KR102391952B1 - System, device or method for encryption distributed processing - Google Patents

Abstract

The present invention is to propose a cryptographic distributed processing system, the system comprising: a client server; main server; user terminal; distributed processing server; and a plurality of distributed servers, and since the key or encryption password is divided and stored, and the division method of the key and the encryption password is not known, it is very difficult to obtain the complete key or encryption password, and the complete key or encryption password is obtained Even so, since the decryption module is owned only by the client server, an encryption or decryption method that cannot be decrypted by a subject other than the client server is provided.

Description

Encryption distributed processing system, device or method therefor {System, device or method for encryption distributed processing}

The present invention relates to an encryption distributed processing system, apparatus, or method therefor, and relates to encryption and distributed processing or storage of a password.

Due to the development of the Internet or mobile services, most people use the Internet to access numerous online services such as government agencies, educational institutions, medical institutions, telecommunication companies, financial companies, portals, social network services (SNS), games, and shopping. use

Accordingly, a user who wants to use such a service must either sign up for a member by entering personal information including his or her real name, or authenticate that he or she is a registered user by entering user identification information (ID) and password. In addition, user authentication is possible only when such user information, ie, ID and password, must be stored for each subject of the online service.

However, the storage of the user's information for each subject of the online service, ie, centralization, is exposed to the risk of information leakage. That is, if only one of the subjects of the online service is hacked, illegal or malicious access is possible not only to the corresponding online service but also to other online services.

To this end, it is intended to propose an encryption distribution system, apparatus or method for encrypting and distributing user information to remove the risk of hacking.

The present invention intends to propose a cryptographic distribution system, apparatus or method for removing the risk of leakage of user information.

The problems to be solved to be achieved in the present invention are not limited to the problems to be solved, and other problems not mentioned may be clearly understood by those of ordinary skill in the art to which the present invention belongs from the description below. There will be.

In an encryption distributed processing system according to an embodiment of the present invention, the system includes: a client server that generates a key, and transmits the generated key and password, and user identification information to a main server; receiving the key, the password, and the user identification information from the client server, encrypting the password with the received key using an encryption module, dividing each of the key and the encrypted password into at least two, at least one The first block including the split key, at least one split encryption password and the user identification information is transmitted to the user terminal, and the second block including the remaining split key, the remaining split encryption password and the user identification information is a distributed processing server the main server that transmits to; a user terminal that receives the first block from the main server, and stores the split key and split encryption password included in the first block after RSA (Rivest Shamir Adleman) encryption; and receiving the second block from the main server, and applying the division key and division encryption password included in the second block to a predetermined number of subs. It may include a distributed processing server that distributes processing in blocks and stores them in one or more distributed servers.

Additionally or alternatively, the client server may delete the key and password after sending the key and password to the main server.

Additionally or alternatively, the main server may remove the partition key and the partition encryption password after transmitting the first block and the second block.

Additionally or alternatively, the main server may partition the key and the encryption password using one of preset partitioning schemes.

Additionally or alternatively, the preset partitioning method may include setting for at least one of the number or size of partitions, a configuration of partitions, and an order between the partitioned key and the encryption password.

Additionally or alternatively, the distributed processing server may divide each of the division key and division encryption password included in the second block into a predetermined number or a predetermined size.

Additionally or alternatively, the user terminal may allocate the first identification information based on the user identification information to the division key and division encryption password included in the first block by using a predetermined function.

Additionally or alternatively, the distributed processing server may allocate second identification information based on the user identification information to the division key and division encryption password included in the second block by using a predetermined function.

Additionally or alternatively, the second identification information may be different from the first identification information.

In an encryption distributed processing system according to another embodiment of the present invention, the system includes: a client server requesting delivery of an encryption password; a main server receiving a transmission request of the encrypted password from the client server and requesting transmission of the encrypted password to a user terminal and a plurality of distributed servers or a distributed processing server managing the plurality of distributed servers; a user terminal for transmitting a first block including an RSA-encrypted first division key and a first division encryption password to the main server in response to a transmission request of the encrypted password; According to the transmission request of the encryption password, the sub-blocks of the second block including the second division key and the second division encryption password distributed to the plurality of distributed servers are recovered and combined to obtain a second block and a distributed processing server that transmits the second block to the main server, wherein the main server RSA-decrypts the RSA-encrypted first block to obtain a first partition key and a first partition encryption password, and the first combining the division key and the second division key, combining the first division encryption password and the second division encryption password, to obtain a key and an encryption password, and using the obtained key and the obtained encryption password to the client transmitted to the server, and the client server may use a decryption module to decrypt the obtained encrypted password with the obtained key.

In the encryption distribution processing method according to another embodiment of the present invention, the method comprises the steps of generating a key, receiving the generated key and password, and user identification information; encrypting the password with the received key using an encryption module, and dividing each of the key and the encrypted password into two; and a first block including the first partition key, the first partition encryption password and the user identification information is transmitted to the user terminal, and a second block including the second partition key, the second partition encryption password and the user identification information transmits to a distributed processing server, wherein the first partition key and the first partition encryption password included in the first block are stored in the user terminal after RSA (Rivest Shamir Adleman) encryption, and the second block The second division key and the second division encryption password included in a predetermined number of sub It may be distributed in blocks and stored in one or more distributed servers managed by the distributed processing server.

In a distributed encryption processing method according to another embodiment of the present invention, the method comprising: receiving a transmission request of an encryption password from a client server; requesting delivery of an encryption password to a user terminal and a plurality of distributed servers or a distributed processing server managing the plurality of distributed servers; In response to the request for transmission of the encrypted password, a first block including the RSA-encrypted first division key and the first division encryption password is received, and the second division key and the second division encryption are distributed to the plurality of distributed servers. receiving a second block including a password; and RSA-decrypting the RSA-encrypted first block to obtain a first division key and a first division encryption password, combining the first division key and the second division key, the first division encryption password and the second division key combining the two-part encryption password to obtain a key and an encryption password, and transmitting the obtained key and the obtained encryption password to the client server, wherein the encrypted password transmitted to the client server is sent to a decryption module It can be decrypted using the obtained key.

In addition, according to another embodiment of the present invention, a computer program stored in a computer readable medium for performing the above-described method is proposed.

The above problem solving methods are only some of the embodiments of the present invention, and various embodiments in which the technical features of the present invention are reflected are based on the detailed description of the present invention to be described below by those of ordinary skill in the art can be derived and understood as

According to the present invention, there is an effect that the key and password can be safely stored.

More specifically, according to the present invention, since the key and password are divided and stored in several places, the complete key or encrypted password is obtained as long as the divided key or divided encryption password is not leaked from all places where the key and password are divided and stored. This is impossible.

The effects obtainable in the present invention are not limited to the above-mentioned effects, and other effects not mentioned may be clearly understood by those of ordinary skill in the art to which the present invention belongs from the following description. will be.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included as a part of the detailed description to help the understanding of the present invention, provide embodiments of the present invention, and together with the detailed description, explain the technical spirit of the present invention.
1 is a block diagram of an encryption distributed processing system according to the present invention.
2 shows a flowchart of an encryption process according to the present invention.
3 is a flowchart of a decoding process according to the present invention.

Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. However, the present invention is not limited to the embodiments described herein and may be implemented in various other forms. The terminology used herein is for the purpose of helping the understanding of the embodiments, and is not intended to limit the scope of the present invention. Also, singular forms used hereinafter include plural forms unless the phrases clearly indicate the opposite.

1 shows a structural diagram of a cryptographic distributed processing system 1 according to the present invention.

The encryption distributed processing system 1 according to the present invention may include a client server 10 , a main server 20 , a user terminal 30 , a distributed processing server 40 , and one or more distributed servers 50 .

First, the encryption process will be described. The encryption process may be initiated through the user's attempt to store the password.

The client server 10 may detect the user's attempt to store the password. Accordingly, the client server 10 may generate a key promised with the main server 20 . Alternatively, the key promised with the main server 20 may be given to the client server 10 in advance. The promised key may have a predetermined size and may be generated through a random number generation function.

The client server 10 may use or have a decryption module. The decryption module is for decrypting user information or an encrypted password among them (hereinafter referred to as “encrypted password”). When the promised key and encryption password are input, the (decrypted) password can be output. . Here, the decryption module has a corresponding or symmetric relationship with the encryption module used or possessed by the main server 20, and the password encrypted using the promised key and the encryption module is decrypted using the promised key and the decryption module. It is possible.

The client server 10 and the main server 20 may transmit and receive information, data, or messages through application programming interface (API) communication. A one-time token is required for API communication between the client server 10 and the main server 20 . The client server 10 requests a token value from the main server 20 with the key value issued in advance, and the main server 20 compares the previously issued key value with the server IP address of the client server 10, You can control communication.

The client server 10 may transmit the promised key, (user) password, and user identification information (ID) to the main server 20 . At this time, the client server 10 does not store the promised key, password, and user identification information. That is, after the client server 10 transmits the promised key, password, and user identification information to the main server 20 , the promised key, password and user identification information are stored in the client server 10 or the client server 10 . It can be deleted from storage, etc. This is to remove the possibility of information leakage, such as a key or password, from the client server 10, and in the end, the security of the key and password is strengthened.

The main server 20 may receive the promised key, (user) password, and user identification information from the client server 10 . The main server 20 may use or retain an encryption module corresponding to or symmetrical to a decryption module used or possessed by the client server 10 . The main server 20 may encrypt the password with the promised key using the encryption module. Accordingly, an encryption password can be generated. Also, when encryption of the password is completed, the password received from the client server 10 may no longer exist in the main server 20 .

Then, the main server 20 may divide each of the promised key and the encryption password using one of the preset division methods. The preset division method for division of the promised key and the encryption password (including division of the password prior to encryption) includes a setting or It may include setting and the like. A specific division method according to the number or size of division, configuration and order, etc. will be described in more detail.

The main server 20 may divide each of the promised key and the encryption password into a predetermined number or divide to have a predetermined size. That is, the main server 20 can divide the promised key into N pieces and divide the encryption password into M pieces (N and M are each an integer of 2 or more, and may be the same or different).

For example, the main server 20 may divide each of the promised key and the encryption password into two. That is, the main server 20 may divide the promised key into a first division key and a second division key, and divide the encryption password into a first division encryption password and a second division encryption password. The encryption password is divided into several components in the system of the present invention to be stored or stored, so that even if some of the system components are hacked, the promised key or password cannot be recovered or decrypted.

For example, when the promised key consists of 64 characters (ie, a character string) and the promised key is divided into two, the main server 20 stores 32 characters from the highest digit (leftmost character) of the promised key. The character may be divided by the first division key, and the remaining 32 characters may be divided by the second division key.

Partitioning for the encryption password may also be performed in the same manner as partitioning for the promised key described above. For example, if the encrypted password consists of a 200-digit character string and the encrypted password is divided into two, the main server 20 uses 100 characters from the highest digit of the encrypted password as the first divided encryption password and the remaining 100 characters. It can be divided into 2 division keys.

The table below shows an example of the result of dividing the key and password in the same way when the key and password each have 18 characters.

key and password Key: abcdefghi123456789
Encryption password: abcdefghi123456789 first split key abcdefghi first encryption password abcdefghi 2nd split key 123456789 second encryption password 123456789

Alternatively, when the promised key consists of a 64-digit character string, the main server 20 sets the highest digit character and 32 characters selected by skipping one character therefrom as the first division key and the remaining characters as the second division key. It can be split (that is, a combination or combination of even-numbered characters out of 64 characters is split with one split key, and a combination or combination of odd-numbered characters is split with the other split key).

When the encrypted password consists of a 200-digit character string, the main server 20 divides the highest digit character and 100 characters selected by skipping one character therefrom as the first division encryption password, and divides the remaining 100 characters into the second division It can be divided into an encryption password (that is, a combination or combination of even-numbered characters among 200 characters is divided into one divided encryption password, and a combination or combination of odd-numbered characters is divided into the other divided encryption password).

The table below shows an example of the result of dividing the key and password in the same way when the key and password each have 18 characters.

key and password Key: abcdefghi123456789
Encryption password: abcdefghi123456789 first split key acegi2468 first encryption password acegi2468 2nd split key bdfh13579 second encryption password bdfh13579

In Tables 1 and 2, examples in which the key and the password are partitioned in the same way are described, but the key and the password may be partitioned in different ways. For example, the key may be partitioned in the manner illustrated in Table 1, and the password may be partitioned in the manner illustrated in Table 2.

In addition, if the number or degree (N, M) by which the promised key and the encryption password are divided is set to 3 or more, the division method may be further diversified. For example, if the promised key consists of a 64-character string and should be divided into three, select 64-digit characters while cyclically shifting one from the highest digit to divide it into three split keys. method can be used. If the number to be divided is not a divisor (ie, not divisible) of the total number of digits of the promised key or encryption password, the length or size of each division key or division encryption password may not be equal to each other.

Also, the number or degree (N, M) by which the promised key and the encryption password described above are divided may be different from each other.

For example, the promised key is divided into two (the first division key and the second division key), but the encryption password may be divided into three (the first division encryption password, the second division encryption password, and the third division encryption password) . Even in this case, the division method may refer to the above-mentioned bar.

If this partitioning method is unknown, even if the partition key and partition encryption password are obtained, the complete promised key and encryption password cannot be recovered.

On the other hand, since the split key or split encryption password is transmitted to the user terminal 30 and the distributed processing server 40, the mutual order of the split key or split encryption password may also be important. For example, when the promised key consists of a 64-digit character string, the relative positions of the first split key to be delivered to the user terminal 30 and the second split key to be delivered to the distributed processing server 40, that is, the order is the main server It may vary according to the division method in (20).

