway 200 to authenticate the location password, and receiving an authentication result of the location password from the integrated authentication gateway 200, an integrated authentication gateway 200 checking a mobile communication carrier that a user uses with the mobile phone number and then transmitting the mobile phone number and the location password to a location authentication management system 500, requesting the location authentication management system 500 to authenticate the location password, and receiving an authentication result of the location password from the location authentication management system 500 to transmit the authentication result to the authentication system 100, a subscriber location management system 300 for checking the location of a user's mobile communication terminal 700 based on a mobile communication base station, a cell broadcast system 400 transmitting a location code received from the authentication management system 500 to the user's mobile communication terminal 700 in a cell broadcast manner through the mobile communication base station, a location authentication management system 500 authenticating the location
  • the location authentication management system 500 generates a new location password based on the location of the mobile communication terminal 700 of a user, and determines whether or not the received location password is matched.
  • the integrated authentication gateway 200 includes an integrated authentication gateway communication unit 210 checking the mobile communication carrier that a user uses with the mobile phone number to transmit the location password, the mobile phone number and the location password authentication request inputted by a user who desires to receive an authentication transmitted from the authentication system 100 to the location authentication management system 500 of the mobile communication carrier through a carrier confirmation unit 220, and receiving the authentication result of the location password from the location authentication management system 500 to transmit the authentication result to the authentication system 100, and a carrier confirmation unit 220 for confirming a mobile communication carrier corresponding to the mobile phone number of a user who desires to receive the authentication that the integrated authentication gateway communication unit 210 receives.
  • the location authentication management system 500 includes a location authentication management system communication unit 510 receiving the location password, the mobile phone number and the location password authentication request inputted by a user who desires to receive the authentication transmitted from the integrated authentication gateway 200, transmitting the authentication result of the location password to the integrated authentication gateway 200 through a verification unit 550, and transmitting at least one of the algorithm and the table for generating the location password to the application server 600 by a password generating unit 540, a location confirming unit 520 for confirming the location of the mobile phone terminal 700 corresponding to the mobile phone number received by the location authentication management system communication unit 510 through the subscriber location management system 300, a code generating unit 530 for generating the location code based on the location of the mobile phone terminal 700 confirmed through the location confirming unit 520, a password generating unit 540 for generating the location password using at least one of the password algorithm and the table from the location code generated by the code generating unit 530, and a verification unit 550 determining whether or not the location password
  • the verification unit 550 authenticates the location password, if the received location password and the generated location password match each other, the authentication is successful, and if not, the authentication fails.
  • the application server 600 includes a server communication unit 610 receiving at least one of the algorithm and the table for generating the location password from the location authentication management system 500 and encoding at least one of the algorithm and the table for generating the location password through an encoding unit 620, and an encoding unit 620 for encoding at least one of the algorithm and the table for generating the location code received by the server communication unit 610.
  • a preferred embodiment where the encoding unit 620 encodes at least one of the algorithm and the table for generating the location password may be implemented by an AES method that is an advanced encoding standard, a method based on the advanced encoding standard, or a method corresponding to the advanced encoding standard.
  • the mobile phone terminal 700 includes a password generating unit 710 for generating the location password from the location information code received from the cell broadcast system 400 in the same manner as the location authentication management system 500 using at least one of the algorithm and the table for generating the location code received from the application server 600, and an output unit 720 for outputting the location password generated through the password generating unit 710 such that a user visually confirms the location password with naked eyes.
  • a password generating unit 710 for generating the location password from the location information code received from the cell broadcast system 400 in the same manner as the location authentication management system 500 using at least one of the algorithm and the table for generating the location code received from the application server 600
  • an output unit 720 for outputting the location password generated through the password generating unit 710 such that a user visually confirms the location password with naked eyes.
  • a mobile communication method such as LTE
  • the following two types may be implemented.
  • the location authentication management system when a table of encrypted code type matched with the base station ID is generated and transmitted to the Cell Broadcast System (CBS) at a certain period, the corresponding system broadcasts a unique code by unit of base station by utilizing the message ID designated for this services. If emergency alerts such as an earthquake or a tsunami are transmitted to the CBS at the same time, an emergency alert having higher importance and urgency is first transmitted, and then the code of this service is broadcasted (see first CBS transmission method in FIG. 12).
  • CBS Cell Broadcast System
  • the second CBS transmission method shown in FIG. 13, which simplifies the broadcast procedure may be differentially implemented.
  • a code may be generated using a unique seed data and generation algorithm and a matching table, and may be generated by combining a PLMN ID, a Cell ID, and a Tracking ID of a mobile communication network according to a need.
  • an encoding system including obfuscation is applied in consideration of the risk of leakage in the transmission process.
  • a location password generated based on a location information code inputted from a mobile phone terminal by a user and received through a mobile communication base station and a mobile phone number used by the user are received (a).
  • an authentication result of the location password is provided to an authentication system of a service provider together with the mobile phone number (c).
  • the receiving of the location password includes providing the mobile telephone terminal with at least one of an algorithm and a table for generating the location code such that the mobile telephone terminal generates the location password with the location information code.
  • the providing of the authentication result includes providing the mobile telephone number to a subscriber location management system to confirm the location of the mobile telephone terminal through the subscriber location management system and generating a location code based on the confirmed location (c1).
  • the providing of the mobile telephone number includes generating a location password for the authentication with the location code using at least one of the algorithm and the table for generating the location password (c2).
  • the generating of the location password includes generating the authentication result by determining whether or not the location password received from the mobile phone terminal matches the location password generated from the location code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to an online service system having a user authentication method, which generates a location password by utilizing unique codes received at a certain period from a mobile communication base station where a user is located, and uses the generated location password for authentication of various wired/wireless and offline services in addition to existing authentication methods such as ID/password, certificate, and OTP. Thus, by providing a solution that is universally usable for various services and security levels, the present invention can be in a form of applications of portable smart phone capable of being carried at all times, thereby securing high convenience and security.

