KR102004703B1 - Location-based authentication apparatus and system using geofencing - Google Patents

Abstract

Location-based encryption apparatus according to an embodiment of the present invention may include a memory for storing the geofence entry state using the information on the geofence consisting of at least one virtual zone and a processor electrically connected to the memory. Wherein the processor is configured to: (a) update the geofence entry state based on a current location situation; and (b) if the geofence entry state is determined to be an entry, based on the current location situation. Determining one of the virtual zones to generate a virtual zone-based authentication password based on a request of the user terminal.

Description

Location-based password authentication device using geofencing technology and password authentication system including the same {LOCATION-BASED AUTHENTICATION APPARATUS AND SYSTEM USING GEOFENCING}

The present invention relates to an authentication technology, and more particularly, location-based password authentication device that can be used in the user authentication process of various wired / wireless and offline services by generating an authentication password based on user's location information that is continuously changing in time and space. And a password authentication system including the same.

Security authentication technology is widely used for user authentication in the process of providing a specific service requiring security. Among them, the second authentication technology mainly used is public certificate, security card, OTP. However, the number of copies and leaks are increasing every year, and high-level hacking technologies that disable authentication systems such as memory hacking have emerged. Therefore, there is a demand for the development of security authentication technologies that provide user convenience while enhancing security.

Korean Patent Laid-Open No. 10-2005-0118457 (December 19, 2005) relates to a user location authentication system and a method of controlling the same, and acquires user identification information for identifying a corresponding user from a specific user, and obtained user identification information. And a plurality of terminals configured to transmit authentication basic data using geographic location information and time information at this time. After performing user location authentication by comparing user identification information and pre-registered user reference identification information among the authentication basic data transmitted from each terminal, the authentication completion information is configured by giving a user location authentication result to the authentication basic data. And a user location authentication server to store and store.

Korean Patent Registration No. 10-1703357 (January 31, 2017) relates to an actual location authentication system and a method of a terminal, and includes an IP address pool managed by a location authentication device in an access device and location information in which the access device is installed. Storing and managing the data in a location information database (DB); The location authentication device searches for an IP address pool and location information stored in the location information database by using an IP address and location information transmitted when an actual location authentication request of a terminal is received from an application service server. step; And a location authentication step of the location authentication device authenticating the actual location of the terminal according to the search result and transferring the authentication result and distance information to the application service server.

Korean Patent Publication No. 10-2005-0118457 (2005.12.19) Korean Patent Registration No. 10-1703357 (2017.01.31)

An embodiment of the present invention is a location-based password authentication device that can be used in the user authentication process of a variety of wired and wireless and offline services by generating an authentication password based on the location information of the user continuously changing in time and space dimensions and password authentication including the same We want to provide a system.

An embodiment of the present invention provides a location-based password authentication device and a password authentication system including the same that can be used as a secure user authentication means in a variety of wired and wireless and offline services by strengthening the security against hacking through a virtual zone-based authentication password To provide.

In example embodiments, the location-based cryptographic authentication device may include a memory configured to store a geofence entry state indicating whether an entry into a geofence constituted by at least one virtual zone and a processor electrically connected to the memory; a) updating the geofence entry state based on a current location situation; and (b) if the geofence entry state is determined to be entry, determining one of the at least one virtual zone based on the current location situation. Generating a virtual zone-based authentication password.

Step (a) may include determining the current location situation based on the base station identifier received from the base station.

The step (a) may further include determining the current location situation with the base station identifier received for the longest time in the latest time interval when the number of the received base station identifiers is plural.

Step (a) may include determining the current location situation based on a Service Set Identifier (SSID) received from a wireless access point.

Step (b) may include determining one of the at least one virtual zone by analyzing a network area identified through the received SSID.

Step (a) may include determining the current location situation based on GPS information received from a global positioning system (GPS).

Step (b) may include determining whether the latitude and longitude coordinates detected from the received GPS information is included in a predetermined set of latitude and longitude coordinates constituting the at least one virtual zone. Can be.

The step (b) may include generating an adjacent virtual zone authentication password by identifying an adjacent virtual zone when password authentication fails with the determined authentication password generated through the determined one virtual zone.

The location-based password authentication device may be performed between step (a) and step (b), and may further include checking the geofence entry state periodically or as a specific event occurs.

The location-based password authentication device is performed before the step (a), and further comprising the step of configuring the geofence based on at least one of the base station identifier of the base station, the SSID of the wireless access point and the GPS information of the user terminal; Can be.

In the configuring of the geofence, in the case of a multi-band cell based on the base station identifier, configure each of the at least one virtual zone per band, but accumulate the GPS information for each virtual zone to minimize the effect of cell coverage change. Comprising the band-specific coverage may further comprise the step of configuring the geofence.

The location-based password authentication device may be performed before step (a), and may further include providing different base codes to each of the at least one virtual zone.

In the providing of the base code, the push-pull base code providing step of checking the geofence entry state and providing the base code corresponding to the corresponding virtual zone to the user terminal at the request of the user terminal It may include.

The providing of the base code may include providing a base code of a cell broadcasting scheme that provides a different base code corresponding to each of the at least one virtual zone in association with the mobile communication company cell broadcasting server. can do.

The step (b) may include generating the virtual zone-based authentication password as a password reflecting space-time information by using the base code corresponding to the determined virtual zone and the current time as an authentication password seed of an authentication password generation algorithm. Can be.

The location-based password authentication device may be performed before the step (a), and may further include performing an integrity check on the geo-fence of the user periodically or according to occurrence of a specific event.

Among the embodiments, the location-based password authentication system is a mobile carrier cell broadcasting server for transmitting data in a cell broadcasting (cell broadcasting) method to the user terminal through a base station, a mobile carrier location information server for identifying the location of the user terminal and And a location based password authentication device configured to perform a corresponding password authentication in association with the cell broadcasting server and the mobile communication company location information server when a password authentication request associated with the user terminal is received. A geofence entry state update unit for updating a geofence entry state indicating whether a geofence including at least one virtual zone is entered based on a location situation, and the geofence entry state is determined to be an entry, and the current location state is determined. One of the at least one virtual zone on a basis Determined comprises a generator for generating an authentication password for the authentication password for the virtual zone-based.

The disclosed technique can have the following effects. However, since a specific embodiment does not mean to include all of the following effects or only the following effects, it should not be understood that the scope of the disclosed technology is limited by this.

Location-based password authentication device and a password authentication system including the same according to an embodiment of the present invention generates an authentication password based on the user's location information that is constantly changing in time and space dimensions to the user authentication process of various wired / wireless and offline services Can be used.

Location-based password authentication device and a password authentication system including the same according to an embodiment of the present invention can be used as a secure user authentication means in a variety of wired and wireless and offline services to enhance the security against hacking through a virtual zone-based authentication password have.

1 is a diagram illustrating a location-based password authentication system according to an embodiment of the present invention.
FIG. 2 is a block diagram illustrating a location-based password authentication device of FIG. 1.
3 is a block diagram illustrating functional elements of a processor in FIG. 2.
4 is a flow chart illustrating a location based cryptographic authentication procedure performed by a processor in FIG.
FIG. 5 is a diagram illustrating an embodiment of the location-based password authentication system of FIG. 1.
FIG. 6 is a flowchart illustrating an embodiment of a process of performing password authentication by the location-based password authentication device of FIG. 5.
FIG. 7 is a diagram illustrating an embodiment of a process of configuring a geofence by the location-based password authentication device of FIG. 1.
FIG. 8 is a diagram illustrating an embodiment of a process of performing secondary authentication by identifying an adjacent virtual zone when the password authentication fails in the process of performing the password authentication by the location-based password authentication device of FIG. 1.
FIG. 9 is a diagram illustrating an embodiment of a process in which a user terminal in FIG. 1 generates an authentication password through a location-based authentication agent installed in a corresponding user terminal.

Description of the present invention is only an embodiment for structural or functional description, the scope of the present invention should not be construed as limited by the embodiments described in the text. That is, since the embodiments may be variously modified and may have various forms, the scope of the present invention should be understood to include equivalents capable of realizing the technical idea. In addition, the objects or effects presented in the present invention does not mean that a specific embodiment should include all or only such effects, the scope of the present invention should not be understood as being limited thereby.

On the other hand, the meaning of the terms described in the present application should be understood as follows.

Terms such as "first" and "second" are intended to distinguish one component from another component, and the scope of rights should not be limited by these terms. For example, the first component may be named a second component, and similarly, the second component may also be named a first component.

When a component is referred to as being "connected" to another component, it should be understood that there may be other components in between, although it may be directly connected to the other component. On the other hand, when a component is referred to as being "directly connected" to another component, it should be understood that there is no other component in between. On the other hand, other expressions describing the relationship between the components, such as "between" and "immediately between" or "neighboring to" and "directly neighboring to", should be interpreted as well.

Singular expressions should be understood to include plural expressions unless the context clearly indicates otherwise, and terms such as "comprise" or "have" refer to a feature, number, step, operation, component, part, or feature thereof. It is to be understood that the combination is intended to be present and does not exclude in advance the possibility of the presence or addition of one or more other features or numbers, steps, operations, components, parts or combinations thereof.

In each step, an identification code (e.g., a, b, c, etc.) is used for convenience of description, and the identification code does not describe the order of the steps, and each step clearly indicates a specific order in context. Unless stated otherwise, they may occur out of the order noted. That is, each step may occur in the same order as specified, may be performed substantially simultaneously, or may be performed in the reverse order.

The present invention can be embodied as computer readable code on a computer readable recording medium, and the computer readable recording medium includes all kinds of recording devices in which data can be read by a computer system. . Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like. The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

All terms used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. Generally, the terms defined in the dictionary used are to be interpreted to coincide with the meanings in the context of the related art, and should not be interpreted as having ideal or excessively formal meanings unless clearly defined in the present application.

1 is a diagram illustrating a location-based password authentication system according to an embodiment of the present invention.

Referring to FIG. 1, the location-based password authentication system 100 includes a location-based password authentication device 110, a user terminal 120, an application server 130, a mobile carrier cell broadcasting server 140, and mobile carrier location information. Server 150 may be included.

The location-based password authentication device 110 corresponds to a computing device capable of generating a location context-based authentication password. Location-based password authentication device 110 may be connected to the user terminal 120, the base station, the mobile carrier cell broadcasting server 140, the mobile carrier location information server 150 and the application server 130, for example, It may be connected via a wireless mobile communication network and a wired data network. In an embodiment, the location-based password authentication device 110 may receive an authentication request associated with the user terminal 120 and generate a virtual zone-based authentication password based on the location situation of the user terminal 120. Password authentication may be performed by checking the authentication password included in the corresponding authentication request and generated in the corresponding user terminal 120 and the generated virtual zone-based authentication password.

The user terminal 120 may correspond to a computing device that may be connected to the location-based password authentication device 110 through a network, and may be implemented as, for example, a desktop, a laptop, a tablet PC, or a smartphone. In one embodiment, the user terminal 120 is location-based via a location-based authentication agent installed on the user terminal 120 for user authentication associated with a particular service transaction (eg, remittance, transfer) online or offline. By generating the authentication password of the password-based authentication device 110 or a service provider server (eg, financial institution server) associated with the specific service transaction may be requested for authentication. In one embodiment, the location-based authentication agent corresponds to an agent program, which is software that can be connected to the location-based password authentication device 110 and interoperable when installed in the user terminal 120, for example, It can be implemented as a mobile application that can run on a mobile device.

