KR20160093196A - Method for Processing Two Channel Authentication by using Contactless Media - Google Patents

Abstract

The present invention relates to a two-channel authentication method using a noncontact medium, and a two-channel authentication method using a noncontact medium according to the present invention is a two-channel authentication method using a noncontact medium, which communicates with a first terminal of a user and communicates with a second terminal of a user having an NFC module A first step of receiving and storing authentication request information via a first communication network connected to a first terminal of a user and a second step of receiving and storing authentication request information by using a second communication network, (S) for authentication processing of the authentication request information at the time of program activation or activation of the second terminal and a server authentication through the program of the second terminal (S) for the authentication code (s) through the program of the second terminal to the program of the second terminal, and a third step of providing the dynamically generated authentication code Based on a result of a medium access procedure performed between a program of a terminal and a designated security server, a cipher block read from a designated storage area of a noncontact medium supporting NFC through an NFC module of the second terminal, And a fourth step of receiving authentication code (t) dynamically generated through a program of the second terminal and authentication information (t) for an authentication approval request for a second terminal authentication that drives or activates the program, A fifth step of requesting a specified decryption server for authentication means information corresponding to the cipher block, in association with validity authentication of the received authentication code (t) and integrity authentication of the authentication information (t) through the authentication information (s) A sixth step of receiving the authentication means information generated from the decryption server through the cipher block; and a sixth step of transmitting the authentication means information and the authentication information (t) And a seventh step for requesting authorization, receives an authorization authentication result from the authentication server includes an eighth step of transferring the program of the second terminal.
Meanwhile, a two-channel authentication method using a noncontact medium according to the present invention is a method executed through a program provided in a second terminal of a user having an NFC module, the method comprising: (N > 1) number of storage areas (m, 0 < m &gt;(N); a second step of receiving a first authentication key for reading the authentication code (m) recorded in the noncontact medium (N), and transmitting the first authentication key to the noncontact medium via the NFC module (M) recorded in the area (m); a step of processing the read authentication code (m) to be transferred to the security server and reading the designated storage area of the noncontact medium &Lt; N, n? M) (C) transmitting the second authentication key to the noncontact medium through the NFC module and reading the cipher block recorded in the designated storage area (n) of the noncontact medium, And a sixth step of processing the read cipher block to be transferred to the designated decryption server.

Description

[0001] The present invention relates to a two-channel authentication method using a contactless medium,

The present invention relates to a method and apparatus for requesting an authentication process from a first terminal of a user to a second terminal of a user via a second communication network when an authentication request is made through a first communication network, (N, 0? N <N) storing a designated cipher block among N (N> 1) storage areas on a Near Field Communication based noncontact medium, To the designated decryption server and processes the authentication corresponding to the authentication request of the first terminal using the authentication means generated through the decryption server.

Recently, a variety of methods have been attempted to utilize the NFC (Near Field Communication) function of a smart phone for various authentication as the smartphone is activated.

However, in the conventional NFC-based authentication using a smartphone which is in service, a method of transmitting the OTP (One Time Password) dynamically generated through the NFC card to the smart phone and transmitting the OTP to the server is used mainly -2014-0089019).

However, the conventional NFC-based authentication using a smart phone has not yet been actively activated because it can be implemented only after issuing a separate NFC card for dynamically generating an OTP or selling it to a user.

On the other hand, most users have contactless financial IC cards such as transportation cards or non-contact / combination credit cards. If the non-contact financial IC card issued to the users is tagged on the smartphone, the authentication service can be provided without issuing a separate card.

However, it is possible to easily tag the smartphone itself as a contactless financial IC card (for example, as a transportation card) to a payment terminal (e.g., bus terminal, subway terminal, etc.) It is possible to read the card, but reading the non-contact type financial IC card issued in the past has a very difficult problem in reality.

The reason for this is that in order to read a traffic card or a contactless financial IC card from a smart phone, a secure application module (SAM) in the form of a security chip must be mounted on the smartphone, and a payment terminal such as a conventional bus terminal or a subway terminal, It is possible to mount a SAM in the form of a security chip, but it is practically impossible to mount a security chip type SAM in a smartphone designed and manufactured as an individual portable communication terminal.

On the other hand, even if a smartphone does not have a SAM, a SAM processing server that performs the same function as a SAM built in a conventional terminal is implemented on the network. Thus, even if a smart phone does not include a security chip SAM, A network SAM technique has been proposed (Patent Registration No. 10-1300817).

However, the conventional network SAM technology merely implements a SAM for a built-in terminal in the form of a conventional security chip in a server on the network, and reads the encrypted card information of the contactless financial IC card through the decryption key provided by the SAM processing server, The card information read from the contactless financial IC card is directly exposed through a very simple smartphone hack when the card information read from the smart phone is decoded at any time.

An object of the present invention to overcome the above-mentioned problems is to provide a method and a system for solving the above-mentioned problem, in which a first terminal of a user requests an authentication procedure to a second terminal of a user via a second communication network, (N, 0? N <N) storing a designated cipher block among N (N> 1) storage areas on a NFC-based noncontact medium interfaced with the second terminal through the server Contact medium to a designated decryption server and processes the authentication corresponding to the authentication request of the first terminal using the authentication means generated through the decryption server, Authentication method.

A two-channel authentication method using a non-contact medium according to the present invention is a method executed by an operation server communicating with a first terminal of a user and communicating with a second terminal of a user having an NFC module, A first step of receiving and storing authentication request information via the first communication network connected to the first terminal, a second step of confirming driving or activation of a program provided to the second terminal of the user using the second communication network, (S) for authentication processing of the authentication request information and a dynamically generated authentication code (s) for server authentication through the program of the second terminal at the time of program drive or activation confirmation of the second terminal, (S) through the program of the second terminal, and a medium access procedure performed between the program of the second terminal and the designated security server For a second terminal authentication that drives or activates the program from a designated storage area of a noncontact medium supporting NFC through the NFC module of the second terminal, (T) dynamically generated through a program of the second terminal and authentication information (t) for an authentication approval request; a fourth step of receiving validity authentication of the received authentication code (t) a step of requesting authentication information corresponding to the cipher block to a designated decryption server in conjunction with the integrity authentication of the authentication information (t) through the decryption server (s) A sixth step of transmitting the authentication information and the authentication information t to the specified authentication server and requesting authentication approval; And transmitting the received program to the program of the second terminal.

According to the present invention, the second step may further include the step of performing a procedure for notifying the second terminal of the user of a push for activating or activating the program.

According to the present invention, the authentication code (s) may include an authenticable code value through a code verification procedure included in the program of the second terminal.

According to the present invention, the two-channel authentication method using the noncontact medium is a method of intervening in a data exchange process between a program of the second terminal and a designated security server, (M, 0? M &lt; N) among the N (N &gt; 1) storage areas included in the noncontact medium from the security server, Receiving a first authentication key for reading the authentication code (m) and transferring the first authentication key to the program of the second terminal; checking the authentication code (m) read from the noncontact medium through the NFC module of the second terminal And a second authentication key for reading a cryptographic block recorded in the designated storage area (n, 0? N <N, n? M) from the security server, The terminal's program To the RAM.

According to the present invention, the two-channel authentication method using the noncontact medium may intervene in a data exchange process between a program of the second terminal and a designated security server, receive an authentication value generated through the security server, And transmitting the authentication value to a program of the terminal, wherein the fourth step further includes receiving the authentication value from the program of the second terminal, and the fifth step of providing the authentication value to the decryption server Wherein the authentication value is authenticated through the decryption server, and the authentication means information can be generated using the cipher block as a result of authentication of the authentication value.

According to the present invention, the program of the second terminal comprises the steps of: receiving authentication information (s) and authentication code (s) from the operating server; and validating the validity of the received authentication code (s) And authenticating the user.

According to the present invention, the medium access procedure further comprises the steps of: the program of the second terminal reading a unique serial number from a noncontact medium supporting NFC through the NFC module of the second terminal; (M) recorded in a designated storage area (m, 0? M <N) among N (N> 1) storage areas provided in the noncontact medium, The program of the second terminal transfers the first authentication key to the noncontact medium via the NFC module and records the first authentication key in the designated storage area m of the noncontact medium (M) of the noncontact medium; and a program for causing the program of the second terminal to process the read authentication code (m) to be transmitted to the security server, N, n ≠ m) The program of the second terminal transfers the second authentication key to the noncontact medium via the NFC module to transmit the second authentication key to the designated storage area (n) of the noncontact medium And reading the recorded cipher block.

According to the present invention, the cipher block can be transmitted to a decryption server having a decryption module for the cipher block.

According to the present invention, the medium access procedure further comprises the step of the program of the second terminal receiving the authentication value generated through the security server based on the verification result of the authentication code (m) through the security server The method according to claim 1, further comprising the step of processing the authentication code to be transmitted to the decryption server when the program of the second terminal transmits the read encrypted block to the decryption server, The validity can be authenticated.

According to the present invention, the authentication information (t) may include at least one of personal information input from the user through the second terminal and secret information of a user corresponding to the authentication means information corresponding to the cipher block .

Meanwhile, a two-channel authentication method using a noncontact medium according to the present invention is a method executed through a program provided in a second terminal of a user having an NFC module, the method comprising: (N > 1) number of storage areas (m, 0 < m &gt;(N); a second step of receiving a first authentication key for reading the authentication code (m) recorded in the noncontact medium (N), and transmitting the first authentication key to the noncontact medium via the NFC module (M) recorded in the area (m); a step of processing the read authentication code (m) to be transferred to the security server and reading the designated storage area of the noncontact medium &Lt; N, n? M) (C) transmitting the second authentication key to the noncontact medium through the NFC module and reading the cipher block recorded in the designated storage area (n) of the noncontact medium, And a sixth step of processing the read cipher block to be transferred to the designated decryption server.

According to the present invention, the sixth step may transmit the cipher block to an operation server interlocked with the decryption server.

According to the present invention, in the two-channel authentication method using the noncontact medium, authentication information (s) for authentication processing from the operation server and authentication code (s) dynamically generated for server authentication through the program of the second terminal Further comprising the step of authenticating the validity of the received authentication code (s) through a designated code verification procedure, wherein the first step comprises: validating the validity of the authentication code (s) You can read unique serial numbers from contactless media that support NFC.

According to the present invention, the sixth step may further include generating authentication information (t) to be used in the authentication procedure using the cipher block and transmitting the generated authentication information to the operation server.

According to the present invention, the method further comprises dynamically generating an authentication code (t) for a second terminal authentication that drives or activates the program, wherein the step (6) To the mobile station.

According to the present invention, in the two-channel authentication method using the non-contact medium, the authentication value generated through the security server is received based on the verification result of the authentication code (m) through the security server upon receipt of the second authentication key The method of claim 1, further comprising the step of: processing the authentication value to be transmitted to the decryption server, wherein the authentication value can be authenticated through the designated decryption server.

According to the present invention, the two-channel authentication method using the noncontact medium may further include receiving and outputting an authentication approval result of the authentication approval procedure performed using the authentication means information generated through the cipher block .

According to the present invention, in a non-contact medium including a non-contact type financial IC card such as a traffic card, a non-contact / combination type credit card, or the like, from a second terminal of a user installing an NFC module at the time of an authentication request through a first communication network, There is an advantage that authentication is performed in proximity to each other.

According to the present invention, there is an advantage that the non-contact medium including the contactless financial IC card is brought close to the user's second terminal, and the cipher block read from the noncontact medium at the time of authentication is not decrypted in the second terminal.

According to the present invention, in a process of reading a cipher block from a non-contact medium and performing an authentication process by bringing a non-contact medium including a contactless type financial IC card into contact with a user's second terminal, There is an advantage that the security server and the decryption server mutually authenticate the operation and the validity of the other party to securely process the authentication.

1 is a diagram showing a configuration of a two-channel authentication system using a noncontact medium according to an embodiment of the present invention.
2 is a diagram showing a functional configuration of a second terminal and a program according to an embodiment of the present invention.
3 is a diagram illustrating a server authentication and NFC activation process using a second terminal according to an embodiment of the present invention.
4 is a diagram illustrating a process of exchanging primary information between a second terminal and a security server for accessing a non-contact medium according to an embodiment of the present invention.
5 is a diagram illustrating a process of exchanging secondary information between a second terminal and a security server for accessing a contactless medium according to an embodiment of the present invention.
6 is a diagram illustrating a process of exchanging secondary information between a second terminal and a security server for accessing a non-contact medium according to another embodiment of the present invention.
7 is a diagram illustrating a process of reading a cipher block from a non-contact medium according to an embodiment of the present invention.
8 is a diagram illustrating a process of performing an authentication procedure using a cipher block read from a non-contact medium according to an embodiment of the present invention.
9 is a diagram illustrating a process of performing an authentication procedure using a cipher block read from a non-contact medium according to another embodiment of the present invention.
10 is a diagram illustrating a process of performing an authentication procedure using an authentication unit generated through a cipher block according to an embodiment of the present invention.

