WO2019132214A1 - Hybrid password authentication method and system - Google Patents

Hybrid password authentication method and system

Info

Publication number
WO2019132214A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
password
terminal
information
code value
Prior art date
Application number
PCT/KR2018/012842
Other languages
English (en)
Korean (ko)
Inventor
박영경
Original Assignee
주식회사 엘핀
Priority date
Filing date
Publication date
Application filed by 주식회사 엘핀
Publication of WO2019132214A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities privileges depend on current location or allowing specific operations only from locally connected terminals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0872 Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/63 Location-dependent; Proximity-dependent

Definitions

  • the disclosed technique relates to a method and system for generating a hybrid password based on a specific location and time and thereby performing authentication.
  • an authentication method that relies on a universal password may add a further authentication step, such as mobile phone authentication, but it remains exposed to the same kind of attack, such as snooping.
  • the disclosed technique is to provide a method and system for generating a hybrid password based on a specific location and time and thereby performing authentication for a user for a predetermined time.
  • a communication system including: a plurality of authentication terminals, each disposed at one of a plurality of base stations, which transmit authentication information to terminals located within the communication radius of the base station at which they are located; a smart terminal that generates a password on the basis of a code value included in the authentication information and its own terminal information, and transmits the password before the expiration time included in the authentication information passes; and an authentication server that receives location information on the base station at which the authentication terminal is deployed and receives the password from the smart terminal in order to verify the validity of the password.
  • Embodiments of the disclosed technique may have effects that include the following advantages. It should be understood, however, that the scope of the disclosed technology is not to be construed as limited thereby, since the embodiments of the disclosed technology are not meant to include all such embodiments.
  • the hybrid password authentication method and system have the effect of securely authenticating a user by generating a hybrid password temporarily valid only in a specific space.
  • FIG. 1 is a flowchart of a hybrid password authentication method according to an embodiment of the disclosed technique.
  • FIG. 2 is a block diagram of a hybrid password authentication system according to an embodiment of the disclosed technique.
  • FIG. 3 is a diagram of a smart terminal receiving authentication information from an authentication terminal located at a base station in accordance with an embodiment of the disclosed technique.
  • FIG. 4 is a diagram illustrating an authentication server for preventing duplication of code values using a data list according to an embodiment of the disclosed technology.
  • terms such as first, second, A, B, etc. may be used to describe various components, but the components are not limited by these terms, which serve only to distinguish one component from another.
  • the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.
  • the term "and/or" includes any combination of a plurality of related listed items, or any one of a plurality of related listed items.
  • each of the constituent units described below may, in addition to its own main functions, perform some or all of the functions of other constituent units, and some of its main functions may instead be carried out exclusively by another unit. Accordingly, the presence or absence of each component described in this specification should be interpreted functionally.
  • the hybrid password authentication method includes the following steps.
  • the smart terminal 220 receives the authentication information 211 from the authentication terminal 210 disposed at the first base station, that is, the base station among the plurality of base stations whose communication radius includes the current position of the smart terminal.
  • each base station is provided with authentication terminals for communicating with the smart terminal.
  • a smart terminal that is outside the communication radius cannot receive the authentication information 211 transmitted by the authentication terminal 210; it can receive authentication information, including the code value, only from the authentication terminal of the base station covering its position. That is, the authentication terminals installed in each base station may broadcast their authentication information with a communication radius equal to that of the base station, as in conventional cell broadcasting.
  • the smart terminal 220 includes not only a mobile terminal that can move freely between the communication radii of various base stations, but also a terminal used in a fixed position within the communication radius of a specific base station, such as a PC or a notebook.
  • the authentication information 211 broadcasted by the authentication terminal 210 includes a code value 211a and a validity time 211b.
  • the code value 211a is a value that every authentication terminal generates according to the same rule or in the same form and transmits to the smart terminal. As a principle, each authentication terminal generates a unique code value that does not overlap with those of the other terminals.
  • the validity time 211b indicates the period during which the generated code value is valid. For example, if the validity time is set to 1 hour, the generated code value becomes meaningless data after one hour, so a new code value is generated with reference to the terminal's offset 212. Therefore, each authentication terminal changes its code value based on the validity time.
  • the smart terminal 220 generates a password 222 based on the code value 211a included in the authentication information and the terminal information 221 of the smart terminal 220 using the application communicating with the authentication terminal 210.
  • the code value 211a included in the authentication information 211 is used in generating the password 222.
  • not only the code value 211a but also the terminal information 221 of the smart terminal 220 that received the code value 211a is used: the smart terminal generates the password 222 by combining the code value 211a with its terminal information 221.
  • the terminal information 221 is information unique to the smart terminal 220. For example, it may be wake-up information, a serial number, or personal information or biometric information of the terminal user.
  • a password may be generated by encrypting the terminal information with the code value, or by mixing the two values according to a certain rule and then applying a hash function.
  • the smart terminal 220 has an application communicating with the authentication terminal 210 installed in advance, and can generate the password 222 from the terminal information 221 and the code value 211a using the application's password generation algorithm.
  • the smart terminal 220 transmits the password 222 to the authentication terminal 210 before the validity time 211b included in the authentication information 211 passes.
  • the authentication information 211 includes not only the code value 211a but also the validity time 211b, and the system 200 treats a password as valid only if it is processed before the validity time 211b passes.
  • the application installed in the smart terminal 220 automatically transmits the password 222 to the authentication terminal 210 that has provided the authentication information before the validity time 211b passes.
  • in step 140, the authentication terminal 210 transmits the password 222 received from the smart terminal 220, together with the location information 213 of the base station at which the authentication terminal 210 is located, to the authentication server 230.
  • the base station at which the authentication terminal 210 is located is referred to as the first base station.
  • the smart terminals 220 located within the communication radius of the base station can receive the authentication information 211. At this point it is necessary to confirm whether the smart terminal 220 is actually present in that area. For example, a hacker could falsify the GPS information of a terminal, or arbitrarily alter other location-based information, so as to appear to be located within the communication radius of the first base station; therefore the authentication terminal 210 determines whether the smart terminal 220 is actually located in the area.
  • for this reason the authentication terminal 210 itself, rather than the server, receives the password 222 from the smart terminal 220.
  • the password 222 received from the smart terminal 220 and the location information 213 of the first base station are then transmitted to the authentication server 230, which supports the reliability of the password.
  • the authentication server 230 receives the password 222 and the location information 213 from the authentication terminal 210 disposed at the first base station and verifies the validity of the received password 222. In one embodiment, the password 222 is valid if the code value 211a contained in the received password 222 matches the code value 211a generated by the authentication terminal 210 that transmitted the location information 213.
  • the authentication server 230 may communicate with the authentication terminal 210 in a wired or wireless manner and may receive the authentication information 211 generated by the authentication terminal 210 in advance.
  • the authentication server 230 can verify, through the authentication terminal 210, whether the user of the smart terminal 220 is a legitimate user. If the authentication fails, a message can be sent to the terminal to restart the procedure, or access can be blocked.
  • the authentication server 230 can communicate by wire or wirelessly with the plurality of authentication terminals disposed at each base station, can monitor the authentication information generated by each authentication terminal and, if necessary, can change that information directly.
  • the authentication server 230 communicates wirelessly with the authentication terminals located at the plurality of base stations and can set the code values included in the authentication information of each authentication terminal to unique values that do not overlap with each other. That is, the authentication server can generate and distribute the initial code value of each authentication terminal's authentication information so that the code values do not overlap. Subsequent code values are then changed according to the validity time and offset of each authentication terminal.
  • the authentication server periodically checks this information through the data list, thereby preventing code values from being duplicated.
  • the authentication server 230 may communicate by wire or wirelessly with the authentication terminals disposed at the plurality of base stations and may set the validity time included in the authentication information of each authentication terminal to the same cycle. That is, since each authentication terminal generates authentication information containing a unique code value, setting the validity time to the same value for all terminals lets every authentication terminal generate its own, non-duplicated code value at the same moment.
  • the authentication server 230 may communicate by wire or wirelessly with the authentication terminals disposed at the plurality of base stations, record the authentication information received from them in the data list 231, and search for duplicate code values by comparing the authentication information recorded in the data list 231 at a preset cycle.
  • for example, suppose the code value 401 of authentication terminal A01 is ABC and that, after the validity time of 1 hour, the code value of authentication terminal B02 changes to DEF according to its offset; a situation may then arise in which the two terminals hold the same code value during the one-hour or the two-hour interval.
  • the authentication server 230 sends a control signal to the corresponding authentication terminal so as to change the code value and the validity time of at least one of the authentication terminals that generated the duplicated code value to an arbitrary value. That is, the authentication server 230 can change the code value and validity time of A01 to an arbitrary value, or change the code value and validity time of B02 to an arbitrary value.
  • when the authentication server 230 confirms, in the order in which the authentication information was received, that a code value in the received authentication information is duplicated, it transmits a control signal to the authentication terminal that sent that authentication information so that its code value can be changed.
  • the hybrid password authentication system 200 includes an authentication terminal 210, a smart terminal 220, and an authentication server 230.
  • the authentication terminal 210 is disposed at each of a plurality of base stations and broadcasts a code value 211a within an area equal to the communication radius of the base station at which it is located.
  • the code value 211a may be transmitted to a smart terminal 220 located within the communication radius, for example by transmitting a message in a cell broadcasting manner.
  • the smart terminal 220 generates a password 222 based on the code value 211a and its own terminal information 221 using an application communicating with the authentication terminal 210, and transmits the password 222, together with the code value 211a, before the validity time 211b passes.
  • the terminal information such as the wicket information may be encrypted with a code value or the code value may be encrypted with terminal information to generate a password.
  • the password can be generated by applying any of various conventional password generation techniques.
  • the authentication server 230 receives the location information 213 from the authentication terminal 210 and receives the password 222 from the smart terminal 220. In FIG. 1, the authentication terminal 210 receives the password 222 of the smart terminal 220 and forwards it; however, since the smart terminal 220 is itself a terminal with a built-in communication function, it can also transmit the password 222 directly. Of course, it would be appropriate to transmit the password 222 after a connection to the authentication server 230 has been established in advance, or after the authentication server 230 has requested the password 222.
  • in that case the smart terminal 220 receives the location information 213 together with the authentication information 211 from the authentication terminal 210. That is, the smart terminal 220 communicates directly with the authentication server 230 and transmits the password it generated together with the location information 213 received from the authentication terminal 210.
  • the location information 213 is information indicating the location of the base station where the authentication terminal 210 is located. For example, it may be a coordinate point of the base station or an ID value of the base station.
  • the location information 213 is information for verifying whether the password 222 received from the smart terminal 220 is valid or not.
  • for example, if the code value 211a used for generating the password 222 matches the one generated by the authentication terminal 210 at the base station indicated by the location information 213, it can be verified that the password 222 is valid.
  • the authentication server 230 communicates by wire or wirelessly with the plurality of authentication terminals before receiving the password 222 from the smart terminal 220 and receives their respective authentication information; it can therefore verify whether the password 222 was generated from the authentication information 211 received from the authentication terminal 210 of the base station covering the point where the smart terminal 220 actually is. Thus it can verify whether the password 222 was generated through normal access and, furthermore, it can confine the place and time at which the password 222 can be used, even if the password is leaked to the outside.
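The broadcast, password generation, verification and duplicate-code handling described in the definitions above, as an added worked model in Python. This is illustrative code written for this page, not the patent's or the applicant's implementation: the class names, the mixing rule (SHA-256 over the code value and the terminal information), the three-hex-digit code values with an additive offset, the enrolled terminal-information registry on the server and the sample scenario (terminal A01 at ABC and B02 at DEF, colliding after one rotation) are all assumptions.

```python
"""Worked model of the hybrid password flow: broadcast (211), password
generation (222), verification against location information (213), and
duplicate code detection in the data list (231). Constructed example:
class names, the mixing rule and the registry layout are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

VALIDITY_SECONDS = 3600  # validity time 211b; the text uses 1 hour as its example


def make_password(code_value: str, terminal_info: str) -> str:
    """Password 222: mix code value 211a with terminal info 221 by a fixed rule,
    then hash. The rule (SHA-256 over "code|info") is an assumption; the text
    only requires a rule shared by the app and the server."""
    return hashlib.sha256(f"{code_value}|{terminal_info}".encode()).hexdigest()


@dataclass
class AuthenticationTerminal:
    """Authentication terminal 210, one per base station."""
    base_station_id: str  # location information 213 (the text allows a base station ID)
    code_value: str       # code value 211a, three hex digits here ("ABC", "DEF")
    offset: int           # offset 212 used to derive the next code value
    issued_at: int        # epoch seconds at which the current code was issued

    def broadcast(self) -> dict:
        """Authentication information 211: code value plus expiry time."""
        return {"code_value": self.code_value,
                "expires_at": self.issued_at + VALIDITY_SECONDS}

    def rotate(self, now: int) -> bool:
        """Once the validity time has passed, derive the next code from the offset."""
        if now < self.issued_at + VALIDITY_SECONDS:
            return False
        self.code_value = format((int(self.code_value, 16) + self.offset) % 0x1000, "03X")
        self.issued_at = now
        return True


def smart_terminal_respond(auth_info: dict, terminal_info: str, now: int):
    """Smart terminal 220: generate and send the password only while the broadcast
    code is still valid; returns None once the validity time has passed."""
    if now >= auth_info["expires_at"]:
        return None
    return make_password(auth_info["code_value"], terminal_info)


@dataclass
class AuthenticationServer:
    """Authentication server 230 with its data list 231."""
    data_list: dict = field(default_factory=dict)  # base_station_id -> auth info, in order received
    enrolled: dict = field(default_factory=dict)   # user -> terminal info 221 (assumed enrolment step)

    def record(self, terminal: AuthenticationTerminal) -> None:
        self.data_list[terminal.base_station_id] = terminal.broadcast()

    def verify(self, password: str, location_info: str, user: str, now: int) -> bool:
        """Valid only if the password was built from the code value of the base station
        named by the location information, and within that code's validity time."""
        info = self.data_list.get(location_info)
        terminal_info = self.enrolled.get(user)
        if info is None or terminal_info is None or now >= info["expires_at"]:
            return False
        expected = make_password(info["code_value"], terminal_info)
        return hmac.compare_digest(expected, password)  # constant-time comparison

    def find_duplicate_codes(self) -> dict:
        """Scan the data list for code values shared by more than one terminal."""
        by_code: dict = {}
        for station, info in self.data_list.items():
            by_code.setdefault(info["code_value"], []).append(station)
        return {code: stations for code, stations in by_code.items() if len(stations) > 1}

    def resolve_duplicates(self, terminals: dict, now: int) -> list:
        """Control signal: every later-recorded terminal in a collision gets an
        arbitrary fresh code value and validity time; the first keeps its code."""
        changed = []
        for stations in self.find_duplicate_codes().values():
            for station in stations[1:]:
                in_use = {i["code_value"] for i in self.data_list.values()}
                new_code = secrets.token_hex(2)[:3].upper()
                while new_code in in_use:  # an arbitrary value must not collide again
                    new_code = secrets.token_hex(2)[:3].upper()
                terminal = terminals[station]
                terminal.code_value, terminal.issued_at = new_code, now
                self.record(terminal)
                changed.append(station)
        return changed


def demo() -> dict:
    """Constructed scenario: A01 starts at ABC with offset 0x333, B02 at DEF.
    After one hour A01 rotates ABC -> DEF and collides with B02."""
    t0 = 1_000_000
    a01 = AuthenticationTerminal("A01", "ABC", 0x333, t0)
    b02 = AuthenticationTerminal("B02", "DEF", 0x111, t0)
    server = AuthenticationServer(enrolled={"alice": "SN-0001"})
    server.record(a01)
    server.record(b02)
    pw = smart_terminal_respond(a01.broadcast(), "SN-0001", t0 + 60)  # inside A01's radius
    ok = server.verify(pw, "A01", "alice", t0 + 60)
    wrong_station = server.verify(pw, "B02", "alice", t0 + 60)      # wrong place
    late = server.verify(pw, "A01", "alice", t0 + VALIDITY_SECONDS)  # validity time passed
    a01.rotate(t0 + VALIDITY_SECONDS)
    server.record(a01)
    dup = server.find_duplicate_codes()
    changed = server.resolve_duplicates({"A01": a01, "B02": b02}, t0 + VALIDITY_SECONDS)
    return {"ok": ok, "wrong_station": wrong_station, "late": late,
            "duplicates": dup, "changed": changed, "clean": server.find_duplicate_codes()}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. Because the password is a hash, the server can only re-derive it if it holds a copy of the terminal information 221, which this model represents as an assumed enrolment registry; the text leaves this to the application's password generation algorithm. The data list is kept in the order the authentication information arrived, so the terminal recorded first keeps its code and the later one receives the control signal, which is one reading of the "order of receiving" rule in the definitions.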

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention relates to a hybrid password authentication method and system, the method comprising the steps in which: a smart terminal receives authentication information from an authentication terminal arranged at a first base station, among a plurality of base stations, whose communication range covers the current position; the smart terminal generates a password on the basis of its terminal information and a code value included in the authentication information, using an application communicating with the authentication terminal; the smart terminal transmits the password to the authentication terminal before a validity period included in the authentication information elapses; the authentication terminal transmits the password and location information concerning the first base station to an authentication server; and the authentication server receives the password and the location information to verify whether the password is valid. Consequently, by generating a hybrid password that is temporarily valid only in a specific space, it is possible to prevent the risk of password exposure and to securely authenticate a user.
PCT/KR2018/012842 2017-12-28 2018-10-26 Hybrid password authentication method and system WO2019132214A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020170182089A KR102088523B1 (ko) 2017-12-28 2017-12-28 Hybrid password authentication method and system
KR10-2017-0182089 2017-12-28

Publications (1)

Publication Number Publication Date
WO2019132214A1 true WO2019132214A1 (fr) 2019-07-04

Family

ID=67063963

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2018/012842 WO2019132214A1 (fr) 2017-12-28 2018-10-26 Hybrid password authentication method and system

Country Status (2)

Country Link
KR (1) KR102088523B1 (fr)
WO (1) WO2019132214A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20050053967A (ko) * 2003-12-03 2005-06-10 소프트포럼 주식회사 Authentication system and authentication method using a time-synchronization-based one-time password
KR20060129925A (ko) * 2005-06-13 2006-12-18 가부시키가이샤 히타치세이사쿠쇼 Authentication system, wireless communication terminal and wireless base station
KR20140106360A (ko) * 2013-02-26 2014-09-03 (주)이스톰 OTP authentication system and method
US8949949B1 (en) * 2014-02-11 2015-02-03 Level 3 Communications, Llc Network element authentication in communication networks
KR20160055872A (ko) * 2013-11-13 2016-05-18 알리바바 그룹 홀딩 리미티드 Method and system for location-based data communication over a network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101355405B1 (ko) * 2007-09-10 2014-01-24 에스케이텔레콤 주식회사 Authentication method for a mobile communication terminal
KR100963924B1 (ko) * 2007-10-08 2010-06-17 주식회사 신한은행 Wireless one-time authentication location verification method and system, and mobile phone and recording medium therefor
KR101615686B1 (ko) * 2009-07-10 2016-04-26 주식회사 비즈모델라인 Method for providing a location-based mobile OTP

Also Published As

Publication number Publication date
KR102088523B1 (ko) 2020-03-12
KR20190079964A (ko) 2019-07-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18894282

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18894282

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 05.02.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 18894282

Country of ref document: EP

Kind code of ref document: A1