KR20110128371A - Mobile Client Security Authentication System and Central Control System and Its Operation Method - Google Patents

Abstract

The present invention provides a security authentication system for authenticating a mobile client (hereinafter referred to as a "client"), a user, an application program, and the like, and a management system for integrating and managing a mobile client, such as a smartphone, PDA, and laptop, to access a predetermined wireless network. As a method of operation,
In more detail, the security authentication system is composed of a VPN management device (120a), a connection management device (120b), a security management device (120c), an application management device (120d), the VPN management device (120a) is defined in advance Only applications with a predetermined security code allow access, and applications that do not have a predetermined security code or have different security codes cannot access the internal network through a VPN. In addition, through the VPN management device ON / OFF, you can conveniently use the internal network and the Internet.
The access management device 120b is responsible for transmitting the event information generated from the terminal to the central control system via the VPN gateway.
The security management device 120c receives an administrator authentication code from the central control system, releases the client lock function, generates an encryption key (mOTK, mobile OneTime Key) which is updated by a predetermined time unit, and can be used in an enterprise wireless communication network. Encrypt and save SSID DB. It performs a function to verify the safety of the AP and access wireless communication network. The use of terminal media (cameras, MICs, communication devices, I / O devices) is controlled by the authority granted centrally.
The application management apparatus 120d stores a data in a secure area or calls a stored data. If the VPN does not operate or does not satisfy certain requirements, the data in the secure area is not visible.

Description

Mobile Authentication System and Central Control System, and the method of operating them for Mobile clients}

The present invention relates to mobile client authentication connected to a predetermined wireless network, and more particularly, to manage and authenticate an enterprise application program in a mobile client in a secure area of a memory, and to generate an encryption key that is periodically changed when accessing an internal communication network. The present invention relates to a security authentication system for communicating, receiving an administrator authentication code, and releasing a mobile client lockout function and a method of operating the system.

Mobile devices such as smartphones, PDAs, and laptops use TCP / IP, HTTP, and other Internet protocols using wireless networks such as 3G, Wibro, and WiFi, so they are more vulnerable to security than wired and are always exposed to hacking and other risks. . In general, the smartphone has a built-in WiFi function to connect to the network using the SSID of the wireless AP, 3G, Bluetooth, etc. can be used. In order to use vulnerable wireless network safely, WPA2 is used to perform encrypted communication, and RADIUS authentication and VPN communication are used to realize more secure communication environment. In the case of such authentication, authentication is performed using predetermined user and terminal information registered in advance.

In case of general client, password-based lock function is provided to prevent others from viewing the client's internal information without permission. In some cases, the password may be locked or data initialized after a certain number of times. The smartphone management system provides a remote delete function and a terminal management function in case of loss, and provides a function to control a camera microphone, a communication device, etc. in the smartphone, thereby reinforcing security functions.

However, wireless security vulnerabilities make it difficult for companies to use smartphones with confidence. When accessing the corporate internal network using a wireless terminal infected with malware, the internal network is in great confusion and danger.If the access ID or password information is leaked by the AP phishing impersonating the same SSID in the enterprise, The costs and equipment invested in the process will not only be useless but also cause significant damage to the enterprise.

Therefore, while eliminating the vulnerability of the wireless security according to the prior art, there is an urgent solution for providing a more secure and convenient secure access authentication.

[Document 1] Application No. 10-2005-0120539 A method and apparatus for protecting user information for a mobile communication terminal and a computer-readable recording medium storing a program for implementing the same [Document 2] Application No. 10-2009-7020967 Systems and methods for controlling service access on a wireless communication device [Document 3] Application No. 10-2005-0072632 Method and apparatus for securing security for local network access from remote [Document 4] Application No. 10-2004-0052217 A computer-readable recording medium recording a method for controlling access to a user computer and a program for executing the same [Document 5] Application number 10-2005-0023327 Network management system and network management server interworking with authentication server

The present invention has been made to improve the prior art as described above, the user inputs the authentication information (electronic employee ID, fingerprint recognition, RFID, PKI, password, etc.) to the client terminal to transmit to the authentication system, the authentication system is registered Terminal authentication and user authentication by checking the received authentication information (terminal unique number SN, terminal user's personal code HID, usage period, TimeStamp, hash value, etc.) to complete client local authentication, and use a plurality of information used in the internal communication network. By providing system SSO access authentication service, it aims to improve security and increase company productivity.

An object of the present invention is to add an application authentication function to the existing unique VPN function to strictly limit the use of the internal communication network of the application program used in the wireless client terminal to prevent the spread of malicious code to the internal network and to provide wireless client terminal and network equipment Cross-authentication prevents malicious hacking by phishing with the same SSID, preventing internal information from leaking.

In addition, the present invention is to secure the wireless client terminal data by setting a secure area in the mobile client storage device, and the data analysis is impossible even if the data is stolen by a hacker or malicious code or the terminal is stolen, and when the remote management function is granted It aims to minimize the battery consumption of the smartphone to eliminate inconvenience on using the smartphone and achieve the desired security objectives.

In order to achieve the above object and to solve the above-mentioned problems of the prior art, the present invention provides a VPN management device (120a) and the connection management device (120b) for transmitting the information generated from the terminal, and enhanced the existing VPN function, authentication function and The security management system 120c in charge of the control function, the application management device 120d in charge of the application management is composed of a security authentication system 121 and the central control system 400 for integrated management.

The VPN management device 120a performs encrypted communication with the VPN Gateway 122 by IPsec or SSL VPN communication, but provides an option selection function to automatically bypass the VPN encryption function during voice communication, and the VPN management device 120a. ) On / Off function is provided in UI environment, and when connected to internal communication network, VPN management device is automatically turned on to connect. In case of VPN ON, only the authenticated application can pass through the VPN management device with the security code predefined by the internal protocol. When the VPN function is inactive, the application equipped with the security code connects the corporate internal communication network and the business system after running the VPN through a predetermined code defined in the VPN module. By turning off the VPN management device, access to the internal IT network may be blocked and the Internet may be accessed using an external public network.

The connection management device 120b is responsible for transmitting the information generated from the client to the center and checking the terminal status.

When connecting to a mobile server in the company's internal communication network in 3G, Wibro, WiFi, etc., or if the password fails more than a certain number of times, the client can query the terminal control status from the central control system. In case of failure, the lock function is provided and the lock function is released by receiving the authentication code for unlocking the lock function sent by the administrator.

In addition, the operation method of the security management device (120c) is a database 410 that records more than three pieces of information about the user, such as terminal information consisting of a personal code such as company number, social security number and terminal serial number and MAC for IP communication Keep it;

Data is extracted by adding a personal code 411d, a terminal unique number 411c, a MAC 411b, a TimeStamp 411f that is changed in a predetermined period unit, and a Salt value allocated to a predetermined size, and the extracted data is hashed. Generate or update the mobile user authentication information (mOTK, mobile One Time Key) to encrypt using.

 If the passwords match during the mOTK generation process, the mOTK information generated by starting the VPN management apparatus 120a is transmitted to the central control system 400 through the VPN gateway, and the central control system corresponds to whether the transmitted information and the user information correspond. Determine the validity of the authentication information,

The client checks whether the required program is installed, the program properties and the authorization table assigned to the individual by using the received authentication information, and grants the client permission to use WiFi, Bluetooth, Wibro, Camera, Mic and other input / output devices. .

In the method of the two-way authentication between the wireless AP and the mobile client,

When the mobile clients 102 and 103 register a cipher text or an image in advance with the central control system 400 and want to access the wireless AP 109 using the SSID previously registered in the mobile client, the central control system 400 preliminarily The cipher text or the image registered in the transmission to the mobile client (102, 103), the mobile client uses a two-way authentication scheme to perform the VPN authentication procedure after verifying the suitability of the network by decrypting the received cipher text.

In addition, the application management device (120d) Application authentication is performed according to whether a security code is installed in a certain rule, and there is a function to control only authorized applications to communicate through a VPN.

Encrypts certain areas of the mobile client's memory (hereinafter referred to as 'security area', 521) with block encryption algorithms such as AES and ARIA, implements the security area so that files are invisible, and temporarily releases the security area setting during VPN operation. to provide.

Data transmitted for work is stored in the security areas 521 and 541 and the stored data is called and used.

According to the present invention, a user inputs authentication information into a client terminal and transmits the authentication information to a central control system, and authenticates access to an intranet and a plurality of servers connected to the intranet through the central control system, thereby providing a faster and more efficient connection authentication service. To improve the productivity of the enterprise.

According to the present invention, a terminal that is not always turned on, such as a notebook PC or a PC, is authenticated by the central control system to access the intranet and the plurality of servers connected to the intranet, thereby performing a booting operation of an operating system. Information security incidents can be prevented in advance.

As described above, although the present invention has been described by way of limited embodiments and drawings, the present invention is not limited to the above-described embodiments, which can be variously modified and modified by those skilled in the art to which the present invention pertains. Modifications are possible. Accordingly, the spirit of the present invention should be understood only by the claims set forth below, and all equivalent or equivalent modifications thereof will belong to the scope of the present invention.

1 is a view for explaining the encryption communication and authentication of the wireless communication system according to the prior art.
2 is a diagram illustrating a configuration of a mobile system according to an exemplary embodiment of the present invention.
3 is a block diagram illustrating a security authentication system device structure and operation method according to the present invention.
4 is a flowchart illustrating a method of operating an authentication system for providing an authentication service in an internal wireless communication network according to the present invention.
5 is a flowchart illustrating a method of operating an authentication system for providing an authentication service in an external mobile communication network according to the present invention.
6 is a block diagram of an internal module showing an operation method between each module of the central control system according to the present invention.
7 is a diagram illustrating an example of a memory structure of a smartphone according to an embodiment of the present invention.
8 is a diagram illustrating an example of a database according to an embodiment of the present invention.
9 is a diagram illustrating an example of an authority management table according to an embodiment of the present invention.
10 is a flowchart illustrating a method of operating a central control system for providing an authentication service according to the present invention.

1 is a view illustrating encryption communication and authentication of a wireless communication system according to a conventional prior art. Encryption of existing wireless communication is encrypted communication through a VPN gateway and a VPN gateway of a wireless terminal such as a smartphone, a PDA, a notebook computer, and a PC. Was provided, and authentication of the terminal and the user was provided through the authentication server.

Referring to FIG. 2, the mobile system configuration diagram 100 according to the present invention includes an internal wireless communication network and an information providing system. The internal wireless communication network can communicate with Internet protocols such as TCP / IP (Transmission Control Protocol / Internet Protocol) or HTTP (HypertexT Transfer Protocol) via WiFi, 3G, Bluetooth, and the like. One or more servers 105 and one or more client terminals 101 may be connected to the communication network 107. In order to access the mobile server 105, the client terminal 101 transmits authentication information to the central control system 400 to perform connection authentication.

For example, the client terminal 101 transmits authentication information to the central control system 400 to access the server 105. Accordingly, the central control system 400 maintains a database 410 that records predetermined user information input from the user in advance, and determines whether the authentication information is valid. To this end, the authentication information may be one or more of a mobile one time key (mOTK), a public key infrastructure, a smart card, RFID tag information, or biometric information. When the authentication information is generated in the client, the VPN is started and the generated information is transmitted. The VPNGateway 122 determines whether the transmitted information corresponds to the user information and determines whether to connect to the VPN to determine the VPN connection. Will be sent to.

For example, when the authentication information has a public key infrastructure, the client terminal 101 encrypts the authentication information through the public key and transmits the authentication information to the central control system 400. The private key corresponding to the public key stored in the client terminal 101 is recorded in the database of the central control system 400 as the user information. The central control system 400 receives the encrypted authentication information from the client terminal 101, decrypts the encrypted authentication information using the private key corresponding to the public key stored in the client terminal with reference to the database. Verify the validity of the authentication information.

As another example, when the authentication information is a smart card of the user of the client terminal 101, the central control system 400 confirms whether the authentication information and the user information match, thereby authenticating the connection of the client terminal 101. can do. As another example, when the authentication information is biometric information collected through a predetermined biometric module, the central control system 400 may include biometric information recorded in a database and biometric information input from the client terminal 101. It is possible to authenticate the connection of the client terminal 101 by checking whether the correspondence.

If the authentication information received from the client terminal 101 is legitimate, the central control system 400 performs the wireless communication network access authentication through the authentication information, and when connected to the wireless communication network, is connected to the wireless communication network. Connection authentication is performed to the mobile server 105 of the intranet. Through this series of authentication processes, the client terminal 101 can use the mobile server and information or resources through the intranet.

3 is a VPN management device (120a) for strengthening the existing VPN function and the connection management device (120b) for transmitting information generated from the terminal, a security management device (120c) for the authentication function and the control function as described, the application It consists of a security authentication system 121 is composed of an application management device (120d) in charge of the management and the central control system (400) for integrated management.

If the client essential program installation and program properties according to an embodiment of the present invention is checked and the central requirements are not pre-defined, VPN authentication is not allowed, thereby preventing access to the internal wireless communication network. Authorize each user to use WiFi, Bluetooth, Wibro, Camera, Mic and other I / O devices. In case of outputting related contents connected with output device, it has the function to save and transmit user, time, output location, title of printout and part of contents as log.