The operation principle of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. It should be understood, however, that the drawings and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention, and are not to be construed as limiting the present invention.

In other words, the following embodiments correspond to the preferred embodiment of the preferred embodiment of the present invention. In the following embodiments, a specific configuration (or step) is omitted, or a specific configuration (or step) (Or steps), or an embodiment that incorporates functions implemented in more than one configuration (or step) into any one configuration (or step), a particular configuration (or step) It will be apparent that the present invention is not limited to the embodiments described below. In the following embodiments, a specific configuration unit implemented on the server side is implemented on the terminal side and reference is made on the server side, or conversely, in the following embodiments, a specific configuration unit implemented on the terminal side is implemented on the server side, And all of the embodiments utilizing the same are also included in the scope of the present invention. Therefore, it should be clearly stated that various embodiments corresponding to subsets or combinations based on the following embodiments can be subdivided based on the filing date of the present invention.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The terms used below are defined in consideration of the functions of the present invention, which may vary depending on the user, intention or custom of the operator. Therefore, the definition should be based on the contents throughout the present invention.

As a result, the technical idea of the present invention is determined by the claims, and the following embodiments are merely means for effectively explaining the technical idea of the present invention to a person having ordinary skill in the art to which the present invention belongs Only.

1 is a diagram showing a configuration of a two-channel authentication system using a noncontact medium 100 according to an embodiment of the present invention.

In more detail, in FIG. 1, a first terminal 105 of a user requests an authentication procedure to a second terminal 200 of a user via a second communication network in response to an authentication request through a first communication network, (N > n < N) among the N (N &gt; 1) storage areas on the near field communication based noncontact medium 100 interfaced with the second terminal 200 through the first storage area 150, ) And processes the authentication corresponding to the authentication request of the first terminal 105 through the authentication means generated using the cipher block read from the noncontact medium 100 via the designated decryption server 160 1 is a block diagram illustrating a configuration of a system according to an exemplary embodiment of the present invention. Referring to FIG. 1, Method (e.g., some components may be omitted, Is would be able to infer the exemplary method or broken, or combined), the present invention is made, including any exemplary way in which the inference, to which the technical feature that is not limited to the exemplary method shown in the figure 1.

The present invention relates to an NFC-based authentication method, which is a method for authenticating a user, comprising: a first terminal (105) of a user requesting authentication through a first communication network; an NFC- A second terminal 200 of a user that interfaces with the noncontact medium 100 via the NFC module 205 and is connected to the second communication network and a second terminal 200 that uses the first terminal 105 of the user After confirming the authentication request and accessing the storage area n for storing the cipher block in the storage area of the contactless medium 100 interfaced with the user's second terminal 200 using the second communication network, An operation server 110 for performing an authentication approval related procedure using a cipher block read from a designated storage area n of the noncontact media 100 and a noncontact medium 200 interfaced with the second terminal 200 through a second communication network, (N) for accessing the storage area &lt; RTI ID = 0.0 &gt; A decryption server (160) for generating authentication means information corresponding to a cipher block read from the storage area (n) of the noncontact medium (100), a decryption server And an authentication server 170 for performing an authentication approval procedure using the authentication means information. The operation server 110, the security server 150, the decryption server 160, and the authentication server 170 are interworked with each other through a communication network (e.g., a dedicated line) Server.

The first terminal 105 is a collective term for terminals requesting authentication through a first communication network physically and logically distinguished from a second communication network to which the second terminal 200 having the NFC module 205 is connected, Preferably a wired terminal (e.g., a computer connected to a wired Internet, a notebook computer, etc.) connected to a wired communication network (e.g., wired Internet). However, the first terminal 105 is not limited to the wired terminal but requests authentication through a first communication network that is different from the second communication network to which the second terminal 200 having the NFC module 205 accesses It is clear that the terminal can include any terminal (for example, wireless communication terminal to IPTV, etc.).

According to an embodiment of the present invention, the first terminal 105 accesses a designated web server (for example, a shopping mall server) through a first communication network and requests authentication using the noncontact medium 100 according to the present invention. The authentication request may be directly transmitted to the operation server 110 via the first terminal 105 or may be transmitted to the operation server 110 through a separate relay agency such as a PG.

The noncontact medium 100 is a general term of a medium for interfacing with the second terminal 200 through NFC. The noncontact medium 100 preferably includes a transportation card (for example, a T money card) supporting NFC, a noncontact IC card Post-paid transportation card, credit card supporting NFC, various ID cards supporting NFC, etc.).

According to the embodiment of the present invention, the noncontact medium 100 is loaded with a chip having N storage areas, and decrypted through a decryption server 160 specified in one of the N storage areas (n) Keep a record of possible cipher blocks.

The second terminal 200 is a generic name of a terminal having an NFC module 205 connected to a second communication network physically / logically distinguished from the first communication network to which the first terminal 105 is connected and processing NFC Preferably a wireless terminal (for example, a mobile phone, a smart phone, a tablet PC, or the like) connected to a wireless communication network (e.g., a mobile communication network, a portable Internet or a wireless LAN). However, the second terminal 200 is not limited to the wireless terminal. If the terminal is connected to the second communication network, which is differentiated from the first communication network, and has the NFC module 205, Wired terminal) in the case of the present invention. Hereinafter, the features of the present invention will be described focusing on an embodiment in which the second terminal 200 is a wireless terminal such as a smart phone. The second terminal 200 communicates with the operation server 110 through the second communication network in cooperation with the noncontact medium 100 through the NFC module 205 to perform a communication (or a security server 150, a decryption server 160). The preferred embodiment of the program 210 will be described with reference to FIG.

The security server 150 operates a security module 155 for managing various authentication keys for reading the cipher block recorded in the storage area n of the contactless medium 100 interfaced with the second terminal 200 The security module 155 may include a configuration of a secure application module (SAM) implemented in a server on a network.

According to the embodiment of the first security module 155 of the present invention, the program 210 of the second terminal 200 may be transmitted via the operation server 110 or via at least one relay server And may communicate with the security server 150.

According to the embodiment of the second security module 155 of the present invention, the program 210 of the second terminal 200 sets communication information for communicating with the security server 150, And may communicate with the security server 150 by using the security server 150.

The decryption server 160 collectively refers to a server that operates a decryption module 165 that decrypts a cipher block recorded in the storage area n of the noncontact medium 100 interfaced with the second terminal 200, The decryption module 165 may include a configuration of a SAM implemented in a server on a network.

The program 210 of the second terminal 200 may be transmitted to the second terminal 200 via the operation server 110 or via at least one relay server (not shown) And can communicate with the decryption server 160.

According to the embodiment of the second decoding module 165 of the present invention, the program 210 of the second terminal 200 sets communication information for communicating with the decryption server 160, And can communicate with the decryption server 160 by using the encryption key.

According to an embodiment of the present invention, the security server 150 and the decryption server 160 may be integrated into one server or separately implemented by the respective servers. For the sake of convenience, An embodiment in which the security server 150 and the decryption server 160 are implemented as individual servers will be described.

The authentication server 170 is a server for performing an authentication procedure using the authentication means information generated through the cipher block recorded in the storage area n of the contactless medium 100 interfaced with the second terminal 200 As a generic term, it may preferably include a financial company server including at least one card issuer server, a bank server, etc. In this case, the authentication approval procedure may be performed through the financial company server. Meanwhile, the authentication server 170 may include a payment relay server (e.g., a payment agency, a VAN, etc.) linked with at least one financial company server according to an embodiment of the present invention. In this case, Server can be performed in cooperation with each other.

The operating server 110 is a collective term for a server that performs at least one designated procedure for authentication processing by communicating with the program 210 of the second terminal 200. Preferably, Communication between the security server 210 and the security server 150, the decryption server 160, and the authentication server 170 can be relayed.

According to an embodiment of the present invention, communication between the program 210 of the second terminal 200 and the operation server 110 is performed by means of a predetermined encryption / decryption method, The communication between the program 210 of the second terminal 200 and the operation server 110 (and / or the communication between the security server 150 and / or the decryption server 160) And that it is encrypted / decrypted according to the encryption / decryption method.

Referring to FIG. 1, the operation server 110 includes a first communication confirmation unit 112 for confirming communication with a first terminal 105 via a first communication network, An authentication request receiving unit 114 for receiving authentication request information transmitted through a first communication network and an authentication request storage unit 118 for storing the received authentication request information, And an authentication request responding unit (116) for processing a response to the authentication request to the authentication server (105).

When the first terminal 105 of the user accesses the web server through the first communication network and selects the authentication according to the present invention, the first communication confirmation unit 112 determines whether or not the first terminal 105, The first terminal 105 confirms the communication with the first terminal 105 via the direct path for direct communication or the relay path via the specified relaying institution.

When the first terminal 105 of the user requests the authentication according to the present invention through the first communication network, the authentication request receiving unit 114 transmits the authentication request to the designated path (for example, a direct path directly communicating with the first terminal 105, And receives the authentication request information for the authentication request from the first terminal 105 via the relay path via the designated relaying institution.

According to the first authentication requesting method of the present invention, the authentication request information is transmitted from the first terminal (105) of the user, and the authentication request receiving unit (114) 105, &lt; / RTI &gt;

According to the second authentication requesting method of the present invention, the authentication request information is requested to be transmitted to the web server through the first terminal 105 of the user, and the authentication request receiving unit 114 transmits the authentication request information to the web server Lt; RTI ID = 0.0 &gt; authentication &lt; / RTI &gt;

According to the third authentication requesting method of the present invention, the authentication request information is requested to be transmitted to the relaying institution through the first terminal 105 of the user, and the authentication request receiving unit 114 receives the authentication requesting information from the designated relaying institution Lt; RTI ID = 0.0 &gt; information &lt; / RTI &gt;

According to the fourth authentication requesting method of the present invention, the authentication request information is transmitted in a partially combined manner of the first to third authentication requesting methods, and the authentication request receiving unit 114 receives the first to second authentication request The authentication request information can be received in a manner combining the authentication request information and the authentication information. For example, some of the authentication request information may be transmitted from the first terminal 105, or some of the authentication request information may be transmitted from an intermediary.

According to the embodiment of the present invention, the authentication request information includes at least one of merchant information (e.g., information identifying an institution / company / server requesting authentication such as a merchant ID and a merchant's name), a transaction number ), An authentication result transmission URL, and an authentication cancellation response URL.

The authentication request storage unit 118 stores the authentication request information received through the authentication request receiving unit 114 in a designated storage medium and holds the authentication request information until the authentication approval result for the authentication request is confirmed or the authentication cancellation is requested .

The authentication request responding unit 116 generates at least one authentication response information for the authentication request information received through the authentication request receiving unit 114 and transmits the generated authentication response information to the first 1 &lt; / RTI &gt; Preferably, the authentication request response unit 116 provides the authentication result to the first terminal 105 or various error information generated during the procedure related to the authentication to the first terminal 105 .

Referring to FIG. 1, the operation server 110 includes a second terminal confirmation unit 120 for identifying a second terminal 200 having an NFC module 205 of a user terminal and accessing a second communication network, A second communication activation unit 122 for activating communication between the second terminal 200 and the operation server 110 through a second communication network and a second communication activation unit 122 for activating communication between the second terminal 200 and the operation server 110 via the second communication network, An authentication information generation unit 126 for generating authentication information s for authentication processing of the authentication request information, An authentication code generation unit 128 for dynamically generating an authentication code s for server authentication through the program 210 of the second terminal 200; And an information providing unit 130 for providing the authentication information s and the authentication code s to the program 210 of FIG. Meanwhile, the authentication code (s) generating unit 128 may be implemented as a separate server linked to the operation server 110, and thus the present invention is not limited thereto.

The second terminal confirmation unit 120 receives the authentication request information received through the authentication request receiving unit 114 and transmits the authentication request information to the second terminal (not shown) via the NFC module 205 of the user terminal 200).

