WO2021100907A1 - Fido-based silent authentication method, system, and program - Google Patents

Info

Publication number
WO2021100907A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
message
encrypted
authenticator
root key
Prior art date
Application number
PCT/KR2019/015981
Other languages
French (fr)
Korean (ko)
Inventor
이철영
조효원
지창훈
최완택
Original Assignee
(주)이더블유비엠
Priority date
Filing date
Publication date
Application filed by (주)이더블유비엠
Priority to PCT/KR2019/015981
Priority to KR1020227025666A (KR20220126733A)
Publication of WO2021100907A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y10/00 Economic sectors
    • G16Y10/75 Information technology; Communication
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present invention relates to a method, system, and program for FIDO (Fast Identity Online)-based silent authentication, and more particularly to a FIDO-style implicit (non-interaction) authentication method, system and program that removes the need for user interaction while keeping security (confidentiality) between communication devices high.
  • FIDO: Fast Identity Online
  • In general, low-power communication networks such as LoRa, NB-IoT, and SigFox, for example LPWAN (Low Power Wide Area Network), often require security authentication such as FIDO to be applied.
  • LPWAN: Low Power Wide Area Network
  • For example, the various authentications between IoT (Internet of Things) devices, or security authentication between communication devices, are very important for the safety of the information exchanged and of the devices being controlled. For example, when a new IoT camera has to be connected to the user terminal, once that camera has been authenticated, the user terminal can thereafter trust the data transmitted from the newly authenticated IoT camera.
  • Hereinafter, devices that require authentication for access, such as IoT devices or communication devices, may be collectively referred to simply as 'devices', and security authentication and various other authentications may be collectively referred to simply as 'authentication'.
  • A device that challenges (requests) authentication is referred to as an 'authentication requester' (authenticator) (e.g., a user terminal), and a device that authenticates by responding to an authentication request is referred to as an 'authenticator' (e.g., an IoT device).
  • The technology of the following patent document discloses 'a device authentication method for authenticating an Internet of Things (IOT) device in a user terminal, comprising: generating device information including a key and an identifier of the IOT device; signing the device information using a public certificate stored in a memory; transmitting the signed device information and the public certificate to an authentication server; and transmitting the generated device information to the IOT device.'
  • IOT: Internet of Things
  • Here, 'the identifier is in the form of a GUID (Globally Unique Identifier), and the key may be either a public key or a symmetric key', and 'the step of signing the device information may be signing using a private key corresponding to the public certificate.'
  • GUID: Globally Unique Identifier
  • (Patent Document 1) Patent Publication 10-2016-0084680
  • The present invention has been made to solve the problems of the prior art. Where authentication relying on user interaction is impossible, unreasonable or inconvenient, it aims to provide a FIDO-based implicit authentication method, system, and program that excludes (removes) user interaction and yet, in repeated authentication between devices, does not degrade the original performance of the devices but rather raises the speed and the security (safety) level, thereby overcoming the difficulties that user interaction poses for the commercialization of products and systems.
  • To achieve the above object, a FIDO-based implicit authentication method according to an embodiment of the present invention is a FIDO-based authentication method between an authentication requester that requests authentication and an authenticator that responds to the authentication request, characterized in that an encrypted first message is generated at the authentication requester from a first message for authentication and transmitted to the authenticator, the encrypted first message is decrypted at the authenticator to generate a second message, and authentication is determined when the first message and the second message are the same or correspond to each other.
  • The first message is preferably encrypted by a first root key in the authentication requester, and the second message is preferably decrypted by a second root key in the authenticator.
  • The first root key is preferably generated by decrypting an encrypted original root key at the authentication requester.
  • Preferably, together with the encrypted first message, an encrypted first hash value generated at the authentication requester from a first hash value of the first root key, and an encrypted first root key generated from the first root key using the first hash value, are transmitted to the authenticator; and the second root key is generated at the authenticator by decryption from the encrypted first root key, using a decrypted second hash value obtained by decrypting the encrypted first hash value.
  • If a hashed second hash value generated from the second root key matches the decrypted second hash value, the second root key is preferably allowed to be used for decryption of the encrypted first message.
  • To achieve the above object, the FIDO-based implicit authentication system is a FIDO-based authentication system between an authentication requester requesting authentication and an authenticator responding to the authentication request, characterized in that the authentication requester comprises a first message encryption unit that generates an encrypted first message from a first message for authentication and a transmission unit that transmits the encrypted first message to the authenticator, and the authenticator comprises a first message decryption unit that decrypts the encrypted first message to generate a second message and an authentication decision unit that determines authentication when the first message and the second message are the same or correspond to each other.
  • To achieve the above object, the FIDO-based implicit authentication program is characterized in that it is a program stored in a recording medium on which is recorded a program for causing the authentication requester and the authenticator, each comprising an information processing device, to execute the FIDO-based authentication method according to any one of claims 1 to 5 between an authentication requester requesting authentication and an authenticator responding to the authentication request.
  • FIG. 1 is a block diagram showing the data processing flow in an authentication requester (authenticator, challenger) and an authenticator (responser) of an implicit authentication method according to an embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating the use of the root key introduced in the process of transmitting a message for authentication in the authentication requester, and the encryption processing of a hash value, in an implicit authentication method according to an embodiment of the present invention.
  • FIG. 3 is a block diagram illustrating the use of the root key introduced in the process of receiving and verifying a message for authentication in the authenticator, the decryption of a hash value, and the verification of the received message, in an implicit authentication method according to an embodiment of the present invention.
  • FIG. 4 is a conceptual diagram explaining the method, proposed in the implicit authentication method according to an embodiment of the present invention, of raising the level of security by removing user interaction and introducing a root key.
  • FIG. 5 illustrates a case in which a device implementing an implicit authentication method according to an embodiment of the present invention is connected to a low-power communication network such as LoRa, NB-IoT, or SigFox, for example a Low Power Wide Area Network (LPWAN).
  • FIG. 6 is a conceptual diagram explaining the existing method of device authentication, which requires user interaction, in conventional FIDO technology.
  • Saying that a member or module is connected to the front, rear, left, right, top or bottom of another member or module may include not only direct connection but also the case where a third member or module is interposed between them.
  • A member or module that performs a certain function can be implemented by dividing the function among two or more members or modules.
  • Conversely, two or more members or modules, each having a function, can be implemented integrated into one member or module.
  • Some electronic function blocks may be realized by the execution of software, or may be realized with the software implemented in hardware through an electric circuit.
  • The FIDO-based implicit authentication method is an authentication method based on FIDO between the authentication requester 10 and the authenticator 20.
  • The authentication requester (10, authenticator, challenger) is a device that requests authentication and that, once authentication passes, will receive permission for authenticated communication, that is, a new device.
  • The authenticator (20, responser) is a device that responds to the request, for example a device that has already passed authentication or a device that has authentication authority.
  • Authentication is a process of determining whether connection is permitted by checking the counterpart device, for example between IoT devices or between communication devices.
  • The method of the present invention consists of the steps of message encryption and delivery, and message decryption and authentication decision.
  • The encryption and transmission are performed by the authentication requester 10: for example, an encrypted first message 7 is generated from the first message 6 for authentication by an encryption unit (not shown), and the encrypted first message 7 is transmitted to the authenticator 20 by, for example, a transmission unit (not shown).
  • The first message 6 is stored in advance in the authentication requester 10 and is, for example, a Hello message.
  • The encryption method of the message is predetermined.
  • The decryption and authentication decision are performed by the authenticator 20: for example, the encrypted first message 7 is decrypted by a decryption unit (not shown) to generate a second message 6', and authentication is determined. Since the encrypted first message (7) is received from the authentication requester (10) and the second message (6') is generated by the decryption process, they are not already provided in the authenticator (20).
  • The decryption method of the encrypted message is predetermined in correspondence with the encryption method of the message.
  • As described above, in the FIDO-based implicit authentication method according to the present invention, user interaction such as biometric authentication or signing with a public certificate, which is commonly required in FIDO, is not performed. Accordingly, the user is no longer asked for physical actions or biometric information. The required device-to-device 'silent' authentication and high-speed device-to-device authentication are thereby implemented.
  • The root key 2 is introduced in the implementation of the present invention: when a device is authenticated and registered as in FIDO, the message 6 is additionally encrypted, communicated, and decrypted before the authentication decision is made, which raises the level of security.
  • The first message 6 is encrypted by the first root key 2 in the authentication requester 10, while the second message 6' is decrypted by the second root key 2' in the authenticator 20.
  • If the first root key 2 and the second root key 2' are not the same, the encryption and decryption results cannot match. Therefore, in order to pass authentication, the first and second root keys (2, 2') need to be identical to each other.
  • The root key (2, 2') referred to in the present invention is a key stored in the device that attempts a 'challenge' to access an external device or FIDO system for authentication, that is, in the authentication requester 10; the device on the challenged side, that is, the authenticator 20, need not hold it in advance. However, even if the root key 2' is provided in the authenticator 20 in advance, this does not depart from the scope of the present invention. Conversely, even if it is not provided in the authenticator 20 in advance, the authenticator may be configured to generate the root key (2') using information received from the authentication requester 10. Using this root key (2, 2'), the message 6 for signing and authentication can be communicated silently from device to device (Device-to-Device).
  • The first root key 2 is preferably configured to be generated by decrypting the encrypted original root key 1 at the authentication requester 10.
  • The encrypted original root key 1 may be stored in advance in a secure storage device (not shown).
  • Information about the first root key (2) may be sent from the authentication requester (10) to the authenticator 20, such that the authenticator 20 can extract from this information the second root key 2', which is the same as the first root key 2. In one such configuration, the information can be produced by encryption and hashing.
  • A predetermined hash processing routine, for example SHA-256 (a random value key and an encryption value seed of the root key 2), may be used.
  • A predetermined encryption processing routine, for example the Elliptic Curve Integrated Encryption Scheme (ECIES), may be used.
  • ECIES: Elliptic Curve Integrated Encryption Scheme
  • The hash value 3 may be used, for example, for the encryption that produces the encrypted first root key 5.
  • The second root key 2' in the authenticator 20 is preferably configured to be decrypted and generated from the encrypted first root key 5 using a decrypted second hash value (3') formed by decrypting the encrypted first hash value 4.
  • The decryption that yields the decrypted second hash value 3' may be performed using ECIES.
  • It is preferable that the second root key 2' is allowed to be used for decryption of the encrypted first message (7).
  • The validity of the second root key 2', that is, whether it matches the first root key 2, is determined, and the message is decrypted using the second root key 2'. This further strengthens security.
  • The FIDO-based implicit authentication system is an authentication system based on FIDO between the authentication requester 10 requesting authentication and the authenticator 20 responding to the authentication request.
  • The authentication requester 10 includes a first message encryption unit (not shown) that generates an encrypted first message 7 from the first message 6 for authentication, and a transmission unit (not shown) that transmits the encrypted first message (7) to the authenticator 20; the authenticator 20 includes a first message decryption unit (not shown) that decrypts the encrypted first message 7 to generate a second message (6'), and an authentication decision unit (not shown) that determines authentication when the first message (6) and the second message (6') are the same or correspond to each other.
  • The program is a program stored in a recording medium on which is recorded a program for executing a method in the authentication requester and the authenticator, each including an information processing device, the method being an implicit authentication method based on FIDO between an authentication requester requesting authentication and an authenticator responding to the authentication request.
  • The FIDO-based implicit authentication method, system, and program according to an embodiment of the present invention can be used effectively for LPWAN communication devices frequently used in IoT, for example by removing user interaction.
  • The present invention can be used in the industry of FIDO-based implicit authentication methods, systems, and programs.

Abstract

A FIDO-based authentication method between an authenticator that requests authentication and a device to be authenticated in response to an authentication request is characterized by: generating an encrypted first message from a first message for authentication in the authenticator and transmitting the encrypted first message to the device to be authenticated; generating a second message by decrypting the encrypted first message in the device to be authenticated; and determining authentication when the first message and the second message are the same or correspond to each other.

Description

FIDO-based implicit authentication method, system and program
The present invention relates to a method, system and program for FIDO (Fast Identity Online)-based implicit authentication (Silent Authentication), and more particularly to a FIDO-style implicit (non-interaction) authentication method, system and program that excludes (removes) the need for user interaction while keeping security (confidentiality) between communication devices high.
In general, low-power communication networks such as LoRa, NB-IoT and SigFox, for example LPWAN (Low Power Wide Area Network), often require security authentication such as FIDO to be applied.
For example, the various authentications between IoT (Internet of Things) devices, or security authentication between communication devices, are very important for the safety of the information exchanged and of the devices being controlled. For example, when a new IoT camera has to be connected to a user terminal, once that new IoT camera has been authenticated, the user terminal can thereafter trust the data it receives from the newly authenticated IoT camera.
Hereinafter, devices that require authentication in order to connect, such as IoT devices or communication devices, may be referred to collectively simply as 'devices'; security authentication and various other authentications may be referred to collectively simply as 'authentication'; a device that requests (challenges) authentication may be referred to as an 'authentication requester' (authenticator) (for example, a user terminal); and a device that performs authentication in response to an authentication request may be referred to as an 'authenticator' (for example, an IoT device).
Increasing the convenience and speed of this security authentication and strengthening its stability or safety level can be difficult to reconcile.
The technology of the patent document cited below discloses 'a device authentication method for authenticating an IOT (Internet of Things) device at a user terminal, comprising: generating device information including a key and an identifier of the IOT device; signing the device information using a public certificate stored in memory; transmitting the signed device information and the public certificate to an authentication server; and transmitting the generated device information to the IOT device.'
Here, 'the identifier is in GUID (Globally Unique Identifier) format, and the key may be either a public key or a symmetric key', and 'the step of signing the device information may be signing using a private key corresponding to the public certificate.'
[Prior art documents]
[Patent documents]
(Patent Document 1) Patent Publication 10-2016-0084680
In security authentication, it is not easy to maintain or strengthen the stability and safety level of authentication while also improving its convenience and speed. In particular, as with authentication using biometric information, user interaction such as fingerprint scanning and verification is sometimes required in order to achieve high security.
However, such user interaction impairs both the convenience and the speed of security authentication between devices. In the case of a fingerprint scan, for example, the user has to perform the scanning action each time, and scanning takes time. The same applies to signing with a public certificate. The technology of the patent document also signs using a public certificate, and because user interaction is thus required for authentication and connection, convenience and speed are reduced.
In the case of IoT devices in particular, large numbers of devices, from tens to tens of thousands, need to be authenticated in advance before operation, and authentication has to be performed again if an authentication problem arises later during operation because of hacking, failure or the like. In this situation, authentication that depends on user interaction is not only very inconvenient but also time-consuming, so it has the inherent limitation of being slow and inefficient. It therefore causes a loss in device operating time and performance.
On the other hand, if authentication without user interaction is adopted indiscriminately, convenience increases because no user confirmation such as biometric authentication or public-certificate signing is involved, but the likelihood of hacking, credential theft and authentication errors grows, raising concern that the stability or safety level of authentication will fall.
The present invention has been made to solve the above problems of the prior art. It aims to provide a FIDO-based implicit authentication method, system and program that, where authentication relying on user interaction is impossible, unreasonable or inconvenient, excludes (removes) user interaction and yet, in repeated authentication between devices, does not degrade the devices' original performance but rather raises the speed and the security (safety) level, thereby overcoming the difficulties that user interaction poses for the commercialization of products and systems.
To achieve the above object, a FIDO-based implicit authentication method according to an embodiment of the present invention is a FIDO-based authentication method between an authentication requester that requests authentication and an authenticator that responds to the authentication request, characterized in that an encrypted first message is generated at the authentication requester from a first message for authentication and is transmitted to the authenticator, the encrypted first message is decrypted at the authenticator to generate a second message, and authentication is determined when the first message and the second message are the same or correspond to each other.
Here, the first message is preferably encrypted by a first root key in the authentication requester, and the second message is preferably decrypted by a second root key in the authenticator.
The first root key is preferably generated by decrypting an encrypted original root key at the authentication requester.
Preferably, together with the encrypted first message, an encrypted first hash value generated at the authentication requester from a first hash value of the first root key, and an encrypted first root key generated from the first root key using the first hash value, are transmitted to the authenticator; and the second root key is generated at the authenticator by decryption from the encrypted first root key, using a decrypted second hash value obtained by decrypting the encrypted first hash value.
Here, if a hashed second hash value generated from the second root key matches the decrypted second hash value, the second root key is preferably allowed to be used for decrypting the encrypted first message.
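The exchange described in the preceding paragraphs (encrypted first message, encrypted first hash value, encrypted first root key, and the hash check that gates use of the second root key), as an added sketch that is not code from the patent or its applicant. Assumptions: the hash is SHA-256 of the root key, the ECIES step is a simplified ECDH-plus-encrypt-then-MAC construction on secp256k1, the standard-library `seal`/`unseal` pair stands in for the unspecified predetermined ciphers, the authenticator holds the ECIES private key, and every function name and the optional `provisioned_root` check are hypothetical.

```python
import hashlib
import hmac
import secrets

# secp256k1 parameters (y^2 = x^3 + 7 over GF(P)); the curve is this example's assumption.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def seal(key, plaintext):
    """Encrypt-then-MAC (SHAKE-256 keystream, HMAC-SHA-256): stand-in symmetric cipher."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plaintext))
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(key, b"mac" + body, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the tag, then decrypt; raises ValueError on any mismatch."""
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, b"mac" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    stream = hashlib.shake_256(b"enc" + key + body[:16]).digest(len(body[16:]))
    return bytes(c ^ s for c, s in zip(body[16:], stream))

def authenticator_keypair():
    """ECIES key pair held by the authenticator (assumed provisioning)."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, _mul(priv, G)

def ecies_encrypt(pub, data):
    """Ephemeral ECDH, SHA-256 as KDF, then seal(); simplified ECIES."""
    r = secrets.randbelow(N - 1) + 1
    eph, shared = _mul(r, G), _mul(r, pub)
    key = hashlib.sha256(shared[0].to_bytes(32, "big")).digest()
    return eph[0].to_bytes(32, "big") + eph[1].to_bytes(32, "big") + seal(key, data)

def ecies_decrypt(priv, blob):
    x, y = int.from_bytes(blob[:32], "big"), int.from_bytes(blob[32:64], "big")
    if x >= P or y >= P or (y * y - x**3 - 7) % P:
        raise ValueError("ephemeral key is not on the curve")
    shared = _mul(priv, (x, y))
    return unseal(hashlib.sha256(shared[0].to_bytes(32, "big")).digest(), blob[64:])

def requester_bundle(root_key, auth_pub, first_message=b"Hello"):
    """Authentication requester: build the three items that are sent together."""
    h = hashlib.sha256(root_key).digest()            # first hash value
    return {
        "enc_hash": ecies_encrypt(auth_pub, h),      # encrypted first hash value
        "enc_root": seal(h, root_key),               # encrypted first root key
        "enc_msg": seal(root_key, first_message),    # encrypted first message
    }

def authenticator_verify(bundle, auth_priv, expected=b"Hello", provisioned_root=None):
    """Authenticator: recover hash, then root key, gate on the hash check, compare message."""
    try:
        h2 = ecies_decrypt(auth_priv, bundle["enc_hash"])    # decrypted second hash value
        root2 = unseal(h2, bundle["enc_root"])               # second root key
        if not hmac.compare_digest(hashlib.sha256(root2).digest(), h2):
            return False      # second root key is not allowed to decrypt the message
        if provisioned_root is not None and not hmac.compare_digest(root2, provisioned_root):
            return False      # optional variant: root key was provided in advance
        msg2 = unseal(root2, bundle["enc_msg"])              # second message
    except ValueError:
        return False
    return hmac.compare_digest(msg2, expected)

if __name__ == "__main__":
    priv, pub = authenticator_keypair()
    bundle = requester_bundle(secrets.token_bytes(32), pub)  # constructed sample root key
    print("genuine bundle accepted:", authenticator_verify(bundle, priv))
    bundle["enc_root"] = bundle["enc_root"][:-1] + bytes([bundle["enc_root"][-1] ^ 1])
    print("tampered bundle accepted:", authenticator_verify(bundle, priv))
```

Passing `provisioned_root` models the variant in which the authenticator holds the root key in advance; without it, the hash check in this sketch only shows that the three received items are mutually consistent.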
한편, 상기 과제를 달성하기 위한 본 발명의 일실시예에 따른 FIDO 기반 암묵인증 시스템은, 인증을 요청하는 인증요청기와 인증요청에 응답하는 인증기 사이의 FIDO를 기반으로 하는 인증시스템으로서, 상기 인증요청기는, 인증을 위한 제1 메시지로부터 암호화된 제1 메시지를 생성하는 제1 메시지 암호화부와, 상기 암호화된 제1 메시지를 상기 인증기에 전송하는 전송부를 포함하여 구성되고, 상기 인증기는, 상기 암호화된 제1 메시지를 복호화하여 제2 메시지를 생성하는 제1 메시지 복호화부와, 상기 제1 메시지와 제2 메시지가 동일 또는 대응되는 경우에 인증으로 결정하는 인증결정부를 포함하여 구성됨을 특징으로 한다.On the other hand, the FIDO-based implicit authentication system according to an embodiment of the present invention for achieving the above object is an authentication system based on FIDO between an authentication requester requesting authentication and an authenticator responding to the authentication request, group certificate request groups, and the first message encryption unit for generating a first message encrypted from the first message for authentication, and the encrypted first message comprises a transmission unit for transmitting to said authentication, wherein the authentication, A first message decryption unit that decrypts the encrypted first message to generate a second message, and an authentication decision unit that determines authentication when the first message and the second message are the same or correspond to each other. It is done.
한편, 상기 과제를 달성하기 위한 본 발명의 일실시예에 따른 FIDO 기반 암묵인증 프로그램은, 인증을 요청하는 인증요청기와 인증요청에 응답하는 인증기 사이의 FIDO를 기반으로 하는 청구항 1 내지 청구항 5 중 어느 한 항에 기재된 인증방법을 정보처리기기를 포함하여 이루어지는 상기 인증요청기와 인증기에서 실행시키기 위한 프로그램을 기록한 기록매체에 저장된 프로그램임을 특징으로 한다.On the other hand, the FIDO-based implicit authentication program according to an embodiment of the present invention for achieving the above object, claims 1 to 5 based on FIDO between an authentication requester requesting authentication and an authenticator responding to the authentication request. It is characterized in that it is a program stored in a recording medium in which a program for executing the authentication method according to any one of claims, including an information processing device, in the authentication requester and the authenticator.
본 발명에 의하면, 사용자의 간섭을 이용하는 인증이 불가능, 불합리하거나 불편한 경우, 사용자의 간섭을 배제(제거)하면서도, 기기간의 반복적 인증에 있어서 기기의 원래 성능을 저하시키지 않고, 오히려 속도 및 보안(안전) 레벨을 높여서, 사용자 간섭으로 인한 제품 및 시스템의 상용화 상의 어려움을 극복할 수 있는, FIDO 기반 암묵인증 방법, 시스템 및 프로그램이 제공된다.According to the present invention, when authentication using user interference is impossible, unreasonable, or inconvenient, user interference is excluded (removed), and the original performance of the device is not degraded in repetitive authentication between devices, but rather speed and security (safety ) By raising the level, a FIDO-based implicit authentication method, system, and program that can overcome difficulties in commercialization of products and systems due to user interference are provided.
FIG. 1 is a block diagram showing together the data processing flows in the authentication requester (authenticator, challenger) and the authenticator (responser) of an implicit authentication method according to an embodiment of the present invention.
FIG. 2 is a block diagram for explaining the use of the root key (Root Key) and the encryption of the hash (Hash) value introduced into the process in which the authentication requester transmits a message for authentication, in an implicit authentication method according to an embodiment of the present invention.
FIG. 3 is a block diagram for explaining the use of the root key, the decryption of the hash value, and the verification of the received message introduced into the process in which the authenticator receives and verifies a message for authentication, in an implicit authentication method according to an embodiment of the present invention.
FIG. 4 is a conceptual diagram for explaining the approach proposed in the implicit authentication method according to an embodiment of the present invention, which removes user intervention and introduces a root key so that the level of security is in fact raised.
FIG. 5 is a conceptual diagram for explaining a case in which a device implementing the implicit authentication method according to an embodiment of the present invention is connected to a low-power communication network such as LoRa, NB-IoT, or SigFox, for example an LPWAN (Low Power Wide Area Network).
FIG. 6 is a conceptual diagram for explaining the existing method of device authentication in conventional FIDO technology, which requires user intervention.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Advantages and features of the present invention, and methods of achieving them, will become apparent with reference to the embodiments described below in detail together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in a variety of different forms; these embodiments are provided only so that the disclosure of the present invention is complete and so that a person of ordinary skill in the art to which the present invention pertains is fully informed of the scope of the invention, and the invention is defined only by the scope of the claims. The same reference numerals refer to the same elements throughout the specification.
Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings that can be commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not to be interpreted ideally or excessively unless explicitly and specifically defined.
In addition, a statement that a member or module is connected to the front, rear, left, right, top, or bottom of another member or module covers not only direct connection but also the case in which a third member or module is interposed between them. A member or module that performs a certain function may be implemented by dividing that function among two or more members or modules, and conversely, two or more members or modules each having a function may be implemented as a single member or module that integrates those functions. An electronic functional block may be realized by the execution of software, or may be realized with that software implemented in hardware through an electric circuit.
<Implicit authentication method>
The FIDO-based implicit authentication method according to an embodiment of the present invention is an authentication method based on FIDO between an authentication requester (10) and an authenticator (20). The authentication requester (10, authenticator, challenger) is the device that requests authentication and that will be granted authenticated communication once it passes authentication, that is, a new device. The authenticator (20, responser) is the device that responds to the authentication request, for example a device that has already passed authentication or a device that has authentication authority. Authentication is the process by which devices, for example IoT devices or communication devices, verify the counterpart and decide whether a connection is permitted.
The method of the present invention consists of the steps of message encryption and delivery, and message decryption and authentication decision.
The encryption and delivery are performed in the authentication requester (10): for example, an encryption unit (not shown) generates an encrypted first message (7) from a first message (6) for authentication, and a transmission unit (not shown) transmits the encrypted first message (7) to the authenticator (20). The first message (6) is stored in the authentication requester (10) in advance and is, for example, a Hello message. The encryption method of the message is predetermined.
The decryption and authentication decision are performed in the authenticator (20): for example, a decryption unit (not shown) decrypts the encrypted first message (7) to generate a second message (6'), and an authentication decision unit (not shown) determines authentication when the first message (6) and the second message (6') are the same or correspond to each other. The encrypted first message (7) is received from the authentication requester (10) and the second message (6') is generated by the decryption process, so neither is provided in the authenticator (20) in advance. The decryption method for the encrypted message is predetermined to correspond to the encryption method of the message.
As described above, in the FIDO-based implicit authentication method according to the present invention, user intervention such as biometric authentication or signing with a public certificate, which is commonly required in FIDO and the like, is not performed. Requests for the user's physical actions or biometric information are therefore removed. Accordingly, the required 'silent' (implicit, intervention-free) authentication between devices and high-speed authentication between devices are implemented.
At the same time, in order to raise the level of security in IoT, the implementation of the present invention introduces a root key (2): at device authentication and registration, as in FIDO and the like, the message (6) is encrypted one step further, communicated, decrypted, and subjected to the authentication decision, which raises the level of security.
That is, the first message (6) is encrypted by the first root key (2) in the authentication requester (10), while the second message (6') is decrypted by the second root key (2') in the authenticator (20). Unless the first root key (2) and the second root key (2') are identical, the results of encryption and decryption cannot match, so the first and second root keys (2, 2') need to be identical in order to pass authentication.
The root key (2, 2') referred to in the present invention is a key stored in the device that attempts a 'challenge' (Challenge) to access a counterpart device or FIDO system for authentication, that is, in the authentication requester (10); the device on the challenged side, that is, the authenticator (20), does not necessarily need to hold it in advance. It does not depart from the scope of the present invention for the root key (2') to be provided in the authenticator (20) in advance; conversely, even if it is not provided in the authenticator (20) in advance, the root key (2') may be generated using information received from the authentication requester (10). Using this root key (2, 2'), the message (6) for signing and authentication can be communicated silently (Silently) from device to device (Device-to-Device).
In the present invention, once authentication using the root key (2, 2') is complete, subsequent encryption and decryption on the channel established between the devices can be performed using this root key (2, 2'), so the channel can be regarded as a secure communication channel (Secure Connection Line).
In particular, the first root key (2) is preferably generated by decrypting an encrypted original root key (1) in the authentication requester (10). To this end, the encrypted original root key (1) may be stored in advance in a secure storage device (not shown).
Because the original root key (1) is stored in the secure storage device in a pre-encrypted state, the root key (1) is difficult to expose even if hacking occurs, and it cannot be deciphered even if it is exposed, so it is safe.
As a configuration in which the second root key (2') is not provided in the authenticator (20) in advance, the authentication requester (10) may send information about the first root key (2) to the authenticator (20), and the authenticator (20) may extract from this information a second root key (2') identical to the first root key (2). As one such configuration, the information may consist of the results of encryption and hash processing.
That is, as shown in FIGS. 1 and 2, the authentication requester (10) may be configured to transmit to the authenticator (20), together with the encrypted first message (7), an encrypted first hash value (4) generated from the first hash value (3) of the first root key (2), and an encrypted first root key (5) generated from the first root key (2) using the first hash value (3).
Here, the hash processing that produces the first hash value (3) may use a predetermined hash routine, for example SHA-256 (seeded with a random-value key and the encrypted value of the root key (2)). The encryption that produces the encrypted first hash value (4) may use a predetermined encryption routine, for example ECIES (Elliptic Curve Integrated Encryption Scheme). The encryption that produces the encrypted first root key (5) may use, for example, the hash value (3).
In this case, as shown in FIGS. 1 and 3, the second root key (2') is preferably generated in the authenticator (20) by decrypting the encrypted first root key (5) using the decrypted second hash value (3') obtained by decrypting the encrypted first hash value (4).
Here, the decryption that produces the decrypted second hash value (3') may use ECIES.
Thus, even if no root key is provided in the authenticator (20) in advance, the root key (2') can be generated using the encrypted first root key (5) and the encrypted first hash value (4) received from the authentication requester (10). Authentication can therefore confirm that not only the encryption, decryption, and hash methods preset between the authentication requester (10) and the authenticator (20) but also the data used for encryption, decryption, and hashing match, which makes security more thorough.
Meanwhile, if the hashed second hash value (3'') generated from the second root key (2') matches the decrypted second hash value (3'), it is preferable that the second root key (2') is allowed to be used for decryption of the encrypted first message (7).
With this configuration, the second root key (2') is judged to be valid, that is, identical to the first root key (2), only when a condition that is very unlikely to be met by chance is satisfied: the value (3') obtained by decrypting the encrypted hash value must match the value (3'') obtained along a different route, by hashing the root key recovered from the encrypted root key. Only then is the message decrypted using the second root key (2'). This further strengthens security.
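The exchange described above, with the reference numerals (2) to (7) and (2') to (6'), as an added Python example that is not part of the patent. It assumes the first hash value is plain SHA-256 over the root key, an ECIES-style wrap built on a pure-Python X25519, an HMAC-SHA-256 encrypt-then-MAC stand-in for the unspecified symmetric cipher, and an expected first message known to the authenticator; all function names are hypothetical.

```python
import hashlib, hmac, os

P = 2**255 - 19                      # Curve25519 field prime (RFC 7748)
BASE = (9).to_bytes(32, "little")    # Curve25519 base point u = 9
HELLO = b"Hello"                     # first message (6); assumed known to both devices

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant-time; for illustration only."""
    s = bytearray(k)
    s[0] &= 248
    s[31] = (s[31] & 127) | 64       # scalar clamping
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") % (1 << 255)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 in counter mode as a keystream (stand-in cipher)."""
    ks = b"".join(_prf(key, nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys; returns nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("integrity check failed")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def ecies_encrypt(recipient_pub: bytes, plaintext: bytes) -> bytes:
    """ECIES-style: ephemeral X25519 key, hashed shared secret, sealed payload."""
    eph = os.urandom(32)
    eph_pub = x25519(eph, BASE)
    shared = x25519(eph, recipient_pub)
    key = hashlib.sha256(shared + eph_pub + recipient_pub).digest()
    return eph_pub + seal(key, plaintext)

def ecies_decrypt(priv: bytes, blob: bytes) -> bytes:
    if len(blob) < 32:
        raise ValueError("missing ephemeral key")
    eph_pub, body = blob[:32], blob[32:]
    shared = x25519(priv, eph_pub)
    if shared == bytes(32):          # reject low-order ephemeral points
        raise ValueError("bad ephemeral key")
    key = hashlib.sha256(shared + eph_pub + x25519(priv, BASE)).digest()
    return unseal(key, body)

def requester_build(root_key: bytes, authenticator_pub: bytes, message: bytes = HELLO) -> dict:
    """Authentication requester (10): produce items (4), (5) and (7)."""
    h = hashlib.sha256(root_key).digest()                   # first hash value (3)
    return {
        "enc_hash": ecies_encrypt(authenticator_pub, h),    # encrypted hash (4)
        "enc_root_key": seal(h, root_key),                  # encrypted root key (5)
        "enc_message": seal(root_key, message),             # encrypted message (7)
    }

def authenticator_verify(bundle: dict, authenticator_priv: bytes, expected: bytes = HELLO):
    """Authenticator (20): return root key (2') on success, None on any failure."""
    try:
        h2 = ecies_decrypt(authenticator_priv, bundle["enc_hash"])    # (3')
        root2 = unseal(h2, bundle["enc_root_key"])                    # (2')
        # (3'') must equal (3') before (2') may be used on the message
        if not hmac.compare_digest(hashlib.sha256(root2).digest(), h2):
            return None
        msg2 = unseal(root2, bundle["enc_message"])                   # (6')
    except (ValueError, KeyError):
        return None
    return root2 if hmac.compare_digest(msg2, expected) else None
```

The authenticator returns the recovered root key only when every step succeeds, so the caller can reuse it for the subsequent channel; a bundle whose encrypted root key does not hash to the wrapped hash value is rejected before the message is touched.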
<FIDO-based implicit authentication system>
Meanwhile, the FIDO-based implicit authentication system according to an embodiment of the present invention is an authentication system based on FIDO between an authentication requester (10) that requests authentication and an authenticator (20) that responds to the authentication request.
Here, the authentication requester (10) comprises a first message encryption unit (not shown) that generates an encrypted first message (7) from a first message (6) for authentication, and a transmission unit (not shown) that transmits the encrypted first message (7) to the authenticator (20). The authenticator (20) comprises a first message decryption unit (not shown) that decrypts the encrypted first message (7) to generate a second message (6'), and an authentication decision unit (not shown) that determines authentication when the first message (6) and the second message (6') are the same or correspond to each other.
<Program stored in a recording medium>
A program stored in a recording medium according to an embodiment of the present invention is a program stored in a recording medium on which is recorded a program for causing the authentication requester and the authenticator, each comprising an information processing device, to execute a method, the method being an implicit authentication method based on FIDO between an authentication requester that requests authentication and an authenticator that responds to the authentication request.
As shown in FIG. 5, the FIDO-based implicit authentication method, system, and program according to an embodiment of the present invention can be used efficiently with the LPWAN communication devices frequently used in IoT, for example by removing user intervention (interaction).
Although embodiments of the present invention have been described above with reference to the accompanying drawings, a person of ordinary skill in the art to which the present invention pertains will understand that the present invention can be implemented in other specific forms without changing its technical idea or essential features. The embodiments described above should therefore be understood as illustrative in all respects and not limiting.
The present invention can be used in industries concerned with FIDO-based implicit authentication methods, systems, and programs.
[Explanation of reference numerals]
1: encrypted original root key
2: decrypted first root key
2': decrypted second root key
3: first hash value
3', 3'': second hash value
4, 4': encrypted first hash value
5, 5': encrypted first root key
6: original first message
6': decrypted second message
7, 7': encrypted first message

Claims (7)

  1. A FIDO-based implicit authentication method, being an authentication method based on FIDO between an authentication requester that requests authentication and an authenticator that responds to the authentication request, characterized in that:
    an encrypted first message is generated in the authentication requester from a first message for authentication and transmitted to the authenticator;
    the encrypted first message is decrypted in the authenticator to generate a second message; and
    authentication is determined when the first message and the second message are the same or correspond to each other.
  2. The FIDO-based implicit authentication method according to claim 1, characterized in that:
    the first message is encrypted by a first root key in the authentication requester; and
    the second message is decrypted by a second root key in the authenticator.
  3. The FIDO-based implicit authentication method according to claim 2, characterized in that:
    the first root key is generated by decrypting an encrypted original root key in the authentication requester.
  4. The FIDO-based implicit authentication method according to claim 2, characterized in that:
    together with the encrypted first message, an encrypted first hash value generated in the authentication requester from a first hash value of the first root key, and an encrypted first root key generated from the first root key using the first hash value, are transmitted to the authenticator; and
    the second root key is generated in the authenticator by decrypting the encrypted first root key using a decrypted second hash value obtained by decrypting the encrypted first hash value.
  5. The FIDO-based implicit authentication method according to claim 4, characterized in that:
    if a hashed second hash value generated from the second root key matches the decrypted second hash value, the second root key is allowed to be used for decryption of the encrypted first message.
  6. A FIDO-based implicit authentication system, being an authentication system based on FIDO between an authentication requester that requests authentication and an authenticator that responds to the authentication request, characterized in that:
    the authentication requester comprises
    a first message encryption unit that generates an encrypted first message from a first message for authentication, and
    a transmission unit that transmits the encrypted first message to the authenticator; and
    the authenticator comprises
    a first message decryption unit that decrypts the encrypted first message to generate a second message, and
    an authentication decision unit that determines authentication when the first message and the second message are the same or correspond to each other.
  7. A program stored in a recording medium on which is recorded a program for causing the authentication requester and the authenticator, each comprising an information processing device, to execute the authentication method according to any one of claims 1 to 5, which is based on FIDO between an authentication requester that requests authentication and an authenticator that responds to the authentication request.
PCT/KR2019/015981 2019-11-20 2019-11-20 Fido-based silent authentication method, system, and program WO2021100907A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/KR2019/015981 WO2021100907A1 (en) 2019-11-20 2019-11-20 Fido-based silent authentication method, system, and program
KR1020227025666A KR20220126733A (en) 2019-11-20 2019-11-20 FIDO-based implicit authentication method, system and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/KR2019/015981 WO2021100907A1 (en) 2019-11-20 2019-11-20 Fido-based silent authentication method, system, and program

Publications (1)

Publication Number Publication Date
WO2021100907A1 true WO2021100907A1 (en) 2021-05-27

Family

ID=75980594

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2019/015981 WO2021100907A1 (en) 2019-11-20 2019-11-20 Fido-based silent authentication method, system, and program

Country Status (2)

Country Link
KR (1) KR20220126733A (en)
WO (1) WO2021100907A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160149699A1 (en) * 2011-05-14 2016-05-26 Bitcasa, Inc. Cloud file system
KR20160123336A (en) * 2014-02-20 2016-10-25 자일링크스 인코포레이티드 Authentication using public keys and session keys
KR20180069669A (en) * 2016-12-15 2018-06-25 한국인터넷진흥원 System for non-password secure biometric digital signagure
KR101991775B1 (en) * 2018-12-18 2019-06-21 (주)엘에스시스텍 Method for data encryption and decryption based on fpga
KR20200008186A (en) * 2018-07-16 2020-01-28 (주)이더블유비엠 Method, system and program of silent authentication based on fido

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160084680A (en) 2015-01-06 2016-07-14 주식회사 케이티 Method for authenticating iot device, method for executing iot device authentication, user device and authentication server

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ALFRED J. MENEZES: "HANDBOOK OF APPLIED CRYPTOGRAPHY", 1996, CRC PRESS, pages: 401 - 405 *

Also Published As

Publication number Publication date
KR20220126733A (en) 2022-09-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 19953644; Country of ref document: EP; Kind code of ref document: A1

NENP Non-entry into the national phase
Ref country code: DE

ENP Entry into the national phase
Ref document number: 20227025666; Country of ref document: KR; Kind code of ref document: A

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 19.09.2022)

122 Ep: pct application non-entry in european phase
Ref document number: 19953644; Country of ref document: EP; Kind code of ref document: A1