KR20250071163A - Gateway service system and method supporting user authentication for database access control - Google Patents

Abstract

The present invention relates to a gateway service system and method supporting user authentication for database access control, and more particularly, to a gateway service system and method supporting user authentication for database access control capable of safely and effectively performing user authentication using a unique identification value even in an environment where it is difficult to identify a user terminal with network/OS information. The present invention creates an encrypted session for access control to a secured database server based on authentication information in which a client identification value, which is a unique identification value stored in advance for a user terminal, is encrypted with a server identification value randomly generated at the time of user authentication, and performs credential verification for access authority of the encrypted session using the client identification value, thereby supporting consistent and accurate user authentication even in a gateway service environment where it is difficult to identify a user terminal with network information and OS information, thereby enhancing the security and efficiency of the gateway service.

Description

{Gateway service system and method supporting user authentication for database access control}

The present invention relates to a gateway service system and method supporting user authentication for database access control, and more specifically, to a gateway service system and method supporting user authentication for database access control capable of safely and effectively performing user authentication using a unique identification value even in an environment where it is difficult to identify a user terminal using network/OS information.

The gateway service for existing database (DB) access control has become necessary for authentication procedures as the user identification unit has been expanded from terminals to individual users (organization, employee number, etc. personnel information) to prevent cases where a single database account is used on multiple terminals.

That is, gateway services for DB access control in the past identified users based on terminal properties such as IP addresses, but terminal-level identification has limitations in identifying specific users in the event of a security incident, and there is a problem that this must be left to the terminal's security elements (OS login policy, etc.). Therefore, the existing gateway service for DB access control, which has improved this, is expanding the authentication unit from terminal properties such as IP to user-level identification.

However, in this case, in an environment where multiple people use one terminal, the same need arises as when the gateway in the past expanded user properties from control by database account to control by terminal property.

Referring to Fig. 1, the gateway service system for existing DB access control can be described. As shown, it can be composed of a DB access program installed on a user terminal to access a secured DB and a DB access control gateway that performs access control for the secured DB of the DB access program.

The gateway service system for this DB access control must check whether there is a credential for each session, because the basic unit of security target control is a session. This is the same as checking whether there is a login for each URL on the web. However, the problem is that since the session is created by the DB access program, the DB access control gateway cannot force authentication to the DB access program. Therefore, the DB access control gateway must take the method of stopping the DB access program's attempt to access the secured DB and requesting authentication from the terminal. And this request unit is the session unit of the DB access program.

For this type of session-based authentication, as shown in Fig. 2, in order to suspend DB access per session and check authentication status, information used for session identification at the time of authentication (hereinafter referred to as authentication information) must be stored to enable authentication. At this time, the most basic authentication information for session identification is the terminal's network/OS (operating system) information. In other words, the network/OS information extracted from the session is found in the stored authentication information and authentication is performed.

However, the problem with this session-based authentication method is that there may be situations where the attributes (network/OS information) required to identify the authentication information stored in the session are not transmitted. This makes it difficult to verify the credentials of the connected session.

There are two main situations: when the DB protocol that configures the session is missing the attributes required to identify authentication information, and when the attributes that configure the authentication information exist but their values become unreliable due to environmental factors. For example, depending on the database, the OS user, etc. may be missing from the session configuration information, and depending on the network environment, if NAT (Network Address Translation) occurs, the session IP may change.

The reason for this problem is that the terminal agent (Client Agent) responsible for authentication on the user terminal collects information directly from the user terminal and transmits it to the gateway, while the DB access program transmits it to the gateway via TCP/IP using the DB protocol. Just as the DB access control authentication cannot be forced when the DB access program accesses the database, the session cannot be required to transmit authentication information for credential verification.

Therefore, a new authentication system and method that can perform user authentication safely and effectively even in conditions where user identification using network/OS information is difficult is required.

Korean Patent Publication No. 10-2012-0058670

The purpose of the present invention is to support stable and consistent user authentication even in an environment where it is difficult to identify a user terminal using network/OS information by creating an encryption session using a unique identification value of a user terminal in a database access control gateway service and to implement a method for authenticating the credentials of a user accessing a secured target DB through the encryption session, thereby enhancing the security of authentication information used for user authentication.

In addition, the present invention provides a safe and efficient authentication information exchange and management method between a user terminal, a database access control gateway server, and a key management server, thereby implementing a gateway service system for stable and highly secure database access control even in various network environments.