According to the embodiment of the present invention, the second terminal check unit 120 may check the first terminal 105 of the user (e.g., at least one of the web server, the relay agency, and the operation server 110) (E.g., information assigned to the terminal 105 or address information (IP / MAC) unique to the first terminal 105) or user identification information using the first terminal 105 , The relay agency, the operation server 110, etc.) and the user's second terminal 200 information in advance, and may store and store the information. In this case, (Or user identification information using the first terminal 105) of the user via the first terminal 105 and the first terminal 105 information of the user ) Of the second terminal 200 of the user mapped to the second terminal 200 of the mapped user. Alternatively, the second terminal confirmation unit 120 can read the authentication request information received through the authentication request reception unit 114 and confirm the user's second terminal 200 information (e.g., mobile phone number, etc.).

The second communication activation unit 122 may transmit the second program to the second terminal 200 of the user through the second communication network when the second terminal 200 of the user confirms the program 210 of the second terminal 200 The program 210 of the second terminal 200 is activated or activated by sending out a push notification for activation (e.g., execution of the program 210) or activation (e.g., activation of the front side in the background) And may request the operation server 110 to request a communication connection according to the communication macro set in the program 210. Alternatively, the second communication activation unit 122 may perform a process of outputting a message for activating or activating the program 210 of the second terminal 200 to the first terminal 105, Or to activate or activate the program 210 of the computer 200. Meanwhile, the second communication activation unit 122 may be omitted according to the method of operation, and thus the present invention is not limited thereto.

The drive / activity verifying unit 124 checks whether the program 210 installed in the second terminal 200 is activated or activated through the second communication network. If the program 210 of the second terminal 200 is activated or activated and attempts to establish a communication connection with the operation server 110 according to the designated communication macro, the activation / It is possible to confirm that the program 210 of the second terminal 200 attempting to operate is activated or activated.

At a point in time before transmitting the information designated as the program 210 of the second terminal 200 through the information providing unit 130 after receiving the authentication request information through the authentication request receiving unit 114, The information (s) generation unit 126 generates authentication information (s) for authentication processing of the authentication request information. According to an embodiment of the present invention, the authentication information s may include at least one of merchant information and a transaction number.

At a point in time before transmitting the information designated as the program 210 of the second terminal 200 through the information providing unit 130 after receiving the authentication request information through the authentication request receiving unit 114, The code generation unit 128 may authenticate the validity of the operation server 110 providing the authentication information through the program 210 of the second terminal 200, (S) for performing validation and / or transaction validation of the first terminal 200 (or the program 210 of the second terminal 200). The authentication code generation unit 128 may generate a shared value (e.g., a MIN value of the second terminal 200) exchanged / shared with the program 210 of the second terminal 200 in advance / (E.g., a key value exchanged / shared), and / or a synchronization value (e.g., time, etc.) synchronized with the program 210 of the second terminal 200 into a specified code generation algorithm (s) can be dynamically generated.

The information providing unit 130 generates the authentication code s generated dynamically through the authentication code generating unit 128 and the authentication information s generated through the authentication information generating unit 126. [ And provides it to the program 210 of the second terminal 200 that has been confirmed to be driven or activated through the drive / activity verifier 124. [ The authentication information (s) and the authentication code (s) may be transmitted together, or sequentially provided in a specified order.

The program 210 of the second terminal 200 receives the authentication information (s) and the authentication code (s) from the operation server 110. Meanwhile, after the program 210 of the second terminal 200 is activated or activated, or after receiving the authentication information (s) and / or the authentication code (s), the program 210 of the second terminal 200 requests the user to input a PIN, The validity of the PIN input from the user. To this end, the program 210 of the second terminal 200 may register and manage the user's PIN in a designated storage area in advance.

When the authentication code (s) is received from the operation server 110, the program 210 of the second terminal 200 authenticates the validity of the received authentication code (s) using a designated code verification procedure . For example, the program 210 of the second terminal 200 may transmit a shared value (for example, a MIN of the second terminal 200, an exchange / (E.g., a key value, etc.) and / or a synchronization value (e.g., time, etc.) synchronized with the operating server 110 into a designated code generation algorithm (e.g., a hash algorithm) The validity of the authentication code (s) can be verified by comparing the authentication code (s) with the generated verification code (s).

When the authentication information s is received from the operation server 110, the program 210 of the second terminal 200 outputs the received authentication information s and reads from the non-contact medium 100, (T) for the authentication approval request using the cipher block.

According to the embodiment of the present invention, the program 210 of the second terminal 200 may be configured to store the personal information of the user (e.g., the first six digits of the resident registration number) and / or the secret information (e.g., , And the authentication information (t) may include personal information and / or secret information input from the user. Meanwhile, the authentication information (t) may include all or at least a part of the authentication information (s) according to the method.

When the validity of the authentication code (s) is authenticated, the program 210 of the second terminal 200 performs a procedure for reading the cipher block from the non-contact medium 100 interfaced with the second terminal 200 do. Preferably, the program 210 of the second terminal 200 performs a procedure for activating the NFC module 205 of the second terminal 200 (but may be omitted if it is activated) Contact medium 100 in proximity to the NFC module 205 of the second terminal 200 by displaying guidance information for inducing the noncontact medium 100 to approach the NFC module 205 of the terminal 200, 100).

The program 210 of the second terminal 200 may include a medium access procedure for accessing a storage area of the noncontact medium 100 to read a cipher block recorded in a designated storage area of the recognized non- And the media access procedure may be processed through communication between the security server 150 and the program 210 of the second terminal 200 interfaced with the contactless medium 100. [

According to an embodiment of the present invention, the communication between the security server 150 and the program 210 of the second terminal 200 for the medium access procedure can be processed via the operation server 110, The operation server 110 accesses the storage area of the noncontact medium 100 interfaced with the NFC module 205 of the second terminal 200 to read the cryptographic block from the noncontact medium 100 And a medium access procedure relaying unit 132 for relaying a medium access procedure between the program 210 of the second terminal 200 and the security server 150. [

The program 210 of the second terminal 200 receives a unique serial number from the noncontact medium 100 through the NFC module 205 of the second terminal 200 Number, chip serial number), and the like, and processes the unique serial number read from the noncontact medium 100 through the designated path to be transmitted to the designated security server 150. Preferably, the program 210 of the second terminal 200 transmits the read unique serial number to the operation server 110, and the media access procedure relay unit 132 of the operation server 110 transmits And may transmit the unique serial number to the security server 150. Meanwhile, the program 210 of the second terminal 200 may transmit the unique serial number to the security server 150 through the second communication network.

The security server 150 receives a designated storage area m (0? M <N) among N (N> 1) storage areas included in the noncontact medium 100 corresponding to the unique serial number from the security module 155, (M) recorded in the second terminal 200 and transmits the extracted first authentication key to the program 210 of the second terminal 200 through the designated path. Preferably, the security server 150 transmits the first authentication key to the operation server 110, and the media access procedure relay unit 132 of the operation server 110 transmits the first authentication key to the operation server 110 2 terminal 200 to the program 210 of the terminal 200. [ Meanwhile, the security server 150 may transmit the first authentication key to the program 210 of the second terminal 200 through the second communication network.

The program 210 of the second terminal 200 receiving the first authentication key transmits the first authentication key to the noncontact medium 100 through the NFC module 205 of the second terminal 200 (M) recorded in the designated storage area (m) of the noncontact medium (100). The noncontact medium 100 authenticates the first authentication key according to a designated authentication procedure and responds to the authentication code m recorded in the storage area m when the authentication is successful. The program 210 of the noncontact medium 100 reads the authentication code m recorded in the storage area m of the noncontact medium 100. [ Meanwhile, the non-contact medium 100 can respond to the issuer information (Issuer) according to the embodiment, and the program 210 of the second terminal 200 can read the issuer information of the non-contact medium 100 . In this case, the authentication code (m) and the issuer information are preferably read together.

According to the method of the present invention, the authentication code (m) is transmitted to the SAM for reading the cipher block recorded in the storage area (n) of the noncontact medium (100) (Or a chip type of the noncontact medium 100), or may be replaced with another value.

The program 210 of the second terminal 200 processes the authentication code m read from the noncontact medium 100 via the designated path to be transmitted to the security server 150. Preferably, the program 210 of the second terminal 200 transmits the read authentication code m to the operation server 110 and the media access procedure relay unit 132 of the operation server 110 May transmit the authentication code (m) to the security server 150. Meanwhile, the program 210 of the second terminal 200 may transmit the authentication code m to the security server 150 through the second communication network.

The security server 150 authenticates the validity of the authentication code m through the security module 155 and authenticates the validity of the non-contact medium 100 from the security module 155 during validity authentication of the authentication code m. The second authentication key for reading the cipher block recorded in the designated storage area (n, 0? N <N, n? M) is extracted as a second authentication key, and the program of the second terminal 200 (210). Preferably, the security server 150 transmits the second authentication key to the operation server 110, and the media access procedure relay unit 132 of the operation server 110 transmits the second authentication key to the operation server 110, 2 terminal 200 to the program 210 of the terminal 200. [ Meanwhile, the security server 150 may transmit the second authentication key to the program 210 of the second terminal 200 through the second communication network according to an embodiment of the present invention.

According to an embodiment of the present invention, the security server 150 includes a security server 150 that performs a medium access procedure for reading a cipher block from the noncontact medium 100, Generates an authentication value for validity verification between the decryption server 160 that decrypts the cipher block read from the medium 100 and transmits the authentication value to the program 210 of the second terminal 200 through the designated path It can be processed to be transmitted.

According to an embodiment of the present invention, the security server 150 may synchronize with the decryption server 160 and / or the shared value (e.g., secret key) exchanged / shared in advance / (E.g., time, random number, etc.) to a designated code generation algorithm (e.g., a hash algorithm) to generate an authentication value. In this case, the security server 150 and the decryption server 160 The validity of the authentication value can be authenticated through a code verification procedure performed by the decryption server 160 even if the authentication value is not shared. Meanwhile, the security server 150 may generate an authentication value through a random number algorithm. In this case, the security server 150 may share the authentication value with the decryption server 160 and process the authentication value.

According to the embodiment of the present invention, the authentication value is included in the one transaction block with the second authentication key and is delivered to the program 210 of the second terminal 200, Or sequential) to the program 210 of the second terminal 200. When the second authentication key and the authentication value are transmitted to the program 210 of the second terminal 200 through one transaction block, the security server 150 transmits the second authentication key and the authentication value to the operation server 210 And the media access procedure relay unit 132 of the operation server 110 may transmit the second authentication key and the authentication value to the program 210 of the second terminal 200. [ Meanwhile, the security server 150 may transmit the second authentication key and the authentication value to the program 210 of the second terminal 200 through the second communication network.

The program 210 of the second terminal 200 receiving the second authentication key transmits the second authentication key to the noncontact medium 100 through the NFC module 205 of the second terminal 200 And requests a cipher block recorded in the designated storage area (n) of the noncontact medium (100). The noncontact medium 100 authenticates the second authentication key according to a designated authentication procedure and responds to a cipher block recorded in the storage area n when the authentication is successful. 210 reads the cipher block recorded in the storage area (n) of the noncontact medium (100).

When the cipher block is read from the noncontact medium 100, the program 210 of the second terminal 200 transmits the cipher block read from the noncontact medium 100 via the designated path to the decryption server 160 Generated through the program 210 of the second terminal 200 in order to authenticate the validity of the second terminal 200 that has activated or activated the program 210 through the operation server 110, And transmits authentication code (t) and authentication information (t) for authentication approval request to the operation server (110). The read cipher block and the generated authentication code t and authentication information t may be included in one transaction block and transmitted to the operation server 110 or may be transmitted in a predetermined order or route .

Meanwhile, when the authentication value generated through the security server 150 is received by the program 210 of the second terminal 200, the program 210 of the second terminal 200 transmits the authentication value Value to be transmitted to the decryption server 160. [ The cipher block and the authentication value may be transmitted through one transaction block, or may be transmitted (or sequentially) through a specified sequence or path.

Referring to FIG. 1, the operation server 110 extracts, from a designated storage area (n) of a noncontact medium 100 supporting NFC through a NFC module 205 of the second terminal 200, Generated through the program 210 of the second terminal 200 for the authentication of the cipher block leading to the program 210 of the second terminal 200 and the authentication of the second terminal 200 driving or activating the program 210, (T) authentication unit 136 for authenticating the validity of the received authentication code t, and an authentication code (t) authentication unit 134 for authenticating the validity of the received authentication code t. (T) authentication unit 138 for authenticating the integrity of the received authentication information t, an authentication means requesting unit for requesting authentication information corresponding to the cipher block to the specified decryption server 160 140). Meanwhile, the authentication code (t) authentication unit 136 may be implemented as a separate server in cooperation with the operation server 110, and thus the present invention is not limited thereto.