In the examples of Tables 1 and 2 described above, a predetermined number of characters or even-numbered characters from the highest (leftmost) character in the entire string of the promised key are referred to as the first split key for transmitting to the user terminal 30 . and referred to as the second split key for transmitting the remaining characters to the distributed processing server 40, this order may be reversed. That is, a predetermined number of characters or even-numbered characters from the highest (leftmost) character in the entire string of the promised key is referred to as a first split key that transmits to the distributed processing server 40, and the remaining characters are used by the user It may be referred to as a second split key transmitted to the terminal 30 .

As the number or degree of division of the promised key or encryption password increases, various mutual orders are possible. When the promised key is divided into a preset number (eg, 3), or the size of the partition key to be transmitted to the user terminal 30 is set to a partial ratio (eg, 1/3) of the entire string of the promised key In this case, when the first partitioning key, the second partitioning key, and the third partitioning key are partitioned according to the partitioning configuration described above, it can be determined which partitioning key is assigned or transmitted to the user terminal 30 or the distributed processing server 40 . there is. For example, if only one third of the entire string of the promised key has to be transmitted to the user terminal 30 , the main server 20 determines to transmit any one of the three split keys to the user terminal 30 , and the rest It may be decided to transmit the split key to the distributed processing server 40 .

The description of the order described for the split key may also be applied to the encryption password or the splitting of the password.

If this mutual order is unknown, even if the partition key and the partition encryption password are obtained, the complete promised key and encryption password cannot be recovered.

Accordingly, the main server 20 must store or recognize the number or size of the selected partitions, the configuration of partitions, or the order of the partitioned keys or encryption passwords (or passwords) to each other, and the number or size of the partitions selected and the configuration of partitions Alternatively, a security measure is required, such as the order of the partitioned key or encryption password (or password) is also encrypted. The number or size of partitions used in the encryption process, the configuration of partitions, or the sequence between the partitioned keys or encrypted passwords (or passwords) are determined by the main server 20 when the encrypted distributed password is called later. Processed or stored keys and cryptographic passwords are collected, which are then needed to construct or combine the complete key and cryptographic password.

In summary, the promised key or encryption password may be partitioned by one of the preset schemes. That is, the promised key or encryption password may be divided into a predetermined size or number, and the predetermined size or number may be different for the promised key and the encryption password. In addition, the divided configuration of the promised key or the encrypted password may also be made according to a predetermined configuration, and the mutual order of the divided key or the divided encryption password may also be determined according to the predetermined sequence.

Meanwhile, before encrypting the password using the encryption module, the main server 20 may divide the password using one of various preset methods. Here, the various preset methods may include all of the methods (ie, the number or size of divisions, division configuration, mutual order, etc.) described in relation to the process of dividing the previously promised key or encryption password.

After that, the main server 20 may encrypt the password divided by the promised key using an encryption module. In this way, the encryption process can be performed by the number or degree to which the password is divided. Since the promised key may also be divided, the main server 20 may partition the promised key simultaneously with, before, or after the division of the password using one of various preset methods. Here, various preset methods may include the method described above in relation to the process of dividing the encrypted password. Even at this time, when the encryption of the divided password is completed, the password received from the client server 10 may no longer exist in the main server 20 .

The main server 20 may transmit the divided promised key (ie, divided key) and the divided encryption password (ie, divided encryption password) to the user terminal 30 and the distributed processing server 40 together with user identification information. there is. When the main server 20 divides the promised key into N and divides the encryption password into M pieces or divides the password into M pieces and then encrypts the password, at least one of the N split keys and at least one of the M split encryption passwords It may be transmitted to the user terminal 30 , and the remaining division key and division encryption password may be transmitted to the distributed processing server 40 .

At this time, the main server 20 does not store the key, password, division key, division encryption password and user identification information. That is, after the main server 20 transmits the split key, the split encryption password, and the user identification information to the user terminal 30 and the distributed processing server 40 , the split key (including the key received from the client server 10 ) , by removing or deleting the split encryption password (including the password received from the client server 10) and user identification information, the password, split key (client server ( 10)), split encryption passwords, and user identification information can no longer exist. This is to remove the possibility of information leakage, such as a key, password, split key, or split encryption password, from the main server 20, and eventually, the security of the key and password is strengthened.

The user terminal 30 may receive from the main server 20 at least one of N split keys, at least one of M split encryption passwords, and user identification information. Hereinafter, for simplicity of explanation, an information unit including at least one of N split keys, at least one of M split encryption passwords, and user identification information will be referred to as a “first block”. The user terminal 30 may use or have a Rivest Shamir Adleman (RSA) encryption module. Correspondingly, the main server 20 may use or have an RSA decryption module. The main server 20 and the user terminal 30 may share an RSA encryption key and an RSA key for decryption with each other.