In a gateway service system supporting user authentication for database access control, which includes a user terminal configured with a database access tool and a user interface for accessing a secured database server according to an embodiment of the present invention, a DB access control gateway server performing an access control function for the secured database server, and a key management server interlocked with the DB access control gateway server, the user terminal includes a terminal agent unit for generating authentication request information for a user authentication request including a user ID and an authentication key and a pre-stored client identification value, and an ECP communication unit for transmitting the authentication request information to the DB access control gateway server and transmitting first encryption key request information including the client identification value upon successful authentication, and configuring an encryption session with the DB access control gateway server through an ECP (Encrypted Communication Proxy) protocol upon receiving an encryption key corresponding to the first encryption key request information, and transmitting an ECP packet including a database protocol packet provided by the database access tool and the client identification value through the encryption session, wherein the DB access control gateway server, upon receiving the authentication request information, transmits the user ID and the authentication key to the key management server to request authentication, and upon successful authentication, stores the server identification value provided from the key management server in the authentication request information based on the server identification value. The present invention may be characterized by including an ECP access control unit which encrypts the included client identification value to generate server-storage authentication information and transmits the encrypted information to the key management server, generates second encryption key request information for an encryption key request based on the encryption key request authentication information generated by encrypting the client identification value included in the first encryption key request information received from the ECP communication unit with the server identification value, transmits the encrypted information to the key management server, and transmits an encryption key provided from the key management server to the ECP communication unit based on whether the encryption key request authentication information and the server-storage authentication information match, creates an encryption session with the ECP communication unit through the ECP protocol based on the encryption key, determines whether access is authorized based on the client identification value included in the ECP packet received through the encryption session, and controls access of the user terminal to the secured database server based on the determination result.

As an example related to the present invention, the server identification value may be characterized by being a value randomly generated upon successful authentication by the key management server and consisting of a one-time universally unique identifier (UUID) used as a unit of encryption session.

As an example related to the present invention, the key management server may include an authentication unit that performs authentication on a user of the user terminal based on the user ID and an authentication key, an identification value generation unit that randomly generates a server identification value according to an authentication result of the authentication unit and transmits the server identification value to the ECP access control unit, an authentication information management unit that stores the server storage authentication information, and an encryption key generation unit that compares the encryption key request authentication information included in the second encryption key request information received from the ECP access control unit with the server storage authentication information, and if they match, generates an encryption key to be used for the encryption session and provides the encryption key to the ECP access control unit.

As an example related to the present invention, the ECP communication unit may be characterized in that it encrypts the database protocol packet and the client identification value with the encryption key and then transmits the ECP packet including the encrypted database protocol packet and the encrypted client identification value to the ECP access control unit, and the ECP access control unit decrypts the encrypted database protocol packet and the encrypted client identification value included in the ECP packet with the encryption key.

As an example related to the present invention, the ECP access control unit may be characterized in that it assigns the server identification value to the encryption session, encrypts the client identification value obtained from the ECP packet received through the encryption session with the server identification value to transmit, to the key management server, authentication information for credentials, and transmits, to the secured database server, the database protocol packet upon verification of credentials based on whether the authentication information for credentials matches the server storage authentication information in conjunction with the key management server.

As an example related to the present invention, the terminal agent unit may include network information and OS information about the user terminal in the authentication request information, and the ECP access control unit may assign network information and OS information included in the authentication request information to the encryption session when creating an encryption session corresponding to the authentication request information, and if the network information and OS information included in the ECP packet do not match the network information and OS information assigned to the encryption session, generate authentication information for the credential and then perform credential verification in conjunction with the key management server.

As an example related to the present invention, the ECP access control unit may be characterized by generating authentication information including a hash value generated by hashing the client identification value with the server identification value as authentication information for server storage, authentication information for requesting an encryption key, or authentication information for the credential.

As an example related to the present invention, the ECP access control unit may be characterized by transmitting authentication result information on successful authentication to the ECP communication unit when authentication is successful using the user ID and authentication key of the key management server.

A gateway service method for supporting user authentication for database access control of a gateway service system including a user terminal configured with a database access tool and a user interface for accessing a secured database server according to an embodiment of the present invention, a DB access control gateway server performing an access control function for the secured database server, and a key management server interlocked with the DB access control gateway server, comprises: a step in which a terminal agent configured in the user terminal generates authentication request information including a user ID, an authentication key, and a pre-stored client identification value; a step in which an ECP communication unit of the user terminal transmits the authentication request information to the DB access control gateway server; a step in which the DB access control gateway server transmits the user ID and the authentication key included in the authentication request information to the key management server to request authentication; a step in which the DB access control gateway server encrypts the client identification value included in the authentication request information based on the server identification value provided from the key management server upon successful authentication, generates server-storage authentication information, and transmits the encrypted client identification value included in the authentication request information to the key management server; a step in which the ECP communication unit transmits first encryption key request information including the client identification value upon successful authentication to the DB access control gateway server; and a step in which the DB access control gateway server transmits first encryption key request information including the client identification value to the DB access control gateway server upon successful authentication. The method may include: a step of encrypting an included client identification value with the server identification value to generate authentication information for a request for an encryption key, generating second encryption key request information based on the authentication information for the request for an encryption key and transmitting the same to the key management server; a step, by the DB access control gateway server, transmitting an encryption key provided from the key management server based on whether the authentication information for the request for an encryption key matches the authentication information for the server storage to the ECP communication unit; a step, by the ECP communication unit and the DB access control gateway server, generating an encryption session based on the encryption key through an ECP (Encrypted Communication Proxy) protocol; a step, by the ECP communication unit, transmitting an ECP packet including a database protocol packet provided by the database access tool and the client identification value through the encryption session; and a step, by the DB access control gateway server, determining whether access is authorized based on the client identification value included in the ECP packet received through the encryption session, and controlling access of the user terminal to the secured database server based on the determination result.

The present invention creates an encrypted session for access control to a secured database server based on authentication information in which a client identification value, which is a unique identification value stored in advance for a user terminal, is encrypted with a server identification value randomly generated at the time of user authentication, and performs credential verification for access authority to this encrypted session using the client identification value, thereby supporting consistent and accurate user authentication even in a gateway service environment in which it is difficult to identify a user terminal with network information and OS information, thereby enhancing the security and efficiency of the gateway service.

In addition, the present invention can effectively block malicious access to the client identification value and authentication information used for credentials of an encrypted session by encrypting a client identification value with a server identification value randomly generated according to user authentication to generate authentication information, and encrypting the client identification value with an encryption key generated based on the authentication information, thereby significantly enhancing the security of the gateway service for access control to the secured target database server.

Figure 1 is a configuration diagram of an existing gateway service system.
Figure 2 is an example of the operation of an existing gateway service system.
FIG. 3 is a configuration diagram of a gateway service system that supports user authentication for database access control according to an embodiment of the present invention.
FIG. 4 is an exemplary operation diagram of a gateway service system that supports user authentication for database access control according to one embodiment of the present invention.
FIG. 5 is an exemplary operation diagram of a gateway service system that supports user authentication for database access control according to another embodiment of the present invention.
FIGS. 6 and 7 are flowcharts of a gateway service method supporting user authentication for database access control of a gateway service system according to another embodiment of the present invention.

Hereinafter, detailed embodiments of the present invention will be described with reference to the drawings.

FIG. 3 is a configuration diagram of a gateway service system (hereinafter, “gateway service system”) that supports user authentication for database access control according to an embodiment of the present invention.

As described above, a gateway service system according to an embodiment of the present invention may be configured to include a user terminal (100) used by a user, a DB access control gateway server (hereinafter, “gateway server”) (200) that communicates with the user terminal (100) via a communication network, a key management server (300) that is linked to the gateway server (200), and a security target database server (hereinafter, “security target DB”) (400) that is an access target of the user terminal (100) and a security target that requires access control of the user terminal (100).

At this time, the key management server (300) can communicate with the gateway server (200) through the communication network, and the key management server (300) can be configured to be included in the gateway server (200) as a component that constitutes the gateway server (200).

Not all of the components of the gateway service system illustrated in FIG. 3 are essential components, and the gateway service system may be implemented with more components than the components illustrated in FIG. 3, or may be implemented with fewer components.

In addition, the user terminal (100) may include various terminals such as a smart phone equipped with a communication function, a portable terminal, a mobile terminal, a personal digital assistant (PDA), a portable multimedia player (PMP) terminal, a telematics terminal, a navigation terminal, a personal computer, a notebook computer, a slate PC, a tablet PC, an ultrabook, etc.

In addition, the communication network described in the present invention may include a wired/wireless communication network, and examples of such wireless communication networks include Wireless LAN (WLAN), Digital Living Network Alliance (DLNA), Wireless Broadband (Wibro), World Interoperability for Microwave Access (Wimax), Global System for Mobile communication (GSM), Code Division Multi Access (CDMA), Code Division Multi Access 2000 (CDMA2000), Enhanced Voice-Data Optimized or Enhanced Voice-Data Only (EV-DO), Wideband CDMA (WCDMA), High Speed Downlink Packet Access (HSDPA), High Speed Uplink Packet Access (HSUPA), IEEE 802.16, Long Term Evolution (LTE), Long Term Evolution-Advanced (LTE-A), Wireless Mobile Broadband Service (WMBS), 5G mobile communication service, This may include Bluetooth, LoRa (Long Range), RFID (Radio Frequency Identification), Infrared Data Association (IrDA), Ultra Wideband (UWB), ZigBee, Near Field Communication (NFC), Ultra Sound Communication (USC), Visible Light Communication (VLC), Wi-Fi, Wi-Fi Direct, etc. In addition, wired communication networks may include wired Local Area Network (LAN), wired Wide Area Network (WAN), Power Line Communication (PLC), USB communication, Ethernet, serial communication, optical/coaxial cables, etc.

In addition, the user terminal (100) may be configured to include a database access tool (database access tool) (130) for accessing the security target DB (400), a terminal agent (client agent) unit (110) for providing a user interface for receiving input information for user authentication, and an ECP communication unit (120) for communicating with the gateway server (200) through an encrypted communication channel (encrypted session) according to a preset encryption protocol.

At this time, as an example of the encryption protocol, the ECP (Encrypted Communication Proxy) protocol may be used, but is not limited thereto and various encryption protocols may be used.

In addition, the user terminal (100) may be configured to include a terminal input unit for receiving user input, a terminal storage unit for storing various types of information, a terminal display unit for displaying various types of information, a terminal communication unit for communicating with various external devices such as the gateway server (200) and a security target DB (400) through a communication network, and a terminal control unit for performing overall control functions of the user terminal (100), and the like, and the database access tool (130), the terminal agent unit (110), and the ECP communication unit (120), etc. may be configured as components constituting the terminal control unit or may be components included in the terminal control unit.

