KR20140015744A - Cloud type operating method for certificate - Google Patents

Abstract

The present invention relates to a method for operating a cloud type certificate, and a method for operating a cloud type certificate according to the present invention, the method for operating a cloud type certificate executed by a server, the method comprising: storing a certificate issued to a user in a designated storage medium; And a second step of storing designation identification information identifying N (N≥1) terminals that can use the stored certificate; and N, in which the terminal used by the user is designated and identified by the designation identification information. A third step of authenticating whether the terminal is the nth (1 ≦ n ≦ N) terminal among the designated terminals, and when the terminal of the user is authenticated as the designated nth terminal, the user's certificate stored in the storage medium is stored in the nth terminal. A fourth step of processing to be used through.

Description

Cloud Type Operating Method for Certificate

According to the present invention, after storing a certificate issued to a user in a designated storage medium on a network, the terminal used by the user can process a user's certificate stored in the storage medium through a communication network as a certificate provided in the terminal. .

In order to use banking transactions in a non-face-to-face manner using a communication network, or to use payment settlement over a certain amount, a certificate processing using an accredited certificate issued to a user must be accompanied.

In order to process the certificate as described above, the user's certificate is stored in the user's terminal processing the non-face-to-face transaction, or the user's portable media (eg, USB memory, IC card, HSM, floppy disk) capable of interworking with the user's terminal. Etc.) should be stored in the user's certificate.

However, most users do not process non-face-to-face transactions using only one specific terminal. Any terminal used by the user can be used for non-face-to-face transactions. However, storing the user's certificate in all the terminals available to the user causes security problems. Of course, the user's certificate may be stored in the user's portable medium, and the user's certificate may be extracted from the portable medium whenever the certificate is required. However, the portable medium of the user may not be interoperable with all the terminals used by the user. In other words, except for a terminal having a module interoperable with the portable medium of the user, a terminal stored in the portable medium of the user cannot extract and write the certificate.

An object of the present invention for solving the above problems is to store a certificate issued to a user in a designated storage medium, and to identify and register N (N≥1) terminals that can use the stored certificate, the user When the user terminal is requested to use the stored certificate from the terminal to be used, the terminal of the user is authenticated whether it is an n (1≤n≤N) terminal among the N terminals designated and registered, and the terminal of the user is the nth terminal In the case of being authenticated to provide a cloud type certificate management method for processing to use the stored certificate device through the n-th terminal of the user.

According to an aspect of the present invention, there is provided a method of operating a cloud type certificate, the method of operating a cloud type certificate executed by a server, comprising: a first step of storing a certificate issued to a user in a designated storage medium; A second step of storing designation target identification information identifying < RTI ID = 0.0 > ≥1) < / RTI > terminals, and n (1≤n≤N) of the N designated terminals whose terminal used by the user is identified and identified by the designation target identification information. A third step of authenticating whether the terminal is a terminal, and a fourth step of processing the user's certificate stored in the storage medium to be used through the n-th terminal when the terminal of the user is authenticated to the designated n-th terminal. .

According to the present invention, the first step may further include performing an identity authentication procedure for the user who has received the certificate stored in the storage medium, and is issued to the user when the identity authentication of the user is processed. The stored certificate may be stored in the storage medium.

According to the present invention, the first step is to receive a certificate issued to the user from the certificate server that issued the certificate to the user to store in the storage medium, or to provide a certificate issued to the user from the user's terminal It may include at least one of receiving and storing in the storage medium.

According to the present invention, the certificate stored in the storage medium may include the entire configuration of the certificate issued to the user, or may include a partial configuration of the certificate issued to the user. On the other hand, when some components are included in a certificate stored in the storage medium, the remaining components except for some of the stored certificates are stored in the N designated terminals or store the certificates to be used through the N designated terminals. It can be stored in a user-owned portable medium.

According to the invention, the storage medium for storing the certificate, the storage medium operated by the issuer of the certificate, the storage medium operated by the registration authority of the certificate, the storage medium provided in the server, the network accessible from the server It may include at least one of the storage medium on the.

According to the present invention, the second step may further include a step of performing a user authentication procedure on whether a user who has issued the certificate designates and registers a terminal to which the certificate is to be used.

According to the present invention, the second step may further include acquiring user identification information for uniquely authenticating the user who has issued the certificate, wherein the N designated identification information are mapped to the user identification information and stored. Can be.

According to the present invention, the designation target identification information includes information stored in a read / write memory of a designated terminal, information stored in an IC chip provided in a designated terminal, information recorded in a read-only memory of a designated terminal, and hardware of the designated terminal. At least one of information assigned to a component, communication identification information of a specified terminal, information generated from a specified terminal, information input from a specified terminal, information identifying a program included in a specified terminal, and information dynamically generated through a designated code generation module It may be made of one or a combination of two or more.

According to the present invention, the cloud-based certificate management method, M (M≥M) that can be used as identification information of each terminal on the basis of at least one of a type, a communication network, and a platform that can be registered as a terminal to be used for the certificate. The method further includes the step of setting the designation target identification information conditions for designating 1 designation information, wherein the second step includes m (1≤ 1) among M designation information meeting the designation target identification information conditions of the registered terminal. Designation target identification information including m ≦ M) designation information can be obtained.

According to the present invention, in the second step, when designating and registering a terminal of a user connected for terminal designation registration as an available terminal, designation target identification including one or more designation information designated from the terminal of the user. Receiving the information, or from the management server that manages the terminal of the user from the receiving target identification information including one or more designated information specified in the terminal of the user, at least one or a combination of two or more of the terminal of the user The method may further include acquiring designation target identification information designating the terminal to which the stored certificate is to be used.

According to the present invention, in the second step, when designating and registering another terminal available to the user as a terminal that can be used in addition to the terminal of the user connected for terminal designation registration, the certificate from the terminal of the user. Receive designation target identification information including one or more designation information specified in the target terminal registered as an available terminal, or one or more designation designated from the target terminal based on terminal information on the target terminal provided from the user's terminal. Received by the user through at least one or a combination of two or more of receiving the designation target identification information including the information, or receiving one or more designation target identification information assigned to the target terminal from the management server managing the target terminal It is possible that the stored certificate is It is may further comprise the step of obtaining the specified target identification information for specifying the terminal.

According to the present invention, the third step includes a user identity authentication procedure of whether a user who has issued the certificate requests the stored certificate, and a user who knows whether a user who has registered the N terminals requests the stored certificate. The method may further include performing at least one identity verification procedure.

According to the present invention, in the third step, when the user identification information uniquely authenticating the user is mapped and stored with the designated target identification information, the user identification information received from the terminal of the user is compared with the stored user identification information. The method may further include authenticating the user.

According to the present invention, the third step may include receiving, from the terminal of the user, designation target identification information matching one or more designation information included in the stored designation target identification information; The method may further include authenticating the terminal of the user as the designated n-th terminal by comparing the stored designated object identification information.

According to the present invention, the third step includes m (1≤m≤M) designation information used to designate and identify the terminal of the user among M (M≥1) designation information available as designation target identification information. Confirming a configuration of the designation target identification information including; receiving designation target identification information including the m designation information from the user's terminal; and receiving the designated designation identification information and the stored designation target identification. The method may further include authenticating the terminal of the user as the designated n-th terminal by comparing the information.

According to the present invention, the designation target identification information includes two or more designation information fixed to the designated terminal, and when some of the two or more information fixed to the designated terminal are authenticated and the other part is not authenticated, The method may further include performing a discard procedure or a re-registration procedure for the designated target identification information.

According to the present invention, the fourth step may provide the stored user's certificate to the n-th terminal.

According to the present invention, the fourth step is characterized by providing a part of the configuration of the certificate issued to the user to the n-th terminal, the n-th terminal, the remaining configuration except for a part of the configuration of the certificate provided It may be provided, or the remaining configuration of the certificate provided in the user-owned portable media may be available. Meanwhile, some components of the certificate may be the same for N designated terminals or different for each of N designated terminals, and the remaining components of the certificate may be the same for N specified terminals or N specified terminals. Each terminal may be different from each other.

According to the present invention, the fourth step may be performed for the certificate processing of the n-th terminal through the stored user's certificate.

According to the present invention, if a terminal used by a user for a non-face-to-face transaction is connected to a communication network, the certificate processing for the face-to-face transaction can be performed using the user's certificate stored in a designated storage medium on the network through the terminal anytime, anywhere. There is an advantage to becoming.

1 is a diagram illustrating a configuration of a cloud type certificate management system according to the present invention.
2 is a diagram illustrating a functional configuration of an application provided in a terminal of a user according to an embodiment of the present invention.
3 is a diagram illustrating a process of registering a certificate in a cloud type certificate operation according to the present invention.
4 is a diagram illustrating a process of specifying and registering a terminal that can use a certificate in a cloud type certificate operation according to the present invention.
5 is a diagram illustrating a process of registering a user who can use a certificate in a cloud type certificate operation according to the present invention.
6 is a diagram illustrating a process of checking / extracting a certificate registered to a storage medium in a cloud type certificate operation according to the present invention.
7 or 8 is a diagram illustrating a process of using a certificate in a cloud method according to an embodiment of the present invention.

The operation principle of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. It should be understood, however, that the drawings and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention, and are not to be construed as limiting the present invention. For example, it is possible that a configuration provided on the server side is implemented on the terminal side, or conversely, a configuration portion provided on the terminal side is implemented on the server side.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The terms used below are defined in consideration of the functions of the present invention, which may vary depending on the user, intention or custom of the operator. Therefore, the definition should be based on the contents throughout the present invention.

As a result, the technical idea of the present invention is determined by the claims, and the following embodiments are merely means for effectively explaining the technical idea of the present invention to a person having ordinary skill in the art to which the present invention belongs Only.

1 is a diagram illustrating a cloud type certificate management system configuration according to the present invention.

In more detail, in FIG. 1, after storing a certificate issued to a user in a designated storage medium 115 on a network, the terminal 200 used by the user may use a certificate stored in the storage medium 115 through a communication network. As illustrated in FIG. 1, a person having ordinary skill in the art to which the present invention pertains may refer to and / or modify the present invention in various ways to implement the cloud type certificate management system. It may be inferred that the implementation is omitted, subdivided, or combined), but the present invention includes all the implementation methods inferred, the technical features are limited only by the implementation method shown in FIG. Not. Preferably, the method described through the drawings of the present invention will be described the characteristics of the present invention with a configuration in which a terminal that can use the certificate stored in the storage medium 115 is designated in advance. However, the technical features of the present invention are not limited thereto, and the security features of the user authentication process may be maintained when the certificate is stored in the storage medium 115 and when the stored certificate is used. It is to be understood that the configuration for designating a terminal that can use the certificate can be omitted, and it is apparent that the present invention includes all implementation methods which are implemented by omitting or modifying some configurations of the present invention.