The user terminal 30 may RSA-encrypt the received first block using the RSA encryption module. When RSA encryption is completed, the first block received from the main server 20 may no longer exist in the user terminal 30 . Then, the user terminal 30 may store the RSA-encrypted first block locally.

The RSA-encrypted first block may not include user identification information directly, but may include user identification information in a manner indicating user identification information. For example, user identification information may be included as a file name obtained by RSA-encrypting the division key and division encryption password in the first block. In this case, the file name may be assigned with information different from the user identification information received from the main server 20 or a different value. That is, the user terminal 30 may generate the first identification information using a separate function for encoding the user identification information, and allocate the first identification information to the first block.

The distributed processing server 40 may receive, from the main server 20 , the remaining division key and the remaining division encryption password that are not transmitted to the user terminal 30 together with user identification information. Hereinafter, for simplicity of explanation, an information unit including the remaining division key that is not transmitted to the user terminal 30, the remaining division encryption password, and user identification information will be referred to as a “second block”. The distributed processing server 40 receives the second block and sends the second block to a predetermined number of sub It can be stored in one or more distributed servers 50 by distributing processing in blocks. Through the distributed processing process, the second block can be divided into K sub-blocks (where K is an integer greater than or equal to 2, which is a preset number), or can be divided into a plurality of sub-blocks of preset sizes. there is. Each sub-block may be configured to include a part of the split key included in the second block and a part of the split encryption password included in the second block. In this case, the user identification information may be stored as a file name of each sub-block. That is, the distributed processing server 40 generates the second identification information using a separate function for encoding the user identification information received from the main server 20, and applies the second identification information to the second block or each sub-block. can be assigned The second identification information allocated to each sub-block may have different independent values. For the correlation between the second identification information and the user identification information, the distributed processing server 40 is configured to recognize or identify. When distributed processing is performed, the distributed processing server 40 may remove or delete the second block received from the main server 20 so that the second block no longer exists.

In addition, for distributed processing, the distributed processing server 40 or the distributed server 50 may use a Hadoop system.

As described above, the key and the encrypted password are divided and stored in the user terminal 30 and the distributed server 50 . Accordingly, both the user terminal 30 and the distributed server 50 must acquire the user's split key and split encryption password to obtain the user's complete key and encrypted password. In addition, even when all division keys and division encryption passwords are obtained, reconstructing the complete key and encryption password according to the above-described various division sizes (number), division configuration, and mutual order of division keys or division encryption passwords is related to division. Without information it is impossible. In addition, since the decryption module for decrypting the encrypted password exists only in the client server 10, decryption is possible only when the client server 10 has the complete key and the encrypted password. Therefore, even if subjects other than the client server 10 obtain the complete key and encryption password, decryption is impossible. Therefore, according to the present invention, there is an effect that a strong security system can be built in relation to the password of the key.

A decoding process according to the present invention will be described.

The decryption process may be initiated according to the user's password call.

The client server 10 may detect the user's password call. Since the client server 10 has deleted all of the key, password, and user identification information received in the encryption process, it no longer has the password. Accordingly, the client server 10 may transmit a transmission request of the encrypted password to the main server 20 . The transmission request may include user identification information, so that it is possible to identify whom the encrypted password is being transmitted for.

The main server 20 may receive the transmission request of the encrypted password. The main server 20 does not further have the key and password and user identification information received in the encryption process, or the split key and the split encryption password. Accordingly, the main server 20 may transmit a request for transmission of the encrypted password to the user terminal 30 and the distributed processing server 40 .

The user terminal 30 may transmit the locally stored RSA-encrypted first block to the main server 20 according to the received encryption password transmission request. At this time, the user terminal 30 may extract user identification information from the RSA-encrypted first block, and when transmitting the RSA-encrypted first block to the main server 20, the extracted user identification information may be transmitted together. there is. In addition, after transmitting the RSA-encrypted first block to the main server 20, the user terminal 30 removes or deletes the RSA-encrypted first block, and the user terminal 30 or the user terminal 30 ) in the storage, etc., the RSA-encrypted first block may no longer exist.

The distributed processing server 40 may transmit an encryption password transmission request to one or more distributed servers 50 according to the received encryption password transmission request. Correspondingly, each distributed server 50 may transmit a sub-block of the second block to the distributed processing server 40 . Then, the distributed processing server 40 may obtain the second block again by combining the sub-blocks of the recovered second block, and may transmit the second block to the main server 20 . At this time, the distributed processing server 40 may extract user identification information based on the second identification information from the second block or each sub-block, and when transmitting the second block to the main server 20 , the extracted user Identification information can be transmitted together. In addition, after transmitting the second block or each sub-block, the distributed processing server 40 or each distributed server 50 removes or deletes the second block or each sub-block to communicate with the distributed processing server 40 The second block or each sub-block may no longer exist in each distributed server 50 .