When the program 210 of the second terminal 200 transmits a cipher block read from the designated storage area n of the noncontact medium 100, And receives the cipher block from the program 210. Meanwhile, when the program 210 of the second terminal 200 transmits the cipher block and the authentication value, the information receiver 134 receives the cipher block and the authentication value from the program 210 of the second terminal 200 Lt; / RTI &gt;

The program 210 of the second terminal 200 generates an authentication code t for receiving the validity of the second terminal 200 that drives or activates the program 210 through the operation server 110 The information receiving unit 134 receives the authentication code t from the program 210 of the second terminal 200. [ Preferably, the program 210 of the second terminal 200 includes a shared value (e.g., a MIN of the second terminal 200, an exchange / shared key, etc.) exchanged / shared with the operation server 110 in advance / Value), and / or a synchronization value (e.g., time, etc.) synchronized with the operating server 110 into a designated code generation algorithm (e.g., a hash algorithm).

When the authentication code t is received from the program 210 of the second terminal 200, the authentication code (t) authentication unit 136 uses the designated code verification procedure to verify the received authentication code t Authenticate the validity. For example, the authentication code (t) authentication unit 136 may generate a shared value (for example, a MIN of the second terminal 200) that is exchanged / shared with the program 210 of the second terminal 200 in advance / (E.g., an exchange / shared key value) and / or a synchronization value (e.g., time, etc.) synchronized with the program 210 of the second terminal 200 into a specified code generation algorithm (T), and verify the validity of the authentication code (t) by comparing the received authentication code (t) with the generated verification code (t).

When the authentication information t is received from the program 210 of the second terminal 200, the authentication information t authentication unit 138 transmits the authentication information t to the second terminal 200 through the information providing unit 130, And confirms whether the configuration items of the authentication information s and the configuration items of the authentication information t are compared for each item to see if they match. For example, the authentication information (t) authentication unit 138 can authenticate whether the transaction number of the authentication information (t) matches the transaction number of the authentication information (s). If the configuration items of the authentication information (t) and the authentication information (s) coincide, the authentication information (t) may be authenticated as unmodified without being up / modulated.

When the validity of the authentication code t is authenticated and / or the integrity of the authentication information t is authenticated, the authentication unit request unit 140 determines the encryption block received through the information receiver 134 To the decryption server 160 to request the authentication means information corresponding to the cipher block through the decryption module 165 of the decryption server 160. [ Meanwhile, when the authentication value is received from the program 210 of the second terminal 200, the authentication means request unit 140 transmits the authentication value to the decryption server 160, Contacted medium 100 as a result of the medium access procedure through the secure server 150. In this case,

According to the embodiment of the present invention, the cipher block is encrypted to be decrypted through a decryption key managed through the decryption module 165 of the decryption server 160, and is recorded in the storage area n of the noncontact medium 100 . The cipher block decrypts the block information recorded in the storage area n at the time when the cipher block is read through the medium access procedure through the decryption key managed through the decryption module 165 of the decryption server 160 So that the present invention is not limited thereto.

According to the method of the present invention, the cipher block includes authentication means information (e.g., credit card information, check card information, debit card information, cash card information, prepaid card information, At least one of the card information, the account information, etc.), or may include the identification information for identifying the authentication means to be used in the authentication process. Alternatively, the cipher block may include predetermined block information in addition to the authentication means information and the identification information.

The decryption server 160 identifies the cipher module that is read from the noncontact medium 100 and generates authentication means information corresponding to the cipher block through the decryption module 165. [

According to the first authentication means generation method of the present invention, when the authentication means information is encrypted in the encryption block, the decryption server 160 can generate the authentication means information by decoding the encryption block.

According to the second authentication means generation method of the present invention, when the identification information for identifying the authentication means is encrypted in the cipher block, the decryption server 160 decrypts the cipher block to check the authentication means information, (For example, a SAM storage area of the decoding module 165, a DB of a financial institution, or a safe storage medium permitted to store authentication means information) for storing authentication means information to be used for processing And the mapped authentication means information can be obtained.

According to the third authentication means generation method of the present invention, the encryption block can perform the function of the identifier mapped to the authentication means information. In this case, the decryption server 160 stores the authentication means information to be used for the authentication processing (For example, a SAM storage area of the decryption module 165, a DB of a financial institution, or a secure storage medium permitted to store authentication means information, etc.) have.

According to the fourth authentication means generation method of the present invention, the decryption server 160 decrypts the cipher block and confirms block information (or authentication information, identification information, etc., hereinafter referred to as block information for convenience) The authentication information of the specified information system corresponding to the authentication means can be generated using the block information. For example, the decryption server 160 may generate the authentication means information by substituting the hash value generated by hashing the block information into the designated information system. In this case, the authentication means information may be a function of the disposable authentication means Can be performed. Alternatively, the decryption server 160 may generate the authentication means information by substituting the partial information of the block information into the designated information system.

According to the fifth authentication means generation method of the present invention, the decryption server 160 can generate the authentication means information of the specified information system corresponding to the authentication means using the cipher block. For example, the decryption server 160 may generate the authentication means information by substituting the hash value generated by hashing the cipher block into the specified information system. In this case, the authentication means information may be a function of the disposable authentication means Can be performed. Alternatively, the decryption server 160 may generate the authentication means information by substituting some information of the cipher block into the specified information system.

Meanwhile, the decryption server 160 generates the authentication means information by combining two or more of the first to fifth authentication method generation methods, or modifies a part of the first to fifth authentication method generation methods, It is clear that the present invention is not limited thereto. That is, the present invention includes the number of all cases in which the authentication means information to be used for authentication using the cipher block is included in the right range.

The decryption server 160 transmits the authentication means information generated using the cipher block to the operation server 110 based on at least one of the first to fifth authentication method generation methods or a modification method thereof.

Meanwhile, when an authentication value is received from the operation server 110, the decryption server 160 authenticates the validity of the authentication value. Preferably, the decryption server 160 can authenticate the validity of the received authentication code (s) using a specified code verification procedure. For example, the decryption server 160 may transmit a shared value that is pre / real-time exchanged / shared with the security server 150 and / or a synchronization value synchronized with the security server 150, Hash algorithm) to generate a verification value, and compare the verification value with the verification value to verify the validity of the verification code (s). Alternatively, when the authentication value is a random number generated through the security server 150, the decryption server 160 receives the random number from the security server 150, calculates the validity of the authentication value using the shared random number Can be authenticated. Preferably, the decryption server 160 may generate the authentication means information through the cipher block when the validity of the authentication value is authenticated.

Referring to FIG. 1, the operation server 110 includes an authentication unit receiving unit 142 for receiving authentication unit information generated through the encryption block from the decryption server 160, t) to the designated authentication server 170 to request authentication approval, an authorization result reception unit 146 for receiving an authentication approval result from the authentication server 170, And an approval result transfer unit 148 for transferring the approval result to the program 210 of the second terminal 200.

When the decryption server 160 transmits the authentication means information generated through the encryption block through the decryption module 165, the authentication means receiving unit 142 receives the authentication information from the decryption server 160 through the encryption block And receives the authentication means information.

The authentication approval procedure unit 144 receives authentication information from the decryption server 160 and authentication information t (or authentication information s) received from the program 210 of the second terminal 200, (T) through the authentication means information, and the authentication server (170) transmits the authentication information (t) to the authentication server (170) via the authentication means information Perform the certification approval process for Korea. For example, when the authentication means information includes card information, and the authentication means is a financial company server, the financial institution server stores card information corresponding to the authentication means information, personal information included in the authentication information t and / Or may use the secret information to perform the authentication approval procedure to determine whether the card corresponding to the card information is effectively issued and operating. If the operation server 110 and the authentication server 170 are implemented as a server of the same company (for example, a financial company) according to another embodiment of the present invention, the authentication approval procedure unit 144 And can perform an authentication approval procedure for the authentication information (t).

The authentication server 170 generates an authentication approval result including the result of performing the authentication approval procedure and transmits the authentication approval result to the operation server 110. The authentication server 170 transmits the approval result reception unit 146 to the authentication server 170 The approval result transmitting unit 148 transmits the authentication approval result to the program 210 of the second terminal 200. [ Meanwhile, upon receiving the authentication approval result from the authentication server 170, the authentication request responding unit 116 may transmit the authentication approval result to the first terminal 105 through a designated path.

FIG. 2 is a diagram illustrating a functional configuration of a second terminal 200 and a program 210 according to an embodiment of the present invention.

More specifically, FIG. 2 illustrates an access right to the designated storage area (n) of the noncontact medium 100 interfaced through the NFC module 205 of the second terminal 200 through the specified security server 150 A program 210 for performing an authentication procedure for processing an encrypted block read from the storage area n of the noncontact media 100 to be transmitted to a designated decryption server 160 and a second terminal 200 of the second terminal 200. Those skilled in the art will be able to refer to and / or modify the FIG. 2 to deduce various implementations of the second terminal 200 function However, the present invention is not limited to the technical features of the present invention. Preferably, the second terminal 200 of FIG. 2 may include at least one of various smart phones capable of wireless communication, various tablet PCs, various PDAs, and various mobile phones.

2, the second terminal 200 includes a control unit 201, a memory unit 209, a screen output unit 202, a user input unit 203, a sound processing unit 204, an NFC module 205, A short range wireless communication unit 206, a wireless network communication unit 207, a USIM reader unit 208, and a USIM, and has a battery for power supply.

The controller 201 is a generic term for controlling the operation of the second terminal 200. The controller 201 includes at least one processor and an execution memory. Bus (BUS). According to the present invention, the control unit 201 loads at least one program code included in the second terminal 200 through the processor and loads the program code into the execution memory, and outputs the result through at least one And controls the operation of the second terminal 200. Hereinafter, the configuration of the program 210 of the present invention, which is implemented in the form of program code for convenience, will be described in the control unit 201. FIG.

The memory unit 209 is a generic name of a nonvolatile memory corresponding to a storage resource of the second terminal 200 and includes at least one program code executed through the control unit 201 and at least one And stores the data set. The memory unit 209 basically includes a system program code and a system data set corresponding to an operating system of the second terminal 200, a communication program code for processing a wireless communication connection of the second terminal 200, And at least one application program code and application data set, and the program code and data set corresponding to the program 210 of the present invention are also stored in the memory unit 209. [

The screen output unit 202 includes a screen output unit such as a liquid crystal display (LCD) and a driving module for driving the screen output unit 202. The screen output unit 202 is interlocked with the control unit 201, And outputs an operation result corresponding to the output to the screen output device.

The user input unit 203 includes at least one user input device (e.g., a button, a keypad, a touch pad, a touch screen or the like coupled to the screen output unit 202), and a drive module for driving the touch screen. And inputs a command for instructing various operations of the control unit 201 or data necessary for the operation of the control unit 201. [

The sound processing unit 204 includes a speaker, a microphone, and a driving module for driving the speaker. The sound processing unit 204 decodes sound data corresponding to a sound output from various calculation results of the control unit 201 and outputs the sound data through the speaker Or a sound signal input through the microphone, and transmits the encoded sound signal to the control unit 201.

The NFC module 205 may be a communication resource for processing one or more proximity wireless communications, such as two-way proximity wireless communication, full-duplex proximity wireless communication, and half-duplex proximity wireless communication, using a radio frequency signal as a communication medium at a close distance (e.g., , And is capable of processing proximity wireless communication according to the NFC (Near Field Communication) standard of the 13.56-MHz frequency band. Alternatively, the NFC module 205 may process the proximity wireless communication of the ISO 18000 series standard, in which case it may process the proximity wireless communication for the frequency band other than the 13.56 Mz frequency band. For example, the NFC module 205 may operate in a reader mode, a tag mode, or a bidirectional communication mode. Meanwhile, the NFC module 205 may be included in a communication resource for connecting the second terminal 200 to a communication network according to an object to be communicated in close proximity.

The wireless network communication unit 207 and the short-range wireless communication unit 206 are collectively referred to as communication resources for connecting the second terminal 200 to a designated communication network. The second terminal 200 may include a wireless communication unit 207 as a basic communication resource and may include one or more short-range wireless communication units 206.