The cloud-based certificate management system of the present invention stores one or more terminals 200 used by a user who has issued a certificate, and stores the certificate issued to the user in a designated storage medium 115, and the terminal 200 used by the user. When requesting to use a certificate stored in the storage medium 115 through the communication network, the certificate stored in the storage medium 115 is used through the terminal 200 of the user according to the user's request. It is configured to include an operation server 100. The operation server 100 may be implemented in the form of at least one or a combination of two or more servers according to the implementation method, may be built on the operator side of operating the certificate of the cloud method, issuing issued the certificate Any server that exists on the network, including an institution, a registrar of the certificate (for example, a financial institution, etc.), and various affiliated organizations (for example, a financial settlement agency, etc.) may be formed in any form. In addition, according to the business conditions and related laws at the time of carrying out the present invention, it is found that some components of the operation server 100 may be built on the operator side, and some components may be rescued from the issuer, the registrar, or the affiliated organization. It is a bar. In addition, the drawings and description of the present invention is described by showing the operation of the cloud-type certificate of the present invention in one operation server 100, when the operation server 100 is implemented in more than one server form the two or more Among the servers, the server 2 actually processes a specific process, but for this purpose, the terminal or the server 1 also causes the terminal or the server 1 to cause a specific process of the server 2 or a process related thereto. It is to be noted that the term "process to be" can be used.

The terminal 200 used by the user is a generic term for all terminals that the user can use for registering or using a certificate as well as a terminal owned by the user. Preferably, the terminal 200 includes a personal computer, a laptop, and the like used by the user. The terminal 200 may include a wireless terminal 200 including a user's mobile phone, a smartphone, a tablet PC, and the like. However, the terminal 200 of the user is not limited to the above-described wired terminal 200 and the wireless terminal 200, but the payment terminal 200 (for example, POS, CAT, etc.) connected to the communication network, the financial terminal 200 (For example, CD, ATM), call terminal 200 (eg, landline, wireless telephone, VoIP phone), consumer terminal 200, etc. It can be evident that it can include all kinds of terminals.

According to an embodiment of the present invention, the user terminal 200 may be equipped with one or more programs for registering or using the certificate. The program is implemented in the form of an application operating in the operating system of the user terminal 200 is mounted on the terminal 200 of the user, or an application program (eg, a browser, provided in the user terminal 200) A banking program, a payment program, etc.) may be mounted on the user's terminal 200 in the form of a plug-in program (eg, ActiveX). On the other hand, when the user terminal 200 is connected to the operation server 100 through a browser, the operation server 100 is a program for registering or using the certificate on the page provided to the user terminal 200 Code (eg, JavaScript, etc.) may be inserted and provided to the user's terminal 200. In this case, even if a separate program is not mounted on the user's terminal 200

The operation server 100 is a generic term for at least one server or a combination of two or more servers operating a cloud type certificate according to the present invention targeting a terminal 200 of one or more users using a communication network. A procedure for storing a certificate in a designated storage medium 115, a procedure for storing identification object identification information for designating and identifying N (N≥1) terminals 200 that can use the stored certificate, and a terminal used by the user. A procedure for authenticating whether the 200 is an n (1 ≦ n ≦ N) terminal 200 among the N designated terminals 200 identified and designated by the designation target identification information, and the terminal 200 of the user When the user is authenticated with the designated n-th terminal 200, the user's certificate stored in the storage medium 115 is processed through the n-th terminal 200. If the primary server 100 is composed of two or more server combinations, it is apparent that the procedure may be performed in conjunction with each other in each server. In addition, the user terminal 200 and the operation server 100 is a security protocol (eg, encryption / decryption method, key exchange algorithm, etc.) of the level that can be used through the communication network is set, the detailed description thereof is omitted for convenience. Let's do it.

Referring to FIG. 1, the operation server 100 may include an identity authentication procedure 120 that performs an identity authentication procedure for a user who has been issued a certificate to be stored in a designated storage medium 115, and the storage medium 115. A certificate acquisition unit 105 for acquiring the user's certificate to be stored in the) and the certificate storage unit 110 for storing the obtained user's certificate in the designated storage medium 115.

When the terminal 200 of the user who accesses the operation server 100 is requested to register a certificate issued to the user to the designated storage medium 115, the identity authentication procedure unit 120 may perform one or more operations on the user. Perform identity verification process. Preferably, the user authentication for the user, ID / PW to receive and authenticate the ID / PW for the user from the terminal 200 of the user when the user is registered as a member of the operation server 100 Authentication, Internet real name authentication to receive the personal information including the user's name and resident registration number from the user's terminal 200 and provide it to a real name authentication server (not shown) to authenticate the real name of the user, the user's terminal From 200, communication means information (e.g., communication company information, phone number, device identification information, etc.) of a subscription communication network (e.g., mobile communication network, telephone network, VoIP network, etc.) subscribed to by the user is received. Communication subscriber authentication for providing the communication means information to the communication company server (not shown) of the subscribing communication network to authenticate the subscriber's name for the user, Card company server that receives the card identification information (for example, card company information and card number, etc.) for the card issued to the user by the card company from the horse 200 and issues the card with the personal information and the card identification information of the user. The card holder to authenticate the card holder of the card and receive account identification information (for example, bank information and account number) corresponding to the user's account opened in the bank from the terminal 200 of the user. The user's personal information and account identification information is provided to a bank server (not shown) where the account is opened, account holder authentication and authentication number for authenticating the account holder of the account are generated and sent to the user's wireless terminal. Input to the terminal 200 (wherein, the user's terminal 200, the authentication number is input, as well as the wireless terminal receiving the authentication number of the Wireless terminal occupancy authentication for comparing and authenticating the authentication number received by the user, including the terminal 200 used by the user other than the front terminal, and the terminal of the user when the certificate issued to the user exists in the terminal 200 of the user. At least one or two or more personal authentication specified by the operation server 100 may be included among the certificate authentication using a certificate (eg, a public certificate previously issued to a user) provided in the 200. However, the authentication process of the present invention is not limited only to the above-described method, and any method may be applied as long as it is a method capable of authenticating a user's identity through a communication network, and the authentication of the present invention is the above-described method. In addition, all forms of identity verification that can authenticate the user's identity (eg, identity verification using ARS, face-to-face identity verification using identification card, identity verification through image (face) recognition, identity verification using biometric information, etc.) It is clear that it includes

According to the embodiment of the present invention, the identity verification procedure unit 120 has i (i≥1) identity authentication methods for processing identity verification for a user who has issued a certificate. In step 120, the i-identification process set in the above-described order is performed to process identity authentication for the user who issued the certificate.

The certificate obtaining unit 105 obtains a user's certificate to be stored in the designated storage medium 115. The certificate of the user is the original of a certificate issued to the user by the certificate issuer, or a copy of a certificate issued to the user by the certificate issuer, or copied after being issued to the user by the certificate issuer. It may include at least one copy of the certificate.

According to the first certificate obtaining method of the present invention, the certificate obtaining unit 105 may obtain a certificate issued to the user from a certificate server provided in the certificate issuer that issued the certificate to the user. Preferably, the user applies for certificate issuance to the certificate issuing authority, and the certificate issuing information for the certificate issued to the user from the terminal 200 of the user as the certificate issuance approval (or issuance) from the certificate issuing authority. When receiving (for example, various types of information delivered to a user who will issue a certificate by a certificate issuing authority), the certificate obtaining unit 105 may obtain a certificate issued to the user from the certificate server based on the certificate issuing information. have.

According to the second certificate acquisition method of the present invention, the certificate acquisition unit 105 may obtain a certificate issued to the user from the institution server provided in the management agency that stores or manages a copy of the certificate issued to the user. have. Preferably, a copy of a certificate issued to the user may be stored in an institution server of a management institution including a registrar processing an application for issuing the certificate or a financial institution processing various authentications through the user's certificate. The certificate obtaining unit 105 may obtain a certificate issued to the user from an institution server managing a copy of the certificate of the user.

According to the third certificate acquisition method of the present invention, the certificate acquisition unit 105 may obtain the user's certificate in the form of copying or transferring the certificate issued to the user from the user's terminal 200. Preferably, a memory (for example, a hard disk provided in a computer, a nonvolatile memory provided in the wireless terminal 200, etc.) provided in the terminal 200 of the user or a user who can interoperate with the terminal 200 of the user. Certificates issued to the user may be stored in various portable media (eg, USB memory, IC card, HSM, floppy disk, etc.), and the certificate acquiring unit 105 may be provided from the terminal 200 of the user. A certificate stored in the memory of 200 or various portable media can be obtained according to a designated certificate copy / move procedure.

On the other hand, if the obtained user's certificate is not obtained from the certificate server, the certificate acquisition unit 105 is the same as the certificate issued to the user in the certificate issuing authority through the certificate server of the obtained user's certificate You can verify that it is a certificate. Preferably, the certificate acquiring unit 105 provides the obtained certificate to the certificate server to verify the validity of the certificate or to provide the certificate server with a hash value hashing a certificate file corresponding to the certificate. The validity of the certificate may be verified or the hash value of the original certificate issued to the user may be received from the certificate server, and then the validity of the certificate may be verified by comparing with the hash value of the obtained certificate. The fact that the user's certificate is verified means that the obtained certificate is the same certificate as the original certificate issued to the user and there is no forgery or forgery or damage of the certificate.

When the user's certificate is obtained, the certificate storage unit 110 stores the obtained user's certificate in the designated storage medium 115. The storage medium 115 in which the certificate is stored is a generic term for a storage medium that is secure enough to store a user's certificate on a network. The storage medium 115 is operated by an issuer of the certificate according to an implementation method. At least one of a storage medium 115 operated by the registration authority of the certificate, a storage medium 115 provided in the operation server 100, and a storage medium 115 on a network accessible from the operation server 100. Can be. FIG. 1 will be described with reference to the storage medium 115 is provided in the operation server 100 for convenience.

According to an embodiment of the present invention, the user's certificate stored in the storage medium 115 includes the entire configuration of the certificate issued to the user, or all of the components stored in the certificate issued to the user. It is possible. Preferably, the partial configuration of the certificate may include t (1≤t <T) configuration items among T (T≥1) configuration items constituting a certificate file corresponding to the user's certificate. have. Alternatively, the partial configuration of the certificate may include some configuration values of t configuration items among the T configuration items constituting the certificate file. For example, when a configuration value of a specific configuration item among the T configuration items constituting the certificate file is “123456789”, some components of the certificate may be “12345” or “13579” among the configuration values “123456789”. It can contain some configuration values, such as

Meanwhile, when some components are included in the certificate stored in the storage medium 115, the remaining components except for some of the stored certificates are stored in the N designated terminals 200 using the certificate, or the N designated components. It may be stored in a user-owned portable medium (eg, USB memory, IC card, HSM, floppy disk, etc.) that stores a certificate to be authenticated through the terminal 200.

