
KR20170029944A - Apparatus for user authentication - Google Patents


Info

Publication number
KR20170029944A
Authority
KR
South Korea
Prior art keywords
service
master
authentication key
program
user
Application number
KR1020150127141A
Other languages
Korean (ko)
Other versions
KR101746598B1 (en)
Inventor
임용훈
Original Assignee
임용훈
Application filed by 임용훈
Priority to KR1020150127141A (KR101746598B1)
Priority to PCT/KR2015/009523 (WO2016039568A1)
Publication of KR20170029944A
Application granted
Publication of KR101746598B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

An apparatus for communicating with a master server and a service server according to an aspect of the present invention includes at least one processor; a memory; and a master program and a service program stored in the memory and configured to be executed by the one or more processors. The master program generates a plurality of different service secret hash values using different service secret divisors input by the user, and the service program generates a service user authentication key using a service secret hash value selected from the plurality of service secret hash values and a personal secret number, and stores the service user authentication key as authentication information. The master program maps a unique code received from the service program to the selected service secret hash value among the plurality of service secret hash values and stores the mapping.

Description

APPARATUS FOR USER AUTHENTICATION

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to user authentication, and more particularly, to an apparatus for user authentication that realizes double security using a hash function.

Today, communication networks around the world are interconnected, so the exchange of information through the Internet has become common and the retrieval, storage and extraction of information is ever more active. At the same time, as techniques for identifying a user through a specific server have come into use, the leakage of personal information and the hacking of networks have become serious social problems. Typical hacking activities in Korea are mainly simple intrusion, identity theft, data theft, data modification and destruction; the hacking situation abroad is very serious compared with the domestic one.

In the conventional general user authentication scheme, when a user provides his or her identification information (ID) and a password to the server, the server stores the hash value of every user's password, takes the hash value of the password presented, compares the two values, and thereby verifies that the user is legitimate. For reference, a hash function is a function that can be computed quickly and easily in one direction but cannot feasibly be computed in the reverse direction.

However, in the conventional user authentication technique, if the user identification information and the password are exposed, the personal information may be exposed as well, so security is weak. Also, when the authentication program is copied or duplicated, . Also, security is weak because authentication is one-dimensional, relying only on the ID and password.

Korean Patent Publication No. 10-2010-0101887 (2010.09.20)

The present invention has been proposed to solve the above-mentioned problems, and it is an object of the present invention to provide an apparatus for user authentication that can authenticate a user using multiple security means.

According to an aspect of the present invention, there is provided an apparatus for communicating with a master server and a service server, the apparatus comprising: at least one processor; a memory; and a master program and a service program stored in the memory and configured to be executed by the one or more processors. The master program generates a plurality of different service secret hash values using different service secret divisors input by the user, and the service program generates a service user authentication key using a service secret hash value selected from the plurality of service secret hash values and a personal secret number, and stores the service user authentication key as authentication information. The master program maps a unique code received from the service program to the selected service secret hash value among the plurality of service secret hash values and stores the mapping.

The service program receives a personal secret number and a one-time secret password issued by the service server at the time of user authentication, transmits the unique code to the master program to request a service secret hash value, receives from the master program the service secret hash value corresponding to the unique code, generates a service user authentication key using the received service secret hash value and the input personal secret number, transmits to the service server an authentication request including a one-time authentication key generated using the service user authentication key and the one-time secret password, and receives an authentication response based on the comparison result between the one-time authentication key generated by the service server and the one-time authentication key included in the authentication request.

The master program generates a master device authentication key using unique information of the apparatus and encrypts each of the plurality of service secret hash values together with the master device authentication key. When it receives a service secret hash value request from the service program, it decrypts the service secret hash value and the master device authentication key and then verifies the decrypted master device authentication key.

The service program generates and stores a service device authentication key using unique information of the apparatus, generates and stores a service program authentication key using the service device authentication key, the selected service secret hash value and a time stamp, transmits the service device authentication key and the service program authentication key to the service server as authentication information to be registered, and at the time of user authentication transmits a pre-authentication request including the stored device authentication key and the stored service program authentication key to the service server. At this time, the one-time secret password may be issued when the device authentication key and the service program authentication key registered in the service server match the device authentication key and the service program authentication key included in the pre-authentication request.

The service program transmits the unique code to the master program upon authentication of the user, receives in response the service secret hash value corresponding to the unique code from the master program, generates a service user authentication key using the received service secret hash value and the personal password input by the user, transmits an authentication request including the service user authentication key to the service server, and receives an authentication response according to the comparison result between the registered service user authentication key and the service user authentication key included in the request.

The master program receives and stores a nickname for each of the plurality of service secret hash values, and the service program can select a service secret hash value based on the nicknames received from the master program.

The master program generates a master secret hash value using a master secret divisor input by the user, generates a master user authentication key using the personal secret number and the master secret hash value, and transmits the master user authentication key to the master server to be registered as authentication information. When a service secret hash value is to be generated or changed, it can be generated or changed upon successful authentication using the master user authentication key.

The master program may permit generation or modification of a service secret hash value upon successful authentication using the master user authentication key and the one-time secret password issued by the master server at the time of creating or changing the service secret hash value.

The master program generates and stores a master device authentication key using unique information of the apparatus, generates and stores a master program authentication key using the master device authentication key, the master secret hash value and a time stamp, and transmits the master device authentication key and the master program authentication key to the master server as authentication information to be registered. When a service secret hash value is created or changed, it performs pre-authentication using the master device authentication key and the master program authentication key and may perform the final authentication using the master user authentication key.

In the present invention, when a user registers and uses different authentication information for each service server, the authentication information is stored in advance in a separate safe space, so that the user can use it for authentication with only simple input, which increases convenience.

According to the present invention, multiple authentication is performed using a device authentication key, a program authentication key, a user authentication key, and a one-time secret password, which increases convenience.

FIG. 1 is a diagram illustrating an authentication system according to an embodiment of the present invention.
FIG. 2 is a diagram showing a configuration of the user terminal of FIG. 1.
FIG. 3 is a flowchart illustrating a process of registering a service secret hash value according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a process of setting authentication information for a specific service server according to an exemplary embodiment of the present invention.
FIG. 5 is a flowchart illustrating a process of logging into the service server 400 after the setting process of FIG.

The foregoing and other objects, features and advantages of the present invention will become more apparent from the following detailed description when taken in conjunction with the accompanying drawings. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail. Hereinafter, a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating an authentication system according to an embodiment of the present invention, and FIG. 2 is a diagram illustrating a configuration of the user terminal of FIG. 1.

Referring to FIG. 1, the authentication system according to the present embodiment includes a user terminal 100, a master server 200, a communication network 300, and a service server 400.

The user terminal 100 may be a mobile communication terminal such as a smart phone, or a personal computer. Referring to FIG. 2, the user terminal 100 includes a memory 110, a memory controller 121, one or more processors (CPUs) 122, a peripheral interface 123, an input/output (I/O) subsystem 130, a display device 141, an input device 142, and a communication circuit 152. These components communicate through one or more communication buses or signal lines. The various components shown in FIG. 2 may be implemented in hardware, software, or a combination of both hardware and software, including one or more signal processing and/or application specific integrated circuits.

The memory 110 may include a high-speed random access memory and may also include one or more magnetic disk storage devices, non-volatile memory such as a flash memory device, or other non-volatile semiconductor memory device. In some embodiments, the memory 110 may include a storage device located remotely from the one or more processors 122 and reached, for example, through the communication circuit 152 over a network (not shown) such as the Internet, an intranet, a local area network (LAN), a wireless LAN (WLAN), a storage area network (SAN), or any suitable combination thereof. Access to the memory 110 by other components of the user terminal 100, such as the processor 122 and the peripheral interface 123, may be controlled by the memory controller 121.

The peripheral interface 123 connects the input / output peripheral device of the user terminal 100 to the processor 122 and the memory 110. The one or more processors 122 execute various software programs and / or a set of instructions stored in the memory 110 to perform various functions for the device 100 and process the data. In some embodiments, peripheral interface 123, processor 122, and memory controller 121 may be implemented on a single chip, such as chip 120. In other embodiments, they may be implemented as separate chips.

The I / O subsystem 130 provides an interface between the input / output peripheral of the user terminal 100, such as the display device 141, the input device 142, and the peripheral interface 123.

The display device 141 may use liquid crystal display (LCD) technology or light emitting polymer display (LPD) technology, and its touch sensing may be capacitive, resistive, infrared, or the like. The touch display provides an output interface and an input interface between the terminal and the user. The touch display displays a visual output to the user. The visual output may include text, graphics, video, and combinations thereof. Some or all of the visual output may correspond to a user interface object. The touch display forms a touch sensitive surface that accepts user input.

The processor 122 is configured to perform operations associated with the user terminal 100 and to execute instructions; for example, using instructions retrieved from the memory 110, it can control the reception and manipulation of data.

In some embodiments, the software components include an operating system 111, a graphics module (instruction set) 112, a master program 113 (instruction set), and a service program 114 (instruction set).

The operating system 111 may be an embedded operating system such as Darwin, RTXC, LINUX, UNIX, OS X, WINDOWS, VxWorks or Android; it includes various software components and/or drivers for controlling and managing general system tasks (memory management, storage control, power management, etc.) and facilitates communication between the various hardware and software components.

The graphics module 112 includes a number of well-known software components for providing and displaying graphics on the display device 141. The term "graphics" includes, without limitation, text, web pages, icons (e.g., user interface objects including soft keys), digital images, video, animations, and the like.

The communication circuit 152 transmits and receives signals over a wire, or transmits and receives electromagnetic waves wirelessly. It converts electrical signals to electromagnetic waves and vice versa and communicates with the communication network, other mobile gateways, and communication devices through those electromagnetic waves. The communication circuit 152 may include, without limitation, well-known circuits for performing such functions, for example an antenna system, an RF transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a CODEC chipset, and a subscriber identity module (SIM) card. The communication circuit 152 can communicate with other devices over any of a variety of communication networks, including the Internet, referred to as the World Wide Web (WWW), an intranet and/or a cellular telephone network, a wireless LAN and/or a metropolitan area network. The wireless communication may use any of a plurality of communication standards, protocols, and techniques, including but not limited to Global System for Mobile Communications (GSM), Enhanced Data GSM Environment (EDGE), wideband code division multiple access (WCDMA), code division multiple access (CDMA), time division multiple access (TDMA), Wi-MAX, Bluetooth, ZigBee, Near Field Communication (NFC), or any other suitable communication protocol, including communication protocols not yet developed at the time of filing of the present application.

The master program 113 communicates with the master server 200 to register authentication information for membership in the master server 200 and then authenticates the user with the master server 200 using that authentication information. At the time of membership registration, identification information such as an ID, a name, a date of birth, an address, and a telephone number may be stored in the master server 200 as member information. Here, the authentication information includes a master device authentication key, a master program authentication key, and a master user authentication key, generated using a hash algorithm. The master program authentication key and the master user authentication key are generated using the master secret hash value.

The master program 113 generates at least one service secret hash value that the user can use in the service server 400, registers it in the master server 200, and also stores the hash value itself. When generating the service secret hash value, the master program 113 receives a nickname for it from the user and stores the nickname together with it. When the user selects one of the at least one service secret hash values as the one to be used in the service server 400, the master program 113 maps the unique code of the service program 114 to the corresponding service secret hash value, stores the mapping together with the hash value, and also registers it with the master server 200.

The service secret hash value is stored in the master program 113 and the master server 200 so that the service secret hash value can be restored even if the user terminal 100 is changed and the master program 113 is reinstalled.

The master program 113 authenticates the user using the master device authentication key, the master program authentication key, and the master user authentication key when registering or changing a service secret hash value, and permits the registration or change only when the authentication succeeds.

The service program 114 communicates with the service server 400 and provides the service of the service server 400 to the user. The service program 114 registers authentication information in the service server 400 and performs authentication of the user with the service server 400 using the authentication information. Here, the authentication information includes a service device authentication key, a service program authentication key, and a service user authentication key, which are generated using a hash algorithm. In this case, the service program authentication key and the service user authentication key are generated using the service secret hash value. The service secret hash value is selected from at least one service secret hash value managed by the master program 113.

The master server 200 stores and registers authentication information in the database 210. Referring to FIG. 1, the master server 200 stores in the database 210, keyed by the ID of the user, at least one service secret hash value that the user can use in the service server 400 together with the nickname of each service secret hash value, and also stores the authentication information with them.

The master server 200 compares the master device authentication key, the master program authentication key and the master user authentication key received from the user terminal 100 with the master device authentication key, master program authentication key and master user authentication key of the user registered in the database 210.

Alternatively, when user authentication is required, the master server 200 performs pre-authentication by comparing the master device authentication key and the master program authentication key received from the user terminal 100 with the master device authentication key and master program authentication key registered in the database 210. If the pre-authentication is successful, the master server 200 issues a one-time secret password to the user. When the master server 200 receives from the user terminal 100 the one-time authentication key generated using the one-time secret password and the master user authentication key, it generates a one-time authentication key using the previously registered master user authentication key and the issued one-time secret password, and compares it with the one-time authentication key received from the user terminal 100 to perform final authentication.

When the master server 200 receives user identification information from the service server 400, it identifies the user and the user's authentication information using that identification information and can perform authentication with the user terminal 100. The master server 200 then returns the authentication result to the service server 400.

The service server 400 may be an Internet web server that requires login, a server of a financial institution that provides Internet banking, a payment server that provides electronic payment, a server connected to an offline kiosk or to an agent terminal at an offline consultation counter such as a financial institution, and the like. When authentication of the user is required, the service server 400 may perform the user authentication process by communicating directly with the service program 114 of the user terminal 100, or may transmit user identification information to the master server 200 and request user authentication. Here, the user identification information is identification information such as the ID stored in the master server 200.

In the user authentication process through direct communication with the service program 114, the service server 400 compares the service device authentication key, the service program authentication key, and the service user authentication key received from the user terminal 100 with the service device authentication key, service program authentication key, and service user authentication key of the previously registered user stored in the database 410.

Alternatively, the service server 400 performs pre-authentication by comparing the service device authentication key and the service program authentication key received from the user terminal 100 with the service device authentication key and the service program authentication key of the user registered in the database 410. If the pre-authentication is successful, the service server 400 issues a one-time secret password and transmits it to the user. When the service server 400 receives from the user terminal 100 the one-time authentication key generated using the service user authentication key and the one-time secret password, it generates a one-time authentication key using the previously registered service user authentication key and the issued one-time secret password, and compares it with the one-time authentication key received from the user terminal 100 to perform final authentication.
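The exchange just described for the service server, and the matching service-program side summarized earlier (pre-authentication with the device and program authentication keys, issuance of a one-time secret password, final authentication with a one-time authentication key), as an added Python example. This is not code from the patent. The description names the inputs of each key but not the hash function or how the inputs are combined, so SHA-256, the label-plus-length-prefix construction, the 16-byte random one-time secret password handed straight back to the program (standing in for whatever channel delivers it to the user), and every sample value (MAC address, time stamp, secret divisor, PIN, user id) are assumptions made here.

```python
"""Pre-authentication and final authentication between service program and
service server (added example, not the patent's code; SHA-256 and the input
combination are assumptions, all sample values are constructed)."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def derive(label: str, *parts: bytes) -> bytes:
    """SHA-256 over a label and length-prefixed parts (assumed construction)."""
    h = hashlib.sha256()
    h.update(label.encode())
    for p in parts:
        h.update(struct.pack(">I", len(p)))
        h.update(p)
    return h.digest()


class ServiceServer:
    """Holds the registered authentication information (the role of database 410)."""

    def __init__(self) -> None:
        self.db: Dict[str, Dict[str, bytes]] = {}
        self.pending_otp: Dict[str, bytes] = {}  # user id -> issued one-time secret password

    def register(self, user_id: str, device_key: bytes, program_key: bytes, user_key: bytes) -> None:
        self.db[user_id] = {"device": device_key, "program": program_key, "user": user_key}

    def pre_authenticate(self, user_id: str, device_key: bytes, program_key: bytes) -> Optional[bytes]:
        """Compare device and program keys; on success issue a one-time secret password."""
        rec = self.db.get(user_id)
        if rec is None:
            return None
        # Constant-time comparisons, both evaluated (no short-circuit).
        ok = hmac.compare_digest(rec["device"], device_key) & hmac.compare_digest(rec["program"], program_key)
        if not ok:
            return None
        otp = secrets.token_bytes(16)
        self.pending_otp[user_id] = otp
        return otp

    def final_authenticate(self, user_id: str, one_time_key: bytes) -> bool:
        """Recompute the one-time authentication key from the registered user key and compare."""
        otp = self.pending_otp.pop(user_id, None)  # consumed on first use, match or not
        rec = self.db.get(user_id)
        if otp is None or rec is None:
            return False
        expected = derive("one-time-auth-key", rec["user"], otp)
        return hmac.compare_digest(expected, one_time_key)


class ServiceProgram:
    """Terminal side: device key, program key and the selected service secret hash."""

    def __init__(self, device_key: bytes, program_key: bytes, secret_hash: bytes) -> None:
        self.device_key = device_key
        self.program_key = program_key
        self.secret_hash = secret_hash

    def login(self, server: ServiceServer, user_id: str, pin: str) -> bool:
        otp = server.pre_authenticate(user_id, self.device_key, self.program_key)
        if otp is None:
            return False
        user_key = derive("user-auth-key", self.secret_hash, pin.encode())
        one_time_key = derive("one-time-auth-key", user_key, otp)
        return server.final_authenticate(user_id, one_time_key)


def run_scenarios() -> Dict[str, bool]:
    # Constructed sample inputs; in the scheme the secret hash comes from the
    # master program and the device key from the terminal's unique information.
    device_key = derive("device-auth-key", b"02:00:00:00:00:01")
    secret_hash = derive("secret-hash", b"constructed long service secret divisor")
    program_key = derive("program-auth-key", device_key, b"2015-09-08T10:00:00Z", secret_hash)
    user_key = derive("user-auth-key", secret_hash, b"123456")

    server = ServiceServer()
    server.register("alice", device_key, program_key, user_key)
    client = ServiceProgram(device_key, program_key, secret_hash)

    results: Dict[str, bool] = {}
    results["correct_pin"] = client.login(server, "alice", "123456")
    results["wrong_pin"] = client.login(server, "alice", "654321")
    # A copy of the program on another terminal derives a different device key,
    # so pre-authentication fails and no one-time secret password is issued.
    other = ServiceProgram(derive("device-auth-key", b"02:00:00:00:00:02"), program_key, secret_hash)
    results["copied_program"] = other.login(server, "alice", "123456")
    # A one-time authentication key is accepted once; presenting it again fails
    # because its one-time secret password has already been consumed.
    otp = server.pre_authenticate("alice", device_key, program_key)
    one_time_key = derive("one-time-auth-key", user_key, otp)
    first = server.final_authenticate("alice", one_time_key)
    again = server.final_authenticate("alice", one_time_key)
    results["replay_rejected"] = first and not again
    return results
```

Calling `run_scenarios()` exercises the four outcomes the description implies: the correct PIN passes, a wrong PIN fails at final authentication, a program copied to another terminal fails pre-authentication (the weakness the background section names), and a one-time authentication key cannot be reused because the server discards the one-time secret password on first use. All comparisons go through `hmac.compare_digest` so key checks take the same time whether or not they match.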

At the time of user authentication through the master server 200, the service server 400 transmits the user identification information received from the user terminal 100 to the master server 200 and receives the authentication result from the master server 200. At this time, the master server 200 communicates with the master program 113 of the user terminal 100 to authenticate the user in the manner described above and transmits the authentication result to the service server 400.

The master server 200 and the service server 400 refer to an information processing apparatus having at least a processor, a memory, and an input / output interface. The master server 200 and the service server 400 store various data and programs in a memory, and execute them through a processor to process user authentication and service provision.

Hereinafter, the secret hash value, the device authentication key, the program authentication key, the user authentication key, and the one-time authentication key will be described.

The secret hash value is generated using a secret divisor input by the user through the input device of the user terminal 100. Here, the secret divisor may be any one of a long string, an image file, a sound file, or a video file, but is not limited thereto; it is data that only the user can know. The secret divisor associated with the master server 200 is the master secret divisor, and the secret divisor associated with the service server 400 is the service secret divisor. The result obtained by inputting the secret divisor as a seed value into the hash function is the secret hash value. The secret hash value may be stored in a binary file. The secret hash value associated with the master server 200 is the master secret hash value, and the secret hash value associated with the service server 400 is the service secret hash value.

The master program 113 uses the secret hash value, i.e., the master secret hash value, when generating the authentication information to be registered in the master server 200. In addition, the master program 113 generates and manages at least one secret hash value that can be used when the user uses the service of the service server 400, that is, a service secret hash value. The service secret hash value is stored in both the master program 113 and the master server 200, so even if the user terminal 100 is changed, the service secret hash value can be restored after authentication by the master server 200. When generating the service secret hash value, the master program 113 receives a nickname for each service secret hash value from the user, maps the nickname to the service secret hash value, and stores the mapping. Therefore, the user only needs to select a nickname when choosing one of the service secret hash values provided by the master program 113 in the service program 114. When the user selects a service secret hash value to be used with the service of the service server 400, the master program 113 receives the unique code of the service program 114 corresponding to the service server 400, maps the unique code to the corresponding service secret hash value, and stores the mapping. Accordingly, the mapping information of service secret hash value / nickname / unique code is stored in the user terminal 100, and the same mapping information, keyed by the ID of the user, is stored in the master server 200.

The master secret hash value and the service secret hash value differ from each other because the secret divisors used as their seeds differ. Likewise, when there are multiple service secret hash values, the secret divisor of each is different, and therefore each service secret hash value is different. The service secret hash value is stored in synchronization in the user terminal 100 and the master server 200, but the master secret hash value is not stored in either of them. That is, the master secret hash value is generated by receiving the master secret divisor from the user whenever it is needed.

The secret hash value may be stored not by itself but in encrypted form. When encrypting, the secret hash value can be encrypted together with the device authentication key. Therefore, when using the secret hash value, the master program 113 decrypts the encrypted secret hash value and device authentication key and then compares the restored device authentication key with the previously stored device authentication key. If the device authentication keys do not match, the process is automatically stopped.

The device authentication key is a value generated by inputting unique information of the user terminal 100, for example, a MAC address or a universally unique identifier (UUID) of a network interface card (NIC) as a seed value in a hash function. Since the master program 113 and the service program 114 are installed in the same user terminal 100, the master device authentication key and the service device authentication key are the same.

The program authentication key is a value generated by inputting a device authentication key, a time stamp, and a secret hash value into a hash function as a seed value. The time stamp is a character string indicating the time at which the program authentication key is generated. Accordingly, the master program authentication key is generated from the master device authentication key, the time stamp, and the master secret hash value, and the service program authentication key is generated from the service device authentication key, the time stamp, and the service secret hash value. The program authentication key may be stored in the programs 113 and 114 as a binary file.

The user authentication key is a value generated by inputting a secret hash value and a personal password, entered by the user through the input device, into the hash function as a seed value. Thus, the master user authentication key is generated from the master secret hash value and the personal password, and the service user authentication key is generated from the service secret hash value and the personal password. The personal password entered when generating the master user authentication key and the one entered when generating the service user authentication key may differ, depending on the user's choice. The personal password may be, for example, a six-digit number, but it is not limited thereto and may be a combination of numbers and letters. Whereas the secret divisor is a long text string or an image file, the personal password input by the user when generating the user authentication key is a certain number of digits.

Among the above-described secret hash value, device authentication key, program authentication key, and user authentication key, the device authentication key and the program authentication key are stored in both the user terminal 100 and the servers 200 and 400, whereas the user authentication key is stored only in the servers 200 and 400. The master secret hash value is not stored anywhere and is generated every time the user is authenticated with the master server 200. The service secret hash value is stored in synchronization between the master program 113 and the master server 200.
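The key hierarchy described in the preceding paragraphs, as an added Python example that is not code from the patent. It assumes SHA-256 as the hash function, a length-prefixed concatenation of the seed parts (so that device key, time stamp and secret hash cannot be re-split differently), and a hash-counter keystream as a stand-in for the cipher used to store the secret hash value encrypted together with the device authentication key; all sample values are constructed.

```python
import hashlib
import hmac
from typing import Optional


def h(*parts: bytes) -> bytes:
    """The hash function of the description (SHA-256 assumed). Each seed part is
    length-prefixed so that the parts cannot be shifted between fields."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def secret_hash_value(secret_divisor: bytes) -> bytes:
    """Master or service secret hash value: hash of the secret divisor
    (a long string, or the bytes of an image, sound or video file)."""
    return h(secret_divisor)


def device_authentication_key(device_unique_info: bytes) -> bytes:
    """Seeded with terminal-unique information such as a NIC MAC address or a UUID."""
    return h(device_unique_info)


def program_authentication_key(device_key: bytes, time_stamp: str, secret_hash: bytes) -> bytes:
    """Seed: device authentication key, time stamp string, secret hash value."""
    return h(device_key, time_stamp.encode(), secret_hash)


def user_authentication_key(secret_hash: bytes, personal_password: str) -> bytes:
    """Seed: secret hash value and the short personal password typed by the user."""
    return h(secret_hash, personal_password.encode())


def one_time_authentication_key(one_time_secret_password: str, user_key: bytes) -> bytes:
    """Seed: the issued one-time secret password and the user authentication key."""
    return h(one_time_secret_password.encode(), user_key)


# --- storing a secret hash value encrypted together with the device key ---

def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher (hash in counter mode) so the example runs with the
    standard library only; a real implementation would use an AEAD such as AES-GCM."""
    out = b""
    for counter in range((length + 31) // 32):
        out += h(b"keystream", key, counter.to_bytes(4, "big"))
    return out[:length]


def seal_secret_hash(secret_hash: bytes, device_key: bytes) -> bytes:
    """Encrypt the secret hash value and the device key together under the device key."""
    plaintext = secret_hash + device_key
    return bytes(a ^ b for a, b in zip(plaintext, _keystream(device_key, len(plaintext))))


def open_secret_hash(blob: bytes, device_key: bytes) -> Optional[bytes]:
    """Decrypt and release the secret hash value only if the device key recovered
    from the blob equals the key derived on this terminal; otherwise stop (None).
    On a different terminal the keystream differs, so the recovered key is garbage."""
    plaintext = bytes(a ^ b for a, b in zip(blob, _keystream(device_key, len(blob))))
    secret_hash, stored_device_key = plaintext[:32], plaintext[32:]
    if not hmac.compare_digest(stored_device_key, device_key):
        return None
    return secret_hash
```

The length prefix in h() is the one detail worth copying into a real implementation: without it, the three-part seed of the program authentication key is just a byte concatenation, and two different (device key, time stamp, secret hash) triples could hash to the same value.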

The one-time secret password is a value generated in the master server 200 or the service server 400 at the time of user authentication and received at a destination designated by the user. The destination designated by the user may be the user terminal 100, another device carried by the user such as a wearable device, or an email address, but it is not limited thereto. The one-time secret password may be received in the form of a short message (SMS) or a push message. The user can input the one-time secret password through the keypad provided in the master program 113 or the service program 114, or input it through an image.

The one-time authentication key is a value generated by inputting the one-time secret password entered by the user and the user authentication key into the hash function as the seed value. Specifically, when the one-time secret password is issued from the server 200 or 400 to the user, the user inputs the personal password and the issued one-time secret password into the programs 113 and 114. The programs 113 and 114 then generate the user authentication key using the personal password, generate the one-time authentication key using the generated user authentication key and the one-time secret password, and transmit the generated one-time authentication key to the servers 200 and 400. The servers 200 and 400 compare the received one-time authentication key with the one-time authentication key they generate themselves.

Authentication can succeed in either of two ways.

First, the programs 113 and 114 transmit to the server 200, 400 an authentication request including user identification information, a device authentication key, a program authentication key, and a user authentication key. The server 200, 400 compares the user identification information, device authentication key, program authentication key, and user authentication key included in the authentication request with the previously registered user identification information, device authentication key, program authentication key, and user authentication key; if they are the same, authentication succeeds.

Secondly, the programs 113 and 114 transmit a pre-authentication request including the user identification information, the device authentication key, and the program authentication key to the server 200, 400. When the user identification information, the device authentication key, and the program authentication key included in the pre-authentication request are the same as the previously registered user identification information, device authentication key, and program authentication key, the servers 200 and 400 issue the one-time secret password. The one-time secret password is received at the destination designated by the user. The user inputs the one-time secret password through the keypad or the image provided in the master program 113 or the service program 114. The programs 113 and 114 generate a one-time authentication key by inputting the one-time secret password entered by the user and the user authentication key into the hash function as a seed value, and transmit it to the servers 200 and 400. The servers 200 and 400 themselves generate a one-time authentication key using the issued one-time secret password and the user authentication key registered for that user, compare it with the received one-time authentication key, and determine that authentication has succeeded if the two match.

In the above description, the user is authenticated using all of the device authentication key, the program authentication key, and the user authentication key. However, the user can be authenticated using only the user authentication key, with the device authentication key and the program authentication key used as additional factors. Using the device authentication key prevents authentication from being attempted from a user terminal 100 other than the predetermined user terminal 100. Using the program authentication key prevents an illegally copied program from being used for authentication.

On the other hand, the above-described authentication method can also be applied when the user sets a new service secret hash value in the master program 113 or changes a previously set service secret hash value. That is, when the user has been authenticated by the master server 200 through the above-described authentication process, the master program 113 can set a new service secret hash value or allow an existing service secret hash value to be changed.

FIG. 3 is a flowchart illustrating a process of registering a service secret hash value according to an embodiment of the present invention.

Referring to FIG. 3, the user executes the master program 113 in the user terminal 100 and joins the master server 200 through the master program 113 (S301). That is, the user registers an ID, a resident registration number, a password, an address, and the like with the master server 200. Then, the user selects the master secret divisor through the input device of the user terminal 100 (S303). Here, the secret divisor may be any of a long string, an image file, a sound file, or a video file, but is not limited thereto; it is data that only the user knows.

The master program 113 generates the master secret hash value by inputting the selected master secret divisor as a seed value into the hash function (S305). Then, the master program 113 generates authentication information (S307). Here, the authentication information includes a master device authentication key, a master program authentication key, and a master user authentication key. The master device authentication key is a value generated by inputting unique information of the user terminal 100, for example, a MAC address or UUID (Universally Unique Identifier) of a network interface card (NIC) as a seed value in a hash function. The master program authentication key is a value generated by inputting master device authentication key, time stamp, and master secret hash value into the hash function as a seed value. The master user authentication key is a value generated by inputting a master secret hash value and a personal password input from a user through an input device into a hash function as a seed value.

The master program 113 transmits the generated authentication information to the master server 200 for registration (S309). The master server 200 stores the authentication information keyed by the user's ID. Then, the master program 113 also stores the master program authentication key and the master device authentication key, but not the master user authentication key, in the user terminal 100.

Next, a service secret hash value to be used selectively with the plurality of service servers 400 is generated.

The user selects the service secret divisor through the input device of the user terminal 100 (S311). Like the master secret divisor, the service secret divisor can be a long string, an image file, a sound file, or a video file, and the master secret divisor and the service secret divisor are chosen to be different from each other. Then, the user inputs a nickname for the selected service secret divisor through the input device of the user terminal 100 (S313).

The master program 113 generates a service secret hash value by inputting the selected service secret divisor as a seed value into the hash function (S315). Then, the master program 113 transmits the mapping information, consisting of the generated service secret hash value and the input nickname, to the master server 200 (S319). The master server 200 stores and registers the received mapping information (S321), keyed by the ID of the user.

The master program 113 asks the user whether the setting of service secret hash values is complete (S323). When the setting-complete input is received from the user, the setting of service secret hash values ends (S325). If the user wants to set a further service secret hash value, the process is repeated from step S311.

In this manner, the user can set a plurality of service secret hash values. Each service secret hash value differs because it is derived from a different secret divisor. Also, by giving each service secret hash value a distinct nickname, the user can easily tell the service secret hash values apart.

On the other hand, the master program 113 can encrypt each service secret hash value together with the master device authentication key and store the result in the user terminal 100 and the master server 200. In this case, when a service secret hash value is to be used, the service secret hash value and the master device authentication key are decrypted together, the decrypted master device authentication key is compared with the previously stored master device authentication key, and the service secret hash value is allowed to be used only if they match.

FIG. 4 is a flowchart illustrating a process of setting authentication information for a specific service server according to an exemplary embodiment of the present invention. It covers, for example, the case in which, while registering with the service server 400, the user sets up login authentication using the authentication information according to the present invention instead of login authentication using an ID/password. As described above, when login authentication using the authentication information according to the present invention is set, the user does not log in to the service server 400 with an ID/password but logs in using the authentication information according to the present invention.

Although not shown in FIG. 4, the user can execute the service program 114, access the service server 400, and register by entering an ID, a password, and personal information.

Referring to FIG. 4, the service program 114 requests a list of service secret hash values from the master program 113 (S401). The service program 114 communicates with the master program 113 through an API-based interworking module that it includes.

The master program 113 responds to the service program 114 with a list of service secret hash values set by the user (S403). The master program 113 may send a plurality of service secret hash value nicknames to the service program 114.

The service program 114 displays the list of service secret hash values received from the master program 113 (S405) and receives from the user a selection of one of them (S407). The service program 114 transmits selection information for the selected service secret hash value, for example its nickname, together with the unique code of the service program 114 to the master program 113 (S409).

The master program 113 identifies the service secret hash value in the mapping information of service secret hash values and nicknames based on the received nickname, and adds the received unique code to the mapping information (S411). Thus, the unique code is attached to the one service secret hash value, among the plurality present in the mapping information, that the user selected.

The master program 113 transmits the service secret hash value confirmed based on the received nickname to the service program 114 (S413). The service program 114 generates authentication information using the received service secret hash value (S415). Here, the authentication information includes a service device authentication key, a service program authentication key, and a service user authentication key. The service device authentication key is a value generated by inputting unique information of the user terminal 100, for example, a MAC address or a universally unique identifier (UUID) of a network interface card (NIC) as a seed value in a hash function. The service program authentication key is a value generated by inputting a service device authentication key, a time stamp, and a service secret hash value into a hash function as a seed value. The service user authentication key is a value generated by inputting the service secret hash value and the personal password input from the user through the input device into the hash function as the seed value.

The service program 114 transmits the generated authentication information to the service server 400 (S417). The service server 400 stores the authentication information based on the user's ID (S419). Then, the service program 114 stores the service program authentication key and the service device authentication key in the user terminal 100, excluding the service user authentication key.

FIG. 5 is a flowchart illustrating a process of logging in to the service server 400 after the setting process of FIG. 4.

Referring to FIG. 5, the user executes the service program 114 in the user terminal 100, and then transmits a login request according to the present invention to the service server 400 (S501). At this time, the user can input the ID. Accordingly, the service server 400 transmits the data of the personal password input window to the service program 114, and the service program 114 displays the personal password input window (S503).

The service program 114 receives the personal password through the input device of the user terminal 100 (S505).

The service program 114 retrieves the service device authentication key and the service program authentication key stored in it (S507). At this time, the service program 114 can verify the service device authentication key. That is, the service program 114 inputs unique information of the user terminal 100, for example, the MAC address of a network interface card (NIC) or a universally unique identifier (UUID), into a hash function as a seed value to generate a service device authentication key, compares it with the service device authentication key stored internally, and stops without performing the subsequent steps if they do not match.

The service program 114 transmits a pre-authentication request including the retrieved service device authentication key and service program authentication key to the service server 400 (S509). The service server 400 compares the service device authentication key and the service program authentication key included in the pre-authentication request with the service device authentication key and the service program authentication key of the previously registered user and determines whether they match (S511). At this time, the service server 400 can retrieve the previously registered service device authentication key and service program authentication key using the ID of the user.

The service server 400 generates a one-time secret password (S513). The one-time secret password consists of a certain number of digits. The service server 400 transmits the one-time secret password to the destination designated by the user; in the present embodiment, it is transmitted to the user terminal 100 (S515).

The service program 114 transmits a unique code of the service program to the master program 113 to request a service secret hash value (S517). The master program 113 retrieves a service secret hash value corresponding to the unique code from the mapping information stored in the memory using the received unique code (S519). Then, the master program 113 transmits the retrieved service secret hash value to the service program 114 (S521).

The service program 114 generates a service user authentication key using the received service secret hash value and the personal password input in step S505 (S523). That is, the service program 114 generates the service user authentication key by inputting the received service secret hash value and the personal password input in step S505 into the hash function as a seed value.

The service program 114 receives from the user the one-time secret password delivered in step S515, and generates a one-time authentication key by inputting that one-time secret password and the service user authentication key generated in step S523 into the hash function as a seed value (S525). Then, the service program 114 transmits the generated one-time authentication key to the service server 400 (S527).

The service server 400 verifies the one-time authentication key received from the user terminal 100 (S529). That is, the service server 400 generates a one-time authentication key by inputting the previously stored service user authentication key of the user and the one-time secret password generated in step S513 into the hash function, and compares it with the one-time authentication key received in step S527. If they match, it is determined that the authentication is successful.

When the authentication is successful, the service server 400 transmits an authentication success response to the service program 114 (S531).

As described above with reference to FIG. 5, the user does not need to select the secret divisor to log in to the service server 400; simply inputting the personal password and the one-time secret password issued by the service server 400 is enough to log in to the service server 400.

The embodiment described with reference to FIG. 5 authenticates the user using a one-time secret password. However, the one-time secret password need not be used. That is, when the personal password is input by the user in step S505, the service program 114 performs steps S517 to S521 to receive the service secret hash value from the master program 113, and then transmits the service device authentication key, the service program authentication key and the service user authentication key to the service server 400. The service server 400 compares the service device authentication key, service program authentication key and service user authentication key of the previously stored user with the service device authentication key, service program authentication key and service user authentication key received from the service program 114, and can judge that authentication is successful when all of them match.
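The setting process of FIG. 4 and the login process of FIG. 5, including the variant without a one-time secret password just described and the two authentication paths described earlier, as an added Python example that is not code from the patent. It assumes SHA-256 for the hash function, a Python dict standing in for the master server's per-user mapping store, a six-digit one-time secret password, and an API between the service program and the master program modelled as direct method calls; the names MasterProgram, ServiceServer and ServiceProgram and all sample values are constructed.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """Hash function of the description (SHA-256 assumed) over length-prefixed seed parts."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


class MasterProgram:
    """Master program 113: keeps the service secret hash values and their
    nickname / unique-code mapping, mirrored in master server 200 per user ID."""

    def __init__(self, user_id: str, master_server: dict):
        # master_server: user ID -> {nickname: {"hash": bytes, "codes": set()}} (S321);
        # a master program installed on a new terminal restores its mapping from here.
        self.mapping = master_server.setdefault(user_id, {})

    def set_service_secret(self, nickname: str, service_secret_divisor: bytes) -> None:
        self.mapping[nickname] = {"hash": h(service_secret_divisor), "codes": set()}  # S315-S319

    def nicknames(self) -> list:
        return list(self.mapping)                                            # S403

    def select(self, nickname: str, unique_code: str) -> bytes:
        entry = self.mapping[nickname]
        entry["codes"].add(unique_code)                                      # S411: bind the unique code
        return entry["hash"]                                                 # S413

    def lookup(self, unique_code: str) -> bytes:
        for entry in self.mapping.values():                                  # S519
            if unique_code in entry["codes"]:
                return entry["hash"]
        raise KeyError("no service secret hash value is mapped to this unique code")


class ServiceServer:
    """Service server 400: stores the three registered keys per user ID."""

    def __init__(self):
        self.registered = {}   # user ID -> (device key, program key, user key)
        self.issued_otp = {}   # user ID -> issued one-time secret password not yet used

    def register(self, user_id, device_key, program_key, user_key) -> None:
        self.registered[user_id] = (device_key, program_key, user_key)       # S419

    def pre_authenticate(self, user_id, device_key, program_key):
        reg_dev, reg_prog, _ = self.registered[user_id]                      # S511
        if not (hmac.compare_digest(device_key, reg_dev) and hmac.compare_digest(program_key, reg_prog)):
            return None
        self.issued_otp[user_id] = f"{secrets.randbelow(10**6):06d}"         # S513: six digits (assumed)
        return self.issued_otp[user_id]                                      # S515: delivered to the user's destination

    def verify_one_time_key(self, user_id, one_time_key: bytes) -> bool:
        otp = self.issued_otp.pop(user_id, None)                             # each issued password is usable once
        if otp is None:
            return False
        expected = h(otp.encode(), self.registered[user_id][2])              # S529: server-side regeneration
        return hmac.compare_digest(expected, one_time_key)

    def verify_keys(self, user_id, device_key, program_key, user_key) -> bool:
        """Variant without a one-time secret password: all three keys must match."""
        return all(hmac.compare_digest(a, b)
                   for a, b in zip((device_key, program_key, user_key), self.registered[user_id]))


class ServiceProgram:
    """Service program 114: stores the device and program keys, never the secret hash value."""

    def __init__(self, unique_code: str, master: MasterProgram, device_info: bytes):
        self.unique_code, self.master, self.device_info = unique_code, master, device_info
        self.user_id = self.device_key = self.program_key = None

    def setup(self, server: ServiceServer, user_id: str, nickname: str,
              personal_password: str, time_stamp: str) -> None:
        service_hash = self.master.select(nickname, self.unique_code)        # S409-S413
        self.user_id = user_id
        self.device_key = h(self.device_info)                                # S415
        self.program_key = h(self.device_key, time_stamp.encode(), service_hash)
        user_key = h(service_hash, personal_password.encode())
        server.register(user_id, self.device_key, self.program_key, user_key)   # S417-S419

    def _user_key(self, personal_password: str) -> bytes:
        service_hash = self.master.lookup(self.unique_code)                  # S517-S521
        return h(service_hash, personal_password.encode())                   # S523

    def login(self, server: ServiceServer, personal_password: str, read_otp) -> bool:
        """FIG. 5 flow; read_otp(otp) stands for the user reading the password at its destination."""
        if not hmac.compare_digest(h(self.device_info), self.device_key):    # S507: device check
            return False
        otp = server.pre_authenticate(self.user_id, self.device_key, self.program_key)  # S509
        if otp is None:
            return False
        one_time_key = h(read_otp(otp).encode(), self._user_key(personal_password))   # S525
        return server.verify_one_time_key(self.user_id, one_time_key)        # S527-S531

    def login_without_otp(self, server: ServiceServer, personal_password: str) -> bool:
        return server.verify_keys(self.user_id, self.device_key, self.program_key,
                                  self._user_key(personal_password))
```

Two properties of the description are visible in the code: the service program holds no secret hash value and asks the master program for it by unique code on every login, and the server never stores the one-time secret password beyond a single use, so a replayed one-time authentication key fails verification.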

While the specification contains many features, such features should not be construed as limiting the scope of the invention or the scope of the claims. In addition, features described in separate embodiments herein may be combined and implemented in a single embodiment. Conversely, various features described in a single embodiment herein may be implemented in various embodiments individually or in any suitable combination.

Although the operations are depicted in the figures in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all of the described operations be performed, to obtain a desired result. In certain circumstances, multitasking and parallel processing may be advantageous. It should also be understood that the separation of various system components in the above embodiments does not require such separation in all embodiments; the program components and systems described above can generally be integrated into a single software product or packaged into multiple software products.

The method of the present invention as described above can be implemented by a program and stored in a computer-readable recording medium (CD-ROM, RAM, ROM, floppy disk, hard disk, magneto optical disk, etc.). Such a process can be easily carried out by those skilled in the art and will not be described in detail.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. The present invention is not limited to the drawings.

100: user terminal
200: master server
400: service server

Claims (9)

1. An apparatus for communicating with a master server and a service server, the apparatus comprising:
one or more processors;
a memory; and
a master program and a service program stored in the memory and configured to be executed by the one or more processors,
wherein the master program:
generates and stores a plurality of different service secret hash values using different service secret divisors input from the user;
wherein the service program:
generates a service user authentication key using a service secret hash value selected from among the plurality of service secret hash values and a personal password, and transmits the service user authentication key to the service server as authentication information; and
wherein the master program:
maps a unique code received from the service program to the selected service secret hash value among the plurality of service secret hash values.

2. The apparatus according to claim 1, wherein the service program, when authenticating the user:
receives a personal password and a one-time secret code issued by the service server;
transmits the unique code to the master program to request a service secret hash value and receives, in response, the service secret hash value corresponding to the unique code from the master program; and
generates a service user authentication key using the received service secret hash value and the input personal password, transmits to the service server an authentication request including the service user authentication key and a one-time authentication key generated using the one-time secret code, and receives an authentication response according to a result of the comparison between the one-time authentication key generated by the service server and the one-time authentication key included in the authentication request.

3. The apparatus according to claim 2, wherein the master program:
generates a master device authentication key using unique information of the apparatus and encrypts each of the plurality of service secret hash values together with the master device authentication key; and
when receiving a service secret hash value request from the service program, decrypts the service secret hash value and the master device authentication key and verifies the decrypted master device authentication key.

4. The apparatus according to claim 2, wherein the service program:
generates and stores a service device authentication key using the unique information of the apparatus, generates and stores a service program authentication key using the service device authentication key, the selected service secret hash value and a time stamp, and transmits the service device authentication key and the service program authentication key to the service server as authentication information for registration; and
when authenticating the user, transmits a pre-authentication request including the stored service device authentication key and the stored service program authentication key to the service server,
wherein the one-time secret code is issued when the service device authentication key and the service program authentication key registered in the service server match the service device authentication key and the service program authentication key included in the pre-authentication request.

5. The apparatus according to claim 1, wherein the service program, when authenticating the user:
transmits the unique code to the master program and receives, in response, the service secret hash value corresponding to the unique code from the master program; and
generates a service user authentication key using the received service secret hash value and the personal password input by the user, transmits an authentication request including the service user authentication key to the service server, and receives an authentication response according to a result of the comparison between the service user authentication key registered in the service server and the service user authentication key included in the authentication request.

6. The apparatus according to any one of claims 1 to 5, wherein the master program stores a nickname for each of the plurality of service secret hash values, and the service program selects the service secret hash value based on the nicknames received from the master program.

7. The apparatus according to claim 1, wherein the master program:
generates a master secret hash value using a master secret divisor input from the user, generates a master user authentication key using the personal password and the master secret hash value, and transmits the master user authentication key to the master server as authentication information for registration; and
when creating or changing a service secret hash value, creates or changes the service secret hash value upon successful authentication using the master user authentication key.

8. The apparatus according to claim 7, wherein the master program, when creating or changing a service secret hash value, creates or changes the service secret hash value upon successful authentication using the master user authentication key and a one-time secret password issued by the master server.

9. The apparatus according to claim 7, wherein the master program:
generates and stores a master device authentication key using unique information of the apparatus, generates and stores a master program authentication key using the master device authentication key, the master secret hash value and a time stamp, and transmits the master device authentication key and the master program authentication key to the master server as authentication information for registration; and
when creating or changing a service secret hash value, performs pre-authentication using the master device authentication key and the master program authentication key, and performs final authentication using the master user authentication key.
KR1020150127141A 2014-09-11 2015-09-08 Apparatus for user authentication KR101746598B1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020150127141A KR101746598B1 (en) 2015-09-08 2015-09-08 Apparatus for user authentication
PCT/KR2015/009523 WO2016039568A1 (en) 2014-09-11 2015-09-10 Device and method for user authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150127141A KR101746598B1 (en) 2015-09-08 2015-09-08 Apparatus for user authentication

Publications (2)

Publication Number Publication Date
KR20170029944A true KR20170029944A (en) 2017-03-16
KR101746598B1 KR101746598B1 (en) 2017-06-13

Family

ID=58497842

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150127141A KR101746598B1 (en) 2014-09-11 2015-09-08 Apparatus for user authentication

Country Status (1)

Country Link
KR (1) KR101746598B1 (en)

Also Published As

Publication number Publication date
KR101746598B1 (en) 2017-06-13


Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant