QR code-based authentication device and method
The QR code-based authentication method verifies device legitimacy and network connection through IP address matching and biometric authentication, effectively preventing phishing and active phishing attacks, ensuring secure user authentication without inputting personal information.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- ELECTRONICS & TELECOMM RES INST
- Filing Date
- 2025-12-23
- Publication Date
- 2026-07-08
AI Technical Summary
Existing QR code-based authentication methods are vulnerable to phishing attacks, particularly active phishing attacks, as they do not verify the legitimacy of the device accessing the authentication system, risking personal information theft and unauthorized access.
A QR code-based authentication method that utilizes a mobile device to authenticate a user's PC by verifying the identity of the device through public and private IP addresses, biometric recognition, and certificate-based authentication, ensuring the mobile device and PC are on the same network, and using a multi-stage authentication process to prevent phishing and active phishing attacks.
Prevents phishing and active phishing attacks by confirming the legitimacy of the device and network connection, safeguarding personal information and user certificates, even in public environments, without requiring users to input personal information.
Smart Images

Figure 2026115007000001_ABST
Abstract
Description
Technical Field
[0001] The described embodiments relate to a technique for preventing attacker phishing in user authentication based on QR codes.
Background Art
[0002] A QR code is one type of two-dimensional barcode and was created to be recognized faster than existing two-dimensional barcodes. Each corner of a QR code contains a square marker for recognition so that it can be recognized without distortion regardless of the direction and inclination when using a scanner. Binary data consisting of black dots and a white background is inserted between them. The amount of data that can be inserted varies depending on the interval between the markers of the QR code. When inserting the maximum amount, up to 7,089 digits or about 4,296 ASCII characters can be inserted.
[0003] Since it can represent ASCII characters, it is used in many fields other than the initial invention's use for inserting product codes.
[0004] However, the information of the issuer is not essential and not required in the QR code itself. Since general QR codes also do not contain the issuer's information and digital signature, it is necessary to confirm whether the correct QR code is being recognized during the process of recognizing a QR code. If a QR code containing a phishing site address is recognized, there is a risk of personal information theft. If an incorrect QR code is read and communication is established during an e-commerce transaction process, there is a risk that money may be sent to the wrong party.
[0005] On the other hand, phishing is a method of fraudulently obtaining confidential information such as passwords and credit card information by pretending to be a message sent by a trustworthy person or company via email or text.
[0006] A phishing site is used to imitate a normal site and steal users' login information and personal information.
[0007] A man-in-the-middle (MITM) attack is an attack that intercepts communication between two parties. The attacker intercepts the communication between the two parties and steals or forges / alters information. Such man-in-the-middle attacks can be countered with certificate-based authentication and key sharing. For example, in a public key infrastructure (PKI), mutual authentication is performed using certificates authenticated by a certificate authority (CA), and then the keys necessary for communication are shared through key sharing. After that, communication is encrypted using the shared keys.
[0008] Active phishing is an attack that combines phishing and man-in-the-middle attacks. For example, when an attacker directs a user to a phishing site, they connect to the original site and display its information instead. Subsequently, the user provides login information, and the attacker can authenticate the user using the provided information, successfully displaying the screen after authentication is complete. At this time, the authentication completion information indicates that authentication has been performed, the user has been verified, and the process will proceed to the next step. The attacker can obtain the authentication completion information even if they do not possess all of the login information (ID, password, etc.). [Overview of the Initiative] [Problems that the invention aims to solve]
[0009] The described embodiment aims to authenticate on a PC using a user certificate stored on a mobile device via a QR code.
[0010] The described examples aim to prevent the leakage of personal information even when a user's PC is in an environment where there is a concern about the leakage of personal information, such as a PC in a public place.
[0011] The described examples are intended to prevent phishing attacks that attempt to steal personal information and active phishing attacks that attempt to steal authentication credentials. [Means for solving the problem]
[0012] The QR code-based authentication method according to the embodiment includes the steps of: when user authentication is requested via the user's computer, the server sends data necessary for generating a QR code to the user's computer; when the user's computer generates and outputs a QR code, the user's mobile device recognizes the QR code; and when the user's mobile device requests authentication using the QR code recognition information, the server performs user authentication. The user's computer includes a web browser and an application program module, and can perform user authentication by verifying the identity of the public IP addresses of the user's mobile device, the web browser, and the application program module.
[0013] At this time, the step of sending the data necessary for generating the QR code to the user's computer may include the steps of performing bidirectional authentication and first key sharing between the server and the application program module using the server's certificate and the application program module's certificate, upon receiving a user authentication request from the server via a web browser, and the steps of the server determining authentication failure depending on whether the public IP addresses of the web browser and the application program module are identical.
[0014] At this time, the step of sending the data necessary for generating the QR code to the user computer may further include the step of receiving the private IP and subnet mask of the application program module encrypted using the first key, and then sending the data necessary for generating the QR code encrypted using the first key to the application program module.
[0015] In this case, the step of recognizing the QR code may include the step of generating the QR code using the data necessary for generating the QR code received from the server by the application program module and outputting it to the user's computer screen, and the step of recognizing the QR code via an application pre-installed on the user's mobile device.
[0016] In this case, the user authentication step may include a step in which the server receives an authentication request from the user's mobile device using QR code recognition information, and determines whether the public IP address of the web browser and the public IP address of the user's mobile device are the same or not, thereby determining whether authentication fails.
[0017] In this case, the user authentication step may further include the steps of: the server performing one-way authentication to the user's mobile device using its own certificate and sharing a second key with the user's mobile device upon successful authentication; the server sending the private IP and subnet mask of the application program module encrypted using the second key to the user's mobile device; the user's mobile device sending the private IP and subnet mask of the user's mobile device encrypted using the second key to the server; and the server transmitting the private IP and subnet mask of the user's mobile device encrypted using the first key to the application program module.
[0018] At this time, the user authentication step may further include a step of determining whether authentication fails by verifying whether the private IPs of the user's mobile device and the application program module match the actual private IPs using the private IPs and subnet masks received by each device via internal network communication.
[0019] At this time, the user authentication step may further include the steps of: preparing user authentication by biometric recognition of the user after the user mobile receives an authentication success confirmation message from the application program module; performing user authentication with the server using the user certificate; and the server performing authentication upon receiving a user authentication request using the certificate from the user mobile and sending the result of whether the authentication was successful or not to the web browser.
[0020] The server according to the embodiment includes a memory in which at least one program is stored and a processor that executes the program. The program performs the steps of sending data necessary for generating a QR code to the user computer when a user authentication request is received via the user computer, and performing user authentication when an authentication request is received from the user mobile using QR code recognition information. The user computer includes a web browser and an application program module. The program can perform user authentication by verifying the identity of the public IP of the user mobile, the web browser, and the application program module.
[0021] At this time, in the step of sending the data necessary for generating a QR code to the user's computer, the program can receive a user authentication request via a web browser, perform bidirectional authentication and first key sharing between the server and the application program module using the server's certificate and the application program module's certificate, and determine authentication failure depending on whether the public IP addresses of the web browser and the application program module are the same.
[0022] At this time, in the step of sending the data necessary for generating a QR code to the user computer, the program can receive the private IP and subnet mask of the application program module encrypted using the first key, and then send the data necessary for generating a QR code encrypted using the first key to the application program module.
[0023] At this point, in the user authentication step, the program can determine whether authentication fails based on whether the public IP address of the web browser and the public IP address of the user's mobile device are the same, based on the authentication request received from the user's mobile device using QR code recognition information.
[0024] At this time, in the user authentication step, the program performs one-way authentication to the user's mobile device using the server's certificate, shares a second key with the user's mobile device upon successful authentication, sends the application program module's private IP and subnet mask encrypted using the second key to the user's mobile device in the user authentication step, and receives the user's mobile device's private IP and subnet mask encrypted using the second key from the user's mobile device, thereby enabling the application program module to transmit the user's mobile device's private IP and subnet mask.
[0025] At this time, in the user authentication step, the program can perform authentication by receiving a user authentication request using a certificate from the user's mobile device and send the result of whether the authentication was successful or not to the web browser.
[0026] The user mobile according to the embodiment includes a memory in which at least one program is recorded and a processor that executes the program. The program requests user authentication from the server using a QR code output to a user computer connected to the same router. The user computer includes a web browser and an application program module, and the user authentication may be performed based on confirmation of the identity of the public IPs of the web browser and the application program module.
[0027] At this time, the QR code is generated using data necessary for generating the QR code received by the application program module from the server. The program recognizes the QR code and requests authentication from the server, and by successfully authenticating, it can share a second key with the server through one-way authentication using the server's certificate.
[0028] At this time, the program receives the private IP and subnet mask of the application program module encrypted using the second key from the server, and after sending the private IP and subnet mask of the user mobile encrypted using the second key to the server, it can determine authentication failure according to whether the private IPs of the application program modules match through internal network communication.
[0029] At this time, the program can obtain a user certificate through user biometric recognition by receiving an authentication success confirmation completion message from the application program module, and perform user authentication on the server using the user certificate.
[0030] The user computer according to the embodiment includes a memory in which an application program module is stored and a processor that executes the application program module. The application program module performs bidirectional authentication and shares a first key with the server using the server's certificate and its own certificate, then sends its private IP address and subnet mask to the server, and generates and outputs a QR code using the data necessary for generating a QR code encrypted by the server using the first key.
[0031] At this time, the application program module receives the user's mobile device's private IP address and subnet mask, encrypted using the first key, from the server. By using the private IP addresses and subnet masks received by the user's mobile device and the internal network communication, the module can verify whether the private IP addresses match the actual ones and determine whether authentication should fail. [Effects of the Invention]
[0032] The described examples can prevent phishing attacks that attempt to steal personal information and active phishing attacks that attempt to steal authentication credentials.
[0033] Existing authentication methods operate under the assumption that the user has connected to a legitimate site. In other words, user vigilance was required to prevent phishing attacks. Even if a user connects to a phishing site, the authentication method of the present invention can prevent phishing attacks. The authentication method of the present invention utilizes the fact that mobile devices and PCs are on the same network to provide a function that prevents not only general phishing attacks but also active phishing attacks (using VPNs).