The application server 130 corresponds to a computing device capable of interworking with the user terminal 120 through a location-based authentication agent installed in the user terminal 120. All. In one embodiment, the application server 130 may provide a location-based authentication agent to the user terminal 120, and through the location-based authentication agent installed in the user terminal 120, the base code, the full list of authentication passwords and matching You can manage and encrypt tables, and set basic parameters, encryption detailed parameter settings, security policy settings, and database (DB) updates required by the location-based authentication agent.

The mobile communication company cell broadcasting server 140 corresponds to a computing device capable of transmitting data to the user terminal 120 through a base station in a cell broadcasting manner. In one embodiment, the mobile carrier cell broadcasting server 140 is a base code transmission request including a base code corresponding to each of a plurality of base stations from the location-based password authentication device 110 and the cell broadcasting server 140 When received, a corresponding base code may be provided to the user terminal 120 through each base station.

The mobile communication company location information server 150 corresponds to a computing device capable of tracking the location of the user based on a mobile phone identifier (for example, a mobile phone number) of the user terminal 120. The mobile operator location information server 150 may check the location of the user terminal 120 associated with a specific user with respect to the base station, and provide location information about the identified location to the location-based password authentication device 110 to authenticate the password. Can support

In one embodiment, the location-based password authentication system 100 may further include a service provider server, where the service provider server provides a service provider (eg, transfer, transfer) to provide a particular service (eg, transfer, transfer). For example, it corresponds to a server operated by a bank or a securities company. In one embodiment, when the service provider server receives a request for providing a specific service from the user terminal 120, the service provider server may request the user terminal 120 to input an authentication password for user authentication, and the authentication password from the user terminal 120. If received, the location-based password authentication device 110 may request password authentication for the corresponding authentication password, and may determine whether to provide the specific service according to whether the password authentication is successful.

FIG. 2 is a block diagram illustrating a location-based password authentication device of FIG. 1.

Referring to FIG. 2, the location-based cryptographic authentication device 110 may include a processor 210, a memory 220, a user input / output unit 230, and a network input / output unit 240.

The processor 210 is electrically connected to the memory 220. The processor 210 may perform the location-based password authentication procedure of FIG. 4, and store and update the result generated in the entire process of performing the procedure in the memory 220. The processor 210 may manage a memory 220 that stores data read or written during a location-based password authentication procedure, and schedules a synchronization time between volatile memory and nonvolatile memory in the memory 220. can do. The processor 210 may control overall operations of the location-based password authentication device 110, control data flow between the memory 220, the user input / output unit 230, and the network input / output unit 240, and the location. It may be implemented as a central processing unit (CPU) of the based cryptographic authentication device (110).

The memory 220 may include a secondary memory device which is implemented as a nonvolatile memory such as a solid state disk (SSD) or a hard disk drive (HDD), and is used to store all data required for the location-based password authentication device 110. And a main memory device implemented with volatile memory such as random access memory (RAM). As such, the memory 220 may be implemented as a volatile or nonvolatile memory. If the memory 220 is implemented as a nonvolatile memory, the memory 220 may be connected through a hyperlink.

The memory 220 may store a geofence entry state. Here, the geo-fence entry state indicates whether or not to enter the geo-fence 115 composed of at least one virtual zone, in one embodiment, the user terminal 120 through a location-based authentication agent installed in the user terminal 120 Can be tracked and managed in real time. In one embodiment, the memory 220 may store configuration information about each of at least one virtual zone constituting the geofence 115, and the seed of the virtual zone-based authentication password generation algorithm corresponding to each virtual zone. A base station identifier or a base code used as a terminal may be stored, and a base code generation algorithm for generating the base code may be stored.

The user input / output unit 230 includes an environment for receiving user input and an environment for outputting specific information to the user, and includes, for example, an input device and a monitor including an adapter such as a touch pad, a touch screen, or a pointing device. Or it may include an output device including an adapter such as a touch screen.

The network input / output unit 240 may include an environment for connecting to the user terminal 120 through a network, and may include, for example, an adapter for wireless local area network (LAN) communication.

3 is a block diagram illustrating functional elements of a processor in FIG. 2.

Referring to FIG. 3, the processor 210 includes a geofence manager 310, a geofence entry status updater 320, an authentication password generator 330, a password authentication performer 340, and a controller 350. can do.

The geofence manager 310 may manage the geofence 115 composed of at least one virtual zone. In one embodiment, the geofence manager 310 may configure each of at least one virtual zone based on at least one of a base station cell identifier, a wireless access point identifier, and the GPS information of the user terminal 120. Here, each of the at least one virtual zone corresponds to at least one divided area for checking whether the user terminal 120 has entered the geofence 115. For example, each of the virtual zones of the geo-fence 115 may correspond to a base station service area that can be identified by a base station identifier unit of a base station. This may correspond to a network area that can be identified, and for example, may correspond to a virtual area generated through at least two or more combinations of a base station identifier of a base station, an SSID of Wi-Fi, and Global Positioning System (GPS) information. have.

In one embodiment, the geofence manager 310 may configure a virtual zone of the geofence 115 in units of areas having the same base station identifier based on the base station identifier of the base station. In one embodiment, the base station identifier is an identifier capable of identifying each of the plurality of base stations. For example, the base station identifier corresponds to a physical cell ID (PCI) of a base station based on Long Term Evolution (LTE) or Cell Global (CGI). Identifier) or ECGI (E-UTRAN CGI), or a combination of these may correspond to a uniquely assigned identifier, and for example, the second generation, the third generation, or the like. It may correspond to an identifier of a base station based on the next generation mobile communication technology standard. For example, the geofence manager 310 may generate a geofence 115 composed of 504 virtual zones using 504 PCIs defined in the 3rd Generation Partnership Project (3GPP) LTE standard.