Description

ONLINE INFORMATION SECURITY SYSTEM UTILIZING CELL BROADCASTING SERVICE
[0001] The present invention relates to an online service method and system having a user authentication method, and more particularly, to an online service method and system which generates a location password by utilizing unique codes received at a certain period from a mobile communication base station where a user is located, and uses the generated location password for authentication of various wired/wireless and offline services in addition to existing authentication methods such as ID/password, certificate, and OTP.
[0001] Internet banking (including mobile communication) which was used less than 10% due to security concerns, lack of Internet infrastructure, and inconvenience in the past is being extended to 37% due to the rapid spread of smart phones and the development of security technologies, and its growth is gradually increasing.
[0002] However, the damage cases of financial and personal information caused by hacking are increasing faster than the rapid growth of online services such as Internet banking. In the past, a small-scale damage occurred due to carelessness of personal information management and hacking of individual criminals. However, in recent years, large-scale damage cases are spreading in spite of efforts of financial companies, E-commerce companies, and Internet portals for information protection improvement as multinational and organized hacking from China and North Korea increases
[0003] While these large-scale security attacks are developing day by day, defensive measures for security, including financial and personal information, is limited to the use of IDs, passwords, and user identification information (iris, fingerprint, etc.) which are stored in a server.
[0004] Specifically, existing online and mobile services generally provide user authentication and access by using ID (including e-mail) and password, and in the case of financial service where information security and identity verification are important, additionally use enhanced authentication media such as One Time Password (OTP), security card, and ARS authentication. In addition, various methods such as mobile phone authentication (SMS authentication), international IP blocking, and re-login procedure when access IP changes are continuously developed and applied to provide a secure access environment and protect personal information.
However, as mentioned above, personal information including IDs and passwords is abroad circulated in quantity due to hacking and leakage. Also, copying and leakage of accredited certificates, security cards, and OTPs having a relatively high security level are increasing every year, and a high-level hacking technology that disables authentication systems such as memory hacking is emerging. In addition, the existing authentication and information security systems have limitations in that hackers can remotely and perfectly adjust smartphones due to click of SMS installed with malignant codes and zero-day vulnerabilities shown in iOS 9.3.5 emergency patches.
[0001] Although various alternatives such as security-enhanced block-chain and biometric authentication are carried forward, these alternatives also employ a method in which the source information is stored in a server and is compared with inputted information. Accordingly, concerns about the risk of hacking and copying probability of stored information are continuously raised.
[0002] Thus, the present invention significantly improves a security system by complementarily combining location-based coding information which is difficult to receive and hack when a hacker is not located in the area where a user is located.
[0003] Specifically, the present invention provides an online information security service method and system which generates location information of a user continuously changing in time and space dimensions and a code interworked therewith, by combining the location information that is difficult for a hacker to substantially understood with a cell broadcasting technology of a mobile communication network even when personal information such as an ID and a password is leaked.
[0001] In order to achieve the above object, the present invention employs a method of setting a zone to the unit of base station or an administrative district/region and broadcasting a code to a mobile communication subscriber connected to the corresponding zone in a one-way manner (see the service concept of FIG. 1), by utilizing a cell broadcasting technology established as a standard in a mobile communication network such as Long Term Evolution (LTE). Accordingly, only a user in the corresponding zone may receive the code that a specific base station transmits, and the user in other zones (area, base station) may not receive the code and receive only a code of the zone to which the user belongs.
[0002] In this case, it is possible to block access of a hacker in other zones or countries, by using unique characteristics that the codes received per zone are different and only a user in the zone can receive location-based code. Also, even when personal information is leaked from a home page or an application, if a password based on the location code is allowed to be inputted in the middle of important procedures such as login or transaction, it is difficult for a hacker to understand the changing location of a user, and hacking from the outside can be almost fundamentally blocked due to a structure in which reception is possible only when a hacker moves to the corresponding location.
[0003] In addition, since a service user continuously moves according to a life pattern and the base station where a user is located may also change the base station information broadcasted by unit of minute/hour/day, it is substantially impossible for a hacker to know a password based on the location, thereby enabling significant improvement of security (see the service flowchart of FIG. 2).
