KR101914416B1 - System for providing security service based on cloud computing - Google Patents

Abstract

The present invention relates to a cloud service-based security service providing system that enables a cloud service to be used safely and conveniently based on an improved security function. The system includes a plurality of terminals using a cloud service, A cloud service device for providing a service, the cloud service device comprising: a cloud service module for providing a cloud service; An access security module that restricts services according to access management security information for controlling access according to personal attribute information for evaluating user's trustworthiness according to user's personal attributes and a user's role; And an encryption module for encrypting and storing the user data in a database.

Description

TECHNICAL FIELD [0001] The present invention relates to a security service providing system based on cloud computing,

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a security service providing system, and more particularly, to a security service providing system based on cloud computing that enables a cloud service to be used safely and conveniently based on an improved security function.

2. Description of the Related Art Communication terminals are manufactured in a portable form and are used in a wide variety of fields due to their ease of use and portability. Recently, such communication terminals have been developed in the form of smart phones equipped with various user functions to provide convenience and amusement.

With the spread of such smart phones, users have a large number of terminals, and accordingly, they are interested in sharing data stored in each terminal. In addition, the widespread adoption of smart phones has created an effect of increasing interest in sharing data among users. Recently, the cloud service has been attracting attention for service support for such data sharing.

Cloud service is a service that uses IT technology to provide IT resources as a service. It can borrow and use IT resources as much as necessary, expand and reduce in real time according to the load of the service, and pay only as much as it uses. Therefore, in a cloud computing environment, a service provider integrates servers distributed in various places into a virtualization technology, thereby providing services required by users.

In the cloud computing environment, security issues that can protect assets from security threats such as external hacking attacks are highlighted as the most important issue. Especially, in recent years, personal information is stored using a cloud service, and personal information is frequently leaked. Accordingly, there is a need to search for a more stable cloud service support that enables service users to appropriately share desired data without fear of leakage of personal information.

On the other hand, in devices such as smart phones, as an alternative to the weakness of the method of inputting a password and a personal identification number (PIN) for user authentication, authentication of human body information using physical information such as fingerprint or iris, Based proprietary authentication.

Patent No. 10-1709276 Patent No. 10-1403626

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above problems, and it is an object of the present invention to provide a cloud computing-based security service providing system which can use a cloud service safely and conveniently based on an improved security function .

According to an aspect of the present invention, there is provided a cloud computing-based security service providing system including a plurality of terminals using a cloud service and a cloud service device providing a predetermined cloud service to the plurality of terminals,

The cloud service apparatus includes:

A cloud service module providing cloud service;

An access security module that restricts services according to access management security information for controlling access according to personal attribute information for evaluating user's trustworthiness according to user's personal attributes and a user's role; And

And an encryption module for encrypting the user data and storing the encrypted user data in a database.

In addition, the personal attribute information includes the fields of Table 1, where ID is a user identifier, AI (authentication info) indicates synchronization with the authentication module, Time is a time when a user requests a cloud service , And an authentication information percent (AIP) indicates a rate of authentication probability given by the user from the authentication module.

[Table 1]

Here, the AIP is determined based on the iris template previously registered together with the user ID.

The access management security information includes the fields of Table 2, where ID is a user identifier, Grade is a permission level of a user, Time is a time when a user requests a cloud service, info) indicates permission information of the user, and DI (device info) indicates information of the user terminal.

[Table 2]

The encryption module may further include:

A conversion module for generating four strings by dividing the received string by the number of four characters, arranging the four strings in order from the first row to the fourth row, and converting the four strings into a 4X4 matrix;

A rearrangement module for rearranging the strings belonging to the i-th (i is a natural number) row in the 4 × 4 matrix to the i-th column;

A replacement module for replacing each element with another element in the rearranged 4X4 matrix;

An exchange module for exchanging first and last rows in the replaced 4X4 matrix, exchanging the first and last columns, and exchanging diagonal corresponding elements among the unchanged elements in the replaced 4X4 matrix; .

The replacement module is also characterized in that each element is replaced with another element using a plurality of cryptographic keys in the rearranged 4X4 matrix.