According to an embodiment of the present invention, the user's certificate stored in the storage medium 115 may be mapped and stored with user identification information that uniquely identifies who the certificate is being issued to.

Referring to FIG. 1, the operation server 100 performs an identity authentication procedure unit 120 that performs a user identity authentication procedure on whether a user who has issued the certificate designates and registers a terminal 200 in which the certificate is to be used. And an identification information acquisition unit 125 for acquiring designation target identification information for designating and identifying the terminal 200 capable of using the stored certificate, and N (N≥1) obtained by the identification information acquisition unit 125. An identification information storage unit 130 for storing the N identification information identification information for the two designated terminals (200). If the terminal 200 that can use the certificate is not identified and registered according to the embodiment of the present invention, the identification information acquisition unit 125 and the identification information storage unit 130 may be omitted.

Before, during and after the user's certificate is stored in the designated storage medium 115, a procedure of designating and registering the terminal 200 that can use the certificate stored in the storage medium 115 is performed. In order for the user authentication procedure unit 120 to interoperate with the terminal 200 of the user connected to the operation server 100 to register the designated terminal 200 that can use the certificate, the user who issued the certificate has the certificate. Perform one or more user identity authentication procedures for specifying and registering the terminal 200 to be used. Preferably, the user authentication for the user is at least specified by the operating server 100 among ID / PW authentication, Internet real name authentication, communication subscriber authentication, card holder authentication, account holder authentication, wireless terminal occupancy authentication, certificate authentication As described above, one or more identity authentication may be included, and various forms of identity authentication may be performed in addition to the above-described scheme.

According to an embodiment of the present invention, the identity authentication procedure unit 120 is configured to process user identity authentication for whether the user who has issued the certificate designates and registers the terminal 200 in which the certificate is to be used. 1) identity authentication schemes are set, and the identity verification procedure unit 120 performs the j identity verification procedures according to a specified order, and the user who issued the certificate is the terminal 200 to which the certificate is to be used. User authentication for whether or not to specify the registration process. When the registration procedure of the certificate issued to the user and the terminal designation registration procedure are linked and processed in a batch, the user authentication procedure for the user may be performed only once. However, the terminal designation registration procedure of the present invention may be repeatedly performed within a specified limit, and in this case, user identity authentication for the terminal designation registration procedure may be performed.

The identification information acquisition unit 125 obtains designation target identification information for designating and identifying the terminal 200 that can use the certificate stored in the storage medium 115 designated by the certificate storage unit 110. Preferably, the designated object identification information includes information stored in a read / write memory of the designated terminal 200, information stored in an IC chip provided in the designated terminal 200, and designated terminal 200. Information recorded in the read-only memory of the information, information assigned to the hardware components of the terminal 200 to be registered, the communication identification information of the terminal 200 to be registered, information generated by the terminal 200 to be registered, designation At least one of the information input from the terminal 200 to be registered, information identifying a program included in the terminal 200 to be registered, and information dynamically generated through the designated code generation module may be formed.

The information stored in the read / write memory of the designated terminal 200 is stored in a hard disk, a nonvolatile read / write memory of the designated terminal 200, and uniquely identifies the designated terminal 200. A generic term for identifying information, preferably various key values stored in the memory, identification values of a program associated with (or designated) the use of the certificate, values generated and stored by the program, received and stored from a communication network through the program. A value, a unique value of the program (e.g., a program serial number, a token assigned to the program, etc.), an operating system specific value (e.g., a serial number of the operating system, etc.), a value stored by the operating system, a user's certificate stored in the memory, Write down some of the remaining components, card information, account information, and financial information of the user certificate stored in the storage medium 115 FIG. 1 may also include specific information.

The information stored in the IC chip provided in the designated terminal 200 is mounted on or detached from the designated terminal 200 (eg, USIM, financial IC chip, security element (SE), etc.) A generic term for information uniquely identifying the terminal 200 to be designated and registered through the IC chip, and preferably, a unique code of the IC chip, a chip serial number, an applet identification code provided in the IC chip, and It may include at least one of the key value stored in the IC chip, the user's certificate stored in the IC chip, the remaining part of the user certificate stored in the storage medium 115, card information, account information, financial information have.

The information recorded in the read-only memory of the designated terminal 200 is a generic term for information stored in a ROM included in the designated terminal 200 or a ROM of a hardware component constituting the terminal 200. Preferably, it may include at least one designation information of various key values, unique codes, identification codes, serial numbers stored in the memory.

The information allocated to the hardware component of the terminal 200 to be designated and registered is a generic term for information allocated to the hardware component by the manufacturer of the hardware component constituting the terminal 200 to be designated and registered. Unique code assigned to the CPU constituting the designated terminal 200, unique code assigned to the motherboard, unique code assigned to the memory, unique code assigned to the hard disk, unique code assigned to the nonvolatile memory, communication It may include at least one designation information of a unique code (eg, MAC address, etc.) provided in the module, a unique code assigned to the input module, a unique code assigned to the output module (eg, display).

The communication identification information of the designated terminal 200 is a generic term for information allocated to the terminal 200 to access the communication network of the designated terminal 200, and preferably the terminal 200 connects. Including at least one of an IP address, a MAC address, a telephone number, etc. according to the type / protocol of the communication network, as well as specifying at least one of a network ID, a system ID, and a subscriber identification value registered in the communication network to which the terminal 200 is connected. May contain information.

The information generated by the designated terminal 200 is a generic term of information dynamically generated by a program included in the designated terminal 200, and is preferably dynamically generated by the designated terminal 200. At least one disposable code and various key values, as well as processing the dynamically generated disposable code or various key values (for example, text, image, 1 / 2-dimensional barcode, sound, multimedia, etc.) or It may include at least one designation information among the information that is processed (for example, encryption) using the dynamically generated one-time code or various key values.

The information input from the terminal 200 to be designated and registered is a generic term of information inputted through an input module provided to the terminal 200 to be designated and registered. Preferably, the input information is a key based on a user's memory. At least one designation information may be included among input information (for example, a password, a PIN, etc.) and information input by a key in a state displayed on another terminal or a medium.

Information for identifying a program included in the designated registration terminal 200 is essential for identifying the program provided in the designated registration terminal 200 or the designated registration terminal 200 in connection with the use of the certificate. A general term of information for identifying a program, which is preferably an identification value of the program, a value generated by the program, a value received from a communication network through the program, a unique value of the program (eg, a serial number of the program). , Tokens assigned to the program, etc.).

The information dynamically generated through the designated code generation module is stored in the code generation module included in the designated terminal 200, or the code generation module provided in an external device or a server associated with the designated registered terminal 200. A general term for the information dynamically generated by the controller, preferably, the disposable code dynamically generated through the designated code generation module and various key values include at least one designated information. Of course, the dynamically generated disposable code or various key values are processed. Processing other information (eg, encryption, etc.) using designated information (for example, text, image, 1 / 2-dimensional barcode, sound, multimedia, etc.) or the dynamically generated disposable code or various key values. At least one piece of designation information may be included. On the other hand, when the designated code generation module exists outside of the designated registration terminal 200, the designated information dynamically generated by the code generation module is received by the designated registration terminal 200 through a communication network, or NFC The terminal 200 may be received through the designated registered terminal 200 or may be recognized (eg, 1 / 2-dimensional barcode recognition) as the designated registered terminal 200 through a camera provided in the designated registered terminal 200. have.

However, the designation information constituting the designation target identification information of the present invention is not limited to the designation information described above, and any designation information can be designated as long as the designation information can designate and identify the terminal 200 to be designated and designated. It may be included in, it will be apparent that the designation target identification information of the present invention includes all the designation information that can designate and identify the terminal 200 to be designated and registered.

According to an embodiment of the present invention, the identification information obtaining unit 125 is based on at least one of the type, communication network, and platform of each terminal 200 that can be registered as the terminal 200 to which the certificate is to be used. Designation target identification information conditions for designating M (M≥1) designation information available as designation target identification information may be set. In this case, the designation target identification information condition of the registered terminal 200 Designation target identification information including m (1 ≦ m ≦ M) designation information can be obtained from the corresponding M designation information.

According to the first terminal designation registration method of the present invention, the terminal 200 of the user connected for terminal designation registration may be designated and registered as the terminal 200 that can use the certificate. In this case, the identification information obtaining unit 125 receives designation target identification information including one or more designation information designated from the terminal 200 of the user who is connected for the terminal designation registration, or receives the terminal 200 of the user. The stored certificate of the user's terminal 200 through at least one or two or more combinations of receiving identification information including one or more designated information specified in the terminal 200 of the user from the management server to manage Can obtain designation target identification information including m designation information that can be designated to the terminal 200 to be used.

According to the second terminal designation registration method of the present invention, in addition to the terminal 200 of the user connected for terminal designation registration, other terminals 200 available to the user can be designated and registered as the terminal 200 available for the certificate. Can be. In this case, the identification information acquiring unit 125 may specify designation target identification information including one or more designation information specified in the target terminal 200 registered as the terminal 200 that can use the certificate from the user's terminal 200. Receives, or receives designation target identification information including one or more designation information specified from the target terminal 200 on the basis of the terminal information on the target terminal 200 provided from the user terminal 200, or Receiving one or more designated target identification information specified in the target terminal 200 from the management server managing the target terminal 200, the other terminal 200 available to the user through at least one or two or more combinations Designation target identification information including m designation information that can be designated to the terminal 200 to be used for the stored certificate may be obtained.

On the other hand, the identification information acquisition unit 125 verifies whether the acquired designated target identification information includes designation information for uniquely designating and identifying the designated terminal 200. Preferably, the identification information obtaining unit 125 is stored in the other designated object identification information pre-stored with respect to one or more pieces of information that is fixedly maintained in the designated terminal 200 among the m specified information including the designated object identification information. By performing the overlapping inspection for each of the designated information items included, it is possible to verify whether the acquired designated target identification information can uniquely identify and identify the designated registered terminal 200. For example, when the acquired designated object identification information includes the MAC address of the terminal 200 to be designated and registered, the MAC address should not be duplicated with the MAC address included in other previously designated object identification information.

If designation target identification information for designating and identifying the terminal 200 that can use the stored certificate is obtained, the identification information storage unit 130 stores the designation target identification information obtained by the identification information acquisition unit 125. . Preferably, the identification information obtaining unit 125 may obtain N designation target identification information for designating and identifying N terminals 200, and the identification information storing unit 130 may obtain the identification information obtaining unit 125. N specified target identification information for the N designated terminals 200 obtained by the &quot;

According to the exemplary embodiment of the present invention, the N pieces of identification information may be directly mapped to the certificate and stored in the storage medium 115 in which the user's certificate is stored, or other than the storage medium 115 in which the certificate is stored. Can be stored in another database. If the N designation identification information is stored in a database other than the storage medium 115 in which the certificate is stored, the N designation identification information is indirectly associated with a certificate stored in the storage medium 115 through a designated identifier. It is preferable to map.

