WO2024005419A1 - Electronic device for providing an encryption service, and operating method thereof - Google Patents

Info

Publication number
WO2024005419A1
Authority
WO
WIPO (PCT)
Prior art keywords
electronic device
external electronic
session key
key
data
Prior art date
Application number
PCT/KR2023/008366
Other languages
English (en)
Korean (ko)
Inventor
문의성
Original Assignee
삼성전자 주식회사 (Samsung Electronics Co., Ltd.)
Priority date
Filing date
Publication date
Priority claimed from KR1020220105026A (published as KR20240003681A)
Application filed by 삼성전자 주식회사 (Samsung Electronics Co., Ltd.)
Publication of WO2024005419A1

Classifications

    • G PHYSICS
      • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
        • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
          • G16Y 10/00 Economic sectors
            • G16Y 10/75 Information technology; Communication
          • G16Y 30/00 IoT infrastructure
            • G16Y 30/10 Security thereof
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L 9/40 Network security protocols
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 84/00 Network topologies
            • H04W 84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • This disclosure relates to an electronic device that provides encryption services and a method of operating the same.
  • Various services based on the Internet of Things (IoT) can be provided using various IoT devices.
  • Electronic devices such as smartphones can run applications for managing IoT devices.
  • Electronic devices such as mobile devices or IoT devices perform various functions using security data such as private information or cryptographic keys. If an electronic device storing such security data is attacked by a malicious user, the security data may be stolen.
  • IoT devices used in smart home environments can store or manage highly private personal data (e.g., door lock access records or captured images), and the theft of such personal data can cause great anxiety and discomfort to the user.
  • Many IoT devices lack the high-level security features (for example, a high-assurance storage area for storing encryption keys) that would meet the user's needs, so there may be a high risk of personal data being stolen.
  • An electronic device may include a communication circuit and at least one processor operatively connected to the communication circuit.
  • the at least one processor may be configured to receive an authentication request including unique information from an external electronic device that does not support a security function through the communication circuit.
  • the at least one processor may be configured to allocate a secure storage area for the external electronic device based on the unique information.
  • the at least one processor may be configured to generate a data encryption key for the external electronic device and store it in the secure storage area.
  • the at least one processor may be configured to generate a session key for session communication with the external electronic device.
  • the at least one processor may be configured to provide an encryption and/or decryption service based on the data encryption key to the external electronic device in response to a request from the external electronic device encrypted with the session key.
  • An electronic device may include a communication interface and at least one processor operatively connected to the communication interface.
  • the at least one processor may be configured to transmit an authentication request including unique information to an external electronic device supporting a security function through the communication interface.
  • the at least one processor may be configured to receive first session key generation information from the external electronic device.
  • the at least one processor may be configured to generate a session key for session communication with the external electronic device based on the first session key generation information.
  • the at least one processor may be configured to transmit second session key generation information for verification of the session key to the external electronic device.
  • the at least one processor may be configured to use an encryption and/or decryption service provided by the external electronic device based on the session key.
  • a method of operating an electronic device may include receiving an authentication request including unique information from an external electronic device that does not support a security function.
  • the method may include allocating a secure storage area for the external electronic device based on the unique information.
  • the method may include generating a data encryption key for the external electronic device and storing it in the secure storage area.
  • the method may include generating a session key for session communication with the external electronic device.
  • the method may include providing an encryption and/or decryption service based on the data encryption key to the external electronic device in response to a request from the external electronic device encrypted with the session key.
  • a method of operating an electronic device may include transmitting an authentication request including unique information to an external electronic device that supports a security function.
  • the method may include receiving first session key generation information from the external electronic device.
  • the method may include generating a session key for session communication with the external electronic device based on the first session key generation information.
  • the method may include transmitting second session key generation information for verification of the session key to the external electronic device.
  • the method may include using an encryption and/or decryption service provided by the external electronic device based on the session key.
  • A non-transitory computer-readable storage medium may store one or more programs which, when executed by at least one processor of an electronic device, cause the electronic device to: receive an authentication request containing unique information from an external electronic device that does not support a security function; allocate a secure storage area for the external electronic device based on the unique information; generate a data encryption key for the external electronic device and store it in the secure storage area; generate a session key for session communication with the external electronic device; and provide an encryption and/or decryption service based on the data encryption key to the external electronic device in response to a request from the external electronic device encrypted with the session key.
  • A non-transitory computer-readable storage medium may store one or more programs which, when executed by at least one processor of an electronic device, cause the electronic device to: transmit an authentication request containing unique information to an external electronic device that supports a security function; receive first session key generation information from the external electronic device; generate a session key for session communication with the external electronic device based on the first session key generation information; transmit second session key generation information for verification of the session key to the external electronic device; and use an encryption and/or decryption service provided by the external electronic device based on the session key.
  • FIG. 2 is a block diagram of an electronic device in a network environment, according to various embodiments.
  • Figure 3 is a diagram for explaining an IoT network according to an embodiment.
  • Figure 4 is a block diagram for explaining the configuration of an electronic device according to an embodiment.
  • Figure 5 is a block diagram for explaining the configuration of an external electronic device according to an embodiment.
  • FIG. 6 is a flowchart illustrating a procedure in which an electronic device provides an encryption service according to an embodiment.
  • FIG. 7 is a flowchart illustrating a procedure in which an external electronic device provides an encryption service according to an embodiment.
  • Figure 8 shows a signal flow diagram for explaining a procedure for performing device authentication and session key generation according to one embodiment.
  • Figure 9 shows an example of a user interface screen that confirms the use of a security element in an electronic device, according to an embodiment.
  • FIG. 10 is a flowchart illustrating a procedure in which an electronic device provides an encryption service according to an embodiment.
  • FIG. 11 is a flowchart illustrating a procedure in which an external electronic device uses an encryption service according to an embodiment.
  • Figure 12 shows a signal flow diagram to explain a procedure for providing encryption services according to an embodiment.
  • Figure 13 shows a signal flow diagram to explain a procedure for providing a decryption service according to an embodiment.
  • FIG. 14 is a diagram illustrating safe storage of a password according to an embodiment.
  • FIG. 15 is a diagram illustrating safe storage of image data according to an embodiment.
  • Figure 16 shows a signal flow diagram for explaining a procedure for updating a session key according to one embodiment.
  • FIG. 17 is a signal flow diagram illustrating a procedure for generating an asymmetric key for server authentication according to an embodiment.
  • FIG. 1 illustrates an Internet of Things (IoT) system 100 according to various embodiments. At least some of the components in FIG. 1 may be omitted, and additional components not shown may be included.
  • the IoT system 100 includes a plurality of electronic devices connectable to the data network 116 or 146.
  • the IoT system 100 may include at least one of a first IoT server 110, a first node 120, a voice assistance server 130, a second IoT server 140, a second node 150, or the devices 121, 122, 123, 124, 125, 136, 137, 151, 152, and 153.
  • the first IoT server 110 may include at least one of a communication interface 111, a processor 112, or a storage unit 113.
  • the second IoT server 140 may include at least one of a communication interface 141, a processor 142, or a storage unit 143.
  • An “IoT server” in this document refers to a server that can remotely control and/or monitor one or more devices (e.g., devices 121, 122, 123, 124, 125, 151, 152, and 153) based on a data network (e.g., data network 116 or data network 146), either through a relay device (e.g., first node 120 or second node 150) or directly without a relay device.
  • A “device” herein refers to a sensor, an appliance, an office electronic device, or a device for performing processes, and there is no restriction on its type.
  • a device that receives a control command and performs an operation corresponding to the control command may be named a “target device.”
  • the IoT server may be called a central server in that it selects a target device among a plurality of devices and provides control commands.
  • the first IoT server 110 may communicate with the devices 121, 122, and 123 through the data network 116.
  • Data network 116 may refer to a network for long-distance communication, such as the Internet or a computer network (e.g., LAN or WAN), or may include a cellular network.
  • the first IoT server 110 may be connected to the data network 116 through the communication interface 111.
  • the communication interface 111 may include a communication device (or communication module) supporting communication over the data network 116, and may be implemented as one integrated component (e.g., a single chip) or as a plurality of separate components (e.g., multiple chips).
  • the first IoT server 110 may communicate with the devices 121, 122, and 123 through the first node 120.
  • the first node 120 may receive data from the first IoT server 110 through the data network 116 and transmit the received data to at least some of the devices 121, 122, and 123.
  • the first node 120 may receive data from at least some of the devices 121, 122, and 123, and transmit the received data to the first IoT server 110 through the data network 116.
  • the first node 120 may function as a bridge between the data network 116 and the devices 121, 122, and 123. Although FIG. 1 shows only one first node 120, this is merely an example and the number of nodes is not limited.
  • a “node” in this document may be an edge computing system, or may be a hub device.
  • the first node 120 supports wired and/or wireless communication of the data network 116, and may also support wired and/or wireless communication with the devices 121, 122, and 123.
  • the first node 120 may be connected to the devices 121, 122, and 123 through a short-range communication network such as at least one of Bluetooth, Wi-Fi, Wi-Fi Direct, Z-Wave, ZigBee, INSTEON, X10, or IrDA (Infrared Data Association), but there is no limitation on the type of communication.
  • the first node 120 may be placed in an environment such as a home, office, factory, building, external location, or other type of premises (or location). Accordingly, the devices 121, 122, and 123 can be monitored and/or controlled by the service provided by the first IoT server 110 without requiring full network communication capability (e.g., Internet communication) for a direct connection to the first IoT server 110.
  • Devices 121, 122, and 123 are shown as electronic devices in a home environment, such as a light switch, a proximity sensor, or a temperature sensor, but this is illustrative and not limiting.
  • the first IoT server 110 may support direct communication with the devices 124 and 125.
  • direct communication may mean communication that does not go through a relay device such as the first node 120, for example, communication through a cellular communication network and/or a data network.
  • the first IoT server 110 may transmit a control command to at least some of the devices 121, 122, 123, 124, and 125.
  • A control command may mean data that causes a controllable device to perform a specific operation; the operation may include outputting information, sensing information, reporting information, or managing information (e.g., deletion or creation), and there is no limit to its type.
  • the processor 112 may obtain information from an external source (e.g., the voice assistant server 130, the second IoT server 140, the external system 160, or at least some of the devices 121, 122, 123, 124, and 125) and generate a control command based on the obtained information.
  • the processor 112 may generate a control command based on the monitoring results of at least some of the devices 121, 122, 123, 124, and 125 satisfying specified conditions.
  • the processor 112 may control the communication interface 111 to transmit control commands to the target device.
  • the processor 112, the processor 132, or the processor 142 may be implemented as one or a combination of a general-purpose processor such as a central processing unit (CPU), a digital signal processor (DSP), an application processor (AP), or a communication processor (CP), a graphics-specific processor such as a graphical processing unit (GPU) or a vision processing unit (VPU), or an artificial-intelligence-specific processor such as a neural processing unit (NPU).
  • the processor 112 may configure a web-based interface based on the API 114 or expose resources managed by the first IoT server 110 to the outside.
  • the web-based interface may support communication between the first IoT server 110 and an external web service, for example.
  • the processor 112 may, for example, allow the external system 160 to control and/or access the devices 121, 122, and 123.
  • External system 160 may be, for example, an independent system that is not related to or part of system 100.
  • External system 160 may be, for example, an external server or a website. However, security is required for access from the external system 160 to the devices 121, 122, and 123 or to the resources of the first IoT server 110.
  • the processor 112 and the automation application may expose an API endpoint (e.g., a uniform resource locator (URL)) based on the API 114 to the outside.
  • the first IoT server 110 may transmit a control command to the target device among the devices 121, 122, and 123.
  • the description of the communication interface 141, the processor 142, and the storage unit 143 with its API 144 and database 145 of the second IoT server 140 may be substantially the same as the description of the communication interface 111, the processor 112, and the storage unit 113 with its API 114 and database 115 of the first IoT server 110.
  • the description of the second node 150 may be substantially the same as the description of the first node 120.
  • the second IoT server 140 may transmit a control command to a target device among the devices 151, 152, and 153.
  • the first IoT server 110 and the second IoT server 140 may be operated by the same service provider in one embodiment, but may be operated by different service providers in another embodiment.
  • the voice assistant server 130 may transmit and receive data with the first IoT server 110 through the data network 116.
  • the voice assistant server 130 may include at least one of a communication interface 131, a processor 132, and a storage unit 133.
  • the communication interface 131 may communicate with the smart phone 136 or the AI speaker 137 through a data network (not shown) and/or a cellular network (not shown).
  • the smart phone 136 or the AI speaker 137 may include a microphone, acquire a user voice, convert it into a voice signal, and transmit the voice signal to the voice assistant server 130.
  • the processor 132 may receive a voice signal from the smart phone 136 or the AI speaker 137 through the communication interface 131.
  • the processor 132 may process the received voice signal based on the stored model 134.
  • the processor 132 may generate (or confirm) a control command using the processing result based on information stored in the database 135.
  • the storage units 113, 133, and 143 may include at least one type of non-transitory storage medium among flash memory, a hard disk, a multimedia card micro, card-type memory (e.g., SD memory), other memory, magnetic memory, a magnetic disk, and an optical disk, and there is no limit to its type.
  • At least one device communicating with the first IoT server 110 may be a smartphone (e.g., electronic device 201 of FIG. 2) in a network environment.
  • FIG. 2 is a block diagram of an electronic device 201 in a network environment 200, according to various embodiments.
  • the electronic device 201 may communicate with the electronic device 202 through the first network 298 (e.g., a short-range wireless communication network), or with at least one of the electronic device 204 or the server 208 through the second network 299 (e.g., a long-distance wireless communication network). According to one embodiment, the electronic device 201 may communicate with the electronic device 204 through the server 208.
  • the electronic device 201 may include a processor 220, a memory 230, an input module 250, an audio output module 255, a display module 260, an audio module 270, a sensor module 276, an interface 277, a connection terminal 278, a haptic module 279, a camera module 280, a power management module 288, a battery 289, a communication module 290, a subscriber identification module 296, or an antenna module 297.
  • at least one of these components (e.g., the connection terminal 278) may be omitted, or one or more other components may be added to the electronic device 201.
  • some of these components (e.g., sensor module 276, camera module 280, or antenna module 297) may be integrated into one component (e.g., display module 260).
  • Processor 220 may execute software (e.g., program 240) to control at least one other component (e.g., a hardware or software component) of the electronic device 201 connected to the processor 220, and may perform various data processing or computations. According to one embodiment, as at least part of the data processing or computation, the processor 220 may store instructions or data received from another component (e.g., the sensor module 276 or the communication module 290) in the volatile memory 232, process the instructions or data stored in the volatile memory 232, and store the resulting data in the non-volatile memory 234.
  • the processor 220 may include a main processor 221 (e.g., a central processing unit or an application processor) or an auxiliary processor 223 (e.g., a graphics processing unit, a neural processing unit (NPU), an image signal processor, a sensor hub processor, or a communication processor) that can operate independently of or together with the main processor 221.
  • When the electronic device 201 includes a main processor 221 and an auxiliary processor 223, the auxiliary processor 223 may be configured to use less power than the main processor 221 or to be specialized for a designated function.
  • the auxiliary processor 223 may be implemented separately from the main processor 221 or as part of it.
  • the auxiliary processor 223 may, for example, control at least some of the functions or states related to at least one of the components of the electronic device 201 (e.g., the display module 260, the sensor module 276, or the communication module 290) on behalf of the main processor 221 while the main processor 221 is in an inactive (e.g., sleep) state, or together with the main processor 221 while the main processor 221 is in an active (e.g., application execution) state. According to one embodiment, the auxiliary processor 223 (e.g., an image signal processor or a communication processor) may be implemented as part of another functionally related component (e.g., the camera module 280 or the communication module 290).
  • the auxiliary processor 223 may include a hardware structure specialized for processing artificial intelligence models.
  • Artificial intelligence models can be created through machine learning. For example, such learning may be performed in the electronic device 201 itself, on which the artificial intelligence model runs, or through a separate server (e.g., server 208).
  • Learning algorithms may include, for example, supervised learning, unsupervised learning, semi-supervised learning, or reinforcement learning, but are not limited thereto.
  • An artificial intelligence model may include multiple artificial neural network layers.
  • Artificial neural networks may be one of a deep neural network (DNN), a convolutional neural network (CNN), a recurrent neural network (RNN), a restricted Boltzmann machine (RBM), a deep belief network (DBN), a bidirectional recurrent deep neural network (BRDNN), or a deep Q-network, or a combination of two or more of these, but are not limited to the examples described above.
  • artificial intelligence models may additionally or alternatively include software structures.
  • the memory 230 may store various data used by at least one component (eg, the processor 220 or the sensor module 276) of the electronic device 201. Data may include, for example, input data or output data for software (e.g., program 240) and instructions related thereto.
  • Memory 230 may include volatile memory 232 or non-volatile memory 234.
  • the program 240 may be stored as software in the memory 230 and may include, for example, an operating system 242, middleware 244, or application 246.
  • the input module 250 may receive commands or data to be used in a component of the electronic device 201 (e.g., the processor 220) from outside the electronic device 201 (e.g., a user).
  • the input module 250 may include, for example, a microphone, a mouse, a keyboard, keys (e.g., buttons), or a digital pen (e.g., a stylus pen).
  • the sound output module 255 may output sound signals to the outside of the electronic device 201.
  • the sound output module 255 may include, for example, a speaker or a receiver. Speakers can be used for general purposes such as multimedia playback or recording playback.
  • the receiver can be used to receive incoming calls. According to one embodiment, the receiver may be implemented separately from the speaker or as part of it.
  • the display module 260 can visually provide information to the outside of the electronic device 201 (e.g., a user).
  • the display module 260 may include, for example, a display, a hologram device, or a projector, and a control circuit for controlling the device.
  • the display module 260 may include a touch sensor configured to detect a touch, or a pressure sensor configured to measure the intensity of force generated by the touch.
  • the audio module 270 can convert sound into an electrical signal or, conversely, convert an electrical signal into sound. According to one embodiment, the audio module 270 may acquire sound through the input module 250, or output sound through the sound output module 255 or an external electronic device (e.g., an electronic device 202 such as a speaker or headphones) connected directly or wirelessly to the electronic device 201.
  • the sensor module 276 may detect the operating state (e.g., power or temperature) of the electronic device 201 or the external environmental state (e.g., user state) and generate an electrical signal or data value corresponding to the detected state.
  • the sensor module 276 may include, for example, a gesture sensor, a gyro sensor, an air pressure sensor, a magnetic sensor, an acceleration sensor, a grip sensor, a proximity sensor, a color sensor, an infrared (IR) sensor, a biometric sensor, a temperature sensor, a humidity sensor, or a light sensor.
  • the interface 277 may support one or more designated protocols that can be used to connect the electronic device 201 directly or wirelessly with an external electronic device (e.g., the electronic device 202).
  • the interface 277 may include, for example, a high definition multimedia interface (HDMI), a universal serial bus (USB) interface, a secure digital (SD) card interface, or an audio interface.
  • the connection terminal 278 may include a connector through which the electronic device 201 can be physically connected to an external electronic device (e.g., the electronic device 202).
  • the connection terminal 278 may include, for example, an HDMI connector, a USB connector, an SD card connector, or an audio connector (e.g., a headphone connector).
  • the haptic module 279 can convert electrical signals into mechanical stimulation (e.g., vibration or movement) or electrical stimulation that the user can perceive through tactile or kinesthetic senses.
  • the haptic module 279 may include, for example, a motor, a piezoelectric element, or an electrical stimulation device.
  • the camera module 280 can capture still images and moving images.
  • the camera module 280 may include one or more lenses, image sensors, image signal processors, or flashes.
  • the power management module 288 can manage power supplied to the electronic device 201.
  • the power management module 288 may be implemented as at least a part of, for example, a power management integrated circuit (PMIC).
  • Battery 289 may supply power to at least one component of electronic device 201.
  • the battery 289 may include, for example, a non-rechargeable primary battery, a rechargeable secondary battery, or a fuel cell.
  • Communication module 290 may support the establishment of a direct (e.g., wired) or wireless communication channel between electronic device 201 and an external electronic device (e.g., electronic device 202, electronic device 204, or server 208), and communication through the established channel. Communication module 290 may operate independently of processor 220 (e.g., an application processor) and may include one or more communication processors that support direct (e.g., wired) communication or wireless communication.
  • the communication module 290 may include a wireless communication module 292 (e.g., a cellular communication module, a short-range wireless communication module, or a global navigation satellite system (GNSS) communication module) or a wired communication module 294 (e.g., a local area network (LAN) communication module or a power line communication module).
  • the corresponding communication module may communicate with an external electronic device 204 through a first network 298 (e.g., a short-range communication network such as Bluetooth, wireless fidelity (WiFi) direct, or infrared data association (IrDA)) or a second network 299 (e.g., a telecommunication network such as a legacy cellular network, a 5G network, a next-generation communication network, the Internet, or a computer network (e.g., LAN or WAN)).
  • the wireless communication module 292 may identify or authenticate the electronic device 201 within a communication network such as the first network 298 or the second network 299 using subscriber information (e.g., an International Mobile Subscriber Identifier (IMSI)) stored in the subscriber identification module 296.
  • the wireless communication module 292 may support a 5G network following a 4G network and next-generation communication technology, for example, new radio (NR) access technology.
  • NR access technology may support high-speed transmission of high-capacity data (enhanced mobile broadband (eMBB)), minimization of terminal power and access by multiple terminals (massive machine type communications (mMTC)), or high reliability and low latency (ultra-reliable and low-latency communications (URLLC)).
  • the wireless communication module 292 may support high frequency bands (e.g., mmWave bands), for example, to achieve high data rates.
  • the wireless communication module 292 may support various technologies for securing performance in a high frequency band, for example, beamforming, massive multiple-input and multiple-output (MIMO), full-dimensional MIMO (FD-MIMO), array antenna, analog beamforming, or large scale antenna.
  • the wireless communication module 292 may support various requirements specified in the electronic device 201, an external electronic device (e.g., electronic device 204), or a network system (e.g., second network 299).
  • the wireless communication module 292 may support a peak data rate (e.g., 20 Gbps or more) for realizing eMBB, loss coverage (e.g., 164 dB or less) for realizing mMTC, or U-plane latency (e.g., 164 dB or less) for realizing URLLC.
  • the antenna module 297 may transmit or receive signals or power to or from the outside (e.g., an external electronic device).
  • the antenna module 297 may include an antenna including a radiator made of a conductor or a conductive pattern formed on a substrate (e.g., PCB).
  • the antenna module 297 may include a plurality of antennas (e.g., an array antenna). In this case, at least one antenna suitable for the communication method used in a communication network such as the first network 298 or the second network 299 may be selected from the plurality of antennas by, for example, the communication module 290. Signals or power may be transmitted or received between the communication module 290 and an external electronic device through the at least one selected antenna.
  • other components (e.g., a radio frequency integrated circuit (RFIC)) may be additionally formed as part of the antenna module 297.
  • the antenna module 297 may form a mmWave antenna module.
  • a mmWave antenna module may include a printed circuit board, an RFIC disposed on or adjacent to a first side (e.g., bottom side) of the printed circuit board and capable of supporting a designated high frequency band (e.g., mmWave band), and a plurality of antennas (e.g., array antennas) disposed on or adjacent to a second side (e.g., top or side) of the printed circuit board and capable of transmitting or receiving signals in the designated high frequency band.
  • peripheral devices e.g., bus, general purpose input and output (GPIO), serial peripheral interface (SPI), or mobile industry processor interface (MIPI)
  • signal e.g. commands or data
  • commands or data may be transmitted or received between the electronic device 201 and the external electronic device 204 through the server 208 connected to the second network 299.
  • Each of the external electronic devices 202 or 204 may be of the same or different type as the electronic device 201.
  • all or part of the operations performed in the electronic device 201 may be executed in one or more of the external electronic devices 202, 204, or 208.
  • instead of (or in addition to) executing a function or service on its own, the electronic device 201 may request one or more external electronic devices to perform at least part of the function or service.
  • One or more external electronic devices that have received the request may execute at least part of the requested function or service, or an additional function or service related to the request, and transmit the result of the execution to the electronic device 201.
  • the electronic device 201 may process the result as is or additionally and provide it as at least part of a response to the request.
  • For this purpose, cloud computing, distributed computing, mobile edge computing (MEC), or client-server computing technology may be used, for example.
  • the electronic device 201 may provide an ultra-low latency service using, for example, distributed computing or mobile edge computing.
  • the external electronic device 204 may include an Internet of Things (IoT) device.
  • Server 208 may be an intelligent server using machine learning and/or neural networks.
  • the external electronic device 204 or server 208 may be included in the second network 299.
  • the electronic device 201 may be applied to intelligent services (e.g., smart home, smart city, smart car, or healthcare) based on 5G communication technology and IoT-related technology.
  • Figure 3 is a diagram for explaining an IoT network according to an embodiment.
  • the IoT network 300 may include an electronic device 201 capable of communicating with a server 310 through network communication (e.g., the Internet), and at least one external electronic device 320 that supports IoT technology and is capable of communicating with the server 310 or the electronic device 201 through network communication (e.g., the Internet), for example a controlled device such as a television 320a, a refrigerator 320b, a washing machine 320d, a light 320e, or a CCTV 320b.
  • the external electronic device 320 may communicate with the electronic device 201 and/or the server 310 through a hub device (not shown).
  • the electronic device 201 may communicate with the external electronic device 320 via the server 310, via a hub device (not shown), via long-range wireless communication (e.g., the second network 299), or via short-range wireless communication (e.g., the first network 298).
  • the external electronic device 320 may be controlled (e.g., report status and/or execute a specific function) by a remote command (e.g., a control command of the electronic device 201 or the server 310), and may include, for example, at least one of a television, an air conditioner, a refrigerator, a washing machine, a lighting device, a security camera, a sensor, or a window treatment.
  • the external electronic device 320 may communicate directly with the electronic device 201 (for example, without going through the server 310 or a hub device).
  • the external electronic device 320 may be connected to the electronic device 201 via long-range wireless communication (e.g., second network 299) or short-range wireless communication (e.g., first network 298).
  • the external electronic device 320 may be configured to communicate with the server 310 via long-range wireless communication (e.g., the second network 299) or short-range wireless communication (e.g., the first network 298).
  • the electronic device 201 may check the status of the external electronic device 320 that the user will use for the IoT control service, or may transmit a control command instructing the external electronic device 320 to execute a specified function (for example, reading personal information) in order to control it.
  • the electronic device 201 can discover the external electronic device 320 and authenticate the discovered external electronic device 320.
  • the external electronic device 320 may be registered with the server 310 to be associated with a user account.
  • the electronic device 201 can monitor and control the external electronic device 320 registered in the server 310 using the user account.
  • the electronic device 201 may be a personal electronic device, such as a smart phone, tablet, or wearable device, or an electronic device that includes a display and a user interface, such as a television or control console.
  • the electronic device 201 supports a security function (e.g., security element 420) of a designated high security level and may perform encryption and/or decryption of data.
  • the external electronic device 320 may not support a security function of the required level (e.g., a security element), and may use encryption and/or decryption services through the security function of the electronic device 201.
  • Figure 4 is a block diagram for explaining the configuration of an electronic device according to an embodiment.
  • an electronic device may include an application processor (AP) 410 and a security element (SE) 420.
  • the application processor 410 and the security element 420 may be included in at least one processor 220 of the electronic device 201.
  • the application processor 410 may execute an application (e.g., a client application) capable of controlling at least one external electronic device 320.
  • the application processor 410 may communicate with the external electronic device 320 through execution of the client application.
  • the secure element 420 may be implemented as a system on chip that includes a secure storage area 422 (e.g., internal memory).
  • the secure storage area 422 may be a unique storage space included in the secure element 420.
  • the security element 420 may perform attack protection, secure key generation, and/or secure storage functions, providing a strong security mechanism that keeps the data within it (e.g., within the secure storage area 422) safe even if the application processor 410 is hacked.
  • the security element 420 may provide a security level of at least EAL 6 or EAL 6 augmented (EAL6+) among the seven evaluation assurance levels (EALs) defined to standardize the assurance level of information security products in the Common Criteria (CC).
  • the security element 420 of EAL 6 or higher may provide a higher level of security functionality than a hardware security module (HSM) of EAL 4, a virtual private network (VPN) of EAL 3, or a trusted execution environment (TEE) of EAL 2.
  • the security element 420 may generate a data encryption key (D_key) 424 to be used for encryption or decryption for the external electronic device 320, and may safely store the data encryption key 424 in the secure storage area 422 of a specified security level (for example, EAL 6 or higher).
  • the application processor 410 may transmit data requiring encryption or decryption of the external electronic device 320 and a request for encryption or decryption to the security element 420.
  • the security element 420 may encrypt or decrypt the data using the data encryption key 424 in response to the request, and then provide the resulting data (e.g., encrypted data or decrypted data) to the external electronic device 320 through the application processor 410.
  • the data encryption key 424 is used for encryption or decryption inside the security element 420 and may be safely stored in the secure storage area 422 of the security element 420 without being leaked to the outside of the security element 420.
  • the secure storage area 422 may further store key-related information (key_info) 426 to be used for secure communication with the external electronic device 320.
  • the key-related information 426 may include at least a secret key among the asymmetric key pair for the external electronic device 320 to use for server authentication.
  • the security element 420 may generate the asymmetric key pair and provide one of the asymmetric key pair, for example, a public key, to the external electronic device 320.
  • the external electronic device 320 can obtain authentication to use the cloud service with the server 310 using the public key.
  • the key-related information 426 may further include the other one of the asymmetric key pair, for example, the public key.
  • the public key may be included in the key-related information 426 and safely stored in the secure storage area 422, or may be stored in another storage area of the electronic device 201.
  • the external electronic device 320 may be registered with the electronic device 201 to initiate communication with the electronic device 201. In one embodiment, when the external electronic device 320 is first installed or booted (or powered on), or when the external electronic device 320 communicates with the electronic device 201 for the first time, the external electronic device 320 may be registered in the electronic device 201. In one embodiment, the registration procedure for the external electronic device 320 may include at least one of an operation by the electronic device 201 of authenticating (or identifying) the external electronic device 320, an operation of storing unique information (e.g., a serial number (SN) or media access control (MAC) address) of the external electronic device 320 in a memory (e.g., memory 230), or an operation of generating security data (e.g., a session key 428 and/or a data encryption key 424).
  • when the external electronic device 320 is registered with the electronic device 201, the electronic device 201 may generate a session key 428 for communication with the external electronic device 320 through the security element 420.
  • the session key 428 may be generated at the request of the external electronic device 320 every time the external electronic device 320 boots.
  • session key 428 may be used to ensure secure end-to-end communication between external electronic device 320 and secure element 420.
  • session key 428 may be stored within secure storage area 422 of secure element 420.
  • the session key 428 may have a designated lifetime, and may be deleted (or deactivated) by the security element 420 when the lifetime has elapsed.
  • the session key 428 stored in the secure storage area 422 of the secure element 420 may be deleted (or deactivated).
  • the application processor 410 may execute a client application to control the external electronic device 320.
  • the application processor 410 may support communication between the external electronic device 320 and the security element 420.
  • the application processor 410 may receive data and a request for encryption or decryption (hereinafter referred to as encryption/decryption) from the external electronic device 320 and transmit the data and the request to the security element 420.
  • the application processor 410 may convert a message (for example, a request message) received from the external electronic device 320 into the application protocol data unit (APDU) format used for communication between the external electronic device 320 and the security element 420 and transmit it to the security element 420, or may convert an APDU received from the security element 420 into a message in a format that the external electronic device 320 can understand and transmit it to the external electronic device 320.
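As an added illustration of the framing the application processor performs (example code, not the patent's or Samsung's), the following Go block encodes a device request as an ISO 7816-4 short-length command APDU for the secure element and checks the status word of the response before anything is relayed back; the class/instruction bytes, the slot parameter and the sample bytes are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// CommandAPDU is an ISO 7816-4 short-length command: CLA INS P1 P2 [Lc data] [Le].
type CommandAPDU struct {
	CLA, INS, P1, P2 byte
	Data             []byte
	Le               int // 0 = no Le field; 1..256 = expected response length (256 is sent as 0x00)
}

// Encode serialises the command. Payloads over 255 bytes would need the extended-length
// form, which this example does not implement, so they are rejected rather than truncated.
func (c CommandAPDU) Encode() ([]byte, error) {
	if len(c.Data) > 255 {
		return nil, errors.New("data exceeds short-form Lc; extended length not supported")
	}
	if c.Le < 0 || c.Le > 256 {
		return nil, errors.New("Le out of range for short form")
	}
	out := []byte{c.CLA, c.INS, c.P1, c.P2}
	if len(c.Data) > 0 {
		out = append(out, byte(len(c.Data)))
		out = append(out, c.Data...)
	}
	if c.Le > 0 {
		out = append(out, byte(c.Le)) // 256 wraps to 0x00, the short-form encoding of "up to 256"
	}
	return out, nil
}

// ParseResponse splits a response APDU into its data and status word. Anything other
// than 0x9000 is reported as an error so the AP never forwards a partial result to the
// device as if it were valid (0x61xx/0x6Cxx retry cases are not handled here).
func ParseResponse(resp []byte) (data []byte, sw uint16, err error) {
	if len(resp) < 2 {
		return nil, 0, errors.New("response shorter than the two-byte status word")
	}
	sw = uint16(resp[len(resp)-2])<<8 | uint16(resp[len(resp)-1])
	data = resp[:len(resp)-2]
	if sw != 0x9000 {
		return data, sw, fmt.Errorf("secure element returned status word %04X", sw)
	}
	return data, sw, nil
}

// Hypothetical applet interface assumed for this example (not taken from the patent):
// CLA 0x80, INS 0x10 = encrypt with D_key, INS 0x20 = decrypt with D_key, and P1 = the
// slot the AP associated with the external device's serial number at registration.
const (
	claSE      = 0x80
	insEncrypt = 0x10
	insDecrypt = 0x20
)

// WrapRequest builds the command APDU the AP hands to the SE for one device request.
// body is the request payload exactly as received (already encrypted under the session key).
func WrapRequest(decrypt bool, slot byte, body []byte) ([]byte, error) {
	ins := byte(insEncrypt)
	if decrypt {
		ins = insDecrypt
	}
	return CommandAPDU{CLA: claSE, INS: ins, P1: slot, Data: body, Le: 256}.Encode()
}

func main() {
	cmd, err := WrapRequest(false, 1, []byte{0xAA, 0xBB}) // constructed sample payload
	fmt.Printf("command APDU: % X (err=%v)\n", cmd, err)
	data, sw, err := ParseResponse([]byte{0xDE, 0xAD, 0x90, 0x00}) // constructed sample response
	fmt.Printf("response data: % X sw=%04X err=%v\n", data, sw, err)
}
```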
  • Figure 5 is a block diagram for explaining the configuration of an external electronic device according to an embodiment.
  • an external electronic device (e.g., external electronic device 320) may include a processor 510, a communication interface 520, a memory 530, and a unique function unit 540.
  • the unique function unit 540 is hardware and/or software that performs the unique function of the external electronic device 320 (for example, a television reception circuit, a motor control module of a washing machine, or a CCTV filming module) under the control of the processor 510.
  • processor 510 may include processing circuitry that communicates with electronic device 201 (e.g., application processor 410) and/or server 310 through communication interface 520.
  • the communication interface 520 may communicate with the electronic device 201 using a communication method (e.g., the first network 298) such as at least one of Bluetooth, Wi-Fi, Wi-Fi Direct, Z-Wave, ZigBee, or IrDA.
  • the communication interface 520 may communicate with the server 310 using a communication method (e.g., the second network 299) such as at least one of Wi-Fi or a cellular network.
  • the processor 510 may register with the electronic device 201 by sending an authentication request through the communication interface 520 when it first communicates with the electronic device 201 after power-on or booting. In one embodiment, the processor 510 may request generation of a data encryption key (e.g., data encryption key 424) by transmitting an authentication request to the electronic device 201 through the communication interface 520.
  • the processor 510 may transmit data requiring encryption and an encryption request to the electronic device 201, and may receive data encrypted with the data encryption key from the electronic device 201 in response. In one embodiment, the processor 510 may transmit data requiring decryption and a decryption request to the electronic device 201, and may receive data decrypted with the data encryption key from the electronic device 201 in response.
  • processor 510 may share the same session key (e.g., session key 428) with electronic device 201 when registered with electronic device 201.
  • the processor 510 may encrypt a message containing data and an encryption/decryption request using a session key and transmit it to the electronic device 201.
  • the processor 510 may decrypt a message received from the electronic device 201 using a session key to obtain encrypted/decrypted data.
  • the session key may be stored in memory 530 (e.g., volatile memory) for a specified validity time, and may be erased (or deactivated) from memory 530 when the specified validity time elapses or when the external electronic device 320 is powered off or rebooted.
  • FIG. 6 is a flowchart illustrating a procedure in which an electronic device provides an encryption service according to an embodiment. At least one of the operations described below may be executed by a processor (e.g., processor 220) of the electronic device 201. According to embodiments, at least one of the operations described below may be omitted, modified, or changed in order.
  • the electronic device 201 may receive an authentication request from the external electronic device 320.
  • the authentication request may include unique information (e.g., serial number or MAC address) of the external electronic device 320.
  • the authentication request may include an indicator indicating that the external electronic device 320 requests encryption/decryption service by the security element 420.
  • the electronic device 201 (e.g., the processor 220) may allocate a secure storage area (e.g., the secure storage area 422) for the external electronic device 320.
  • secure storage area 422 may be some storage space within the non-volatile memory of secure element 420.
  • secure element 420 may provide a security level of EAL 6 or higher for secure storage area 422.
  • when the electronic device 201 (e.g., the processor 220) receives a user input (e.g., user input 910 of FIG. 9) allowing the external electronic device 320 to utilize the secure element 420, operations 610, 615, 620, and 645 may be executed.
  • the electronic device 201 (e.g., processor 220) may generate a data encryption key (e.g., data encryption key 424) for the external electronic device 320 and store the data encryption key in the secure storage area 422.
  • the electronic device 201 (e.g., the processor 220) may generate a session key (e.g., the session key 428) to be used for session communication with the external electronic device 320.
  • the session key may be an encryption key used to encrypt messages on a communication session with the external electronic device 320.
  • operation 620 may include at least one of operation 625, operation 630, operation 635, or operation 640.
  • the electronic device 201 (e.g., the processor 220) may transmit first session key generation information (e.g., including at least one of at least one random number value, a public key (PK), or a certificate) for device authentication of the external electronic device 320 to the external electronic device 320.
  • the electronic device 201 (e.g., the processor 220) may receive second session key generation information (e.g., including at least one of at least one random number value or at least one public key) from the external electronic device 320 that has succeeded in device authentication.
  • the electronic device 201 may generate a session key for session communication with the external electronic device 320 based on the second session key generation information.
  • the session key may be generated using a public key included in the second session key generation information, and may be verified by a random number value included in the second session key generation information.
  • the external electronic device 320 may generate and store the same session key based on the first session key generation information.
  • the electronic device 201 (e.g., the processor 220) may transmit session key verification information to the external electronic device 320; the session key verification information may include at least one random number encrypted by the session key.
  • the external electronic device 320 may confirm that the external electronic device 320 shares the same session key as the electronic device 201 based on the session key verification information.
  • the electronic device 201 may provide an encryption and decryption service based on the data encryption key to the external electronic device 320 in response to a request (e.g., an encryption request or a decryption request) from the external electronic device 320 that is encrypted with the session key.
  • the encryption service may include receiving data and encryption requests and transmitting encrypted data according to the procedure of FIG. 12.
  • the decryption service may include receiving data and a decryption request and transmitting the decrypted data according to the procedure of FIG. 13.
  • FIG. 7 is a flowchart illustrating a procedure in which an external electronic device uses an encryption service according to an embodiment. At least one of the operations described below may be executed by a processor (e.g., processor 220) of the external electronic device 320. According to embodiments, at least one of the operations described below may be omitted, modified, or changed in order.
  • the external electronic device 320 may transmit an authentication request to the electronic device 201.
  • the authentication request may be transmitted when the external electronic device 320 is powered on or booted, or when the external electronic device 320 determines that encrypted communication is necessary, and may include unique information (for example, a serial number) of the external electronic device 320.
  • the authentication request may include an indicator indicating that the external electronic device 320 requests encryption/decryption service by the security element 420.
  • the external electronic device 320 (e.g., processor 510) may generate a session key to be used for session communication with the electronic device 201.
  • operation 710 may include at least one of operation 715, operation 720, operation 725, operation 730, operation 735, or operation 740.
  • operation 710 may include at least operations 715, 730, and 735.
  • the external electronic device 320 may receive first session key generation information (e.g., at least one random number value, at least one public key, or a certificate) for device authentication of the external electronic device 320 from the electronic device 201.
  • the external electronic device 320 may transmit a verification request for device authentication of the external electronic device 320 to the server 310.
  • the verification request may include unique information (e.g., serial number) for identifying the external electronic device 320.
  • the external electronic device 320 may receive a verification key from the server 310 and verify the certificate in the first session key generation information using the verification key, thereby succeeding in device authentication.
  • the external electronic device 320 may generate a session key using the public key in the first session key generation information.
  • the external electronic device 320 (e.g., processor 510) may transmit second session key generation information (e.g., including at least one of at least one random number value or at least one public key) to the electronic device 201.
  • the external electronic device 320 (e.g., processor 510) may receive session key verification information (e.g., including at least one random number value) from the electronic device 201 and, based on this, confirm that the electronic device 201 shares the same session key as the external electronic device 320.
  • the external electronic device 320 may use the encryption service and/or decryption service of the electronic device 201 based on the session key.
  • the encryption service may include sending data and encryption requests and receiving encrypted data according to the procedure of FIG. 12.
  • the decryption service may include transmitting data and a decryption request and receiving decrypted data according to the procedure of FIG. 13.
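The session key establishment of FIGs. 6 and 7, using the ECKA ephemeral key pair that the FIG. 8 description mentions, as an added Go example that is not the patent's or Samsung's code: both sides are simulated in one process, the key derivation function (HMAC-SHA256 over the shared secret and both random numbers) and the AES-GCM wrapping of the verification value are assumptions of this example, and the device's certificate check against the server is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// mustRandom returns n bytes from the OS CSPRNG; a failing RNG is not recoverable here.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-GCM for a 16-, 24- or 32-byte key (the session key below is 32 bytes).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts msg under key; the random 12-byte nonce is prepended to the output.
func seal(key, msg []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, msg, nil), nil
}

// open reverses seal; a wrong key or a modified ciphertext fails authentication.
func open(key, box []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(box) >= n {
		return g.Open(nil, box[:n], box[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// sessionKey derives a 256-bit session key from the ECKA shared secret and both random
// numbers (first and second session key generation information); HMAC-SHA256 as KDF is assumed.
func sessionKey(own *ecdh.PrivateKey, peerPK *ecdh.PublicKey, randSE, randDev []byte) ([]byte, error) {
	shared, err := own.ECDH(peerPK)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, shared)
	mac.Write(randSE)
	mac.Write(randDev)
	return mac.Sum(nil), nil
}

// EstablishSession plays both sides of operations 625-640 / 715-740 in one process: each
// side sends a random number and an ephemeral P-256 public key (the ECKA ePK), both derive
// the session key, and the SE proves possession by returning the device's random number
// encrypted under it. The server-side certificate verification is omitted.
func EstablishSession() (seKey, devKey []byte, verified bool, err error) {
	seSK, err := ecdh.P256().GenerateKey(rand.Reader) // SE's eSK; its ePK is seSK.PublicKey()
	if err != nil {
		return nil, nil, false, err
	}
	devSK, err := ecdh.P256().GenerateKey(rand.Reader) // device's eSK/ePK
	if err != nil {
		return nil, nil, false, err
	}
	randSE, randDev := mustRandom(16), mustRandom(16) // exchanged together with the ePKs
	if seKey, err = sessionKey(seSK, devSK.PublicKey(), randSE, randDev); err != nil {
		return nil, nil, false, err
	}
	if devKey, err = sessionKey(devSK, seSK.PublicKey(), randSE, randDev); err != nil {
		return nil, nil, false, err
	}
	proof, err := seal(seKey, randDev) // session key verification information (operation 640)
	if err != nil {
		return nil, nil, false, err
	}
	got, err := open(devKey, proof) // device-side check (operation 740)
	return seKey, devKey, err == nil && bytes.Equal(got, randDev), nil
}

func main() {
	_, _, ok, err := EstablishSession()
	fmt.Println("session key verified:", ok, "error:", err)
}
```

Because the ephemeral key pairs and random numbers are fresh per run, a second call yields a different session key, which is what the per-boot session key of the description requires.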
  • Figure 8 shows a signal flow diagram (sequence diagram) to explain a procedure for performing device authentication and session key generation according to an embodiment. At least some of the operations described below may be omitted, modified, or changed in order.
  • the external electronic device 320 may transmit an authentication request including unique information (e.g., a serial number (SN)) of the external electronic device 320 to the electronic device 201 (e.g., the application processor 410).
  • the authentication request may be transmitted through a communication session established between the external electronic device 320 and the application processor 410 when the external electronic device 320 first initiates communication with the electronic device 201 (for example, when the external electronic device 320 is powered on or booted). In one embodiment, the external electronic device 320 may transmit the authentication request in order to use the encryption/decryption service provided by the security element 420 of the electronic device 201.
  • the application processor 410 of the electronic device 201 may identify the external electronic device 320 using the serial number included in the authentication request and store the serial number.
  • the application processor 410 may output a message (e.g., an image and text of the external electronic device 320) indicating that the external electronic device 320 is registered based on the serial number through a display module (e.g., display module 260).
  • the user can directly authenticate the external electronic device 320 by checking the message.
  • the application processor 410 may store the serial number in response to receiving a user input accepting registration of the external electronic device 320.
  • the application processor 410 may transmit unique information for the external electronic device 320, including the serial number, to the server 310.
  • Server 310 may store the serial number.
  • the application processor 410 may transmit an allocation request for the external electronic device 320 to the secure element 420.
  • the allocation request may include information (eg, serial number) identifying the external electronic device 320.
  • the application processor 410 may transmit the allocation request in response to a user input (e.g., user input 910 in FIG. 9) allowing the external electronic device 320 to utilize the secure element 420.
  • the security element 420 of the electronic device 201 may allocate a unique secure storage area (e.g., secure storage area 422) for the external electronic device 320 within its internal memory in response to the allocation request.
  • the security element 420 generates a data encryption key (e.g., data encryption key 424) for the external electronic device 320 and stores the generated data encryption key in the secure storage area 422.
  • the data encryption key may include an advanced encryption standard (AES) key used for data encryption/decryption.
  • AES is a symmetric key algorithm that can be used equally for encryption and decryption, and the AES key can be used for both encryption and decryption.
  • the security element 420 may transmit first session key generation information for device authentication of the external electronic device 320 to the application processor 410.
  • the first session key creation information may be delivered in the format of an APDU.
  • the security element 420 may generate at least one of a certificate ('CERT'), a key pair according to the elliptic curve key agreement algorithm (ECKA) (e.g., an ephemeral secret key (eSK) and an ephemeral public key (ePK)), a key pair according to RSA (e.g., SK and PK), or a first random number value.
  • a digital signature covering the first random number value and the ePK, together with the CERT, may be encrypted by the SK to generate the first session key generation information.
  • the first session key creation information may include an encrypted digital signature and an encrypted CERT ('Sign (rand
  • the application processor 410 may transmit the first session key creation information ('Sign (rand
  • the external electronic device 320 may transmit a verification request including unique information (eg, serial number) of the external electronic device 320 to the server 310.
  • the server 310 may verify the external electronic device 320 by confirming that the serial number obtained in operation 804-1 matches the serial number included in the unique information.
  • the server 310 may transmit a verification key for the certificate to the external electronic device 320.
  • the external electronic device 320 verifies, using the verification key, that the certificate and the digital signature are valid, and generates a session key for session communication with the secure element 420.
  • the external electronic device 320 generates a key pair (e.g., eSK' and ePK') according to ECKA, and creates a session key based on eSK' and ePK obtained through the first session key generation information.
  • SSK = eSK' + ePK
  • that is, the SSK can be created by appending or adding ePK to eSK'.
  • the SSK may be generated through a designated key derivation function with eSK' and ePK as input.
  • the external electronic device 320 may transmit second session key creation information to the application processor 410 of the electronic device 201.
  • the external electronic device 320 generates a second random number value ('rand2'), and combines the first random number value ('rand') obtained from the first session key generation information with the second random number value.
  • Encrypted random number information ('Enc (SSK, rand
  • the external electronic device 320 may generate the second session key generation information including the encrypted random number information and the ePK'.
  • the application processor 410 may convert the second session key creation information ('Enc (SSK, rand
  • the security element 420 may generate a session key (eg, session key 428) based on the second session key generation information.
  • the security element 420 decrypts the encrypted random number information ('Enc (SSK, rand
  • the security element 420 encrypts the second random number value with the session key to generate session key verification information ('Enc (SSK, rand2)') including the encrypted second random number value.
  • the session key verification information may be transmitted to the application processor 410 in the format of an APDU.
  • the application processor 410 may transmit the session key verification information ('Enc (SSK, rand2)') to the external electronic device 320.
  • the external electronic device 320 may confirm, based on the session key verification information, that the session key generated in operation 820 is the same as the session key generated in the security element 420. In one embodiment, the external electronic device 320 decrypts the session key verification information using the session key to obtain the second random number value, and verifies the session key by confirming that this value is identical to the second random number value transmitted in operation 822.
  • the security element 420 can store a data encryption key (for example, an AES key) for the external electronic device 320 in the secure storage area 422, and the security element 420 and the external electronic device 320 may share the same session key ('SSK').
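The FIG. 8 handshake described above, as an added example written for this page and not code from the patent: the secure element signs its ephemeral public key and first random number value, the external electronic device verifies the signature, derives the session key from eSK' and ePK and proves it with Enc(SSK, rand||rand2) and ePK', after which the secure element derives the same key, checks rand, and answers with Enc(SSK, rand2). Choices the patent does not specify and which are assumed here: ECKA is P-256 ECDH from Go's crypto/ecdh, the signature the text describes as "encrypted by SK" is RSA-PSS over rand||ePK, the "designated key derivation function" is SHA-256 over the shared secret with a fixed label, Enc(SSK, ·) is AES-256-GCM, the certificate is left out, and the device is assumed to already hold the verification key PK from server 310. The type and function names (firstInfo, secondInfo, seFirstInfo, deviceSecondInfo, seVerifyInfo, RunHandshake) are the example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed model of the FIG. 8 handshake, not the patent's own code. Assumed: ECKA =
// P-256 ECDH, "encrypted by SK" = RSA-PSS over rand||ePK, the designated KDF = SHA-256
// over the shared secret, Enc(SSK, .) = AES-256-GCM; CERT handling is omitted.
type firstInfo struct{ Rand1, EPK, Sig []byte }             // rand, ePK, Sign(rand||ePK)
type secondInfo struct{ SSK, Rand2, EncRands, EPKp []byte } // SSK and rand2 stay on the device
type seSession struct{ eSK *ecdh.PrivateKey; rand1 []byte } // eSK never leaves the SE

// RNG and key-generation errors are ignored throughout: no peer can trigger them.
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// ecka validates the peer's ephemeral public key, runs ECDH and derives SSK.
func ecka(own *ecdh.PrivateKey, peerBytes []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerBytes)
	if err != nil {
		return nil, fmt.Errorf("bad ephemeral public key: %w", err)
	}
	shared, _ := own.ECDH(peer) // cannot fail once the point is validated
	k := sha256.Sum256(append([]byte("SSK-v1|"), shared...))
	return k[:], nil
}
func gcm(key []byte) cipher.AEAD { // keys are always the 32 bytes from ecka
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}
func seal(key, pt []byte) []byte { // nonce || ciphertext || tag
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
func signInput(r, ePK []byte) []byte { // digest of rand||ePK
	d := sha256.Sum256(append(append([]byte{}, r...), ePK...))
	return d[:]
}

// SE: ephemeral ECKA key pair, first random number value, signature with SK.
func seFirstInfo(sk *rsa.PrivateKey) (*seSession, *firstInfo) {
	eSK, _ := ecdh.P256().GenerateKey(rand.Reader)
	r, ePK := randBytes(16), eSK.PublicKey().Bytes()
	sig, _ := rsa.SignPSS(rand.Reader, sk, crypto.SHA256, signInput(r, ePK), nil)
	return &seSession{eSK, r}, &firstInfo{r, ePK, sig}
}

// Device: verify with PK, derive SSK from eSK' and ePK, send Enc(SSK, rand||rand2) and ePK'.
func deviceSecondInfo(vk *rsa.PublicKey, fi *firstInfo) (*secondInfo, error) {
	if err := rsa.VerifyPSS(vk, crypto.SHA256, signInput(fi.Rand1, fi.EPK), fi.Sig, nil); err != nil {
		return nil, fmt.Errorf("first session key generation information rejected: %w", err)
	}
	eSKp, _ := ecdh.P256().GenerateKey(rand.Reader)
	ssk, err := ecka(eSKp, fi.EPK)
	if err != nil {
		return nil, err
	}
	rand2 := randBytes(16)
	enc := seal(ssk, append(append([]byte{}, fi.Rand1...), rand2...))
	return &secondInfo{ssk, rand2, enc, eSKp.PublicKey().Bytes()}, nil
}

// SE: derive SSK from eSK and ePK', check rand, answer with Enc(SSK, rand2).
func seVerifyInfo(s *seSession, encRands, ePKp []byte) ([]byte, error) {
	ssk, err := ecka(s.eSK, ePKp)
	if err != nil {
		return nil, err
	}
	pt, err := open(ssk, encRands)
	if err != nil || len(pt) != 32 || !bytes.Equal(pt[:16], s.rand1) {
		return nil, errors.New("first random number value mismatch")
	}
	return seal(ssk, pt[16:]), nil
}

// RunHandshake runs the four exchanges; tamper flips one bit of ePK in transit.
func RunHandshake(tamper bool) (bool, error) {
	sk, _ := rsa.GenerateKey(rand.Reader, 2048) // SE's RSA key pair (SK, PK)
	sess, fi := seFirstInfo(sk)
	if tamper {
		fi.EPK[len(fi.EPK)-1] ^= 0x01
	}
	si, err := deviceSecondInfo(&sk.PublicKey, fi)
	if err != nil {
		return false, err
	}
	verInfo, err := seVerifyInfo(sess, si.EncRands, si.EPKp)
	if err != nil {
		return false, err
	}
	pt, err := open(si.SSK, verInfo) // device side: Enc(SSK, rand2) must open to rand2
	return err == nil && bytes.Equal(pt, si.Rand2), nil
}

func main() { fmt.Println(RunHandshake(false)) }
```

RunHandshake(true) shows the device rejecting the first session key generation information at the signature check when ePK is altered in transit, and the secure element likewise refuses to answer when the first random number value it decrypts under the derived SSK does not match its own, so neither side completes the exchange with a key the other does not hold.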
  • Figure 9 shows an example of a user interface screen that confirms the use of a security element in an electronic device, according to an embodiment.
  • when the electronic device 201 receives an authentication request (e.g., in operation 802) from the external electronic device 320, it may display a message asking for permission for the external electronic device 320 to use the security element (e.g., 'Do you want to allow IoT devices to utilize your SE?'). If a user input 910 allowing use of the security element 420 is received, the electronic device 201 (e.g., the application processor 410) may proceed with the operations following operation 806.
  • FIG. 10 is a flowchart illustrating a procedure in which an electronic device provides an encryption service according to an embodiment. At least one of the operations described later may be executed by a processor (eg, processor 220) of the electronic device 201. According to embodiments, at least one of the operations described below may be omitted, modified, or changed in order.
  • the electronic device 201 may receive a first encrypted message from the external electronic device 320 and proceed to operation 1010.
  • the first encryption message may be received together with at least one of unique information about the external electronic device 320 or information indicating that encryption has been applied.
  • the electronic device 201 (e.g., processor 220) may decrypt the first encrypted message using a session key (e.g., session key 428) (e.g., the session key SSK generated in operation 826) to obtain the {data and encryption request} included in the first encrypted message.
  • the data may include personal information (e.g., a password) and/or personal data (e.g., video captured within a home network or a door lock access record) for which the external electronic device 320 requests encryption.
  • the electronic device 201 (e.g., processor 220) may encrypt the data using a data encryption key (e.g., data encryption key 424) stored in the secure storage area 422 within the secure element 420 (e.g., the AES key generated in operation 810) to generate encrypted data.
  • FIG. 11 is a flowchart illustrating a procedure in which an external electronic device uses an encryption service according to an embodiment. At least one of the operations described later may be executed by a processor (eg, processor 510) of the external electronic device 320. According to embodiments, at least one of the operations described below may be omitted, modified, or changed in order.
  • the external electronic device 320 may identify that data requiring encryption exists and proceed to operation 1110.
  • the data may include personal information or personal data such as passwords.
  • when the external electronic device 320 receives a newly set password for controlling the external electronic device 320 from the user, it may proceed to operation 1110 to encrypt and store the password.
  • the external electronic device 320 (e.g., processor 510) may proceed to operation 1110 to encrypt and store personal data such as captured image data or door lock access records, according to a user request or a specified cycle.
  • the external electronic device 320 may generate the first encrypted message by encrypting the data requiring encryption (e.g., the password or the image data) and an encryption request with a session key (e.g., session key 428) (for example, the session key SSK generated in operation 820).
  • the first encrypted message may include the {data and encryption request} encrypted with the session key.
  • the external electronic device 320 (e.g., processor 510) may transmit the first encrypted message to the electronic device 201.
  • the first encrypted message may be transmitted along with at least one of unique information about the external electronic device 320 or information indicating that encryption has been applied.
  • the external electronic device 320 may receive a second encrypted message from the electronic device 201.
  • the external electronic device 320 (e.g., processor 510) may decrypt the second encrypted message using the session key to obtain the {encrypted data} included in the second encrypted message.
  • the second encrypted message may include data, corresponding to the data transmitted in operation 1115, encrypted by a data encryption key (e.g., data encryption key 424) (e.g., the AES key generated in operation 810).
  • the second encrypted message may be received in response to the first encrypted message.
  • the external electronic device 320 may recognize that the second encrypted message includes encrypted data corresponding to the original data transmitted through the first encrypted message.
  • the obtained encrypted data may be safely stored in the memory (e.g., memory 530) of the external electronic device 320.
  • the external electronic device 320 (e.g., processor 510) may store the encrypted data and delete the original data.
  • Figure 12 shows a signal flow diagram to explain a procedure for providing encryption services according to an embodiment. At least some of the operations described below may be omitted, modified, or changed in order.
  • the external electronic device 320 may detect that data requiring encryption (e.g., a password or personal data) is generated. In one embodiment, the external electronic device 320 may determine that encryption of data is necessary periodically, when a specified condition is satisfied, or in response to a user input, and proceed to operation 1204. In operation 1204, the external electronic device 320 may encrypt the data requiring encryption and an encryption request related to the data using a session key (e.g., session key 428) (e.g., the session key SSK generated in operation 820) to generate the first encrypted message.
  • the first encrypted message ('Enc (SSK, Data
  • the external electronic device 320 may transmit the first encryption message ('Enc (SSK, Data
  • the first encrypted message may be transmitted along with unique information of the external electronic device 320.
  • the application processor 410 may convert the first encrypted message (and unique information) into an APDU format and transmit it to the security element 420.
  • the security element 420 may decrypt the first encrypted message using a pre-stored session key for the external electronic device 320 (e.g., the session key SSK generated in operation 826) (e.g., the session key 428) to obtain the {data and encryption request} included in the first encrypted message.
  • the secure element 420 may encrypt the data in response to the encryption request using a data encryption key (e.g., data encryption key 424) stored in the secure storage area 422 (e.g., the AES key generated in operation 810) to create encrypted data ('Enc (AES, Data)').
  • the security element 420 may encrypt the encrypted data using the session key to generate a second encrypted message ('Enc (SSK, Enc (AES, Data))').
  • the security element 420 may transmit the second encrypted message to the application processor 410 in the format of an APDU.
  • the application processor 410 may transmit the second encrypted message to the external electronic device 320.
  • the external electronic device 320 can obtain the encrypted data ('Enc (AES, Data)') included in the second encrypted message by decrypting the second encrypted message using the session key.
  • the external electronic device 320 may store the obtained encrypted data in the memory 530.
  • the external electronic device 320 (e.g., processor 510) may store the encrypted data and delete the original data transmitted in operation 1206.
  • the procedure by which the electronic device 201 provides a decryption service to the external electronic device 320 may be similar to FIG. 10, and the procedure by which the external electronic device 320 uses the decryption service through the electronic device 201 may be similar to FIG. 11.
  • for a detailed description of the operations performed by the electronic device 201 and the external electronic device 320, refer to FIG. 13 below.
  • Figure 13 shows a signal flow diagram to explain a procedure for providing a decryption service according to an embodiment. At least some of the operations described below may be omitted, modified, or changed in order.
  • the external electronic device 320 may detect that decryption of the encrypted data ('E(D)') is necessary. In one embodiment, the external electronic device 320 may proceed to operation 1304 to use the encrypted data (for example, to confirm a password or play video data). In operation 1304, the external electronic device 320 encrypts the encrypted data and the decryption request related to the encrypted data using a session key (e.g., session key 428) (e.g., the session key SSK generated in operation 820). Thus, the first encrypted message ('Enc (SSK, E(D)
  • the external electronic device 320 may transmit the first encryption message ('Enc (SSK, E(D)
  • the first encrypted message may be transmitted along with unique information of the external electronic device 320.
  • the application processor 410 may transmit the first encrypted message (and unique information) to the security element 420 in the format of an APDU.
  • the security element 420 may decrypt the first encrypted message using a pre-stored session key for the external electronic device 320 (e.g., the session key SSK generated in operation 826) (e.g., the session key 428) to obtain the {encrypted data and decryption request} included in the first encrypted message.
  • the secure element 420 may decrypt the encrypted data in response to the decryption request using a data encryption key (e.g., data encryption key 424) stored in the secure storage area 422 (e.g., the AES key generated in operation 810) to generate the original data ('Data').
  • the security element 420 may encrypt the original data using a session key to generate a second encrypted message ('Enc (SSK, Data)').
  • the security element 420 may transmit the second encrypted message to the application processor 410 in the format of an APDU.
  • the application processor 410 may transmit the second encrypted message to the external electronic device 320.
  • the external electronic device 320 can obtain original data ('Data') included in the second encrypted message by decrypting the second encrypted message using the session key.
  • the external electronic device 320 may at least temporarily store the acquired original data in the memory 530 or use it, for example, to confirm a password or play an image.
  • the external electronic device 320 (e.g., processor 510) may delete the original data for security purposes after using the original data.
  • FIG. 14 is a diagram illustrating safe storage of a password according to an embodiment.
  • the external electronic device 320 may receive a password 1410 set for controlling the external electronic device 320 from the user.
  • the password 1410 may include a string entered by the user (for example, "FDF778523") along with the string "PASSWORD", and therefore there is a risk of it being stolen by an attacker.
  • the external electronic device 320 may transmit the password 1410 along with an encryption request to the electronic device 201 and receive the encrypted password 1420 as a corresponding response.
  • the encrypted password 1420 may include an encrypted string (for example, "0008E0A") generated by the security element 420 of the electronic device 201 using a data encryption key (e.g., data encryption key 424) (e.g., an AES key), and the data encryption key is not leaked outside of the security element 420. Even if an attacker steals the encrypted password 1420, the original string (for example, the password 1410) cannot be known.
  • the external electronic device 320 may store the encrypted password 1420 and delete the original password 1410.
  • when decryption of the encrypted password 1420 is required to authenticate a user who wishes to control the external electronic device 320, the external electronic device 320 may transmit the encrypted password 1420 to the electronic device 201 along with a decryption request, and receive in response the original password 1410 decrypted by the security element 420 using the data encryption key. After authenticating the user using the original password 1410, the external electronic device 320 may delete the original password 1410 and continue to store only the encrypted password 1420.
  • FIG. 15 is a diagram illustrating safe storage of image data according to an embodiment.
  • the external electronic device 320 can capture images within the home network through a security camera and generate image data 1510. According to a designated period or user request, the external electronic device 320 may transmit the image data 1510 to the electronic device 201 along with an encryption request, and receive encrypted image data 1520 in response. The encrypted image data 1520 may be generated by the security element 420 of the electronic device 201 using a data encryption key (e.g., data encryption key 424) (e.g., an AES key). The external electronic device 320 may store the encrypted image data 1520 and delete the original image data 1510.
  • encrypted video data 1520 cannot be played normally without decryption.
  • the external electronic device 320 may transmit the encrypted video data 1520 to the electronic device 201 along with a decryption request, and receive in response the original image data 1510 decrypted by the security element 420 using the data encryption key.
  • the external electronic device 320 can play the original video data 1510, delete it after playback is completed or a specified time after playback is completed, and continue to store only the encrypted video data 1520.
  • Figure 16 shows a signal flow diagram for explaining a procedure for updating a session key according to an embodiment. At least some of the operations described below may be omitted, modified, or changed in order.
  • in operation 1602, the external electronic device 320 may determine that a session key (e.g., session key 428) for the electronic device 201 (e.g., the session key generated in operation 820) needs to be generated, and proceed to operation 1604. In one embodiment, the external electronic device 320 starts counting a specified validity time when generating each session key, deletes the previous session key when the validity time elapses, and then proceeds to operation 1604 to generate a new session key. In one embodiment, each session key may be stored in a volatile memory (not shown) of the external electronic device 320, and the external electronic device 320 may proceed to operation 1604 to generate a new session key when it is powered on or booted.
  • the external electronic device 320 may transmit to the electronic device 201 (e.g., the application processor 410) a session key request containing unique information (e.g., a serial number) of the external electronic device 320.
  • when the application processor 410 determines that the external electronic device 320 has already been registered based on the unique information (for example, that the data encryption key of the external electronic device 320 is stored in the security element 420), the external electronic device 320 can be authenticated.
  • the application processor 410 may transmit a session key request for the external electronic device 320 to the secure element 420.
  • the allocation request may include information (eg, serial number) identifying the external electronic device 320.
  • the security element 420 may generate first session key generation information for device authentication of the external electronic device 320.
  • the secure element 420 may generate at least one of a certificate ('CERT'), a key pair according to ECKA (e.g., eSK and ePK), a key pair according to RSA (e.g., SK and PK), or a first random number value.
  • the first session key creation information may include an encrypted digital signature and an encrypted CERT ('Sign (rand
  • the security element 420 may transmit the first session key creation information ('Sign (rand
  • the application processor 410 may transmit the first session key creation information ('Sign (rand
  • the external electronic device 320 may transmit a verification request including unique information (eg, serial number) of the external electronic device 320 to the server 310.
  • the server 310 identifies and verifies the external electronic device 320 using the unique information and transmits a verification key for the certificate to the external electronic device 320.
  • the external electronic device 320 may use the verification key to verify that the certificate and the digital signature are valid, and generate a session key for session communication with the secure element 420.
  • the session key may be stored in the memory 530 (eg, volatile memory) of the external electronic device 320 for a designated validity period.
  • the external electronic device 320 may transmit second session key creation information to the application processor 410 of the electronic device 201.
  • the external electronic device 320 generates a second random number value ('rand2'), and combines the first random number value ('rand') obtained from the first session key generation information with the second random number value.
  • Encrypted random number information ('Enc (SSK, rand
  • the external electronic device 320 may generate the second session key generation information including the encrypted random number information and the ePK'.
  • the application processor 410 may convert the second session key creation information ('Enc (SSK, rand
  • the security element 420 may generate a session key (eg, session key 428) based on the second session key generation information.
  • the session key may be stored in a storage area (eg, secure storage area 422) of the electronic device 201 for a designated validity period.
  • the security element 420 may provide an encryption and/or decryption service to the external electronic device 320 using the session key, for example, as in the procedures of FIGS. 12 and/or 13 .
  • FIG. 17 is a signal flow diagram illustrating a procedure for generating an asymmetric key for server authentication according to an embodiment. At least some of the operations described below may be omitted, modified, or changed in order.
  • the external electronic device 320 may determine to generate an asymmetric key to be used to obtain server authentication and proceed to operation 1704.
  • the external electronic device 320 may use an asymmetric key to obtain authentication with the server 310.
  • the external electronic device 320 may encrypt an asymmetric key request ('Asym key Request') with a session key (e.g., session key 428) (e.g., the session key SSK generated in operation 820) to generate the first encrypted message ('Enc (SSK, Asym key Request)').
  • the external electronic device 320 may transmit the first encrypted message ('Enc (SSK, Asym key Request)') to the application processor 410 of the electronic device 201.
  • the first encrypted message may be transmitted along with unique information of the external electronic device 320.
  • the application processor 410 may convert the first encrypted message (and unique information) into an APDU format and transmit it to the security element 420.
  • the security element 420 may decrypt the first encrypted message using a pre-stored session key for the external electronic device 320 (e.g., the session key SSK generated in operation 826) (e.g., the session key 428) to obtain the {asymmetric key request} included in the first encrypted message.
  • the secure element 420 may generate an asymmetric key pair (e.g., SK and PK) in response to the asymmetric key request.
  • the security element 420 may generate the asymmetric key pair in a manner according to open secure socket layer (SSL).
  • the security element 420 may store the SK in the secure storage area 422 and encrypt the PK with the session key to generate a second encrypted message ('Enc (SSK, PK)').
  • the security element 420 may transmit the second encrypted message to the application processor 410 in the format of an APDU.
  • the application processor 410 may transmit the second encrypted message to the external electronic device 320.
  • the external electronic device 320 can obtain the PK included in the second encrypted message by decrypting the second encrypted message using the session key.
  • the external electronic device 320 may perform an authentication procedure with the server 310 based on the PK.
  • the server 310 may generate the same asymmetric key pair using the same key generation algorithm used in the external electronic device 320 and authenticate the external electronic device 320 using the SK of the asymmetric key pair.
  • the authentication procedure involves the external electronic device 320 transmitting the PK to the server 310 to create a cloud registry in the server 310 and storing the device information of the external electronic device 320 and the PK in the cloud.
  • JWT: JSON Web token
  • an asymmetric key (eg, SK and PK) required for authentication of the external electronic device 320 can be generated in the security element 420 and the SK can be safely stored.
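The encryption service of FIG. 12, the decryption service of FIG. 13 (as used for the password of FIG. 14 and the image data of FIG. 15), the session key validity time of FIG. 16 and the asymmetric key generation of FIG. 17, modelled together in Go as an added example that is not code from the patent. Assumptions the patent does not state: Enc(k, ·) is AES-256-GCM; the request carried inside the first encrypted message is framed as one tag byte ('E' encrypt, 'D' decrypt, 'A' asymmetric key) followed by the payload; the session key agreed in the FIG. 8 handshake is simply injected through Allocate together with its validity period; the asymmetric key pair is RSA-2048 and PK is returned as PKIX DER; the serial numbers and the password are constructed values. SecureElement, IoTDevice, Handle, Exchange and StoreAndRecover are names chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// Constructed model of the SE-side services of FIGS. 12, 13, 16 and 17, not the patent's
// code. Assumed: Enc(k, .) is AES-256-GCM (nonce || ciphertext || tag); a request is one
// tag byte ('E', 'D', 'A') plus payload; the asymmetric pair is RSA-2048, PK as PKIX DER.
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { // keys are always 32 bytes here
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}
func seal(key, pt []byte) []byte {
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

type sessionKey struct {
	key     []byte
	expires time.Time // designated validity time (FIG. 16); volatile, never persisted
}

// SecureElement keeps, per registered serial number, the data encryption key, the
// session key and the server-authentication private key. None of them leaves the SE.
type SecureElement struct {
	dataKey map[string][]byte
	session map[string]sessionKey
	asymSK  map[string]*rsa.PrivateKey
}

func NewSecureElement() *SecureElement {
	return &SecureElement{map[string][]byte{}, map[string]sessionKey{}, map[string]*rsa.PrivateKey{}}
}

// Allocate models the allocation request (fresh AES data encryption key) plus the
// session key agreed in the FIG. 8 handshake, injected here by assumption.
func (se *SecureElement) Allocate(serial string, ssk []byte, validity time.Duration) {
	se.dataKey[serial] = randBytes(32)
	se.session[serial] = sessionKey{ssk, time.Now().Add(validity)}
}

// Handle takes a first encrypted message Enc(SSK, tag || payload) and returns the
// second encrypted message Enc(SSK, result).
func (se *SecureElement) Handle(serial string, firstMsg []byte) ([]byte, error) {
	s, ok := se.session[serial]
	if !ok || time.Now().After(s.expires) {
		return nil, fmt.Errorf("no valid session key for %q: a session key request is needed", serial)
	}
	req, err := open(s.key, firstMsg) // a wrong SSK fails here
	if err != nil || len(req) == 0 {
		return nil, errors.New("first encrypted message rejected")
	}
	var result []byte
	switch tag, payload := req[0], req[1:]; tag {
	case 'E': // FIG. 12: Enc(AES, Data)
		result = seal(se.dataKey[serial], payload)
	case 'D': // FIG. 13: Data from E(D); only this device's data key opens it
		if result, err = open(se.dataKey[serial], payload); err != nil {
			return nil, errors.New("E(D) was not produced under this device's data encryption key")
		}
	case 'A': // FIG. 17: SK stays in the secure storage area, PK goes back
		sk, _ := rsa.GenerateKey(rand.Reader, 2048)
		se.asymSK[serial] = sk
		result, _ = x509.MarshalPKIXPublicKey(&sk.PublicKey)
	default:
		return nil, fmt.Errorf("unknown request tag %q", tag)
	}
	return seal(s.key, result), nil
}

// IoTDevice is the external electronic device: it holds only its session key.
type IoTDevice struct{ Serial string; SSK []byte }

// Exchange wraps one request as Enc(SSK, tag || payload) and unwraps the reply.
func (d *IoTDevice) Exchange(se *SecureElement, tag byte, payload []byte) ([]byte, error) {
	second, err := se.Handle(d.Serial, seal(d.SSK, append([]byte{tag}, payload...)))
	if err != nil {
		return nil, err
	}
	return open(d.SSK, second)
}

// StoreAndRecover models FIGS. 12 to 14: encrypt a secret, keep only E(D), later have
// the SE decrypt it. Returns E(D) and the recovered plaintext.
func StoreAndRecover(se *SecureElement, d *IoTDevice, secret []byte) (ed, pt []byte, err error) {
	if ed, err = d.Exchange(se, 'E', secret); err != nil {
		return nil, nil, err
	}
	pt, err = d.Exchange(se, 'D', ed)
	return ed, pt, err
}

func main() {
	se, dev := NewSecureElement(), &IoTDevice{"SN-CONSTRUCTED-0001", randBytes(32)} // constructed
	se.Allocate(dev.Serial, dev.SSK, time.Hour)
	ed, pt, err := StoreAndRecover(se, dev, []byte("constructed-password"))
	fmt.Printf("E(D): %d bytes, recovered %q, err=%v\n", len(ed), pt, err)
}
```

What the model makes concrete: after StoreAndRecover the device holds an E(D) it cannot open with its own session key, a second registered device cannot have that E(D) decrypted because its secure storage area holds a different data encryption key, an expired or missing session key sends the device back to the FIG. 16 session key request, and the SK of the FIG. 17 key pair never appears in any message while the returned PK matches it.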
  • the disclosed embodiments utilize the security element 420 mounted on the electronic device 201 so that a high-security-level encryption/decryption service can be provided to an external electronic device not equipped with a security element (e.g., the external electronic device 320).
  • the data encryption key used to safely protect data and prevent leakage of personal information in an external electronic device 320, which can be implemented as an IoT device in a home network, can be used and stored safely in the security element 420 of the electronic device 201.
  • the electronic device 201 may include a communication circuit 290 and at least one processor 220 operatively connected to the communication circuit.
  • the at least one processor may be configured to receive an authentication request including unique information from an external electronic device 320 that does not support a security function through the communication circuit.
  • the at least one processor may be configured to allocate a secure storage area for the external electronic device based on the unique information.
  • the at least one processor may be configured to generate a data encryption key for the external electronic device and store it in the secure storage area.
  • the at least one processor may be configured to generate a session key for session communication with the external electronic device.
  • the at least one processor may be configured to provide an encryption and/or decryption service based on the data encryption key to the external electronic device in response to a request from the external electronic device encrypted with the session key.
  • the session key has a designated validity time and may be stored in volatile memory within the electronic device.
  • the at least one processor may include an application processor (AP) 410 that communicates with the external electronic device, and a security element (SE) 420 that communicates with the external electronic device through the application processor, provides the secure storage area with a specified security level, and is configured to generate the data encryption key for the external electronic device and store the data encryption key within the secure storage area.
  • the at least one processor may be configured to receive a first encryption message including data and an encryption request from the external electronic device through the communication circuit.
  • the at least one processor may be configured to obtain the data and the encryption request by decrypting the first encrypted message using the session key by the security element.
  • the at least one processor may be configured to generate encrypted data by encrypting the data using the data encryption key by the security element.
  • the at least one processor may be configured to encrypt the encrypted data using the session key by the security element to generate a second encrypted message including the encrypted data.
  • the at least one processor may be configured to transmit the second encrypted message to the external electronic device through the communication circuit.
  • the at least one processor may be configured to generate at least one of a certificate, a first key pair, a second key pair, or a first random number value for device authentication of the external electronic device.
  • the at least one processor may be configured to encrypt the digital signature including the random value and the first public key of the first key pair and the certificate with a private key of the second key pair.
  • the at least one processor may be configured to transmit first session key generation information including the encrypted digital signature and the encrypted certificate to the external electronic device.
  • the at least one processor may be configured to receive second session key generation information including encrypted random number information and a second public key from the external electronic device.
  • the at least one processor may be configured to generate the session key based on the private key of the first key pair and the second public key.
  • the at least one processor may be configured to obtain the first random number value and the second random number value by decrypting the encrypted random number information using the session key.
  • the at least one processor may be configured to encrypt the second random number value using the session key.
  • the at least one processor may be configured to transmit session key verification information including the encrypted second random number value to the external electronic device.
  • the at least one processor may be configured to receive a session key request from the external electronic device.
  • the at least one processor may be configured to generate a new session key in response to the session key request.
  • the at least one processor may be configured to receive a first encryption message including an asymmetric key request from the external electronic device.
  • the at least one processor may be configured to obtain the asymmetric key request by decrypting the first encrypted message using the session key.
  • the at least one processor may be configured to generate an asymmetric key pair including a private key and a public key for server authentication in response to the asymmetric key request.
  • the at least one processor may be configured to generate a second encrypted message by encrypting the public key with the session key.
  • the at least one processor may be configured to transmit the second encrypted message to the external electronic device.
  • the electronic device 320 may include a communication interface 520 and at least one processor 510 operatively connected to the communication interface.
  • the at least one processor may be configured to transmit an authentication request including unique information to an external electronic device 201 supporting a security function through the communication interface.
  • the at least one processor may be configured to receive first session key creation information from the external electronic device.
  • the at least one processor may be configured to generate a session key for session communication with the external electronic device based on the first session key generation information.
  • the at least one processor may be configured to transmit second session key generation information for verification of the session key to the external electronic device.
  • the at least one processor may be configured to use an encryption and/or decryption service provided by the external electronic device based on the session key.
  • the session key has a designated validity time and may be stored in volatile memory within the electronic device.
  • the at least one processor may be configured to detect the occurrence of data requiring encryption.
  • the at least one processor may be configured to generate a first encrypted message by encrypting the data and the encryption request using the session key.
  • the at least one processor may be configured to transmit the first encrypted message to the external electronic device through the communication interface.
  • the at least one processor may be configured to receive a second encrypted message from the external electronic device.
  • the at least one processor may be configured to decrypt the second encrypted message using the session key to obtain encrypted data corresponding to the data.
  • a method of operating the electronic device 201 may include an operation 605 of receiving an authentication request including unique information from an external electronic device 320 that does not support the security function.
  • the method may include an operation 615 of allocating a secure storage area for the external electronic device based on the unique information.
  • the method may include an operation 615 of generating a data encryption key for the external electronic device and storing it in the secure storage area.
  • the method may include an operation 620 of generating a session key for session communication with the external electronic device.
  • the method may include an operation 645 of providing an encryption and/or decryption service based on the data encryption key to the external electronic device in response to a request from the external electronic device encrypted with the session key.
  • the session key has a designated validity time and may be stored in volatile memory within the electronic device.
  • the electronic device may include an application processor (AP) that communicates with the external electronic device, and a security element (SE) that communicates with the external electronic device through the application processor, provides the secure storage area at a specified security level, and is configured to generate the data encryption key for the external electronic device and store the data encryption key in the secure storage area.
  • the operation of providing the encryption service may include: an operation 1005 of receiving a first encrypted message including data and an encryption request from the external electronic device; an operation 1010 of decrypting, by the security element, the first encrypted message using the session key to obtain the data and the encryption request; an operation 1015 of encrypting, by the security element, the data using the data encryption key to generate encrypted data; an operation 1020 of encrypting, by the security element, the encrypted data using the session key to generate a second encrypted message including the encrypted data; and an operation 1025 of transmitting the second encrypted message to the external electronic device.
  • the operation 620 of generating the session key may include: generating at least one of a certificate for device authentication of the external electronic device, a first key pair, a second key pair, or a first random number value; encrypting, with the private key of the second key pair, a digital signature including the first random number value and the first public key of the first key pair, together with the certificate; transmitting first session key generation information including the encrypted digital signature and the encrypted certificate to the external electronic device; receiving second session key generation information including encrypted random number information and a second public key from the external electronic device; generating the session key based on the private key of the first key pair and the second public key; obtaining the first random number value and the second random number value by decrypting the encrypted random number information using the session key; encrypting the second random number value using the session key; and transmitting session key verification information including the encrypted second random number value to the external electronic device.
  • the method may include operations 1604 and 1608 of receiving a session key request from the external electronic device.
  • the method may include an operation 1610 of generating a new session key in response to the session key request.
  • the method may include operations 1706 and 1708 of receiving a first encryption message including an asymmetric key request from the external electronic device.
  • the method may include an operation 1710 of obtaining the asymmetric key request by decrypting the first encrypted message using the session key.
  • the method may include an operation 1712 of generating an asymmetric key pair including a private key and a public key for server authentication in response to the asymmetric key request.
  • the method may include an operation 1714 of encrypting the public key with the session key to generate a second encrypted message.
  • the method may include operations 1716 and 1718 of transmitting the second encrypted message to the external electronic device.
  • a method of operating the electronic device 320 may include an operation 705 of transmitting an authentication request including unique information to an external electronic device 201 that supports a security function.
  • the method may include an operation 715 of receiving first session key creation information from the external electronic device.
  • the method may include an operation 730 of generating a session key for session communication with the external electronic device based on the first session key generation information.
  • the method may include an operation 735 of transmitting second session key generation information for verification of the session key to the external electronic device.
  • the method may include an operation 745 of using an encryption and/or decryption service provided by the external electronic device based on the session key.
  • the session key has a designated validity time and may be stored in volatile memory within the electronic device.
  • the operation of using the encryption service may include: an operation 1105 of detecting the occurrence of data requiring encryption; an operation 1110 of generating a first encrypted message by encrypting the data and the encryption request using the session key; an operation 1115 of transmitting the first encrypted message to the external electronic device; an operation 1120 of receiving a second encrypted message from the external electronic device; and an operation 1125 of decrypting the second encrypted message using the session key to obtain encrypted data corresponding to the data.
  • Electronic devices may be of various types.
  • Electronic devices may include, for example, portable communication devices (e.g., smartphones), computer devices, portable multimedia devices, portable medical devices, cameras, wearable devices, or home appliances.
  • Electronic devices according to embodiments of this document are not limited to the above-described devices.
  • terms such as "first", "second", or "first" or "second" may be used simply to distinguish one component from another, and do not limit the components in other respects (e.g., importance or order).
  • where one (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively", this means that the one component can be connected to the other component directly (e.g., by wire), wirelessly, or through a third component.
  • the term "module" as used in various embodiments of this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit. A module may be an integrally formed part, or a minimum unit or part thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).
  • various embodiments of the present document may be implemented as software (e.g., program 240) including one or more instructions stored in a storage medium (e.g., built-in memory 236 or external memory 238) that can be read by a machine (e.g., electronic device 201).
  • a processor (e.g., processor 220) of a device (e.g., electronic device 201) may call at least one instruction among the one or more instructions stored in the storage medium and execute it, which allows the device to operate to perform at least one function according to the at least one instruction called.
  • the one or more instructions may include code generated by a compiler or code that can be executed by an interpreter.
  • a storage medium that can be read by a device may be provided in the form of a non-transitory storage medium.
  • 'non-transitory' only means that the storage medium is a tangible device and does not contain signals (e.g., electromagnetic waves); the term does not distinguish between cases where data is semi-permanently stored in the storage medium and cases where it is stored temporarily.
  • a computer program product may be traded as a commodity between a seller and a buyer.
  • the computer program product may be distributed in the form of a machine-readable storage medium (e.g., compact disc read only memory (CD-ROM)), or distributed (e.g., downloaded or uploaded) online through an application store (e.g., Play Store TM) or directly between two user devices (e.g., smartphones).
  • at least a portion of the computer program product may be at least temporarily stored or temporarily created in a machine-readable storage medium, such as the memory of a manufacturer's server, an application store's server, or a relay server.
  • each component (e.g., module or program) of the above-described components may include a single entity or a plurality of entities, and some of the plurality of entities may be placed separately in other components.
  • one or more of the components or operations described above may be omitted, or one or more other components or operations may be added.
  • multiple components (e.g., modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components in the same or similar manner as performed by the corresponding component of the plurality of components prior to the integration.
  • operations performed by a module, program, or other component may be executed sequentially, in parallel, iteratively, or heuristically; one or more of the operations may be executed in a different order or omitted, or one or more other operations may be added.
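The session key generation exchange described in the embodiments above (first session key generation information signed by the security-supporting device, second session key generation information with the external device's public key and encrypted random numbers, then session key verification information echoing the second random number) as an added, runnable example; this is illustration code, not the patent's or Samsung's implementation. It assumes P-256 ECDH for the first and second key pairs, an ECDSA P-256 identity key whose public half stands in for the certificate, SHA-256 of the shared secret as the session key, AES-256-GCM for session-key encryption, and 16-byte random numbers; all of these are assumptions, and all keys and values are generated locally.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // RNG/keygen failures are fatal here
func randBytes(n int) []byte    { b := make([]byte, n); must(rand.Read(b)); return b }
// Session-key encryption is assumed to be AES-256-GCM with a 12-byte random nonce prepended.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func seal(key, pt []byte) []byte  { n := randBytes(12); return aead(key).Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 { return nil, errors.New("ciphertext too short") }
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}
// deriveSessionKey = SHA-256(ECDH P-256 shared secret); the curve and KDF are assumptions.
func deriveSessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil { return nil, err } // malformed second public key from the peer
	k := sha256.Sum256(must(priv.ECDH(pub)))
	return k[:], nil
}
// transcript is what the second (identity) key pair signs: first random || first public key.
func transcript(r1, pub []byte) []byte { d := sha256.Sum256(append(bytes.Clone(r1), pub...)); return d[:] }
type FirstInfo struct{ R1, EphPub, Sig []byte }    // first session key generation information
type SecondInfo struct{ EphPub, EncRandoms []byte } // second session key generation information

// deviceStart (device 201, SE side): first key pair + first random, signed with the identity key.
func deviceStart(signKey *ecdsa.PrivateKey) (*ecdh.PrivateKey, FirstInfo) {
	eph, r1 := must(ecdh.P256().GenerateKey(rand.Reader)), randBytes(16)
	pub := eph.PublicKey().Bytes()
	return eph, FirstInfo{r1, pub, must(ecdsa.SignASN1(rand.Reader, signKey, transcript(r1, pub)))}
}

// externalRespond (device 320): verify the signature with the trusted identity key, generate the second key pair, derive the session key and return R1||R2 encrypted under it with the public key.
func externalRespond(trusted *ecdsa.PublicKey, fi FirstInfo) (key, r2 []byte, si SecondInfo, err error) {
	if !ecdsa.VerifyASN1(trusted, transcript(fi.R1, fi.EphPub), fi.Sig) { return nil, nil, si, errors.New("bad signature") }
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	if key, err = deriveSessionKey(eph, fi.EphPub); err != nil { return nil, nil, si, err }
	r2 = randBytes(16)
	return key, r2, SecondInfo{eph.PublicKey().Bytes(), seal(key, append(bytes.Clone(fi.R1), r2...))}, nil
}

// deviceFinish (device 201): derive the same key, check R1 came back, echo R2 as verification info.
func deviceFinish(eph *ecdh.PrivateKey, r1 []byte, si SecondInfo) (key, verification []byte, err error) {
	if key, err = deriveSessionKey(eph, si.EphPub); err != nil { return nil, nil, err }
	pt, err := open(key, si.EncRandoms)
	if err != nil || len(pt) != 32 || !bytes.Equal(pt[:16], r1) { return nil, nil, errors.New("random mismatch") }
	return key, seal(key, pt[16:]), nil
}

// RunHandshake runs both sides; tamper flips one signature bit to show device 320 rejecting the info.
func RunHandshake(tamper bool) (bool, error) {
	signKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // identity (second) key pair
	eph, fi := deviceStart(signKey)
	if tamper { fi.Sig[len(fi.Sig)-1] ^= 1 }
	extKey, r2, si, err := externalRespond(&signKey.PublicKey, fi)
	if err != nil { return false, err }
	devKey, verification, err := deviceFinish(eph, fi.R1, si)
	if err != nil { return false, err }
	pt, err := open(extKey, verification) // device 320 checks its R2 came back under the session key
	return err == nil && bytes.Equal(pt, r2) && bytes.Equal(devKey, extKey), nil
}

func main() { ok, err := RunHandshake(false); fmt.Println("session key verified:", ok, err) }
```

Because the first public key is covered by the identity signature, an intermediary cannot substitute its own ECDH key without the external device noticing; the echoed second random number is what tells the external device that the peer actually holds the same session key.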

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • General Business, Economics & Management (AREA)
  • Business, Economics & Management (AREA)
  • Economics (AREA)
  • Development Economics (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an electronic device comprising a communication circuit and at least one processor operatively connected to the communication circuit. The at least one processor may be configured to: receive, through the communication circuit, an authentication request comprising unique information from an external electronic device that does not support a security function; allocate, based on the unique information, a secure storage area for the external electronic device; generate a data encryption key for the external electronic device and store the data encryption key in the secure storage area; generate a session key for session communication with the external electronic device; and, in response to a request from the external electronic device encrypted with the session key, provide an encryption and/or decryption service based on the data encryption key to the external electronic device.
PCT/KR2023/008366 2022-07-01 2023-06-16 Dispositif électronique permettant de fournir un service de chiffrement, et son procédé de fonctionnement WO2024005419A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR20220081504 2022-07-01
KR10-2022-0081504 2022-07-01
KR10-2022-0105026 2022-08-22
KR1020220105026A KR20240003681A (ko) 2022-07-01 2022-08-22 암호화 서비스를 제공하는 전자 장치 및 그 동작 방법

Publications (1)

Publication Number Publication Date
WO2024005419A1 true WO2024005419A1 (fr) 2024-01-04

Family

ID=89381001

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2023/008366 WO2024005419A1 (fr) 2022-07-01 2023-06-16 Dispositif électronique permettant de fournir un service de chiffrement, et son procédé de fonctionnement

Country Status (1)

Country Link
WO (1) WO2024005419A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20150064600A (ko) * 2013-12-03 2015-06-11 에스케이텔레콤 주식회사 M2m 클라우드 스토리지 서비스 제공방법 및 장치
KR20150129824A (ko) * 2013-03-14 2015-11-20 퀄컴 인코포레이티드 키 복원 공격들을 좌절시키기 위한 대책으로서 송신기-수신기 페어링을 위한 마스터 키 암호화 기능들
KR20170084875A (ko) * 2016-01-13 2017-07-21 삼성전자주식회사 전자 장치, 그의 통신 방법 및 암호화 방법
KR20180130203A (ko) * 2017-05-29 2018-12-07 한국전자통신연구원 사물인터넷 디바이스 인증 장치 및 방법
KR20210069473A (ko) * 2019-12-03 2021-06-11 삼성전자주식회사 사용자에 대한 인증을 통해 유저 데이터에 대한 권한을 부여하는 시큐리티 프로세서 및 이를 포함하는 컴퓨팅 시스템

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20150129824A (ko) * 2013-03-14 2015-11-20 퀄컴 인코포레이티드 키 복원 공격들을 좌절시키기 위한 대책으로서 송신기-수신기 페어링을 위한 마스터 키 암호화 기능들
KR20150064600A (ko) * 2013-12-03 2015-06-11 에스케이텔레콤 주식회사 M2m 클라우드 스토리지 서비스 제공방법 및 장치
KR20170084875A (ko) * 2016-01-13 2017-07-21 삼성전자주식회사 전자 장치, 그의 통신 방법 및 암호화 방법
KR20180130203A (ko) * 2017-05-29 2018-12-07 한국전자통신연구원 사물인터넷 디바이스 인증 장치 및 방법
KR20210069473A (ko) * 2019-12-03 2021-06-11 삼성전자주식회사 사용자에 대한 인증을 통해 유저 데이터에 대한 권한을 부여하는 시큐리티 프로세서 및 이를 포함하는 컴퓨팅 시스템

Similar Documents

Publication Publication Date Title
WO2020171538A1 (fr) Dispositif électronique et procédé de fourniture de service de signature numérique de chaîne de blocs utilisant ce dernier
WO2019164339A1 (fr) Dispositif électronique et procédé de partage de données d'écran
WO2019172641A1 (fr) Dispositif électronique et procédé associé de gestion de clé électronique
WO2020184987A1 (fr) Dispositif électronique comprenant un circuit intégré sécurisé
WO2020091525A1 (fr) Procédé de paiement à l'aide d'une authentification biométrique et dispositif électronique associé
WO2019098790A1 (fr) Dispositif électronique et procédé de transmission et de réception de données d'après un système d'exploitation de sécurité dans un dispositif électronique
WO2022154272A1 (fr) Dispositif iot et procédé d'intégration d'un dispositif iot dans un serveur
WO2021060745A1 (fr) Dispositif électronique pour la mise à jour d'un microprogramme à l'aide d'un circuit intégré de sécurité et son procédé de fonctionnement
KR102643372B1 (ko) 장치를 탐색하는 전자 장치 및 그 방법
WO2022114857A1 (fr) Dispositif électronique qui partage des données en utilisant un réseau de chaîne de blocs, et son procédé de fonctionnement
WO2022010134A1 (fr) Procédé de chiffrement de message et dispositif électronique
WO2020149555A1 (fr) Dispositif électronique de sélection de clé à utiliser pour le chiffrement sur la base de la quantité d'informations de données à chiffrer, et procédé de fonctionnement de dispositif électronique
WO2023038466A1 (fr) Dispositif électronique pour générer une transaction dans un réseau à chaîne de blocs, et son procédé de fonctionnement
WO2022145768A1 (fr) Dispositif électronique effectuant une communication sans fil avec un dispositif accessoire et son procédé de fonctionnement
WO2024005419A1 (fr) Dispositif électronique permettant de fournir un service de chiffrement, et son procédé de fonctionnement
WO2022146026A1 (fr) Procédé de traitement de données protégées et dispositif électronique le prenant en charge
WO2019164204A1 (fr) Dispositif électronique et son procédé de fonctionnement
WO2021085954A1 (fr) Dispositif électronique pour garantir l'intégrité d'informations intrinsèques de dispositif électronique, et son procédé de fonctionnement
WO2022182102A1 (fr) Procédé de mise en œuvre d'une authentification d'utilisateur et dispositif de mise en œuvre associé
WO2021025322A1 (fr) Dispositif électronique d'activation d'une application à travers un compte clé, et système le comprenant
WO2020171466A1 (fr) Dispositif électronique et procédé d'authentification dans le dispositif électronique
WO2022139468A1 (fr) Dispositif électronique de partage d'id et de mot de passe, procédé de fonctionnement associé, et serveur
WO2024039235A1 (fr) Dispositif électronique et procédé pour effectuer une authentification d'utilisateur sur un dispositif électronique
WO2023038222A1 (fr) Dispositif électronique permettant de protéger des informations biologiques d'un utilisateur
WO2024049141A1 (fr) Dispositif électronique pour stocker des données chiffrées dans une mémoire non volatile et procédé s'y rapportant

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23831779

Country of ref document: EP

Kind code of ref document: A1