[0004] Referring to the flow of the service provided by the present invention, when a user is requested to input a location password, the user downloads and installs a location password application in a smartphone of his/her name, and the corresponding application provides the location password matched with base station information that is periodically received. When a password is entered in the service window accessed by the user, the corresponding information and the mobile phone number of a user are transmitted to a mobile communication carrier, and based thereon, the procedure is performed to compare with a password extracted from the system. When matched, a pass code is transmitted to the service provider by the mobile communication carrier, and when mismatched, a fail code is transmitted to the service provider. The service provider performs approval, blocking or re-authentication procedure according to the received code.
In this case, in consideration of the coverage overlapping with the neighboring base station according to the characteristics of mobile communication electronic wave, the code matched with the code of the base station may be primarily compared, and when dismatched, all passwords of the adjacent base stations may be compared. For example, when a user is located at the base station A of FIG. 3, the comparison with the password of the base station A is performed, and then the comparison with the passwords of the adjacent six base stations B, C, D, E, F, and G is performed (see the password comparison flowchart of FIG. 3).
[0001] The unique location code broadcasting concept for each base station through the cell broadcasting technology proposed by the present invention and the application of information and codes that dynamically change according to user's movement and time change are entirely new, and have strong competitiveness compared to other authentication/security media.
[0002] In particular, the location password concept proposed by the present invention is a solution that can be universally used for various services and security levels, and can be mounted as applications of portable smart phone carried at all times, thereby securing high convenience and security.
[0003] When the present invention is combined with an existing security medium, it is impossible to steal information received according to the location of a user without a physical location movement of a hacker even when the first step security by the existing medium is broken. Also, when a user moves, a hacker has to together move for hacking. Although the location information is stolen, a hacker has to hack the location password application equipped with security to obtain the password and then has to breach all of three mobile communication carriers having excellent security systems. Accordingly, since hacking is almost impossible, perfect security can be achieved.
[0004] Also, even when customer information stored in the server is stolen, fixed information such as ID and password may be exposed. However, when there is a location password authentication procedure for each important process, information changed every minute/hour/day is actually impossible to continuously hack. Accordingly, there is an advantage of reducing and preventing additional security risks.]
In addition, although all users in the corresponding zone receive the same code in addition to the current method of receiving the same location code, it is possible to provide an advanced service by a method of generating different location passwords for each individual in linkage with the mobile phone number and application of the corresponding customer. On the other hand, in the case of a mobile phone that cannot download an application according to a provided service policy, it is possible to provide a simplified version capable of authentication only by a location code (see the concept of the user and premium authentication of FIG. 7, and see the concept of simple authentication of FIG. 8).
[0001] FIG. 1 is a conceptual view illustrating an online information security service method and system according to an embodiment of the present invention.
[0002] FIG. 2 is a flowchart illustrating an online information security service method and system according to an embodiment of the present invention.
[0003] FIG. 3 is a flowchart illustrating a password matching process according to an online information security service method according to an embodiment of the present invention.
[0004] FIG. 4 is a flowchart illustrating a service scenario of the online information security service method according to an embodiment of the present invention.
[0005] FIG. 5 is a view illustrating a configuration of an application menu for implementing an online information security service method according to an embodiment of the present invention.
[0006] FIG. 6 is a view illustrating a configuration of an online information security service system according to an embodiment of the present invention.
[0007] FIG. 7 is a conceptual view illustrating a user authentication and premium authentication of an online information security service according to an embodiment of the present invention.
[0008] FIG. 8 is a conceptual view illustrating a simple authentication of an online information security service according to an embodiment of the present invention.
[0009] FIG. 9 is a view illustrating a password matching logic according to an online information security service method according to an embodiment of the present invention.
[0010] FIG. 10 is a view illustrating a code retransmission by a user request of the online information security service according to an embodiment of the present invention.
[0011] FIG. 11 is a view illustrating a method of interworking between an application and a server of an online information security service system according to an embodiment of the present invention.
[0012] FIG. 12 is a view illustrating a first CBS transmission method of an online information security service according to an embodiment of the present invention.
[0013] FIG. 13 is a view illustrating a second CBS transmission method of an online information security service according to an embodiment of the present invention.
[0014] FIG. 14 is a view illustrating a method for generating code of an online information security service according to an embodiment of the present invention.
[0015] FIG. 15 is a view illustrating a configuration of an integrated authentication gateway (200) in the online information security service system according to an embodiment of the present invention.