In another embodiment, the geofence manager 310 may configure the geofence 115 based on the SSID of the wireless access point (eg, Wi-Fi), and at least in units of network area identified through the same SSID. Each virtual zone can be configured.

In another embodiment, the geofence manager 310 may configure the geofence 115 associated with the GPS information based on latitude and longitude information on a map designated by a user or a designer. For example, the geofence manager 310 receives a virtual zone having a polygon shape based on a latitude and longitude coordinate set corresponding to vertices of a virtual polygon on a map received from the user terminal 120 and input by the user. Can be configured.

In one embodiment, the geofence manager 310 may generate each of the at least one virtual zone in the form of a polygon, for example, a hexagon of different sizes by combining GPS, mobile phone base station signal and Wi-Fi signal. Can be created in the form of.

In one embodiment, the geofence manager 310 configures each of at least one virtual zone per band in the case of multiple frequency band cells based on the base station identifier, but accumulates GPS information for each virtual zone to minimize the effect of cell coverage change. The geofence 115 can be configured by combining coverage for each frequency band. This will be described in more detail with reference to FIG. 8B.

In one embodiment, the geofence manager 310 may reconfigure the at least one virtual zone periodically or according to the occurrence of a specific event. For example, the geofence manager 310 may reconfigure the virtual zone based on a randomly selected one of the base station identifier of the base station, the SSID of the wireless access point, and the GPS information under a specific time period or under the control of an administrator.

In an embodiment, the geofence manager 310 may perform an integrity check on the geofence 115 of the user periodically or according to occurrence of a specific event. For example, when the geofence manager 310 is connected to the user terminal 120 at a specific cycle or through a location-based authentication agent, the base station base station identifier and Wi-Fi of the user terminal 120 provided from the mobile operator location information server 150 are provided. The SSID and the GPS information of the user terminal 120 may be used to determine whether the legitimate geofence 115 is used.

The geofence entry state update unit 320 updates the geofence entry state based on the current position situation. In one embodiment, the geo-fence entry status update unit 320 and the specific user terminal 120 from the authentication password generation unit 330 in the process of generating the authentication password or the transmission of the base code by the authentication password generation unit 330 The management request for the associated geo-fence entry state may be received, thereby tracking the current location of the corresponding user terminal 120 to obtain location information on the current location situation, and obtaining the obtained location information. It may be determined whether the geofence 115 has been entered as a basis. For example, the geofence entry status updater 320 tracks the current location situation from at least one of the base station identifier, SSID, and GPS information of the base station received from the user terminal 120 through the location-based authentication agent, or Track the current location of the user terminal 120 in conjunction with the mobile carrier location information server 150 based on the mobile phone number, or based on the base code received from the user terminal 120 Tracking or receiving the current location information of the user terminal 120 from the authentication password generation unit 330 interoperating with the mobile carrier location information server 150 to check whether the geofence entry and specific virtual zone information entered. have.

In one embodiment, the geofence entry status update unit 320 may determine the current location situation based on the base station identifier received from the base station. The geofence entry status updater 320 may communicate with the mobile operator location information server 150 to receive a base station identifier which is a base station cell identifier associated with the current location of the corresponding user terminal 120, and matches the received base station identifier. The presence or absence of the virtual zone may be detected to determine whether the geofence 115 has entered. For example, the geofence entry status updater 320 determines that the user terminal 120 enters a specific virtual zone matching the PCI when the user terminal 120 receives a specific PCI, which is one of 504 PCIs defined in the 3GPP LTE standard. If a specific PCI is received while another PCI is received, it may be determined that the user has left the virtual zone. In one embodiment, the geofence entry state update unit 320 may be placed in a grace period of a specific time interval in this determination process to reduce the unnecessary frequent changes for the virtual zone.

In the above embodiment, the geo-fence entry status update unit 320 may determine the current location situation with the base station identifier received for the longest time in the latest time interval when the number of received base station identifiers is plural. For example, the geofence entry state updater 320 may accumulate the time when each of the received PCIs is active and determine the virtual zone associated with the specific PCI having the longest accumulated time as the currently located virtual zone. .

In another embodiment, the geofence entry status updater 320 may determine whether to enter the geofence by determining the current location situation based on the SSID received from the wireless access point. In another embodiment, the geofence entry status updater 320 may determine the current location situation based on the GPS information received from the GPS. For example, the geofence entry status updater 320 receives GPS information through a location-based authentication agent installed in the user terminal 120, and the current position of the corresponding user terminal 120 is configured through latitude and longitude coordinate points. It may be determined which virtual zone belongs to among the degree-based virtual zones.

In one embodiment, the geofence entry state update unit 320 may check the geofence entry state periodically or according to the occurrence of a specific event. For example, when the geofence entry status updater 320 receives a base code generation request or a password authentication request associated with the user terminal 120, the geofence entry status updater 320 tracks the position of the user terminal 120 until the procedure is terminated. Geofence entry state can be continuously updated, and for example, when connected to the user terminal 120 through a location-based authentication agent installed in the user terminal 120, the user terminal 120 while the connection state is maintained. You can also keep track of the location of) to update your geofence entry status.

The authentication password generator 330 may provide different base codes to each of the at least one virtual zone in the geofence 115. The authentication password generator 330 may generate a base code based on a prestored base code generation algorithm and update the code at a specific period to limit the validity of the base code. Here, the base code can be used as a seed in the base code generation algorithm for location based cipher generation. The authentication password generator 330 may provide a base code according to the following embodiments.

In the first embodiment, the authentication password generator 330 may transmit the base code in a push-pull method based on a user request. When the user terminal 120 requests the base code to be transmitted to the authentication password generation unit 330 through the location-based authentication agent, the authentication password generation unit 330 through the geofence entry status update unit 320 according to the request. The geofence entry state of the user terminal 120 may be checked, and if the geofence entry state is confirmed, the base code corresponding to the checked virtual zone may be transmitted to the user terminal 120.