The wireless network communication unit 207 collectively refers to a communication resource for connecting the second terminal 200 to a wireless communication network via a base station. The wireless communication unit 207 includes an antenna, an RF module, a baseband module, And a signal processing module. The control unit 201 is connected to the control unit 201 and transmits the calculation result corresponding to the wireless communication among the various calculation results of the control unit 201 through the wireless communication network or transmits the data through the wireless communication network And transmits it to the control unit 201, and performs the connection, registration, communication, and handoff procedures of the wireless communication. According to the present invention, the wireless network communication unit 207 can connect the second terminal 200 to a call network including a call channel and a data channel via an exchange, and in some cases, May be connected to a data network providing communication-based wireless network data communication (e.g., the Internet).

According to an embodiment of the present invention, the wireless network communication unit 207 is a mobile communication unit that performs at least one connection, a location registration, a call processing, a call connection, a data communication, and a handoff to a mobile communication network according to the CDMA / WCDMA / &Lt; / RTI &gt; Meanwhile, according to the intention of a person skilled in the art, the wireless network communication unit 207 may further include a portable Internet communication configuration for performing at least one of connection to the portable Internet, location registration, data communication and handoff according to the IEEE 802.16 standard, It is evident that the present invention is not limited by the wireless communication configuration provided by the wireless network communication unit 207. [ That is, the wireless network communication unit 207 is a general term for a configuration unit that connects to a wireless communication network through a cell-based base station irrespective of a frequency band of a wireless section, a type of a communication network, or a protocol.

The short-range wireless communication unit 206 connects a communication session using a radio frequency signal within a predetermined distance (for example, 10 m) as a communication medium and connects the second terminal 200 to the communication network on the basis of the short- The second terminal 200 may be connected to the communication network through at least one of Wi-Fi communication, Bluetooth communication, public wireless communication, and UWB. According to an embodiment of the present invention, the short-range wireless communication unit 206 may be integrated with or separated from the wireless network communication unit 207. According to the present invention, the short-range wireless communication unit 206 connects the second terminal 200 to a data network providing packet-based short-range wireless data communication through a wireless AP.

The USIM reader unit 208 is configured to exchange at least one data set with a universal subscriber identity module that is mounted or detached from the second terminal 200 based on the ISO / IEC 7816 standard As a generic term, the data set is exchanged in a half-duplex communication manner through an APDU (Application Protocol Data Unit).

The USIM is an SIM type card having an IC chip according to the ISO / IEC 7816 standard, and includes an input / output interface including at least one contact connected to the USIM reader unit 208, (Or processing) the program code for the IC chip in accordance with at least one command transmitted from the second terminal 200 in connection with the input / output interface, To the input / output interface.

The program 210 of the present invention is downloaded from a program providing server (for example, an Apple App Store or the like) through a data network to which the communication resource is connectable, and is stored in the memory unit 209. The downloaded program 210 operates in conjunction with the operation server 110, and may be manually operated by a user, or may be activated (or activated) automatically after user confirmation or automatically by receiving a message. Meanwhile, a separate program 210 may be in operation for activating the program 210 after user confirmation or automatically, and thus the present invention is not limited thereto.

Referring to FIG. 2, the program 210 of the second terminal 200 includes a user who uses the second terminal 200 operating the program 210 through a data network to which the communication resource is connectable, (200) that is operating the program (210) through at least one communication network connectable through a communication resource. The subscriber / authentication processing unit (215) And a terminal medium authentication unit 220 for performing a procedure for authenticating the terminal medium.

The program 210 includes communication connection macro information to access the operation server 110 via a data network connectable through the communication resource. The subscription / authentication processing unit 215 includes a screen output unit 202 (E.g., name, resident registration number, etc.) for joining the user as a member via the data network and an interface for inputting the member account through the data network, And transmits the member account to join the user as a member.

Meanwhile, the subscription of the user can be subscribed through a separate user terminal other than the second terminal 200. In order to authenticate that the subscribed user is a user using the second terminal 200 operating the program 210, the subscription / authentication processing unit 215 outputs an interface for inputting a pre-registered member account And transmits a member account inputted through the interface to the operation server 110 through the data network to join a user who uses the second terminal 200 operating the program 210 as a member have.

In the case of authenticating the subscribed user, the subscription / authentication processing unit 215 outputs an interface for inputting a pre-registered member account and / or a password, and transmits the member account and / To the operation server 110 through the network to authenticate the user using the second terminal 200 that is driving the program 210. [

The terminal medium authenticator 220 authenticates the validity of the program 210 through the at least one communication network among the data network and the telecommunication network to which the communication resource is connectable, to the operating server 110. According to the embodiment of the present invention, the process of authenticating the program 210 is performed through an arm / decryption communication process previously agreed upon between the program 210 and the operation server 110, A detailed description of the process will be omitted.

According to the first terminal medium authentication method of the present invention, the program 210 is downloaded through the program providing server in a state in which a unique key value that identifies the program is operated by the operating server 110, In this case, the terminal medium authentication unit 220 can authenticate that the program 210 is a program operated by the operation server 110 by transmitting the inherent key value to the operation server 110. [ Meanwhile, the terminal medium authentication unit 220 transmits at least one unique information, which is stored in the second terminal 200 or allocated to the communication network in the process of transmitting the unique key value to the operation server 110, The program 210 may be a program operated by the operation server 110 and may simultaneously authenticate that the program 210 is running on the second terminal 200. [

According to the second terminal medium authentication method of the present invention, after the program 210 is downloaded through the program providing server, an application identification value (for example, , The device token allocated by the APNS of the Apple company, etc.) may be allocated to the terminal 200. In this case, the terminal medium authentication unit 220 transmits the application identification value to the operation server 110, Can be authenticated as a program operated by the operating server 110. Meanwhile, the terminal medium authenticator 220 may transmit at least one unique information, which is stored in the second terminal 200 or allocated to the communication network in the process of transmitting the app identification value to the operation server 110, The program 210 may be a program operated by the operation server 110 and may simultaneously authenticate that the program 210 is running on the second terminal 200. [

According to the third terminal medium authentication method of the present invention, the program 210 defines at least one key value, a key exchange protocol and an encryption / decryption rule, and an authentication procedure for authenticating the program 210 using the key exchange protocol and encryption / The terminal medium authenticator 220 may transmit the at least one key value set in the certificate and the key value set in the certificate according to the authentication procedure defined in the certificate, Exchange protocol and the encryption / decryption rule to selectively authenticate that the program 210 is a program operated by the operation server 110. [ Meanwhile, the terminal medium authenticator 220 may use at least one unique information, which is stored in the second terminal 200 or allocated to the communication network in the course of using the certificate, to the authentication procedure, May be a program operated by the operation server 110 and may concurrently authenticate that the program 210 is running on the second terminal 200. [

According to the fourth terminal medium authentication method of the present invention, when the authentication number transmitted from the operation server 110 is received through the message exchange protocol of the communication network, the second terminal 200 transmits the received authentication number And transmits the program to the operation server 110 via the data network, thereby authenticating that the program 210 is a program operated by the operation server 110. Meanwhile, the terminal medium authentication unit 220 transmits at least one unique information, which is stored in the second terminal 200 or allocated to the communication network in the process of transmitting the authentication number to the operation server 110, So that the program 210 is simultaneously operated by the operation server 110 and that the program 210 is running on the second terminal 200. [

According to the fifth terminal medium authentication method of the present invention, the terminal medium authenticator 220 receives authentication information from the operation server 110 through an authentication method selectively combining at least one of the first through fourth terminal medium authentication methods It is possible to authenticate the validity of the program 210, and thus the present invention is not limited thereto.

Referring to FIG. 2, the program 210 of the second terminal 200 may be configured such that the program 210 is operated or activated by the operating server 110 when the program 210 is activated or activated according to a designated procedure. And a drive / activation processing unit 225 for recognizing the activation.

If the program 210 is driven or activated by push notification or the program 210 is driven or activated by a user operation through the key input unit, the drive / activation processing unit 225 may control the operation / And requests the operation server 110 to establish a communication connection to the operation server 110 through at least one communication unit of the short range wireless communication unit 206 and the wireless network communication unit 207, The program 210 may be activated or activated.

2, the program 210 of the second terminal 200 includes a receiving unit 230 for receiving authentication information (s) for authentication processing and authentication code (s) dynamically generated for server authentication, (S) authentication unit (235) for authenticating the validity of the received authentication code (s) through a designated code verification procedure. The validity of the authentication code (s) And a medium recognition unit 245 for recognizing the proximity of the noncontact medium 100 through the NFC module 205. The NFC module 205 may be a microprocessor,

After the program 210 is activated or activated, if the operation server 110 transmits the authentication information s for authentication processing and the dynamically generated authentication code s for server authentication, (S) and the authentication code (s) through at least one communication unit of the short-distance wireless communication unit 206 and the wireless network communication unit 207. [ The authentication information (s) and the authentication code (s) may be received together or separately (or sequentially) according to a specified procedure.

Meanwhile, when the authentication information (s) and the authentication code (s) are received from the operation server 110, the drive / activation processing unit 225 requests the PIN input of the user and the validity of the PIN input from the user Authentication. For this, the drive / activation processor 225 may register the PIN of the user in advance and store the PIN in the designated storage area.

When the authentication code (s) is received from the operation server 110, the authentication code (s) authentication unit 235 authenticates the validity of the received authentication code (s) using a designated code verification procedure. For example, the authentication code (s) authentication unit 235 may generate a shared value (for example, a MIN of the second terminal 200, an exchange / shared key (E.g., a value, etc.) and / or a synchronization value (e.g., time, etc.) synchronized with the operating server 110 to a designated code generation algorithm (e.g., a hash algorithm) to generate a verification code The validity of the authentication code (s) can be verified by comparing the code (s) with the generated verification code (s).

When the validity of the authentication code (s) is authenticated, the NFC activation unit 240 determines whether the NFC module 205 of the second terminal 200 is in an activated state so as to be able to interface with the noncontact medium 100. If the NFC module 205 is not activated, the NFC module 240 activates the NFC module 205 to interface with the noncontact media 100 through the NFC module 205 according to a designated procedure. .

When the NFC module 205 is activated, the medium recognition unit 245 confirms whether the noncontact medium 100 is close to the designated proximity and is interfaced through the NFC module 205. The medium recognition unit 245 displays induction information for inducing the noncontact medium 100 to approach the NFC module 205 through the screen output unit 202. The NFC module 205, Contact medium 100 that is close to the frequency reaching range.

Referring to FIG. 2, the program 210 of the second terminal 200 communicates with the security server 150 through a designated path to access a designated storage area (N) of the N storage areas included in the noncontact medium 100 n) of the noncontact medium 100 through the NFC module 205 as a result of the medium access procedure, a medium access processing unit 250 for performing a medium access procedure for reading the cipher block recorded in the non- (t) for authenticating the validity of the second terminal 200 that has driven or activated the program 210. The authentication block (t) (T) generating section 260 for generating authentication information t corresponding to the authentication information s, an authentication information t generating section 265 for generating authentication information t corresponding to the authentication information s, Block to the designated decryption server 160 and transmits the authentication code t to the operation server 110 And an authentication result processing unit 275 that has a transmission unit 270 and receives and outputs an authentication approval result of the authentication information t using the authentication means information generated using the cipher block on the designated path do.

The medium access processing unit 250 reads the unique serial number from the noncontact medium 100 through the NFC module 205 when the noncontact medium 100 near the frequency reaching range is recognized through the NFC module 205 Contacted medium 100 via the communication unit of at least one of the short-distance wireless communication unit 206 and the wireless network communication unit 207 to be transmitted to the specified security server 150. Preferably, the medium access processing unit 250 transmits the read unique serial number to the operation server 110, and the operation server 110 may transmit the unique serial number to the security server 150 . Meanwhile, the medium access processing unit 250 may transmit the unique serial number to the security server 150 through the second communication network.

The security server 150 receives from the security module 155 an authentication code that is recorded in a designated storage area (m, 0? M < N) out of N storage areas provided in the noncontact medium 100 corresponding to the unique serial number, (m) and transmits the extracted first authentication key to the program 210 of the second terminal 200 through the designated path. Preferably, the security server 150 transmits the first authentication key to the operation server 110, and the operation server 110 transmits the first authentication key to the program 210 of the second terminal 200 ). Meanwhile, the security server 150 may transmit the first authentication key to the program 210 of the second terminal 200 through the second communication network.

The medium access processing unit 250 receives the first authentication key through the communication unit of at least one of the short range wireless communication unit 206 and the wireless network communication unit 207. When the first authentication key is received, the medium access processing unit 250 transmits the first authentication key to the noncontact medium 100 through the NFC module 205, (m) recorded in the memory m. The noncontact medium 100 authenticates the first authentication key according to a specified authentication procedure and responds to the authentication code m recorded in the storage area m when the authentication is successful. (M) recorded in the storage area (m) of the noncontact medium (100). The medium access processing unit 250 may further read the issuer information recorded in the storage area m of the noncontact medium 100 according to an embodiment of the present invention. have.