[0016] FIG. 16 is a view illustrating a configuration of a location authentication management system (500) in an online information security service system according to an embodiment of the present invention.
[0017] FIG. 17 is a view illustrating a configuration of an application server (600) in an online information security service system according to an embodiment of the present invention.
FIG. 18 is a view illustrating a configuration of a mobile phone terminal 700 in an online information security service system according to an embodiment of the present invention.
[0001] Hereinafter, an online information security service method according to an embodiment of the present invention will be described.
[0002] When a user accesses sites or apps such as financial institutions, government agencies, shopping malls, and portals which deal with customer information through various devices such as PCs, smartphones, tablets, etc., an authentication procedure proceeds according to the policies of the corresponding provider and the option settings of the user.
[0003] The authentication procedure may be set to input a location password at a login timepoint when the security of personal information or provided information is very important, or to input a password only when designated as important events such as remittance, payment, and personal information correction.
[0004] A description will be made with reference to the service flowchart of FIG. 4.
[0005] 1. Access from PC
[0006] When accessing the bank's homepage on a PC, a user logs in through ID, password or certificate, and then transfers money to another person, or enters the certificate's password, OTP/security card number, etc when applying for an important service such as a loan. In this case, an input window requesting for the location password is additionally displayed regardless of the transaction amount of money, and a user executes a location password application on a smartphone of his/her name to confirm and input the password. The bank site transmits the inputted location password and the mobile phone number of the corresponding customer to a location integrated authentication server of the authentication provider, and the server determines who the mobile communication carrier of the corresponding number is in the same manner as provided in the current number mobile communication service to transmit information to the corresponding mobile communication carrier. The mobile communication carrier checks the customer location and the base station ID of the received mobile phone number, and extracts and compares the password connected with a code generated at the corresponding base station.
[0007] When the authentication is normally dealt with, that is, when the password is matched, a pass code is immediately transmitted to the integrated authentication server, and the integrated authentication server stores and then transmits the pass code to the accessed bank site such that the corresponding process is normally performed. In the case of mismatching, when secondarily compared with the password of a neighboring base station of the corresponding base station and matched, the pass notification is similarly transmitted through the integrated authentication server (see the password matching logic view of FIG. 9).
[0008] On the other hand, when the authentication finally fails, that is, when dismatched, a failure code is transmitted to the integrated authentication server, and the bank blocks the corresponding process, and requests the re-authentication procedure from a user. In addition, when a failure occurs in the second authentication procedure, the customer is allowed to undergo a two-step authentication such as SMS and ARS authentication. The authentication provider enhances the security system such as access path analysis and hacking possibility monitoring and shares relevant information with affiliated companies, by utilizing a Fraud Detection system (FDS) separately from the bank.
[0009] On the other hand, in the case of wired/wireless portals and applications that are frequently accessed, when a password is requested for every login, convenience may be hindered. Accordingly, it is possible to flexibly apply the authentication policy and procedure in consideration of the characteristics of the service. For example, the corresponding authentication may be added only for important processes such as change of customer information or need of privacy protection, and may be utilized to check for hacking such as illegal access by randomly requesting authentication by unit of month or quarter.
[0010] 2. Access through mobile
[0011] The same procedures and regulations as PCs are also applied to access and transactions through smartphones. However, it is difficult to provide services for mobile phones such as feature phones that are impossible to install apps.
[0012] 3. User Interface
[0013] Referring to FIG. 5, the user authentication procedure through the mobile phone authentication is performed only once in consideration of security. After the authentication is completed, a password to be used for access is set to 6 digits, and thereafter, a user can use services only with the password.
[0014] It may be checked through an upper icon whether or not a location code is received from a base station, and a location password that is matched with the received code is displayed. When an icon indicating that the location code is not received is displayed or a password error occurs, a user may request a base station of an area where the user is located to retransmit the code using an update function (button) on the app. The retransmission request is delivered to a location authentication management system through an application server. After inquiring the user's location in a subscriber location management system, the code of the location is transmitted through a cell broadcast system (see the code retransmission view by user's request in FIG. 10).
[0015] Hereinafter, an online information security service system according to an embodiment of the present invention will be described.
[0016] As shown in FIG. 6, a system for providing services includes the following four elements, and interworking is important.
[0017] 1. Authentication and service system of service providers such as financial companies and portals