[0034] Furthermore, the described examples do not involve entering the user's personal information (ID, password, etc.) into the user's PC.
[0035] In other words, even if a user's PC is in an environment where there is a concern about the leakage of personal information, such as a public place, the leakage of personal information can be prevented.
[0036] Furthermore, the user's PC does not access the user certificate stored on the mobile device. This prevents the leakage of user certificates in environments such as public PCs.
[0037] In conclusion, since the user certificate is used on the mobile device and not accessed on the PC, the leakage of the user certificate can be prevented even if authentication is performed on a PC infected with malicious code.
[0038] Furthermore, the described examples allow users to use the system conveniently. In particular, the entire authentication process is completed simply by the user performing the authentication request, QR code recognition, and biometric recognition.
[0039] Furthermore, the described examples allow for the use of authentication methods that implement modules and module certificates in existing environments. For example, personal keys can be stored in a dedicated space for the module using the TPM and the OS, and these keys can be used for signing. Therefore, using module certificates allows the server to verify whether the module is forged or not.
[0040] Furthermore, the described embodiments allow the method to be applied to a variety of environments that utilize certificate authentication. In other words, the embodiments do not limit the type of certificate. In any environment where a certificate server manages certificates, the module and module certificate can be introduced to apply the authentication method of the present invention.
[0041] Furthermore, the described embodiment allows for the verification of the private IP addresses of the mobile device and the module, thereby confirming whether the module and the mobile device are on the same network, and thus confirming the physical location of the devices. [Brief explanation of the drawing]
[0042] [Figure 1] This diagram shows how an attacker can create a VPN environment. [Figure 2] This diagram shows how an attacker can create a VPN environment. [Figure 3] This is a schematic diagram of a QR code-based authentication system to which the embodiment is applied. [Figure 4] This is a flowchart illustrating in detail the QR code-based authentication method used in the example. [Figure 5] This figure shows the configuration of a computer system according to an example. [Modes for carrying out the invention]
[0043] The advantages and features of the present invention, and methods for achieving them, will become clear with reference to the embodiments described below in detail, along with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, and can be realized in a variety of different forms. These embodiments are provided merely to complete the disclosure of the present invention and to fully inform those who are ordinary skill in the art to which the present invention pertains, and the present invention is defined solely by the scope of the claims. Throughout the specification, the same reference numerals refer to the same components.
[0044] Although terms such as "first" or "second" may be used to describe a variety of components, such components are not limited by such terminology. Such terms can simply be used to distinguish one component from another. Therefore, the first component referred to below may be the second component within the technical concept of the present invention.
[0045] The terms used herein are for illustrative purposes only and are not intended to limit the invention. In this specification, the singular form includes the plural form unless otherwise specified in the text. As used in this specification, “comprises” or “comprising” means that the components or steps mentioned do not exclude the presence or addition of one or more other components or steps.
[0046] Unless otherwise defined, all terms used herein should be interpreted in a way that is commonly understood by a person of ordinary skill in the art to which the present invention pertains. Furthermore, terms defined in commonly used dictionaries should not be interpreted ideally or excessively unless explicitly defined otherwise.
[0047] The present invention provides a method for obtaining authentication completion information from a computer after a user has authenticated without transferring their mobile user certificate to a computer, and provides a technology that provides an active phishing prevention function. Before describing the present invention in detail, computer and internet-related technologies and authentication-related technologies will be described.
[0048] 1) Computer and Internet-related technologies i) QR code A QR code is a type of two-dimensional barcode designed to be recognized faster than existing two-dimensional barcodes. To ensure distortion-free recognition regardless of the scanner's orientation or angle, each QR code contains a rectangular marker for recognition, with binary data consisting of black dots and a white background placed between them. The amount of data that can be stored varies depending on the spacing between the markers; at its maximum, it can hold up to approximately 7,089 numbers or 4,296 ASCII characters.
[0049] Because it can represent ASCII characters, it is used in many fields beyond its initial invention for entering product codes.
[0050] However, the QR code itself does not require the issuer's information, and general QR codes do not include the issuer's information or a digital signature. Therefore, it is necessary to verify whether the correct QR code has been recognized during the QR code recognition process. If a QR code containing a phishing site address is recognized, there is a risk of personal information being stolen. Furthermore, if an incorrect QR code is read and communication is established during the e-commerce process, there is a risk of sending money to the wrong recipient.
[0051] (b) TPM A Trusted Platform Module (TPM) is a secure cryptographic key storage device in digital terminals that is inaccessible from the outside. The TPM is either a separate chip on the circuit board, not a general storage device, or it is integrated into the CPU, and access to the TPM is only possible with separate instructions that differ from those for general storage devices. The TPM generally provides functions such as cryptographic key generation (symmetric key, personal key, public key), public key extraction, encryption using the private key, digital signature generation using the personal key, and digital signature verification using the public key, without exposing the private key (symmetric key and personal key).
