WO2018164408A1 - Application security method and system for implementing same - Google Patents

Publication number
WO2018164408A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
client device
verification
file
identification information
Prior art date
Application number
PCT/KR2018/002420
Other languages
English (en)
Korean (ko)
Inventor
박형주
김영균
박천일
김양호
김기웅
Original Assignee
주식회사 케이비금융지주
Priority date
Filing date
Publication date
Application filed by 주식회사 케이비금융지주
Publication of WO2018164408A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/12 Applying verification of the received information

Definitions

  • Embodiments of the present invention relate to security techniques.
  • An embodiment of the present invention is to provide an application security method and a system for performing the same that can increase the security according to the use of the application.
  • the application security system includes a client device that downloads a security incomplete application in which, among static security related files and dynamic security related files, the static security related file is mounted, transmits a verification request for the security incomplete application, and transmits a security file request for the dynamic security related file according to the verification result related information corresponding to the verification request;
  • a verification server that receives the verification request from the client device, performs verification of the security incomplete application, and transmits the verification result related information to the client device; and
  • a management server that receives the security file request from the client device and transmits an encrypted dynamic security related file to the client device.
  • the verification request may include identification information of the security incomplete application and unique identification information of the client device.
  • the verification server performs verification by comparing the identification information of the security incomplete application included in the verification request with the stored identification information of the security incomplete application, and, according to the verification result, an encryption related key value may be generated based on the unique identification information of the client device, and verification result related information including the verification result and the encryption related key value may be transmitted to the client device.
  • the verification server may generate an encryption related key value based on management unique information in which unique identification information of the client device and preset dummy management information are combined when an abnormal symptom occurs.
  • the verification server may determine that the abnormal indication occurs when the total number of verification failures according to the verification request of each client for a predetermined time exceeds a preset first number.
  • the verification server may determine that the abnormal indication has occurred when the verification failure according to the verification request for the client device exceeds a preset second number.
  • the security file request may include unique identification information of the client device, the encryption related key value, and operating system related information of the client device.
  • the management server extracts a dynamic security related file corresponding to operating system related information of the client device and encrypts the extracted dynamic security related file using the encryption related key value, and the encrypted dynamic security related file and the encryption related key value may be transmitted to the client device.
  • the security file request may include at least one of unique identification information of the client device, an encryption related key value generated based on the unique identification information of the client device, and operating system related information of the client device.
  • the application security system may further include a blockchain that receives the unique identification information and the encryption-related key value of each client device from the management server, and matches and stores the unique identification information of each client device with the corresponding encryption-related key value.
  • the management server transmits unique identification information of the client device included in the security file request to the blockchain, and the blockchain extracts an encryption related key value matched with the unique identification information of the client device and transmits it to the management server, wherein the management server extracts a dynamic security related file corresponding to the operating system related information of the client device, encrypts the extracted dynamic security related file using the encryption related key value received from the blockchain, and transmits the encrypted dynamic security related file and the encryption related key value to the client device.
  • the client device decrypts the encrypted dynamic security-related file based on the encryption-related key value, and the dynamic security-related file may include instructions for loading a portion of the dynamic security-related file into memory according to the remaining capacity of the memory of the client device.
  • the static security related file may include instructions for transmitting the verification request to the verification server when the security incomplete application is executed; and instructions for checking the verification result related information and terminating the security incomplete application if the verification of the security incomplete application fails.
  • An application security method is a method performed in a computing device having one or more processors and a memory storing one or more programs executed by the one or more processors, the method comprising: downloading a security incomplete application in which, among static security related files and dynamic security related files, the static security related file is mounted; transmitting a verification request for the security incomplete application; receiving verification result related information corresponding to the verification request and transmitting a security file request for the dynamic security related file according to the verification result related information; receiving an encrypted dynamic security related file and an encryption related key value in response to the security file request; and decrypting the encrypted dynamic security related file using the encryption related key value.
  • the verification request may include identification information of the security incomplete application and unique identification information of the client device.
  • the verification result related information may include a verification result obtained by comparing the identification information of the security incomplete application included in the verification request with the stored identification information of the security incomplete application, and an encryption-related key value generated based on the unique identification information of the client device.
  • the security file request may include unique identification information of the client device, the encryption related key value, and operating system related information of the client device.
  • the dynamic security related file may include instructions for identifying a remaining capacity of memory of the client device; instructions for comparing the remaining capacity of the memory with the capacity of the dynamic security related file; and instructions for loading a portion of the dynamic security related file into the memory according to a result of the comparison.
  • the static security related file may include instructions for transmitting the verification request when the security incomplete application is executed; and instructions for checking the verification result related information and terminating the security incomplete application if the verification of the security incomplete application fails.
  • An application security method is a method performed on a computing device having one or more processors and a memory storing one or more programs executed by the one or more processors, the method comprising static security from a client device.
  • the generating of the verification result related information may include generating an encryption related key value based on the unique identification information of the client device according to the verification result.
  • the generating of the encryption-related key value may generate the hashed unique identification information of the client device when the verification is successful.
  • the generating of the encryption-related key value may include determining whether an abnormal indication is made based on log information according to a verification request of each client device; And generating an encryption related key value based on management unique information in which unique identification information of the client device and preset dummy management information are combined when the abnormality symptom occurs.
  • An application security method is a method performed in a computing device having one or more processors and a memory storing one or more programs executed by the one or more processors, the method comprising: receiving a security file request for the dynamic security related file from a client device which has downloaded a security incomplete application in which, among static security related files and dynamic security related files, the static security related file is mounted; extracting unique identification information of the client device included in the security file request; transmitting the extracted unique identification information of the client device to a blockchain; receiving an encryption related key value matching the unique identification information of the client device from the blockchain; and encrypting the dynamic security related file with the received encryption related key value, and transmitting an encrypted dynamic security related file and the encryption related key value to the client device.
  • the security file request includes unique identification information of the client device and operating system related information of the client device, and the step of transmitting the encrypted dynamic security related file to the client device comprises: extracting a dynamic security related file corresponding to the operating system related information of the client device; and encrypting the extracted dynamic security related file with the received encryption related key value.
  • the verification server performs verification of the security incomplete application and accordingly transmits an encryption-related key value to the client device, so that the integrity of the application (whether it has been forged or tampered with) can be checked.
  • By generating the encryption-related key value based on the unique identification information of the client device, it is possible to encrypt and decrypt differently for each client device, thereby increasing the security of the application use.
  • FIG. 1 is a diagram illustrating a configuration of an application security system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart illustrating a process of verifying forgery in an application security method according to an embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating a process of receiving a file related to dynamic security in an application security method according to an embodiment of the present invention.
  • FIG. 4 is a block diagram illustrating and describing a computing environment including a computing device suitable for use in example embodiments.
  • the terms "transfer", "communication", "transmit", "receive" and other terms of similar meaning for signals or information do not only mean that the signal or information is conveyed directly from one component to another; they also include passing through other components.
  • "transmitting" or "sending" a signal or information to a component indicates the final destination of the signal or information and does not mean a direct destination. The same is true for the "reception" of a signal or information.
  • that two or more pieces of data or information are "related" means that if one data (or information) is obtained, at least a portion of the other data (or information) can be obtained based thereon.
  • FIG. 1 is a diagram showing the configuration of an application security system according to an embodiment of the present invention.
  • the application security system 100 may include a client device 102, a verification server 104, a management server 106, and a blockchain 108.
  • the client device 102 is communicatively connected with the verification server 104 and the management server 106 via a communication network, respectively.
  • the management server 106 is communicatively connected with the blockchain 108 via a communication network.
  • the communication network may include the Internet, one or more local area networks, wide area networks, cellular networks, mobile networks, other types of networks, or a combination of these networks.
  • the client device 102 is a communication device used by a user, and examples of the client device 102 include various types of wired and wireless communication devices that can be connected to the server computing devices 104 and 106, such as mobile phones, smartphones, tablets, wearable devices, and laptop computers.
  • the client device 102 can download certain applications from a server computing device (eg, the verification server 104 or management server 106 or other server computing device not shown in FIG. 1) by the user.
  • the downloaded application may be stored in a computer readable storage medium of the client device 102.
  • the application includes a predetermined set of instructions executable by the processor of the client device 102.
  • the instructions of the application when executed by the processor of the client device 102, may cause the processor to perform an operation according to an example embodiment.
  • the computer readable storage medium includes components of an operating system for executing a set of instructions, such as the application, on a client device 102.
  • an operating system may be Apple's iOS or Google's Android.
  • the application downloaded by the client device 102 may be an application for performing a job requiring security such as a financial transaction (account transfer, payment, etc.) online.
  • the downloaded application may be an application for Internet banking.
  • some security related files may be omitted (that is, only some security related files are included). That is, the downloaded application may be for performing a task requiring security online, or a part of the security related file may be omitted so that the security related task cannot be normally or completely performed.
  • the downloaded application may be referred to as a security incomplete application.
  • the security related file may include a static security related file and a dynamic security related file.
  • The security incomplete application may include only static security-related files and no dynamic security-related files.
  • the static security related file may be a file for basic security of a security incomplete application.
  • the static security related file may be, for example, for performing user authentication, access control, anti debugging, source obfuscation, and the like.
  • the user authentication may mean performing user authentication through a password, biometric authentication, public authentication, pin number, etc. when the security incomplete application is executed.
  • the access control may mean that the security incomplete application is terminated when a result of the verification request to be described later is a verification failure.
  • the dynamic security related file may be a file for additional security of a security incomplete application.
  • Dynamic security related files may include, for example, keyboard security, root detection, antivirus programs, and the like.
  • the static security-related file may mean a security-related file mounted in a security incomplete application.
  • the dynamic security-related file may mean a security-related file that must be received separately from the outside without being mounted in the security incomplete application.
  • When the client device 102 downloads an application (a security incomplete application) in which security-related files are partially omitted (that is, dynamic security-related files are omitted), the dynamic security-related files are externally executed when the security incomplete application runs.
  • the client device 102 may transmit a verification request for the security incomplete application to the verification server 104.
  • the verification request may include identification information of the security incomplete application (for example, an ID of the security incomplete application and a hash value of the security incomplete application).
  • the verification request may further include management specific information for generating a unique encryption-related key value for the client device 102.
  • the management specific information may be unique identification information of the client device 102.
  • the unique identification information of the client device 102 may vary depending on the operating system of the client device 102.
  • the unique identification information of the client device 102 may be a device unique value of the client device 102, such as a Universally Unique Identifier (UUID), an International Mobile Equipment Identifier (IMEI), or the serial number of the SIM card.
  • the unique identification information of the client device 102 may be a Universally Unique Identifier (UUID).
  • the unique identification information of the client device 102 may be included in the initial request for verification.
  • the client device 102 may receive the verification result related information for the verification request from the verification server 104.
  • the verification result related information may include a verification result for the verification request, a verification time, and an encryption related key value.
  • the encryption-related key value may be a value obtained by hashing the unique identification information of the client device 102 (i.e., a hash value).
  • the encryption-related key value may be included only when the verification result is the verification success.
  • the client device 102 checks the verification result related information, and when the verification result is the verification failure, the client device 102 may terminate the security incomplete application. In this case, the client device 102 may notify the user that the security incomplete application is terminated. The client device 102 may perform this operation based on static security related files included in the security incomplete application. That is, the static security-related file may include a command to terminate the security incomplete application in case of verification failure.
  • In that case, the security of the application can be guaranteed first by terminating the security incomplete application. In other words, by verifying whether the downloaded application is forged or tampered with, the integrity of the downloaded application can be confirmed.
  • the client device 102 may transmit a security file request to the management server 106 when the received verification result is the verification success.
  • the secure file request may include unique identification information of the client device 102 and an encryption related key value. That is, when the client device 102 sends the security file request to the management server 106, the client device 102 may include the encryption related key value received from the verification server 104 in the security file request. Client device 102 may delete the encryption-related key value after sending it to management server 106.
  • the encryption-related key value may be included when initially transmitting the security file request.
  • the secure file request may further include operating system related information of the client device 102.
  • the OS related information may include OS type information and OS version information.
  • Client device 102 may receive encrypted dynamic security related files and encryption related key values from management server 106.
  • the client device 102 may decrypt the dynamic security related file encrypted with the encryption related key value, load the dynamic security related file into a computer readable storage medium, and execute the dynamic security related file.
  • the client device 102 may delete the dynamic security related file after executing the dynamic security related file.
  • the dynamic security-related file is deleted while being loaded in a computer-readable storage medium (ie, memory), thereby preventing the dynamic security-related file from being decompiled. In this case, unless the memory itself of the client device 102 is hacked, the dynamic security related files will not be leaked to the third party.
  • the dynamic security-related file may include a command for checking the remaining capacity of the memory of the client device 102 and, if the remaining capacity of the memory cannot hold all of the dynamic security-related files, loading only some of the dynamic security-related files into the memory.
  • the dynamic security-related file may load some dynamic security-related files into the memory according to a predetermined priority among the dynamic security-related files based on the remaining capacity of the memory. For example, if the dynamic security-related file includes an antivirus program, a virtual keyboard program, or the like, the antivirus program, which should always be operated, may be preferentially loaded into memory rather than the virtual keyboard program used only during key input.
  • the client device 102 receives the encryption-related key value while verifying the application through the verification server 104 at the first execution of the security incomplete application, and transmits a security file request to the management server 106 so that the unique identification information of the client device 102 and the encryption-related key value can be registered.
  • the client device 102 may receive the encrypted dynamic security related file and the decryption key from the management server 106, and decrypt the encrypted dynamic security related file using the decryption key. Thereafter, each time the client device 102 executes the security incomplete application to perform a financial transaction or payment online, it performs verification through the verification server 104 and sends a dynamic security file request to the management server 106.
  • the management server 106 then extracts the encryption-related key value matched with the unique identification information of the client device 102 included in the security file request, encrypts the dynamic security-related file with it, and sends the encrypted dynamic security-related file and the encryption-related key to the client device 102.
  • the verification server 104 may serve to verify security incomplete applications distributed to each client device 102. Specifically, the verification server 104 may check whether the security incomplete application is forged or tampered with. The verification server 104 may store identification information of the security incomplete application (for example, an ID of the security incomplete application and a hash value of the security incomplete application) before the predetermined version of the security incomplete application is distributed.
  • the verification server 104 may receive a verification request from each client device 102 that has executed a security incomplete application.
  • the verification server 104 may perform verification by checking whether identification information of the security incomplete application included in the verification request matches identification information of the security incomplete application.
  • If the verification server 104 determines that the identification information of the security incomplete application included in the verification request (for example, the ID of the security incomplete application and the hash value of the security incomplete application) matches the stored identification information of the security incomplete application, it may determine that the verification is successful (that is, the corresponding security incomplete application is not forged or tampered with). If the identification information of the security incomplete application included in the verification request does not match the identification information of the security incomplete application stored in the verification server 104, the verification server 104 may determine that the verification has failed (that is, that the security incomplete application is forged or tampered with).
  • the verification server 104 may generate verification result related information in response to the verification request of the client device 102 and transmit the generated verification result related information to the client device 102.
  • the verification result related information may include a verification result (ie, verification success or verification failure), verification time, and encryption-related key value for the verification request.
  • When the verification request includes management specific information (e.g., unique identification information of the client device 102), the verification server 104 hashes the unique identification information of the client device 102, and the hash value of the unique identification information of the client device 102 may then be set as an encryption related key value.
  • the encryption related key value may be an encryption key value for encrypting the security related file in the management server 106 and a decryption key value for decrypting the security related file encrypted in the client device 102.
  • the encryption key value and the decryption key value may be the same.
  • the verification server 104 may include an encryption related key value in the verification result related information and transmit the verification result only when the verification result is successful.
  • When the verification server 104 determines that an abnormal symptom has occurred, it may hash management unique information, in which the preset dummy management information is added to the unique identification information of the client device 102, and set the result as the encryption-related key value.
  • the management unique information may be the unique identification information of the client device 102 with the dummy management information added to its front end or rear end.
  • the verification server 104 usually generates an encryption related key value using the unique identification information of the client device 102 as the management unique information and, when an abnormal symptom is determined, may generate the encryption related key value using management unique information in which the unique identification information of the client device 102 and the preset dummy management information are combined.
  • the verification server 104 may manage log information according to the verification request for each client device 102.
  • the log information may include a verification request reception time, a verification result, and a verification result related information transmission time.
  • the verification server 104 may determine whether an abnormal symptom has occurred based on log information according to the verification request. For example, the verification server 104 may determine that an abnormal symptom occurs when the total number of verification failures according to the verification requests of each client within a predetermined time exceeds a preset first number. In addition, the verification server 104 may determine that an abnormal symptom occurs when the number of verification failures according to the verification request for a given client device 102 exceeds the preset second number.
  • the first number and the second number may be appropriately set in consideration of the number of service subscribers.
  • the management server 106 can receive a secure file request from the client device 102.
  • the management server 106 may check whether the client device 102 that transmitted the security file request is a registered device, and if the device is not registered, the management server 106 may register the client device 102 with the blockchain 108. Specifically, the management server 106 extracts the unique identification information of the client device 102 from the security file request and transmits the extracted unique identification information to the blockchain 108 so that the client device 102 can be registered. If the client device 102 is not registered, the management server 106 may transmit the encryption related key value included in the security file request to the blockchain 108 so that the client device 102 is registered. In this case, the blockchain 108 may register the unique identification information of the client device 102 by matching it with the encryption-related key value.
  • the management server 106 may transmit the dynamic security related file to the client device 102 based on the operating system related information of the client device 102 included in the security file request.
  • the management server 106 may store dynamic security related files according to the operating system version for each operating system type.
  • the management server 106 may extract the dynamic security related file corresponding to the operating system related information of the client device 102, and then encrypt the extracted dynamic security related file with an encryption related key value included in the security file request.
  • the encrypted dynamic security related file may be transmitted to the client device 102 together with the encryption related key value.
  • since the encryption-related key value is generated based on the unique identification information of the client device 102, the dynamic security-related file is encrypted and decrypted differently for each client device 102.
  • the management server 106 may receive, from the blockchain 108, the encryption-related key value that matches the unique identification information of the client device 102.
  • the management server 106 may extract the dynamic security related file corresponding to the operating system related information of the client device 102, and then encrypt the extracted dynamic security related file with the encryption related key value received from the blockchain 108.
  • the encrypted dynamic security related file may be transmitted to the client device 102 together with the encryption related key value.
  • the management server 106 checks whether the client device 102 that transmitted the security file request is already registered, and encrypts the dynamic security-related file using the encryption-related key value that matches the unique identification information of the client device 102, thereby providing secondary security for the application.
  • the blockchain 108 may manage encryption-related key values for each client device 102.
  • the blockchain 108 can register the client device 102 with the blockchain 108.
  • the blockchain 108 may check whether the corresponding client device 102 is registered based on the unique identification information. If the client device 102 is an unregistered device, the blockchain 108 receives the encryption related key value from the management server 106 and may register the client device 102 by matching its unique identification information with the encryption related key value.
  • in its initial security file request, the client device 102 may include the encryption related key value along with the unique identification information of the client device 102.
  • the blockchain 108 registers the verified client device 102.
  • the blockchain 108 extracts the encryption-related key value matched with the unique identification information of the client device 102 and transmits the extracted encryption-related key value to the management server 106.
  • the blockchain 108 may include an API server 108a and a plurality of distributed nodes 108b.
  • the application program interface (API) server 108a may provide an interface between the management server 106 and the blockchain 108.
  • the API server 108a may receive the unique identification information of the client device 102 from the management server 106 to confirm whether the client device 102 is registered.
  • the API server 108a may store unique identification information and encryption related key values of a given client device 102 in the plurality of distributed nodes 108b.
  • the API server 108a may extract encryption related key values matching the unique identification information of the client device 102 from the plurality of distributed nodes 108b and forward them to the management server 106.
  • the plurality of distributed nodes 108b may match and store unique identification information and encryption-related key values for each client device 102.
  • the plurality of distributed nodes 108b may store unique identification information and encryption-related key values for each client device 102 based on the blockchain technology. In this case, the integrity of the encryption-related key value can be secured, and the encryption-related key value can be prevented from being hacked or stolen.
  • the security exposure of the application mounted in the client device 102 can be minimized, and security-related files of the application can be prevented from being stolen by malicious third parties.
  • the verification server 104 performs verification of the security incomplete application and accordingly transmits an encryption-related key value to the client device 102, so that whether the application has been forged or tampered with can be checked.
  • because the verification server 104 generates the encryption-related key value based on the unique identification information of the client device 102, encryption and decryption are performed differently for each client device 102, thereby increasing security.
  • by distributing the security incomplete application to the client device 102, the size of the application distributed to the client device 102 can be minimized, and even if dynamic security-related files are changed or updated, there is no need to download the application again, because the application can automatically receive and execute the updated dynamic security-related files when the application is executed.
  • although the blockchain 108 is described as storing the unique identification information for each client device 102 matched with the encryption-related key value, the present invention is not limited thereto, and the management server 106 may match and store the unique identification information and the encryption-related key value for each client device 102.
  • although the security incomplete application has been described as having the static security-related file mounted and the dynamic security-related file not mounted, both the static security-related file and the dynamic security-related file may be unmounted. That is, the security incomplete application may carry no security-related file at all.
  • the client device 102 may decrypt and execute the encrypted static security related file and the encrypted dynamic security related file from the management server 106.
  • FIG. 2 is a flowchart illustrating a process of verifying forgery in an application security method according to an embodiment of the present invention.
  • the method is described as divided into a plurality of steps, but at least some of the steps may be performed in a reverse order, performed in combination with other steps, omitted, divided into sub-steps, or performed with one or more steps not shown added.
  • the client device 102 downloads a security incomplete application (S 101).
  • A security incomplete application is intended to perform security-related tasks such as online financial transactions or payments, but includes only the static security-related file among the security-related files; the dynamic security-related file is omitted, so the application may be in a state in which security-related operations cannot be performed normally or fully.
  • client device 102 may download a security incomplete application from a server computing device, such as verification server 104 or management server 106.
  • the client device 102 transmits a verification request related to the security incomplete application to the verification server 104 (S 103).
  • the client device 102 may transmit a verification request to the verification server 104 when the security incomplete application is executed by the user.
  • the client device 102 may send the verification server 104 a verification request that includes identification information of the security incomplete application and unique identification information of the client device 102.
  • the verification server 104 performs verification by comparing the identification information of the security incomplete application included in the verification request with the identification information of the security incomplete application previously stored (S 105).
  • in step S 105, when the identification information of the security incomplete application included in the verification request and the identification information of the previously stored security incomplete application match, the verification server 104 generates an encryption-related key value based on the unique identification information of the client device 102 included in the verification request (S 107). For example, the verification server 104 may hash the unique identification information of the client device 102 to generate an encryption related key value.
  • the verification server 104 transmits the verification result related information to the client device 102 (S 109).
  • the verification result related information may include a verification result value corresponding to the verification request, a verification time, and an encryption related key value.
  • if the verification fails, the verification server 104 may not include the encryption related key value in the verification result related information.
  • the verification server 104 may manage log information according to the verification request of the client device 102.
  • FIG. 3 is a flowchart illustrating a process of receiving a file related to dynamic security in an application security method according to an embodiment of the present invention.
  • the method is described as divided into a plurality of steps, but at least some of the steps may be performed in a reverse order, performed in combination with other steps, omitted, divided into sub-steps, or performed with one or more steps not shown added.
  • the client device 102 transmits a security file request to the management server 106 (S 201).
  • the secure file request may include unique identification information of the client device 102, encryption related key values, and operating system related information of the client device 102.
  • the client device 102 may terminate the security incomplete application.
  • the management server 106 extracts the unique identification information of the client device 102 included in the security file request, and then transmits the extracted unique identification information of the client device 102 to the blockchain 108 (S 203).
  • the blockchain 108 extracts the encryption-related key value and transmits it to the management server 106 (S 205).
  • the blockchain 108 may receive the encryption related key value from the management server 106 and register the corresponding client device 102 by matching the unique identification information of the client device 102 with the encryption related key value.
  • the management server 106 extracts a dynamic security related file corresponding to the operating system related information of the client device 102 included in the security file request (S 207). That is, the management server 106 may extract a dynamic security related file corresponding to the operating system type and operating system version of the client device 102.
  • the management server 106 encrypts the extracted dynamic security-related file using the encryption-related key value received from the blockchain 108 (S 209), and transmits the encrypted dynamic security-related file and the encryption-related key value (that is, the decryption key value) to the client device 102 (S 211).
  • the client device 102 decrypts the encrypted dynamic security related file using the received decryption key (S 213). Then, the decrypted dynamic security related file is loaded into the memory to execute the dynamic security related file and then deleted (S 215).
  • FIG. 4 is a block diagram illustrating and describing a computing environment 10 that includes a computing device suitable for use in example embodiments.
  • each component may have different functions and capabilities in addition to those described below, and may include additional components in addition to those described below.
  • the illustrated computing environment 10 includes a computing device 12.
  • computing device 12 may be a client device (eg, client device 102).
  • computing device 12 may be a server computing device (eg, verification server 104 or management server 106).
  • Computing device 12 includes at least one processor 14, computer readable storage medium 16, and communication bus 18.
  • the processor 14 may cause the computing device 12 to operate according to the example embodiments mentioned above.
  • processor 14 may execute one or more programs stored in computer readable storage medium 16.
  • the one or more programs may include one or more computer executable instructions that, when executed by the processor 14, cause the computing device 12 to perform operations in accordance with an exemplary embodiment.
  • Computer readable storage medium 16 is configured to store computer executable instructions or program code, program data and / or other suitable forms of information.
  • the program 20 stored in the computer readable storage medium 16 includes a set of instructions executable by the processor 14.
  • computer readable storage medium 16 includes memory (volatile memory, such as random access memory, nonvolatile memory, or a suitable combination thereof), one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or any other form of storage medium that is accessible by computing device 12 and capable of storing desired information, or a suitable combination thereof.
  • the communication bus 18 interconnects various other components of the computing device 12, including the processor 14 and the computer readable storage medium 16.
  • Computing device 12 may also include one or more input / output interfaces 22 and one or more network communication interfaces 26 that provide an interface for one or more input / output devices 24.
  • the input / output interface 22 and the network communication interface 26 are connected to the communication bus 18.
  • the input / output device 24 may be connected to other components of the computing device 12 via the input / output interface 22.
  • Exemplary input / output devices 24 may include input devices such as pointing devices (such as a mouse or trackpad), keyboards, touch input devices (such as touchpads or touchscreens), voice or sound input devices, various types of sensor devices, and / or imaging devices, and / or output devices such as display devices, printers, speakers, and / or network cards.
  • the example input / output device 24 may be included inside the computing device 12 as one component of the computing device 12, or may be connected to the computing device 12 as a separate device distinct from the computing device 12.
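
The verification flow of FIG. 2 (S 105 to S 109), combined with the abnormal-symptom rule and the dummy management information described for the verification server 104, as an added Python example that is not part of the patent text. SHA-256, both thresholds, the window length, the dummy string and the application and device identifiers are assumptions chosen for illustration.

```python
import hashlib

# Constructed values: the page gives no concrete identifiers, thresholds or dummy data.
KNOWN_APP_IDS = {"app-build-1.0"}   # identification information stored in advance
DUMMY_INFO = b"dummy-mgmt-info"     # preset dummy management information
WINDOW_SECONDS = 600                # the "predetermined time"
FIRST_NUMBER = 5                    # failures across all clients within the window
SECOND_NUMBER = 3                   # failures for one client device


class VerificationServer:
    def __init__(self):
        # Log entry: (request received at, device id, verification result, result sent at)
        self.log = []

    def abnormal(self, device_id, now):
        """Apply both abnormal-symptom rules to the verification log."""
        failures = [e for e in self.log if not e[2]]
        recent_total = sum(1 for e in failures if now - e[0] <= WINDOW_SECONDS)
        for_device = sum(1 for e in failures if e[1] == device_id)
        return recent_total > FIRST_NUMBER or for_device > SECOND_NUMBER

    def derive_key(self, device_id, abnormal):
        """Hash the management unique information into the key value (S 107)."""
        material = device_id.encode()
        if abnormal:
            # Dummy information added at the front end of the device identifier.
            material = DUMMY_INFO + material
        return hashlib.sha256(material).hexdigest()  # SHA-256 is an assumption

    def verify(self, app_id, device_id, now):
        """S 105 to S 109: compare identification info, then build the result."""
        ok = app_id in KNOWN_APP_IDS
        result = {"result": ok, "time": now}
        if ok:
            # The key value is included only when verification succeeds.
            result["key"] = self.derive_key(device_id, self.abnormal(device_id, now))
        self.log.append((now, device_id, ok, now))
        return result
```
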
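
The FIG. 3 exchange (S 201 to S 215), as an added Python example rather than code from the patent. An in-memory dictionary stands in for the blockchain 108, a SHA-256 counter-mode keystream stands in for the cipher the page leaves unspecified, and the file contents, operating system labels and request field names are constructed.

```python
import hashlib

# Constructed sample data: dynamic security related files per OS type and version.
SAMPLE_FILES = {
    ("android", "13"): b"dynamic-security-module-for-android-13",
    ("ios", "17"): b"dynamic-security-module-for-ios-17",
}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter-mode keystream (symmetric)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class Registry:
    """Stands in for blockchain 108: device id matched to a key value, written once."""

    def __init__(self):
        self._keys = {}

    def lookup(self, device_id):
        return self._keys.get(device_id)

    def register(self, device_id, key):
        if device_id in self._keys:
            raise ValueError("device already registered")
        self._keys[device_id] = key


class ManagementServer:
    def __init__(self, registry, files):
        self.registry = registry
        self.files = files

    def handle(self, request):
        device_id = request["device_id"]
        key = self.registry.lookup(device_id)            # S 203 / S 205
        if key is None:
            # Unregistered device: match the id with the key sent in the request.
            key = request["key"]
            self.registry.register(device_id, key)
        os_info = (request["os_type"], request["os_version"])
        if os_info not in self.files:
            raise KeyError("no dynamic security related file for %s %s" % os_info)
        plain = self.files[os_info]                      # S 207
        cipher = keystream_xor(bytes.fromhex(key), plain)  # S 209
        return {"file": cipher, "key": key}              # S 211


def client_receive(response):
    """S 213: decrypt with the received key; the plaintext stays in memory only."""
    return keystream_xor(bytes.fromhex(response["key"]), response["file"])
```

For a registered device the key comes from the registry, so a different key value placed in a later request is ignored. Because the key value is returned alongside the ciphertext in S 211, the per-device encryption protects the file only as far as the transport channel does.
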

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an application security method and a system for implementing said method. According to an exemplary embodiment, the application security system comprises: a client device that downloads a security incomplete application on which, of a static security-related file and a dynamic security-related file, the static security-related file is loaded, transmits a verification request for the security incomplete application, and then transmits a security file request for the dynamic security-related file according to verification result related information corresponding to the verification request; a verification server that receives the verification request from the client device, verifies the security incomplete application, and transmits the verification result related information to the client device; and a management server that receives the security file request from the client device and then transmits an encrypted dynamic security-related file to the client device.
PCT/KR2018/002420 2017-03-07 2018-02-28 Application security method and system for implementing same WO2018164408A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2017-0028955 2017-03-07
KR1020170028955A KR101906484B1 (ko) 2017-03-07 2017-03-07 Application security method and system for performing the same

Publications (1)

Publication Number Publication Date
WO2018164408A1 (fr) 2018-09-13

Family

ID=63447796

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2018/002420 WO2018164408A1 (fr) 2017-03-07 2018-02-28 Application security method and system for implementing same

Country Status (2)

Country Link
KR (1) KR101906484B1 (fr)
WO (1) WO2018164408A1 (fr)

Also Published As

Publication number Publication date
KR20180102387A (ko) 2018-09-17
KR101906484B1 (ko) 2018-10-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18763742

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18763742

Country of ref document: EP

Kind code of ref document: A1