KR101952641B1 - Location based multi-channel login authentication method in a cloud environments - Google Patents

Abstract

The present invention relates to a location-based multi-channel login authentication method in a cloud environment. According to the present invention, a location-based multi-channel login authentication method in a cloud environment comprises: a first step of encrypting the recombined identification information; a second step of storing the private key and the verification key, respectively; a third step of encrypting reconnected access authentication information; a fourth step of storing a connection authentication private key and a connection authentication verification key, respectively; a fifth step of generating a second message abbreviated value; a sixth step of obtaining an encrypted connection authentication digital signature value; a seventh step of extracting and storing an one-time authentication code and a restoration code, respectively; an eighth step of restoring a connection authentication digital signature value; and ninth step of verifying the integrity of the digital signature and the Windows logon. As described above, improving the security and minimizing the change of the existing system are possible.

Description

[0001] LOCATION BASED MULTI-CHANNEL LOGIN AUTHENTICATION METHOD IN A CLOUD ENVIRONMENTS IN A CLOUD [

The present invention relates to a location-based multi-channel login authentication method in a cloud environment, and more particularly, to a location-based multi-channel login authentication method in a cloud environment in which a user can log- Channel login authentication method.

In the PinTech market and cloud service, which are represented by credit card simple settlement using the Internet environment and smartphone, there are traditional authentication means such as ID, PWD, public certificate, standalone OTP (One Time Password), browser and web application server ), E2E (End to End) encryption between servers, cryptographic communication method between servers, security protocol for secure transmission between objects, and connection technology between various devices in object internet environment are developed in terms of security, convenience and scalability Is required.

First, in terms of security, information transmission between devices in the Internet environment of objects should be transmitted through various technologies such as wire, wireless and short-range wireless communication. In terms of convenience, various transmission techniques such as client-server, (Bluethoth, NFC, etc.) are evolving, but the technology is confusing to users due to equipment dependency and forced adoption of protocols by market-leading companies. In terms of scalability, it is not dependent on a specific protocol or data structure, and it is necessary to develop a product capable of applying security and authentication functions to various information.

One of the technologies that have changed the most in our daily lives is mobile technology centering on smartphones.

The reason why smart phones have had a tremendous impact on our lives in phones and text-only phones is that with the development of hardware and communication technologies such as CPU, people are increasingly engaged in producing, storing, sharing and consuming content It is the development of a cloud service that makes it easy to do.

Such a cloud service has advantages as an environment that can be accessed anytime and anywhere, but the authentication technology for accessing the resource is only an authentication using an ID and a password to access the local computer.

Recently, there has been a tendency of strengthening of authentication methods using official certificates and OTP, but these secured technologies have problems such as ease of use, inconvenience of roaming, and additional purchase of additional authentication media, And development of safe technology is needed.

In addition, certified products using Bluetooth have been released in the form of authentication to a local computer from abroad, but the development of related products is insufficient because the authentication means is not diversified in Korea.

The existing cloud authentication technology is mostly replaced by OTP, public certificate and biometric authentication to replace security weakness of ID and password.

The technology that provides the background of the present invention is disclosed in Korean Patent Laid-Open Publication No. 10-2014-0110614 (published on September 17, 2014).

The present invention provides a location-based multi-channel login authentication method in a cloud environment that enables remote login to a PC using a smartphone of a user based on transaction signing authentication.

According to an aspect of the present invention, there is provided a location-based multi-channel login authentication method using a location-based multi-channel login authentication system in a cloud environment, the method comprising: A first step of reassembling the identification information by using a preset recombination algorithm and encrypting the recombined identification information by a first symmetric key cryptography method; Dividing the encrypted identification information into a private key and a verification key, encrypting the private key with a second symmetric key cryptography method to store the encrypted private key in the first terminal, dividing the verification key into N pieces, A second step of storing the authentication information in the authentication server; Wherein the first terminal reflects the private key to the connection authentication information input from the user and reassembles the connection authentication information using the recombination algorithm and encrypts the reconfigured connection authentication information with the first symmetric key cryptosystem, step; Divides the encrypted connection authentication information into a connection authentication private key and a connection authentication verification key, encrypts the connection authentication private key with the second symmetric key cryptography method, stores the encrypted connection authentication private key in the first terminal A fourth step of dividing the connection authentication verification key into N and storing the division into N authentication servers; The first terminal extracts the encrypted connection authentication private key and decrypts it with a second symmetric key, unidirectionally encrypts the current position information of the first terminal received from the first terminal and the operating system information received from the authentication server A fifth step of generating a first message abbreviated value, concatenating the decrypted first authentication key with the decrypted connection authentication private key, and then generating a second message abbreviated value by unidirectional encryption; A sixth step of concatenating the second short message abbreviated value with the decrypted connection authentication private key and the first message abbreviated value, and then encrypting the short message collapse value with a third symmetric key cryptography method to obtain an encrypted access authentication digital signature value; The acquired connection authentication digital signature value is reassembled using the reassembly algorithm, the disposable authentication code and the restoration code are extracted using the reassembled connection authentication digital signature value, respectively, and the disposable authentication code is transmitted to the destination terminal or the second terminal And storing the restoration code in the authentication server; An eighth step of receiving the disposable authentication code from the target terminal or the second terminal, extracting a restoration code from the authentication server, and restoring the reassembled access authentication digital signature value; And restoring the restored connection authentication digital signature value to the encrypted connection authentication digital signature value by decrypting and parsing the decrypted connection authentication digital signature value using the third symmetric key, thereby decrypting the encrypted first message reduction value, the second message reduction value, And verifying the integrity of the electronic signature and the Windows logon by restoring each of the authentication private keys.

Wherein the second step divides the encrypted identification information into a private key and a verification key using a predetermined partitioning algorithm, and the fourth step is a step of dividing the encrypted connection authentication information by the predetermined division algorithm, Key and the connection authentication verification key, the verification key and the connection authentication verification key are divided into at least one block and distributed to the N authentication servers, respectively, and information stored in at least one or more authentication servers is extracted Wherein the first symmetric key cryptosystem is one of a SEED algorithm, an ARIA algorithm, and an AES algorithm, wherein the verification key and the access authentication verification key are combined and restored when the combined authentication verification key is combined, The second symmetric key cryptosystem is a method of encrypting using a single encryption algorithm, A simple authentication means including at least one of a pattern, a pattern, an NFC, and biometrics. The environment information including at least one of authentication value, device information, app information, and service information is used as an input value to induce a symmetric key And a method of encrypting using a symmetric key derived from the encryption key, or a method of encrypting using a key exchange algorithm.

The recombination algorithm calculates the block unit recombination length based on the entire input string length using the following equation, and sequentially multiplies the calculated number of characters of the block unit recombination length from the first character of the entire input string sequentially Performs block unit recombination, placing it at the back of the string,

It is possible to determine the character unit recombination method using the following equation and perform the character unit recombination according to the determined method.

Here, M is the block unit recombination length, L is the total input string length, S is the result summed after converting the characters to integers using ANSI code, L2 is the character unit recombination length, D is the character unit It is a decision variable of recombination method.

The recombination algorithm is a method of recombining the entire input strings in which the block unit recombination has been performed in the reverse order if the character unit recombination system is an even number recombination system, and if the block unit recombination length (M) (M) of the block unit recombination length (M), if the length of the grouped recombination length (M) is less than a half of the length (P) (M) is less than a half of the total input string length (P), and the length of the total input string length (L) is less than the block unit recombination length (M) (L2), wherein the re-combination is performed on the basis of a character string corresponding to twice the character-based recombination length (L2) Length (L2) as it may be grouped in order to turn back the recombinant sequence of the grouped character string.

Wherein the identification information input from the user further includes at least one of application server information, authentication server information, and authentication policy, including user information, user identification information, object identification information, and device information, The authentication information may include an access authentication credential, an authentication control policy.

The operating system information may include a hard disk serial number, a computer name, and an IP address of the second terminal.

In the seventh step, the reconfigured connection authentication digital signature value is divided into an authentication code, which is extraction information, and a restoration code, which is information remaining, using an N-division method, and the authentication code is converted into a disposable authentication code according to a predetermined conversion method Transmits the converted one-time authentication code to the target terminal or the second terminal, and stores the restoration code in the authentication server.

The eighth step includes receiving the disposable authentication code from the target terminal or the second terminal, restoring the disposable authentication code to the authentication code using the predetermined conversion method, extracting a restoration code from the authentication server, The authentication digital signature value can be restored by injecting the authentication code.

And a second symmetric key generation unit operable to generate a second symmetric key by combining the first signature shortening value generated by unidirectionally encrypting the operating system information transmitted to the target terminal with the first simplified message shortening value decrypted and parsed by the third symmetric key, Encrypts the second-1 message shortened value generated by one-way encryption after concatenating the restored first message reduction value and the restored connection authentication private key, and decrypts and parses the second-1 message shortened value with the third symmetric key, And verify the integrity of the access authentication private key by comparing the second message abbreviated value.

Storing the first message digest value, the second message digest value, the connection authentication private key, and the operating system information restored by decoding and parsing with the third symmetric key in the target terminal, comparing the target terminal with the operating system information And decrypts the decrypted encrypted identification information by merging the decrypted and decrypted private key with the verification key distributed to the N authentication servers and decrypts the decrypted encrypted identification information with the first symmetric key And further verifying the digital signature and the window login by comparing the identification information obtained by removing the random number and the identification information stored in the destination terminal after the reconstructed identification information is rearranged by the predetermined method, And a tenth step of further verifying the digital signature using the information constituting the identification information.

As described above, according to the present invention, it is possible to perform multiple authentication based on information owned by a service provider by providing a password by replacing and authenticating a password through information virtualization and restoring after authentication, thereby improving security , The existing password authentication source is used as it is, so that the change of the existing system can be minimized.

According to another aspect of the present invention, there is provided an authentication technology capable of automatically logging into an operating system without user input, thereby preventing a password from being exposed when accessing a local computer, not leaving authentication information in a public computer when accessing a remote computer, It is possible to delegate the access authority temporarily to a target who wants to access his / her computer, thereby improving security and providing user convenience.

Also, according to the present invention, the plug-in technology of the non-ActiveX (non-ActiveX) implementation technology of the transaction signing authentication product provides the convenience by automating the login of the website and the game and provides the security by virtualizing the authentication information can do.

Further, according to the present invention, it is possible to reduce the maintenance cost of the password management of the security officer by providing the developer and the administrator who wants to access the server to access the account of the server without exposing the original password of the account , Server account management is possible by controlling and managing access control by server, protocol, and command unit. Developers and administrators can use BYOD (Bring Your Own Deep) And can be extended to enhance security through user accountability that maps 1: 1 users accessing the real server.

1 is a block diagram illustrating a location-based multi-channel login authentication system in a cloud environment according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating an operation flow of a location-based multi-channel login authentication method in a cloud environment according to an embodiment of the present invention.
3 to 5 are views for explaining a reconfiguration process using a reconfiguration algorithm of a location-based multi-channel login authentication method in a cloud environment according to an embodiment of the present invention.
6 to 8 are views for explaining a verification key and a connection authentication verification key division process in a location-based multi-channel login authentication method in a cloud environment according to an embodiment of the present invention.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In this process, the thicknesses of the lines and the sizes of the components shown in the drawings may be exaggerated for clarity and convenience of explanation.

Further, the terms described below are defined in consideration of the functions of the present invention, which may vary depending on the intention or custom of the user, the operator. Therefore, definitions of these terms should be made based on the contents throughout this specification.

First, a location-based multi-channel login authentication system in a cloud environment according to an embodiment of the present invention will be described with reference to FIG.

1 is a block diagram illustrating a location-based multi-channel login authentication system in a cloud environment according to an embodiment of the present invention.

1, a location-based multi-channel login authentication system in a cloud environment according to an embodiment of the present invention includes a first terminal 100, an authentication server 200, and an aimed terminal 300, The terminal 100 may be a personal portable mobile communication terminal such as a smart phone, the destination terminal 300 may be a client server for signing an electronic transaction, and the second terminal 400 may be a PC, but the present invention is not limited thereto.

First, the first terminal 100 receives identification information including at least one of application server information, authentication server information, and authentication policy including user information, user identification information, object identification information, and device information from a user , And random numbers are combined to divide the encrypted identification information through the encryption process into a private key and a verification key, respectively.

The first terminal 100 encrypts the private key to store the encrypted private key, divides the verification key into N pieces, and divides the verification key into each of the authentication servers 200. [

The first terminal 100 receives connection authentication information including a connection authentication credential, an authentication control policy, and extension object information from a user, receives encrypted authentication information through an encryption process by reflecting the private key, Private key and connection authentication verification key, respectively.

Then, the first terminal 100 encrypts the connection authentication private key to store the encrypted connection authentication private key, divides the connection authentication verification key into N pieces, and transmits the division result to each of the authentication servers 200. [

Also, the first terminal 100 extracts the one-time authentication code and the restoration code using the encrypted connection authentication private key, the current location information of the first terminal 100, and the operating system information received from the authentication server 200 , Transmits the disposable authentication code to the destination terminal 300 or the second terminal 400, and transmits the restoration code to the authentication server 200.

The authentication server 200 stores the verification key, the connection authentication verification key, and the restoration code received from the first terminal 100, respectively.

The destination terminal 300 receives the disposable authentication code, extracts the restoration code from the authentication server 200, restores the reconfigured access authentication digital signature value, and restores the encrypted access authentication digital signature value to verify the integrity.

The destination terminal 300 further verifies the digital signature by comparing with the operating system information or verifies the digital signature by comparing the authentication information stored in the destination terminal 300 or by using the information constituting the identification information, You can also verify the signature further.