In the second embodiment, the authentication password generator 330 may transmit the base code in a cell broadcasting manner in association with the mobile communication company cell broadcasting server 140. For example, the authentication password generator 330 may periodically update different base codes corresponding to each virtual zone of the geo-fence 115 and transmit them to the mobile communication company cell broadcasting server 140, and cell broadcasting. In conjunction with the server 140, the corresponding base code may be provided through a cell base station in a cell broadcasting scheme.

In one embodiment, the authentication password generation unit 330 receives a request for retransmission of the base code according to a user request, or in the process of providing the base code in a cell broadcast manner in conjunction with the cell broadcasting server 140 When the user terminal 120 enters or leaves a specific virtual zone through the geo-fence entry state update unit 320, the base code may be retransmitted in the above-described manners. Can be prioritized.

In one embodiment, the authentication password generation unit 330 is based on the period within the specified range if a specific period associated with the base code update is set by the user terminal 120 located in the same virtual zone for a specific time interval or more It is possible to perform the update, and the update according to the period specified by the user may be given priority over cell broadcasting performed periodically.

In one embodiment, the authentication password generator 330 may adjust the specific period based on Equation 1 below to update the base code according to the corresponding period. For example, the authentication password generation unit 330 is a cumulative number of personal information leakage detection criteria specified by the designer 5 (h) (h _t = 5) and accumulated personal information leak detection for all users in the last 7 days When the number of times is 10 (times) (h _avg = 10), the base code may be updated with a period of (1/2) * t ₀ faster than the default period value t ₀ set by the designer.

[Equation 1]

(Where h _avg corresponds to the cumulative number of times a personal information leak has been detected for all users during a particular time interval, h _t corresponds to the number of personal information leakage detection criteria specified by the designer, and t ₀ is the designer Or a default period value that can be set by the user)

The authentication password generator 330 may determine one of the at least one virtual zone based on the current location situation and generate an authentication password based on the virtual zone when the entry state of the geofence is determined as the entry. When the authentication password generation unit 330 receives a password authentication request associated with a specific user terminal 120, the authentication password generation unit 330 receives the geofence entry state of the user terminal 120 in real time from the geofence entry state update unit 320. An authentication password based on a specific virtual zone in which the terminal 120 is located may be generated. In one embodiment, the authentication password generation unit 330 may determine one of the at least one virtual zone by analyzing the network area identified through the received SSID, in another embodiment, the authentication password generation unit 330 May determine whether one of the at least one virtual zone is analyzed by analyzing whether the latitude and longitude coordinates detected from the received GPS information is included in a predetermined set of latitude and longitude coordinates constituting the at least one virtual zone.

The authentication password generator 330 may generate a virtual zone-based authentication password using location information about the specific virtual zone determined based on the current location situation and an authentication password generation algorithm. In one embodiment, the authentication password generation unit 330 may be previously promised to generate the authentication password using the same algorithm as the authentication password generation algorithm in the location-based authentication agent installed in the user terminal 120.

In one embodiment, the authentication password generation unit 330 generates a virtual zone-based authentication password as a password reflecting spatial information by using the base code and user information corresponding to the corresponding virtual zone as the authentication password seed of the authentication password generation algorithm. In this case, the user information may be previously designated by the user terminal 120, may correspond to an identity for identifying the user, and may correspond to, for example, a user ID or a password specified by the user. Can be.

In another embodiment, the authentication password generation unit 330 uses the base code and the current time corresponding to the corresponding virtual zone as the authentication password seed of the authentication password generation algorithm, and uses the virtual zone-based authentication password as a password reflecting space-time information. It is possible to generate a more secure authentication password by further reflecting the current time in the base code, which can be generated and periodically varies depending on the location.

In one embodiment, the authentication password generation unit 330 may generate the adjacent virtual zone authentication password by identifying the adjacent virtual zone when the password authentication fails with the authentication password generated through the determined one virtual zone. In one embodiment, the authentication password generation unit 330 receives the information about this if the signal measurement for the PCI of the neighboring cells in addition to the PCI of the cell that the user terminal 120 is receiving for actual communication periodically 2 It can be used for the next password authentication process. In this process, the initial authentication is performed based on the virtual zone corresponding to the activated PCI of the cell currently being used, and if it fails, the second authentication is based on the adjacent virtual zones of neighboring cells. Can be sequentially performed as the second cryptographic authentication. This will be described in more detail with reference to FIG. 9.

The password authentication performing unit 340 may perform password authentication based on the generated authentication password. In one embodiment, when the authentication request associated with the user terminal 120 is received, the password authentication performing unit 340 is included in the corresponding authentication request and generated in the authentication password and the authentication password generation unit 330. The password authentication may be performed by checking the virtual zone-based authentication password generated by the virtual password. For example, when the user terminal 120 transmits the first authentication password generated according to the authentication password generation algorithm in the location-based authentication agent, the password authentication performing unit 340 tracks the current location of the user terminal 120. By using the PCI or the base code corresponding to the virtual zone at the location as a seed to generate a second authentication password through the same authentication password generation algorithm as the user terminal 120, the first authentication password and the second authentication If the password matches, it can be determined that the password authentication is successful.

The controller 350 may control the first half of the procedure by receiving a password authentication request or a base code transmission request associated with the user terminal 120, and the geofence manager 310 and the geofence entry state in the entire procedure. The data flow between the updater 320, the authentication password generator 330, and the password authentication performer 340 may be controlled.

In one embodiment, according to the functional elements of the process 210 in the location-based password authentication device 110, geofence management unit 310, geofence entry status update unit 320, authentication password generation unit 330, password Although separated into the authentication performing unit 340 and the control unit 350, in another embodiment, the geofence management unit 310, geofence entry status update unit 320, authentication password generation unit 330, password authentication performing unit The 340 and the controller 350 may be separately implemented into at least one independent computing device according to their functional elements. For example, the geofence manager 310, the geofence entry status updater 320, the authentication password generator 330, the password authentication performer 340, and the controller 350 are physically separated computing devices from each other. Each may be implemented and operated by different operators or the same operator, for example, may be implemented as an integrated computing device functionally separated from each other without being physically separated from each other and operated by the same operator.

4 is a flow chart illustrating a location based cryptographic authentication procedure performed by a processor in FIG.

In FIG. 4, the control unit 350 may receive a password authentication request associated with the user terminal 120 (step S410). In one embodiment, the control unit 350 is a geofence entry state of the user terminal 120 to the geofence entry state update unit 320 when a password authentication request is received through a location-based authentication agent installed in the user terminal 120. You can request information about

The geofence entry state update unit 320 may update the geofence entry state based on the current position situation (step S420). In one embodiment, the geofence entry state update unit 320 may update the geofence entry state in real time with respect to the corresponding user terminal 120 and provide it to the authentication password generator 330.

The authentication password generation unit 330 may determine one of the at least one virtual zone based on the current position situation and generate a virtual zone-based authentication password when the geofence entry state is determined as the entry (step S430). In one embodiment, the authentication password generation unit 330 obtains the information of the specific zone in which the user terminal 120 is located from the received geofence entry state to the base code, the current time and the corresponding user corresponding to the specific zone. By using the characteristic information specified in advance as the seed of the authentication password generation algorithm, it is possible to generate the authentication password.

The password authentication performing unit 340 may perform password authentication based on the generated authentication password (step S440). In one embodiment, the password authentication performing unit 340 may determine whether the password authentication is successful by comparing the authentication password generated in the user terminal 120 and the virtual authentication password generated by the authentication password generator 330. .

In one embodiment, the geofence management unit 310 may check the geofence entry state periodically between step S420 and S430 or according to the occurrence of a specific event, and before the step S410 the base station identifier of the base station, SSID of the wireless access point And the geofence 115 based on at least one of the GPS information. The geofence 115 may be reconfigured periodically before or after step S410 or after the occurrence of a specific event, and before step S410. Integrity checking may be performed for each of the at least one virtual zone periodically or according to occurrence of a specific event.

FIG. 5 is a diagram illustrating an embodiment of the location-based password authentication system of FIG. 1.

1 to 5, the geofence manager 310, the geofence entry status updater 320, the authentication password generator 330, and the password authentication performer 340 of the location-based password authentication device 110. The controller 350 may be implemented by being separated into the geo-fencing server 510, the LFin gateway server 520, and the LFin authentication server 530 according to its functional elements.

In one embodiment, the geofence manager 310 and the geofence entry status updater 320 of the location-based password authentication device 110 may be implemented as a geofencing server 510 in relation to its functional elements. The geo-fencing server 510 may configure and manage the geo-fence 115 composed of at least one virtual zone, and the geo-fence entry state for the specific user terminal 120 at the request of the LFin authentication server 530. Can be managed in real time.

In one embodiment, the control unit 350 of the location-based password authentication device 110 may be implemented as the LFin gateway server 520 in relation to its functional elements. In one embodiment, the LFin gateway server 520 may act as a gateway in the communication process between the LFin authentication server 530 and the user terminal 120 existing in the mobile operator network, geo geo throughout the process for password authentication The connection flow between the fencing server 510, the LFin authentication server 530, the application server 130, and the mobile operator location information server 150 may be controlled. The LFin gateway server 520 sends a password authentication request associated with the corresponding user terminal 120 received from the user terminal 120 or a service provider server associated with a specific service transaction of the user terminal 120 to the LFin authentication server 530. Password authentication may be performed through the LFin authentication server 530, and may be provided to the corresponding user terminal 120 by receiving a password authentication result from the LFin authentication server 530.

In one embodiment, the authentication password generator 330 and the password authentication performer 340 of the location-based password authentication device 110 may be implemented as the LFin authentication server 530 in relation to the functional elements. The LFin authentication server 530 is present in the mobile operator network and may be connected to the mobile communication company cell broadcasting server 750 through the corresponding network, and may communicate with the user terminal 120 through the LFin gateway server 520. . The LFin authentication server 530 may generate a different base code for each virtual zone at a specific cycle and transmit the cell code based on the cell broadcasting method through interworking with the mobile communication company's cell broadcasting server 750 and the password associated with the user terminal 120. When the authentication request is received, the location information of the corresponding user terminal 120 may be confirmed by interworking with the geo-fencing server 510 and the mobile communication company location information server 760. In addition, the LFin authentication server 530 determines a specific virtual zone corresponding to the identified location information, and generates a location password based authentication password using the base code corresponding to the corresponding virtual zone and the current time as a seed of the authentication password generation algorithm. The user may determine whether the password authentication succeeds through password authentication that compares the generated location context-based authentication password with the authentication password generated by the user terminal 120.

FIG. 6 is a flowchart illustrating an embodiment of a process of performing password authentication by the location-based password authentication device of FIG. 5.

In FIG. 6, the geo-fencing server 510 of the location-based password authentication device 110 of the location-based password authentication device 110 includes an identification number 610 based on at least one of a base station identifier of a base station, an SSID of Wi-Fi, and GPS information. Each virtual zone can be configured together.

The location-based password authentication device 110 may provide different base codes (encryption codes) to each of the virtual zones constituting the geofence 115 (FIG. 6, step 1). In one embodiment, the LFin authentication server 530 receives the base code providing request requested by the location-based authentication agent installed in the user terminal 120 through the LFin gateway server 520, the geo-fencing server 510 and the mobile carrier In conjunction with the location information server 150, the location of the user terminal 120 may be tracked and the base code corresponding to the current location may be transmitted through the LFin gateway server 520. In another embodiment, the LFin authentication server 530 interoperates with the geo-fencing server 510 and the mobile operator location information server 150 to transmit different base codes corresponding to each virtual zone to the mobile carrier cell broadcasting server 140. It can be provided through linkage with).