Accordingly, the database access tool (130), the terminal agent unit (110) and the ECP communication unit (120) included in the terminal control unit can communicate with various external devices including the gateway server (200) through the terminal communication unit, and the communication configuration through the terminal communication unit will be omitted below.

In addition, the gateway server (200), key management server (300), security target DB (400), etc. may be configured to include a server communication unit for communicating with various external devices through a communication network, a server storage unit for storing various types of information, a server control unit for controlling various components configured in the server including the server communication unit and the server storage unit to perform the overall control function of the server, etc.

In addition, the gateway server (200) may be configured to include an ECP access control unit (210) that performs the overall control function of the gateway server (200), and the ECP access control unit (210) may be configured as the server control unit or may be configured to be included in the server control unit, and the ECP access control unit (210) may communicate with various external devices through a communication network via the server communication unit.

At this time, the communication configuration via the server communication unit will also be omitted from the description below.

Based on the above-described configuration, the operation configuration of a gateway service system according to one embodiment of the present invention is described.

First, FIG. 4 is an exemplary operation diagram of a gateway service system according to an embodiment of the present invention. As illustrated, a user terminal (100) may be configured with a database access tool (130) for accessing a security target DB (400), a terminal agent unit (110) for providing a user interface, and an ECP communication unit (120) for performing user authentication with the gateway server (200) and creating an encrypted session in order to access the security target DB (400) through the database access tool.

At this time, the terminal agent unit (110) can display a user interface for entering a user ID and authentication key required to authenticate the user's access rights to the security target DB (400) through the terminal display unit of the user terminal (100), and can generate authentication request information including the user ID and authentication key based on the user input entered into the user interface through the terminal input unit.

In addition, the terminal agent unit (110) may collect network information and OS (operating system) information of the user terminal (100) when generating the authentication request information and include them in the authentication request information.

At this time, the network information may include the IP of the user terminal (100), the host name, the Mac address (media access control address) of the user terminal (100), the port number, etc., and the OS information may include the OS version information for the OS (Operating System) of the user terminal (100), the user's OS account information, etc.

Additionally, the terminal agent unit (110) can provide the authentication request information to the ECP communication unit (120).

Additionally, the ECP communication unit (120) can transmit the authentication request information to the gateway server (200).

In addition, the gateway server (200) may be configured to include an ECP access control unit (210) for performing accurate authentication of a user of the user terminal (100) and creating an encrypted session with the ECP communication unit (120).

The above ECP access control unit (210) can, when receiving the authentication request information, generate authentication target information including the user ID and authentication key included in the authentication request information and transmit it to the key management server (300).

In addition, the key management server (300) can perform authentication on a user based on the authentication target information, and provide authentication result information on whether authentication was successful to the ECP access control unit (210) of the gateway server (200).

In addition, the ECP access control unit (210) can generate authentication information based on the network information and OS information included in the authentication request information when user authentication is successful based on the authentication result information, transmit the authentication information to the key management server (300), and cause the authentication information to be stored in the key management server (300).

At this time, the authentication information may include the network information and OS information.

In addition, the ECP access control unit (210) can transmit the authentication result information to the ECP communication unit (120) of the user terminal (100).

In addition, the ECP communication unit (120) can transmit encryption key request information for requesting an encryption key for use in the encryption session to the ECP access control unit (210) when authentication is successful according to the authentication result information.

In addition, the ECP access control unit (210) may, upon receiving the encryption key request information, generate key generation request information for requesting the key management server (300) to generate an encryption key and decryption key based on the authentication information and transmit the generated key generation request information to the key management server (300).

In addition, the key management server (300) can generate an encryption key and a decryption key based on the authentication information when receiving the key generation request information and then provide the encryption key to the ECP access control unit (210) of the gateway server (200).

At this time, the key management server (300) can store and manage the authentication information and the decryption key in a mutually matched state.

In addition, the ECP access control unit (210) can transmit the encryption key to the ECP communication unit (120) of the user terminal (100) in response to the encryption key request information when receiving the encryption key, and create an encryption session with the ECP communication unit (120) through the ECP (Encrypted Communication Proxy) protocol.

Accordingly, the ECP communication unit (120) of the user terminal (100) can, after receiving the encryption key, encrypt the packet with the encryption key according to the ECP protocol and transmit it to the ECP access control unit (210) when a packet for accessing the security target DB (400) is generated according to user input in the database access tool (130) configured in the user terminal (100).

At this time, the ECP communication unit (120) can transmit authentication information including the network information and OS information to the ECP access control unit (210) through the encryption session.

In addition, the ECP access control unit (210) requests a decryption key from the key management server (300) based on authentication information received through the encryption session in which the encrypted packet was received when the encrypted packet is received through the encryption session, and upon receiving a decryption key corresponding to the authentication information from the key management server (300) in response to the decryption key request, the ECP access control unit (210) can decrypt the encrypted packet based on the received decryption key.

In addition, the ECP access control unit (210) can transmit the packet to the security target DB (400) through a relay session with the security target DB (400).