[0052] When the TPM and OS are managed in conjunction, the OS can use the TPM to configure a secure encryption device, and can provide each program driven by the OS with its own unique encryption key storage space and encryption functionality.
[0053] By encrypting and managing data via a TPM, it becomes impossible to obtain plaintext data or forge digital signatures unless the entire device containing the TPM is seized.
[0054] H) Network The Network Layer Model is a model that structures the data transmission process by dividing it into layers. Two methods for dividing the layers are the OSI model and the TCP / IP model; here, we will explain using the OSI model as the basis. The lowest physical layer defines how electrical, wireless, and optical signals are handled. The second layer, the data link layer, handles data transmission between physically adjacent devices, using MAC addresses (Media Access Control Addresses) assigned to each device as sender and receiver. Generally, networks that can communicate using only MAC addresses are called the "same network." The third layer, the network layer, handles communication between other networks, using IP addresses as sender and receiver. In the network layer, a subnet mask or CIDR (classless Inter-Domain Routing) can be used instead of the MAC address-based determination of whether or not they are on the same network. Once it is confirmed that they are on the same network, communication is possible with all directly and indirectly connected devices by combining the MAC addresses from the second layer.
[0055] The fourth layer, the transmission layer, deals with the procedures for sending and receiving data during communication between devices, with TCP or UDP being typical examples. The fifth, session layer, and the sixth, presentation layer, work together with the transmission layer to help transmit data organically, and the TLS protocol is a representative protocol that combines these layers to establish secure communication.
[0056] The final, seventh application program layer is the layer that handles the data that the software actually exchanges, and is generally the layer where internet data, commonly known as HTTP, travels.
[0057] A widely used router (or internet sharer) is provided for the purpose of allowing multiple devices on the same network to share a single public IP address assigned at the third layer. Devices within a single router share the same subnet mask and are each assigned a private IP address, enabling communication. When communicating between IPs within the same network, the other party's private IP address is displayed as is. When communicating with an external network outside the network, the other party sees your public IP address, not your private IP address.
[0058] (ii) VPN A VPN (Virtual Private Network) is a function used to make a device on another network appear as if it were on the same network. A typical VPN can be configured by a network administrator to activate the VPN function via a router, allowing authorized external users to join.
[0059] Figures 1 and 2 illustrate the methods an attacker uses to create a VPN environment.
[0060] Referring to Figure 1, although attacker 41 is outside router 10, it is assigned a private IP address by router 10 through the VPN function and can communicate with mobile device 20 and PC 30 using that private IP address.
[0061] Mobile 20, PC 30, and attacker 42 all share the same public IP address. In such an environment, attacker 42 would have to attack router 10, making it nearly impossible for an active phishing attack to create the environment shown in Figure 1.
[0062] If an attacker creates such an environment through a method other than active phishing, they can more easily steal users' personal information than through an active phishing attack. For this reason, this invention does not consider VPN environments in the form shown in Figure 1.
[0063] The VPN environment that can be used in an active phishing attack is shown in Figure 2. This is the case when a software router 11 is installed on PC30, and a private IP address is assigned from this router 11.
[0064] Since the software router 11 only needs to be lured to download and install from a phishing site, an attacker can easily create a VPN environment like the one shown in Figure 2. In the environment shown in Figure 2, the public IP addresses of mobile device 20, PC 30, and attacker 40 are the same.
[0065] However, since the router 11 that assigned a private IP address to attacker 40 (the router installed on the PC) and the router 10 that assigned private IP addresses to mobile 20 and PC 30 are different, it is impossible for attacker 40 to communicate with mobile 20 or attacker 40 with PC 30 using private IP addresses.
[0066] 2) Authentication-related technologies i) User Authentication User authentication is the process of verifying the identity of the other party in a transaction. In a network environment, it involves establishing the validity of an identity claim between the parties (people, processes, clients, servers, devices, etc.) during a single session. Establishing validity means confirming that the user's identity is valid and trustworthy through the authentication procedure.
[0067] (b) PKI Public Key Infrastructure (PKI) is an authentication mechanism that uses public key cryptography. Participants are issued digital certificates through trusted Certificate Authorities (CAs), which they can use for certificate authentication. Certificates generally follow the X.509 format and include the owner's public key and name. The CA then digitally signs the contents of such certificates and adds this signature to the end of the certificate before issuing it. Within a PKI, all participants share a trusted root CA certificate. Generally, CAs have certificates issued by the root CA, and general participants have certificates issued by CAs.
[0068] In such a PKI, all participants have a certificate chain starting with a root certificate authority. If participants trust each other's root certificate authorities, then they can also trust each other's digital signatures. Generally, PKI is widely used in SSL / TLS, which verifies that each party is a legitimate participant in network communications.
[0069] In South Korea, the government operates GPKI, a Public Key Infrastructure (PKI) that has legal force in the public sector, and NPKI, a joint certificate system that can be used in the private sector. The root certification authority for both PKIs is the Ministry of the Interior and Safety.