As described above, according to the cloud computing-based security service providing system according to the present invention, the present invention provides a security service providing system for controlling access according to personal attribute information and a role of a user, Access control By limiting the service according to the security information, it is possible to use the cloud service safely and conveniently based on the improved security function.

In addition, there is an additional effect of protecting the asset from security threats such as an external hacking attack by encrypting and storing the user data in the database.

1 is a block diagram schematically illustrating a configuration of a cloud computing-based security service providing system according to an embodiment of the present invention.
2 is a block diagram illustrating a configuration of a terminal according to an exemplary embodiment of the present invention.
3 is a block diagram showing the configuration of the cloud service apparatus of FIG. 1 in more detail.
4 is a block diagram showing the configuration of the encryption module of FIG. 3 in more detail.
5 to 8 are diagrams illustrating an encryption process by the encryption module of FIG.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The idea and its core composition and function are not limited.

Also, when an element is described as being "connected", "comprising", or "composed" to another element, the element may be directly connected or connected to the other element, It is to be understood that other components may be " connected ", " comprising "

Further, in the present invention, different reference numerals are assigned to the same components even in different drawings for easy understanding.

FIG. 1 is a block diagram schematically illustrating a configuration of a cloud computing-based security service providing system according to an embodiment of the present invention. FIG. 2 is a block diagram illustrating a configuration of a terminal according to an embodiment of the present invention in more detail. 3 is a detailed block diagram of the cloud service apparatus of FIG. 1, FIG. 4 is a detailed block diagram of the configuration of the encryption module of FIG. 3, and FIGS. Fig.

Referring to FIG. 1, a cloud computing-based security service providing system 10 of the present invention includes one or more terminals 101, 102, and 103 using a cloud service, a plurality of terminals 101, 102, And a cloud service apparatus 200 providing a predetermined cloud service.

 The cloud service apparatus 200 may be configured to allow access for use of the cloud service of one or more terminals 101, 102, 103, but may include a personal attribute for assessing the user's trustworthiness, Depending on the information and the role of the user, it can support limiting the service according to access management security information to control access.

The configuration of the plurality of terminals 101, 102, and 103 and the cloud service apparatus 200 and their respective roles will be described in more detail with reference to FIG. 2 and FIG.

2, the terminal 101 of the present invention includes a communication unit 110, an input unit 120, an audio processing unit 130, a display unit 140, a storage unit 150, a camera unit 160, 170).

The communication unit 110 may support the formation of a communication channel for connection with the cloud service device 200. In practice, a network system may be provided between the cloud service device 200 and the terminal 101 to support the cloud service. This network system is a configuration for forming a communication channel between the terminal 101 and the cloud service apparatus 200. When the communication unit 110 of the terminal 101 is provided in the form of a mobile communication module, .

Meanwhile, the communication unit 110 may be configured not only as a wireless communication module but also as a communication module for supporting a wired communication mode, and accordingly, the network system may also include communication network devices for supporting the communication mode. For example, the communication unit 110 may be configured with one or more communication modules supporting various communication methods such as 2G, 3G, and 4G, such as WCDMA and OFDMA, as well as communication modules supporting communication methods such as CDMA and GSM have.

The input unit 120 may be formed of a key button or the like. When the terminal 101 is manufactured as a full-touch screen, the input unit 120 may include a side key or a separate hot key. Also, it may include a key map displayed on a touch screen of the terminal 101. The input unit 120 may include a plurality of input keys and function keys for receiving numeric or character information and setting various functions. In particular, the input unit 120 may generate various input signals for connection to the cloud service device 200 according to user control.

For example, the input unit 120 may generate an input signal for inputting and accessing the address information of the cloud service device 200, an ID and a password input signal according to the request of the cloud service device 200, if necessary, .

The audio processing unit 130 may include a speaker SPK for outputting various audio data generated during the operation of the terminal 101 and a microphone MIC for audio data collection. In particular, the audio processing unit 130 of the present invention can support various audio data output related to the connection with the cloud service device 200. For example, the audio processing unit 130 outputs a guide sound or effect sound for performing the basic authentication information checking process of the cloud service device 200, and outputs a guidance sound or effect sound for performing the connection completion process with the cloud service device 200 .