In this way, the gateway service system according to an embodiment of the present invention performs user authentication for configuring an encrypted session (encrypted communication channel) based on an ECP, and, based on an authentication result based on the user authentication, generates an encrypted session based on authentication information including network information and OS information collected from an OS of a user terminal (100) by a terminal agent unit (110), and then uses the authentication information as a credential verification item for the encrypted session and an audit item for the relay session, thereby enabling the user to successfully verify the credential of an access session to the secured target DB (400) without an additional authentication procedure while the authentication information is maintained.

However, in the gateway service system according to one embodiment of the present invention described above, when the user terminal (100) transmits a packet to access an external server such as a security target DB (400), if the network information for specifying the user terminal (100) is changed through a NAT (Network Address Translation) device or process or some information is missing in the OS information, a problem occurs in which the user terminal (100) provides authentication information different from the authentication information used to create the encryption session, and thus, even though the user terminal (100) has access rights to the security target DB (400), the user terminal (100) cannot be specified, and thus the authentication verification of the encryption session fails.

In addition, as described above, if user credentials for an encrypted session are verified using authentication information that includes network information and OS information, it is easy to access the encrypted session simply by stealing the authentication information, which creates a security vulnerability.

Therefore, based on the configuration of the gateway service system according to the above-mentioned Fig. 3, an operation example of a gateway service system according to another embodiment of the present invention that improves the problem of the gateway service system described in Fig. 4 is proposed as follows.

FIG. 5 is a detailed configuration diagram and an example operation diagram of a gateway service system according to another embodiment of the present invention, and FIGS. 6 and 7 are operation flowcharts of a gateway service system according to another embodiment of the present invention.

As illustrated, the user terminal (100) may be configured with a database access tool (130) for accessing the security target DB (400), a terminal agent unit (110) providing a user interface, and an ECP communication unit (120) that performs user authentication with the gateway server (200) and creates an encrypted session to access the security target DB (400) through the database access tool while interlocked with the terminal agent unit (110).

The terminal agent unit (110) configured in the user terminal (100) displays a user interface for inputting a user ID and authentication key required to authenticate the user's access rights to the security target DB (400) through the terminal display unit of the user terminal (100), and can generate authentication request information including the user ID and authentication key based on the user input entered into the user interface through the terminal input unit.

At this time, the terminal agent unit (110) may preset a client identification value corresponding to the user terminal (100) and may generate the authentication request information further including the preset client identification value for the user terminal (100) (S1).

In addition, the terminal agent unit (110) may collect network information and OS information of the user terminal (100) when generating the authentication request information and include them in the authentication request information.

At this time, the network information may include the IP of the user terminal (100), the hostname, the Mac address of the user terminal (100), the port number, etc., and the OS information may include the OS version information for the OS (Operating System) of the user terminal (100), the user's OS account information, etc.

Additionally, the terminal agent unit (110) can provide the authentication request information to the ECP communication unit (120).

Additionally, the ECP communication unit (120) can transmit the authentication request information to the gateway server (200) (S2).

In addition, the ECP access control unit (210) configured in the gateway server (200) can request authentication (user authentication) for the authentication target information by generating authentication target information including the user ID and authentication key included in the authentication request information and transmitting the authentication request information to the key management server (300) when receiving the authentication request information from the ECP communication unit (120) of the user terminal (100) (S3).

Accordingly, the key management server (300) can perform user authentication based on the user ID and authentication key included in the authentication target information when receiving the authentication target information, and transmit authentication result information on whether the authentication was successful to the ECP access control unit (210).

For example, if there is user registration information that matches the user ID and authentication key among the user registration information of multiple different users pre-stored in the key management server (300) for user authentication, the key management server (300) may determine that the authentication of the user corresponding to the authentication target information is successful and provide authentication result information on the successful authentication to the ECP access control unit (210).

In addition, the key management server (300) can generate a server identification value upon successful authentication based on the authentication target information and then provide the server identification value and authentication result information together to the ECP access control unit (210).

At this time, the key management server (300) can randomly generate a one-time server identification value when authentication is successful (when user authentication is successful), and the server identification value can be configured as a one-time universally unique identifier (UUID) used as an encryption session unit.

In addition, the ECP access control unit (210) can extract the client identification value included in the authentication request information when authentication is successful based on the authentication result information provided from the key management server (300), and encrypt the client identification value with the server identification value to generate authentication information for server storage.

At this time, the ECP access control unit (210) can generate a hash value by hashing the client identification value with the server identification value according to a preset hash algorithm, and then generate the server storage authentication information composed of or including the hash value.

In addition, the ECP access control unit (210) can transmit the server storage authentication information to the key management server (300) so that it is stored in the key management server (300) (S4).

Additionally, the ECP access control unit (210) can provide the authentication result information to the ECP communication unit (120).

In addition, the ECP communication unit (120) can receive the authentication result information, and if the authentication result according to the authentication result information is a success, generate first encryption key request information including the client identification value and transmit it to the ECP access control unit (210) (S5).

In addition, the ECP access control unit (210) can, when receiving the first encryption key request information from the ECP communication unit (120), encrypt the client identification value included in the first encryption key request information with the server identification value to generate authentication information (hereinafter, authentication information for encryption key request).