Hereinafter, a location-based multi-channel login authentication method in a cloud environment according to an embodiment of the present invention will be described with reference to FIG. 2 through FIG.

FIG. 2 is a flowchart illustrating an operation flow of a location-based multi-channel login authentication method in a cloud environment according to an embodiment of the present invention, and a specific operation of the present invention will be described with reference to FIG.

The embodiment of the present invention is characterized by including a step (A) of generating a private key and a verification key for an electronic signature, a connection authentication private key and an access authentication verification key generating step (B) for automatic login, an electronic signature value generating step (C) Signature verification and window login authentication step (D).

First, the private key and verification key generation step (A) for digital signature uses a preset recombination algorithm to reflect the random number generated from the first terminal 100 to the identification information inputted from the user by the first terminal 100 The identification information is reassembled and the recombined identification information is encrypted by the first symmetric key cryptosystem (S210).

At this time, the identification information input from the user may include at least one of the application server information, the authentication server information, and the authentication policy, including user information, user identification information, object identification information, and device information.

More specifically, user identification information such as a mobile phone number, a user ID, user identification information such as a social security number (SSN), object identification information such as a computer name, an IP address, a hard disk serial number, And receives authentication information including application server information such as a URL and an application server server code, authentication server information such as a URL and an authentication server server code, an authentication policy including an expiration date, May be input.

Also, the recombination algorithm is performed by block unit recombination and character unit recombination. First, the block unit recombination determines the block unit recombination size (M) based on the entire input string. Then, the entire input string is rearranged into blocks of block size reconfigurable size (M) and blocks of remaining size (L-M) in a range.

Next, the character unit recombination determines the character unit recombination size (L2) based on the values (M and P) for the block unit recombination size (M) calculation. Then, the character unit recombination method (even recombination, odd recombination) is determined based on the block unit recombination size (M).

At this time, in the case of the even-numbered character unit recombination, the character-unit rearrangement is performed in the reverse order of the whole unit of the block unit recombination.

In the case of the odd-mode character unit recombination, the character-unit rearrangement is performed in the range of the character string twice the size of the block unit recombination size among the whole character string of the block unit recombination.

However, if the reconstructed block size M is less than one-half of the total input string length L, the reconstruction is performed on the basis of a string corresponding to twice the block-based recombination length M, And sequentially rearranges by the recombination length M to rearrange the order of the grouped strings. If the block unit recombination length M is less than 1/2 of the entire input string length L, the length of the character unit recombination length L2, which is the length obtained by subtracting the block unit recombination length M from the total input string length L, Recombination is performed based on a string corresponding to twice the length, and the sequence of the grouped strings is rearranged and rearranged by sequentially grouping the first string by the length of the unit-based recombination length (L2).

3 to 5 are views for explaining a reconfiguration process using a reconfiguration algorithm of a location-based multi-channel login authentication method in a cloud environment according to an embodiment of the present invention.

FIG. 3 illustrates the case of even-numbered character unit recombination. Referring to FIG. 3, the case of even-numbered character unit recombination will be described in detail. First, block unit recombination is performed using the following equation The block unit recombination length M is calculated based on the string length L and the characters of the block unit recombination length M calculated from the first character of the entire input string are sequentially arranged at the rear of the entire input string .

Here, M is the block unit recombination length, L is the total input string length, S is the result summed after converting the characters to integers using ANSI code, L2 is the character unit recombination length, D is the character unit It is a decision variable of recombination method.

For example, as shown in FIG. 3, when the entire input string is A to P and the total input string length (L) is 16, each character is converted into an integer using the ANSI code, 776.

Therefore, since the block unit recombination length M is (776% (16/2)) + (8/2) = 4, four blocks corresponding to the block unit recombination length M are sequentially Place it at the end of the entire input string.

Then, the character unit recombination method is determined using the following expression (2), and the character unit recombination is performed according to the determined method.

Here, M is the block unit recombination length, L is the total input string length, S is the result summed after converting the characters to integers using ANSI code, L2 is the character unit recombination length, D is the character unit It is a decision variable of recombination method.

Therefore, the character-based recombination decision variable (D) is 4% 2 = 0, so character-unit rearrangement is performed in the reverse order of the whole character string of the block unit recombination according to the even-number recombination method.

FIG. 4 illustrates the case of odd-mode character unit recombination (where M <P). Referring to FIG. 4, the odd-number character unit recombination will be described in more detail. First, Type character unit recombination.

For example, as shown in FIG. 4, when the entire input string is A to O, Q and the total input string length (L) is 16, each character is converted to an integer using the ANSI code, ) Becomes 777.

