WO2023177013A1 - Payment system using DID-based biometric authentication

Publication number: WO2023177013A1
Authority: WO, WIPO (PCT)
Application number: PCT/KR2022/006779
Other languages: French (fr), Korean (ko)
Inventors: 이정륜, 윤태연
Original Assignee: 주식회사 블록체인기술연구소
Prior art keywords: user, server, biometric information, payment, node

Classifications

    • G06Q20/40145 Biometric identity checks
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L67/104 Peer-to-peer [P2P] networks
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H04L9/40 Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • The present invention relates to a payment system using DID-based biometric information authentication. More specifically, it is a system that registers user biometric information and uses the registered biometric information to perform electronic payments easily, and that uses an IDH (Identity Data Hub) server to query DIDs and return the location where the user's biometric information is stored, so that it can complement existing systems that have security vulnerabilities due to leakage of the user's biometric information.
  • IDH Identity Data Hub
  • Blockchain refers to a data distribution processing technology that distributes and stores all data subject to management by all users participating in the network. It is also called 'Distributed Ledger Technology (DLT)' or 'Public Transaction Ledger' in that the ledger containing transaction information is not held by the transaction subject or a specific institution, but is shared by all network participants.
  • DLT Distributed Ledger Technology
  • Blockchain is a name given to a chain of blocks containing transaction information. This blockchain is a technology to prevent hacking such as forgery and falsification of transaction details. It sends transaction details to all users participating in the transaction and compares them for each transaction to prevent data forgery.
  • Blockchain has decentralization as its core concept, moving away from the existing financial system in which all transactions are secured and managed by financial institutions and oriented toward P2P (Peer to Peer) transactions.
  • P2P refers to a communication network that connects personal computers without a server or client, and each connected computer acts as a server and client and shares information.
  • a digital trust relationship is formed through multiple nodes sharing and verifying the same data. This environment makes it possible to implement smart contracts that can conveniently conclude and modify contracts through P2P without an intermediary.
  • biometric authentication has emerged as a new non-face-to-face transaction authentication method and is being used in ATM/POS, internet banking, and online and offline payments.
  • actions such as completing payment, accumulating points, and deducting points are performed according to the results of the verification process after authenticating the registered user's biometric information.
  • biometric information authentication process concerns the storage and management of biometric information. Leakage of authentication information such as user passwords and mobile phone numbers is recognized as a serious security threat, but leakage of biometric information is an even more serious problem. Since biometric information has unique characteristics for each individual and does not change, it is difficult to change or reissue biometric information once it has been leaked, so management of biometric information is important.
  • Because biometric information does not change between transactions, the same fixed information is transmitted for each transaction, so it is vulnerable to replay attacks.
  • The technical problem that the present invention aims to solve is to provide a payment system using DID-based biometric information authentication in which the user's biometric information used for authentication of electronic payment is encrypted and shared between the user node and the payment server, and the common symmetric key to decrypt it is generated using the ECDH technique. Because the private key of each node cannot be known to a third node, personal information of the user node, including biometric information, can be safely protected.
  • Another technical problem that the present invention aims to solve is to provide a payment system using DID-based biometric authentication that reduces the inconvenience of management and reduces security risks by reducing the number of symmetric keys that must be managed by each user node or payment server.
  • Another technical problem that the present invention aims to solve is to provide a payment system using DID-based biometric authentication that protects the personal information of user nodes by using DID-based identifiers and reduces the amount of data registered in the blockchain to utilize resources efficiently.
  • Another technical problem that the present invention aims to solve is to provide a payment system using DID-based biometric information authentication that guarantees safety: because the hashed user password is stored in the payment server's database, there is no fear of the user password being exposed, and even if the storage location of the user's biometric data in the object storage is disclosed, access is impossible without legitimate authorization.
  • a payment system using DID-based biometric information authentication includes a first user node, a blockchain node, a biometric information authentication server, an IDH server, an object storage, and a payment server.
  • a first user node that receives user biometric information and transmits it to the biometric information authentication server, receives vector data regarding the user biometric information from the biometric information authentication server, and encrypts the vector data using the public key of the payment server and the private key of the first user node;
  • a biometric information authentication server that extracts the vector data from the user biometric information received from the first user node and transmits it to the first user node;
  • an IDH server that receives the encrypted vector data from the first user node, registers it in the object storage, receives the returned storage location where the encrypted vector data is stored in the object storage, and transmits the storage location to the first user node; and
  • a payment server that transmits the DID of the payment server to the first user node, and receives and stores the user DID, HUB DID, hashed user password, and the storage location from the first user node.
  • the first user node generates the private key of the first user node in the key generation module, generates the user password in the password generation module, uses the DApp to generate the user DID and the HUB DID for using the IDH service, and can register a DID document related to the user DID with the blockchain node.
  • the IDH server may check whether the first user node has ownership of the user DID through JWS (JSON Web Signature) signing/verification.
  • JWS JSON Web Signature
  • a second user node after requesting an order to a service provider server, selects biometric information authentication as a payment method, inputs the user password, and then inputs the user biometric information;
  • the second user node may transmit the received user biometric information to the biometric information authentication server and receive vector data extracted from the user biometric information from the biometric information authentication server.
  • the second user node requests electronic payment by transmitting the hashed user password and the vector data to the payment server, and the payment server secures the user DID, the HUB DID, and the storage location based on the hashed user password.
  • the payment server connects to the IDH server to receive the encrypted vector data stored in the object storage.
  • the electronic payment operation can be performed by comparing the vector data regarding user biometric information provided by the second user node with the decrypted vector data.
  • the user's biometric information is encrypted and shared between the user node and the payment server, and a common symmetric key to decrypt it is generated using the ECDH technique. Because the private key of each user node cannot be known to a third node, personal information, including biometric information of user nodes, can be safely protected.
  • the number of symmetric keys that must be managed by each user node or payment server can be reduced to prevent management hassle and reduce security risks.
  • the personal information of user nodes can be protected and resources can be efficiently utilized by reducing the amount of data registered in the blockchain.
  • Figure 1 is a diagram showing a distributed processing system using blockchain to which the technical idea according to the present invention can be applied.
  • Figures 2 and 3 are block diagrams showing the connection of blocks used in a blockchain system.
  • Figures 4 and 5 are block diagrams showing the configuration of a payment system using DID-based biometric information authentication and a user biometric information registration procedure according to an embodiment of the present invention.
  • Figures 6 and 7 are block diagrams showing the configuration and electronic payment operation procedure of a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
  • Figure 8 is a flowchart showing a procedure for registering user biometric information in a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
  • Figure 9 is a flowchart showing the procedure of an electronic payment operation in a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
  • Figure 10 is a configuration diagram of a node computing device according to an embodiment of the present invention.
  • Figure 1 is a diagram showing a distributed processing system using blockchain to which the technical idea according to the present invention can be applied.
  • a distributed processing system using blockchain is a distributed network system consisting of a plurality of nodes (110 to 170).
  • the nodes 110 to 170 constituting the distributed network 100 may be electronic devices with computing capabilities, such as computers, mobile terminals, and dedicated electronic devices.
  • the distributed network 100 can store and reference information commonly known to all participating nodes within a connected bundle of blocks called a blockchain.
  • the nodes 110 to 170 are capable of communicating with each other and can be divided into full nodes, which are responsible for storing, managing, and disseminating the blockchain, and light nodes, which can simply participate in transactions.
  • When a node is mentioned without further explanation in this specification, it often refers to a full node that participates in the decentralized network 100 and performs the operation of creating, storing, or verifying the blockchain, but is not limited to this.
  • Each block connected to the blockchain contains transaction details, that is, transactions, within a certain period of time.
  • the nodes can manage transactions by creating, storing, or verifying blockchains according to their respective roles.
  • the transaction may represent various types of transactions.
  • the transaction may correspond to a financial transaction to indicate the ownership status of virtual currency and its changes.
  • the transaction may correspond to a physical transaction to indicate the ownership status of an item and its changes.
  • the transaction may correspond to an information sharing process to represent the recording, storage, and transfer of information. Nodes that perform transactions in the distributed network 100 may have a private key and public key pair with a cryptographic relationship.
  • Figures 2 and 3 are block diagrams showing the connection of blocks used in a blockchain system.
  • the blockchain 200 is a type of distributed database of one or more sequentially connected blocks 210, 220, and 230.
  • the blockchain 200 is used to store and manage users' transaction details within the blockchain system, and each node participating in the network of the blockchain system creates a block and connects it to the blockchain 200.
  • Although a limited number of blocks 210, 220, and 230 are shown in Figure 2, the number of blocks that can be included in the blockchain is not limited thereto.
  • Each block included in the blockchain 200 may be configured to include a block header 211 and a block body 213.
  • the block header 211 may include the hash value of the previous block 220 to indicate the connection relationship between each block. In the process of verifying whether the blockchain 200 is valid, the connection relationship within the block header 211 is used.
  • the block body 213 may include data stored and managed in the block 210, for example, a transaction list or a transaction chain.
  • the block header 211 may include a hash 2112 of the previous block, a hash 2113 of the current block, and a nonce 2114. Additionally, the block header 211 may include a root 2115 indicating the header of the transaction list within the block.
  • the blockchain 200 may include one or more connected blocks.
  • the one or more blocks are connected based on the hash value in the block header 211.
  • the hash value 2112 of the previous block included in the block header 211 is a hash value for the previous block 220 and is the same as the current hash 2213 included in the previous block 220.
  • the one or more blocks are chained by the hash value of the previous block in each block header. Nodes participating in the decentralized network 100 verify the validity of blocks based on the hash value of the previous block included in the one or more blocks, so it is impossible for a single malicious node to forge or alter the contents of an already created block.
  • the block body 213 may include a transaction list 2131.
  • the transaction list 2131 is a list of blockchain-based transactions.
  • the transaction list 2131 may include records of financial transactions made in the blockchain-based financial system.
  • the transaction list 2131 may be expressed in the form of a tree.
  • the amount sent by user A to user B is recorded in the form of a list, and the storage length in the block can be increased or decreased based on the number of transactions included in the current block.
  • the block 210 may include other information 2116 other than the information included in the block header 211 and the block body 213.
  • Nodes participating in the decentralized network 100 have the same blockchain, and the same transaction is stored in the block. Blocks containing the transaction list are shared across the network, so all participants can verify them.
  • the present invention proposes not a method of storing the user's biometric information and payment information in a central server, but a method of storing biometric information encrypted with the user's key in each user's logical storage (hub instance) through DID-based IDH.
  • the payment system verifies the owner of the biometric information by referring to the IDH.
  • DID refers to a unique identifier that can prove identity by performing CRUD (Create, Read, Update, Delete) operations on information that can identify an individual, without a central agency.
  • DID is a key value that serves as a pointer to the DID document of a blockchain transaction.
  • DID is an identifier generated based on the user's public key.
  • a DID document refers to a set of documents required for an individual to authenticate himself and prove his association with a DID.
  • the object of DID's CRUD performance is the DID document, which refers to the information required for verification when using the DID service, and the data set contains properties such as public key and authentication method.
  • The relationship between a DID and a DID document is that the DID is searched in the blockchain and the DID document is created based on the transaction contents; the method of reading a DID document based on a DID may be different for each blockchain.
  • the payment system using DID-based biometric information authentication includes a first user node 310, a second user node 320, a blockchain node 400, a biometric information authentication server 500, a payment server 600, an IDH server 700, object storage 800, and a resolver server 900.
  • Figures 4 and 5 are block diagrams showing the configuration of a payment system using DID-based biometric information authentication and a user biometric information registration procedure according to an embodiment of the present invention.
  • a payment system using DID-based biometric information authentication includes a first user node 310, a blockchain node 400, a biometric information authentication server 500, a payment server 600, an IDH server 700, object storage 800, and a resolver server 900.
  • the method of registering user biometric information for DID-based biometric information authentication according to the present invention may be an algorithm implemented through an application.
  • the first user node 310 is a terminal device for registering user biometric information, and may be implemented as a computer capable of accessing a remote server or terminal through a network.
  • the computer may include, for example, a laptop equipped with a navigation system and a web browser, a desktop, a laptop, etc.
  • the first user node 310 is, for example, a wireless communication device that guarantees portability and mobility, and may include all types of handheld-based wireless communication devices such as navigation, PCS (Personal Communication System), GSM (Global System for Mobile communications), PDC (Personal Digital Cellular), PHS (Personal Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), and Wibro (Wireless Broadband Internet) terminals, smartphones, smartpads, and tablet PCs.
  • PCS personal communication system
  • GSM global system for mobile communications
  • PDC personal digital cellular
  • PHS Personal Handyphone System
  • PDA Personal Digital Assistant
  • IMT International Mobile Telecommunication
  • CDMA Code Division Multiple Access
  • W-CDMA Wide-Code Division Multiple Access
  • Wibro Wireless Broadband Internet
  • the first user node 310 uses DApp when registering user biometric information, generates the private key of the first user node 310 in the key generation module, and generates the user password in the password generation module. Then, the first user node 310 generates a user DID and a HUB DID for using the IDH service, and registers a DID document related to the user DID with the blockchain node 400.
  • DID is applied to enable the sender node and the receiver node to share a common symmetric key using the asymmetric key of the first user node 310.
  • DID is used as an identifier to query the public key of the first user node 310 registered in the blockchain node 400.
  • the public key of the first user node 310 is registered on a blockchain that can be accessed by an unspecified number of nodes, and the private key of the key pair corresponding to the public key is held only by a specific node. Based on this structure, the personal information of the first user node 310 can be safely shared with other nodes without separate symmetric key management by using the elliptic curve key exchange algorithm (ECDH).
  • ECDH elliptic curve key exchange algorithm
  • the first user node 310 and the payment server 600 can generate a common symmetric key according to the logic below without the need to generate a separate symmetric key.
  • the ECDH technique used in the present invention applies the Diffie-Hellman key exchange method using elliptic curve cryptography.
  • A third node can know the public keys of specific nodes but cannot know the private key of each node, and therefore cannot know the symmetric key generated through their exchange. Accordingly, personal information including biometric information of the first user node 310 can be safely protected.
  • the first user node 310 requires a symmetric key to safely share the user's biometric information (corresponding to personal information to be protected) with the payment server 600. If it generates a separate symmetric key for this and encrypts using a public key, the number of symmetric keys that must be managed by the payment server 600 for multiple user nodes increases, causing management inconvenience and a security risk. This also becomes a problem in symmetric key management for each user node.
  • the present invention applies a key exchange algorithm to improve the convenience and strengthen security of symmetric key management, and DID can be used to query the public key of the counterpart node with which you want to transact.
  • the first user node 310 recognizes user biometric information (eg, facial recognition information) using DApp and transmits the recognized biometric information to the biometric information authentication server 500.
  • the user's biometric information may be, for example, facial recognition information.
  • the biometric information authentication server 500 extracts and stores the user's biometric information data (hereinafter referred to as 'vector data') from the biometric information received from the first user node 310, and delivers the extracted vector data to the DApp of the first user node 310.
  • the first user node 310 uses the DID of the payment server 600 to query the public key of the payment server 600. Using the public key of the payment server 600 and the private key of the first user node 310, it generates a symmetric key with the ECDH technique as described above and encrypts the vector data (the vector data extracted by the biometric information authentication server 500).
  • the IDH server 700 queries the DID authority of the user node with the resolver server 900 in order to register the encrypted vector data provided from the DApp of the first user node 310 in the object storage 800.
  • In the database of the IDH server 700, user DIDs and HUB DIDs for a plurality of user nodes are mapped, and this mapping is checked when querying DID authority.
  • the IDH server 700 registers the encrypted vector data in the object storage 800 and returns the storage location in the object storage 800.
  • the IDH server 700 delivers the returned storage location in the object storage 800 to the first user node 310.
  • the HUB DID of the first user node 310 is used as an identifier to logically distinguish individual storage within the object storage 800, and the IDH server 700 confirms the user node corresponding to the true owner of the HUB DID as a normal user node.
  • the payment server 600 uses the user DID and HUB DID to query the individual storage of the object storage 800 linked to the IDH server 700.
  • the reason why the IDH server 700 uses the identifier as a DID is to protect the user's personal information from the service company that operates the IDH server 700.
  • all identifiers are de-identified as DIDs to protect user personal information from malicious users.
  • the payment server 600 transmits the DID of the payment server 600 to the first user node 310, and allows the first user node 310 to query the public key of the payment server 600.
  • the payment server 600 receives the user DID, HUB DID, hashed user password, and storage location information in the object storage from the first user node 310 to enable electronic payment.
  • the payment server 600 searches for the user DID from the blockchain node 400 through the resolver server 900. Because the DID document mapped to the user DID is registered on the blockchain, the payment server 600 can search for the DID document through the user DID.
  • the first user node 310 can query the DID document by directly querying the node on the blockchain, but there is the inconvenience of having to process it to meet W3C standard specifications.
  • the resolver server 900 performs the role of processing blockchain data in accordance with the W3C standard, and the DID document of the DID identifier can be searched from any node through the resolver server 900.
  • the amount of data that can be registered in the blockchain is limited, and there is a need to utilize resources efficiently. Therefore, the DID document currently registered in the blockchain is raw data with optimized resource utilization, and the raw data can be processed through the resolver server 900 and provided to the first user node 310.
  • Figures 6 and 7 are block diagrams showing the configuration and electronic payment operation procedure of a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
  • a payment system using DID-based biometric information authentication includes a second user node 320, a blockchain node 400, a biometric information authentication server 500, a payment server 600, an IDH server 700, object storage 800, a resolver server 900, and a service provider server 910.
  • the electronic payment method using DID-based biometric information authentication according to the present invention may be an algorithm implemented through an application.
  • the second user node 320 corresponds to a device such as a PoS terminal or a kiosk; after a product is ordered from the service provider server 910, biometric information authentication is selected as the payment method on the second user node 320, the user password is entered, and then the user's biometric information (for example, facial recognition information) is entered.
  • the second user node 320 transmits the inputted user's biometric information to the biometric information authentication server 500 and receives vector data related to the user's biometric information extracted from the biometric information authentication server 500.
  • the second user node 320 transmits vector data extracted from the hashed user password and user biometric information to the payment server 600 to request electronic payment.
  • the payment server 600 secures user information such as the user DID, HUB DID, and storage location information in object storage based on the hashed user password, and the payment server 600 connects to the IDH server 700 and, by requesting data regarding the user biometric information from the IDH server 700, receives the encrypted vector data stored in the object storage.
  • the payment server 600 receives the user DID, HUB DID, hashed user password, and storage location information in the object storage from the first user node 310 during the user biometric information registration process, and the payment server 600 stores the hashed user password, the storage location in object storage, the user DID, and the HUB DID in the database.
  • since hashed user passwords, not user passwords, are stored in the database of the payment server 600, there is no fear of user passwords being exposed, and even if the storage location in the object storage is disclosed, access is impossible without proper authority, so safety is guaranteed.
  • the payment server 600 does not have the user's personal information, but can secure viewable personal information by sharing the user's biometric information.
  • the payment server 600 searches the blockchain through the resolver server 900 to secure the public key of the first user node 310 based on the user DID, generates a symmetric key using the private key of the payment server 600 and the public key of the first user node 310, and decrypts the encrypted vector data.
  • the payment server 600 performs an electronic payment operation by comparing vector data regarding user biometric information provided by the second user node 320 with vector data decrypted by the payment server 600.
  • the IDH server 700 queries the DID authority of the payment server 600 through the resolver server 900 and requests the object storage 800 to receive encrypted vector data.
  • the IDH server 700 transmits encrypted vector data to the payment server 600, and the payment server 600 performs an electronic payment operation through the above-described operation.
  • the service provider server 910 receives the electronic payment approval result from the payment server 600 and provides services such as product delivery to the user.
  • Figure 8 is a flowchart showing a procedure for registering user biometric information in a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
  • the first user node 310 uses the DApp to generate a user password in a password generation module. The first user node 310 then uses the user password to generate a user DID and a HUB DID for using the IDH service, registers them in the blockchain node 400, and additionally registers the user's HUB DID with the IDH server 700.
  • the first user node 310 recognizes the user's biometric information (for example, facial recognition information) using the DApp and transmits the recognized biometric information to the biometric information authentication server 500.
  • the biometric information authentication server 500 receives the user's biometric information from the first user node 310, extracts the vector data, hashes it, and delivers the hashed vector data to the DApp of the first user node 310.
  • the first user node 310 requests public key inquiry of the payment server 600 through the resolver server 900.
  • the resolver server 900 retrieves the public key of the payment server 600 from the blockchain node 400 and provides it to the first user node 310.
  • the first user node 310 encrypts vector data (hashed vector data) using the public key of the payment server 600 and the private key of the first user node 310.
  • the first user node 310 requests the IDH server 700 to share the encrypted vector data with the payment server 600, and the IDH server 700 sends the encrypted vector data to the object storage 800.
  • the user DID authority is checked with the resolver server 900.
  • the IDH server 700 registers the encrypted vector data in the object storage 800 and receives in return the storage location within the object storage 800.
  • the IDH server 700 transmits the storage location of the object storage 800 to the first user node 310, and the first user node 310 uses the payment system by transmitting the user DID, HUB DID, hashed user password, and storage location information within the object storage to the payment server 600.
  • Figure 9 is a flowchart showing the procedure of an electronic payment operation in a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
  • in the DID-based biometric information utilization procedure, a product is ordered from the service provider server 910 at the second user node 320 (a device such as a PoS terminal or a kiosk) for electronic payment, biometric information authentication is selected as the payment method, the user password is entered, and then the user's biometric information (for example, facial recognition information) is entered.
  • the second user node 320 transmits the input biometric information to the biometric information authentication server 500, and the biometric information authentication server 500 extracts vector data from the received biometric information of the user and transmits the extracted vector data to the second user node 320.
  • the second user node 320 transmits the hashed user password and vector data extracted from the user biometric information to the payment server 600 to request electronic payment.
  • the payment server 600 secures user information such as the user DID, HUB DID, and storage location information in object storage based on the hashed user password, and the payment server 600 connects to the IDH server 700 and requests data regarding the user biometric information from the IDH server 700.
  • the IDH server 700 queries the DID authority of the payment server 600 through the resolver server 900 and requests the object storage 800 to receive encrypted vector data.
  • the IDH server 700 transmits the encrypted vector data to the payment server 600, and the payment server 600 queries the blockchain node 400 through the resolver server 900 to secure the public key of the first user node 310.
  • the payment server 600 generates a symmetric key using the private key of the payment server 600 and the public key of the first user node 310, and then decrypts the encrypted vector data.
  • the payment server 600 performs an electronic payment operation by comparing vector data related to the user's biometric information provided from the second user node 320 with vector data decrypted by the payment server 600.
  • after performing an electronic payment operation, the payment server 600 transmits an approval result to the service provider server 910, and the service provider server 910 provides services such as product delivery to the user according to the approval result.
  • Figure 10 is a configuration diagram of a node computing device according to an embodiment of the present invention.
  • the computing device 1000 of the node includes a processor 1100 and a memory 1200, and the processor 1100 may include one or more cores, a graphics processing unit, and/or a connection path (for example, a bus) for transmitting and receiving signals to and from other components.
  • the processor 1100 executes one or more instructions stored in the memory 1200, thereby executing the operation of the payment system using DID-based biometric information authentication described in relation to FIGS. 4 to 9.
  • the processor 1100 collects information about data upload/download occurring in one or more nodes by executing one or more instructions stored in memory, records the collected information in a block, and, based on the information recorded in the block, provides relevant information for at least one node.
  • the processor 1100 may further include RAM (Random Access Memory) and ROM (Read-Only Memory) that temporarily and/or permanently store internally processed signals (or data). Additionally, the processor 1100 may be implemented in the form of a system on chip (SoC) including at least one of a graphics processing unit, RAM, and ROM.
  • the memory 1200 may store programs (one or more instructions) for processing and controlling the processor 1100. Programs stored in the memory 1200 may be divided into a plurality of modules according to their functions.
  • the operations of the system described in relation to embodiments of the present invention may be implemented directly in hardware, implemented as a software module executed by hardware, or a combination thereof.
  • the software module may reside in RAM (Random Access Memory), ROM (Read Only Memory), EPROM (Erasable Programmable ROM), EEPROM (Electrically Erasable Programmable ROM), flash memory, a hard disk, a removable disk, a CD-ROM, or any type of computer-readable recording medium well known in the art to which the present invention pertains.
  • the components of the present invention may be implemented as a program (or application) and stored in a medium in order to be executed in conjunction with a hardware computer.
  • Components of the invention may be implemented as software programming or software elements; similarly, embodiments may include various algorithms implemented as combinations of data structures, processes, routines or other programming constructs, and may be implemented in a programming or scripting language such as C, C++, Java, or assembler.
  • Functional aspects may be implemented as algorithms running on one or more processors.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Strategic Management (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Finance (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A payment system using DID-based biometric authentication is provided. The payment system using DID-based biometric authentication comprises a first user node, a block chain node, a biometrics authentication server, an IDH server, an object storage, and a payment server, wherein the first user node receives user biometrics so as to send same to the biometrics authentication server, receives vector data related to the user biometrics from the biometrics authentication server, and encrypts the vector data by using a public key of the payment server and a private key of the first user node.

Description

Payment system using DID-based biometric authentication
The present invention relates to a payment system using DID-based biometric information authentication. More specifically, the present invention is a system that can register user biometric information and easily perform electronic payments using the registered user's biometric information. It uses an IDH (Identity Data Hub) server configuration to query DIDs and return the location where the user's biometric information is stored, and it relates to a payment system using DID-based biometric information authentication that can remedy existing systems, which have a security weakness in that the user's biometric information can be leaked.
Blockchain refers to a distributed data processing technology in which all users participating in the network store all managed data in a distributed manner. It is also called 'distributed ledger technology (DLT)' or a 'public transaction ledger', in that the ledger containing transaction information is not held by the transacting party or a specific institution but is shared among all network participants. The name blockchain comes from linking blocks containing transaction details together like a chain. Blockchain is a technology for preventing hacking such as forgery and falsification of transaction details: it sends the transaction history to all users participating in a transaction and checks it against each transaction to prevent data forgery.
Decentralization is the core concept of blockchain, which moves away from the existing financial system, in which financial institutions guarantee and manage all transactions, toward P2P (peer-to-peer) transactions. P2P refers to a communication network that connects personal computers without a server or client; each connected computer acts as both server and client and shares information. A digital trust relationship is formed by multiple nodes sharing and verifying the same data. This environment makes it feasible to realize smart contracts, through which contracts can be conveniently concluded and modified peer to peer without an intermediary.
In the existing financial system, financial companies have kept transaction records on a central server, whereas in a blockchain based on the P2P method, transaction information is stored in blocks that are linked in sequence and shared by all participants.
Currently, identity authentication services using biometrics are used in various fields. As biometric authentication technology has developed, Bio-Pay technology has emerged, which goes beyond authentication and allows goods to be purchased with biometric information alone, without a credit card or smartphone. In financial services, biometric authentication has emerged as a new authentication method for non-face-to-face transactions and is used in ATM/POS, internet banking, and online and offline payments.
In a transaction system based on biometric authentication, actions such as completing a payment, accumulating points, or deducting points are performed according to the result of the verification process after the registered user's biometric information is authenticated.
However, one of the major vulnerabilities of the biometric authentication process concerns the storage and management of biometric information. Leakage of authentication information such as user passwords and mobile phone numbers is recognized as a serious security threat, but leakage of biometric information is an even more serious problem. Biometric information is unique to each individual and does not change, so once it has been leaked it is difficult to change or reissue; management of biometric information is therefore important.
In addition, because biometric information does not change each time and the same fixed information is transmitted for every transaction, it is vulnerable to replay attacks.
The technical problem the present invention aims to solve is to provide a payment system using DID-based biometric information authentication in which the user's biometric information used to authenticate electronic payments is encrypted and shared between the user node and the payment server, and the common symmetric key for decrypting it is generated using the ECDH technique, so that the private key of each user node cannot be known by a third node and the personal information of the user node, including biometric information, can be safely protected.
Another technical problem the present invention aims to solve is to provide a payment system using DID-based biometric information authentication that reduces the number of symmetric keys each user node or payment server has to manage, thereby avoiding management overhead and reducing security risk.
Another technical problem the present invention aims to solve is to provide a payment system using DID-based biometric information authentication that protects the personal information of user nodes by using DID-based identifiers and uses resources efficiently by reducing the amount of data registered in the blockchain.
Another technical problem the present invention aims to solve is to provide a payment system using DID-based biometric information authentication in which safety is guaranteed: because the hashed user password is stored in the payment server's database, there is no fear of the user password being exposed, and even if the storage location of the user's biometric data in the object storage is disclosed, access itself is impossible without proper authority.
However, the technical problems to be solved by the present invention are not limited to the above problems, and may be expanded in various ways without departing from the technical spirit and scope of the present invention.
A payment system using DID-based biometric information authentication according to an embodiment of the present invention for solving the above problems is a payment system using biometric information authentication that includes a first user node, a blockchain node, a biometric information authentication server, an IDH server, an object storage, and a payment server, and comprises: a first user node that receives user biometric information and transmits it to the biometric information authentication server, receives vector data regarding the user biometric information from the biometric information authentication server, and encrypts the vector data using the public key of the payment server and the private key of the first user node; a biometric information authentication server that extracts the vector data from the user biometric information received from the first user node and transmits it to the first user node; an IDH server that receives the encrypted vector data from the first user node, registers it in the object storage, receives in return the storage location in the object storage where the encrypted vector data is stored, and transmits the storage location to the first user node; and a payment server that transmits the DID of the payment server to the first user node, and receives and stores the user DID, HUB DID, hashed user password, and the storage location from the first user node.
In some embodiments according to the present invention, the first user node may generate the private key of the first user node in a key generation module, generate the user password in a password generation module, generate the user DID and the HUB DID for using the IDH service using a DApp, and register a DID document related to the user DID with the blockchain node.
In some embodiments according to the present invention, the IDH server may check, through JWS (JSON Web Signature) signing/verification, whether the first user node has ownership of the user DID.
In some embodiments according to the present invention, the system further includes a second user node on which, after an order request to a service provider server, biometric information authentication is selected as the payment method, the user password is entered, and then the user biometric information is entered; the second user node may transmit the entered user biometric information to the biometric information authentication server and receive, from the biometric information authentication server, vector data extracted from the user biometric information.
In some embodiments according to the present invention, the second user node may request electronic payment by transmitting the hashed user password and the vector data to the payment server; the payment server may secure the user DID, the HUB DID, and the storage location based on the hashed user password, connect to the IDH server to receive the encrypted vector data stored in the object storage, decrypt the encrypted vector data using the public key of the first user node and the private key of the payment server, and then perform an electronic payment operation by comparing the vector data regarding the user biometric information input at and provided by the second user node with the decrypted vector data.
Other specific details of the invention are included in the detailed description and drawings.
According to the present invention, the user's biometric information is encrypted and shared between the user node and the payment server, and the common symmetric key for decrypting it is generated using the ECDH technique, so that the private key of each user node cannot be known by a third node and the personal information of the user node, including biometric information, can be safely protected.
Additionally, according to the present invention, the number of symmetric keys that each user node or payment server has to manage is reduced, which avoids management overhead and reduces security risk.
In addition, according to the present invention, using DID-based identifiers protects the personal information of user nodes, and reducing the amount of data registered in the blockchain allows resources to be used efficiently.
Additionally, according to the present invention, the hashed user password is stored in the payment server's database, so there is no fear of the user password being exposed.
Additionally, according to the present invention, even if the storage location of the user's biometric data in the object storage is made public, access itself is impossible without proper authority, so safety can be guaranteed.
However, the effects of the present invention are not limited to the above effects, and may be expanded in various ways without departing from the technical spirit and scope of the present invention.
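The ECDH key agreement between the first user node and the payment server described above, and the registration and payment steps that rely on it, can be illustrated as follows. This is an added example, not part of the patent text: the curve, the HKDF step, AES-256-GCM, the `did:example` identifiers, and the in-memory `registry` and `objectStorage` maps standing in for the blockchain DID documents and the object storage are all assumptions.

```javascript
// Added illustration, not code from the patent. The patent names ECDH only;
// curve, KDF, cipher and all identifiers below are assumptions.
const nodeCrypto = require('node:crypto');

const CURVE = 'prime256v1';
const registry = new Map(); // stand-in for DID documents on the blockchain: DID -> public key

function createNode(did) {
  const ecdh = nodeCrypto.createECDH(CURVE);
  registry.set(did, ecdh.generateKeys()); // only the public key is published
  return { did, ecdh };
}

// Each party combines its own private key with the peer's published public
// key. Both arrive at the same secret, so no symmetric key is stored or sent.
function sharedKey(self, peerDid) {
  const peerPublic = registry.get(peerDid);
  if (!peerPublic) throw new Error(`no DID document for ${peerDid}`);
  const secret = self.ecdh.computeSecret(peerPublic);
  const info = Buffer.from('biometric-vector-encryption');
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), info, 32));
}

function encodeVector(values) {
  const buf = Buffer.alloc(values.length * 4);
  values.forEach((v, i) => buf.writeFloatLE(v, i * 4));
  return buf;
}

function decodeVector(buf) {
  const out = [];
  for (let i = 0; i < buf.length; i += 4) out.push(buf.readFloatLE(i));
  return out;
}

// The user DID is bound as associated data, so a blob stored for one user
// does not authenticate if it is presented under another user's DID.
function seal(key, plaintext, userDid) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userDid));
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key or the DID does not match.
function unseal(key, blob, userDid) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAAD(Buffer.from(userDid));
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  } catch (err) {
    return null;
  }
}

function runDemo() {
  const user = createNode('did:example:user-node');
  const payment = createNode('did:example:payment-server');
  const idh = createNode('did:example:idh-server');

  // Registration: the user node encrypts the vector (constructed sample
  // values) and the IDH server files the ciphertext in object storage.
  const enrolled = [0.5, -0.25, 0.125, 1];
  const userKey = sharedKey(user, payment.did);
  const objectStorage = new Map();
  objectStorage.set('location-1', seal(userKey, encodeVector(enrolled), user.did));

  // Payment: the payment server resolves the user's public key and derives
  // the same key from its own private key.
  const paymentKey = sharedKey(payment, user.did);
  const blob = objectStorage.get('location-1');
  const plain = unseal(paymentKey, blob, user.did);

  // The IDH server holds the ciphertext and its own key pair, nothing more.
  const idhKey = sharedKey(idh, user.did);
  return {
    keysMatch: userKey.equals(paymentKey),
    recovered: plain ? decodeVector(plain) : null,
    idhCanRead: unseal(idhKey, blob, user.did) !== null,
    acceptedUnderOtherDid: unseal(paymentKey, blob, 'did:example:someone-else') !== null,
  };
}

console.log(runDemo());
```

The IDH server stores and forwards the ciphertext but cannot derive the key, which matches the stated effect that a third node cannot read the biometric data.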
Figure 1 is a diagram showing a distributed processing system using blockchain to which the technical idea according to the present invention can be applied.
Figures 2 and 3 are block diagrams showing the connection of blocks used in a blockchain system.
Figures 4 and 5 are block diagrams showing the configuration of a payment system using DID-based biometric information authentication and a user biometric information registration procedure according to an embodiment of the present invention.
Figures 6 and 7 are block diagrams showing the configuration and electronic payment operation procedure of a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
Figure 8 is a flowchart showing a procedure for registering user biometric information in a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
Figure 9 is a flowchart showing the procedure of an electronic payment operation in a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
Figure 10 is a configuration diagram of a node computing device according to an embodiment of the present invention.
The advantages and features of the present invention, and the methods for achieving them, will become clear by referring to the embodiments described in detail below together with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in various different forms; the present embodiments are provided only so that the disclosure of the present invention is complete and so that a person of ordinary skill in the technical field to which the present invention pertains is fully informed of the scope of the invention, and the present invention is defined only by the scope of the claims.
The terminology used herein is for describing embodiments and is not intended to limit the invention. As used herein, singular forms also include plural forms unless the context specifically states otherwise. As used herein, "comprises" and/or "comprising" means that the stated components, steps, operations and/or elements do not exclude the presence or addition of one or more other components, steps, operations and/or elements.
Unless otherwise defined, all terms (including technical and scientific terms) used in this specification are used with the meanings commonly understood by those skilled in the art to which the present invention pertains. Additionally, terms defined in commonly used dictionaries are not interpreted in an idealized or excessive manner unless they are explicitly and specifically defined.
Hereinafter, preferred embodiments of the present invention will be described in more detail with reference to the attached drawings. The same reference numerals are used for the same components in the drawings, and duplicate descriptions of the same components are omitted.
Below, a distributed processing system using blockchain, to which the concept of the present invention can be applied, is described first.
FIG. 1 is a diagram showing a distributed processing system using blockchain to which the technical idea according to the present invention can be applied.
Referring to FIG. 1, a distributed processing system using blockchain is a distributed network system consisting of a plurality of nodes (110 to 170). The nodes 110 to 170 constituting the distributed network 100 may be electronic devices with computing capabilities, such as computers, mobile terminals, and dedicated electronic devices.
In general, the distributed network 100 can store and reference information commonly known to all participating nodes within a linked bundle of blocks called a blockchain. The nodes 110 to 170 are capable of communicating with each other and can be divided into full nodes, which are responsible for storing, managing, and propagating the blockchain, and light nodes, which can participate only in transactions. When a node is mentioned without further explanation in this specification, it often refers to a full node that participates in the distributed network 100 and performs the operation of creating, storing, or verifying the blockchain, but it is not limited to this.
Each block connected to the blockchain contains the transaction details, that is, the transactions, within a certain period of time. The nodes can manage transactions by creating, storing, or verifying the blockchain according to their respective roles.
Depending on the embodiment, the transaction may represent various types of transactions. In one embodiment, the transaction may correspond to a financial transaction indicating the ownership status of virtual currency and its changes. In another embodiment, the transaction may correspond to a physical transaction indicating the ownership status of an item and its changes. In another embodiment, the transaction may correspond to an information sharing process representing the recording, storage, and transfer of information. Nodes that perform transactions in the distributed network 100 may each have a cryptographically related private key and public key pair.
FIGS. 2 and 3 are block diagrams showing the connection of blocks used in a blockchain system.
Referring to FIG. 2, the blockchain 200 is a type of distributed database of one or more sequentially connected blocks 210, 220, and 230. The blockchain 200 is used to store and manage users' transaction details within the blockchain system, and each node participating in the network of the blockchain system creates a block and connects it to the blockchain 200. Although a limited number of blocks 210, 220, and 230 are shown in FIG. 2, the number of blocks that can be included in the blockchain is not limited thereto.
Each block included in the blockchain 200 may be configured to include a block header 211 and a block body 213. The block header 211 may include the hash value of the previous block 220 to indicate the connection relationship between the blocks. The connection relationship within the block header 211 is used in the process of verifying whether the blockchain 200 is valid. The block body 213 may include data stored and managed in the block 210, for example, a transaction list or a transaction chain.
Referring to FIG. 3, the block header 211 may include a hash 2112 of the previous block, a hash 2113 of the current block, and a nonce 2114. Additionally, the block header 211 may include a root 2115 indicating the header of the transaction list within the block.
As described above, the blockchain 200 may include one or more connected blocks. The one or more blocks are connected based on the hash value in the block header 211. The hash value 2112 of the previous block included in the block header 211 is the hash value for the immediately preceding block 220 and is the same value as the current hash 2213 included in the immediately preceding block 220. The one or more blocks are chained together by the hash value of the previous block in each block header. Because the nodes participating in the distributed network 100 verify the validity of blocks based on the hash value of the previous block included in the one or more blocks, it is impossible for a single malicious node to forge or alter the contents of an already created block.
The block body 213 may include a transaction list 2131. The transaction list 2131 is a list of blockchain-based transactions. For example, the transaction list 2131 may include records of financial transactions made in the blockchain-based financial system. The transaction list 2131 may be expressed in the form of a tree; for example, the amount sent by user A to user B is recorded in the form of a list, and the storage length within the block may increase or decrease based on the number of transactions included in the current block.
Additionally, the block 210 may include other information 2116 besides the information included in the block header 211 and the block body 213.
Nodes participating in the distributed network 100 hold the same blockchain, and the same transactions are stored in the blocks. Because blocks containing the transaction list are shared across the network, all participants can verify them.
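The hash linkage described for FIGS. 2 and 3 can be checked by any participant as in the following added Python example, which is not part of the patent text. The field names, the use of SHA-256, the all-zero previous hash of the first block, and the flat digest standing in for the tree-form root 2115 are assumptions made for illustration; the transactions are constructed sample data.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder "previous hash" for the first block


def tx_root(transactions):
    """Digest of the block body's transaction list (simplified stand-in for root 2115)."""
    encoded = json.dumps(transactions, sort_keys=True).encode()
    return hashlib.sha256(encoded).hexdigest()


def header_hash(prev_hash, nonce, root):
    """Current-block hash computed over the other header fields."""
    return hashlib.sha256(f"{prev_hash}|{nonce}|{root}".encode()).hexdigest()


def make_block(prev_hash, nonce, transactions):
    """Build a block with a header (prev hash, nonce, root, hash) and a body."""
    root = tx_root(transactions)
    header = {
        "prev_hash": prev_hash,
        "nonce": nonce,
        "root": root,
        "hash": header_hash(prev_hash, nonce, root),
    }
    return {"header": header, "body": transactions}


def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or -1 if all pass."""
    expected_prev = GENESIS_PREV
    for index, block in enumerate(chain):
        header = block["header"]
        if header["prev_hash"] != expected_prev:
            return index  # link to the preceding block is broken
        if header["root"] != tx_root(block["body"]):
            return index  # body no longer matches the root in the header
        if header["hash"] != header_hash(header["prev_hash"], header["nonce"], header["root"]):
            return index  # header fields no longer match the stored hash
        expected_prev = header["hash"]
    return -1


def build_sample_chain():
    """Three blocks of constructed sample transactions."""
    bodies = [
        [{"from": "A", "to": "B", "amount": 10}],
        [{"from": "B", "to": "C", "amount": 4}],
        [{"from": "C", "to": "A", "amount": 1}],
    ]
    chain, prev = [], GENESIS_PREV
    for nonce, body in enumerate(bodies):
        block = make_block(prev, nonce, body)
        chain.append(block)
        prev = block["header"]["hash"]
    return chain


if __name__ == "__main__":
    print("first invalid block:", first_invalid_block(build_sample_chain()))
```

Editing a body is caught at the edited block; regenerating that block's header moves the failure to the next block, whose stored previous hash no longer matches.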
In order to resolve the problems arising from leakage of individuals' biometric information in the payment system using biometric information authentication described above, and the vulnerability to replay attacks arising from the repeated transmission of biometric information for authentication, the present invention proposes a DID-based access-control storage (hereinafter referred to as the IDH (Identity Data Hub)).
That is, rather than storing the user's biometric information and payment information on a central server, the present invention proposes storing biometric information encrypted with the user's key in each user's logical storage (hub instance) through a DID-based IDH. When biometric information is needed, the payment system refers to the IDH to verify the owner of the biometric information.
Below, the concepts of the DID and the DID document are explained first.
A DID is a unique identifier with which a user can prove his or her identity by performing CRUD (Create, Read, Update, Delete) operations on personally identifying information in a user-centric manner, without a central authority. A DID serves, as a single key value, as a pointer to the DID document of a blockchain transaction. In particular, a DID is an identifier generated based on the user's public key.
A DID document is the set of data an individual needs to authenticate himself or herself and prove the association with a DID. The DID document is the target of the DID's CRUD operations and denotes the information needed for verification when using a DID service; the data set contains attributes such as a public key and an authentication method.
The relationship between a DID and a DID document is that the DID is looked up on the blockchain and the DID document is generated based on the transaction contents; the method of reading a DID document based on a DID may differ from blockchain to blockchain.
The payment system using DID-based biometric information authentication according to the present invention operates through the organic interaction among a first user node 310, a second user node 320, a blockchain node 400, a biometric information authentication server 500, a payment server 600, an IDH server 700, an object storage 800, and a resolver server 900.
Hereinafter, the configuration and operation procedures of the payment system using DID-based biometric information authentication according to the present invention will be described with reference to the drawings.
FIGS. 4 and 5 are block diagrams showing the configuration of a payment system using DID-based biometric information authentication and a user biometric information registration procedure according to an embodiment of the present invention.
A payment system using DID-based biometric information authentication according to an embodiment of the present invention includes a first user node 310, a blockchain node 400, a biometric information authentication server 500, a payment server 600, an IDH server 700, an object storage 800, and a resolver server 900. The method of registering user biometric information for DID-based biometric information authentication according to the present invention may be an algorithm implemented through an application.
Among the components of the present invention, the first user node 310 is a terminal device for registering user biometric information, and may be implemented as a computer capable of accessing a remote server or terminal through a network. Here, the computer may include, for example, a navigation device, a notebook equipped with a web browser, a desktop, a laptop, and the like.
In addition, the first user node 310 is, for example, a wireless communication device that guarantees portability and mobility, and may include all types of handheld-based wireless communication devices such as navigation, PCS (Personal Communication System), GSM (Global System for Mobile communications), PDC (Personal Digital Cellular), PHS (Personal Handyphone System), PDA (Personal Digital Assistant), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), and Wibro (Wireless Broadband Internet) terminals, smartphones, smartpads, and tablet PCs.
When registering user biometric information, the first user node 310 uses a DApp to generate the private key of the first user node 310 in the key generation module and to generate a user password in the password generation module. The first user node 310 then generates a user DID and a HUB DID for using the IDH service, and registers the DID document related to the user DID with the blockchain node 400.
In the present invention, the DID is applied so that the sender node and the receiver node share a common symmetric key using the asymmetric key of the first user node 310. The DID is used as an identifier for looking up the public key of the first user node 310 registered with the blockchain node 400. The public key of the first user node 310 is registered on a blockchain that can be accessed by an unspecified number of nodes, and the private key of the key pair corresponding to that public key is held only by the specific node. Based on this structure, the personal information of the first user node 310 can be shared safely with other nodes, without separate symmetric key management, by using the elliptic curve key exchange algorithm (ECDH).
In the present invention, the first user node 310 and the payment server 600 can generate a common symmetric key according to the logic below without the need to generate a separate symmetric key.
Common symmetric key: private key of a specific user node, public key of the payment server == private key of the payment server, public key of the specific user node
The ECDH technique used in the present invention applies the Diffie-Hellman key exchange method using elliptic curve cryptography. A third node can learn the public keys of particular nodes but cannot learn the private key of each node, and therefore cannot learn the symmetric key generated through the exchange. Accordingly, personal information including the biometric information of the first user node 310 can be safely protected.
The first user node 310 needs a symmetric key to share the user's biometric information (personal information that must be protected) securely with the payment server 600. If a separate symmetric key were generated and encrypted with the public key of the payment server 600, the number of symmetric keys that the payment server 600 must manage for the many user nodes would grow, making management cumbersome and creating a security risk. The same symmetric key management problem applies to each user node. To resolve this, the present invention applies a key exchange algorithm to improve the convenience and strengthen the security of symmetric key management, and a DID can be used to look up the public key of the counterpart node with which one wishes to transact.
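The key agreement described above is worked through in the following added Python example, which is not part of the patent text: each side combines its own private key with the counterpart's public key looked up by DID, and both arrive at the same symmetric key. The secp256k1 curve, the HKDF-SHA256 step, the DID strings, and the dictionary standing in for the resolver lookup are assumptions; the public key is checked to be a valid curve point before use.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (curve choice is an assumption; the text only says ECDH).
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

USER_DID = "did:example:user-node-310"         # constructed sample identifier
SERVER_DID = "did:example:payment-server-600"  # constructed sample identifier


def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result


def validate_public_key(q):
    """Reject anything that is not a point on the curve before using it in ECDH."""
    if q is None:
        raise ValueError("public key is the point at infinity")
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        raise ValueError("coordinate out of range")
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise ValueError("point is not on the curve")
    return q


def hkdf_sha256(ikm, info, length=32):
    """HKDF (RFC 5869) with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_shared_key(own_private, peer_public, user_did, server_did):
    """own private key combined with peer public key, then a KDF bound to both DIDs."""
    validate_public_key(peer_public)
    shared = mul(own_private, peer_public)
    if shared is None:
        raise ValueError("degenerate shared secret")
    info = b"biometric-vector-key|" + user_did.encode() + b"|" + server_did.encode()
    return hkdf_sha256(shared[0].to_bytes(32, "big"), info)


def demo():
    """Return the keys derived by the user node, the payment server, and an outsider."""
    user_priv = secrets.randbelow(N - 1) + 1
    server_priv = secrets.randbelow(N - 1) + 1
    outsider_priv = secrets.randbelow(N - 1) + 1
    # Stand-in for public keys published on-chain and looked up by DID.
    registry = {USER_DID: mul(user_priv, G), SERVER_DID: mul(server_priv, G)}
    k_user = derive_shared_key(user_priv, registry[SERVER_DID], USER_DID, SERVER_DID)
    k_server = derive_shared_key(server_priv, registry[USER_DID], USER_DID, SERVER_DID)
    k_outsider = derive_shared_key(outsider_priv, registry[SERVER_DID], USER_DID, SERVER_DID)
    return k_user, k_server, k_outsider


if __name__ == "__main__":
    k_user, k_server, k_outsider = demo()
    print("user and server agree:", k_user == k_server)
    print("outsider differs:", k_outsider != k_user)
```

Because both key pairs are long-lived, every derivation between the same two parties yields the same key, so the storage and rotation of the two private keys determines how long the stored ciphertext stays protected.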
The first user node 310 recognizes the user's biometric information (for example, facial recognition information) using the DApp and transmits the recognized biometric information to the biometric information authentication server 500. Here, the user's biometric information may be, for example, facial recognition information.
The biometric information authentication server 500 extracts and stores the user's biometric information data (hereinafter meaning 'vector data') from the biometric information received from the first user node 310, and delivers the extracted vector data to the DApp of the first user node 310.
At this time, when registering user biometric information, the first user node 310 uses the DID of the payment server 600 to look up the public key of the payment server 600, and, using the public key of the payment server 600 and the private key of the first user node 310, generates a symmetric key with the ECDH technique as described above and encrypts the vector data (the vector data extracted by the biometric information authentication server 500).
In order to register the encrypted vector data provided from the DApp of the first user node 310 in the object storage 800, the IDH server 700 queries the resolver server 900 for the DID authority of the user node. In the database of the IDH server 700, the user DIDs and HUB DIDs of a plurality of user nodes are mapped, and this mapping is checked when the DID authority is queried.
When a user node registered with the IDH server 700 wishes to register encrypted vector data, it is necessary to check whether it holds ownership of the user DID. This is done through JWS (JSON Web Signature) signing and verification: the electronic signature is verified by looking up the public key of the first user node 310 on the blockchain through the resolver server 900.
The IDH server 700 registers the encrypted vector data in the object storage 800 and receives in return the storage location in the object storage 800. The IDH server 700 delivers the returned storage location in the object storage 800 to the first user node 310.
The HUB DID of the first user node 310 is used as an identifier for logically separating the individual storages within the object storage 800, and the IDH server 700 confirms the user node that is the true owner of the HUB DID as a legitimate user node.
The payment server 600 uses the user DID and the HUB DID to query the individual storage of the object storage 800 linked to the IDH server 700.
The reason the IDH server 700 uses a DID as the identifier is to protect the user's personal information from the service company that operates the IDH server 700. In addition, considering the possibility that the database linked to the IDH server 700 may be stolen, all identifiers are de-identified as DIDs to protect the user's personal information from malicious users.
The payment server 600 delivers the DID of the payment server 600 to the first user node 310 so that the first user node 310 can look up the public key of the payment server 600. In addition, the payment server 600 receives the user DID, the HUB DID, the hashed user password, and the storage location information in the object storage from the first user node 310 so that electronic payment can be used. In the subsequent process, the payment server 600 looks up the user DID from the blockchain node 400 through the resolver server 900; because the DID document mapped to the user DID is registered on the blockchain, the payment server 600 can retrieve the DID document through the user DID.
The first user node 310 can retrieve the DID document by querying a node on the blockchain directly, but this has the inconvenience of having to process the result to conform to the W3C standard. The resolver server 900 performs the role of processing blockchain data in accordance with the W3C standard, and through the resolver server 900 any node can retrieve the DID document of a DID identifier. The amount of data that can be registered on the blockchain is limited and resources need to be used efficiently, so the DID document currently registered on the blockchain is raw data optimized for resource utilization; the resolver server 900 processes this raw data and provides it to the first user node 310.
FIGS. 6 and 7 are block diagrams showing the configuration and electronic payment operation procedure of a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
A payment system using DID-based biometric information authentication according to an embodiment of the present invention includes a second user node 320, a blockchain node 400, a biometric information authentication server 500, a payment server 600, an IDH server 700, an object storage 800, a resolver server 900, and a service provider server 910. The electronic payment method using DID-based biometric information authentication according to the present invention may be an algorithm implemented through an application.
Among the components of the present invention, the second user node 320 corresponds to a device such as a PoS terminal or a kiosk. After a product is ordered from the service provider server 910, the second user node 320 selects biometric information authentication as the payment method, receives the user password, and then receives the user's biometric information (for example, facial recognition information).
The second user node 320 transmits the user's biometric information it has received to the biometric information authentication server 500, and receives the vector data for the user's biometric information extracted by the biometric information authentication server 500.
The second user node 320 delivers the hashed user password and the vector data extracted from the user's biometric information to the payment server 600 to request electronic payment.
The payment server 600 obtains user information such as the user DID, the HUB DID, and the storage location information in the object storage based on the hashed user password. The payment server 600 then connects to the IDH server 700, requests the data on the user's biometric information from the IDH server 700, and receives the encrypted vector data stored in the object storage.
During the user biometric information registration process, the payment server 600 receives the user DID, the HUB DID, the hashed user password, and the storage location information in the object storage from the first user node 310, and the payment server 600 stores the storage location in the object storage, the user DID, and the HUB DID in its database using the hashed user password as the pk value. Because the database of the payment server 600 stores the hashed user password rather than the user password, there is no concern that the user password will be exposed, and even if the storage location in the object storage is disclosed, access itself is impossible without proper authority, so safety is guaranteed. In addition, since the user DID or HUB DID describes the owner of the user node or the storage location in the IDH server 700, it is information whose disclosure does not matter. Accordingly, although the payment server 600 holds no personal information of the user, it can obtain the retrievable personal information by being shared the user's biometric information.
The payment server 600 queries the blockchain through the resolver server 900 to obtain the public key of the first user node 310 based on the user DID, generates the symmetric key using the private key of the payment server 600 and the public key of the first user node 310, and decrypts the encrypted vector data.
The payment server 600 performs the electronic payment operation by comparing the vector data for the user's biometric information received from the second user node 320 with the vector data decrypted by the payment server 600.
The IDH server 700 queries the DID authority of the payment server 600 through the resolver server 900, and requests and receives the encrypted vector data from the object storage 800.
The IDH server 700 delivers the encrypted vector data to the payment server 600, and the payment server 600 performs the electronic payment operation as described above.
The service provider server 910 receives the electronic payment approval result from the payment server 600 and provides services such as product delivery to the user.
FIG. 8 is a flowchart showing the procedure for registering user biometric information in a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
In the DID-based biometric information registration procedure, the first user node 310 uses the DApp to generate a user password in the password generation module. The first user node 310 then uses the user password to generate a user DID and a HUB DID for using the IDH service, registers them with the blockchain node 400, and additionally registers the user's HUB DID with the IDH server 700.
The first user node 310 then uses the DApp to capture the user's biometric information (for example, facial recognition information) and passes the captured biometric information to the biometric information authentication server 500. After receiving the user's biometric information from the first user node 310, the biometric information authentication server 500 extracts vector data, hashes it, and delivers the hashed vector data to the DApp of the first user node 310.
To use the payment system, the first user node 310 asks the resolver server 900 to look up the public key of the payment server 600. The resolver server 900 retrieves the public key of the payment server 600 from the blockchain node 400 and provides it to the first user node 310. The first user node 310 encrypts the vector data (the hashed vector data) using the public key of the payment server 600 and the private key of the first user node 310.
The first user node 310 then sends a request to the IDH server 700 in order to share the encrypted vector data with the payment server 600, and the IDH server 700 queries the resolver server 900 for the user's DID authority in order to register the encrypted vector data in the object storage 800. The IDH server 700 registers the encrypted vector data in the object storage 800 and receives in return the storage location within the object storage 800.
The IDH server 700 passes the storage location in the object storage 800 to the first user node 310, and the first user node 310 uses the payment system by passing the user DID, the HUB DID, the hashed user password, and the storage location information within the object storage to the payment server 600.
FIG. 9 is a flowchart showing the procedure of the electronic payment operation in a payment system using DID-based biometric information authentication according to an embodiment of the present invention.
In the DID-based biometric information utilization procedure, after a product is ordered from the service provider server 910 at the second user node 320 used for electronic payment (a device such as a PoS terminal or kiosk), biometric information authentication is selected as the payment method, the user password is entered, and then the user's biometric information (for example, facial recognition information) is entered.
The second user node 320 transmits the entered biometric information to the biometric information authentication server 500, and the biometric information authentication server 500 extracts vector data from the received biometric information and transmits the extracted vector data to the second user node 320.
Next, the second user node 320 passes the hashed user password and the vector data extracted from the user's biometric information to the payment server 600 to request electronic payment.
At this point, the payment server 600 uses the hashed user password to obtain user information such as the user DID, the HUB DID, and the storage location information within the object storage, and the payment server 600 connects to the IDH server 700 and requests the data on the user's biometric information from it.
The IDH server 700 then looks up the DID authority of the payment server 600 through the resolver server 900, and requests and receives the encrypted vector data from the object storage 800. The IDH server 700 forwards the encrypted vector data to the payment server 600, and the payment server 600 queries the blockchain node 400 through the resolver server 900 to obtain the public key of the first user node 310.
The payment server 600 generates a symmetric key using the private key of the payment server 600 and the public key of the first user node 310, and then decrypts the encrypted vector data. The payment server 600 performs the electronic payment operation by comparing the vector data on the user's biometric information received from the second user node 320 with the vector data decrypted by the payment server 600.
After performing the electronic payment operation, the payment server 600 transmits the approval result to the service provider server 910, and the service provider server 910 provides services such as product delivery to the user according to the approval result.
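The key agreement, decryption and comparison steps of the registration and payment procedures above, as an added example that is not part of the patent text. The patent names no algorithms, so X25519, HKDF-SHA-256, AES-256-GCM, the use of the user DID as associated data, SHA-256 hashing of the payment-time vector, and all function names and sample values are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: SHA-256 over the raw float32 bytes stands in for the
// authentication server's "hashed vector data".
function hashVector(values) {
  const raw = Buffer.from(new Float32Array(values).buffer);
  return crypto.createHash('sha256').update(raw).digest();
}

// Either side derives the same 256-bit key from its own private key and the
// peer's public key (resolved from the blockchain node in the patent).
function deriveKey(ownPrivateKey, peerPublicKey, userDid) {
  const shared = crypto.diffieHellman({ privateKey: ownPrivateKey, publicKey: peerPublicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), Buffer.from(userDid), 32));
}

// Registration, first user node: encrypt the hashed vector for the payment server.
function encryptTemplate(userPrivateKey, serverPublicKey, userDid, hashedVector) {
  const key = deriveKey(userPrivateKey, serverPublicKey, userDid);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userDid)); // binds the blob to one user DID
  const ct = Buffer.concat([cipher.update(hashedVector), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Payment, payment server: decrypt the blob fetched via the IDH server and
// compare it with the value presented at the PoS or kiosk. Exact equality only
// succeeds when both captures yield the identical vector; the patent says only
// that the two are compared.
function verifyPayment(serverPrivateKey, userPublicKey, userDid, blob, presentedHash) {
  try {
    const key = deriveKey(serverPrivateKey, userPublicKey, userDid);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
    decipher.setAAD(Buffer.from(userDid));
    decipher.setAuthTag(blob.tag);
    const stored = Buffer.concat([decipher.update(blob.ct), decipher.final()]);
    return stored.length === presentedHash.length &&
      crypto.timingSafeEqual(stored, presentedHash);
  } catch (err) {
    return false; // wrong key, wrong DID or modified blob: GCM tag check failed
  }
}

function demo() {
  const user = crypto.generateKeyPairSync('x25519');
  const server = crypto.generateKeyPairSync('x25519');
  const other = crypto.generateKeyPairSync('x25519');
  const did = 'did:example:user-123';            // constructed sample DID
  const enrolled = hashVector([0.12, -0.98, 0.33, 0.71]); // constructed vector
  const blob = encryptTemplate(user.privateKey, server.publicKey, did, enrolled);
  const tampered = { ...blob, ct: Buffer.from(blob.ct) };
  tampered.ct[0] ^= 0x01; // one flipped bit in object storage
  const check = (pub, d, b, h) => verifyPayment(server.privateKey, pub, d, b, h);
  return {
    match: check(user.publicKey, did, blob, hashVector([0.12, -0.98, 0.33, 0.71])),
    differentVector: check(user.publicKey, did, blob, hashVector([0.12, -0.98, 0.33, 0.70])),
    tamperedBlob: check(user.publicKey, did, tampered, enrolled),
    wrongUserKey: check(other.publicKey, did, blob, enrolled),
    wrongDid: check(user.publicKey, 'did:example:someone-else', blob, enrolled),
  };
}

console.log(demo());
```

Only the first case approves; a blob modified in storage, a substituted public key, or a blob replayed under another DID fails authentication before any comparison happens.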
FIG. 10 is a configuration diagram of a node computing device according to an embodiment of the present invention.
The node computing device 1000 according to an embodiment of the present invention includes a processor 1100 and a memory 1200, and the processor 1100 may include one or more cores, a graphics processing unit, and/or a connection path (for example, a bus) for transmitting and receiving signals to and from other components.
The processor 1100 according to one embodiment executes one or more instructions stored in the memory 1200 and thereby carries out the operation of the payment system using DID-based biometric information authentication described with reference to FIGS. 4 to 9.
For example, by executing one or more instructions stored in the memory, the processor 1100 collects information on data uploads and downloads occurring at one or more nodes, records the collected information in a block, and, based on the information recorded in the block, provides relevant information to at least one node.
The processor 1100 may further include RAM (Random Access Memory) and ROM (Read-Only Memory) that temporarily and/or permanently store signals (or data) processed internally. The processor 1100 may also be implemented as a system on chip (SoC) including at least one of a graphics processing unit, RAM, and ROM.
The memory 1200 may store programs (one or more instructions) for processing and control by the processor 1100. The programs stored in the memory 1200 may be divided into a plurality of modules according to their functions.
The operations of the system described in connection with the embodiments of the present invention may be implemented directly in hardware, as a software module executed by hardware, or as a combination of the two. The software module may reside in RAM (Random Access Memory), ROM (Read Only Memory), EPROM (Erasable Programmable ROM), EEPROM (Electrically Erasable Programmable ROM), flash memory, a hard disk, a removable disk, a CD-ROM, or any form of computer-readable recording medium well known in the technical field to which the present invention pertains.
The components of the present invention may be implemented as a program (or application) and stored in a medium so as to be executed in combination with a computer, which is hardware. The components of the present invention may be implemented through software programming or software elements; similarly, the embodiments may be implemented in a programming or scripting language such as C, C++, Java, or assembler, including various algorithms implemented as combinations of data structures, processes, routines, or other programming constructs. Functional aspects may be implemented as algorithms running on one or more processors.
The embodiments described above are to be understood in all respects as illustrative and not restrictive, and the scope of the present invention is indicated by the claims that follow rather than by the detailed description above. The meaning and scope of the claims, and all changes and modifications derived from their equivalents, are to be construed as falling within the scope of the present invention.

Claims (5)

  1. In a payment system using biometric information authentication including a first user node, a blockchain node, a biometric information authentication server, an IDH server, an object storage, and a payment server, a payment system using DID-based biometric information authentication, comprising:
    a first user node that receives user biometric information as input and passes it to the biometric information authentication server, receives vector data on the user biometric information from the biometric information authentication server, and encrypts the vector data using the public key of the payment server and the private key of the first user node;
    a biometric information authentication server that extracts the vector data from the user biometric information received from the first user node and passes it to the first user node;
    an IDH server that receives the encrypted vector data from the first user node and registers it in the object storage, receives in return the storage location at which the encrypted vector data is stored within the object storage, and passes the storage location to the first user node; and
    a payment server that passes the DID of the payment server to the first user node, and receives from the first user node and stores the user DID, the HUB DID, the hashed user password, and the storage location.
  2. The payment system using DID-based biometric information authentication according to claim 1,
    wherein the first user node
    generates the private key of the first user node in a key generation module, generates a user password in a password generation module, generates the user DID and the HUB DID for using the IDH service using a DApp, and
    registers a DID document related to the user DID with the blockchain node.
  3. The payment system using DID-based biometric information authentication according to claim 2,
    wherein the IDH server checks, through JWS (JSON Web Signature) signing/verification, whether the first user node has ownership of the user DID.
  4. The payment system using DID-based biometric information authentication according to claim 1,
    further comprising a second user node at which, after an order request to a service provider server, biometric information authentication is selected as the payment method, the user password is entered, and then the user biometric information is entered,
    wherein the second user node
    transmits the entered user biometric information to the biometric information authentication server and receives from the biometric information authentication server the vector data extracted from the user biometric information.
  5. The payment system using DID-based biometric information authentication according to claim 4,
    wherein the second user node passes the hashed user password and the vector data to the payment server to request electronic payment,
    the payment server obtains the user DID, the HUB DID, and the storage location based on the hashed user password,
    the payment server connects to the IDH server and receives the encrypted vector data stored in the object storage, and
    the payment server decrypts the encrypted vector data using the public key of the first user node and the private key of the payment server, and then performs the electronic payment operation by comparing the vector data on the user biometric information received as input from the second user node with the decrypted vector data.
PCT/KR2022/006779 2022-03-16 2022-05-11 Payment system using did-based biometric authentication WO2023177013A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020220033044A KR20230135482A (en) 2022-03-16 2022-03-16 The payment system using biometric information authentication based on DID
KR10-2022-0033044 2022-03-16

Publications (1)

Publication Number Publication Date
WO2023177013A1 true WO2023177013A1 (en) 2023-09-21

Family

ID=88023510

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2022/006779 WO2023177013A1 (en) 2022-03-16 2022-05-11 Payment system using did-based biometric authentication

Country Status (2)

Country Link
KR (1) KR20230135482A (en)
WO (1) WO2023177013A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019125069A1 (en) * 2017-12-21 2019-06-27 바스아이디 랩 재팬 컴퍼니 리미티드 Authentication system using separation, then combination of personal information using blockchain
KR20210058608A (en) * 2019-11-13 2021-05-24 주식회사 유니허브랩 History management method, apparatus and program for preventing fake using blockchain

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101936758B1 (en) 2018-06-08 2019-01-11 주식회사 미탭스플러스 Encryption apparatus and method for integrity of information inquiry history

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Decentralized Identity - A look into Decentralized Identity (DID)", ANAR SOLUTIONS, 28 July 2019 (2019-07-28), XP093092681, Retrieved from the Internet <URL:https://anarsolutions.com/decentralized-identity/> [retrieved on 20231018] *
ANONYMOUS: "Identity Hubs ", MICROSOFT, 2 June 2020 (2020-06-02), pages 1 - 8, XP093092686, Retrieved from the Internet <URL:https://didproject.azurewebsites.net/docs/hub-overview.html> [retrieved on 20231018] *
KIM HO-YOON, KUN-HEE HAN , SEUNG-SOO SHIN: "A Model for Self-Authentication Based on Decentralized Identifier", JOURNAL OF CONVERGENCE FOR INFORMATION TECHNOLOGY, vol. 11, no. 11, 28 November 2021 (2021-11-28), pages 66 - 74, XP093092675, ISSN: 2586-4440, DOI: 10.22156/CS4SMB.2021.11.11.066 *

Also Published As

Publication number Publication date
KR20230135482A (en) 2023-09-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22932380

Country of ref document: EP

Kind code of ref document: A1