Method and apparatus for user equipment to access a target device

By receiving and using the target device's certificate information for authentication, the user device can securely and efficiently access the target device, solving the problems of insecure and inefficient access processes in existing technologies.

CN122162409APending Publication Date: 2026-06-05SAMSUNG ELECTRONICS CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SAMSUNG ELECTRONICS CO LTD
Filing Date
2024-10-25
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing security systems lack effective authentication mechanisms when user devices connect to target devices, resulting in insecure and inefficient access processes.

Method used

The user equipment (UE) receives the certificate associated with the target device, including the public key of the third-party server, the status information of the target device, and the status information of the access document, executes the access process, and uses the processor to perform authentication and control of the access process.

Benefits of technology

It improves the security and efficiency of user equipment accessing target devices and reduces the time required for the access process.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122162409A_ABST
    Figure CN122162409A_ABST
Patent Text Reader

Abstract

Various embodiments of the present disclosure relate to a method and apparatus for a user equipment to access a target device. According to one embodiment of the present disclosure, a method performed by a user equipment to access a target device can include receiving, from a first server associated with the user equipment, a certificate of a third server associated with the target device, the certificate including a public key of the third server, state information of the target device, state information of an access document, and a signature of a second server that issued the access document; and performing an access procedure for the target device based on the state information of the target device and the state information of the access document included in the certificate of the third server.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] Various embodiments of this disclosure relate to methods and apparatus for user equipment to access target equipment. Background Technology

[0002] Facilities or equipment requiring security need secure systems to manage users attempting to access the premises and determine whether such access is permitted. Such systems are widely used in facilities with high security requirements, such as airports, ports, and laboratories, as well as in general facilities such as offices, residential buildings, and subways. Furthermore, these security systems can be used to define restricted areas by separating specific spaces. For example, specific areas controlled by the security system can be established, and user-related data, such as the duration of a user's stay in specific locations within the established area, can be acquired for user behavior analysis.

[0003] Meanwhile, with recent advancements in communication technology, various types of short-range communication technologies have emerged. Short-range wireless communication refers to technologies used for performing short-range communication, and includes Near Field Communication (NFC), WLAN (Wi-Fi), Zigbee, Infrared Data Association (IrDA) communication, Wi-Fi Direct (WFD) communication, Ant+ communication, ultrasonic communication, and Ultra-Wideband (UWB) communication. This type of short-range communication can be utilized through integration, combination, and / or application with technologies in various fields, such as security systems. Summary of the Invention

[0004] Various embodiments of this disclosure provide methods and apparatus for user equipment to access target equipment.

[0005] The technical problems to be solved by this disclosure are not limited to those described above, and those skilled in the art will clearly understand from the following description other technical problems not mentioned.

[0006] Solution to the problem

[0007] According to embodiments of this disclosure, a method for a user equipment to access a target device may include: receiving from a first server associated with the user equipment a certificate of a third server associated with the target device, the certificate including a public key of the third server, status information of the target device, status information of an access document, and a signature of a second server that issued the access document; and performing an access procedure for the target device based on the status information of the target device and the status information of the access document included in the certificate of the third server.

[0008] According to one embodiment of this disclosure, a user equipment for accessing the target device may include: a communication circuit; and at least one processor operatively connected to the communication circuit, wherein the at least one processor is configured to: receive from a first server associated with the user equipment a certificate of a third server associated with the target device, the certificate including a public key of the third server, status information of the target device, status information of an access document, and a signature of a second server that issued the access document; and execute an access procedure for the target device based on the status information of the target device and the status information of the access document included in the certificate of the third server.

[0009] [Beneficial effects of the invention]

[0010] According to embodiments of this disclosure, the user equipment can guarantee storage space.

[0011] Furthermore, according to embodiments of this disclosure, the time required for the access process between the reader device 109 and the user equipment 101 can be reduced.

[0012] The effects that can be obtained by this disclosure are not limited to those described above, and those skilled in the art to which this disclosure pertains will clearly understand other effects not mentioned through the following description. Attached Figure Description

[0013] Figure 1 This is a block diagram of an electronic device according to an embodiment of the present disclosure.

[0014] Figure 2 This is a diagram illustrating a system according to an embodiment of the present disclosure.

[0015] Figure 3a This is a diagram illustrating a configuration method for a user equipment to access a target device according to an embodiment of the present disclosure.

[0016] Figure 3b This is a diagram illustrating a configuration method for a user equipment to access a target device according to another embodiment of the present disclosure.

[0017] Figure 4a This is a diagram illustrating a method for a user equipment to access a target device according to an embodiment of the present disclosure.

[0018] Figure 4b This is a diagram illustrating a method for a user equipment to access a target device according to another embodiment of the present disclosure.

[0019] Figure 5 This is a diagram illustrating reader status information and access document status information according to an embodiment of the present disclosure.

[0020] Figure 6This is a diagram illustrating the payload of the 0th authentication response according to an embodiment of the present disclosure.

[0021] Figure 7a This is a diagram illustrating a method for a user equipment to access a target device when an online target device becomes an offline target device, according to an embodiment of the present disclosure.

[0022] Figure 7b This is a diagram illustrating a method for a user equipment to access a target device when an online target device becomes an offline target device, according to another embodiment of this disclosure.

[0023] Figure 8a This is a diagram illustrating a method for a user equipment to access a target device when an offline target device becomes an online target device, according to an embodiment of the present disclosure.

[0024] Figure 8b This is a diagram illustrating a method for a user equipment to access a target device when an offline target device becomes an online target device, according to another embodiment of this disclosure.

[0025] Figure 9a This is a diagram illustrating a method for updating access documents according to an embodiment of this disclosure.

[0026] Figure 9b This is a diagram illustrating a method for updating access documents according to another embodiment of this disclosure.

[0027] Figure 10 This is a diagram illustrating an operation method of a user equipment according to an embodiment of the present disclosure.

[0028] Figure 11 This is a diagram illustrating the configuration of a user equipment according to an embodiment of the present disclosure.

[0029] Figures 12 to 17 This is a diagram illustrating a method for storing certificates required for various entities according to an embodiment. Detailed Implementation

[0030] According to embodiments of this disclosure, a method for a user equipment to access a target device may include: receiving from a first server associated with the user equipment a certificate of a third server associated with the target device, the certificate including the third server's public key, the target device's status information, the access document's status information, and a signature of a second server configured to issue the access document; and performing an access procedure for the target device based on the target device's status information and the access document's status information included in the third server's certificate.

[0031] In an embodiment, executing the access process for the target device may include: receiving a 0th authentication command from the target device including the target device's temporary public key and ID; sending a 0th authentication response to the target device including the user device's temporary public key, the target device's status information, and the access document's status information; receiving a first authentication command from the target device including the target device's signature and the target device's certificate; and sending a first authentication response to the target device including a signature signed with the user device's private key.

[0032] In this embodiment, the status information of the target device may include information about whether the target device and the third server are communicating with each other.

[0033] In this embodiment, the status information of the access document may include information about whether the access document has been transmitted to a third server.

[0034] In an embodiment, the method may further include: upon receiving target device status information including information indicating that the target device is an offline device and access document status information including information indicating that the access document has not been transmitted to the third server from the first server, sending a message for requesting an access document to the second server; and receiving a response message including the access document from the second server.

[0035] In an embodiment, the method may further include: performing an access process for the target device based on an access document.

[0036] In an embodiment, the method may further include: receiving an updated access document or information required to update the access document and the ID of the target device from a second server; and updating the access document.

[0037] In an embodiment, the method may further include: upon receiving target device status information including information indicating that the target device is an online device and access document status information including information indicating that the access document has been transmitted to a third server from a first server, deleting the access document; and sending a message including information indicating that the access document has been deleted to a second server.

[0038] In an embodiment, the method may further include: performing an access process for the target device based on target device status information including information indicating that the target device is an online device and access document status information including information indicating that the access document has been transmitted to a third server.

[0039] According to embodiments of this disclosure, a user equipment for accessing a target device may include: a communication circuit; and at least one processor operatively connected to the communication circuit, wherein the at least one processor is configured to receive from a first server associated with the user equipment a certificate of a third server associated with the target device, the certificate including a public key of the third server, status information of the target device, status information of an access document, and a signature of a second server configured to issue an access document, and to perform an access procedure for the target device based on the status information of the target device and the status information of the access document, the status information being included in the certificate of the third server.

[0040] In an embodiment, at least one processor may be configured to receive a 0th authentication command from a target device including a temporary public key and an ID of the target device, send a 0th authentication response to the target device including a temporary public key of a user device, status information of the target device, and status information of an access document, receive a first authentication command from the target device including a signature of the target device and a certificate of the target device, and send a first authentication response to the target device including a signature signed with the private key of the user device.

[0041] In this embodiment, the status information of the target device may include information about whether the target device and the third server are communicating with each other.

[0042] In this embodiment, the status information of the access document may include information about whether the access document has been transmitted to a third server.