Also, the main server 20 may check whether the user identification information included in the delivery request from the client server 10 matches the user identification information received from the user terminal 30 . Also, the main server 20 may check whether the user identification information included in the delivery request from the client server 10 matches the user identification information received from the distributed processing server 40 . Naturally, it must be confirmed that the user identification information received from the user terminal 30 and the distributed processing server 40 is the same as the user identification information included in the delivery request from the client server 10, so that the process to be described later will continue. can

The main server 20 may decrypt the RSA-encrypted first block received from the user terminal 30 using the RSA decryption module. Accordingly, the first block may be obtained from the main server 20 . When the decryption of the RSA-encrypted first block is completed, the RSA-encrypted first block may no longer exist in the main server 20 .

Thereafter, the main server 20 may combine the first block and the second block received from the distributed processing server 40 with each other. The first block includes at least one partition key and at least one partition encryption password, and the second block includes the remaining partition key and the remainder partition encryption password. However, as described above, since the main server 20 divided the first block and the second block using one of various methods in the encryption process, the main server 20 uses the divided method to divide the first block. and the second block, more specifically, combining the partitioning key included in the first block and the partitioning key included in the second block, and generating the partitioned encryption password included in the first block and the partitioned encryption password included in the second block. can be combined Accordingly, the complete key and encryption password are obtained from the main server 20 . Even so, since the main server 20 does not have an encryption module, it cannot decrypt the encrypted password. The main server 20 may transmit the obtained key and encryption password to the client server 10 . In addition, after the main server 20 transmits the acquired key and the encrypted password to the client server 10, the key, the encrypted password, and the first block and the second block no longer exist in the main server 20. does not That is, the main server 20 may remove or delete the key and the encryption password.

The client server 10 may decrypt the received encrypted password using the received key. Accordingly, a password is obtained from the client server 10 , and the client server 10 may return the password to the user. Also, after returning the password to the user, the client server 10 may delete the key and the encryption password received from the main server 20 .

2 is a flowchart of an encryption process related to encryption distribution processing according to the present invention. The process shown in FIG. 2 may be performed by the main server 20 .

The main server 20 may receive the key, password, and user identification information from the client server 10 (S210). This step may be initiated upon the user's attempt to store the password.

The main server 20 encrypts the password using the received key (S220), in which case an encryption module may be used. As described above, the encryption module corresponds to the decryption module possessed or used by the client server 10, and the encryption module may encrypt the password using the key, and the decryption module may decrypt the encrypted password. An encryption password may be obtained as a result of encryption.

The main server 20 may divide each of the key and the encryption password (S230). As the partitioning method, one of the various partitioning methods described above may be used. A plurality of split keys and a plurality of split encryption passwords can be obtained through the splitting of the key and the splitting of the encryption password.

The main server 20 may transmit some of the split key and the split encryption password to the user terminal 30 and the rest to the distributed processing server 40 (S240).

The partial split key and part split encryption password (hereinafter, “first block”) transmitted to the user terminal 30 are stored after RSA encryption in the user terminal 30 , and the remaining split keys transmitted to the distributed processing server 40 . and the split encryption password (hereinafter, “second block”) may be stored in one or more distributed servers 50 after being distributed in the distributed processing server 40 .

Through this, the encryption distributed processing system 1 can safely encrypt the key and password and then distribute and store the encrypted key and password.

The following table illustrates a state in which the first block is RSA-encrypted and stored in the user terminal 30 .

plain text {
KEY:abcdefghi,
PASSWORD:abcdefghi
} RSA 10011001 1010100 10101 10101010 1010101 101010 010110 101010 01011 010101 01010

In addition, the user terminal 30 may locally store the first block as follows. Here, the user identification information is test@tes.com .

IDX: test@tes.com 10011001 1010100 10101 10101010 1010101 101010 010110 101010 01011 010101 01010

For an encryption process not described with reference to FIG. 2 , reference will be made to the description described with reference to FIG. 1 .

3 is a flowchart showing a decryption process related to encryption distributed processing according to the present invention. The process shown in FIG. 3 may be performed by the main server 20 .

The main server 20 may receive an encrypted password transmission request from the client server 10 (S310). This step may be initiated according to the user's password recall attempt.

The main server 20 may transmit an encrypted password transmission request to the user terminal 30 and the distributed processing server 40 in response to the received encrypted password transmission request (S320).