[0070] H) Mobile Easy Authentication Simple authentication is a method of performing user authentication easily and quickly via a trusted device. In South Korea, most mobile devices require identity verification during the USIM issuance process. After identity verification is complete, a personal key is securely stored in the device and can be used for encryption, decryption, and digital signatures via the device's biometric authentication. When user authentication is required while using the internet or an application, this stored personal key can be used to complete the authentication process using only biometric authentication via mobile simple authentication. In South Korea, mobile simple authentication mostly takes two forms: sending a one-time token via phone number, or completing authentication using certificates issued by various authentication authorities that are pre-stored on the mobile device. In the latter case, QR codes may also be used in the process of transmitting the information necessary for digital signatures.
[0071] 3) Types of attacks i) Fishing Phishing is a method of illegally obtaining sensitive information, such as passwords and credit card details, by impersonating messages sent via email or text message as if they were from a trusted person or company.
[0072] Phishing sites are used to steal users' login information and personal data by mimicking legitimate websites.
[0073] (b) Man-in-the-middle attack A man-in-the-middle (MITM) attack is an attack that intercepts communication between two parties. The attacker intercepts the communication between the two parties and steals or forges / alters information. Such man-in-the-middle attacks can be countered with certificate-based authentication and key sharing. In a PKI, mutual authentication is performed using certificates authenticated by a CA, and then the keys necessary for communication are shared through key sharing. From then on, communication is encrypted using the shared keys.
[0074] H) Active Fishing Active phishing is an attack that combines phishing and man-in-the-middle attacks. For example, when an attacker directs a user to a phishing site, they connect to the original site and display its information instead. Subsequently, the user provides login information, and the attacker can authenticate the user using the provided login information and successfully display the screen after authentication is complete. At this time, the authentication completion information is information that authentication has been performed, the user has been verified, and the process will proceed to the next step. The attacker can obtain the authentication completion information even if they do not possess all of the login information (ID, password, etc.).
[0075] Therefore, in this embodiment, we propose a QR code-based authentication technology to prevent phishing attacks that attempt to steal personal information and active phishing attacks that attempt to steal authentication credentials.
[0076] Figure 3 is a schematic diagram of a QR code-based authentication system to which the embodiment is applied.
[0077] Referring to Figure 3, the QR code-based authentication system to which this embodiment applies may include a user mobile device 110 (hereinafter referred to as "mobile"), a user computer (PC) 120, and a server 130.
[0078] User mobile device 110, user PC 120, and server 130 are each issued user certificates, module certificates, and server certificates in advance by a certificate server (not shown), and the certificate server can manage these.
[0079] However, in the embodiments described later, a detailed explanation of the certificate validity verification procedure via the certificate server will be omitted.
[0080] Mobile 110 is a device for which a user certificate has been issued in advance from a certificate server, allowing the user to be authenticated.
[0081] Therefore, Mobile 110 securely stores user certificates and personal keys using passwords or biometric authentication, and can use passwords or biometric authentication for signing.
[0082] Furthermore, it is assumed that the mobile device 110 must have an application program pre-installed that has the necessary functions for the authentication process, and that the installed application program has not been tampered with.
[0083] User PC 120 may include a web browser 122 (hereinafter referred to as "WEB") and an application program module 121 (hereinafter referred to as "module").
[0084] Here, WEB122 can refer to the internet browser of user PC120 attempting to obtain authentication completion information from server130.
[0085] Furthermore, module 121 is an application program on the user PC 120 that is attempting to authenticate, and may be pre-installed before authentication.
[0086] Such a module 121 requires a storage space accessible only to the module in order to store personal keys, and a module certificate can be issued in advance via a certificate server during module installation. An example of a storage space accessible only to the module is a TPM (Traffic Processing Module).
[0087] At this point, we assume that module 121, like the application program installed on mobile 110, has not been altered.
[0088] Server 130 may also be a device that manages the site to which a user attempts to connect and authenticate.
[0089] Such a server 130 communicates with the mobile device 110, the user PC 120's WEB 122, and module 121, and performs user authentication using a user certificate.
[0090] At this time, server 130 must also have previously received a server certificate from the certificate server.
[0091] QR code-based authentication in the aforementioned system may be performed using the following procedure.
[0092] First, when user authentication is requested via user PC 120 (S210), server 130 sends the data necessary for generating a QR code to user PC 120 (S220).
[0093] Then, the user PC 120 generates and outputs a QR code, and the mobile device 110 recognizes the QR code (S230).
[0094] Subsequently, upon receiving an authentication request from the mobile device 110 using QR code recognition information, the server 130 performs user authentication (S240) and then sends an authentication completion message to the user PC 120 (S250).
[0095] In this case, phishing attacks can be prevented by using existing QR code authentication methods and not entering personal information as in the example. However, active phishing attacks cannot be prevented for the following reasons.
[0096] First, as in step S210, the user clicks an authentication request button for authentication using a QR code on a phishing site connected via WEB122. The attacker ignores the authentication request made by the user and requests authentication from server 130 on the attacker's PC.
[0097] Subsequently, the attacker's PC displays the user a QR code generated based on the requested information. This deceives the user into believing that the server 130 is sending the QR code, as shown in step S220 in Figure 3.
[0098] The user then recognizes the QR code, similar to S230 in Figure 3, and completes user authentication, similar to S240.