[0018] - Perform progress and blocking of function/process according to request of location password, password with integrated authentication gateway, mobile phone number linkage, and reply of authentication result
[0019] 2. Location authentication integrated gateway system relaying mobile phone number resource management, authentication information and verification result
[0020] - Almost similar to a system for providing mobile number portability service that is currently being provided by Korea Telecommunications Operations Association (KTOA)
[0021] - Confirm a mobile communication carrier corresponding to the transmitted mobile phone number and deliver the location password and mobile phone number to the corresponding carrier
[0022] - Deliver and store the result of the verification reply to the service provider to interwork with FDS and accumulate the result
[0023] 3. System of managing the location of a mobile phone customer in LTE and 3G networks and system of transmitting individual information for each base station at a certain period
[0024] - LTE interworks with Mobility Management Entity (MME) and CDMA interworks with user location registration management system such as Home Location Register (HLR)
[0025] - SMS and Data pushable cell broadcasting system
[0026] - Code and password generation, management, and matching system
[0027] 4. Application and service provision server for providing location password
[0028] - Whole list of codes and passwords and matching table management and encoding
[0029] - Table refresh through application update, upgrade of security function, etc. (see interworking method between application and server in FIG. 11)
[0030] As shown in FIG. 6, an online information security system utilizing cell broadcasting service includes an authentication system 100 transmitting a location password and a mobile phone number inputted by a user to desire to be authenticated to an integrated authentication gateway 200, requesting the integrated authentication gateway 200 to authenticate the location password, and receiving an authentication result of the location password from the integrated authentication gateway 200, an integrated authentication gateway 200 checking a mobile communication carrier that a user uses with the mobile phone number and then transmitting the mobile phone number and the location password to a location authentication management system 500, requesting the location authentication management system 500 to authenticate the location password, and receiving an authentication result of the location password from the location authentication management system 500 to transmit the authentication result to the authentication system 100, a subscriber location management system 300 for checking the location of a user's mobile communication terminal 700 based on a mobile communication base station, a cell broadcast system 400 transmitting a location code received from the authentication management system 500 to the user's mobile communication terminal 700 in a cell broadcast manner through the mobile communication base station, a location authentication management system 500 authenticating the location of the user's mobile communication terminal 700 and the location password Through the location management system 300, transmitting the authentication result to the integrated authentication gateway 200, and transmitting at least one of an algorithm and a table for generating the location password to an application server 600, an application server 600 encoding at least one of the algorithm and the table for generating the location password transmitted from the location authentication management system 500 and transmitting the location password to a mobile phone terminal 700, and a mobile phone terminal 700 generating the location password using at least one of the algorithm and the table for generating the location password received from the application server 600 with the location code received from the cell broadcast system 400.
[0031] In addition, according to a preferred embodiment of the present invention, the location authentication management system 500 generates a new location password based on the location of the mobile communication terminal 700 of a user, and determines whether or not the received location password is matched.
[0032] In this case, as shown in FIG. 15, the integrated authentication gateway 200 includes an integrated authentication gateway communication unit 210 checking the mobile communication carrier that a user uses with the mobile phone number to transmit the location password, the mobile phone number and the location password authentication request inputted by a user who desires to receive an authentication transmitted from the authentication system 100 to the location authentication management system 500 of the mobile communication carrier through a carrier confirmation unit 220, and receiving the authentication result of the location password from the location authentication management system 500 to transmit the authentication result to the authentication system 100, and a carrier confirmation unit 220 for confirming a mobile communication carrier corresponding to the mobile phone number of a user who desires to receive the authentication that the integrated authentication gateway communication unit 210 receives.
[0033] Also, as shown in FIG. 16, the location authentication management system 500 includes a location authentication management system communication unit 510 receiving the location password, the mobile phone number and the location password authentication request inputted by a user who desires to receive the authentication transmitted from the integrated authentication gateway 200, transmitting the authentication result of the location password to the integrated authentication gateway 200 through a verification unit 550, and transmitting at least one of the algorithm and the table for generating the location password to the application server 600 by a password generating unit 540, a location confirming unit 520 for confirming the location of the mobile phone terminal 700 corresponding to the mobile phone number received by the location authentication management system communication unit 510 through the subscriber location management system 300, a code generating unit 530 for generating the location code based on the location of the mobile phone terminal 700 confirmed through the location confirming unit 520, a password generating unit 540 for generating the location password using at least one of the password algorithm and the table from the location code generated by the code generating unit 530, and a verification unit 550 determining whether or not the location password received through the location authentication management system communication unit 510 matches the location password generated through the password generating unit 540 and authenticating the location password received through the location authentication management system communication unit 510.