At this time, the ECP access control unit (210) can generate a hash value by hashing the client identification value included in the first encryption key request information with the server identification value according to a preset hash algorithm, and can generate authentication information for an encryption key request composed of or including the hash value.

In addition, the ECP access control unit (210) can generate second encryption key request information corresponding to the first encryption key request information based on the authentication information for the encryption key request and transmit it to the key management server (300) (S6).

At this time, the ECP access control unit (210) can generate second encryption key request information including authentication information for the encryption key request and transmit it to the key management server (300).

In addition, when receiving the second encryption key request information, the key management server (300) determines whether the encryption key request authentication information included in the second encryption key request information matches the server storage authentication information, and if there is pre-stored server storage authentication information that matches the encryption key request authentication information based on the match, the key management server (300) can generate an encryption key and transmit it to the ECP communication unit (120).

At this time, the key management server (300) can generate the encryption key based on the server storage authentication information that matches the encryption key request authentication information, and when generating the encryption key, the server storage authentication information and the encryption key can be matched with each other and stored in the server storage of the key management server (300) for management.

In the above-described configuration, for the operation configuration of the key management server (300) as described above, the key management server (300) may be configured to include an authentication unit, an identification value generation unit, an authentication information management unit, an encryption key generation unit, etc., and the authentication unit, the identification value generation unit, the authentication information management unit, the encryption key generation unit, etc. may be components that constitute the server control unit of the key management server (300).

The above authentication unit can authenticate the user of the user terminal (100) based on the user ID and authentication key, and compare the user registration information for each user pre-stored in the server storage unit included in the key management server (300) with the user ID and authentication key included in the authentication target information, and if there is user registration information including a user ID and authentication key that matches the user ID and authentication key, it can be determined that the authentication of the user corresponding to the user ID is successful.

In addition, the identification value generation unit can randomly generate a server identification value based on the authentication result of the authentication unit in conjunction with the authentication unit, and provide authentication result information on the server identification value and the authentication result of the authentication unit (authentication success or authentication failure) to the ECP access control unit (210).

In addition, the authentication information management unit can store the server storage authentication information transmitted from the ECP access control unit (210) in the server storage unit.

In addition, the encryption key generation unit can compare the encryption key request authentication information included in the second encryption key request information received from the ECP access control unit (210) with the server storage authentication information, and if they match, can generate an encryption key to be used in the encryption session and provide it to the ECP access control unit (210).

Meanwhile, the ECP access control unit (210) can transmit the encryption key to the ECP communication unit (120) upon receiving the encryption key (S7), and can create an encryption session with the ECP communication unit (120) through the ECP protocol based on the encryption key (S8).

At this time, the ECP access control unit (210) can assign the server identification value to the encryption session.

In addition, the ECP communication unit (120) can generate an ECP packet including a database protocol packet, which is a packet generated by the database access tool (130) based on user input after the encryption session is created, and the client identification value, and transmit the packet to the ECP access control unit (210) through the encryption session (S9).

At this time, the ECP communication unit (120) can encrypt the database protocol packet and the client identification value with the encryption key according to a preset encryption algorithm (or encryption/decryption algorithm) and then generate an ECP packet including the encrypted database protocol packet and the encrypted client identification value.

Additionally, the ECP communication unit (120) can transmit the ECP packet to the ECP access control unit (210).

Meanwhile, the ECP access control unit (210) determines whether the user terminal (100) has access to the security target DB (whether access is granted or whether access (connection) authority exists) based on the client identification value included in the ECP packet received through the encryption session, and can control the user terminal's (100) access to the security target DB (400) based on the determination result (S10).

At this time, the ECP access control unit (210) determines whether the user (or the user terminal (100)) has access to the security target DB (400) (whether access authority exists or not) based on the client identification value included in the ECP packet and the server identification value assigned to the encryption session, and may allow or block the user terminal's (100's) access to the security target DB (400) based on the presence or absence of the access authority.

To explain this in detail, the ECP access control unit (210) can decrypt the encrypted database protocol packet and the encrypted client identification value included in the ECP packet using the encryption key to obtain the database protocol packet and the client identification value.

At this time, the ECP access control unit (210) can decrypt the encrypted database protocol packet and the encrypted client identification value with the encryption key through a preset decryption algorithm corresponding to the encryption algorithm set in the ECP communication unit (120) (or a preset encryption/decryption algorithm that is identical to the encryption/decryption algorithm set in the ECP communication unit (120).

In addition, if the ECP access control unit (210) succeeds in decrypting the database protocol packet with the encryption key, it determines that it has access authority to the security target DB (400) and can transmit the database protocol packet to the security target DB (400).

At this time, the ECP access control unit (210) can transmit the database protocol packet to the security target DB (400) through a relay session established between the gateway server (200) and the security target DB (400).

In the above-described configuration, the encryption key may include an encryption key and a decryption key, and the ECP access control unit (210) may transmit the encryption key to the ECP communication unit (120) and set (assign) the decryption key to correspond to the encryption session.