The user terminal 120 may receive a base code through a location-based authentication agent (Location Password App) installed in the user terminal 120, and use the received base code as a seed of the authentication password generation algorithm to authenticate the authentication password (location). Password) (step 2 of FIG. 6). For example, the user terminal 120 may receive the base code CDHDHFHE corresponding to the corresponding virtual zone through the Location password app installed in the user terminal 120 to generate a valid authentication password A0! Fr # 8O for a specific time interval. (See FIG. 9).

The user terminal 120 performs a specific transaction requiring security on or off-line such as financial transactions or important information storage, through automatic input of an authentication password by a location-based authentication agent or manual input by a user. A password authentication may be requested for the authentication password generated in association with the specific transaction (step 3 of FIG. 6). In one embodiment, the user terminal 120 may set an encryption level according to a user request with respect to the authentication password generated through the location-based authentication agent, and the LFin gateway based on the encryption algorithm corresponding to the set encryption level. The server 520 may transmit the LFin authentication server 530. For example, a user may encrypt and transmit an authentication password according to a first encryption algorithm (eg, an Advanced Encryption Standard (AES) 256 algorithm) corresponding to an encryption level of a basic security level while staying in a specific virtual zone. The authentication password may be encrypted and transmitted according to a second encryption algorithm (eg, an algorithm other than the AES 256 algorithm) corresponding to the encryption level of the higher or lower security level selected according to the user's request.

When the LFin authentication server 530 receives a password authentication request associated with the user terminal 120 through the LFin gateway server 520, the LFin authentication server 530 performs the user location check in conjunction with the mobile carrier location information server 150 and the corresponding user location. The authentication password may be generated through the corresponding virtual zone to determine whether the authentication is successful by comparing the authentication password received from the user terminal 120 (step 4 of FIG. 6). In one embodiment, the LFin authentication server 530 may be operated by each mobile operator, and the password authentication by interworking with the mobile operator location information server 150 associated with the mobile operator through the mobile carrier network. Can be done.

The LFin authentication server 530 may notify the user terminal 120 through the LFin gateway server 520 about the success or failure of the password authentication (step 5 of FIG. 6).

The location-based password authentication device 110 may perform an authentication process optimized according to a policy of a service provider (eg, a bank or a securities company) that provides a specific service (eg, a wire transfer or a transfer) or a user's option setting. Can be.

FIG. 7 is a diagram illustrating an embodiment of a process of configuring a geofence by the location-based password authentication device of FIG. 1. More specifically, FIG. 7A illustrates an embodiment in which the location-based cryptographic authentication device 110 configures the geofence 115 in consideration of overlapping coverage, and FIG. 7B illustrates between different frequency bands that may be generated at the same location. An embodiment of a process of configuring the integrated coverage to reflect the geofence 115 to minimize the coverage gap is shown.

In FIG. 7A, the geofence manager 310 of the location-based password authentication device 110 may set an area where coverage overlap occurs in a process of constructing the geofence 115 as a specific virtual zone. In downtown areas, PCI overlap may occur due to coverage overlap due to a close distance between base station cells, and a plurality of handovers may occur according to such PCI overlap, which may cause problems in the geofence building process. Accordingly, the geofence management unit 310 may accumulate and manage the access time per cell or the time when a specific PCI is activated in the mixed region, and set the mixed region as a specific virtual zone based on this to be reflected in the geofence. And manage.

In one embodiment, the geofence manager 310 may detect a cell (base station) having the most cumulative access time in association with the user terminal 120, and may manage the addition of the mixed area as a specific virtual zone. . The geofence manager 310 may manage an entry state of a specific virtual zone of the user terminal 120 by using mixed region information in the geofence management process. The geofence manager 310 may periodically measure and update a corresponding cumulative state in consideration of the possibility that the mixed situation may change due to a change in the wireless environment.

In FIG. 7B, the geo-fence manager 310 of the location-based password authentication device 110 configures each of at least one virtual zone based on PCI, but accumulates GPS information for each virtual zone to minimize the effect of cell coverage change. The geofence 115 may be configured by combining coverage for each band. In order to service a plurality of frequency bands at the same location, a plurality of Radio Units (RUs) are required. Since they use different bands, there is a possibility that a coverage gap may occur depending on the propagation characteristics of the bands. The geofence manager 310 may configure the integrated coverage to reflect the geofence in the geofence, for example, to minimize the coverage gap between different frequency bands that may occur in the same location. When the 120 receives the base code or requests the password authentication, the corresponding location information may be collected to configure a coverage that integrates multiple RUs, and may update the specific virtual zone based on this.

FIG. 8 is a diagram illustrating an embodiment of a process of performing secondary authentication by identifying an adjacent virtual zone when the password authentication fails in the process of performing the password authentication by the location-based password authentication device of FIG. 1.

In FIG. 8, the authentication password generation unit 330 of the location-based password authentication device 110 identifies a neighboring virtual zone by identifying an adjacent virtual zone when the password authentication fails with the authentication password generated through the determined one virtual zone. Can be generated. For example, after the user terminal 120 generates an authentication password in the virtual zone A cell and requests password authentication, when the user terminal 120 is moved to another virtual zone B cell according to the movement of the user, the user terminal 120 Since the authentication password generated in the present invention and the authentication password generated based on the current situation of the user terminal 120 do not match, password authentication may fail. In this case, the cryptographic authentication unit 340 may perform secondary authentication, which attempts to authenticate neighboring PCI cells around the B cell where the current user terminal 120 is located. The password authentication performing unit 340 collects information on the active PCI virtual zone where the user terminal 120 is currently located and neighboring neighbor PCI virtual zones through a location-based authentication agent installed in the user terminal 120, or In conjunction with the geofence management unit 310 and the mobile communication company location information server 150 may determine the surrounding location information based on the current location information of the user terminal 120.