[0034] In addition, according to a preferred embodiment where the verification unit 550 authenticates the location password, if the received location password and the generated location password match each other, the authentication is successful, and if not, the authentication fails.
[0035] Also, as shown in FIG. 17, the application server 600 includes a server communication unit 610 receiving at least one of the algorithm and the table for generating the location password from the location authentication management system 500 and encoding at least one of the algorithm and the table for generating the location password through an encoding unit 620, and an encoding unit 620 for encoding at least one of the algorithm and the table for generating the location code received by the server communication unit 610.
[0036] In addition, a preferred embodiment where the encoding unit 620 encodes at least one of the algorithm and the table for generating the location password may be implemented by an AES method that is an advanced encoding standard, a method based on the advanced encoding standard, or a method corresponding to the advanced encoding standard.
[0037] Also, as shown in FIG. 18, the mobile phone terminal 700 includes a password generating unit 710 for generating the location password from the location information code received from the cell broadcast system 400 in the same manner as the location authentication management system 500 using at least one of the algorithm and the table for generating the location code received from the application server 600, and an output unit 720 for outputting the location password generated through the password generating unit 710 such that a user visually confirms the location password with naked eyes.
[0038] Hereinafter, a cell broadcast system and operation method of the online information security service according to an embodiment of the present invention will be described.
[0039] According to a mobile communication method such as LTE, the following two types may be implemented. In the location authentication management system, when a table of encrypted code type matched with the base station ID is generated and transmitted to the Cell Broadcast System (CBS) at a certain period, the corresponding system broadcasts a unique code by unit of base station by utilizing the message ID designated for this services. If emergency alerts such as an earthquake or a tsunami are transmitted to the CBS at the same time, an emergency alert having higher importance and urgency is first transmitted, and then the code of this service is broadcasted (see first CBS transmission method in FIG. 12).
[0040] In order to quickly transmit the code and reduce a load on the related system including the CBS, the second CBS transmission method shown in FIG. 13, which simplifies the broadcast procedure, may be differentially implemented.
[0041] Hereinafter, a method of generating a code of an online information security service according to an embodiment of the present invention will be described.
[0042] Referring to FIG. 14, a code may be generated using a unique seed data and generation algorithm and a matching table, and may be generated by combining a PLMN ID, a Cell ID, and a Tracking ID of a mobile communication network according to a need. In this case, an encoding system including obfuscation is applied in consideration of the risk of leakage in the transmission process.
[0043] Hereinafter, a location authentication management method performed in the location authentication management system 500 will be described according to an embodiment of the present invention.
[0044] First, a location password generated based on a location information code inputted from a mobile phone terminal by a user and received through a mobile communication base station and a mobile phone number used by the user are received (a).
[0045] Next, a request for authentication of the location password is received (b).
[0046] Next, an authentication result of the location password is provided to an authentication system of a service provider together with the mobile phone number (c).
[0047] The receiving of the location password includes providing the mobile telephone terminal with at least one of an algorithm and a table for generating the location code such that the mobile telephone terminal generates the location password with the location information code.
[0048] The providing of the authentication result includes providing the mobile telephone number to a subscriber location management system to confirm the location of the mobile telephone terminal through the subscriber location management system and generating a location code based on the confirmed location (c1).
[0049] The providing of the mobile telephone number includes generating a location password for the authentication with the location code using at least one of the algorithm and the table for generating the location password (c2).
[0050] The generating of the location password includes generating the authentication result by determining whether or not the location password received from the mobile phone terminal matches the location password generated from the location code.
Meanwhile, since the method and system for online information security service utilizing the cell broadcasting service as described above is only one embodiment for facilitating understanding of the present invention, the right and technical scopes of the present invention should not be construed as limited to those described above.