Accordingly, the ECP communication unit (120) can encrypt the database protocol packet and the client identification value with the encryption key, and then generate and transmit an ECP packet including the encrypted database protocol packet and the encrypted client identification value.

In addition, the ECP access control unit (210) can decrypt the encrypted database protocol packet and the encrypted client identification value included in the ECP packet received through the encrypted session using a decryption key assigned to the encrypted session.

In addition, in the above-described configuration, the ECP access control unit (210) can transmit authentication information for credentials, which is encrypted with the client identification value obtained from the ECP packet using the server identification value assigned to the encryption session, to the key management server (300).

At this time, the authentication information for the credentials may be composed of a hash value obtained by hashing the client identification value obtained from the ECP packet with the server identification value through a preset hash algorithm, or may be composed including the hash value.

In addition, the ECP access control unit (210) may generate credential verification request information including authentication information for the credential to request credential verification of a user who accessed through an encrypted session and transmit it to the key management server (300).

In addition, the key management server (300) determines whether to verify the credential based on the presence of the server storage authentication information that matches the authentication information for the credential upon receiving the credential verification request information, and can provide the verification result information on whether to verify the credential (whether the credential verification is successful or whether the credential verification is complete) to the ECP access control unit (210).

At this time, the encryption key generation unit included in the key management server (300) may perform the credential verification, or a separate credential verification unit for performing the credential verification may be configured in the key management server (300).

In addition, the ECP access control unit (210) can transmit the database protocol packet to the security target DB (400) when verifying credentials (when verification is successful or when verification is completed) based on the verification result information.

In the above-described configuration, the terminal agent unit (110) may include network information and OS information for the user terminal (100) in the authentication request information.

In addition, the ECP communication unit (120) can transmit an ECP packet including network information and OS information of the user terminal (100) to the ECP access control unit (210).

In addition, the ECP access control unit (210) can assign network information and OS information included in the authentication request information to the encryption session when creating an encryption session corresponding to the authentication request information.

In addition, the ECP access control unit (210) may encrypt the client identification value obtained from the ECP packet with a server identification value to generate authentication information for the credential if (or only if) the network information and OS information included in the ECP packet do not match the network information and OS information allocated to the encryption session, and then perform credential verification in conjunction with the key management server (300).

That is, the ECP access control unit (210) uses the network information and OS information as relay session audit items and uses the client identification value to verify credentials for access rights to the security target DB (400) for the user of the user terminal (100), thereby accurately distinguishing and identifying the user of the user terminal (100) and accurately verifying whether the user has access rights to the security target DB (400).

As described above, the present invention creates an encrypted session for access control to a secured database server based on authentication information in which a client identification value, which is a unique identification value stored in advance for a user terminal (100), is encrypted with a server identification value randomly generated at the time of user authentication, and performs credential verification for access authority to this encrypted session using the client identification value, thereby supporting consistent and accurate user authentication even in a gateway service environment in which it is difficult to identify a user terminal (100) with network information and OS information, thereby enhancing the security and efficiency of the gateway service.

In addition, the present invention can effectively block malicious access to the client identification value and authentication information used for credentials of an encrypted session by encrypting a client identification value with a server identification value randomly generated according to user authentication to generate authentication information, and encrypting the client identification value with an encryption key generated based on the authentication information, thereby significantly enhancing the security of the gateway service for access control to the secured target database server.

The components described in the embodiments of the present invention may be implemented using one or more general-purpose computers or special-purpose computers, such as, for example, hardware such as a memory, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), a programmable logic unit (PLU), a microprocessor, a logic gate, software including an instruction set, or a combination thereof, or any other device capable of executing and responding to instructions.

The various devices and components described herein may be implemented by hardware circuits (e.g., CMOS-based logic circuits), firmware, software, or a combination thereof. For example, they may be implemented by utilizing transistors, logic gates, and electronic circuits in the form of various electrical structures.

The above-described contents can be modified and changed by those skilled in the art to which the present invention pertains, without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention, but to explain it, and the scope of the technical idea of the present invention is not limited by these embodiments. The protection scope of the present invention should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the rights of the present invention.

100: User terminal 110: Terminal agent part
120: ECP Communications Section 130: Database Access Tool
200: DB Access Control Gateway Server
210: ECP Access Control 300: Key Management Server
400: Secure target DB

Claims (9)