For example, when the authentication information has an mOTK structure, the client terminal 101 generates authentication information in the following manner.

  Creation method: mOTK = hash (Personal Code + Terminal Code + MAC + T / S + Salt)

     * Personal code (input number when generated with company number, week number, ID, etc.)

     * Terminal code (Serial Number, etc.)

     MAC address

     * T / S (Time Stamp, automatically generated every 1-2 hours)

The mOTK periodically generated by the terminal is transmitted to the central control system 400 through the activated VPN management device.

When a mobile terminal such as a smartphone is unlocked and connected to a 3G or internal wireless communication network, the mobile terminal checks whether it is lost. If the password for the lock function is wrong more than a specified number of times, the security management device 120c installed in the wireless terminal is stored. By checking whether or not the loss is obtained from the central control system (400). If it is confirmed that the terminal is lost, the stored data is processed by a predetermined procedure.

When the mobile client has been permanently locked more than a predetermined number of times, the user reports and the administrator sends the authentication code for unlocking the lock through a predetermined procedure.

4 and 5, an example of the flow of security authentication according to the present invention will be described in connection with the corporate internal network via WiFi and 3G when the client terminal is connected in WiFi, the client terminal via the wireless AP The authentication information is transmitted to the central control system, and the central control apparatus performs authentication after determining the validity of the authentication information. After successful authentication, an encryption session such as AES is performed between the wireless client terminal and the wireless AP. It sends ID and password information to VPN Gateway for VPN communication, and the VPN Gateway queries the central control system for the information. After authentication is performed with a valid ID and password, encrypted tunneling is generated between the wireless client terminal and the VPN gateway. At this time, the encryption algorithm may utilize ARIA, AES, and the like. After the VPN tunneling is created, the wireless terminal client notifies the management device that the connection is established, and is connected to the mobile server for internal business use to ensure secure communication. As an example of the present invention, when connected in 3G, after the connection request and approval with the carrier can maintain the same security authentication flow as in the case of WiFi can perform the internal business.

Referring to FIG. 7, a security area for encrypting a memory of a client of the present invention and giving a stealth attribute will be described. Generally, a smartphone inserts a processor 510, commonly referred to as a CPU, a random access memory (520) capable of reading and writing memory, a ROM (read only memory 530) used only as a reading area, and a memory card. It consists of a mass storage device 540 that can be used as a mass storage device.

According to an example of the present invention, the application management device 120d encrypts a predetermined area of the RAM 520 to grant a stealth attribute, and temporarily releases the stealth function during the VPN operation to store data transmitted for the work in the security area. By calling the stored data and using it, it is possible to prevent the leakage of internal information due to malware, loss and hacking.

A predetermined space of the client internal memory 520 and the external memory 540 is set as the security areas 521 and 541 according to an embodiment of the present invention, and the allocated memory space is generated as one security file. Security files are mounted through identification and authentication and appear in the form of folders in Windows Explorer, and the mounted security zones can be accessed by applications in the same way as general folders. In addition, files stored in the security area are encrypted by block encryption algorithms such as AES and ARIA, and are unmounted so that they cannot be accessed. As an example of the identification and authentication method, there is a case of operating a VPN or performing a predefined task, and temporarily removing the stealth function through identification and authentication to store the data transmitted for the business in the security area. Application and enterprise data can be automatically stored in the security domain.

The security authentication system is configured to activate a non-operational VPN and automatically bypass the VPN function during voice communication when attempting to access the intra-company information system 105 by executing an application in the client.

When the security authentication system is turned off, the information communication network in the enterprise can be blocked and connected to the public network. At this time, the security zones 521 and 541 disappear automatically.

Referring to FIG. 8, the MAC information 411b, the terminal code 411c, and the personal code 411d corresponding to the mOTK stored in the client terminal 101 are recorded in the database 410 of the central control system as the user information. have. The central control system 400 receives the encrypted authentication information from the client terminal 101 and verifies the validity of the authentication information by generating and comparing the mOTK based on the current time information with the database 410.

Referring to FIG. 10, when power is supplied to the client terminal 101, the user may perform local authentication on the client terminal 101 by inputting authentication information on the client terminal 101. . Such local authentication may be performed in an agent module installed in the wireless client terminal 101 such as a PC or a notebook, and the agent module may be operated before the operating system loading installed in the client terminal 101 so as to be local to the user. It is designed to perform authentication.