On the other hand, the identification information acquisition unit 125 may obtain user identification information that uniquely authenticates the user who issued the certificate at any time before, during, or after the point in time at which the designated target identification information is obtained. The user identification information is a general term for information uniquely identifying a user who has issued a certificate stored in the storage medium 115 and / or a user who has designated and registered a terminal 200 in which the stored certificate is to be used, and simultaneously authenticates the user. As a result of the user identity authentication procedure performed by the identity verification process unit 120, the user identification information registration process that includes the information used for the identity verification, or linked to or separately processed with the user identity authentication process It may include user information (eg, ID / PW) received from the user's terminal 200 through. Alternatively, one or more pieces of designation information constituting the designation target identification information may be used as the user identification information.

Meanwhile, the identification information acquisition unit 125 identifies the same person as the user who has obtained the certificate stored in the storage medium 115, or identifies the same person as the user who designates and registers the terminal 200. Verify that it identifies Preferably, the identification information acquisition unit 125 confirms the user name corresponding to the user identification information, the confirmed user name is the same as the issuer name of the certificate stored in the storage medium 115, or the terminal It is possible to verify whether 200 is identified with the same person as the name of the user who has designated and registered. If the user identification information is obtained as a result of the identity verification procedure for the user, validation of the user identification information can be omitted.

When the user identification information for uniquely authenticating the user is obtained by the identification information acquisition unit 125, the identification information storage unit 130 obtains N designated identification information obtained by the identification information acquisition unit 125. Map and store the user identification information.

According to the exemplary embodiment of the present invention, the N designated identification information and the user identification information are stored in the storage medium 115 in which the user's certificate is stored and mapped directly with the certificate, or the storage medium in which the certificate is stored. It may be mapped to and stored in a database other than 115. If the N designation identification information and the user identification information are stored in a database other than the storage medium 115 in which the certificate is stored, the N designation identification information or the user identification information is stored in the storage medium through the designated identifier. It is desirable to map indirectly to the certificate stored at 115).

Meanwhile, when the terminal designation registration is omitted according to another exemplary embodiment of the present invention, the identification information acquisition unit 125 may obtain user identification information for authenticating the user. In this case, the user identification information may be As described above, the user's certificate may be mapped directly or indirectly.

As described above, a certificate issued to a user is stored in a designated storage medium 115, and at least one of designation target identification information for N designated terminals 200 to which the certificate is to be used, and user identification information for authenticating the user. Since the identification information is mapped and stored indirectly or indirectly with the certificate, preparation for using the certificate stored in the storage medium 115 in a cloud manner is completed.

Referring to FIG. 1, the operation server 100 receives request information for requesting a certificate stored in the storage medium 115 from the user's terminal 200 to be used in the user's terminal 200. The receiver 135 further includes an identity authentication procedure 120 that performs an identity authentication procedure for the user requesting the use of the certificate, or user identification information uniquely authenticating the user identifies the designated object. When stored mapped to the information, the user authentication unit 140 for authenticating the user requesting the use of the certificate through the user identification information may be further provided.

The user accesses the operation server 100 through the terminal 200 used by the user and requests a certificate stored in the storage medium 115 to be used in the terminal 200 of the user. The request information receiving unit 135 ) Receives request information for requesting a certificate stored in the storage medium 115 to be used in the user's terminal 200 from the user's terminal 200. Here, the request information may include one or more pieces of configuration information (eg, user identification information, certificate usage method, purpose, object, related server, etc.) required for requesting a certificate stored in the storage medium 115. In some implementations, the terminal 200 of the user designated and identified through the designation target identification information may be interpreted as request information for requesting the user to use the certificate.

If the user identification information for authenticating the user is stored by the identification information storage unit 130, the user authentication unit 140 is user identification information included in the request information receiving unit 135 (or separate communication By comparing and authenticating (or authenticating the predicted result after the verification operation) the user identification information received from the user's terminal 200 and the stored user identification information through a connection, the user requesting the use of the stored certificate is authenticated.

On the other hand, if the user identification information for uniquely authenticating the user by the identification information storage unit 130 is not stored, or the designation target identification information for the terminal 200 that can use the stored certificate is not stored, the person The authentication procedure unit 120 performs a user authentication process on whether the user who has issued the certificate requests the stored certificate and a user authentication process on whether the user who has registered the N terminals 200 requests the stored certificate. Perform at least one identity verification procedure. Preferably, the user authentication for the user is at least specified by the operating server 100 among ID / PW authentication, Internet real name authentication, communication subscriber authentication, card holder authentication, account holder authentication, wireless terminal occupancy authentication, certificate authentication As described above, one or more identity authentication may be included, and various forms of identity authentication may be performed in addition to the above-described scheme.

According to the embodiment of the present invention, the identity authentication procedure unit 120 determines whether the user who issued the certificate requests the stored certificate, or whether the user who registered the N terminals 200 requests the stored certificate. There are k (k≥1) identity authentication methods for processing the user identity authentication for the user, and the identity authentication procedure unit 120 may perform the k identity authentication procedures according to the specified order.

Referring to FIG. 1, the operation server 100 may include nth (1 ≦ n) of N designated terminals 200 in which the terminal 200 of the user who requested the use of the certificate is designated and identified by the designation target identification information. ≤N) designated target authentication unit 145 for authenticating whether the terminal 200 and the user stored in the storage medium 115 when the terminal 200 of the user is authenticated with the designated n-th terminal 200. It is provided with a certificate processing unit 150 for processing so that the certificate is used through the n-th terminal (200).

The designation target authentication unit 145 receives designation target identification information including one or more designation information specified in the terminal 200 from the terminal 200 of the user who requested the use of the certificate, and receives the designated designation identification information. By comparing the identification information with N designation target identification information for N designated terminals 200 stored by the identification information storage unit 130, the terminal 200 of the user who requested the use of the certificate is identified by the designation identification information. It authenticates whether it is the nth terminal 200 corresponding to any one of N designated terminal 200 currently designated and identified. Preferably, the designation target identification information received from the user's terminal 200 includes designation information stored in the user's terminal 200, designation information generated by the user's terminal 200, and the user's terminal 200. ) Includes one or more pieces of designation information inputted from the designation information.

According to the embodiment of the present invention, the designation target authentication unit 145 designates the designation including m designation information used to designate and identify the terminal 200 of the user among M designation information available as designation target identification information. After confirming the configuration of the object identification information, and receives the designation target identification information including the m designation information from the user's terminal 200, the identification information storage unit 130 receives the designated designation identification information; By comparing the N designation target identification information for the N designation terminals 200 stored by the N, the N designation terminals 200 in which the terminal 200 of the user who requested the use of the certificate is designated and identified by the designation identification information. It can be authenticated whether the n-th terminal 200 corresponding to any one of).

According to the embodiment of the present invention, the designation target identification information may include two or more designation information fixed to the designated terminal 200. In this case, the designation target authentication unit 145 may specify the designated terminal 200. Determine whether some of the at least two pieces of information fixed to the authentication is authenticated and some others are not authenticated, and if some of the two or more pieces of information fixed to the designated terminal 200 is authenticated and the remaining part is not authenticated, Disposal or re-registration procedures may be performed. That is, if some of two or more pieces of information fixed to the designated terminal 200 are authenticated and some of the information is not authenticated, the terminal 200 includes a program or an operating system included in the designated terminal 200, a hardware component, and the like. ) Designation information for designating and identifying) is changed, and therefore, the designation target authentication unit 145 may perform a revocation procedure or a re-registration procedure for the designation target identification information. Meanwhile, the designation target identification information may include at least one designation information input or generated by the designated terminal 200. In this case, the designation target authentication unit 145 may not authenticate the input or generated information. In this case, an error regarding the designated terminal identification is generated. Alternatively, the designation target identification information may include designation information fixed to the designated terminal 200. In this case, the designation target authentication unit 145 authenticates all designation information fixed to the designated terminal 200. If not, an error for the designated terminal identification may be generated.

If the terminal 200 of the user requesting the use of the certificate is authenticated as the n-th terminal 200 capable of using the certificate, the certificate processing unit 150 stores the user's certificate stored in the storage medium 115 in the n-th terminal. Process to be used through the terminal 200. In the present invention, the processing of using the certificate stored through the designated n-th terminal 200 may be performed by providing the user's certificate stored in the storage medium 115 to the designated n-th terminal 200 to provide the n-th terminal 200. The operation server 100 (or the server provided with the certificate processing unit 150) and the operation (or task) to be processed using the certificate in the n-th terminal 200. Denotes at least one or a combination of two of the processing on behalf of the n-th terminal 200.

According to the first certificate using method of the present invention, the certificate processing unit 150 provides the stored user's certificate to the designated n-th terminal 200, the n-th terminal 200 receives the user's certificate The received certificate is used (eg, user authentication, encryption / decryption, digital signature, etc.) for various certificate use targets including financial transactions and payment using the certificate of the n-th terminal 200.

In the first certificate using method, the certificate processing unit 150 provides the entire configuration of the stored user certificate to the designated n-th terminal 200 or provides a partial configuration of the stored user certificate to the n-th terminal 200. It is possible to provide (However, even when providing a partial configuration of the certificate to the n-th terminal 200, it is possible to store the entire configuration of the certificate in the storage medium 115).

If the certificate processing unit 150 provides a partial configuration of the stored user certificate to the designated n-th terminal 200, the n-th terminal 200 is provided with the remaining configuration except for the partial configuration of the provided certificate. Or the remaining configuration of the certificate provided in the portable media owned by the user is available, and after combining the partial configuration of the received certificate with the remaining configuration, the entire configuration of the certificate is generated. The entire configuration of the certificate can be used to process various certificates. On the other hand, when the certificate processing unit 150 provides a partial configuration of the stored user certificate to the designated terminal 200, the partial configuration of the provided certificate is the same or N specified for the N specified terminal 200 It is possible to be different for each terminal 200, wherein the remaining configuration of the certificate provided on the designated terminal 200 side is the same for the N specified terminal 200 in response to the received some configuration, or It is possible to be different for each of the N specified terminal (200).

According to the embodiment of the present invention, the certificate provided to the designated n-th terminal 200 is preferably set to a specified usage restriction. Preferably, the certificate provided to the n-th terminal 200 may be temporarily stored in the n-th terminal 200. That is, the certificate provided to the n-th terminal 200 may be automatically expired when the power supply of the n-th terminal 200 is cut off by being stored in the volatile memory of the n-th terminal 200. Alternatively, the certificate provided to the n-th terminal 200 may be set to limit the number of times of single use or within a specified number of times. That is, the certificate provided to the n-th terminal 200 may be used only a specified number regardless of the form stored in the n-th terminal 200, and then automatically extinguished (for example, an auto-extinguish code in the certificate file). Or the certificate function may be automatically stopped. Alternatively, the certificate provided to the n-th terminal 200 may be set to limit an expiration date. That is, the certificate provided to the n-th terminal 200 may be used only for a limited expiration date such as several minutes to several hours, or one to one week, and then automatically expired or the certificate function may be automatically stopped. have.