Therefore, since the block unit recombination length M is (777% (16/2)) + (8/2) = 5, the five blocks corresponding to the block unit recombination length M are sequentially Place it at the end of the entire input string.

Then, the character unit recombination method is determined using the above equation (2), and the character unit recombination is performed according to the determined method. The character unit recombination method determination variable D is 5% 2 = 1, Perform character-based rearrangement. At this time, since the block unit recombination length M is smaller than 1/2 of the total input string length L, the recombination is performed on the basis of 10 strings which are twice the block unit recombination length M, G, H, I, J) and the second group (K, L, M, N, O) by grouping them into two groups sequentially by the block unit recombination length (M) Recombination is performed.

5, the case of odd-mode character unit recombination (where M > P) is exemplified. Referring to FIG. 5, the case of odd-mode character unit recombination will be described in more detail. First, This is performed in the same manner as in the case of even-numbered character unit recombination.

For example, as shown in FIG. 5, when the entire input string is A to O, U and the total input string length (L) is 16, each character is converted to an integer using an ANSI code, ) Becomes 781.

Therefore, since the block unit recombination length M is (781% (16/2)) + (8/2) = 9, 9 blocks corresponding to the block unit recombination length M are sequentially Place it at the end of the entire input string.

Next, the character unit recombination method is determined using the above equation (2), and the character unit recombination is performed according to the determined method. Since the character unit recombination method determination variable D is 9% 2 = 1, Perform character-based rearrangement. At this time, since the block unit recombination length M is larger than 1/2 of the entire input string length L, the character unit recombination length L 2, which is the length obtained by subtracting the block unit recombination length M from the entire input string length L, (J, K, L, M, N, and N) are grouped into two groups sequentially from the first character string to the character unit recombination length (L2) O, U) and the second group (A, B, C, D, E, F, and G).

The first symmetric key cryptosystem may be applied by a method of encrypting using the encryption algorithm of the SEED algorithm, the ARIA algorithm, and the AES algorithm.

In step S210, the encrypted identification information is divided into the private key and the verification key, the private key is encrypted by the second symmetric key cryptography method to store the encrypted private key, the N authentication servers 200 , Each of the authentication servers 200 stores a corresponding verification key (S220).

At this time, the verification key is divided into at least one block and distributedly stored in the N authentication servers 200. When the information stored in the at least one authentication server 200 is extracted and combined, And stored.

Also, the second symmetric key cryptosystem includes at least any one or more of simple authentication means authentication value, device information, app information and service information of at least one of PIN (PIN) number, pattern, NFC and biometrics A symmetric key is derived from the environment information as the input value, and the encryption is performed using the derived symmetric key, or a method of encrypting using the key exchange algorithm may be applied.

In addition, the first terminal 100 divides the encrypted identification information into a private key and a verification key using a predetermined partitioning algorithm. At this time, .

6 to 8 are views for explaining a verification key division process of a location-based multi-channel login authentication method in a cloud environment according to an embodiment of the present invention.

6 is a table showing block overlay counts O according to the minimum number of merge counts K versus the number of authentication servers 200. As shown in FIG.

A method of dividing the verification key and storing it in each authentication server 200 will be described with reference to FIG. First, the verification key is divided into division numbers (D). At this time, the number of divisions D is equal to the number N of the authentication servers 200 or a multiple of 2 of the number N of the authentication servers 200. Next, the character value to be allocated to each division verification code block is determined based on the verification key and the division key, and the length of the division verification code block is determined based on the division length. Then, the number of overlaps (O = N-K) is calculated from the minimum merge number K and the number of authentication servers 200, that is, the number of distributions. In this case, the number of overlaps (O) is the number of the near division verification code blocks excluding the verification code block itself divided by the division number (D).

For example, as shown in FIG. 6, when the minimum number of merging K is 1, the entire division verification code block is allocated to the authentication server 200. When the number of overlaps O is 0, one division verification code block is allocated to one distribution server (N number of distributions (N) = minimum number of merging (K)). In this case, the number of overlaps (0) is zero. The verification code blocks divided into the number of divisions D are sequentially allocated to the N authentication servers 200. [ The division verification code block allocated to the authentication server 200 is added to the division verification code block and allocated to the authentication server 200. [

FIG. 7 shows a case where there are five authentication servers 200, and FIG. 8 shows a case where three authentication servers 200 are used.