The connection management apparatus 120b of the client terminal 101 which has performed the local authentication transmits the authentication information to the central control system 400 to perform connection authentication for the intranet and the server 105 as described above. The central control system 400 reviewing the validity of the authentication information transmits predetermined connection authentication result data to the client terminal 101, and the security management device 120c of the client terminal 101 transmits the connection authentication result data. As a result, the operating system is controlled to load. As described above, in order to transmit authentication information to the central control system 400 and to receive connection authentication result data of the central control system 400, the client terminal 101 communicates with the central control system 400. And a security authentication system 121.

Through this network connection, the procedure of the method described above can be performed. The apparatus and tools described above are well known to those skilled in the computer hardware and software arts.

Although specific embodiments of the present invention have been described so far, various modifications are possible without departing from the scope of the present invention.

Therefore, the scope of the present invention should not be limited to the described embodiments, but should be determined not only by the scope of the following claims, but also by those equivalent to the scope of the claims.

100: wireless network diagram 101: mobile client
102: mobile client (internal network) 103: mobile client (external network)
105a: mobile server 105b: internal information system
107: internal wireless communication network 108: wireless access point
109: mobile communication network base station 121: security authentication system
121a: VPN management device 121b: access management device
121c: security management device 121d: application management device
122: VPN Gateway 400: Central Control System
402: authentication information management unit 403: user authentication control unit
404: transmission unit 410: database
411b: MAC information 411c: Terminal code
411d: personal code (number 4) 411g: hash value
510: mobile client processor 520: internal memory
521: internal memory security area 530: ROM
540: external memory 541: external memory security area
550: input and output interface 560: network interface

Claims (12)

A method of bi-directional authentication between a wireless AP and a mobile client, wherein the mobile client registers a cipher text or an image with the central control system in advance and uses the SSID registered in the mobile client to access the AP, and the central control system of the network to which the AP is connected. Sending a pre-registered cipher text or image to the mobile client,
The mobile client decrypts the received cipher text to verify the suitability of the network and then performs a VPN authentication procedure.
In the procedure and method for authenticating a client terminal connected to a predetermined internal wireless communication network,
When a client application wants to communicate using a VPN, a method of operating a security authentication system having a structure in which a VPN management device authenticates an application in which a predefined security code is inserted.
The method according to claim 2
Option to select whether to bypass VPN encryption / decryption during voice communication, and how to run VPN management device when running application with security code when VPN function is inactive.
When a wireless client using 3G, Wibro, WiFi, or the like accesses a mobile server or fails a predetermined number of passwords, the client terminal requests and confirms status information such as whether the terminal is lost to the central control system.
The method of claim 4,
A method of operating a security authentication system in which a lock function is released by providing a lock function of a mobile client when receiving a password more than a predetermined number of times and receiving authentication information for unlocking function transmitted from a central management device.
Maintaining a database (HID, SN. MAC) that records information about the user, such as personal code (HID), such as social security number, and unique terminal code (SN) and MAC for IP communication, Security authentication system including a mobile client that uses the hash value (mOTK) generated by a certain period (hours, days, weeks) as authentication information after creating a hash value after adding TimeStamp and Salt value.
The method according to claim 6
If the passwords match during the mOTK generation process, the VPN management device is started to transmit the generated mOTK information to the central control system through the VPN gateway, and the central control system determines whether the transmitted information corresponds to the user information, and the authentication is performed. Method of operation of security authentication system to judge the validity of information.
The mobile client includes a step of receiving authentication and media control authority setting value from the central control system, and if the security requirements such as the installation of the mandatory designation program and normal operation in the mobile client are satisfied,
It includes the functions of checking the media control authority granted to the mobile client or user, granting the mobile client permission to use WiFi, Bluetooth, Wibro, Camera, Mic and other I / O devices, and transmitting the application results back to the central control system. Operation method of security authentication system
A method of encrypting the memory security area of a client with a block cipher algorithm and granting the security area so that the file stored in the memory is not visible and the method of operating the security authentication system to temporarily release the security area when certain requirements such as VPN operation are satisfied.
The method according to claim 9
A method of operating a security authentication system that stores data transmitted for work in a secure area on memory and calls stored data when certain requirements are met.
If the mobile client is connected to the output device via wired or wireless connection and outputs the related contents, it saves and sends the user, time, output location, title and contents of the output as a log, and automatically saves the related log in case of transmission failure. Operation method of security authentication system to retransmit when state is restored
The client terminal includes an agent module for performing communication for connection authentication with the central control system before operating the operating system, and the agent module receives the connection authentication result data from the user authentication controller to operate the client terminal. A method of operating a central control system, characterized in that to control the booting (system) is performed.

Images