[0099] Then, since the attacker PC has requested authentication, server 130 performs step S250 shown in Figure 3, sending authentication completion information to the attacker PC, which is not user PC 120.
[0100] In other words, as mentioned above, existing authentication methods using QR codes may prevent phishing attacks, but they cannot prevent active phishing.
[0101] Therefore, in this embodiment, we propose a QR code-based authentication device and method that can prevent active phishing.
[0102] In this example, since users will no longer need to enter personal information on WEB122, phishing attacks can be prevented.
[0103] Furthermore, in order to prevent active phishing attacks, it is necessary to be able to verify whether the PC communicating with server 130 is a user PC 120 or an attacker PC.
[0104] However, it is very difficult for a user who is unaware that they have connected to a phishing site to confirm this, so in this embodiment, this is confirmed through a multi-stage authentication process.
[0105] Furthermore, according to the embodiment, the mobile device 110 and the user PC 120 must be on the same network. This means that the mobile device 110 and the user PC 120 are connected to the same router.
[0106] As a result, the public IP addresses of mobile device 110 and user PC 120 are the same, and within the router, mobile device 110 and user PC 120 can receive private IP addresses corresponding to their respective MAC addresses.
[0107] External devices connected via VPN or similar protocols cannot communicate with devices inside the router using private IP addresses. If an attacker attempts an active phishing attack via a phishing site, the attacker's PC and user PC 120 must be on different networks.
[0108] In other words, if the attacker's PC and user PC 120 are on the same network, it means the attacker is in close proximity to the user. In this case, personal information can be obtained using a simpler method than a phishing attack, so in this embodiment, we assume that the attacker's PC and user PC 120 are on different networks.
[0109] In other words, in this embodiment, active phishing attacks can be prevented by confirming that the mobile device 110 and the user PC 120 are on the same network.
[0110] If the attacker's PC and user PC 120 are on different networks, then the attacker's PC and mobile device 110 are also on different networks.
[0111] Furthermore, when attempting an active phishing attack, the web and module communicating with server 130 are those of the attacker's PC, not user PC 120. Unless the attacker uses a VPN to change their public IP address to match that of user PC 120, the public IP address of the attacker's PC connected to server 130 should be different from the public IP address of mobile 110.
[0112] Therefore, in this embodiment, it is confirmed whether the public IP addresses of mobile 110, WEB 122, and module 121 are the same, thereby preventing such cases.
[0113] If the attacker uses a VPN to change their public IP address to be the same as that of user PC 120, the public IP address of the attacker's PC connected to server 130 will be the same as that of mobile 110. Therefore, the process of verifying whether the public IP addresses of mobile 110, WEB 122, and module 121 are the same is skipped.
[0114] However, since the attacker's PC is on a different network from user PC 120, the active phishing attack can be prevented for the following reasons:
[0115] 1. If the module on the attacker's PC passes authentication using the module's certificate, then the module has not been forged or altered. 2. The private IP address transmitted by the attacker's PC module is a private IP address on a different network than Mobile 110. 3. The private IP addresses transmitted by the module and mobile device are sent during the certificate-based authentication process, making it impossible for attackers to forge or alter them. 4. Since the mobile device and the attacker's PC are on different networks, communication using private IP addresses is not possible. 5. The mobile device and the module verify via internal communication whether their private IP addresses match, using the private IP addresses of the module and the mobile device transmitted from server 130.
[0116] This checks whether the mobile device and the module are on the same network, and can also detect active phishing attacks using VPNs.
[0117] Figure 4 is a flowchart illustrating in detail the QR code-based authentication method according to an example.
[0118] Referring to Figure 4, the QR code-based authentication method according to the embodiment can broadly include the steps of: when user authentication is requested via the user PC 120, the server 130 sends data necessary for generating a QR code to the user PC 120; when the user PC 120 generates and outputs a QR code, the mobile device 110 recognizes the QR code; and when the mobile device 110 requests authentication using the QR code recognition information, the server 130 performs user authentication.
[0119] At this time, user authentication can be performed by verifying the identity of the public IP addresses of Mobile 110, Web 122, and Module 121.
[0120] First, a user authentication request is sent to the server 130 via WEB 122 (S310), enabling bidirectional authentication and first key sharing between the server 130 and module 121 using the certificate of the server 130 and the certificate of module 121 (S320).
[0121] At this time, the user requests authentication (such as logging in) on S310.
[0122] Then, in S320, if authentication fails, the authentication procedure is terminated.
[0123] Subsequently, server 130 determines whether authentication has failed based on whether the public IP addresses of WEB122 and module 121 are the same (S330). In other words, server 130 checks whether the public IP addresses of WEB122 and module 121 obtained in S310 and S320 are the same. If the public IP addresses are not the same, it sends the authentication failure result to WEB122 and terminates the authentication procedure.
[0124] Next, module 121 and server 130 use the first key shared in S320 to send and receive data between them (S340).
[0125] Specifically, module 121 sends its private IP address and subnet mask, encrypted using the first key, to server 130, and server 130 sends the data necessary for generating a QR code, encrypted using the first key, to module 121.