Claims (10)

  1. An online information security system utilizing cell broadcasting service, the system comprising:
    an authentication system (100) transmitting a location password and a mobile phone number inputted by a user to desire to be authenticated to an integrated authentication gateway (200), requesting the integrated authentication gateway (200) to authenticate the location password, and receiving an authentication result of the location password from the integrated authentication gateway (200);
    an integrated authentication gateway (200) checking a mobile communication carrier that a user uses with the mobile phone number and then transmitting the mobile phone number and the location password to a location authentication management system (500), requesting the location authentication management system (500) to authenticate the location password, and receiving an authentication result of the location password from the location authentication management system (500) to transmit the authentication result to the authentication system (100);
    a subscriber location management system (300) for checking the location of a user's mobile communication terminal (700) based on a mobile communication base station;
    a cell broadcast system (400) transmitting a location code received from the authentication management system (500) to the user's mobile communication terminal (700) in a cell broadcast manner through the mobile communication base station;
    a location authentication management system (500) authenticating the location of the user's mobile communication terminal (700) and the location password Through the location management system (300), transmitting the authentication result to the integrated authentication gateway (200), and transmitting at least one of an algorithm and a table for generating the location password to an application server (600);
    an application server (600) encoding at least one of the algorithm and the table for generating the location password transmitted from the location authentication management system (500) and transmitting the location password to a mobile phone terminal (700); and
    a mobile phone terminal (700) generating the location password using at least one of the algorithm and the table for generating the location password received from the application server (600) with the location code received from the cell broadcast system (400).
  2. The online information security system of claim 1, wherein the integrated authentication gateway (200) comprises:
    an integrated authentication gateway communication unit (210) checking the mobile communication carrier that a user uses with the mobile phone number to transmit the location password, the mobile phone number and the location password authentication request inputted by a user who desires to receive an authentication transmitted from the authentication system (100) to the location authentication management system (500) of the mobile communication carrier through a carrier confirmation unit (220), and receiving the authentication result of the location password from the location authentication management system (500) to transmit the authentication result to the authentication system (100); and
    a carrier confirmation unit (220) for confirming a mobile communication carrier corresponding to the mobile phone number of a user who desires to receive the authentication that the integrated authentication gateway communication unit (210) receives.
  3. The online information security system of claim 1, wherein the location authentication management system (500) comprises:
    a location authentication management system communication unit (510) receiving the location password, the mobile phone number and the location password authentication request inputted by a user who desires to receive the authentication transmitted from the integrated authentication gateway (200), transmitting the authentication result of the location password to the integrated authentication gateway (200) through a verification unit (550), and transmitting at least one of the algorithm and the table for generating the location password to the application server (600) by a password generating unit (540);
    a location confirming unit (520) for confirming the location of the mobile phone terminal (700) corresponding to the mobile phone number received by the location authentication management system communication unit (510) through the subscriber location management system (300);
    a code generating unit (530) for generating the location code based on the location of the mobile phone terminal (700) confirmed through the location confirming unit (520);
    a password generating unit (540) for generating the location password using at least one of the password algorithm and the table from the location code generated by the code generating unit (530); and
    a verification unit (550) determining whether or not the location password received through the location authentication management system communication unit (510) matches the location password generated through the password generating unit (540) and authenticating the location password received through the location authentication management system communication unit (510).
  4. The online information security system of claim 1, wherein the application server (600) comprises:
    a server communication unit (610) receiving at least one of the algorithm and the table for generating the location password from the location authentication management system (500) and encoding at least one of the algorithm and the table for generating the location password through an encoding unit (620); and
    an encoding unit (620) for encoding at least one of the algorithm and the table for generating the location code received by the server communication unit (610).
  5. The online information security system of claim 1, wherein the mobile phone terminal (700) comprises:
    a password generating unit (710) for generating the location password from the location information code received from the cell broadcast system (400) in the same manner as the location authentication management system (500) using at least one of the algorithm and the table for generating the location code received from the application server (600); and
    an output unit (720) for outputting the location password generated through the password generating unit (710) such that a user visually confirms the location password with naked eyes.
  6. A location authentication management method performed in a location authentication management system, the method comprising:
    (a) receiving a location password generated based on a location information code inputted from a mobile phone terminal by a user and received through a mobile communication base station and a mobile phone number used by the user;
    (b) receiving a request for authentication of the location password; and
    (c) providing an authentication result of the location password to an authentication system of a service provider together with the mobile phone number.
  7. The location authentication management method of claim 6, wherein the receiving of the location password comprises,
    providing the mobile telephone terminal with at least one of an algorithm and a table for generating the location code such that the mobile telephone terminal generates the location password with the location information code.
  8. The location authentication management method of claim 6, wherein the providing of the authentication result comprises,
    providing the mobile telephone number to a subscriber location management system to confirm the location of the mobile telephone terminal through the subscriber location management system and generating a location code based on the confirmed location.
  9. The location authentication management method of claim 8, wherein the providing of the authentication result comprises,
    generating a location password for the authentication with the location code using at least one of the algorithm and the table for generating the location password.
  10. The location authentication management method of claim 9, wherein the providing of the authentication result comprises,
    generating the authentication result by determining whether or not the location password received from the mobile phone terminal matches the location password generated from the location code.
PCT/KR2017/010689 2016-10-31 2017-09-27 Online information security system utilizing cell broadcasting service WO2018124430A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
KR20160142851 2016-10-31
KR10-2016-0180272 2016-12-27
KR1020160180272A KR101927976B1 (en) 2016-10-31 2016-12-27 Online information security system utilizing cell broadcasting service