The display unit 140 displays various types of menus of the terminal 101 as well as information input by the user or information provided to the user. That is, the display unit 140 can provide various screens such as a standby screen, a menu screen, a message creation screen, a call screen, a terminal end screen, a terminal boot screen, and the like according to use of the terminal 101. The display unit 140 may be formed in the form of a flat panel display panel such as a liquid crystal display (OLED) or an organic light emitting diode (OLED). The display unit 140 may be manufactured in a structure including a display panel and a touch panel according to a manufacturing method.

The storage unit 150 stores an application program necessary for the functional operation according to the embodiment of the present invention, a screen image to be output to the display unit 140, and the like. The storage unit 150 may store a key map or a menu map for operating the touch screen when the display unit 140 is configured as a touch screen. Here, the key map and the menu map may be various types. The storage unit 150 may include an operating system (OS) for booting the terminal 101, operation of each of the above-described configurations, various user functions such as a user function for supporting the call function of the terminal 101, An MP3 user function for playing back other sound sources, an image output function for playing back pictures and the like, and an application program for supporting a video playback function, respectively.

In particular, the storage unit 150 of the present invention may store a browser 151 for connection to the cloud service apparatus 200. The terminal 151 may provide an icon or a menu item for activating the browser 151. When the item is selected, the browser 151 is loaded into the controller 160 and performs a function for accessing the cloud service apparatus 200 Support.

The camera unit 160 serves as a functional unit for acquiring images, and functions as a functional unit for imaging an iris of a user in the present invention. The camera unit 160 may be a CCD camera, for example. According to a preferred embodiment, the camera unit 110 may include an infrared filter for filtering visible light or ultraviolet light other than infrared light.

The controller 170 controls the overall operation of each component.

3, the cloud service apparatus 200 of the present invention may include a cloud service module 210, an access security module 220, an encryption module 230, and an authentication module 240.

The cloud service module 210 is a part for providing a cloud service. For example, the cloud service module 210 includes an application module supporting a service repository necessary for building a personal or enterprise platform system, a database module storing user data, User modules, security policy modules that manage and control security policies, and so on.

The access security module 220 restricts the service according to the personal attribute information for evaluating the reliability of the user according to the user's personal attributes and the access management security information for controlling the access according to the role of the user.

The personal attribute information includes the fields of Table 1 below.

[Table 1]

Here, the ID is a user identifier, the authentication information AI indicates whether or not the authentication information is synchronized with the authentication module 240 (1 if the authentication is normal, 0 when the authentication is abnormal), Time is the time when the user requested the cloud service, The AIP (authentication information percent) is a rate of authentication probability given by the user from the authentication module 240, and this value serves to restrict an abnormal user's access in the cloud environment.

Preferably, the AIP can be determined based on an iris template pre-registered with the user ID. As a result of performing the authentication using the iris template, the value is 100% when completely matched, and the user's access is not limited. If it is not fully matched, it may be 0%, and user access may be restricted. If the irreversible factors of the iris recognition occur due to the user side or environmental factors (diffuse reflection), the matching probability may be degraded, and in such a case, the user's access may be limited to some extent.

The iris template acquires the iris image of the user by the camera unit 160 of the terminal 101, converts the iris image into an iris template, and authenticates the user. Of course, in the process of converting an iris image into an iris template, it is possible to check and correct the iris size, living body, color of the iris image, and the like in order to acquire an iris image having a specific condition.

It is preferable that such an iris template is stored in an individual server after divided and encrypted. In other words, the deception of the iris template, which is personal information stored in the server by the hacker, is a very serious issue that can break the foundation of the biometrics industry. Therefore, the iris template must be divided and stored securely on the server after encryption.

It is also safe that the divided iridium tramplets should not be combined into one. For this purpose, a pre-registered iris template divided and stored in each server is matched with an authentication divided iris template corresponding to the iris template, and a process of passing only the partial result value to the integration server is performed.

In the integrated server, that is, the cloud service apparatus 200, a partial result value received from each server is integrated to generate a final result value.

In other words, in order to minimize the overhead and service delay through the personal attribute information table, the present invention checks the authority and the trust level of the user every time the user accesses, and synchronizes with the authentication module 240 The reliability of the user is evaluated.