The main server 20 may receive a block including a split key, a split encryption password, and user identification information from the user terminal 30 and the distributed processing server 40 in response to the encrypted password transmission request (S330).

After that, the main server 20 may process the received encryption block, combine the split keys in the processed encryption block with each other, and combine the split encryption password with each other to obtain a key and an encryption password (S340). In more detail, the main server 20 performs RSA decryption on the RSA encryption first block composed of the RSA encryption division key and the RSA division encryption password received from the user terminal 30, and performs RSA decryption with a partial key and partial division encryption. A first block composed of a password can be obtained. Then, the main server 20 combines the partial key and partial encryption password of the first block with the remaining division key and the remaining division encryption password received from the distributed processing server 40, that is, the second block, and an encryption password. The combination of the partition keys and the combination of the partition encryption password should be performed corresponding to the partitioning method described above.

The main server 20 may transmit the obtained key and encryption password to the client server 10 (S350). The encrypted password transmitted to the client server 10 may be decrypted using the transmitted key. Through this, the client server 10 may obtain the password and return it to the user.

For a decoding process not described with reference to FIG. 3 , reference will be made to the description described with reference to FIG. 1 .

In the above specification, the "system" and its components (client server 10, main server 20, user terminal 30, distributed processing server 40, distributed server 50, etc.) refer to the method or procedure Although it has been described as performing, etc., the "system" and components belonging thereto are only names, and the scope of rights is not subordinated thereto. That is, the method or procedure may be performed not only as a system but also as an apparatus, and the method or method may be performed by software for distributed encryption processing or a code readable by a computer or other machine, apparatus, etc. .

In addition, as another aspect of the present invention, the above-described proposal or operation of the invention is performed by a "computer" (a comprehensive concept including a system on chip (SoC) or (micro) processor, etc.) Code that can be implemented, implemented or executed, or a computer-readable storage medium storing or including the code, or a computer program product, etc. a computer-readable storage medium including a computer program product or a computer program product.

The detailed description of the preferred embodiments of the present invention disclosed as described above is provided to enable any person skilled in the art to make and practice the present invention. Although the above has been described with reference to preferred embodiments of the present invention, it will be understood by those skilled in the art that various modifications and changes can be made to the present invention described in the claims below. Accordingly, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (14)