In one embodiment, the password authentication performing unit 340 performs the second authentication through the neighbor virtual zone authentication passwords generated based on the neighbor PCI virtual zones, and if the authentication is successful, informs the authentication success so that the associated service is provided. If it fails, authentication may be performed by using a cell cluster unit such as a tracking area.

Although described above with reference to a preferred embodiment of the present application, those skilled in the art various modifications of the present application without departing from the spirit and scope of the invention described in the claims below And can be changed.

100: location-based password authentication system
110: location-based password authentication device
120: user terminal 130: application server
140: carrier cell broadcasting server
150: mobile carrier location information server
210: processor 220: memory
230: user input and output unit 240: network input and output unit
310: geofence management unit 320: geofence entry state update unit
330: authentication password generation unit 340: password authentication execution unit
350: control unit
510: Geofencing Server 520: LFin Gateway Server
530: LFin authentication server

Claims (17)

A memory for storing a geofence entry state indicating whether the geofence including at least one virtual zone is entered; And
A processor electrically connected with the memory,
The processor is
(a) updating the geofence entry state based on a current location situation; And
(b) if the geofence entry state is determined to be an entry, determining one of the at least one virtual zone based on the current location situation and generating a virtual zone based authentication password,
Performed before the step (a), further comprising providing a different base code to each of the at least one virtual zone,
The providing of the base code may include providing a base code of a cell broadcasting scheme that periodically updates and provides different base codes corresponding to each of the at least one virtual zone in association with a mobile communication company cell broadcasting server. Including steps
The generating of the virtual zone-based authentication password is based on Equation 1 below according to the corresponding period within a specified range when a specific period associated with the base code update is set by the user terminal located in the same virtual zone for a specific time interval or more. And updating the base code by adjusting the specific period, and prioritizing the update according to the period specified by the user over the cell broadcasting performed periodically.
[Equation 1]

(Where t corresponds to a specific period associated with the base code update. Havg corresponds to the cumulative number of times a personal leak has been detected for all users over a recent specific time interval, and ht is the privacy leak specified by the designer. Corresponds to the detection threshold, and t0 corresponds to the default period value that can be set by the designer or user.)
delete The method of claim 1, wherein step (a)
And determining the current location situation based on the base station identifier received for the longest time period in the latest time interval, when the number of the received base station identifiers is plural.
The method of claim 1, wherein step (a)
And determining the current location situation based on a service set identifier (SSID) received from a wireless access point.
The method of claim 4, wherein step (b)
And determining one of the at least one virtual zone by analyzing a network region identified through the received SSID.
The method of claim 1, wherein step (a)
And determining the current location situation based on GPS information received from a global positioning system (GPS).
The method of claim 6, wherein step (b)
And determining the one by analyzing whether or not the latitude and longitude coordinates detected from the received GPS information are included in a predetermined set of latitude and longitude coordinates constituting the at least one virtual zone. Password authentication device.
The method of claim 1, wherein step (b)
And generating an adjacent virtual zone authentication password by identifying an adjacent virtual zone when password authentication fails with the determined authentication password generated through the determined one virtual zone.
The method of claim 1,
And performing the step of (a) and (b) and checking the geofence entry state periodically or according to occurrence of a specific event.
The method of claim 1,
Location-based encryption, which is performed before step (a), further comprising configuring the geofence based on at least one of a base station identifier of a base station, an SSID of a wireless access point, and GPS information of a user terminal. Authentication device.
The method of claim 10, wherein configuring the geofence
In the case of a multi-band cell based on the base station identifier, each of the at least one virtual zone per band is configured, but the GPS information is accumulated by the virtual zones so as to minimize the effect of the cell coverage change. Location-based password authentication device further comprising the step of configuring the fence.
delete The method of claim 1, wherein providing the base code
And a push-pull basis code providing step of checking a geofence entry state and providing a base code corresponding to a corresponding virtual zone to the user terminal according to a request of a user terminal. Password-based authentication device.
delete The method of claim 1, wherein step (b)
Using the base code corresponding to the determined virtual zone and the current time as an authentication password seed of an authentication password generation algorithm, generating the virtual zone-based authentication password as a password reflecting space-time information. Password authentication device.
The method of claim 1,
The location-based password authentication device, which is performed before the step (a), further comprising performing an integrity check on the geo-fence of the user periodically or according to occurrence of a specific event.
A mobile carrier cell broadcasting server for transmitting data to a user terminal through a base station in a cell broadcasting manner;
A mobile communication company location information server for checking the location of the user terminal; And
A location-based password authentication device for performing a corresponding password authentication in cooperation with the cell broadcasting server and the mobile communication company location information server when a password authentication request associated with the user terminal is received;
The location-based password authentication device
A geofence entry state update unit for updating a geofence entry state indicating whether an entry into a geofence composed of at least one virtual zone is based on a current location situation; And
When the geofence entry state is confirmed as the entry includes an authentication password generation unit for generating one of the at least one virtual zone based on the current location situation to generate a virtual zone-based authentication password,
The authentication password generation unit adjusts the specific period based on Equation 1 below according to the corresponding period within a specified range when a specific period associated with the base code update is set by the user terminal located in the same virtual zone for a specific time interval or more. A base-based password authentication system characterized by performing an update of a base code and giving priority to an update according to a period specified by a user over cell broadcasting performed periodically.
[Equation 1]

(Where t corresponds to a specific period associated with the base code update. Havg corresponds to the cumulative number of times a personal leak has been detected for all users over a recent specific time interval, and ht is the privacy leak specified by the designer. Corresponds to the detection threshold, and t0 corresponds to the default period value that can be set by the designer or user.)

Images