Referring to FIGS. 7 and 8, the K of N partitions will be described in more detail. N in FIGS. 7 and 8 denotes the number of the authentication servers 200, and K denotes the number of N authentication servers 200 O denotes the number of verification code blocks to be overlapped when the divided verification code blocks are distributed to N authentication servers 200 and allocated. Therefore, the verification key combination and the number of blocks stored in the respective authentication servers 200 are different according to K and N. [

In the case where there are five authentication servers 200, the blocks are distributedly stored in the respective authentication servers 200 as shown in FIG. 7 according to the respective minimum merging counts K, and at least one block stored in each authentication server 200 When the information stored in the authentication server 200 is extracted and combined, it is preferable that the blocks are overlapped and stored so that the verification key is restored. Similarly, when there are three authentication servers 200, the blocks are distributedly stored in the respective authentication servers 200 as shown in FIG. 8 according to the minimum number of merging Ks.

Next, the connection authentication private key and the connection authentication verification key generation step (B) for automatic login are performed by reflecting the private key stored in step S220 in the connection authentication information input from the user by the first terminal 100, The reconfigured and reassembled connection authentication information is encrypted using the first symmetric key cryptosystem using the one recombination algorithm (S230).

At this time, the connection authentication information input from the user includes an authentication control policy including an ID, a connection authentication credential including a password, delegation permission, automatic logout, GPS information, location-based information such as NFC information, And may include extension target information including a password.

Then, in step S230, the encrypted connection authentication information is divided into the connection authentication private key and the connection authentication verification key, and the connection authentication private key is encrypted by the second symmetric key cryptography method to transmit the encrypted connection authentication private key to the first terminal 100, and divides the connection authentication verification key into N pieces as in the above-described method and stores them in the N authentication servers 200 (S240).

The digital signature value generation step (C) first extracts the encrypted authentication private key from the first terminal 100, decrypts the decrypted private key with the second symmetric key, and transmits the digital signature value to the first terminal 100 received from the first terminal 100, Directional encryption of the current location information of the authentication server 200 and the operating system information received from the authentication server 200 to create a first message reduction value, concatenate the decryption result with the decrypted connection authentication private key, and unidirectionally encrypt the second message reduction key to generate a second message reduction value ).

At this time, the operating system information may include the hard disk serial number, the computer name, and the IP address of the second terminal 400.

The first terminal 100 concatenates the second message digest value with the decrypted connection authentication private key and the first message digest value, and then encrypts the second message digest value with the third symmetric key cryptography method to obtain the encrypted connection authentication digital signature value ( S260).

The access authentication digital signature value acquired after acquiring the access authentication digital signature value is reassembled using the above-described recombination algorithm, the disposable authentication code and the restoration code are extracted using the reassembled access authentication digital signature value, respectively, To the destination terminal 300 or to the second terminal 400 using short-range communication, and stores the restored code in the authentication server 200 (S270).

More specifically, the reconnected access authentication digital signature value is divided into an authentication code, which is extraction information, and a restoration code, which is information remaining, using an N-division method. At this time, the authentication code is converted into a disposable token- Transmits the converted disposable authentication code to the destination terminal 300 or inputs the converted disposable authentication code to the second terminal 400, and stores the restored code in the authentication server 200.

At this time, the predetermined conversion method is to convert according to the authentication code policy (letter, number, special character), and generates a random number, converts it into a matched value, converts it into a one-time authentication code, generates a conversion method definition, It can be used for restoring the authentication code.

Finally, the digital signature verification and the window login authentication step (D) can be verified through integrity verification, non-repudiation, user authentication and validation of digital signature and window logon. 2 terminal 400 from the means selected by the user, extracts the restoration code from the authentication server 200, extracts the reconstructed access authentication digital signature value &lt; RTI ID = 0.0 &gt; (S280).

More specifically, the received one-time authentication code is restored to the authentication code using the conversion method definition, the restoration code is extracted from the authentication server 200, the restored authentication code is injected into the restoration code, and the re- Restore.

The access authentication digital signature value restored in step S280 is rearranged to be restored to the encrypted access authentication digital signature value, and decrypted and parsed by the third symmetric key to generate the encrypted first message digest value, the second message digest value, Respectively.

At this time, the reverse recombination is performed in the reverse order of the recombination algorithm.

Then, it decrypts and parses the operating system information transmitted to the destination terminal 300 by one-way encryption and the generated first-message shortening value and the third symmetric key, compares the restored first message shortening value, Encrypts the second-message shortened value generated by one-way encryption after concatenating the restored first message abbreviated value and the restored connection authentication private key, and decrypts and parses the second- The message collapse value is compared to verify the integrity of the connection authentication private key (S290).

That is, the integrity verification is to verify whether the original text has been changed in the process of encrypting, decrypting and transmitting the connection authentication private key and the connection authentication verification key.

