KR100877593B1 - Authentication security method using randomly mapped variable password - Google Patents

Abstract

The present invention relates to a security solution for solving problems caused by hacking or leaking of account numbers or transfer passwords in various authentication procedures performed on mobile and other various media, including authentication procedures performed on the web, in particular, Internet banking and mobile banking. will be.

To this end, the present invention is to create an asymmetric random variable in the server regardless of the procedure of granting a separate security card or certificate, and to strengthen the security according to the authentication by giving a variable password to the client, Only the client's password is stored at connection time, but no fixed password is assigned.When a session is connected, the value generated by the 1: N asymmetric algorithm is transmitted to the client through one-way communication using a hash function, and the security string is sent to the server. By extracting the input value from the security string in the server and processing it, it protects the information manipulation through retransmission attack or script insertion, and enables the secure communication by preventing the leakage of customer information or password due to server hacking.

Random keywords, variable passwords, key mapping, keyboard security, mobile banking, asymmetric character values

Description

The security method for authentication which using of random password}

1 is a schematic diagram showing the configuration of a password input field for a conventional authentication procedure.

2 is a schematic diagram of an image of a conventional authentication method using a security card.

Figure 3 is a block diagram showing the overall structure of a security system according to the present invention.

Figure 4a is a schematic diagram showing an embodiment of a password input field implemented in the present invention.

4B is a schematic diagram showing a state in which the password input field of FIG. 4A is changed randomly.

5 is a schematic view showing an embodiment of the configuration of a screen of an overall web page.

6A is a schematic diagram illustrating a keypad of a mobile used as a password input field in an embodiment of the present invention.

FIG. 6B is a schematic diagram illustrating an embodiment in which the specification of FIG. 6A is implemented in mobile authentication; FIG.

Figure 7 is a schematic diagram showing an embodiment of the configuration of a web page screen applied to the Internet banking according to another embodiment of the present invention.

8 is a conceptual diagram illustrating an example of a method in which the actual transmission data is transmitted in a random (asymmetric) manner when pressing the account number or password implemented in accordance with the present invention.

9 is a diagram illustrating a security authentication procedure using a security card input unit that is conventionally used by other organizations.

The present invention relates to password security, and the conventional keyboard security solution that inputs the same password every time when Internet banking or online withdrawal and withdrawal causes a problem that client authentication information is exposed by real-time hacking, and therefore, the server side (Internet banking). In case of banks, there is a problem in that it consumes a lot of manpower and high cost to maintain the network security system due to problems such as compensation for damages.

In addition, it is not inconvenient for the customer to use the customer password (or authentication unique number) from the authentication center or the server every time, or to apply for a new one, which delays the work schedule and generates unnecessary access time to the server, resulting in overall processor performance. It only causes a drop and inconvenience to the user, which is excluded. In addition, keyboard security products downloaded in the ActiveX form are causing difficulties in the overall processor performance such as installation failures occurring during installation and collisions between security products, and user inconvenience, which is very difficult.

Referring to the general password authentication procedure, as shown in FIG. 1, the user (client) accesses the corresponding website, inputs the password set or granted by the user in the password input field by the authentication procedure, and such information is encrypted to the server side. It is a process that the authentication information is transmitted to the client through the comparison procedure with the information stored in the server and decrypted again.

In some cases, such as Internet banking, as shown in FIG. 2, the security card with a date code (number) is input to the client in advance, and the authentication procedure specific to the client is performed according to a specific algorithm in the authentication procedure. You are asked to enter the code number of the date, and the authentication process is configured by checking it once more on the server.

However, if the password is hacked on the network, the former authentication procedure is difficult to ensure that the authorized client is no longer secured since the initiation of the authentication procedure regarding security is difficult, and the latter authentication procedure is the number of the security card every time. There is a problem in that it is necessary to be aware of this or possess the card itself, and if the security card is leaked or lost, the security is unclear as in the above, and there is a problem of temporary interruption of service use and inconvenience due to reissuance.

The present invention has been made in order to solve the above problems, when connecting to the website to establish a session relationship, the number that is recognized by the client without inputting the password number fixedly fixed during Internet banking or transfer transaction (password By inputting a character value mapped to) and transmitting it, a fixed password is prevented from being illegally reused due to hacking such as unauthorized filtering or protocol analysis of a transmitted packet.

In other words, the character values represented on the website are rearranged randomly according to each session, and the code transmitted (including special characters) changes every time, so that only the code that is statically mapped to the password possessed by the client is negated. It is one of the objectives to make it impossible to use at the source.

In addition, another object of the present invention is to strengthen the security according to the authentication by assigning a variable password to the client regardless of the procedure of granting a separate security card or certificate, the server has a password and mapping when connecting the session Generates random variables, sends them as client encryption and hash value, and inputs characters mapped to password every time in client, and the value is encrypted as hash value and authenticated by server again. An object of the present invention is to provide an authentication security method using a variable password that is randomly mapped to securely communicate with a hack.