Meanwhile, in the first certificate using method, the certificate processor 150 may process the certificate into a structure usable by the n-th terminal 200 and provide it to the n-th terminal 200. That is, even if the user's certificate stored in the storage medium 115 is an original having the same configuration information as the time of issuance of the certificate, the file structure of the certificate file including the configuration information is stored in the n-th terminal 200. It may be processed into a usable file structure or may be processed into a usable form through a program provided in the n-th terminal 200. In addition, when a usage limit specified in a certificate provided to the n-th terminal 200 is set, some of configuration information (eg, a certificate expiration date and the like) of the certificate is changed according to the usage limit, or the usage limit is changed. The data set or executable code (for example, auto-destruction script code, etc.) to be set may be attached to the certificate.

According to an embodiment of the present invention, in the first certificate using method, the certificate processing unit 150 mounts the storage medium 115 storing the certificate as a virtual storage area available to the n-th terminal 200 ( Mounting), in this case, the n-th terminal 200 may use the certificate stored in the storage medium 115 as a certificate provided in the n-th terminal 200.

According to the second certificate using method of the present invention, the certificate processing unit 150 may substitute for the certificate processing of the n-th terminal 200 through the stored user's certificate. In this case, the substitute certificate processing may be performed for all certificate processing (eg, certificate-based user authentication, encryption / decryption, digital signature, etc.) that can use the certificate in the n-th terminal 200.

In the second certificate using method, the certificate processing unit 150 receives data to be certificated from the designated n-th terminal 200 and processes a certificate (for example, certificate-based) on the received data using the stored certificate. After performing a user authentication procedure, an encryption / decryption procedure, an electronic signature procedure, and the like, the certificated data is transferred to a designated target device (eg, the n-th terminal 200 or the n-th terminal 200). To the authentication server (not shown) to receive. According to the exemplary embodiment of the present invention, the certificate processing unit 150 receives target device identification information for identifying a target device to which the certificated data is to be transmitted from the n-th terminal 200, and receives the received target device identification information. The certificated data may be transferred to the. If the target device is fixed, the target device identification information may not be received.

According to an embodiment of the present invention, in the second certificate using method, the certificate processor 150 may use the storage medium 115 and the certificate processor 150 for storing the certificate in association with the n-th terminal 200. Mount the virtual external device, and in this case, the n-th terminal 200 processes the certificate processing to be performed by the n-th terminal 200 through the mounted virtual device. Can be used as

2 is a diagram illustrating a functional configuration of an application 215 provided in a user terminal 200 according to an embodiment of the present invention.

In more detail, FIG. 2 illustrates a program provided in the user's wireless terminal 200 in the form of an application for certificate registration and use according to the present invention when the user's terminal 200 is the wireless terminal 200. As a function configuration, a person of ordinary skill in the art to which the present invention pertains may refer to the function of the application 215 provided in the various terminals 200 used by the user by referring to and / or modifying the drawing 2. Various implementation methods may be inferred, but the present invention includes all the implementation methods inferred above, and the technical features are not limited to the implementation method shown in FIG.

2, the wireless terminal 200 includes a control unit 201, a memory unit 213, a screen output unit 202, a key input unit 203, a sound output unit 204, a sound input unit 205, A camera module 206, a wireless network communication module 209, a short range wireless communication module 208, an NFC module 210, a positioning module 211, a USIM reader 212 and a USIM, And a battery 207 for the battery.

The control unit 201 is a general term for controlling the operation of the wireless terminal 200. The control unit 201 includes at least one processor and an execution memory, BUS). According to the present invention, the control unit 201 loads and executes at least one program code included in the wireless terminal 200 through the processor into the execution memory, and calculates at least one result through the bus. By transmitting to the negative to control the operation of the wireless terminal 200. Hereinafter, for convenience, the configuration of the application 215 for certificate registration and use according to the present invention will be described in the controller 201.

The memory unit 213 is a generic term for a nonvolatile memory corresponding to a storage resource included in the wireless terminal 200, and includes at least one program code executed through the control unit 201 and at least used by the program code. Store and maintain one data set. The memory unit 213 basically includes a system program code and a system data set corresponding to the operating system of the wireless terminal 200, a communication program code and a communication data set for processing a wireless communication connection of the wireless terminal 200, The program code and data set corresponding to the application 215 of the present invention are also stored in the memory unit 213. [

The screen output unit 202 is composed of a screen output device (for example, a liquid crystal display (LCD) device) corresponding to an output resource provided in the wireless terminal 200 and a screen output module for driving the screen output device. 201 and a bus, and outputs the calculation result corresponding to the screen output among the various calculation results of the control unit 201 to the screen output device.

The key input unit 203 comprises a key input device (or a touch screen device coupled to the screen output unit 202) corresponding to an input resource provided in the wireless terminal 200 and a key input module for driving the key input device And inputs a command for instructing various operations of the control unit 201 or data necessary for the operation of the control unit 201 by a bus connection with the control unit 201. [

The sound output unit 204 includes a speaker corresponding to an output resource provided in the wireless terminal 200 and a sound module for driving the speaker, and is connected to the control unit 201 by a bus so that the control unit 201 The operation result corresponding to the sound output is output from the various operation results of the through the speaker. The sound module decodes sound data to be output through the speaker and converts the sound data into a sound signal.

The sound input unit 205 includes a microphone corresponding to an input resource provided in the wireless terminal 200 and a sound module for driving the microphone, and transmits sound data input through the microphone to the controller 201. do. The sound module encodes and encodes a sound signal input through the microphone.

The camera unit 206 is a generic term for camera resources included in the wireless terminal 200. The camera unit 206 includes an optical unit, a charge coupled device (CCD), and a camera module for driving the camera unit, and is input to the CCD through the optical unit. Acquire bitmap data. The bitmap data may include both still image data and moving image data.

The wireless network communication module 209 and the short-range wireless communication module 208 are communication resources provided in the wireless terminal 200. The wireless network communication module 209 accesses a wireless communication network through a base station, The wireless communication module 208 connects to a short range communication device or a wireless AP located in a short distance.

The wireless network communication module 209 is a general term for a communication configuration for connecting the wireless terminal 200 to the wireless terminal 200 and includes an antenna, an RF module, a baseband module, and a signal processing module for transmitting and receiving a radio frequency signal of a specific frequency band And is connected to the control unit 201 through a bus so as to transmit calculation results corresponding to wireless communication among various calculation results of the control unit 201 through wireless communication or receive data through wireless communication To the control unit 201, and maintains connection, registration, communication, and handoff procedures of the wireless communication. According to the present invention, the wireless network communication module 209 can connect the wireless terminal 200 to a telephone communication network including a telephone communication channel and a data channel via the exchange, and in some cases, To a data network that provides wireless network data communication based on packet communications.

According to an embodiment of the present invention, the wireless network communication module 209 is a mobile communication module that performs at least one of connection to a mobile communication network, location registration, call processing, call connection, data communication, and handoff according to a CDMA / WCDMA standard . Meanwhile, the wireless network communication module 209 according to the intention of a person skilled in the art may further include a portable internet communication configuration for performing at least one of connection to the portable Internet, location registration, data communication and handoff according to the IEEE 802.16 standard, It is clear that the present invention is not limited by the wireless communication configuration provided by the wireless network communication module 209.

The short-range wireless communication module 208 is a short-range communication module for connecting a communication session using a radio frequency signal as a communication medium within a predetermined distance, and preferably includes at least one of Wi-Fi communication, Bluetooth communication, . According to an embodiment of the present invention, the short range wireless communication module 208 may be integrated with the wireless network communication module 209. According to the present invention, the short-range wireless communication module 208 connects the wireless terminal 200 to a data network providing packet-based short-range wireless data communication through a wireless AP.

The NFC module 210 is a generic term for NFC resources provided in the wireless terminal 200. The NFC module 210 is a proximity that transmits data between terminals at a proximity distance of about 10 cm according to a NFC (Near Field Communication) standard using a 13.56 Mz frequency band. It is configured to include a communication module. The NFC module may be integrated with the short range wireless communication module 208 or may be implemented as a separate communication module. According to the intention of the person skilled in the art, the NFC module 210 can provide proximity communication of other frequency bands (for example, 900 MHz band) supported by the ISO 18000 series standard in addition to the 13.56 Mz frequency band, No. Meanwhile, the NFC module 210 may be included in a communication resource provided in the wireless terminal 200 according to a target to which the NFC module 210 communicates in close proximity.

The positioning module 211 is a generic term for positioning resources provided in the wireless terminal 200, and is composed of a GPS positioning module for positioning a moving position of the wireless terminal 200, and at least three orbiting the earth's orbit. Receiving satellite signals transmitted from more than one GPS satellite to calculate the movement position information of the wireless terminal 200. According to another embodiment of the present invention, the position location module 211 is connected to at least two base stations (or connection points) (Or an arrival angle) between the mobile terminal 200 and the mobile terminal 200. The terrestrial positioning module may be configured to determine a position of the mobile terminal 200 in a terrestrial positioning system.

The USIM reader 212 is a generic term of a configuration for exchanging at least one data set with a universal subscriber identity module that is mounted or detached from the mobile station 200 based on the ISO / IEC 7816 standard , And the data set is exchanged in a half duplex communication manner through an APDU (Application Protocol Data Unit).

The USIM is a SIM type card having an IC chip according to the ISO / IEC 7816 standard, an input / output interface including at least one contact point connected to the USIM reader unit 212, and at least one IC chip program code. And an IC chip memory for storing a data set, and a program code for the IC chip or extracting (or processing) the data set according to at least one command transmitted from the wireless terminal 200 connected to the input / output interface. It includes a processor for transmitting to the input and output interface.

The application 215 of the present invention is downloaded from a program providing server (eg, Apple's App Store, etc.) through a data network to which the communication resource is accessible, and stored in the memory unit 213. The downloaded application 215 operates in conjunction with the operation server 100 and may be manually driven by a user, or may be automatically driven (or activated) after user confirmation or by receipt of a message. On the other hand, a separate program may be running in advance to activate the application 215 after user confirmation or automatically, and thus the present invention is not limited thereto.

Referring to FIG. 2, the application 215 accesses the operation server 100 through a data network to which the communication resource is accessible, thereby registering the user as a member or registering / authenticating the user's membership. And an application authentication unit 225 for authenticating the validity of the application 215 through at least one communication network to which the communication resource can be connected. A component (not shown) configured to perform server-side operations corresponding to the operations of the authenticator 220 and the application authenticator 225 is provided.