The access management security information includes the fields of Table 2 below.

[Table 2]

Here, ID is the identifier of the user, Grade is the permission level of the user, Time is the time when the user requested the cloud service, PI (permission info) indicates the permission information of the user, DI (device info) It represents the information of the terminal.

That is, the access management security information indicates a field of information checked by the administrator to control access according to the role of the user.

The encryption module 230 encrypts user data in a cloud environment and stores the encrypted user data in a database.

The encryption module 230 receives plain text. For example, the received plain text may be a string such as "sagedatabestcomp".

The encryption module 230 performs an encryption operation on the received character string to output a cipher text. These ciphertexts are stored in a database (not shown).

Referring to FIG. 4, the encryption module 230 includes a conversion module 231, a rearrangement module 233, a replacement module 235, and a switching module 237.

The conversion module 231 divides the received character string into four character strings to generate four strings. For example, when the received string is " sagedatabestcomp ", the conversion module 231 divides the " sagedatabestcomp " into four numbers of characters and stores the four plural strings, i.e., " sage ", " data & Create "comp". According to the embodiment, when the number of characters of the received character string does not reach 16, the number of characters of the character string can be reduced to 16 by inserting special characters (#, *, /, or?

That is, as shown in FIG. 5, the conversion module 231 arranges the four strings in the order of the first row to the fourth row and converts them into the 4X4 matrix M1.

The rearrangement module 233 rearranges the strings belonging to the i-th row (i is a natural number) in the 4X4 matrix converted by the conversion module 231 as the i-th column as shown in Fig. In FIG. 6, the first matrix M1 means a matrix before being transformed by the rearrangement module 233, and the second matrix M2 means a matrix after being transformed by the rearrangement module 233. 6, the rearrangement module 233 rearranges the string (e.g., " sage ") belonging to the first row in the first matrix M1 from the second matrix M2 to the first column Rearrange. The rearrangement module 233 rearranges the string (e.g., " data ") belonging to the second row in the first matrix M1 from the second matrix M2 to the second column (e.g., " data ").

The replacement module 235 replaces each element in the second matrix M2 with another element as shown in FIG. The replacement module 235 replaces each element with another element using the following equation.

[Equation 1]

a [i] '= (((s1 + a [i]) * Mod 26 + s2 Mod 26

Here, a [i] represents the character order value of each element in the second matrix M2, a [i] 'represents the character order value of each element in the third matrix M3, i is a natural number, s1 , S2 denotes a cryptographic key, and Mod denotes a function for obtaining the remaining values.

Preferably, the encryption keys s1 and s2 are generated as random numbers. According to the embodiment, the cipher keys s1 and s2 can be rearranged into respective columns for security enhancement. In FIG. 7, the matrices S1 and S2 represent cryptographic key values generated by random numbers.

When i is 1, the character of a [1] in the second matrix M2 is 's'. When i is 16, the letter of a [16] in the second matrix M2 is 'm'. When the letter 'a' is the zeroth in alphabetical order, the letter 's' is the 18th alphabetical order. The number in the matrix S1 of the first cryptographic key s1 corresponding to a [1] in the second matrix M2 is '1'. the number is '1' in the matrix S2 of the second cryptographic key s2 corresponding to a [1]. The number in the matrix S1 of the first cryptographic key s1 corresponding to a [16] in the second matrix M2 is '0'. The number in the matrix S2 of the second cryptographic key s2 corresponding to a [16] in the second matrix M2 is '5'.

The value of a [1] of the first element 's' in the second matrix M2 is 18 and the value of the matrix S1 of the first cryptographic key s1 corresponding to a [1] in the second matrix M2 is 18, , The sum of the two numbers is (18 + 1) = 19. 19 is divided by 26 is 7, and the number is 1 in the matrix S2 of the second cryptographic key s2 corresponding to a [1], so that the sum of the two numbers is (7 + 1) = 8. The remainder of dividing 8 by 26 is 2. Therefore a [1] '= 2. When the letter 'a' is the zeroth in alphabetical order, the second alphabetic character is 'c'. The replacement module 15 therefore replaces the first element, the letter 's', in the second matrix M2 with the other element 'c' in the third matrix M3. Since the number of alphabets is 26, the remaining value is obtained by dividing by 26. However, in the case of a number or a special character, another number may be used instead of the number 26.