In the cryptographic distributed processing system,
A client that generates a key, transmits the generated key and password, and user identification information to the main server, and deletes the key and password after transmitting the key and password to the main server server;
Receives the key, the password, and the user identification information from the client server, encrypts the password with the received key using an encryption module, and divides each of the key and the encrypted password using one of a preset partitioning method However, the method for dividing the key and the method for dividing the password are divided into at least two using different methods, and the method includes at least one division key, at least one division encryption password, and the user identification information. After transmitting 1 block to the user terminal, transmitting the second block including the remaining division key, the remaining division encryption password and the user identification information to the distributed processing server, and transmitting the first block and the second block, a main server for removing the division key and division encryption password;
Receives the first block from the main server, assigns first identification information based on the user identification information to the first block using a predetermined function, and a division key and division encryption password included in the first block RSA (Rivest Shamir Adleman) encryption and then storing the user terminal; and
Receive the second block from the main server, assign second identification information different from the first identification information based on the user identification information to the second block using a predetermined function, and include in the second block Each of the divided key and division encryption password is divided into a predetermined number or a predetermined size, and the divided division key and division encryption password are divided into a predetermined number of subs. It includes a distributed processing server that distributes processing in blocks and stores them in one or more distributed servers,
The preset partitioning method includes setting at least one of the number or size of partitions, a configuration of partitions, and an order between a partitioned key and an encryption password,
The division key and division encryption password transmitted to the user terminal and the distributed processing server are determined according to the preset division method,
The system, wherein the predetermined number of sub-blocks are assigned different independent values of identification information. delete delete delete delete delete delete delete delete In the cryptographic distributed processing system,
a client server that transmits a request for transmission of an encrypted password, including user identification information;
a main server that receives the transmission request of the encrypted password from the client server and transmits the transmission request of the encrypted password to a user terminal and a plurality of distributed servers or a distributed processing server managing the plurality of distributed servers;
In response to the request for transmission of the encrypted password, a first block including the RSA-encrypted first division key and the first division encryption password to which the first identification information based on the user identification information is allocated using a predetermined function is transferred to the main block a user terminal that transmits to a server and deletes the first block after transmitting the first block;
A second split key distributed and processed in the plurality of distributed servers to which second identification information different from the first identification information based on the user identification information is allocated using a predetermined function in response to a request for transmission of the encrypted password; and After recovering a predetermined number of sub-blocks of the second block including the second division encryption password, combining them to obtain a second block, transmitting the obtained second block to the main server, and transmitting the second block; After including a distributed processing server that deletes the second block,
Here, the first division key and the second division key are obtained by dividing a key using a first division method among preset division methods, and the first division encryption password and the second division encryption password are the The password is obtained by dividing the password by using a second preset partitioning method among the preset partitioning methods, wherein the first preset partitioning method and the second preset partitioning method are different from each other;
The main server is:
RSA-decrypts the RSA-encrypted first block to obtain a first division key and a first division encryption password, and combines the first division key and the second division key based on the first preset division method; By combining the first divided encryption password and the second divided encryption password based on the second preset division method, a key and an encryption password are obtained, and the obtained key and the obtained encryption password are transmitted to the client server. After transmitting and transmitting the obtained key and the obtained encrypted password, the obtained key and the obtained encrypted password are deleted;
The client server decrypts the obtained encrypted password with the obtained key using a decryption module,
The preset partitioning method includes setting at least one of the number or size of partitions, a configuration of partitions, and an order between the partitioned key and the encryption password,
The division key and division encryption password transmitted to the user terminal and the distributed processing server are determined according to the preset division method,
The system, wherein the predetermined number of sub-blocks are assigned different independent values of identification information. In the encryption distributed processing method,
generating a key, receiving the generated key and password, and user identification information;
encrypting the password with the received key using an encryption module, and using one of the preset division methods for each of the key and the encrypted password, a method for dividing the key and a method for dividing the password dividing into at least two using different methods; and
The first block including the first division key, the first division encryption password, and the user identification information is transmitted to the user terminal, and the second block including the remaining division key, the remaining division encryption password and the user identification information is distributed processing transmitting to a server, and after transmitting the first block and the second block, deleting the partition key and the encryption password;
The first block is allocated first identification information based on the user identification information using a predetermined function, and the first division key and the first division encryption password included in the first block are RSA (Rivest Shamir Adleman) encryption After being stored in the user terminal,
The second block is allocated second identification information different from the first identification information based on the user identification information using a predetermined function, and each of the remaining division keys and the remaining division encryption passwords included in the second block is determined in advance. After being divided into a number or a predetermined size, the divided division key and division encryption password are divided into a predetermined number of subs. It is distributed in blocks and stored in one or more distributed servers managed by the distributed processing server,
The preset partitioning method includes setting at least one of the number or size of partitions, a configuration of partitions, and an order between the partitioned key and the encryption password,
The division key and division encryption password transmitted to the user terminal and the distributed processing server are determined according to the preset division method,
The method, wherein the predetermined number of sub-blocks are allocated identification information of different independent values. In the encryption distributed processing method,
receiving a transmission request of an encrypted password from a client server including user identification information;
transmitting an encryption password transmission request to a user terminal and a plurality of distributed servers or a distributed processing server managing the plurality of distributed servers;
In response to the transmission request of the encrypted password, the first block including the RSA-encrypted first division key and the first division encryption password to which the first identification information based on the user identification information is allocated using a predetermined function, The second division key and the second division key received from the user terminal and distributed to the plurality of distributed servers to which second identification information different from the first identification information based on the user identification information is assigned using a predetermined function Receiving a second block obtained by combining and recovering a predetermined number of sub-blocks of a second block including an encryption password from the distributed processing server, After the first block is transmitted from the user terminal, the user terminal is deleted from and the second block is deleted from the distributed processing server after being transmitted from the distributed processing server; and
Here, the first division key and the second division key are obtained by dividing a key using a first division method among preset division methods, and the first division encryption password and the second division encryption password are the The password is obtained by dividing the password by using a second preset partitioning method among the preset partitioning methods, wherein the first preset partitioning method and the second preset partitioning method are different from each other;
RSA-decrypts the RSA-encrypted first block to obtain a first division key and a first division encryption password, and combines the first division key and the second division key based on the first preset division method; By combining the first divided encryption password and the second divided encryption password based on the second preset division method, a key and an encryption password are obtained, and the obtained key and the obtained encryption password are transmitted to the client server. and after transmitting the obtained key and the obtained encrypted password, deleting the obtained key and the obtained encrypted password,
The encrypted password transmitted to the client server is decrypted with the obtained key using a decryption module,
The preset partitioning method includes setting at least one of the number or size of partitions, a configuration of partitions, and an order between the partitioned key and the encryption password,
The division key and division encryption password transmitted to the user terminal and the distributed processing server are determined according to the preset division method,
The method, wherein the predetermined number of sub-blocks are allocated identification information of different independent values. A computer program stored on a computer readable medium for performing the method according to claim 11 . A computer program stored on a computer readable medium for performing the method according to claim 12 .

Images