A gateway service system including a user terminal configured with a database access tool and a user interface for accessing a secured database server, a DB access control gateway server performing an access control function for the secured database server, and a key management server linked with the DB access control gateway server,
The user terminal includes a terminal agent unit which generates authentication request information for a user authentication request including a user ID and an authentication key and a pre-stored client identification value, and an ECP communication unit which transmits the authentication request information to the DB access control gateway server and, upon successful authentication, transmits first encryption key request information including the client identification value, and, upon receiving an encryption key corresponding to the first encryption key request information, configures an encryption session with the DB access control gateway server through an ECP (Encrypted Communication Proxy) protocol, and transmits a database protocol packet provided by the database access tool and an ECP packet including the client identification value through the encryption session.
The DB access control gateway server, upon receiving the authentication request information, transmits the user ID and authentication key to the key management server to request authentication, and upon successful authentication, encrypts the client identification value included in the authentication request information based on the server identification value provided from the key management server to generate server-storage authentication information and transmits the encrypted information to the key management server, and generates second encryption key request information for an encryption key request based on encryption key request authentication information generated by encrypting the client identification value included in the first encryption key request information received from the ECP communication unit with the server identification value and transmits the encrypted information to the key management server, and transmits the encrypted information provided from the key management server to the ECP communication unit based on whether the encryption key request authentication information and the server-storage authentication information match, and creates an encryption session with the ECP communication unit through the ECP protocol based on the encryption key, determines whether access is authorized based on the client identification value included in the ECP packet received through the encryption session, and controls access of the user terminal to the secured database server based on the determination result.
A gateway service system supporting user authentication for database access control including . In claim 1,
The above server identification value is a value randomly generated upon successful authentication by the key management server, and is characterized by being composed of a one-time universally unique identifier (UUID) used per encryption session. In claim 1,
The above key management server,
An authentication unit that performs authentication on a user of the user terminal based on the user ID and authentication key;
An identification value generation unit that randomly generates the server identification value according to the authentication result of the authentication unit and transmits the server identification value to the ECP access control unit;
An authentication information management unit that stores authentication information for the above server storage; and
An encryption key generation unit that compares the encryption key request authentication information included in the second encryption key request information received from the ECP access control unit with the server storage authentication information and, if they match, generates an encryption key to be used for the encryption session and provides it to the ECP access control unit.
A gateway service system supporting user authentication for database access control, characterized by including: In claim 1,
The ECP communication unit encrypts the database protocol packet and the client identification value with the encryption key and then transmits the ECP packet including the encrypted database protocol packet and the encrypted client identification value to the ECP access control unit.
A gateway service system supporting user authentication for database access control, characterized in that the ECP access control unit decrypts the encrypted database protocol packet and the encrypted client identification value included in the ECP packet using the encryption key. In claim 1,
A gateway service system supporting user authentication for database access control, characterized in that the ECP access control unit assigns the server identification value to the encryption session, encrypts the client identification value obtained from the ECP packet received through the encryption session with the server identification value, transmits the credential authentication information to the key management server, and transmits the database protocol packet to the secured database server when verifying the credential according to whether the credential authentication information and the server storage authentication information match in conjunction with the key management server. In claim 5,
The above terminal agent part includes network information and OS information for the user terminal in the authentication request information,
A gateway service system supporting user authentication for database access control, characterized in that the ECP access control unit, when creating an encryption session corresponding to the authentication request information, assigns network information and OS information included in the authentication request information to the encryption session, and if the network information and OS information included in the ECP packet do not match the network information and OS information assigned to the encryption session, creates authentication information for the credentials and then performs credential verification in conjunction with the key management server. In claim 5,
A gateway service system supporting user authentication for database access control, characterized in that the ECP access control unit generates authentication information including a hash value generated by hashing the client identification value with the server identification value as authentication information for server storage, authentication information for requesting the encryption key, or authentication information for the credential. In claim 1,
A gateway service system supporting user authentication for database access control, characterized in that the ECP access control unit transmits authentication result information on successful authentication to the ECP communication unit when authentication is successful using the user ID and authentication key of the key management server. A gateway service method of a gateway service system including a user terminal configured with a database access tool and a user interface for accessing a secured database server, a DB access control gateway server performing an access control function for the secured database server, and a key management server linked with the DB access control gateway server,
A step for generating authentication request information including a user ID, an authentication key, and a pre-stored client identification value by a terminal agent configured in the user terminal;
A step in which the ECP communication unit of the user terminal transmits the authentication request information to the DB access control gateway server;
A step in which the DB access control gateway server requests authentication by transmitting the user ID and authentication key included in the authentication request information to the key management server;
A step in which the DB access control gateway server, upon successful authentication, encrypts the client identification value included in the authentication request information based on the server identification value provided from the key management server, creates server-storage authentication information, and then transmits the encrypted client identification value to the key management server;
A step in which the ECP communication unit transmits first encryption key request information including the client identification value to the DB access control gateway server when authentication is successful;
A step in which the DB access control gateway server encrypts the client identification value included in the first encryption key request information with the server identification value to generate authentication information for an encryption key request, and generates second encryption key request information based on the authentication information for the encryption key request and transmits the information to the key management server;
The step of the DB access control gateway server transmitting the provided encryption key to the ECP communication unit based on whether the authentication information for requesting the encryption key matches the authentication information for storing the server from the key management server;
A step in which the ECP communication unit and the DB access control gateway server create an encrypted session through the ECP (Encrypted Communication Proxy) protocol based on the encryption key;
The step of the ECP communication unit transmitting an ECP packet including a database protocol packet provided by the database access tool and the client identification value through the encrypted session; and
A step in which the DB access control gateway server determines whether access is authorized based on the client identification value included in the ECP packet received through the encrypted session, and controls the user terminal's access to the secured database server based on the determination result.
A gateway service method supporting user authentication for database access control including .

Images