According to the present invention, an authentication security solution based on a randomly mapped variable password according to the present invention for achieving the above object is provided with a variable password to a client regardless of whether a separate security card or certificate is provided. By strengthening the security, the server only stores the client's password in the session, and does not assign a fixed password, thereby reducing the cost of maintaining the security system due to the leakage of customer information or the storage of the password due to server hacking. In addition, the server generates a random variable that maps to the password when the session is connected, sends it as a client encryption and hash value, and enters a character that maps to the password each time on the client, and the value is encrypted as a hash value. Intermediate because of authentication It is an authentication security method using a random password that is randomly mapped to communicate with an attack, script manipulation, retransmission, and any hacking.

(Example)

Hereinafter, described in more detail by the accompanying drawings as follows.

1 is a schematic diagram showing the configuration of a password input field for a conventional authentication procedure, and FIG. 2 is a schematic diagram of an image of a conventional authentication method using a security card. As shown in the figure, a password input field used for a conventional internet banking, etc. The configuration consists of a text field for the entry and an event button for confirmation and transmission.This configuration eventually inputs and confirms the unique authentication code (or password) applied or granted by the client in the password input field. The corresponding information is transmitted to the authentication server by the operation of clicking the (or the transmission) button, and the authentication server determines whether or not there is authentication through a process of verifying this.

As such, the client's unique authentication code (password) is exposed on the network without any filtering, and if the packet containing the unique authentication code information is copied or robbed due to illegal access such as hacking, it is exposed to the risk of illegal reuse. (The procedure by the certificate is omitted since it is a prior art step).

3 is a block diagram showing the overall structure of a security system according to the present invention. As shown in the figure, a random value of a server is called by a client when a web page (URL) having a password input field is called by the client. A key is generated by a random key generator that generates a key, and the key is linked with a mapped character value according to an array of numbers from 0 to 9, and the array of numbers is a corresponding character. It is an array of numbers according to the code. In the present invention, the character value to be mapped is generated as a random (asymmetric) character value. By doing so, it is possible to prevent hacking by giving a random (asymmetric) character value from various infiltration hacking attacks. For example, when a session is connected, a character value is generated using a 1: N asymmetric algorithm, which makes the character value randomly (asymmetrically) concatenated to the number 1 equal to 1 = 0ae53c, ... A technique for preventing the leakage of information about intrusions. This will be described in more detail with reference to the drawings illustrated in FIGS. 7 to 8 to be described later.

Of course, it may be considered that the key is added with information about the current session with the client.

When random array information is transmitted from the server to the client through the numeric array, the character relocation is performed on the calling web page of the client, which forms a character linking to a fixed number item on the web page. 4A is a schematic diagram showing an embodiment of a password input field implemented according to the present invention, and a character value arranged as the page is updated is variable, and FIG. 4B is a schematic diagram showing a state in which a password input field is changed randomly. It is shown.

In addition, Figure 6a and 6b shows a case in which such a text value is input through the keypad of the mobile phone, and then the transmission and authentication procedures are the same. FIG. 6A is a schematic diagram showing a keypad of a mobile used as a password input field in an embodiment of the present invention, and FIG. 6B is a schematic diagram showing an embodiment in which the specification of FIG. 6A is implemented in mobile authentication.

If this is displayed step by step:

When a web page (URL) with a password input field is called by the client

Generating a character value respectively mapped to a number (0-9) value randomly at the server;

Generating a key having mapping information on the generated character value and the numeric value;

Providing the client with a character value that is randomly mapped according to the numeric value by the server;

Inputting, by the client, a character value corresponding to its authentication number (number) to the server;

And comparing the transmitted character value with a key and transmitting whether to authenticate.

Here, it is preferable that a key generated for each web page update by a random key generator includes information on a character value corresponding to a number and corresponding session information.

The key analyzer preferably has a function of comparing and analyzing a mapping code value of a character with respect to a number recorded in a key generated by an initial random key generator.

In addition, the authentication security method using the variable password is preferably applied to not only a web page, but also a mobile authentication medium.

That is, every time the password input window is loaded, the character values of the key on the lock are rearranged randomly. The character values are randomly rearranged every time the password is input. When the character value input by the client is encrypted and transmitted to the server, the server decrypts and compares the mapping information value to a key generated by the random key generator to transmit the authentication information to the client. Here, it is preferable that the input character value is changed so as to have a random (asymmetric) value in the numeric code of the keypad.

Figure 5 is a schematic diagram showing an embodiment of the configuration of the screen of the overall web page, which shows the configuration of the web page applied to the Internet banking according to the present invention to be loaded instead of entering the same password every time when Internet banking Whenever you enter a character value randomly transmitted from the server corresponding to the password, you get only a meaningless character value when you hack it, so you can build the original security system.