Therefore, if the first message shortened value and the first message shortened value are the same, it is verified that the transmitted original digital signature is not changed in the transmission process, and if the second message shortened value and the second- If it is the same, it verifies that the private key and the verification key have not been changed in the process of being transmitted.

In addition, the first message digest value decrypted and parsed with the third symmetric key, the second simplified message digest value, and the connection authentication private key are restored to the destination terminal 300, and the destination terminal 300 compares with the operating system information To further verify non-repudiation.

Also, the decrypted and decrypted private key is decrypted with the first symmetric key by merging the decrypted and parsed private key with the third symmetric key, and the access authentication verification key distributed and stored in the N authentication servers 200, The restored and reconstructed identification information is rearranged in a predetermined manner, and then the identification information obtained by removing the random number is compared with the operating system information included in the identification information transmitted to the destination terminal 300 to further verify the digital signature through user authentication It is possible.

Further, the electronic signature may be further verified using the information constituting the identification information (S300).

As described above, according to the location-based multi-channel login authentication method in the cloud environment according to the embodiment of the present invention, a password is replaced and authenticated through information virtualization, and a password is provided through restoration after authentication. It is possible to perform multiple authentication based on information, thereby improving the security and using the existing password authentication source as it is, the change of the existing system can be minimized.

In addition, according to the embodiment of the present invention, by providing an authentication technology that can automatically log into the operating system without user input, it is possible to block the exposure of the password when accessing the local computer, It is possible to delegate access authority to a person who wants to access his / her computer temporarily, thereby improving security and providing user convenience.

Further, according to the embodiment of the present invention, it is possible to provide convenience by automating login of a website and a game through a plug-in technology, which is an ActiveX non-ActiveX (non-ActiveX) implementation technology of a transaction signature authentication product, You can provide sex.

Further, according to the embodiment of the present invention, it is possible to provide a function of allowing developers and administrators who want to access the server to access the account of the server without exposing the original password of the account, It is possible to manage server account by controlling and managing access control by server, protocol and command unit. Developers and administrators can use BYOD (Bring Your Own Deed) It can be cost-effective and can be extended to improve security through user accountability that maps 1: 1 user access to real servers.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the scope of the invention as defined by the appended claims. will be. Therefore, the true scope of the present invention should be determined by the technical idea of the following claims.

100: first terminal 200: authentication server
300: Destination terminal 400: Second terminal

Claims (10)

In a location-based multi-channel login authentication method using a location-based multi-channel login authentication system in a cloud environment,
The first terminal reflects the random number generated from the first terminal in the identification information input from the user, reassembles the identification information using a preset recombination algorithm, and encrypts the recombined identification information in the first symmetric key cryptosystem Stage 1;
Dividing the encrypted identification information into a private key and a verification key, encrypting the private key with a second symmetric key cryptography method to store the encrypted private key in the first terminal, dividing the verification key into N pieces, A second step of storing the authentication information in the authentication server;
Wherein the first terminal reflects the private key to the connection authentication information input from the user and reassembles the connection authentication information using the recombination algorithm and encrypts the reconfigured connection authentication information with the first symmetric key cryptosystem, step;
Divides the encrypted connection authentication information into a connection authentication private key and a connection authentication verification key, encrypts the connection authentication private key with the second symmetric key cryptography method, stores the encrypted connection authentication private key in the first terminal A fourth step of dividing the connection authentication verification key into N and storing the division into N authentication servers;
The first terminal extracts the encrypted connection authentication private key and decrypts it with a second symmetric key, unidirectionally encrypts the current position information of the first terminal received from the first terminal and the operating system information received from the authentication server A fifth step of generating a first message abbreviated value, concatenating the decrypted first authentication key with the decrypted connection authentication private key, and then generating a second message abbreviated value by unidirectional encryption;
A sixth step of concatenating the second short message abbreviated value with the decrypted connection authentication private key and the first message abbreviated value, and then encrypting the short message collapse value with a third symmetric key cryptography method to obtain an encrypted access authentication digital signature value;
The acquired connection authentication digital signature value is reassembled using the reassembly algorithm, the disposable authentication code and the restoration code are extracted using the reassembled connection authentication digital signature value, respectively, and the disposable authentication code is transmitted to the destination terminal or the second terminal And storing the restoration code in the authentication server;
An eighth step of receiving the disposable authentication code from the target terminal or the second terminal, extracting a restoration code from the authentication server, and restoring the reassembled access authentication digital signature value; And
Decrypts the decrypted connection authentication digital signature value with the third symmetric key by decrypting the decrypted connection authentication digital signature value, decrypts and parses the decrypted connection authentication digital signature value using the third symmetric key, decrypts the decrypted first message decryption value, And verifying the integrity of the electronic signature and the Windows logon by restoring each private key. The method according to claim 1,
The second step comprises:
Dividing the encrypted identification information into a private key and a verification key using a predetermined partitioning algorithm,
In the fourth step,
Dividing the encrypted connection authentication information into the connection authentication private key and the connection authentication verification key using a predetermined partitioning algorithm,
Wherein the verification key and the connection authentication verification key are divided into at least one block and distributedly stored in each of the N authentication servers. When the information stored in the at least one authentication server is extracted and combined, the verification key and the access authentication verification The blocks are superimposed and stored so that the key is restored,
Wherein the first symmetric key cryptosystem comprises:
(ARED) algorithm, and an AES (Algorithm) algorithm,
The second symmetric key cryptosystem comprises:
An environment information including at least one of a simple authentication means authentication value, device information, app information, and service information including at least one of a PIN number, a pattern, an NFC, and biometrics as an input value A method of encrypting a symmetric key using a derived symmetric key, or a method of encrypting using a key exchange algorithm. The method according to claim 1,
The recombination algorithm includes:
The block unit recombination length is calculated on the basis of the entire input string length using the following equation and the characters of the calculated block unit recombination length from the first character of the entire input string are sequentially placed at the back of the entire input string Performing block unit recombination to be placed,