[0043] In an embodiment, at least one processor may also be configured to send a message requesting an access document to a second server and receive a response message including the access document from the second server upon receiving target device status information including information indicating that the target device is an offline device and access document status information including information indicating that the access document has not been transmitted to the third server.

[0044] In an embodiment, at least one processor may also be configured to execute an access process for a target device based on an access document.

[0045] In an embodiment, at least one processor may also be configured to receive an updated access document or information required to update the access document and the ID of the target device from a second server, and update the access document.

[0046] In an embodiment, at least one processor may also be configured to delete an access document and send a message to a second server containing information indicating that the access document has been deleted, upon receiving target device status information including information indicating that the target device is an online device and access document status information including information indicating that the access document has been transmitted to a third server from a first server.

[0047] In an embodiment, at least one processor may also be configured to execute an access process for the target device based on target device status information including information indicating that the target device is an online device and access document status information including information indicating that the access document has been transmitted to a third server.

[0048] The embodiments of this disclosure will now be described in detail with reference to the accompanying drawings.

[0049] In describing the embodiments, descriptions of technical content that is well-known in the art to which this disclosure pertains and is not directly related to this disclosure will be omitted. This is to more clearly convey the spirit of this disclosure without obscuring it through unnecessary explanation.

[0050] For the same reason, some components are exaggerated, omitted, or shown schematically in the accompanying drawings. Furthermore, the dimensions of each component do not perfectly reflect its actual size. In the drawings, identical or corresponding components are indicated by the same reference numerals.

[0051] Figure 1 It is a block diagram of electronic devices in a network environment.

[0052] Figure 1 This is a block diagram of an electronic device 101 in a network environment 100 according to an embodiment.

[0053] Reference Figure 1 In network environment 100, electronic device 101 can communicate with electronic device 102 via a first network 198 (e.g., a short-range wireless communication network), or with at least one of electronic device 104 or server 108 via a second network 199 (e.g., a long-range wireless communication network). According to an embodiment, electronic device 101 can communicate with electronic device 104 via server 108. According to an embodiment, electronic device 101 may include a processor 120, memory 130, input module 150, sound output module 155, display module 160, audio module 170, sensor module 176, interface 177, connection terminal 178, haptic module 179, camera module 180, power management module 188, battery 189, communication module 190, user identification module 196, or antenna module 197. In some embodiments, at least one component of electronic device 101 (e.g., connection terminal 178) may be omitted, or one or more other components may be added to electronic device 101. In some embodiments, some of the components (e.g., sensor module 176, camera module 180, or antenna module 197) may be integrated into a single component (e.g., display module 160).

[0054] Processor 120 may execute, for example, software (e.g., program 140) to control at least one other component (e.g., hardware or software component) of electronic device 101 coupled to processor 120, and may perform various data processing or calculations. According to one embodiment, as at least part of data processing or calculation, processor 120 may store commands or data received from another component (e.g., sensor module 176 or communication module 190) in volatile memory 132, process the commands or data stored in volatile memory 132, and store the resulting data in non-volatile memory 134. According to embodiments, processor 120 may include a main processor 121 (e.g., a central processing unit (CPU) or application processor (AP)) or an auxiliary processor 123 (e.g., a graphics processing unit, neural processing unit (NPU), image signal processor, sensor central processor, or communication processor), which may operate independently of or in conjunction with the main processor 121. For example, when electronic device 101 includes a main processor 121 and an auxiliary processor 123, the auxiliary processor 123 may be adapted to consume less power than the main processor 121, or be dedicated to a specific function. The auxiliary processor 123 may be implemented separately from the main processor 121 or as part of the main processor 121.

[0055] The auxiliary processor 123 may control at least some functions or states associated with at least one component of the electronic device 101 (e.g., display module 160, sensor module 176, or communication module 190) in place of the main processor 121 when the main processor 121 is inactive (e.g., in a sleep state), or control them together with the main processor 121 when the main processor 121 is active (e.g., executing an application). According to embodiments, the auxiliary processor 123 (e.g., an image signal processor or a communication processor) may be implemented as part of another component (e.g., camera module 180 or communication module 190) associated with the functionality of the auxiliary processor 123. According to embodiments, the auxiliary processor 123 (e.g., a neural processing unit) may include hardware structures dedicated to processing artificial intelligence models. Artificial models may be generated through machine learning. For example, this learning may be performed by the electronic device 101 itself performing artificial intelligence, or via a separate server (e.g., server 108). The learning algorithm may include, for example, supervised learning, unsupervised learning, semi-supervised learning, or reinforcement learning, but is not limited to the examples above. The artificial intelligence model may include multiple layers of artificial neural networks. Artificial neural networks can be deep neural networks (DNNs), convolutional neural networks (CNNs), recurrent neural networks (RNNs), restricted Boltzmann machines (RBMs), deep belief networks (DBNs), bidirectional recurrent deep neural networks (BRDNNs), deep Q-networks, and combinations of two or more of these, but are not limited to the examples above. Additionally or alternatively, artificial intelligence models may include software structures in addition to hardware structures.

[0056] Memory 130 may store various data used by at least one component of electronic device 101 (e.g., processor 120 or sensor module 176). The data may include, for example, input or output data of software (e.g., program 140) and associated commands. Memory 130 may include volatile memory 132 or non-volatile memory 134.

[0057] Program 140 may be stored as software in memory 130 and may include, for example, an operating system (OS) 142, middleware 144, or application 146.

[0058] Input module 150 can receive commands or data used by another component of electronic device 101 (e.g., processor 120) from outside electronic device 101 (e.g., a user). Input module 150 may include, for example, a microphone, mouse, keyboard, keys (e.g., buttons), or digital pen (e.g., stylus).

[0059] The audio output module 155 can output audio signals to the outside of the electronic device 101. The audio output module 155 may include, for example, a speaker or a receiver. The speaker can be used for general purposes, such as playing multimedia or playing records. The receiver can be used to receive incoming calls. According to an embodiment, the receiver may be implemented separately from the speaker or as part of the speaker.

[0060] Display module 160 can visually provide information to the outside of electronic device 101 (e.g., to a user). Display module 160 may include, for example, a display, a holographic device, or a projector, and control circuitry for controlling a respective one of the display, holographic device, and projector. According to an embodiment, display module 160 may include a touch sensor adapted to detect touch, or a pressure sensor adapted to measure the intensity of the force generated by touch.

[0061] Audio module 170 can convert sound into electrical signals and vice versa. According to an embodiment, audio module 170 can obtain sound via input module 150, or output sound via sound output module 155 or via an external electronic device (e.g., electronic device 102 (e.g., speaker or headphones)) directly or wirelessly coupled to electronic device 101.

[0062] Sensor module 176 can detect the operating state of electronic device 101 (e.g., power or temperature) or the environmental state outside electronic device 101 (e.g., user state), and then generate an electrical signal or data value corresponding to the detected state. According to embodiments, sensor module 176 may include, for example, a gesture sensor, gyroscope sensor, barometric pressure sensor, magnetic sensor, accelerometer, grip sensor, proximity sensor, color sensor, infrared (IR) sensor, biometric sensor, temperature sensor, humidity sensor, or illuminance sensor.

[0063] Interface 177 may support one or more specified protocols for direct or wireless coupling of electronic device 101 to external electronic device (e.g., electronic device 102). According to embodiments, interface 177 may include, for example, a High Definition Multimedia Interface (HDMI), a Universal Serial Bus (USB) interface, a Secure Digital (SD) card interface, or an audio interface.

[0064] Connection terminal 178 may include a connector via which electronic device 101 can be physically connected to an external electronic device (e.g., electronic device 102). According to an embodiment, connection terminal 178 may include, for example, an HDMI connector, a USB connector, an SD card connector, or an audio connector (e.g., a headphone connector).

[0065] The tactile module 179 can convert electrical signals into mechanical stimuli (e.g., vibration or movement) or electrical stimuli that can be recognized by a user through their tactile or kinesthetic perception. According to embodiments, the tactile module 179 may include, for example, a motor, a piezoelectric element, or an electrical stimulator.

[0066] Camera module 180 can capture still images or moving images. According to an embodiment, camera module 180 may include one or more lenses, an image sensor, an image signal processor, or a flash.

[0067] The power management module 188 manages the power supplied to the electronic device 101. According to an embodiment, the power management module 188 may be implemented as at least part of, for example, a power management integrated circuit (PMIC).

[0068] Battery 189 can provide power to at least one component of electronic device 101. According to embodiments, battery 189 may include, for example, a non-rechargeable primary battery, a rechargeable secondary battery, or a fuel cell.

[0069] Communication module 190 can support the establishment of a direct (e.g., wired) or wireless communication channel between electronic device 101 and external electronic devices (e.g., electronic device 102, electronic device 104, or server 108) and perform communication via the established communication channel. Communication module 190 may include one or more communication processors, which may operate independently of processor 120 (e.g., application processor (AP)) and support direct (e.g., wired) or wireless communication. According to embodiments, communication module 190 may include wireless communication module 192 (e.g., cellular communication module, short-range wireless communication module, or Global Navigation Satellite System (GNSS) communication module) or wired communication module 194 (e.g., local area network (LAN) communication module or power line communication (PLC) module). One of these communication modules can communicate with an external electronic device 104 via a first network 198 (e.g., a short-range communication network such as Bluetooth™, Wi-Fi Direct, or Infrared Data Association (IrDA)) or a second network 199 (e.g., a long-range communication network such as a traditional cellular network, 5G network, next-generation communication network, the Internet, or a computer network (e.g., a LAN or a wide area network (WAN))). These various types of communication modules can be incorporated into a single component (e.g., a single chip) or can be implemented as multiple components separate from each other (e.g., multiple chips). The wireless communication module 192 can use user information (e.g., an International Mobile Subscriber Identity (IMSI)) stored in the user identification module 196 to identify or authenticate the electronic device 101 in the communication network (such as the first network 198 or the second network 199).

[0070] Wireless communication module 192 can support 5G networks after 4G networks and next-generation communication technologies, such as New Radio (NR) access technology. NR access technology can support high-speed transmission of large amounts of data (enhanced mobile broadband (eMBB)), minimized terminal power consumption and multi-terminal access (massive machine-type communication (mMTC)) or ultra-reliable low-latency communication (URLLC). Wireless communication module 192 can support high-frequency bands (e.g., millimeter-wave bands) to achieve, for example, high data transmission rates. Wireless communication module 192 can support various technologies used to ensure high-frequency band performance, such as beamforming, massive MIMO, full-dimensional MIMO (FD-MIMO), array antennas, analog beamforming, or massive antennas. Wireless communication module 192 can support various requirements specified in electronic device 101, external electronic device (e.g., electronic device 104), or network system (e.g., second network 199). According to an embodiment, the wireless communication module 192 may support peak data rates (e.g., 20 Gbps or higher) for implementing eMBB, loss coverage (e.g., 164 dB or lower) for implementing mMTC, or U-plane latency (e.g., 0.5 ms or lower for each of the downlink (DL) and uplink (UL), or 1 ms or lower for round trip) for implementing URLLC.

[0071] Antenna module 197 can transmit or receive signals or power to or from the exterior of electronic device 101 (e.g., external electronic device). According to an embodiment, antenna module 197 may include an antenna comprising a radiating element, the radiating element comprising a conductive material or conductive pattern formed on a substrate (e.g., PCB). According to an embodiment, antenna module 197 may include multiple antennas (e.g., an array antenna). In this case, for example, communication module 190 may select at least one antenna from the multiple antennas suitable for a communication scheme used in a communication network (such as a first network 198 or a second network 199). Signals or power can be transmitted or received between communication module 190 and external electronic device via the selected at least one antenna. According to an embodiment, another component besides the radiating element (e.g., a radio frequency integrated circuit (RFIC)) may be additionally incorporated into antenna module 197. According to an embodiment, antenna module 197 may form a millimeter-wave antenna module. According to an embodiment, a millimeter-wave antenna module may include a printed circuit board, an RFIC disposed on or adjacent to a first surface (e.g., the lower surface) of the printed circuit board and capable of supporting a specified high frequency band (e.g., millimeter-wave band), and a plurality of antennas (e.g., array antennas) disposed on or adjacent to a second surface (e.g., the upper surface or the side surface) of the printed circuit board and capable of transmitting or receiving signals of a specified high frequency band.

[0072] At least some of the aforementioned components may be coupled to each other and transmit signals (e.g., commands or data) therebetween via peripheral communication schemes (e.g., bus, general purpose input / output (GPIO), serial peripheral interface (SPI), or mobile industry processor interface (MIPI)).

[0073] According to an embodiment, commands or data can be sent or received between electronic device 101 and external electronic device 104 via server 108 coupled to a second network 199. Each of the external electronic devices 102 or 104 can be a device of the same or different type as electronic device 101. According to an embodiment, all or some of the operations performed at electronic device 101 can be performed at one or more external electronic devices 102, 104, or 108. For example, if electronic device 101 is required to automatically or in response to a request from a user or another device to perform a function or service, electronic device 101 may perform the function or service in lieu of performing the function or service, or request one or more external electronic devices to perform at least a portion of the function or service in addition to performing the function or service. One or more external electronic devices receiving the request may perform at least a portion of the requested function or service or additional functions or services associated with the request, and transmit the execution result to electronic device 101. Electronic device 101 may provide the result as at least part of a response to the request, with or without further processing. For this purpose, cloud computing, distributed computing, mobile edge computing (MEC), or client-server computing technologies may be used, for example. Electronic device 101 can provide ultra-low latency services using, for example, distributed computing or mobile edge computing. In another embodiment, external electronic device 104 may include Internet of Things (IoT) devices. Server 108 may be an intelligent server using machine learning and / or neural networks. According to embodiments, external electronic device 104 or server 108 may be included in a second network 199. Electronic device 101 can be applied to intelligent services (e.g., smart homes, smart cities, smart cars, or healthcare) based on 5G communication technology or IoT-related technologies.

[0074] The electronic devices described in the various embodiments herein can be one of a variety of types of electronic devices. Electronic devices may include, for example, portable communication devices (e.g., smartphones), computer devices, portable multimedia devices, portable medical devices, cameras, wearable devices, or home appliances. The electronic devices according to embodiments of this disclosure are not limited to the devices described above.

[0075] It should be understood that the embodiments and the terminology used herein are not intended to limit the technical features set forth herein to the particular embodiments, and this disclosure includes various changes, equivalents, or alternatives to the corresponding embodiments. Regarding the description of the drawings, similar reference numerals may be used to designate similar or related elements. Unless the relevant context clearly indicates otherwise, the singular form of a noun corresponding to an item may include one or more of the items. As used herein, each phrase such as “A or B,” “at least one of A and B,” “at least one of A or B,” “A, B, or C,” “at least one of A, B, and C,” and “at least one of A, B, or C” may include all possible combinations of the items listed together in the corresponding one of the phrases. Terms such as “first,” “second,” “the first,” and “the second” may be used simply to distinguish the corresponding element from another element and do not limit the elements in other ways (e.g., in terms of importance or order). If an element (e.g., the first element) is referred to as being “coupled,” “coupled to,” “connected,” or “connected to” another element (e.g., the second element), whether or not it is accompanied by the terms “operationally” or “communically”, it means that the element can be coupled / connected to the other element directly (e.g., wired), wirelessly, or via a third element.

[0076] As used in the various embodiments of this disclosure, the term "module" may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with other terms (e.g., "logic," "logic block," "component," or "circuit"). A "module" may be a single integrated component or its smallest unit or portion adapted to perform one or more functions. For example, according to an embodiment, a "module" may be implemented in the form of an application-specific integrated circuit (ASIC).

[0077] The various embodiments described herein can be implemented as software (e.g., program 140), which includes one or more instructions stored in a machine-readable storage medium (e.g., internal memory 136 or external memory 138). For example, a processor (e.g., processor 120) of the machine (e.g., electronic device 101) can invoke and execute at least one of the stored instructions from the storage medium. This allows the machine to operate according to the invoked at least one instruction to perform at least one function. One or more instructions may include code generated by a compiler or code executable by an interpreter. The machine-readable storage medium may be provided in the form of a non-transitory storage medium. In this document, the term "non-transitory" simply means that the storage medium is a tangible device and does not include signals (e.g., electromagnetic waves), but the term does not distinguish between a location where data is semi-permanently stored in the storage medium and a location where data is temporarily stored in the storage medium.

[0078] According to embodiments, methods according to various embodiments of this disclosure may be included in and provided in a computer program product. The computer program product may be traded as a product between a seller and a buyer. The computer program product may be distributed in the form of a machine-readable storage medium (e.g., an optical disc read-only memory (CD-ROM)), or distributed online via an app store (e.g., the Play Store™), or directly between two user devices (e.g., smartphones). If distributed online, at least a portion of the computer program product may be temporarily generated or at least temporarily stored in a machine-readable storage medium, such as the memory of a manufacturer's server, an app store's server, or a relay server.

[0079] According to various embodiments, each of the above components (e.g., a module or program) may include a single entity or multiple entities, and some of the multiple entities may be separately located in another element. According to various embodiments, one or more of the above components or operations may be omitted, or one or more other components or operations may be added. Alternatively or additionally, multiple components (e.g., modules or programs) may be integrated into a single component. In this case, according to various embodiments, the integrated component may still perform one or more functions of each of the multiple components in the same or similar manner as performed by the corresponding components of the multiple components prior to integration. According to various embodiments, operations performed by a module, program, or other element may be performed sequentially, in parallel, repeatedly, or heuristically, or one or more operations may be performed in a different order or omitted, or one or more other operations may be added.

[0080] Figure 2 This is a diagram illustrating a system according to an embodiment.

[0081] Reference Figure 2 The document discloses user equipment 101, original equipment manufacturer (OEM) server 103, credential issuer server 105, reader system issuer / platform server 107, and target device 109-1 or 109-2 to be accessed by user equipment 101.

[0082] User equipment 101 may include, but is not limited to, personalized mobile devices and may include various types of user equipment. For example, user equipment 101 may include smartphones, tablet PCs, PCs, cameras, wearable devices, etc. In embodiments, user equipment 101 may generate information for controlling and accessing target devices 109-1 or 109-2, or receive information from external devices. User equipment 101 stores endpoint public and private keys used for authentication in a secure element (SE) that serves as a secure area. In embodiments, the SE may include an applet running within the SE. In this case, the endpoint public and private keys may be stored in the applet. Furthermore, in embodiments, user equipment 101 may store information related to the device OEM server 103.

[0083] In this embodiment, user equipment 101 can perform operations to generate a digital private key for target device 109-1 or 109-2 within a predetermined distance via short-range communication. For example, when target device 109-1 or 109-2 is a gate system or lock 109-1, user 1 can attempt to access the gate system or lock 109-1 based on information stored in user equipment 101. In this case, the gate system or lock 109-1 can perform authentication for user equipment 101 and allow access based on the authentication result. User equipment 101, having been granted access, can then access the gate system or lock 109-1, allowing user 1 to open or close the lock 109-1. Furthermore, when the target device is vehicle 109-2, user 1 can attempt to access vehicle 109-2 based on information stored in user equipment 101. In this case, vehicle 109-2 can perform authentication for user equipment 101 and allow access based on the authentication result. The user equipment 101, which is allowed to access the vehicle 109-2, can then control the vehicle. For example, the user can open or close the doors, start the vehicle, and control various functions installed in the vehicle. However, this is merely an example, and the user equipment 101 is not limited to this; it can access various target devices 109-1 and 109-2.

[0084] Device OEM server 103 is a server associated with user device 101 and stores device OEM public and private keys used for authentication. In an embodiment, device OEM server 103 may be a server provided by the manufacturer of user device 101. When device OEM server 103 is a server provided by the manufacturer of user device 101, information associated with device OEM server 103 may be stored in user device 101 and shipped from the factory. However, this is merely an example, and device OEM server 103 is not limited thereto, and may be a server provided by another entity (e.g., a third party) other than the manufacturer of user device 101.

[0085] The credential issuer server 105 is a server used to issue credentials for accessing target devices 109-1 or 109-2, and stores the credential issuer public key and credential issuer private key used for authentication. In an embodiment, the credential issuer server 105 can issue an access document that includes information required to verify the signature of user equipment 101 and determine whether access is permitted.

[0086] In this embodiment, the credential issuer server 105 may be a server of a service provider that provides services using the target device. For example, when the target device 109-1 or 109-2 is a door lock attached to a hotel room door, the credential issuer server 105 may be a server operated by the hotel. In this case, the hotel can issue credentials that only allow authenticated guests to access the door lock. However, this is merely an example, and the credential issuer server 105 is not limited to this, and may be a server operated by a service provider offering various services.

[0087] The reader system issuer / platform server 107 is a server that manages the target device 109-1 or 109-2 and stores the reader system issuer public key and reader system issuer private key used for authentication. In an embodiment, the reader system issuer / platform server 107 may be a server provided by the manufacturer of the target device 109-1 or 109-2. When the reader system issuer / platform server 107 is a server provided by the manufacturer of the target device 109-1 or 109-2, the information associated with the reader system issuer / platform server 107 may be stored in the target device 109-1 or 109-2 and shipped from the factory. However, this is merely an example, and the reader system issuer / platform server 107 is not limited to this, and may be a server provided by another entity (e.g., a third party) other than the manufacturer of the target device 109-1 or 109-2.

[0088] Target device 109-1 or 109-2 is the device accessed by user equipment 101, and stores a reader public key and a reader private key for authentication. User equipment 101 can determine whether to allow user equipment 101 to access through mutual authentication. In an embodiment, target device 109-1 or 109-2 can determine whether to allow user equipment 101 to access based on an access document issued by credential issuer server 105. In this disclosure, target device 109-1 or 109-2 may also be referred to as a reader device for reading access documents.

[0089] Figure 2 The embodiments shown are merely examples, and the scope of this disclosure is not limited thereto. Figure 2 The content limitations are shown. For example, there may be content other than... Figure 1Various target devices other than target devices 109-1 and 109-2 shown, and can perform operations according to the characteristics of each target device.

[0090] The following will describe the operation method in more detail.

[0091] Figure 3a This is a diagram illustrating the configuration process of a user equipment accessing a target device according to an embodiment of the present disclosure.

[0092] Reference Figure 3a Each entity can pre-store the certificates required for the configuration process. In this embodiment, user equipment 101 can store endpoint certificate 1001-1 and device OEM certificate 1002-1. Device OEM server 103 can store credential issuer certificate 1003, and credential issuer 105 can store device OEM certificate 1002-1 and reader system issuer certificate 1005. Furthermore, reader system issuer / platform server 107 can store reader certificate 1006, and reader 109 can store credential issuer certificate 1007 and reader system issuer certificate 1007.

[0093] In operation 301-1, user equipment 101 sends endpoint certificate 1001-1 to device OEM server 103. In an embodiment, endpoint certificate 1001-1 may include an endpoint public key and a device OEM signature signed with the private key of device OEM server 103. In an embodiment, user equipment 101 may store information related to the device OEM signature prior to operation 301-1. For example, when device OEM server 103 is a server provided by the manufacturer of user equipment 101, the private key, device OEM signature, or endpoint certificate of device OEM server 103 may be stored in user equipment 101 at the time of manufacture.

[0094] The device OEM server 103, which receives the endpoint certificate from user equipment 101, can perform verification of the received endpoint certificate using its public key. When the device OEM server 103 successfully verifies the endpoint certificate, it determines that the endpoint certificate is trustworthy.

[0095] In operation 303-1, the device OEM server 103 sends a credential issuer certificate to the user equipment 101. In this embodiment, the credential issuer certificate 1003 may include a credential issuer public key and a device OEM signature signed with the private key of the device OEM server 103. Upon receiving the credential issuer certificate 1003, the user equipment 101 can verify the credential issuer certificate 1003 using the device OEM public key included in the stored device OEM certificate 1002-1.

[0096] Subsequently, in operation 305, the device OEM server 103 sends the endpoint certificate 1001-1 received from the user equipment 101 in operation 301-1 to the credential issuer server 105. The credential issuer server 105 can perform verification of the endpoint certificate 1001-1 using the device OEM public key included in the stored device OEM certificate 1004-1.

[0097] In operation 307, the credential issuing server 105 may request target device status information from the reader system issuing / platform server 107. In this embodiment, the target device status information may be referred to as reader status information 1011.

[0098] Subsequently, in operation 309, the reader system issuer / platform server 107 may send reader status information 1011 to the credential issuer server 105 in response to a request from the credential issuer server 105. In an embodiment, the reader status information 1011 may include the ID of the reader device 109 and information indicating whether the reader device 109 corresponding to that ID is an online reader connected to the reader system issuer / platform server 107 or an offline reader not connected to the reader system issuer / platform server. In this case, the indication information may be represented as a bitmap. The bit corresponding to the reader device ID may be represented as 0 in the case of an online reader and as 1 in the case of an offline reader.

[0099] In operation 311, the credential issuer server 105 may send the access document corresponding to the reader device ID, along with the reader device ID, to the reader system issuer / platform server 107. In an embodiment, the credential issuer server 105 may send the access document 1012 based on the reader status information 1011 received in operation 309. When the reader device 109 is an online reader, i.e., when the bit indicating the reader status information is 0, the credential issuer server 105 may send the access document to the reader system issuer / platform server 107. In an embodiment, the access document may include information required to verify the signature of the user equipment 101 and determine whether access is permitted.

[0100] More specifically, the credential issuing server 105 can recognize the reader status information 1011 received in operation 309, and for reader devices indicated as online readers, send the access document corresponding to the reader device's ID along with the reader device's ID. In the case of offline readers, even if the credential issuing server 105 transmits the access document to the reader system issuing / platform server 107, the reader system issuing / platform server 107 cannot transmit the access document to the reader device. Therefore, the credential issuing server 105 can transmit the access document to the reader system issuing / platform server 107 only for reader devices indicated as online readers.

[0101] Subsequently, in operation 313, the credential issuer server 105 may send the reader system issuer certificate 1005 to the device OEM server 103. In this embodiment, the reader system issuer certificate 1005 may include the reader system issuer public key, reader status information 1011, access document status information, and credential issuer signature signed with the credential issuer private key.

[0102] In an embodiment, the access document status information may include information indicating whether the access document has been transmitted to the reader system issuer / platform server 107. In this case, the indication information may be represented as a bitmap. The bit corresponding to the reader device ID may be represented as 0, for example, when the access document has been transmitted to the reader system issuer / platform server 107, and as 1 when the access document has not been transmitted. In an embodiment, during operation 313, the bit of the access document status information included in the reader system issuer certificate 1005 may be represented as 1.

[0103] In an embodiment, the reader status information 1011 may include the ID of the reader device 109 and information indicating whether the reader device 109 corresponding to the ID is an online reader that is connected online or an offline reader that is not connected online.

[0104] The device OEM server 103 that receives the reader system issuer certificate 1005 can perform verification of the reader system issuer certificate 1005 by using the credential issuer public key included in the stored credential issuer certificate 1003.

[0105] In operation 315, the device OEM server 103 may send the reader system issuer certificate 1005 received in operation 313 to the user equipment 101. In an embodiment, the reader system issuer certificate 1005 may include the reader system issuer public key, reader status information 1011, access document status information, and a credential issuer signature signed with the credential issuer private key.

[0106] User equipment 101, having received reader system issuer certificate 1005, can perform verification of reader system issuer certificate 1005 using the credential issuer public key included in credential issuer certificate 1003 received in operation 303-1. User equipment 101 can store the received reader status information 1011 and access document status information included in reader system issuer certificate 1005 in a secure element (SE). In an embodiment, the SE may include an applet running within the SE. In this case, the reader status information 1011 and access document status information may be stored in the applet.

[0107] In operation 317, user equipment 101 may transmit reader status information 1011 and access document status information stored in the SE to a rich execution environment (REE). In an embodiment, the access document status information may be processed in the REE. Thereafter, user equipment 101 may attempt to access reader device 109. In an embodiment, the REE may include frames. Furthermore, the access document status information may be processed within frames included in the REE.

[0108] Operation 341 can be performed separately from or in parallel with operations 313 through 319. In operation 341, the reader system issuer / platform server 107 can send reader certificate 1006 to reader device 109. Reader certificate 1006 may include a reader public key and may include a reader system issuer signature signed with the reader system issuer's private key. Reader device 109, upon receiving reader certificate 1006, can verify reader certificate 1006 using the reader system issuer public key included in the stored reader system issuer certificate. When reader device 109 successfully verifies reader certificate 1006, reader device 109 determines that reader certificate 1006 is trustworthy.

[0109] In operation 351, reader device 109 may request access document 1012 from reader system issuer / platform server 107 along with the reader ID. In this embodiment, when reader device 109 and user device 101 perform an access procedure, reader device 109 may request access document 1012 from reader system issuer / platform server 107. Subsequently, in operation 353, in response to this request, reader system issuer / platform server 107 may send the access document to reader device 109. The access procedure between reader device 109 and user device 101 will be described in more detail below.

[0110] In one embodiment, the reader device 109 may store a credential issuer certificate 1007. The credential issuer certificate 1007 may be used in an embodiment where the access document itself (rather than access document status information) is stored in the user device 101, and it is related to... Figure 3a The embodiments shown are different. This will be described in more detail below.

[0111] The SE (Security Area) of User Equipment 101, serving as a secure zone, is a highly secure but limited storage space. According to an embodiment, the credential issuer server 105 transmits the access document 1012 to the reader system issuer / platform server 107 instead of directly to User Equipment 101. Subsequently, the reader system issuer / platform server 107 can transmit the access document to reader device 109 upon request, allowing reader device 109 to determine whether to allow User Equipment 101 to access based on the access document. Therefore, User Equipment 101 can ensure sufficient storage space for the SE by storing access status information rather than a relatively large access document. Furthermore, reader device 109 receives the access document in advance from the reader system issuer / platform server 107, thereby reducing the time required for the access process between reader device 109 and User Equipment 101.

[0112] Figure 3b This is a diagram illustrating a configuration method for a user equipment to access a target device according to another embodiment of the present disclosure.

[0113] The main focus will be on... Figure 3a The differences between the illustrated embodiments are described in this way. Figure 3b The embodiments shown are illustrated, and redundant descriptions will be omitted.

[0114] According to Figure 3b In the configuration method of the illustrated embodiment, the credential issuer server 105 stores an instance Certificate Authority (CA) certificate, which includes the instance CA public key and a credential issuer signature signed with the credential issuer's private key. Furthermore, endpoint certificates 1001-2 and device OEM certificates 1002-2 stored in user equipment 101 may each include an endpoint public key and a device OEM public key, and each may include an instance CA signature signed with the instance CA private key. Additionally, user equipment 101 may store endpoint public keys and endpoint private keys used for authentication in a small program. (Refer to...) Figures 12 to 17 Describe in detail the methods for storing the certificates required for each entity.

[0115] according to Figure 3b The illustrated embodiment, and Figure 3a The configuration methods shown differ. In operation 301-2, the device OEM server 103 first sends the credential issuer certificate to the user device 101, and in operation 303-2, the user device 101 sends the endpoint certificate 1001-1 to the device OEM server 103. In this case, the user device 101 can communicate with the device OEM server 103 through the frame.

[0116] In addition, during operation 317, user equipment 101 can transmit reader status information 1011 and access document status information stored in the frame to the applet.

[0117] Figure 4a This is a diagram illustrating a method for a user equipment to access a target device according to an embodiment of the present disclosure.

[0118] In operation 410-1, user equipment 101 can transmit reader status information 1011 and access document status information stored in the SE to a rich execution environment (REE). In an embodiment, the SE may include an applet running in the SE. In this case, the reader status information 1011 and access document status information may be stored in the applet, and the reader status information 1011 and access document status information stored in the applet may be transmitted from the applet to the REE. In an embodiment, the reader status information 1011 and access document status information may be processed in the REE. In an embodiment, the REE may include a frame. In this case, the reader status information 1011 and access document status information may be processed in a frame included in the REE.

[0119] Subsequently, when the user equipment attempts to access the reader device 109, in operation 420-1, the reader device 109 may send the 0th authentication command (AUTH0 cmd) including the reader temporary public key (reader.ePK) and the reader ID (Reader.ID) to the user equipment 101.

[0120] In operation 430-1, user equipment 101 may receive a 0th authentication command and, based on the endpoint public key stored in the SE and / or applet, transmit the endpoint temporary public key to the REE and / or framework, and the REE and / or framework may send a 0th authentication response (AUTH0 rsp) including the endpoint temporary public key, reader status information 1011, and access document status information to reader equipment 109.

[0121] Subsequently, in operation 440, reader device 109 can request access to document 1012 from reader system issuer / platform server 107, along with the reader ID. Operation 440 can be connected with... Figure 3a Operation 351 is the same. Operation 440 can be performed after the reader device 109 receives the 0th authentication response (AUTH0 rsp).

[0122] In operation 450-1, reader device 109 may send a first authentication command (AUTH1 cmd) including reader signature (reader.signature) and reader certificate (reader_cert) to user device 101.

[0123] Subsequently, in operation 460, reader device 109 may receive an access document from reader system issuer / platform server 107 in response to the request in operation 440. Operation 460 may be connected with... Figure 3a Operation 353 is the same. Operation 460 can be performed before the reader device 109 receives the first authentication response (AUTH0 rsp).

[0124] In operation 470-1, user equipment 101 may receive a first authentication command and transmit an endpoint signature, signed with the endpoint private key stored in the SE and / or applet, to the REE and / or framework, and the REE and / or framework may send a first authentication response (AUTH1 rsp) including the endpoint signature to reader device 109. Reader device 109 may verify user equipment 101 based on the access document and the endpoint signature.

[0125] According to an embodiment, the reader device 109 receives the access document from the reader system issuer / platform server 107 in advance during the access process between the reader device 109 and the user device 101, so that a separate access document transmission process does not need to be performed between the reader device 109 and the user device 101. Therefore, the time required for a separate access document transmission between the reader device 109 and the user device 101 can be reduced.

[0126] Figure 4b This is a diagram illustrating a method for a user equipment to access a target device according to another embodiment of the present disclosure.

[0127] The main focus will be on... Figure 4a The differences between the illustrated embodiments are described in this way. Figure 4b The embodiments shown are illustrated, and redundant descriptions will be omitted.

[0128] according to Figure 4b In the illustrated embodiment, during operation 410-2, user equipment 101 can transmit reader status information 1011 and access document status information stored in the frame to the applet. In this embodiment, the reader status information 1011 and access document status information can be processed within the applet.

[0129] In operation 420-2, reader device 109 may send a 0th authentication command (AUTH0 cmd) including the reader ID (Reader.ID) to the applet of user device 101. In operation 430-2, in response to the 0th authentication command (AUTH0 cmd), the applet of user device 101 may send a 0th authentication response (AUTH0 rsp) including reader status information 1011 and access document status information to reader device 109.

[0130] In operation 450-2, reader device 109 may send a first authentication command (AUTH1 cmd) including a reader signature (reader.signature) and a reader certificate (reader_cert) to the applet of user device 101. In operation 470-2, in response to the first authentication command (AUTH1 cmd), the applet of user device 101 may send a first authentication response (AUTH1 rsp) including an endpoint public key and an endpoint signature signed with the endpoint private key to reader device 109.

[0131] Figure 5 This is a diagram illustrating reader status information and access document status information according to an embodiment of the present disclosure.

[0132] Reference numeral 501 indicates reader status information, which may be 1 bit long and may be represented as 0 in the case of an online reader and as 1 in the case of an offline reader. Reader status information may be optional.

[0133] Reference numeral 502 illustrates access document status information, which may have a length of 1 bit and may be represented as 0 when the access document is transmitted to the reader system issuer / platform server 107, and as 1 when the access document is not transmitted. Access document status information may be optional.

[0134] Figure 6 This is a diagram illustrating the payload of the 0th authentication response according to an embodiment of the present disclosure.

[0135] The payload of the 0th authentication response may include reader status information and access document status information. Reference numeral 503 illustrates the payload of the 0th authentication response and includes: a description of the reader status information and access document status information included in the payload.

[0136] Figure 7a This is a diagram illustrating a method for a user equipment to access a target device when an online target device becomes an offline target device, according to an embodiment of the present disclosure.

[0137] Reference Figure 7a This describes a method for a user device to access the reader device 109 when the reader device 109 changes from an online reader that is connected to the reader system issuer / platform server 107 to an offline reader that is not connected online for any reason.

[0138] When reader device 109 changes from an online reader connected to reader system issuer / platform server 107 to an offline reader, in operation 710, reader system issuer / platform server 107 transmits reader status information 1011 to credential issuer server 105. In an embodiment, reader status information 1011 may include the ID of reader device 109 and information indicating whether the reader device 109 corresponding to that ID is an online reader connected to reader system issuer / platform server 107 or an offline reader. In this case, the indication information may be represented as a bitmap. The bit corresponding to the reader device ID may be represented as 0, for example, in the case of an online reader and 1 in the case of an offline reader. In operation 710, since reader device 109 has changed from an online reader connected to reader system issuer / platform server 107 to an offline reader, the bit corresponding to the reader device ID may be indicated as 0.

[0139] In operation 720, the credential issuer server 105 may send reader status information 1011 (bit value changes from 0 to 1) and access document status information (bit value changes from 0 to 1) to the device OEM server 103. In an embodiment, the access document status information may include information indicating whether an access document has been transmitted to the reader system issuer / platform server 107. In this case, the indication information may be represented as a bitmap. The bit corresponding to the reader device ID may be represented as 0, for example, when the access document has been transmitted to the reader system issuer / platform server 107, and as 1 when the access document has not been transmitted.

[0140] Subsequently, in operation 730, the device OEM server 103 can send the reader status information 1011, whose bit value changes from 0 to 1, and the access document status information, whose bit value changes from 0 to 1, received in operation 720, to the user equipment 101.

[0141] In operation 740, user equipment 101 may transmit reader status information 1011, access document status information, and credential issuer public key list (credential issuer PK list) stored in SE and / or applet to rich execution environment (REE) and / or framework.

[0142] Subsequently, in operation 750, user equipment 101 may send a message to credential issuer server 105 requesting an access document, and in operation 760, may receive a response message including the access document from credential issuer server 105. In an embodiment, the access document may include information required to verify the signature of user equipment 101 and determine whether access is permitted.

[0143] Afterwards, user equipment 101 may attempt to access reader device 109 based on the access document.

[0144] According to an embodiment, when reader device 109 changes from an online reader connected to reader system issuer / platform server 107 to an offline reader, user equipment 101 can request and receive an access document from credential issuer server 105. User equipment 101 can then perform an access procedure with reader device 109 based on the access document received from credential issuer server 105.

[0145] Figure 7b This is a diagram illustrating a method for a user equipment to access a target device when an online target device becomes an offline target device, according to another embodiment of this disclosure.

[0146] The main focus will be on... Figure 7a The differences between the illustrated embodiments are described in this way. Figure 7b The embodiments shown are illustrated, and redundant descriptions will be omitted.

[0147] According to Figure 7b In the method for a user equipment to access a target device in the illustrated embodiment, the credential issuer server 105 stores an instance certificate authority (CA) certificate, which includes the instance CA public key and a credential issuer signature signed with the credential issuer's private key. Furthermore, the endpoint certificate 1001-2 and the device OEM certificate 1002-2 stored in the user equipment 101 may each include an endpoint public key and a device OEM public key, and each may include an instance CA signature signed with the instance CA private key. Additionally, the user equipment 101 may store the endpoint public key and endpoint private key used for authentication in a small program. (Refer to...) Figures 12 to 17 Describe in detail the methods for storing the certificates required for each entity.

[0148] according to Figure 7b The illustrated embodiment, and Figure 7a The methods for user equipment to access the target device differ. In operation 731, user equipment 101 may send an access document request to the device OEM server 103. Alternatively, in operation 732, instead of user equipment 101 requesting an access document from the credential issuer server 105, the device OEM server 103 may send an access document request to the credential issuer server 105.

[0149] In operation 761, the credential issuing server 105 can send the access document to the applet of the user device 101.

[0150] In this scenario, user equipment 101 can communicate with device OEM server 103 via the framework and with credential issuer server 105 via a mini-program.

[0151] Figure 8a This is a diagram illustrating a method for a user equipment to access a target device when an offline target device becomes an online target device, according to an embodiment of the present disclosure.

[0152] When reader device 109, which was previously an offline reader not connected to the reader system issuer / platform server 107, becomes an online reader, in operation 810, the reader system issuer / platform server 107 transmits reader status information 1011 to the credential issuer server 105. In an embodiment, reader status information 1011 may be transmitted along with a bit value changing from 1 to 0.

[0153] In operation 820, the credential issuer server 105 may send the access document corresponding to the reader device ID, along with the reader device ID, to the reader system issuer / platform server 107. In an embodiment, the credential issuer server 105 may send the access document 1012 based on the reader status information 1011 received in operation 810. In an embodiment, the access document may include information required to verify the signature of the user equipment 101 and determine whether access is permitted.

[0154] In addition, during operation 830, the credential issuing server 105 can send reader status information 1011 (with bit value changing from 1 to 0) and access document status information (with bit value changing from 1 to 0) to the device OEM server 103.

[0155] Subsequently, in operation 840, the device OEM server 103 can send the reader status information 1011, whose bit value changes from 0 to 1, and the access document status information, whose bit value changes from 0 to 1, received in operation 830, to the user equipment 101.

[0156] In operation 850, user equipment 101 may transmit reader status information 1011 and access document status information stored in SE and / or applet to rich execution environment (REE) and / or framework.

[0157] Subsequently, in operation 860, user equipment 101 sends a message to credential issuer server 105 including information indicating that access documents that are no longer needed have been deleted.

[0158] Operation 870 can be performed separately from or in parallel with operations 820 through 860. In operation 870, the reader system issuer / platform server 107 can send reader certificate 1006 to reader device 109. Reader certificate 1006 may include the reader's public key and may include a reader system issuer signature signed with the reader system issuer's private key. Reader device 109, upon receiving reader certificate 1006, can verify reader certificate 1006 using the reader system issuer's public key included in the stored reader system issuer certificate. When reader device 109 successfully verifies reader certificate 1006, reader certificate 1006 determines that reader certificate 1006 is trustworthy. Operation 870 can be performed separately from or in parallel with operations 820 through 860. Figure 3a The operation is the same as 341.

[0159] In operation 891-1, reader device 109 may request access document 1012 from reader system issuer / platform server 107 along with the reader ID. In this embodiment, when reader device 109 and user equipment 101 perform an access procedure, reader device 109 may request access document 1012 from reader system issuer / platform server 107. Operation 891-1 can be combined with... Figure 4a Operation 440 and Figure 3a The operation is the same as 351. Subsequently, in operation 893-1, in response to the request, the reader system issuer / platform server 107 can send the access document to the reader device 109. The access process between the reader device 109 and the user equipment 101 will be described in more detail below. Operation 893-1 can be compared with... Figure 4a Operation 460 and Figure 3a The operation is the same as 353.

[0160] In an embodiment, Figure 8a The illustrated embodiments can be Figure 7a The illustrated embodiment will then be executed. That is, Figure 8a The illustrated embodiment can be executed when the reader device 109 has changed from an online reader to an offline reader and then back to an online reader.

[0161] According to an embodiment, when reader device 109 changes from an offline reader to an online reader, user device 101 can receive access document status information from credential issuer server 105 via device OEM server 103. In this case, user device 101 can save storage space by deleting stored access documents and perform access procedures with reader device 109 based on access document status information.

[0162] Figure 8b This is a diagram illustrating a method for a user equipment to access a target device when an offline target device becomes an online target device, according to another embodiment of this disclosure.

[0163] The main focus will be on... Figure 8a The differences between the illustrated embodiments are described in this way. Figure 8b The embodiments shown are illustrated, and redundant descriptions will be omitted.

[0164] according to Figure 8b The illustrated embodiment, and Figure 8a The methods for user equipment to access the target device are different. Instead of user equipment 101 sending information indicating that the access document has been deleted to credential issuer server 105, in operation 841, user equipment 101 may send a message including information indicating that the access document has been deleted to device OEM server 103, and in operation 842, device OEM server 103 may send a message including information indicating that the access document has been deleted to credential issuer server 105.

[0165] In this scenario, user equipment 101 can communicate with device OEM server 103 via a framework and with credential issuer server 105 via a mini-program.

[0166] Figure 9a This is a diagram illustrating a method for updating access documents according to an embodiment of this disclosure.

[0167] Reference Figure 9a When an access document needs to be updated, the credential issuing server 105 can perform the update by distinguishing between when the reader device 109 is an offline reader and when the reader device 109 is an online reader.

[0168] When reader device 109 is an offline reader, user equipment 101 may store the access document in a rich execution environment (REE) and / or frame, and attempt to access reader device 109 using the stored access document. Therefore, when reader device 109 is an offline reader, in operation 910, credential issuer server 105 may send the updated access document or information required to update the access document, along with the reader ID, to user equipment 101.

[0169] When reader device 109 is an online reader, user device 101 can store reader status information and access document status information, and use the stored reader status information and access document status information to attempt to access reader device 109. In this case, reader device 109 can receive an access document from reader system issuer / platform server 107 based on the reader status information and access document status information received from user device 101, and determine whether to allow user device 101 to access based on the access document. Therefore, when reader device 109 is an online reader, in operation 920, credential issuer server 105 can send the updated access document or the information required to update the access document, along with the reader ID, to reader system issuer / platform server 107. Reader system issuer / platform server 107 can send the updated access document to reader device 109 according to the request from reader device 109.

[0170] In this embodiment, operations 910 and 920 may be selectively performed depending on the state of the reader device.

[0171] Figure 9b This is a diagram illustrating a method for updating access documents according to another embodiment of this disclosure.

[0172] The main focus will be on... Figure 9a The differences between the illustrated embodiments are described in this way. Figure 9b The embodiments shown are illustrated, and redundant descriptions will be omitted.

[0173] according to Figure 9b The illustrated embodiment, and Figure 9a The methods for updating access documents differ. In operation 910, the credential issuer server 105 can send the updated access document or the information required to update the access document, along with the reader ID, to the applet of the user equipment 101.

[0174] In this scenario, user equipment 101 can communicate with device OEM server 103 via a framework and with credential issuer server 105 via a mini-program.

[0175] Figure 10 This is a diagram illustrating an operation method of a user equipment according to an embodiment of the present disclosure.

[0176] In operation 1010, user equipment 101 may receive a certificate from a third server associated with a target device from a first server associated with the user equipment. This certificate includes the third server's public key, the target device's status information, the access document's status information, and a signature from a second server that issued the access document. More specifically, user equipment 101 may receive a reader system issuer certificate 1005, which includes the reader system issuer's public key, reader status information 1011, access document status information, and a credential issuer's signature signed with the credential issuer's private key.

[0177] In this embodiment, the status information of the target device may include information about whether the target device and the third server are communicating with each other. More specifically, the status information of the target device may include the ID of the reader device 109 that is the target device and information indicating whether the reader device 109 corresponding to the ID is an online reader connected to the reader system issuer / platform server 107 or an offline reader that is not connected online.

[0178] In this embodiment, the access document status information may include information indicating whether the access document has been transmitted to a third server. More specifically, the access document status information may include information indicating whether the access document has been transmitted to the reader system issuer / platform server 107.

[0179] In operation 1020, user equipment 101 can execute an access procedure for the target device based on the target device's status information and access document status information included in the certificate on the third server. More specifically, user equipment can perform verification of the reader system issuer certificate 1005 and execute an access procedure with the reader device 109, which is the target device, based on the reader status information 1011 and access document status information included in the reader system issuer certificate 1005.

[0180] In an embodiment, the access process between user equipment 101 and reader device 109, which is the target device, may include: receiving a No. 0 authentication command from the target device including a temporary public key and the ID of the target device; sending a No. 0 authentication response to the target device including the temporary public key of the user equipment, the status information of the target device, and the status information of the access document; receiving a first authentication command from the target device including the signature of the target device and the certificate of the target device; and sending a first authentication response to the target device including a signature signed with the private key of the user equipment.

[0181] In this embodiment, user equipment 101, upon receiving target device status information (including information indicating the target device is an offline device) and access document status information (including information indicating the access document has not been transmitted to the third server) from a first server, may send a message requesting an access document to a second server and receive a response message including the access document from the second server. In this case, user equipment 101 may perform an access procedure for the target device based on the access document. Furthermore, user equipment 101 may receive an updated access document or information required to update the access document, as well as the target device's ID, and update the access document.

[0182] In one embodiment, user equipment 101 may, upon receiving target device status information including information indicating that the target device is an online device and access document status information including information indicating that the access document has been transmitted to a third server from a first server, delete the access document and send a message including information indicating that the access document has been deleted to a second server. In this case, user equipment 101 may execute an access procedure for the target device based on the target device status information including information indicating that the target device is an online device and the access document status information including information indicating that the access document has been transmitted to a third server.

[0183] Figure 11 This is a diagram illustrating the configuration of a user equipment according to an embodiment of the present disclosure.

[0184] Reference Figure 11 User equipment 1100 may include a communication unit 1110, a memory 1120, and a processor 1130. Figure 11 User equipment 1100 can be with Figure 1 The same device as the electronic device 1100.

[0185] The communication unit 1110 can perform wireless or wired communication with other devices or networks. For this purpose, the communication unit 1110 may include a communication module that supports at least one of various wired and wireless communication methods. For example, the communication module may be in the form of a chipset or a sticker / barcode including information required for communication (e.g., a sticker including an NFC tag). Wireless communication may include at least one of, for example, cellular communication, Wi-Fi, Wi-Fi Direct, Bluetooth, Ultra Wideband (UWB), or Near Field Communication (NFC).

[0186] In an embodiment, the communication unit 1110 may include a communication module for short-range communication. For example, the communication unit 1110 may include a communication module for performing various short-range communications such as infrared communication, magnetic secure transmission (MST), and magnetic secure communication, in addition to Wi-Fi, Wi-Fi Direct, Bluetooth, and NFC as described above.

[0187] Various types of data, including programs and files such as applications, can be installed and stored in memory 1120. Processor 1130 can access the data stored in memory 1120 to use the data, or to store new data in memory 1120. In this embodiment, memory 1120 can be installed and stored with programs and data for performing access to a target device.

[0188] In an embodiment, memory 1120 may include a secure element (SE), which is a secure region configured to be physically isolated from other hardware configurations. In an embodiment, the SE may include an embedded secure element (eSE), a universal integrated circuit card (UICC), a secure digital card (SD card), etc. Furthermore, memory 120

[0189] Processor 1130 controls the overall operation of user equipment 1100 and may include at least one processor, such as a CPU or GPU. Processor 1130 may control other configurations included in user equipment 1100 to perform access to a target device. For example, processor 1130 may execute a program stored in memory 1120, read a file stored in memory 1120, or store a new file in memory 1120.

[0190] In an embodiment, processor 1130 can perform access to a target device by executing a program stored in memory 1120. More specifically, processor 1130 can be configured to receive a certificate from a first server associated with a user equipment and a third server associated with the target device. The certificate includes the third server's public key, the target device's status information, access document status information, and a signature from a second server configured to issue the access document. In an embodiment, the target device's status information may include information about whether the target device and the third server are communicating with each other. Furthermore, the access document status information may include information about whether the access document has been transmitted to the third server. Processor 1130 can execute an access procedure for the target device based on the target device's status information and the access document status information included in the third server's certificate.

[0191] In an embodiment, the processor 1130 may be configured to cause the access process between the user equipment 101 and the reader device 109, which is the target device, to include: receiving a 0th authentication command from the target device including a temporary public key and the ID of the target device; sending a 0th authentication response to the target device including the temporary public key of the user equipment, the status information of the target device, and the status information of the access document; receiving a first authentication command from the target device including the signature of the target device and the certificate of the target device; and sending a first authentication response to the target device including a signature signed with the private key of the user equipment.

[0192] In an embodiment, the processor 1130 may be configured to, upon receiving target device status information including information indicating that the target device is an offline device and access document status information including information indicating that the access document has not been transmitted to the third server, send a message requesting an access document to a second server, and receive a response message including the access document from the second server. In this case, the processor 1130 may be configured to perform an access procedure for the target device based on the access document. Furthermore, the processor 1130 may be configured to receive an updated access document or information required to update the access document, as well as the ID of the target device, and update the access document.

[0193] In an embodiment, the processor 1130 may be configured to, upon receiving target device status information including information indicating that the target device is an online device and access document status information including information indicating that the access document has been transmitted to a third server from a first server, delete the access document and send a message including information indicating that the access document has been deleted to a second server. In this case, the processor 1130 may be configured to execute an access process for the target device based on the target device status information including information indicating that the target device is an online device and the access document status information including information indicating that the access document has been transmitted to a third server.

[0194] However, the configuration of electronic device 1100 is not limited to Figure 11 The configuration shown is shown, and the electronic device 1100 may include various other configurations besides the communication unit 1110, memory 1120 and processor 1130.

[0195] Figures 12 to 17 This is a diagram illustrating a method for storing certificates required for various entities according to an embodiment.

[0196] In this embodiment, user equipment 101 may store device OEM certificate 1740 and endpoint certificate 1750. In this case, device OEM certificate 1740 and endpoint certificate 1750 may be signed using the instance CA private key, or they may be signed using the device OEM private key. Device OEM server 103 may store credential issuer certificate 1710, and credential issuer 105 may store reader system issuer certificate 1730 and instance CA certificate 1720 or device OEM certificate. In this case, both instance CA certificate 1720 and device OEM certificate may be signed using the credential issuer private key, but there may be differences in whether the signature is applied to the instance CA public key or the device OEM public key. However, instance CA certificate 1720 or device OEM certificate can perform the same function and can be used interchangeably. In addition, reader system issuer / platform server 107 may store credential issuer certificate 1760 or reader certificate. Although Figures 12 to 17Although not shown in the diagram, reader 109 can store the credential issuer certificate and the reader system issuer certificate. Figures 12 to 17 Describes a method for pre-storing the certificates required for the configuration process by each entity.

[0197] First, refer to Figure 12 User equipment 101 stores the user equipment public key (User Device.PK) and user equipment private key (User Device.SK) in the frame. Device OEM server 103 stores the device OEM private key (DeviceOEM.SK), the device OEM public key (DeviceOEM.PK), and the instance certificate authority (CA) public key (InstanceCA.PK). Credential issuer server 105 stores the credential issuer public key (Credential Issuer.PK) and credential issuer private key (Credential Issuer.SK). Reader system issuer / platform server 107 stores the reader system issuer public key (Reader System Issuer.PK) and reader system issuer private key (Reader SystemIssuer.SK).

[0198] In operation 1210, user equipment 101 can generate an instance certificate authority (CA) including an instance CA public key and an instance CA private key in a security element (SE) and / or applet that serves as a security zone, and can generate an instance CA authentication including an instance CA public key.

[0199] Subsequently, in operation 1215, user equipment 101 can generate an SE root CA (or certificate) including the SE root CA public key and SE root CA private key in the security element (SE) and / or applet that serves as a security zone, and can generate instance authentication (Instance CA attestation) by signing the instance public key with the SE root CA private key (SERootCA signature).

[0200] In operation 1220, user equipment 101 can transmit the instance CA public key to device OEM server 103, and device OEM server 103 can receive the instance CA public key and generate instance CA public key data including the instance CA public key.

[0201] In operation 1230, the credential issuer server 105 can transmit the credential issuer public key to the reader system issuer / platform server 107, and can receive the reader system issuer public key from the reader system issuer / platform server 107.

[0202] Reference Figure 13In operation 1310, device OEM server 103 can generate an instance CA certificate by signing the instance CA public key with the device OEM private key included in the device OEM server CA (Device OEM Signature). Furthermore, in operation 1320, credential issuer 105 can generate a reader system issuer certificate by signing the reader system issuer public key with the credential issuer private key (Credential Issuer Signature). Subsequently, in operation 1330, reader system issuer / platform server 107 can generate a credential issuer certificate by signing the credential issuer public key with the reader system issuer private key (Reader System Issuer Signature).

[0203] In operation 1340, device OEM server 103 may send the instance CA certificate to the secure element (SE) and / or applet of user device 101. Subsequently, in operation 1350, device OEM server 103 may send the device OEM public key to the secure element (SE) and / or applet of user device 101. In operation 1360, user device 101 may generate a device OEM certificate by signing the device OEM public key using the instance CA private key (Instance CA Signature).

[0204] Reference Figure 14 In operation 1410, the device OEM server 103 can send the device OEM public key to the credential issuer server 105, and in operation 1420, the credential issuer server 105 can generate a device OEM certificate by signing the device OEM public key with the credential issuer private key.

[0205] In addition, in operation 1430, the device OEM server 103 can send the instance CA public key to the credential issuer server 105, and in operation 1440, the credential issuer server 105 can generate an instance CA certificate by signing the instance CA public key with the credential issuer private key.

[0206] Reference Figure 15 In operation 1510, device OEM server 103 may receive a credential issuer public key from credential issuer server 105, and in operation 1520, device OEM server may generate a credential issuer certificate by signing the credential issuer public key with the device OEM private key. In operation 1510, device OEM server 103 may also receive a create endpoint API from credential issuer server 105 for generating endpoint certificates.

[0207] Reference Figure 16 In operation 1610, device OEM server 103 can generate an endpoint certificate in the SE and / or applet via a framework request from user device 101, and user device 101 can receive the request to generate an endpoint public key and an endpoint private key in the SE and / or applet. In operation 1620, user device 101 can extract the endpoint public key, and in operation 1630, user device can generate an endpoint certificate by signing the endpoint public key with the instance CA private key (Instance CA Signature).

[0208] pass Figures 12 to 17 The process allows each entity to pre-store the certificates required for configuring the process. (Refer to...) Figure 17 User equipment 101 can store the device OEM certificate 1740 and endpoint certificate 1750. Device OEM server 103 can store the credential issuer certificate 1710, and credential issuer server 105 can store the reader system issuer certificate 1730 and the device OEM certificate or instance CA certificate 1720. Additionally, reader system issuer / platform server 107 can store the reader certificate 1760. Although... Figures 12 to 17 Although not shown in the diagram, reader 109 can store the credential issuer certificate and the reader system issuer certificate.

[0209] The embodiments of this disclosure described and illustrated in the specification and drawings are merely specific examples given to facilitate explanation of the technical content of the embodiments of this disclosure and to aid in understanding the embodiments of this disclosure, and are not intended to limit the scope of the embodiments of this disclosure. That is, those skilled in the art to which this disclosure pertains will understand that other variations based on the technical concept of this disclosure can be implemented. Moreover, the various embodiments described above may be combined as necessary.

Claims

1. A method performed by a user equipment to access a target device, the method comprising: The user equipment receives a certificate from a third server associated with the target device from a first server associated with the user equipment. The certificate includes the public key of the third server, the status information of the target device, the status information of the access document, and the signature of the second server that issued the access document. as well as Based on the status information of the target device included in the certificate on the third server and the status information of the access document, an access process for the target device is executed.

2. The method according to claim 1, wherein, The execution of the access process for the target device includes: Receive a 0th authentication command from the target device, including the target device's temporary public key and ID; Send a 0th authentication response to the target device, including the temporary public key of the user equipment, the status information of the target device, and the status information of the access document; Receive a first authentication command from the target device, including the signature and certificate of the target device; and Send a first authentication response to the target device, including a signature signed with the user device's private key.

3. The method according to claim 1, wherein, The status information of the target device includes information about whether the target device and the third server are communicating with each other.

4. The method according to claim 1, wherein, The status information of the access document includes information about whether the access document has been transmitted to the third server.

5. The method according to claim 1, further comprising: Upon receiving from the first server the status information of the target device, which includes information indicating that the target device is an offline device, and the status information of the access document, which includes information indicating that the access document has not been transmitted to the third server, a message requesting the access document is sent to the second server. as well as Receive a response message including the access document from the second server.

6. The method according to claim 5, further comprising: The access process for the target device is executed based on the access document.

7. The method according to claim 5, further comprising: Receive the updated access document or information required to update the access document and the ID of the target device from the second server; as well as Update the access documentation.

8. The method according to claim 5, further comprising: Upon receiving status information of the target device, including information indicating that the target device is an online device, and status information of the access document, including information indicating that the access document has been transmitted to the third server, from the first server, the access document is deleted; as well as Send a message to the second server including information indicating that the access document has been deleted.

9. The method according to claim 8, further comprising: Based on the status information of the target device, including information indicating that the target device is an online device, and the status information of the access document, including information indicating that the access document has been transmitted to the third server, an access process for the target device is executed.

10. A user equipment for accessing a target device, the user equipment comprising: Communication circuits; as well as At least one processor operatively connected to the communication circuit. Wherein, the at least one processor is configured as follows: The user equipment receives a certificate from a third server associated with the target device from a first server associated with the user equipment. The certificate includes the public key of the third server, the status information of the target device, the status information of the access document, and the signature of the second server that issued the access document. as well as Based on the status information of the target device included in the certificate on the third server and the status information of the access document, an access process for the target device is executed.

11. The user equipment according to claim 10, wherein, The at least one processor is configured as follows: Receive a 0th authentication command from the target device, including the target device's temporary public key and ID; Send a 0th authentication response to the target device, including the temporary public key of the user equipment, the status information of the target device, and the status information of the access document; Receive a first authentication command from the target device, including the signature of the target device and the certificate of the target device; as well as Send a first authentication response to the target device, including a signature signed with the user device's private key.

12. The user equipment according to claim 10, wherein, The status information of the target device includes information about whether the target device and the third server are communicating with each other.

13. The user equipment according to claim 10, wherein, The status information of the access document includes information about whether the access document has been transmitted to the third server.

14. The user equipment according to claim 10, wherein, The at least one processor is further configured to: Upon receiving from the first server the status information of the target device, which includes information indicating that the target device is an offline device, and the status information of the access document, which includes information indicating that the access document has not been transmitted to the third server, a message for requesting the access document is sent to the second server. as well as Receive a response message including the access document from the second server.

15. The user equipment according to claim 14, wherein, The at least one processor is further configured to execute an access procedure for the target device based on the access document.