The program 210 of the second terminal 200 transmits an authentication code read from the noncontact medium 100 via a specified path through at least one communication unit of the near field wireless communication unit 206 and the wireless network communication unit 207, (m) to be transmitted to the security server 150. [ Preferably, the medium access processing unit 250 transmits the read authentication code m to the operation server 110, and the operation server 110 transmits the authentication code m to the security server 150, . Meanwhile, the medium access processing unit 250 may transmit the authentication code (m) to the security server 150 via the second communication network according to an embodiment of the present invention.

The security server 150 authenticates the validity of the authentication code m through the security module 155 and authenticates the validity of the non-contact medium 100 from the security module 155 during validity authentication of the authentication code m. The second authentication key for reading the cipher block recorded in the designated storage area (n, 0? N <N, n? M) is extracted as a second authentication key, and the program of the second terminal 200 (210). Preferably, the security server 150 transmits the second authentication key to the operation server 110, and the operation server 110 transmits the second authentication key to the program 210 of the second terminal 200 ). Meanwhile, the security server 150 may transmit the second authentication key to the program 210 of the second terminal 200 through the second communication network according to an embodiment of the present invention.

According to an embodiment of the present invention, the security server 150 includes a security server 150 that performs a medium access procedure for reading a cipher block from the noncontact medium 100, Generates an authentication value for validity verification between the decryption server 160 that decrypts the cipher block read from the medium 100 and transmits the authentication value to the program 210 of the second terminal 200 through the designated path It can be processed to be transmitted.

According to an embodiment of the present invention, the security server 150 may synchronize with the decryption server 160 and / or the shared value (e.g., secret key) exchanged / shared in advance / (E.g., time, random number, etc.) to a designated code generation algorithm (e.g., a hash algorithm) to generate an authentication value. In this case, the security server 150 and the decryption server 160 The validity of the authentication value can be authenticated through a code verification procedure performed by the decryption server 160 even if the authentication value is not shared. Meanwhile, the security server 150 may generate an authentication value through a random number algorithm. In this case, the security server 150 may share the authentication value with the decryption server 160 and process the authentication value.

According to the embodiment of the present invention, the authentication value is included in the one transaction block with the second authentication key and is delivered to the program 210 of the second terminal 200, Or sequential) to the program 210 of the second terminal 200. When the second authentication key and the authentication value are transmitted to the program 210 of the second terminal 200 through one transaction block, the security server 150 transmits the second authentication key and the authentication value to the operation server 210 And the operation server 110 may transmit the second authentication key and the authentication value to the program 210 of the second terminal 200. [ Meanwhile, the security server 150 may transmit the second authentication key and the authentication value to the program 210 of the second terminal 200 through the second communication network.

The medium access processing unit 250 receives the second authentication key through the communication unit of at least one of the short-range wireless communication unit 206 and the wireless network communication unit 207. When the second authentication key is received, the medium access processing unit 250 transmits the second authentication key to the noncontact medium 100 through the NFC module 205, (n). &lt; / RTI &gt; The noncontact medium 100 authenticates the second authentication key according to a specified authentication procedure, and responds to the cipher block recorded in the storage area (n) when authentication is successful. The cipher block identification unit (255) Reads the cipher block recorded in the storage area (n) of the noncontact medium (100) through the NFC module (205) as a result of the medium access procedure performed through the medium access processing part (250).

The authentication code (t) generating unit 260 generates an authentication code (t) for authenticating the validity of the second terminal 200 that has activated or activated the program 210 through the operation server 110 . The authentication code (t) generating unit 260 may generate a shared value (for example, a MIN of the second terminal 200, a key value exchanged / shared with the operating server 110) , Etc.) and / or synchronization values (e.g., time, etc.) synchronized with the operating server 110 into a designated code generation algorithm (e.g., a hash algorithm).

The authentication information (t) generation unit 265 generates authentication information (t) for an authentication approval request using the cipher block read from the noncontact medium 100.

According to the embodiment of the present invention, the authentication information (t) generation unit 265 generates the authentication information (t) by using the personal information of the user (for example, the first six digits of the resident registration number) and / And the authentication information t may include personal information and / or secret information input from the user. Meanwhile, the authentication information (t) may include all or at least a part of the authentication information (s) according to the method.

The transmitting unit 270 transmits a cipher block that is read from the noncontact medium 100 through at least one communication unit of the short-distance wireless communication unit 206 and the wireless network communication unit 207, (T) generated by the authentication code (t) generating unit 260 and authentication information (t) for the authentication approval request to the operation server 110, Lt; / RTI &gt; The read cipher block and the generated authentication code t and authentication information t may be included in one transaction block and transmitted to the operation server 110 or may be transmitted in a predetermined order or route .

Meanwhile, when the authentication value generated through the security server 150 is received, the transmission unit 270 may process the encryption block and the authentication value to be transmitted to the decryption server 160. The cipher block and the authentication value may be transmitted through one transaction block, or may be transmitted (or sequentially) through a specified sequence or path.

The encryption block is transmitted to the decryption server 160 through a designated path, and the decryption server 160 generates authentication information corresponding to the encryption block and transfers the generated information to the operation server 110, (E.g., an authentication approval request to the authentication server 170) with respect to the authentication information t using the authentication means information generated through the encryption block, And transmits the authentication result to the program 210 of the second terminal 200. The authentication result processing unit 275 transmits the authentication result to the second terminal 200 through the communication unit of at least one of the short range wireless communication unit 206 and the wireless network communication unit 207 And receives and outputs the result.

FIG. 3 is a diagram illustrating a server authentication and NFC activation process using the second terminal 200 according to an embodiment of the present invention.

3 illustrates an example in which authentication information (s) and authentication information (s) are transmitted from the operation server 110 to the second terminal 200 of the user having the NFC module 205 when the authentication is requested through the first terminal 105 of the user The present invention shows a process of providing the code s to activate the NFC module 205 of the second terminal 200 after authenticating the operation server 110 at the second terminal 200, Those skilled in the art will appreciate that various implementations of the server authentication and NFC activation process (e.g., omitting some of the steps or changing the order) may be implemented by referring to and / However, the present invention includes all of the above-described embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

Referring to FIG. 3, when the first terminal 105 of the user accesses a designated web server through a first communication network, selects an authentication method according to the present invention, and transmits (300) a request for authentication request information, Receives the authentication request information through the designated path (305), and stores the received authentication request information (310).

The operation server 110 confirms the second terminal 200 of the user who has performed the authentication procedure for the authentication request information and notifies the second terminal 200 of push for activating or activating the program 210 The second terminal 200 of the user receives (320) the push notification, drives or activates (325) the program 210 corresponding to the push notification according to a designated procedure, The program 210 of the second terminal 200 attempts to access the operating server 110 through the second communication network according to the designated communication macro 330, (Step 335) that the program 210 of the second terminal 200 is activated or activated based on a connection attempt of the program 210 of the first terminal 200.

If the program 210 of the second terminal 200 is activated or activated, the operation server 110 generates authentication information (s) for authentication processing of the received authentication request information (340) (S) for server authentication through the program 210 of the second terminal 200 (345) and then transmits the authentication information (s) and the authentication code (s) to the second To the program 210 of the terminal 200 (350).

The program 210 of the second terminal 200 receives the authentication information s and the authentication code s through the second communication network 355 and transmits the received authentication code s (360), thereby validating the validity of the operation server 110 that transmitted the authentication information (s). The authentication code s authenticates the validity of the operation server 110 through the program 210 of the second terminal 200. If the operation server 110 is an authentic server (= a phishing server The second terminal 200 may perform the function of verifying the second terminal 200 in the presence of the operation server 110. According to the embodiment of the present invention, the program 210 of the second terminal 200 inputs the PIN of the user at a time point during the process of receiving the authentication code (s) after driving or activating the program 210 And can perform a PIN authentication procedure for authentication.

If the validity of the authentication code (s) is not authenticated, the program 210 of the second terminal 200 transmits an error code according to the authentication failure of the authentication code (s) to the operation server 110, The operation server 110 receives the error code and performs the designated internal procedure and at the same time transmits the error code to the first terminal 105 in operation 365. The first terminal 105 receives the error code (370).

Meanwhile, if the validity of the authentication code (s) is authenticated, the program 210 of the second terminal 200 confirms activation of the NFC module 205 of the second terminal 200 (375) If the NFC module 205 is not activated, the program 210 of the second terminal 200 performs a procedure for activating the NFC module 205 (step 380). If the NFC module 205 of the second terminal 200 is activated or activated, the program 210 of the second terminal 200 may be transmitted to the second terminal 200 using the NFC module 205, As shown in FIG.

4 is a diagram illustrating a process of exchanging primary information between a second terminal 200 and a security server 150 for accessing a non-contact medium 100 according to an embodiment of the present invention.

4 illustrates a process of reading the unique serial number from the non-contact medium 100 through the NFC module 205 in the second terminal 200 of the user and transmitting the unique serial number to the security server 150, (M) recorded in the storage area (m) of the noncontact medium (100) corresponding to the unique serial number, the method comprising: providing a first authentication key for reading the authentication code Those skilled in the art will be able to refer to and / or modify the FIG. 4 to infer various implementations of the primary information exchange process (e.g., omitting some steps or changing the order) However, the present invention is not limited to the technical features of the present invention.

Referring to FIG. 4, the program 210 of the second terminal 200 is a program 210 through which the non-contact medium 100 can communicate with the second terminal 200 at a predetermined distance (for example, within 1 cm) (400). If the noncontact medium 100 is recognized, the program 210 of the second terminal 200 requests the reading of the noncontact medium 100 through the NFC module 205 (405), and the noncontact medium 100 (E.g., CSN, etc.) (410) and provides it to the second terminal (200) via NFC (415).

The program 210 of the second terminal 200 reads the unique serial number from the noncontact medium 100 through the NFC module 205 and processes the unique serial number to be transmitted to the security server 150 Thereby requesting the first authentication key for the non-contact medium 100 (425). According to the embodiment of FIG. 4, the unique serial number is transmitted to the security server 150 via the operation server 110.

The operation server 110 receives a unique serial number from the program 210 of the second terminal 200 and transmits the unique serial number to the designated security server 150 to transmit the unique serial number to the noncontact medium 100 (Step 435).

The security server 150 confirms the first authentication key for the storage area m of the noncontact medium 100 through the security module 155 in operation 440. If the first authentication key is not confirmed (for example, the noncontact medium 100 corresponding to the unique serial number is not a valid noncontact medium 100), the security server 150 transmits an error The operating server 110 receives the error code and performs the designated internal procedure and provides the error code to the second terminal 200 in operation 445. The error code is transmitted to the second terminal 200 (210) receives and outputs the error code (450).

Meanwhile, when the first authentication key is confirmed, the security server 150 transmits the first authentication key to the operation server 110 (455), and the operation server 110 receives the first authentication key The program 210 of the second terminal 200 receives the first authentication key for the noncontact medium 100 through the second communication network 465 ).

5 is a diagram illustrating a process of exchanging secondary information between the second terminal 200 and the security server 150 for accessing the contactless medium 100 according to an embodiment of the present invention.

More specifically, FIG. 5 illustrates a case where the authentication code m recorded in the storage area m of the noncontact medium 100 is read through the first authentication key from the second terminal 200 of the user, The process of authenticating the authentication code m at the security server 150 and providing the second authentication key for reading the cipher block recorded in the storage area n of the contactless medium 100 Those skilled in the art will appreciate that various modifications and variations of the method of the present invention (e.g., some steps may be omitted, or alternatively, However, the present invention includes all of the above-described embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

Referring to FIG. 5, when the first authentication key is received through the process shown in FIG. 4, the program 210 of the second terminal 200 is transmitted to the non-contact medium 100 through the NFC module 205, The non-contact medium 100 receives the first authentication key and authenticates the validity (Step 505). If the validity of the first authentication key is not authenticated, the noncontact medium 100 responds with an error code through NFC, and the program 210 of the second terminal 200 receives an error through the NFC module 205 A code is received and output (510).

Meanwhile, if the validity of the first authentication key is authenticated, the noncontact medium 100 confirms (515) the authentication code m recorded in the storage area m corresponding to the first authentication key, To the second terminal 200 (520). The noncontact medium 100 further checks 515 the issuer information on the noncontact medium 100 based on the authentication result of the first authentication key and provides the issuer information to the second terminal 200 (520).