A multi-channel login authentication method for determining a character unit recombination method using the following equation and performing character unit recombination according to a determined method:

Here, M is the block unit recombination length, L is the total input string length, S is the result summed after converting the characters to integers using ANSI code, L2 is the character unit recombination length, D is the character unit It is a decision variable of recombination method. The method of claim 3,
The recombination algorithm includes:
When the character unit recombination method is an even number recombination method, the entire input strings in which the block unit recombination is performed are rearranged in the reverse order,
In the case of the odd-numbered recombination method, if the block unit recombination length M is less than half (P) of the total input string length, the recombination is performed based on a string corresponding to twice the block unit recombination length M, Sequentially rearranging the first string by the block unit recombination length (M), rearranging and rearranging the order of the grouped strings,
Wherein when the block unit recombination length M is equal to or greater than a half P of the entire input string length, the length of the character unit recombination length L2, which is a length obtained by subtracting the block unit recombination length M from the entire input string length L, And reassembling the remainder of the remainder of the remainder of the remainder of the remainder of the remainder of the remainder of the remainder. The method according to claim 1,
The identification information input from the user is,
And further includes at least one of application server information, authentication server information, and an authentication policy, wherein the application server information includes user information, user identification information, object identification information, and device information,
The access authentication information input from the user is,
A multi-channel login authentication method including an access authentication credential and an authentication control policy. The method according to claim 1,
Wherein the operating system information includes a hard disk serial number, a computer name, and an IP address of the second terminal. The method according to claim 6,
In the seventh step,
Dividing the reconfigured connection authentication digital signature value into an authentication code which is extraction information and a restoration code which is information remaining by using an N-division method, the authentication code is converted into a one-time authentication code according to a predetermined conversion method, Transmitting a code to the target terminal or the second terminal, and storing the restoration code in an authentication server. 8. The method of claim 7,
In the eighth step,
Receiving the disposable authentication code from the target terminal or the second terminal, restoring the disposable authentication code to the authentication code using the predetermined conversion method, extracting the restoration code from the authentication server, and injecting the restored authentication code into the restoration code And restores the reconnected authentication digital signature value. The method according to claim 1,
In the ninth step,
And a second symmetric key generation unit operable to generate a second symmetric key by combining the first signature shortening value generated by unidirectionally encrypting the operating system information transmitted to the target terminal with the first simplified message shortening value decrypted and parsed by the third symmetric key, To verify the integrity,
A second message reduction value generated by unidirectionally encrypting the restored first message reduction value and the restored connection authentication private key, and a second message reduction value generated by decoding and parsing the second message reduction value using the third symmetric key, To verify the integrity of the connection authentication private key. The method according to claim 1,
Storing the first message digest value, the second message digest value, the connection authentication private key, and the operating system information restored by decoding and parsing with the third symmetric key in the target terminal, comparing the target terminal with the operating system information To further validate the electronic signature and the Windows login,
Decrypting the decrypted and decrypted private key with the third symmetric key and decrypting the decrypted decrypted identification information by merging the decrypted private key and the verification key distributed to the N authentication servers with the first symmetric key to recover the decrypted identification information, The digital signature and the window login are further verified by comparing the identification information from which the random number is removed after the identification information has been rearranged in a predetermined manner and the identification information stored in the destination terminal,
Further comprising a tenth step of verifying the electronic signature using the information constituting the identification information.

Images