The application 215 has communication connection macro information for accessing the operation server 100 through a data network to which the communication resource is accessible, and the member registration / authentication unit 220 is the screen output unit 202. Outputs user interface (e.g., name, social security number, etc.) and a member account for inputting a member account through the data network, and inputs user information input through the interface to the operation server 100 through the data network; Send the member account to join the user as a member.

Meanwhile, membership of the user may be subscribed through a separate user terminal 200 in addition to the wireless terminal 200. Therefore, when the user is already registered as a member, or as a member through the terminal 200 of the user, the member registration / authentication unit 220 outputs an interface for inputting the member account of the user, The member account input through the interface is transmitted to the operation server 100 through the data network to authenticate whether the user is a member.

The application authenticator 225 authenticates the validity of the application 215 to the operation server 100 through at least one communication network of a data network and a telephone call network to which the communication resource is accessible. According to an embodiment of the present invention, the process of authenticating the validity of the application 215 is performed by a predetermined encryption / decryption communication process between the application 215 and the operation server 100, and for convenience, the encryption / decryption. Detailed description of the process will be omitted.

According to the first application authentication method of the present invention, the application 215 is downloaded through the program providing server with a unique key value that can be identified as an application operated by the operation server 100 is set. In this case, the application authenticator 225 may transmit the unique key value to the operation server 100, thereby authenticating that the application 215 is an application operated by the operation server 100. On the other hand, the application authentication unit 225 and at least one unique information stored in the wireless terminal 200 or assigned to the communication network in the process of transmitting the unique key value to the operating server 100 and the unique key value; By transmitting together, it is possible to simultaneously authenticate that the application 215 is an application operated by the operation server 100 and that the application 215 is running in the wireless terminal 200.

According to the second application authentication method of the present invention, the application 215 is downloaded through the program providing server after the application identification value (for example, uniquely identifying the application 215 on the data network according to a predetermined procedure) Device tokens assigned by Apple's APNS, etc.). In this case, the application authentication unit 225 transmits the app identification value to the operation server 100, thereby allowing the application 215 to execute the application. It can be authenticated that the application is operated by the operation server 100. On the other hand, the application authentication unit 225 and at least one unique information stored in the wireless terminal 200 or assigned to the communication network in the process of transmitting the app identification value to the operating server 100 and the app identification value; By transmitting together, it is possible to simultaneously authenticate that the application 215 is an application operated by the operation server 100 and that the application 215 is running in the wireless terminal 200.

According to the third application authentication method of the present invention, the application 215 has at least one key value, a key exchange protocol and an encryption / decryption rule are set, and an authentication procedure for authenticating the application 215 using the same is defined. The application may be downloaded through the program providing server with a certificate mounted therein. In this case, the application authentication unit 225 may perform at least one key value and key exchange protocol set in the certificate according to the authentication procedure defined in the certificate. And selectively use an encryption / decryption rule to authenticate that the application 215 is an application operated by the operation server 100. Meanwhile, the application authenticator 225 further uses the at least one unique information stored in the wireless terminal 200 or allocated to the communication network in the authentication procedure in the process of using the certificate, thereby allowing the application 215 to perform the authentication. At the same time as the application that is operated by the operation server 100 can be authenticated that the application 215 is running in the wireless terminal 200.

According to the fourth application authentication method of the present invention, the wireless terminal 200 receives the authentication number sent from the operation server 100 through the message exchange protocol of the telephone call network, the received authentication number is By receiving an input and transmitting the data to the operation server 100 through the data network, the application 215 may be authenticated that the application is operated by the operation server 100. Meanwhile, the application authentication unit 225 transmits at least one unique information stored in the wireless terminal 200 or assigned to a communication network together with the authentication number in the process of transmitting the authentication number to the operation server 100. As a result, the application 215 may be an application operated by the operation server 100, and at the same time, the application 215 may be authenticated that the application is running in the wireless terminal 200.

According to a fifth application authentication method of the present invention, the application authentication unit 225 may be configured to execute the application (from the operation server 100 through an authentication method by selectively combining one or more of the first to fourth application authentication methods). It is possible to authenticate the validity of 215, whereby the present invention is not limited.

Referring to FIG. 2, the application 215 includes an identity authentication processing unit 230 that processes identity authentication for the user in association with the identity authentication procedure unit 120 of the operation server 100.

The identity authentication processing unit 230 is a component that performs a terminal-side operation for one or more identity authentication procedures performed by the identity authentication procedure unit 120 of the operation server 100 in accordance with the order specified for the user's identity authentication Collectively, one or more identity authentication procedures may be performed, preferably ID / PW authentication, Internet real name authentication, communication subscriber authentication, cardholder authentication, account holder authentication, wireless terminal occupancy authentication, certificate authentication.

The identity verification processor 230 performs an operation of authenticating the identity of the user in at least one of a certificate registration, a terminal designation registration, and a certificate use process.

Referring to FIG. 2, the application 215 obtains a certificate issued to a user through the certificate acquisition unit 105 of the operation server 100, and stores the certificate storage unit 110 of the operation server 100. It is provided with a certificate registration unit 235 for processing so that the user's certificate is stored in the designated storage medium 115 through.

The certificate registration unit 235 processes the user's certificate to be stored in the designated storage medium 115 through the certificate acquisition unit 105 of the operation server 100 is obtained.

When the user's certificate is obtained through the certificate server according to the first certificate acquisition method of the present invention, the certificate registration unit 235 is the certificate acquisition unit 105 of the operation server 100 through the certificate server By transmitting certificate issuance information necessary to obtain a user's certificate to the operation server 100, the user's certificate to be stored in the designated storage medium 115 through the certificate acquisition unit 105 of the operation server 100 is Can be processed to be acquired.

When the user's certificate is obtained through the designated institution server according to the second certificate acquisition method of the present invention, the certificate registration unit 235 operates the identification information for uniquely identifying the user and the institution information for operating the institution server. By transmitting to the server 100, it can be processed so that the user's certificate to be stored in the designated storage medium 115 is obtained through the certificate acquisition unit 105 of the operation server 100.

According to the third certificate obtaining method of the present invention, if the user's certificate is provided in the terminal 200 or is being used in the user's terminal 200, the certificate registration unit 235 is the wireless terminal 200 Extract the certificate stored in the memory unit 213 (or the IC chip including the USIM) or stored in the portable medium of the user, and transfer the extracted certificate according to a designated certificate copy / transfer procedure. By performing the operation of transmitting to), it can be processed so that the user's certificate to be stored in the designated storage medium 115 is obtained through the certificate acquisition unit 105 of the operating server 100.

Certificates obtained through at least one of the first to third certificate acquisition methods are stored in the designated storage medium 115.

On the other hand, the certificate registration unit 235 may receive the remaining partial configuration of the certificate stored in the storage medium 115 from the operation server 100 and store it in the memory unit 213 or IC chip, the remaining part of the certificate The configuration constitutes the entire configuration of the certificate that can be used as the designated identification information or in combination with some configuration of the certificate received from the operation server 100 at the time when the certificate stored in the storage medium 115 is used. It is used to

Referring to FIG. 2, the application 215 may be connected to the wireless terminal 200 (or other terminal available to the user other than the wireless terminal 200) through the identification information obtaining unit 125 of the operation server 100. And a terminal designation processor 240 for processing such that the designation target identification information for the 200) is obtained and stored through the identification information storage unit 130 of the operation server 100.

The terminal designation processor 240 may include information stored in the memory unit 213, information stored in an IC chip including the USIM, information recorded in a read-only memory of the wireless terminal 200, and the wireless terminal 200. Information assigned to a hardware component of the wireless terminal 200, communication identification information of the wireless terminal 200, information generated by the wireless terminal 200, information input through a key input unit 203, and identification of the application 215. Acquiring at least one piece of specified information including at least one of at least one piece of information and at least one of dynamically generated information through a designated code generation module, and operating the designated object identification information including the obtained m pieces of specified information through a communication network. By providing to the server 100, the designated object identification information is processed through the identification information acquisition unit 125 of the operation server 100.

According to an exemplary embodiment of the present invention, designation target identification information for the wireless terminal 200 includes designation information stored in the wireless terminal 200, designation information generated in the wireless terminal 200, and the wireless terminal 200. It comprises one or more of the designated information input from the specified information, the terminal designation processing unit 240 to configure the designation target identification information, the various resources provided in the wireless terminal 200 (eg, storage resources, Output resources, input resources, camera resources, communication resources, NFC resources, location resources, etc.) to obtain the use rights and obtains the m specified information to be included in the designation target identification information of the wireless terminal 200 through this. For example, the terminal designation processor 240 obtains specific designation information to be included in the designation target identification information from various resources provided in the wireless terminal 200, or designates using the information obtained from the various resources. You can create assignment information.

Referring to FIG. 2, the application 215 may be configured such that the wireless terminal 200 may use N certificates that are stored in the storage medium 115 through the designated target authentication unit 145 of the operation server 100. A certificate stored in the designated storage medium 115 is linked to a designated terminal authentication unit 245 for authenticating to the n-th terminal 200 among the designated terminals 200 and the certificate processing unit 150 of the operation server 100. It is provided with a certificate using unit 250 for processing so that the used certificate processing.

When the certificate processing using the user's certificate is to be performed through the certificate using unit 250, the designated terminal authentication unit 245 is stored in the IC chip including the information stored in the memory unit 213, the USIM. Information, information recorded in a read-only memory of the wireless terminal 200, information assigned to a hardware component of the wireless terminal 200, communication identification information of the wireless terminal 200, the wireless terminal 200 M specified information in which at least one or two or more of information generated in the above, information input through the key input unit 203, information identifying the application 215, and dynamically generated information through a designated code generation module are combined. Acquiring and providing the designated object identification information including the obtained m specified information to the operation server 100 through a communication network, the designated object authentication unit 145 of the operation server 100 through the The terminal 200 processes the certificate stored in the storage medium 115 to be authenticated to the nth terminal 200 among the N designated terminals 200 available.

According to the exemplary embodiment of the present invention, designation target identification information for authenticating the wireless terminal 200 to the n-th terminal 200 includes designation information stored in the wireless terminal 200 and designation generated by the wireless terminal 200. Information, one or more designated information among the designated information input from the wireless terminal 200, and the designated terminal authentication unit 245 is provided in the wireless terminal 200 to configure the designated target identification information. M to obtain use rights of various resources (eg, storage resources, output resources, input resources, camera resources, communication resources, NFC resources, positioning resources, etc.) and to be included in the designated target identification information of the wireless terminal 200 through these. Obtain the specified information. For example, the designated terminal authentication unit 245 obtains specific designation information to be included in the designation target identification information from various resources provided in the radio terminal 200 or by using information obtained from the various resources. Specific specific information can be created.