7 is a schematic diagram showing an embodiment of the configuration of a web page screen applied to the Internet banking according to another embodiment of the present invention, the user is random (asymmetric) using a deposit account number inputter provided on the web page You can enter the character value to perform the authentication procedure.

8 is a conceptual diagram illustrating an example of a method in which actual transmission data is transmitted in a random (asymmetric) manner when an account number or a password implemented according to the present invention is pressed.

As shown in Fig. 8, when the number of the account number selected by the user corresponds to " 1 ", the selected password is entered as " Q ", and the actual transmitted data is " AzDf37 " Exemplifies the case of "7eccb50889f5". As described above, it is a feature of the present invention that a password and actual transmission data selected and transmitted each time are converted into a random (asymmetric) manner and transmitted according to the selected account number.

By doing so, even when the user's account number or password is exposed by hacking or the like, the actual transmitted data and the session processing key are converted into a random (asymmetric) method and thus can be a strong hacking suppression measure.

9 is a diagram illustrating a security authentication procedure using a security card input device that is conventionally used by other organizations. Referring to FIG. 9, the authentication method used in the related art can be analyzed more clearly as follows.

As shown in the figure, a security card number input device in the form of a keypad is used for the purpose of reinforcing the security of the security card currently being used, and the E2E application module is operated by Active-X.

However, when reviewing the contents of the web page, JavaScript-related encryption is not applied at all. In addition, the numeric array of the keypad was able to check the movement at random.

At this time, when the image is clicked, the number is exposed to the source. For example, (<TD> <A f_keyin (8)

         href = "javascript: void (0);"> <IMG src = "securitycard.files / numberinput_num8.gif"> </A> </ TD>)

It was confirmed that appears.

   Therefore, this conventional method has a big problem that encryption or security at the client is completely unprotected.

On the other hand, the present invention solves the above problems and has the following advantages. The comparison is shown in the table below.

The present invention Prior art Active-X not used Active-X enabled Server-centric E2E application Keyboard security E2E applied (soft camp) Encrypt one more level to enter text Enter only numbers Client source not published Unprotected client source (JavaScript, HTML code, etc.) Dynamically implemented by setting all function names to hash values (non-inferred) Function name is fixed (it can be easily inferred) No dysfunction Security function does not work in case of malfunction (eg ActiveX not installed) Prevents personal information leakage by key hooking when entering a string Possible personal information leakage during key hooking Applicable to other platforms (mobile banking, etc.) Not possible on other platforms

The authentication security method using a randomly mapped variable password according to the present invention is applicable to not only an account password but also a transfer password, a mobile banking password authentication, and can be applied to any medium used in other authentication methods.

Here, the server-side key value authentication procedure for the mapped input character value of the transmitted client is performed by a separate key analyzer. The key algorithm configuration algorithm is a number generated by an initial random key generator. Comparing and analyzing the mapping code of the character to.

The authentication security method using a randomly mapped variable password of the present invention may be applied to the E2E (End to End) encryption technique, and the customer password and input by changing the character value every time through the random key generation and analysis in the server and Increased security effect is a useful invention that can secure low level keyboard security vulnerabilities and fundamentally solve the loss caused by hacking password.

In addition, it is a useful invention that can solve various problems and problems that occur when installing a keyboard security product provided in the ActiveX form, and more thoroughly eliminate the loss caused by hacking password.

As described above, the present invention has been described in detail only with respect to the specific examples described, but it is natural that the implementation image of the webpage within the technical scope of the present invention can be modified and rearranged and modified, and the appended claims Being belonging to will be apparent to those skilled in the art in the same realm of substantial constitution and function.

Claims (4)

In authentication and security solutions requiring mobile banking, Internet banking or membership authentication; When a web page (URL) with a password input field is called by the client Generating a character value each mapped to a random number (0-9) in the server; (random key generator) Generating a key having mapping information on the generated character value and the numeric value; Providing the client with a character value that is randomly mapped according to the numeric value by the server; Inputting, by the client, a random (asymmetric) character value corresponding to its authentication number (number) to the server; Comparing the transmitted random (asymmetric) character value by the key (Key) and transmitting whether the authentication; (Key analyzer) Authentication security method using a randomly mapped variable password, characterized in that consisting of. The method of claim 1; A randomly generated variable password characterized in that a key generated for each web page update by a random key generator includes information on a character value corresponding to a number and corresponding session information. Authentication security method by. The method of claim 1; The key analyzer is a randomly mapped variable password authentication method characterized by comparing and analyzing the mapping code value of the character to the number recorded in the key generated by the initial random key generator. . The method according to any one of claims 1 to 3, The authentication security method using the variable password is applied to not only a web page, but also a mobile authentication medium. The authentication security method using a randomly mapped variable password.

Images