Publications (1)

Publication Number Publication Date
WO2018124430A1 true WO2018124430A1 (en) 2018-07-05

Family

ID=62185248

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2017/010689 WO2018124430A1 (en) 2016-10-31 2017-09-27 Online information security system utilizing cell broadcasting service

Country Status (2)

Country Link
KR (1) KR101927976B1 (en)
WO (1) WO2018124430A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102088391B1 (en) * 2018-09-03 2020-03-12 (주)태백보안컨설팅 Security bag possible control of Smart phone

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090222669A1 (en) * 2005-08-23 2009-09-03 Tea Vui Huang Method for controlling the location information for authentication of a mobile station
US20110151891A1 (en) * 2007-12-14 2011-06-23 Motorola, Inc. Communication system and a mobile station, proxy location server and method of operation for use in the system
KR101280050B1 (en) * 2012-02-17 2013-06-28 구글 인코포레이티드 Location-based security system for portable electronic device
US20140075493A1 (en) * 2012-09-12 2014-03-13 Avaya, Inc. System and method for location-based protection of mobile data
US20160021103A1 (en) * 2013-09-25 2016-01-21 Juniper Networks, Inc. Providing a service based on time and location based passwords

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090222669A1 (en) * 2005-08-23 2009-09-03 Tea Vui Huang Method for controlling the location information for authentication of a mobile station
US20110151891A1 (en) * 2007-12-14 2011-06-23 Motorola, Inc. Communication system and a mobile station, proxy location server and method of operation for use in the system
KR101280050B1 (en) * 2012-02-17 2013-06-28 구글 인코포레이티드 Location-based security system for portable electronic device
US20140075493A1 (en) * 2012-09-12 2014-03-13 Avaya, Inc. System and method for location-based protection of mobile data
US20160021103A1 (en) * 2013-09-25 2016-01-21 Juniper Networks, Inc. Providing a service based on time and location based passwords

Also Published As

Publication number Publication date
KR101927976B1 (en) 2018-12-12
KR20180048219A (en) 2018-05-10

Similar Documents

Publication Publication Date Title
US9578025B2 (en) Mobile network-based multi-factor authentication
US11882442B2 (en) Handset identifier verification
EP1058872B2 (en) Method, arrangement and apparatus for authentication through a communications network
US8869253B2 (en) Electronic system for securing electronic services
EP2476272B1 (en) Method and system for user authentication by means of a cellular mobile radio network
US20210234850A1 (en) System and method for accessing encrypted data remotely
US20050239440A1 (en) Replaceable sequenced one-time pads for detection of cloned service client
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
CN110278084B (en) eID establishing method, related device and system
US7099476B2 (en) Method for updating a network ciphering key
KR101659847B1 (en) Method for two channel authentication using smart phone
JP2006033780A (en) Network authentication system using identification by calling-back
WO2014061897A1 (en) Method for implementing login confirmation and authorization service using mobile user terminal
CN103401686A (en) User Internet identity authentication system and application method thereof
JP7231010B2 (en) CONTROL DEVICE, WIRELESS COMMUNICATION SYSTEM, CONTROL METHOD AND PROGRAM
JP6101088B2 (en) Status change notification method, subscriber authentication device, status change detection device, and mobile communication system
WO2018124430A1 (en) Online information security system utilizing cell broadcasting service
WO2011074878A2 (en) Service security system and method for same
Igor et al. Security Software Green Head for Mobile Devices Providing Comprehensive Protection from Malware and Illegal Activities of Cyber Criminals.
KR20210003529A (en) Authentication method and telecommunication server using IP address and SMS
WO2017109652A1 (en) Associating a token identifier with a user accessible data record
KR101294804B1 (en) Registration method of authentication application for 2-channel authentication, and registration system thereof
WO2015076522A1 (en) Internet security method and system using otid
Hon Mobile wireless/cellular communications networks
KR102705620B1 (en) Secure user two factor authentication method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17885973

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07.10.2019)

122 Ep: pct application non-entry in european phase

Ref document number: 17885973

Country of ref document: EP

Kind code of ref document: A1