If the wireless terminal 200 is authenticated to the n-th terminal 200 that can use the user's certificate stored in the storage medium 115 through the designated terminal authentication unit 245, the certificate using unit 250 is the The certificate processing unit 150 of the operation server 100 receives a user's certificate stored in the storage medium 115, or the certificate processing unit 150 transmits data to the certificate processing unit 150 of the operation server 100.

When the user's certificate stored in the storage medium 115 is received through the certificate processing unit 150 of the operation server 100 according to the first certificate using method of the present invention, the certificate using unit 250 receives the received certificate. The stored user's certificate in a designated storage area (e.g., volatile memory area, non-volatile memory area, etc.), and data corresponding to the object of certificate processing using the user's certificate (e.g., financial transaction information, payment information, etc.) ), The certificate processing procedure for the data is performed using various keys (eg, the user's public key, private key, etc.) included in the certificate. The certificate using unit 250 transmits the certificated data to a designated authentication server through a communication network.

When the certificate processing unit 150 of the operation server 100 substitutes the certificate processing for the certificate processing target data according to the second certificate using method of the present invention, the certificate using unit 250 may convert the certificate of the user. Check the data (eg, financial transaction information, payment information, etc.) corresponding to the subject of the certificate processing used, and transmits the data to the operation server 100 through a communication network. If the certificated data is designated to be received by the wireless terminal 200, the certificate using unit 250 may determine the user's data stored in the storage medium 115 from the certificate processing unit 150 of the operation server 100. After receiving the certificated data through a certificate, the certificated data is transmitted to a designated authentication server through a communication network. Meanwhile, the certificate processing unit 150 of the operation server 100 may directly transmit the certificated data to the designated authentication server, whereby the present invention is not limited thereto.

3 is a diagram illustrating a process of registering a certificate in a cloud type certificate operation according to the present invention.

More specifically, Figure 3 illustrates an embodiment of a process for registering a certificate issued to the user by the certificate issuer to the designated storage medium 115 on the network after the user authentication for the user. Those skilled in the art may refer to and / or modify this drawing 3 to infer various implementation methods (e.g., some steps may be omitted or the order may be changed) for the certificate registration process. Although there will be, the present invention includes all the implementation methods inferred, and the technical features are not limited only to the implementation method shown in FIG.

Referring to FIG. 3, the user terminal 200 accesses the operation server 100 through a communication network and requests a certificate issuing authority to register a certificate issued to the user to a designated storage medium 115 on a network (300). In response thereto, the operation server 100 checks the i identity authentication methods available in the user's terminal 200 (305), and the i identity verification procedure in connection with the user's terminal 200. Is performed in the specified order (310).

If the user authentication of the user is not processed, the operation server 100 provides the user authentication error to the terminal 200 of the user and outputs (315). On the other hand, when the user authentication of the user is processed, the operation server 100 obtains the user's certificate to be stored in the designated storage medium 115 (320). The user's certificate to be stored in the designated storage medium 115 is obtained from a certificate server provided in the certificate issuer that issued the user's certificate according to the first certificate obtaining method described in FIG. Copying a certificate that is obtained from an institution server of a management authority managing a certificate issued to the user according to a second certificate obtaining method (320) or used by the terminal 200 of the user according to a third certificate obtaining method. It may be obtained in the manner of moving (320).

If the user's certificate to be stored in the designated storage medium 115 is not obtained, the operation server 100 provides a certificate acquisition error to the user's terminal 200 and outputs the error (325). Meanwhile, when a user's certificate to be stored in the designated storage medium 115 is obtained, the operation server 100 verifies the validity of the obtained user's certificate (330).

If the validity of the obtained user's certificate is verified, the operation server 100 stores the obtained user's certificate in the designated storage medium 115 (340).

4 is a diagram illustrating a process of designating and registering a terminal 200 that can use a certificate in a cloud type certificate operation according to the present invention.

In more detail, FIG. 4 illustrates an embodiment of a process of previously designating and registering N terminals 200 that can use a user's certificate stored in the storage medium 115 through the process illustrated in FIG. 3. As those skilled in the art to which the present invention pertains, various implementation methods (for example, some steps may be omitted or changed in order) of the terminal designation registration process by referring to and / or modifying the drawing 4. Implementation method) may be inferred, but the present invention includes all the implementation methods inferred, and the technical features are not limited only to the implementation method shown in FIG. Meanwhile, the process shown in FIG. 4 may be performed before the process of FIG. In addition, if the terminal 200 that can use the certificate is not designated and registered in advance, the process illustrated in FIG. 4 may be omitted.

Referring to FIG. 4, the user's terminal 200 may use the user's certificate stored in the storage medium 115 through the process illustrated in FIG. 3 for itself (or other various terminals 200 available to the user). Request the designated registration to the terminal 200 (400), the corresponding operation server 100 checks j identity authentication methods available in the terminal 200 of the user (405), the terminal of the user In operation 410, the j identity authentication procedures are performed in association with the specified order. On the other hand, if the Figure 4 is carried out together with the process of Figure 3, the user identification is already performed in Figure 3 can be omitted.

If the user authentication of the user is not processed, the operation server 100 provides a user authentication error to the user terminal 200 to output (415). On the other hand, when the user authentication of the user is processed, the operation server 100 checks the m specified information corresponding to the designation target identification information for the terminal 200 to be designated and registered by the user's terminal 200 ( In operation 425, the terminal 200 of the user requests designation target identification information including m designation information about the terminal 200 to be designated and registered (425).

After the user's terminal 200 obtains through one or more of extracting, generating, or receiving designation target identification information including m designation information about the terminal 200 to be designated and registered (430). In operation 435, designation target identification information including the obtained m designated information is transmitted to the operation server 100.

The operation server 100 receives the designation target identification information including the m designation information (440), and validates at least one of the m designation information included in the designation target identification information (445). ).

If the received designation target identification information is not verified, the operation server 100 outputs the designation target identification information error to the user's terminal 200 (450). On the other hand, if the received designated object identification information is verified, the operation server 100 directly or indirectly with the user's certificate stored in the designated storage medium 115 through the process shown in FIG. Map and store (455).

5 is a diagram illustrating a process of registering a user who can use a certificate in a cloud type certificate operation according to the present invention.

In more detail, FIG. 5 illustrates an embodiment of a process of identifying and registering a user who has registered a certificate through the process shown in FIG. 3 or a user who has designated and registered the terminal 200 through the process shown in FIG. As shown in the drawings, a person of ordinary skill in the art to which the present invention pertains may refer to and / or modify this drawing 5 to implement various methods for the user registration process (e.g., some steps may be omitted or sequenced). It can be inferred that the modified implementation method), but the present invention includes all the implementation methods inferred above, the technical features are not limited only to the implementation method shown in FIG. In particular, FIG. 5 is for simplifying or automating authentication of a user in the process of using a certificate stored in the storage medium 115. If the user's identity authentication procedure is used in the process of using the certificate, FIG. May be omitted.

Referring to FIG. 5, in the process illustrated in FIG. 3 or FIG. 4, the operation server 100 may uniquely authenticate a user corresponding to a certificate stored in the storage medium 115 to the terminal 200 of the user. Requesting the identification information (500), and correspondingly the terminal 200 of the user determines the user identification information for authenticating the user and transmits to the operation server 100 (505), the operation server 100 ) Obtains user identification information uniquely authenticating the user from the user's terminal 200 (510). Meanwhile, the user identification information may be obtained from information used in the user identity authentication process as a result of the user authentication process for the user performed in the process illustrated in FIG. 3 or FIG. 4 (510).

The operation server 100 verifies the validity of the obtained user identification information (515). If the validity of the user identification information is not verified, the operation server 100 is the terminal 200 of the user. In operation 520, an error regarding the user identification information is provided and output. On the other hand, if the validity of the user identification information is verified, the operation server 100 through the process shown in Figure 3 the designated target identification information and the user identification information registered through the process shown in Figure 4 The user's certificate stored in the storage medium 115 is mapped and stored directly or indirectly (525).

6 is a diagram illustrating a process of checking / extracting a certificate registered in the storage medium 115 in a cloud type certificate operation according to the present invention.

In more detail, FIG. 6 illustrates an embodiment of a process of checking or extracting a certificate stored in the storage medium 115 through the process illustrated in FIG. 3 to use the certificate in a cloud method. Those skilled in the art may refer to and / or modify this drawing 6 to implement various methods for the certificate verification / extraction process (eg, some steps may be omitted or the order may be changed). Although it can be inferred, the present invention includes all the implementation methods inferred, and the technical features are not limited only to the implementation method shown in FIG. Meanwhile, the process shown in FIG. 6 may be performed before the process of FIG. In addition, if the terminal 200 that can use the certificate is not designated and registered in advance, the process illustrated in FIG. 6 may be omitted.

Referring to FIG. 6, the user terminal 200 requests the operation server 100 to use a certificate stored in the storage medium 115 through the process illustrated in FIG. 3 (600), and correspondingly, The server 100 checks k identity authentication methods available in the user's terminal 200 (605), and performs the k identity authentication procedures in a specified order in association with the user's terminal 200. 610. Meanwhile, when user identification information is registered through the process illustrated in FIG. 5, the operation server 100 may authenticate the user through the registered user identification information (615).

If the user authentication of the user is not processed or the user authentication through the user identification information is not processed, the operation server 100 outputs the authentication error for the user to the terminal 200 of the user and outputs it. (620). Meanwhile, when the user authentication of the user is processed or the user authentication through the user identification information is processed, the operation server 100 authenticates the terminal 200 of the user who requested the use of the certificate to the designated terminal 200. In operation 625, the M designation information is checked (625), and the terminal 200 of the user requests the designation target identification information including the m designation information (630).

The terminal 200 of the user extracts, generates, or receives the designation target identification information including the requested m designation information through one or more of obtaining (635), and then, the obtained m designations The designated target identification information including the information is transmitted to the operation server 100 (640).

The operation server 100 obtains designation target identification information including the m designation information (645), and designates the designated designation target identification information and the acquired designation target identification information obtained through the process shown in FIG. In comparison, the user's terminal 200 is authenticated to the designated nth terminal 200 through the process shown in FIG. 4 (650).

If the terminal 200 of the user is not authenticated with the designated registered n-th terminal 200, the operation server 100 provides an error of designation for the terminal 200 of the user and outputs the error 655. , If necessary, discard the designation target identification information of the user terminal 200, or apply the process illustrated in FIG. 4 to re-register the user terminal 200 as the designation target. have. On the other hand, if the user terminal 200 is authenticated with the designated registered n-th terminal 200, the operation server 100 of the user mapped directly or indirectly to the designated target identification information from the designated storage medium 115 Verify or extract the certificate (660). Meanwhile, according to the embodiment of the present invention, the user's terminal 200 stores the user's certificate stored in the storage medium 115 from the operation server 100 as the user's certificate stored in the storage medium 115 is confirmed. It can be confirmed that the available state (665).