[0126] Module 121 generates a QR code using the data necessary for generating a QR code received from server 130 and outputs it to the screen (S350).
[0127] Then, mobile device 110 recognizes the QR code displayed on the user PC 120's screen (S360) and requests authentication from server 130 (S370).
[0128] In this case, QR code recognition may be performed via an application pre-installed on the mobile device 110.
[0129] When server 130 receives an authentication request from mobile 110 using QR code recognition information, it determines whether authentication fails based on whether the public IP address of WEB 122 and the public IP address of mobile 110 are the same (S380). In other words, server 130 checks whether the public IP addresses of WEB 122 and mobile 110 obtained in steps S310 and S370 are the same.
[0130] At this point, successful authentication means that the public IP addresses of WEB122, module121, and mobile110 are all the same.
[0131] If the public IP addresses of WEB122 and mobile110 are different, server130 sends the authentication failure result to WEB122 and terminates the authentication procedure.
[0132] Next, server 130 performs one-way authentication to mobile 110 using its own certificate, and if authentication is successful, it shares the second key with mobile 110 (S390). If authentication fails at this point, the authentication procedure is terminated.
[0133] Subsequently, the server 130 and mobile 110 send and receive encrypted data using the second key (S400).
[0134] Specifically, mobile 110 sends its private IP address and subnet mask, encrypted using the second key, to server 130. Server 130 then sends the private IP address and subnet mask of module 121, encrypted using the second key obtained in S340, to mobile 110. At the same time, server 130 transmits the private IP address and subnet mask of mobile 110, encrypted using the first key, to module 121.
[0135] The mobile device 110 and the application program module 121 use the private IP addresses and subnet masks they each received via internal network communication to verify whether their respective private IP addresses match the actual ones, and determine whether authentication has failed (S420). Module 121 then sends a verification completion message to the mobile device 110 (S430).
[0136] At this point, if the private IP addresses of mobile device 110 and module 121 do not match, the authentication process will terminate.
[0137] Mobile 110 obtains a user certificate via biometric recognition of the user upon receiving a message from module 121 confirming successful authentication (S440). If biometric recognition fails at this time, the authentication procedure is terminated.
[0138] Subsequently, mobile device 110 performs user authentication with server 130 using the acquired user certificate (S450).
[0139] Server 130 receives a user authentication request using a certificate from mobile 110, performs authentication, and sends the result of whether the authentication was successful or not to WEB 122 (S460).
[0140] If user authentication fails at this point, the authentication failure result is sent to WEB122, and the authentication process is terminated.
[0141] The aforementioned authentication procedure is terminated when authentication fails. Server 130, module 121, and mobile 110 can, if necessary, send the authentication failure result to WEB 122, server 130, module 121, and mobile 110, display an authentication failure message to the user, and terminate the authentication procedure.
[0142] Figure 5 shows the configuration of a computer system according to an embodiment.
[0143] At least one of the user mobile device 110, user PC 120, and server 130 in the embodiment can be implemented in a computer system 1000 such as a computer-readable recording medium.
[0144] The computer system 1000 may include one or more processors 1010 communicating with each other via a bus 1020, a memory 1030, a user interface input device 1040, a user interface output device 1050, and storage 1060. The computer system 1000 may further include a network interface 1070 connected to a network 1080. The processors 1010 may be central processing units or semiconductor devices that execute programs or processing instructions stored in the memory 1030 or storage 1060. The memory 1030 and storage 1060 may be storage media including at least one of the following: volatile media, non-volatile media, separable media, non-separable media, communication media, or information transmission media. For example, the memory 1030 may include ROM 1031 and RAM 1032.
[0145] Although embodiments of the present invention have been described above with reference to the attached drawings, those with ordinary skill in the art to which the present invention pertains will understand that the present invention can be implemented in other specific forms without altering its technical idea or essential features. Therefore, the embodiments described above should be understood to be illustrative and not limiting in all respects.
Claims
1. When user authentication via the user's computer is requested, the server sends the data necessary for generating a QR code to the user's computer. The user's computer generates and outputs a QR code, which the user's mobile device then recognizes. The process involves a user requesting authentication from the user's mobile device using QR code recognition information, which prompts the server to perform user authentication. Includes, The user computer is Includes a web browser and application program modules, A QR code-based authentication method that verifies the identity of the user's mobile device, web browser, and application program module's public IP address to perform user authentication.
2. The step of sending the data necessary for generating the QR code to the user's computer is: The process involves a user authentication request being sent to the server via a web browser, followed by the use of the server's certificate and the application program module's certificate to perform bidirectional authentication and share a first key between the server and the application program module. The server determines authentication failure based on whether the public IP addresses of the web browser and application program module are identical. A QR code-based authentication method according to claim 1, including the following:
3. The step of sending the data necessary for generating the QR code to the user's computer is: The QR code-based authentication method according to claim 2, further comprising the step of receiving the private IP and subnet mask of the application program module encrypted using the first key, and transmitting data necessary for generating a QR code encrypted using the first key to the application program module.