The exchange module 237 exchanges the first row ("ccbg") and the last row ("iblf") in the replaced third matrix M3 as shown in FIG. 8, fmcg "). Exchange module 17 interchanges the elements (" cicb ") corresponding to the diagonally opposite elements (" cicb ") in the replaced 4X4 matrix. The exchanged character strings are the same as the fourth matrix M4.

Meanwhile, the terminals 101, 102, and 103 may further include various additional modules according to their providing modes. That is, each of the terminals 101, 102, and 103 may be a local communication module for local communication in the case of a communication terminal, an interface for data transmission / reception by the wired communication method or the wireless communication method of the terminals 101, 102, An Internet communication module that performs an Internet function by communicating with the Internet, and a digital broadcasting module that performs a digital broadcasting reception and playback function. These components can not be enumerated because of a wide variety of variations depending on the convergence trend of the digital device, but it is also possible that components having the same level as the above-mentioned components are further included in the device have. Also, it is needless to say that the terminals 101, 102, and 103 of the present invention may be excluded from the specific configurations in the above configuration or may be replaced with other configurations depending on the provision mode. Which will be readily apparent to those skilled in the art.

Also, the terminals 101, 102 and 103 according to the embodiment of the present invention may include all types of devices having a trusted platform installed therein. For example, the terminals 101, 102, and 103 may include all mobile communication terminals operating based on communication protocols corresponding to various communication systems, Player, a digital broadcasting player, a PDA (Personal Digital Assistant), a music player (for example, an MP3 player), a portable game terminal, a smart phone, a notebook, a handheld PC, And an application device therefor.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. However, it is not intended to limit the scope of the present invention. It will be apparent to those skilled in the art that other modifications based on the technical idea of the present invention may be practiced without departing from the spirit of the invention disclosed herein.

200: a cloud service device 210: a cloud service module
220 Access security module 230: Encryption module
240: Authentication module

Claims (6)

A cloud computing-based security service providing system, comprising: a plurality of terminals using a cloud service; and a cloud service device providing a predetermined cloud service to the plurality of terminals,
The cloud service apparatus includes:
A cloud service module providing cloud service;
An access security module that restricts services according to access management security information for controlling access according to personal attribute information for evaluating user's trustworthiness according to user's personal attributes and a user's role; And
A cryptographic module for encrypting user data and storing it in a database,
The personal attribute information includes fields of Table 1, where ID is a user identifier, AI (authentication info) indicates whether or not to synchronize with the authentication module, Time is a time when a user requests a cloud service, The AIP (authentication info percent) indicates the authentication probability ratio given by the user from the authentication module,
The access management security information includes the fields of Table 2, where ID is a user's identifier, Grade indicates a user's permission level, Time is a time when a user requests a cloud service, DI (device info) represents the information of the user terminal,
The AIP is determined based on the iris template previously registered together with the user ID. Here, the iris template is the data obtained by converting the iris image, and the previously registered iris template is divided and encrypted and stored in the individual server, And the access by the user may be restricted if the authentication is not completely matched as a result of performing the authentication using the iris template.
[Table 1]

[Table 2]

delete delete delete The method according to claim 1,
The encryption module includes:
A conversion module for generating four strings by dividing the received string by the number of four characters, arranging the four strings in order from the first row to the fourth row, and converting the four strings into a 4X4 matrix;
A rearrangement module for rearranging the strings belonging to the i-th (i is a natural number) row in the 4 × 4 matrix to the i-th column;
A replacement module for replacing each element with another element in the rearranged 4X4 matrix;
An exchange module for exchanging first and last rows in the replaced 4X4 matrix, exchanging the first and last columns, and exchanging diagonal corresponding elements among the unchanged elements in the replaced 4X4 matrix; And a security service providing system based on cloud computing.
6. The method of claim 5,
Wherein the replacement module replaces each element with another element using a plurality of cryptographic keys in a rearranged 4X4 matrix.

Images