7 is a diagram illustrating a process of using a certificate in a cloud method according to an embodiment of the present invention.

In more detail, FIG. 7 illustrates an embodiment of a process of providing a user's certificate stored in a designated storage medium 115 to a user's terminal 200 to be used, and in the technical field to which the present invention pertains. Those skilled in the art may refer to and / or modify this drawing 7 to infer various implementation methods (e.g., some steps may be omitted or the order may be changed) for the certificate usage process. The present invention includes all the implementation methods inferred, and the technical features are not limited only to the implementation method shown in FIG. Meanwhile, the process shown in FIG. 7 may be performed before the process of FIG. 3. In addition, if the terminal 200 that can use the certificate is not designated and registered in advance, the process illustrated in FIG. 7 may be omitted.

Referring to FIG. 7, when the user's certificate stored in the storage medium 115 is extracted through the process illustrated in FIG. 6, the operation server 100 is assigned to the user's certificate extracted from the storage medium 115. After setting the usage restriction (700), the user's certificate is provided to the n-th terminal 200 of the authenticated user through the process shown in Figure 6 (705), and corresponding to the n-th terminal of the user In operation 710, the user's certificate received from the storage medium 115 is received through the communication network and maintained according to the usage restriction set in the certificate.

Then, the n-th terminal 200 of the user checks the certificate processing target data (715), and the certificate processing procedure (for example, user authentication, encryption / decryption, digital signature) for the data through the retained user's certificate Etc.) (720).

If the certificate processing for the data is completed, the n-th terminal 200 of the user transmits the certificated data to a designated authentication server (725), and correspondingly, the authentication server transmits the certificated data. Received (730), and authenticates (e.g., user authentication, encryption / decryption, digital signature verification, etc.) the certificated data through the certificate issued to the user (735).

If the certificated data is authenticated, the authentication server processes the requested service from the terminal 200 of the user using the authenticated data to be provided (740), and the service using the authenticated data is It may be provided through a separate service providing server (for example, a bank server, a card company server, etc.) interlocking with the authentication server.

8 is a diagram illustrating a process of using a certificate in a cloud method according to another exemplary embodiment of the present invention.

In more detail, Figure 8 illustrates an embodiment of a process for performing a certificate processing to be performed in the user's terminal 200 through the user's certificate stored in the designated storage medium 115, the present invention Those skilled in the art may refer to and / or modify this drawing 8 to infer various implementation methods (e.g., some steps may be omitted or the order may be changed) for the certificate usage process. However, the present invention includes all the implementation methods inferred above, the technical features are not limited only to the implementation method shown in FIG. Meanwhile, the process illustrated in FIG. 8 may be performed before the process of FIG. 3. In addition, if the terminal 200 that can use the certificate is not designated and registered in advance, the process illustrated in FIG. 8 may be omitted.

Referring to FIG. 8, when it is confirmed that the user's certificate stored in the storage medium 115 is available through the process illustrated in FIG. 6, the n-th terminal 200 of the user checks the certificate processing target data ( 800, requesting that the certificate processing using the user's certificate stored in the storage medium 115 is performed by transmitting the certificate processing target data to the operation server 100 (805), and correspondingly, the operation server 100. ) Receives the certificate processing target data from the user's n-th terminal 200 (810), and the certificate processing procedure (for example, the user for the received data through the user's certificate stored in the storage medium 115) Authentication, encryption / decryption, digital signature, etc.) on behalf of the server (815).

If the certificate processing for the data is completed, the operation server 100 transfers the certificated data to the designated target device (820). Preferably, the certificated data may be delivered to the n-th terminal 200 of the user, in which case the terminal 200 of the user receives the certificated data through the user's certificate (825) In operation 830, the certificated data may be transmitted to a designated authentication server. Alternatively, the certificated data may be directly transmitted to the authentication server.

The authentication server receives the certificated data through the user's certificate from the terminal 200 or the operation server 100 of the user (835), and authenticates the certificated data through the certificate issued to the user (Eg, user authentication, encryption / decryption, digital signature verification, etc.) (840).

If the certificated data is authenticated, the authentication server processes the requested service from the terminal 200 of the user using the authenticated data to be provided (845), and the service using the authenticated data is It may be provided through a separate service providing server (for example, a bank server, a card company server, etc.) interlocking with the authentication server.

100: operation server 105: certificate acquisition unit
110: certificate storage unit 115: storage medium
120: identity authentication procedure 125: identification information acquisition unit
130: identification information storage unit 135: request information receiving unit
140: user authentication unit 145: target authentication unit
150: certificate processing unit 200: terminal

Claims (21)

In the cloud type certificate operation method executed by the server,
A first step of storing a certificate issued to a user in a designated storage medium;
A second step of storing designation target identification information for designating and identifying N (N≥1) terminals that can use the stored certificate;
A third step of authenticating whether the terminal used by the user is an nth (1 ≦ n ≦ N) terminal among N designated terminals designated and identified by the designated object identification information; And
And a fourth step of processing a user's certificate stored in the storage medium to be used through the n-th terminal when the user's terminal is authenticated as the designated n-th terminal.
2. The method according to claim 1,
The method may further include performing an identity authentication procedure for a user who has received a certificate stored in the storage medium.
And storing the certificate issued to the user in the storage medium when the user authentication of the user is processed.
2. The method according to claim 1,
Receive the certificate issued to the user from the certificate server that issued the certificate to the user and store in the storage medium,
And receiving at least one certificate issued to the user from the terminal of the user and storing the certificate in the storage medium.
The method of claim 1, wherein the certificate stored in the storage medium,
Includes the entire configuration of the certificate issued to the user, or
Cloud type certificate operating method characterized in that it comprises a partial configuration of the certificate issued to the user.
5. The method of claim 4,
If the certificate stored in the storage medium includes some configuration,
Except for some components of the stored certificate,
Stored in the N designated terminals, or
And storing the certificate to be used through the N designated terminals.
The storage medium of claim 1, wherein the storage medium storing the certificate comprises:
A storage medium operated by the issuer of the certificate;
A storage medium operated by the registrar of the certificate;
A storage medium provided in the server,
At least one of a storage medium on a network accessible from the server.
2. The method according to claim 1,
And performing a user authentication procedure on whether the user who has issued the certificate designates and registers a terminal to which the certificate is to be used.
2. The method according to claim 1,
Obtaining user identification information for uniquely authenticating the user who has issued the certificate;
The N designation target identification information is mapped to the user identification information and stored, characterized in that the cloud type certificate management method.
The method of claim 1, wherein the identification target identification information,
Information stored in the read / write memory of the designated terminal, information stored in the IC chip provided in the designated terminal, information recorded in the read-only memory of the designated terminal, information assigned to the hardware components of the designated terminal, and communication identification information of the designated terminal Cloud, characterized in that consisting of at least one or a combination of two or more information generated by the specified terminal, information input from the specified terminal, information identifying a program provided in the designated terminal, information dynamically generated through the designated code generation module How the certificate works.
The method of claim 1,
Designation target identification information condition for designating M (M≥1) designation information available as designation target identification information of each terminal on the basis of at least one of the types, communication networks, and platforms that can be registered as terminals to which the certificate is to be used. Further comprises the step of setting up,
The second step is a cloud, characterized in that to obtain the designation target identification information including m (1≤m≤M) of the specified information from the M designation information that meets the designation target identification information conditions of the terminal registered; How the certificate works.
2. The method according to claim 1,
When the terminal of the user who is connected for terminal designation registration is registered and registered as an available terminal,
Receive designation target identification information including one or more designation information designated from the user's terminal,
Receiving designation target identification information including one or more designation information specified in the terminal of the user from the management server for managing the terminal of the user,
And acquiring designation target identification information designating the terminal of the user as a terminal to be used for the stored certificate through at least one or two or more combinations thereof.
2. The method according to claim 1,
When the terminal designates and registers another terminal available to the user as an available terminal in addition to the terminal of the user connected for terminal designation registration,
Receiving, from the terminal of the user, designated object identification information including one or more designated information specified in the target terminal registered as a terminal that can use the certificate;
Receive designation target identification information including one or more designation information designated from the target terminal on the basis of the terminal information on the target terminal provided from the terminal of the user,
Receiving one or more designation target identification information designated to the target terminal from a management server managing the target terminal,
And acquiring designation target identification information designating a terminal available to the user as a terminal to which the stored certificate is to be used through at least one or two or more combinations thereof.
2. The method according to claim 1,
At least one identity authentication procedure of the user authentication process for whether the user who has issued the certificate requests the stored certificate and the user authentication process for whether the user who has registered the N terminals requests the stored certificate. Cloud-type certificate operating method characterized in that it further comprises the step of performing.
2. The method according to claim 1,
If the user identification information uniquely authenticating the user is mapped and stored with the designated target identification information, authenticating the user by comparing the user identification information received from the terminal of the user with the stored user identification information; Cloud type certificate operating method characterized in that made.
2. The method according to claim 1,
Receiving, from the terminal of the user, designation target identification information matching one or more designation information included in the stored designation target identification information; And
And comparing the received designation target identification information with the stored designation target identification information to authenticate the terminal of the user as the designated n-th terminal.
2. The method according to claim 1,
Identifying the configuration of the designation target identification information including m (1≤m≤M) designation information used for designating and identifying the terminal of the user among the M (M≥1) designation information available as designation target identification information; step;
Receiving identification object identification information including the m identification information from the terminal of the user; And
And comparing the received designation target identification information with the stored designation target identification information to authenticate the terminal of the user with the designated n-th terminal.
The method of claim 1,
The designation target identification information includes two or more designation information fixed to the designated terminal.
And performing a discarding procedure or a re-registration procedure for the designated target identification information when some of the at least two pieces of information fixed to the designated terminal are authenticated and some are not authenticated. How a certificate works.
The method as claimed in claim 1,
Cloud-based certificate management method, characterized in that for providing the stored user's certificate to the n-th terminal.
The method as claimed in claim 1,
It provides a part of the configuration of the certificate issued to the user to the n-th terminal,
The n-th terminal has a remaining configuration except for a partial configuration of the provided certificate, or the cloud-based certificate management method, characterized in that the remaining configuration of the certificate provided in the user-owned portable media can be used.
20. The method of claim 19,
Some components of the certificate,
The same for N designated terminals, or
It is characterized by different for each of the N specified terminal,
The remaining configuration of the certificate,
The same for N designated terminals, or
Cloud-based certificate management method characterized in that different for each of the N specified terminal.
The method as claimed in claim 1,
Cloud-based certificate management method characterized in that for the certificate processing of the n-th terminal through the stored user's certificate.

Images