4. The step of recognizing the QR code is: The application program module generates a QR code using the data necessary for generating a QR code received from the server and outputs it to the user's computer screen. The steps include: recognizing the QR code via an application pre-installed on the user's mobile device; and A QR code-based authentication method according to claim 1, including the following:
5. The steps for user authentication are: A QR code-based authentication method according to claim 1, comprising the step of determining whether authentication fails based on whether the public IP address of the web browser and the public IP address of the user's mobile device are the same, when the server receives an authentication request from the user's mobile device using QR code recognition information.
6. The steps for user authentication are: The server performs one-way authentication to the user's mobile device using its own certificate, and upon successful authentication, shares the second key with the user's mobile device. The server sends the private IP address and subnet mask of the application program module, encrypted using a second key, to the user's mobile device. The user's mobile device sends its private IP address and subnet mask, encrypted using a second key, to the server. The server transmits the user's mobile private IP and subnet mask, encrypted using a first key, to the application program module. The QR code-based authentication method according to claim 5, further comprising:
7. The steps for user authentication are: The QR code-based authentication method according to claim 6, further comprising the step of determining whether authentication fails by using the private IP and subnet mask received by the user mobile and the application program module, respectively, via internal network communication, to verify whether their respective private IPs actually match.
8. The steps for user authentication are: The user's mobile device receives an authentication success confirmation message from the application program module, and the user obtains a user certificate through biometric recognition. The steps include: performing user authentication on the server using a user certificate, The server performs authentication when it receives a user authentication request using a certificate from the user's mobile device, and sends the result of whether the authentication was successful or not to the web browser. The QR code-based authentication method according to claim 7, further comprising:
9. Memory containing at least one program, The processor that executes the program and Includes, The program is The process involves sending data necessary for generating a QR code to the user's computer in response to a user authentication request via the user's computer, and The system performs a user authentication step when an authentication request is received from the user's mobile device using QR code recognition information. The user computer is Includes a web browser and application program modules, The program is A server that performs user authentication by verifying the identity of the public IP addresses of the user's mobile device, web browser, and application program module.
10. The program is In the step of sending the data necessary for generating a QR code to the user's computer, a user authentication request is made via a web browser, and bidirectional authentication and first key sharing are performed between the server and the application program module using the server's certificate and the application program module's certificate, The server according to claim 9, which determines authentication failure based on whether the public IP addresses of the web browser and the application program module are identical.
11. The program is The server according to claim 10, wherein in the step of transmitting data necessary for generating a QR code to a user computer, the server transmits data necessary for generating a QR code encrypted using the first key to the application program module by receiving the private IP and subnet mask of the application program module encrypted using the first key.
12. The program is The server according to claim 10, wherein, in the step of performing user authentication, an authentication request is received from the user's mobile device using QR code recognition information, and authentication failure is determined based on whether the public IP address of the web browser and the public IP address of the user's mobile device are the same.
13. The program is The server according to claim 12, wherein in the step of performing user authentication, the server performs one-way authentication to the user's mobile using the server's certificate, shares a second key with the user's mobile upon successful authentication, transmits the private IP and subnet mask of the application program module encrypted using the second key to the user's mobile in the step of performing user authentication, and transmits the private IP and subnet mask of the user's mobile encrypted using the first key to the application program module upon receiving the private IP and subnet mask of the user's mobile encrypted using the second key from the user's mobile.
14. The program is The server according to claim 13, wherein, in the step of performing user authentication, authentication is performed when a user authentication request using a certificate is received from the user's mobile device, and the result of whether or not the authentication was successful is sent to the web browser.
15. Memory containing at least one program, The processor that executes the program and Includes, The program is The user computer connected to the same router uses the QR code output to request user authentication from the server. The user computer is Includes a web browser and application program modules, User authentication is, User mobile verification is performed after the identity of the public IP address of the web browser and application program module has been verified.
16. The QR code is, The application program module generates the QR code using the data necessary for generating the QR code received from the server. The program is The user mobile device according to claim 15, which recognizes a QR code, requests authentication from the server, and shares a second key with the server through one-way authentication using the server's certificate.
17. The program is The user mobile according to claim 16, which receives the private IP and subnet mask of an application program module encrypted using a second key from the server, sends the private IP and subnet mask of a user mobile encrypted using the second key to the server, and then determines authentication failure via internal network communication depending on whether the private IP of the application program module matches.
18. The program is The user mobile device according to claim 17, which obtains a user certificate by biometric recognition of the user upon receiving an authentication success confirmation completion message from the application program module, and performs user authentication on the server using the user certificate.
19. Memory containing application program modules, A processor that runs application program modules and Includes, The application program module is A user computer that performs bidirectional authentication and shares the first key with the server using the server's certificate and its own certificate, then sends its private IP address and subnet mask to the server, and generates and outputs a QR code using the data necessary for generating an encrypted QR code from the server using the first key.
20. The application program module is The user computer according to claim 19, which receives the private IP and subnet mask of the user's mobile device encrypted using a first key from the server, and then verifies whether the private IPs of the user's mobile device and the user's mobile device, respectively, received via internal network communication, match the actual private IPs, thereby determining whether authentication should fail.