The program 210 of the second terminal 200 reads the authentication code m from the noncontact medium 100 through the NFC module 205 and reads the issuer information according to the method of operation (525). The program 210 of the second terminal 200 requests the second authentication key for the noncontact medium 100 by processing the authentication code m to be transmitted to the security server 150 in operation 530. According to the embodiment of FIG. 5, the authentication code m is transmitted to the security server 150 via the operation server 110. FIG.

The operation server 110 receives the authentication code m from the program 210 of the second terminal 200 and transmits the authentication code m to the designated security server 150, (540) a first authentication key for the mobile device 100.

The security server 150 authenticates the validity of the authentication code m through the security module 155 (545). If the validity of the authentication code m is not authenticated, the security server 150 transmits an error code to the operation server 110, and the operation server 110 receives an error code, The second terminal 200 provides the error code to the second terminal 200 and the program 210 of the second terminal 200 receives and outputs the error code in operation 555.

If the validity of the authentication code m is authenticated, the security server 150 confirms the second authentication key for the storage area n of the noncontact medium 100 through the security module 155 , And transmits the confirmed second authentication key to the operation server 110 (565). The operation server 110 receives the second authentication key and provides the second authentication key to the second terminal 200 in step 570 and the program 210 of the second terminal 200 transmits the non- (575) a second authentication key for the first authentication key (100).

6 is a diagram illustrating a process of exchanging secondary information between the second terminal 200 and the security server 150 for accessing the non-contact medium 100 according to another embodiment of the present invention.

6, the authentication code m recorded in the storage area m of the noncontact medium 100 is read from the second terminal 200 of the user through the first authentication key, and the authentication code m is transmitted to the security server 150 (N) for reading the cipher block recorded in the storage area (n) of the noncontact medium (100) after authenticating the authentication code (m) by the security server (150) And an authentication value, it will be understood by those skilled in the art that reference to and / or modification of FIG. 6 is applicable to various embodiments of the secondary information exchange process It is to be understood that the invention may be practiced otherwise than as specifically described herein, but it is to be understood that the invention is not to be limited to the specific embodiments thereof, Or more.

Referring to FIG. 6, when the first authentication key is received through the process shown in FIG. 4, the program 210 of the second terminal 200 is transmitted to the non-contact medium 100 through the NFC module 205, The non-contact medium 100 receives the first authentication key and authenticates the validity (Step 605). If the validity of the first authentication key is not authenticated, the noncontact medium 100 responds with an error code through NFC, and the program 210 of the second terminal 200 receives an error through the NFC module 205 And receives and outputs the code (610).

Meanwhile, when the validity of the first authentication key is authenticated, the non-contact medium 100 confirms the authentication code m recorded in the storage area m corresponding to the first authentication key 615, To the second terminal 200 (620). The noncontact medium 100 further checks the issuer information of the noncontact medium 100 based on the authentication result of the first authentication key 615 and provides the issuer information to the second terminal 200 (620).

The program 210 of the second terminal 200 reads the authentication code m from the noncontact medium 100 through the NFC module 205 and reads the issuer information according to the method of operation (625). The program 210 of the second terminal 200 requests the second authentication key for the noncontact medium 100 by processing the authentication code m to be transmitted to the security server 150 in operation 630. According to the embodiment of FIG. 6, the authentication code m is transmitted to the security server 150 via the operation server 110.

The operation server 110 receives the authentication code m from the program 210 of the second terminal 200 and transmits the authentication code m to the designated security server 150, (640) a first authentication key for the first authentication key (100).

The security server 150 authenticates the validity of the authentication code m through the security module 155 (645). If the validity of the authentication code m is not authenticated, the security server 150 transmits an error code to the operation server 110, and the operation server 110 receives an error code, The error code is provided to the second terminal 200 at step 650 and the program 210 of the second terminal 200 receives the error code and outputs the error code at step 655.

If the validity of the authentication code m is authenticated, the security server 150 checks the second authentication key for the storage area n of the noncontact medium 100 through the security module 155 (660 After generating the authentication value (665), the authentication server transmits the confirmed second authentication key and the generated authentication value to the operation server (670). The operation server 110 receives the second authentication key and the authentication value and provides the second authentication key and the authentication value to the second terminal 200 in step 675. The program 210 of the second terminal 200 transmits, And receives the second authentication key and the authentication value for the noncontact medium 100 (680).

7 is a diagram illustrating a process of reading a cipher block from the noncontact medium 100 according to an embodiment of the present invention.

7 shows a process of reading a cipher block recorded in the storage area n of the noncontact medium 100 through the second authentication key in the second terminal 200 of the user, Those skilled in the art will be able to refer to and / or modify Figure 7 to derive various implementations of the cryptographic block reading process (e.g., omitting some of the steps or changing the order) However, the present invention includes all of the above-described embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

Referring to FIG. 7, when a second authentication key is received through the process illustrated in FIG. 5 or FIG. 6, the program 210 of the second terminal 200 is transmitted to the noncontact medium 100 through the NFC module 205, The non-contact medium 100 transmits the second authentication key to request reading of the cipher block, and the non-contact medium 100 receives the second authentication key and authenticates the validity (705). If the validity of the second authentication key is not authenticated, the noncontact medium 100 responds with an error code through the NFC, and the program 210 of the second terminal 200 receives an error through the NFC module 205 And receives and outputs the code (710).

Meanwhile, if the validity of the second authentication key is authenticated, the noncontact medium 100 identifies the cipher block recorded in the storage area n corresponding to the first authentication key (715) The program 210 of the second terminal 200 reads the cipher block from the noncontact medium 100 through the NFC module 205 (725).

FIG. 8 is a diagram illustrating a process of performing an authentication procedure using a cipher block read from a non-contact medium 100 according to an embodiment of the present invention.

More specifically, FIG. 8 shows a cipher block read from the storage area n of the noncontact medium 100 at the second terminal 200 of the user, the authentication code t generated at the second terminal 200, (T) to the operating server 110, the decryption server 160 associated with the operating server 110 generates the authentication means information through the cipher block. Those skilled in the art will be able to refer to and / or modify this FIG. 8 to consider various implementations of the authentication procedure (e.g., omitting some steps or changing the order) However, the present invention includes all of the above-described embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

Referring to FIG. 8, when a cipher block is read from the storage area n of the noncontact medium 100 through the process shown in FIG. 7, the program 210 of the second terminal 200 is read from the program 210, (800) to generate an authentication code (t) for authenticating the second terminal (200) in the activated or activated state of the second terminal (200) (T) (805).

The program 210 of the second terminal 200 transmits the cipher block and the authentication code t and the authentication information t to the operation server 110 through the second communication network 810, 110 receives the cipher block, the authentication code (t), and the authentication information (t) (815).

The operation server 110 authenticates the validity of the authentication code t according to a designated code verification procedure (820). If the validity of the authentication code t is not authenticated, the operation server 110 transmits an error code to the second terminal 200, and the program 210 of the second terminal 200 The error code is received and output (825).

Meanwhile, when the validity of the authentication code t is authenticated, the operation server 110 transmits authentication information t (t) using the authentication information s provided to the second terminal 200 through the process shown in FIG. (830). &Lt; / RTI &gt; If the integrity of the authentication information t is not authenticated, the operation server 110 transmits an error code to the second terminal 200, and the program 210 of the second terminal 200 The error code is received and output (835).

The operation server 110 requests the designated decryption server 160 for the authentication means information corresponding to the cipher block 840 and the decryption server 160 receives the cipher block 845, To generate authentication means information (850).

According to the first authentication means generation method of the present invention, when the authentication means information is encrypted in the encryption block, the decryption server 160 can generate the authentication means information by decoding the encryption block.

According to the second authentication means generation method of the present invention, when the identification information for identifying the authentication means is encrypted in the cipher block, the decryption server 160 decrypts the cipher block to check the authentication means information, (For example, a SAM storage area of the decoding module 165, a DB of a financial institution, or a safe storage medium permitted to store authentication means information) for storing authentication means information to be used for processing And the mapped authentication means information can be obtained.

According to the third authentication means generation method of the present invention, the encryption block can perform the function of the identifier mapped to the authentication means information. In this case, the decryption server 160 stores the authentication means information to be used for the authentication processing (For example, a SAM storage area of the decryption module 165, a DB of a financial institution, or a secure storage medium permitted to store authentication means information, etc.) have.

According to the fourth authentication means generation method of the present invention, the decryption server 160 decrypts the cipher block and confirms block information (or authentication information, identification information, etc., hereinafter referred to as block information for convenience) The authentication information of the specified information system corresponding to the authentication means can be generated using the block information. For example, the decryption server 160 may generate the authentication means information by substituting the hash value generated by hashing the block information into the designated information system. In this case, the authentication means information may be a function of the disposable authentication means Can be performed. Alternatively, the decryption server 160 may generate the authentication means information by substituting the partial information of the block information into the designated information system.

According to the fifth authentication means generation method of the present invention, the decryption server 160 can generate the authentication means information of the specified information system corresponding to the authentication means using the cipher block. For example, the decryption server 160 may generate the authentication means information by substituting the hash value generated by hashing the cipher block into the specified information system. In this case, the authentication means information may be a function of the disposable authentication means Can be performed. Alternatively, the decryption server 160 may generate the authentication means information by substituting some information of the cipher block into the specified information system.

Meanwhile, the decryption server 160 generates the authentication means information by combining two or more of the first to fifth authentication method generation methods, or modifies a part of the first to fifth authentication method generation methods, It is clear that the present invention is not limited thereto. That is, the present invention includes the number of all cases in which the authentication means information to be used for authentication using the cipher block is included in the right range.

If the authentication means information is not generated, the decryption server 160 transmits an error code to the operation server 110. The operation server 110 receives the error code and performs the designated internal procedure, The error code is provided to the second terminal 200 (step 855), and the program 210 of the second terminal 200 receives the error code and outputs the error code (step 860).

Meanwhile, when the authentication means information is generated using the cipher block, the decryption server 160 transmits the authentication means information to the operation server 110 (865), and the operation server 110 transmits the authentication information And the generated authentication means information is received (870).

FIG. 9 is a diagram illustrating a process of performing an authentication procedure using a cipher block read from a non-contact medium 100 according to another embodiment of the present invention.

9 shows the authentication value received from the second terminal 200 of the user through the cipher block read from the storage area n of the noncontact media 100 and the process shown in FIG. When the authentication code t generated by the authentication server 200 and the authentication information t for authentication processing are transmitted to the operation server 110, the decryption server 160 associated with the operation server 110 authenticates the authentication value t And then generating the authentication means information through the cipher block. Those skilled in the art will be able to refer and / or modify FIG. 9 to various It is to be understood that the present invention is not limited to the embodiment (s), but it is to be understood that the invention may be practiced otherwise than as specifically described herein, Technical features It is not limited.

Referring to FIG. 9, when the cipher block is read from the storage area n of the noncontact medium 100 through the process shown in FIG. 7, the program 210 of the second terminal 200 is read from the program 210, (900) for generating an authentication code (t) for authenticating the second terminal (200) in a state in which the second terminal (200) is activated or activated, and performs authentication processing based on the authentication information (T) for authentication information (905).

The program 210 of the second terminal 200 transmits the cipher block, the authentication value, the authentication code t and the authentication information t to the operation server 110 through the second communication network 910, The operation server 110 receives the cipher block, the authentication value, the authentication code (t), and the authentication information (t) (915).

The operation server 110 authenticates the validity of the authentication code t according to a designated code verification procedure (920). If the validity of the authentication code t is not authenticated, the operation server 110 transmits an error code to the second terminal 200, and the program 210 of the second terminal 200 The error code is received and output (925).

Meanwhile, when the validity of the authentication code t is authenticated, the operation server 110 transmits authentication information t (t) using the authentication information s provided to the second terminal 200 through the process shown in FIG. (930). &Lt; / RTI &gt; If the integrity of the authentication information t is not authenticated, the operation server 110 transmits an error code to the second terminal 200, and the program 210 of the second terminal 200 The error code is received and output (935).

The operation server 110 provides the cryptographic block and the authentication value to the designated decryption server 160 to request the authentication means information corresponding to the cryptographic block 940. The decryption server 160 decrypts the cryptographic block, An authentication value is received (945) and the validity of the authentication value is authenticated (950). If the validity of the authentication value is not authenticated, the decryption server 160 transmits an error code to the operation server 110. The operation server 110 receives the error code and performs the designated internal procedure The error code is provided to the second terminal 200 in step 955 and the program 210 of the second terminal 200 receives the error code and outputs the error code in step 960.

Meanwhile, when the validity of the authentication value is authenticated, the decryption server 160 generates the authentication means information using the cipher block (965).

According to the first authentication means generation method of the present invention, when the authentication means information is encrypted in the encryption block, the decryption server 160 can generate the authentication means information by decoding the encryption block.

According to the second authentication means generation method of the present invention, when the identification information for identifying the authentication means is encrypted in the cipher block, the decryption server 160 decrypts the cipher block to check the authentication means information, (For example, a SAM storage area of the decoding module 165, a DB of a financial institution, or a safe storage medium permitted to store authentication means information) for storing authentication means information to be used for processing And the mapped authentication means information can be obtained.

According to the third authentication means generation method of the present invention, the encryption block can perform the function of the identifier mapped to the authentication means information. In this case, the decryption server 160 stores the authentication means information to be used for the authentication processing (For example, a SAM storage area of the decryption module 165, a DB of a financial institution, or a secure storage medium permitted to store authentication means information, etc.) have.

According to the fourth authentication means generation method of the present invention, the decryption server 160 decrypts the cipher block and confirms block information (or authentication information, identification information, etc., hereinafter referred to as block information for convenience) The authentication information of the specified information system corresponding to the authentication means can be generated using the block information. For example, the decryption server 160 may generate the authentication means information by substituting the hash value generated by hashing the block information into the designated information system. In this case, the authentication means information may be a function of the disposable authentication means Can be performed. Alternatively, the decryption server 160 may generate the authentication means information by substituting the partial information of the block information into the designated information system.

According to the fifth authentication means generation method of the present invention, the decryption server 160 can generate the authentication means information of the specified information system corresponding to the authentication means using the cipher block. For example, the decryption server 160 may generate the authentication means information by substituting the hash value generated by hashing the cipher block into the specified information system. In this case, the authentication means information may be a function of the disposable authentication means Can be performed. Alternatively, the decryption server 160 may generate the authentication means information by substituting some information of the cipher block into the specified information system.

Meanwhile, the decryption server 160 generates the authentication means information by combining two or more of the first to fifth authentication method generation methods, or modifies a part of the first to fifth authentication method generation methods, It is clear that the present invention is not limited thereto. That is, the present invention includes the number of all cases in which the authentication means information to be used for authentication using the cipher block is included in the right range.

If the authentication means information is not generated, the decryption server 160 transmits an error code to the operation server 110. The operation server 110 receives the error code and performs the designated internal procedure, The error code is provided to the second terminal 200 in step 970, and the program 210 of the second terminal 200 receives and outputs the error code in step 975.

Meanwhile, when the authentication means information is generated using the cipher block, the decryption server 160 transmits the authentication means information to the operation server 110 (980), and the operation server 110 transmits the authentication information to the operation server 110 And the generated authentication means information is received (985).

FIG. 10 is a diagram illustrating a process of performing an authentication approval procedure using an authentication unit generated through a cipher block according to an embodiment of the present invention.

In more detail, FIG. 10 illustrates a process of allowing an operation server 110 to perform an authentication approval process using authentication unit information using a cipher block through a decryption server 160, and FIG. Those skilled in the art will be able to refer to and / or modify this drawing 10 to infer various implementations of the authentication procedure (e.g., omitting some steps or changing the order) The present invention includes all of the above-described embodiments, and the technical features of the present invention are not limited only by the method shown in FIG.

Referring to FIG. 10, when the authentication means information generated using the cipher block is confirmed through the process shown in FIG. 8 or FIG. 9, the operation server 110 transmits the authentication means information generated through the cipher block, The authentication server 170 requests authentication approval 170 from the authentication server 170 using the received authentication information t shown in FIG. 8 or 9, and the authentication server 170 receives the authentication approval request 1005 ). And performs an authentication approval procedure for the authentication information (t) using the authentication means information (1010). For example, when the authentication means information includes card information, and the authentication means is a financial company server, the financial institution server stores card information corresponding to the authentication means information, personal information included in the authentication information t and / Or may use the secret information to perform the authentication approval procedure to determine whether the card corresponding to the card information is effectively issued and operating.

If the authentication approval process is completed, the authentication server 170 generates an authentication approval result for the authentication approval procedure 1015 and transmits the authorization approval result to the operation server 110 (1020) Receives the authentication approval result (1025), performs a specified internal procedure (for example, transmits an authentication approval result to the first terminal 105), and provides the authentication approval result to the second terminal 200 (Step 1030). The program 210 of the second terminal 200 receives and outputs the authentication approval result (step 1035).

100: non-contact medium 105: first terminal
110: Operation server 112: First communication confirmation unit
114: authentication request reception unit 116: authentication request response unit
118: authentication request storage unit 120: second terminal confirmation unit
122: second communication activation unit 124: drive / activity confirmation unit
126: authentication information (s) generation unit 128: authentication code (s) generation unit
130: Information providing unit 132: Medium access procedure relay unit
134: information receiving unit 136: authentication code (t)
138: authentication information (t) authentication unit 140: authentication means request unit
142: authentication means receiving section 144: authentication approval procedure section
146: Approval result reception unit 148: Approval result delivery unit
150: Security server 155: Security module
160: Decryption server 165: Decryption module
170: Authentication server 200: Second terminal
205: NFC module 210: program
215: Subscription / Authentication Processing Unit 220: Terminal Media Authentication Unit
225: drive / active processing unit 230:
235: authentication code (s) authentication unit 240: NFC activation unit
245: medium recognition unit 250: medium access processing unit
255: cipher block verification unit 260: authentication code (t) generation unit
265: authentication information (t) generating unit 270:
275: Authentication result processor

Claims (18)

CLAIMS What is claimed is: 1. A method executed via an operating server communicating with a user's first terminal and communicating with a second terminal of a user having an NFC module,
A first step of receiving and storing authentication request information via a first communication network connected to a first terminal of a user;
A second step of confirming activation or activation of a program provided in a second terminal of the user using a second communication network;
(S) for authentication processing of the authentication request information and a dynamically generated authentication code (s) for server authentication through the program of the second terminal when the second terminal is programmed or activated, A third step of providing a program of the terminal;
(NFC) through the NFC module of the second terminal based on the authentication result of the authentication code (s) through the program of the second terminal and the result of the medium access procedure performed between the program of the second terminal and the designated security server (T) dynamically generated through a program of the second terminal for a second terminal authentication that drives or activates the program and a cipher block which is read from a designated storage area of a supported non-contact medium to a program of the second terminal, And a fourth step of receiving authentication information (t) for requesting authentication approval;
A fifth step of requesting the specified decryption server for the authentication means information corresponding to the cipher block in conjunction with the validity authentication of the received authentication code t and the integrity authentication of the authentication information t through the authentication information s, ;
A sixth step of receiving authentication means information generated from the decryption server through the encryption block;
A seventh step of transmitting the authentication means information and the authentication information (t) to a specified authentication server to request authentication approval; And
And receiving the authentication approval result from the authentication server and transmitting the authentication approval result to the program of the second terminal.
2. The method according to claim 1,
Further comprising performing a procedure for notifying a second terminal of the user of a push for program activation or activation.
2. The method of claim 1, wherein the authentication code (s)
Wherein the second terminal includes a code value that can be authenticated through a code verification procedure included in a program of the second terminal.
The method according to claim 1,
Checking the unique serial number read from the noncontact medium through the NFC module of the second terminal and providing the unique serial number to the designated security server, intervening in a data exchange process between the program of the second terminal and the designated security server;
A first authentication key for reading an authentication code (m) recorded in a designated storage area (m, 0? M &lt; N) among N (N> 1) storage areas provided in the non- To a program of the second terminal;
Checking the authentication code (m) read from the noncontact medium through the NFC module of the second terminal and providing the authentication code to a designated security server;
Receiving a second authentication key for reading a cipher block recorded in the designated storage area (n, 0? N <N, n? M) from the security server and transferring the second authentication key to the program of the second terminal Wherein the two-channel authentication method using the noncontact medium is performed.
The method according to claim 1,
Further comprising the step of intervening in a data exchange process between the program of the second terminal and the designated security server to receive the authentication value generated through the security server and deliver it to the program of the second terminal,
The fourth step may further include receiving the authentication value from the program of the second terminal,
The fifth step may further include providing the authentication value to the decryption server and requesting authentication,
Wherein the authentication value is authenticated through the decryption server,
Wherein the authentication means information is generated using the cipher block as the authentication result of the authentication value.
The method according to claim 1, wherein the program of the second terminal comprises:
Receiving authentication information (s) and authentication code (s) from the operating server; And
And authenticating the validity of the received authentication code (s) through a designated code verification procedure. &Lt; Desc / Clms Page number 20 &gt;
2. The method of claim 1,
The program of the second terminal reading a unique serial number from a noncontact medium supporting NFC through an NFC module of the second terminal;
(M, 0 &lt; m < N) among N (N> 1) storage areas included in the noncontact medium, the program of the second terminal processes the read unique serial number to be transmitted to the specified security server, Receiving a first authentication key for reading the authentication code (m) recorded in the first authentication key;
The program of the second terminal transmits the first authentication key to the noncontact medium via the NFC module and reads the authentication code (m) recorded in the designated storage area (m) of the noncontact medium;
Wherein the program of the second terminal processes the read authentication code m to be transmitted to the security server and stores a cipher block recorded in a specified storage area (n, 0? N <N, n? M) Receiving a second authentication key for reading; And
And the program of the second terminal transmits the second authentication key to the noncontact medium via the NFC module and reads the cipher block recorded in the designated storage area (n) of the noncontact medium. A two-channel authentication method using a non-contact medium.
8. The method according to claim 7,
And a decryption module for decrypting the cipher block is transmitted to a decryption server having a decryption module for the cipher block.
8. The method of claim 7,
Further comprising the step of the program of the second terminal receiving the authentication value generated through the security server based on the verification result of the authentication code (m) through the security server,
Further comprising processing the program of the second terminal to transmit the authentication value to the decryption server when processing the leading encrypted block to be transmitted to the designated decryption server,
And the validity of the authentication value is authenticated through the decryption server.
The method according to claim 1, wherein the authentication information (t)
The personal information input from the user through the second terminal, and the secret information of the user corresponding to the authentication means information corresponding to the cipher block.
A method of executing a program through a program provided in a second terminal of a user having an NFC module,
A first step of reading a unique serial number from a noncontact medium supporting NFC through the NFC module;
(M (0? M <N)) among the N (N> 1) storage areas provided in the noncontact medium to transmit the read unique serial number to the designated security server A second authentication key for reading the first authentication key;
A third step of transferring the first authentication key to the noncontact medium through the NFC module and reading the authentication code (m) recorded in the designated storage area (m) of the noncontact medium;
(N, 0? N <N, n? M) to be transmitted to the security server and to read a cipher block recorded in a designated storage area of the contactless medium A fourth step of receiving the second signal;
A fifth step of transferring the second authentication key to the noncontact medium through the NFC module and reading the cipher block recorded in the designated storage area (n) of the noncontact medium; And
And a sixth step of processing the read encrypted block to be transmitted to a designated decryption server.
12. The method of claim 11,
Wherein the encryption block is transmitted to an operation server interlocked with the decryption server.
12. The method of claim 11,
Receiving authentication information (s) for authentication processing from an operation server and dynamically generated authentication code (s) for server authentication through a program of the second terminal; And
Authenticating the validity of the received authentication code (s) through a designated code verification procedure,
Wherein the first step reads a unique serial number from a noncontact medium supporting NFC through the NFC module upon validation of the authentication code (s).
14. The method as claimed in claim 13,
And generating authentication information (t) to be used in the authentication procedure using the cipher block and transmitting the authentication information (t) to the operation server.
14. The method of claim 13,
Further comprising dynamically generating an authentication code (t) for a second terminal authentication that has activated or activated the program,
Wherein the step (6) further comprises transmitting the generated authentication code (t) to the operation server.
12. The method of claim 11,
And a decryption module for decrypting the cipher block is transmitted to a decryption server having a decryption module for the cipher block.
12. The method of claim 11,
Further comprising receiving an authentication value generated through the security server based on a verification result of the authentication code (m) through the security server upon receiving the second authentication key,
The sixth step may further include processing the authentication value to be transmitted to the decryption server,
Wherein the authentication value is authenticated via the designated decryption server.
12. The method of claim 11,
Further comprising receiving and outputting an authentication approval result of the authentication approval procedure performed using the authentication means information generated through the cipher block, and outputting the authentication approval result.

Images