KR102854414B1 - Authentication methods and authentication systems that restrict unauthorized installation of software products - Google Patents

Abstract

The present invention relates to an authentication method and an authentication system that allow only an authenticated user to install a software product on a product use server, and more particularly, to an authentication method and an authentication system that identify a user attempting to install a software product, checks whether the user has installation authority, and restricts unauthorized installation of a software product by proceeding with the installation of the software product by an authenticated user. The authentication system comprises a client storing an installation package for installing a software product, a user terminal storing user information, and an authentication server that performs an authentication function for executing the installation package, and communicates with each other, comprising: a user information registration step in which user information of an authorized user and a unique code of a software product are registered in the authentication server; an information communication step in which the client transmits the unique code of the installation package and challenge information so that the authentication server receives them in order to install the software product on the client, and the user terminal transmits the user information; a user authority confirmation step in which the user information and unique code received by the authentication server are compared with the user information and unique code registered in the authentication server to confirm whether the user has execution authority for the corresponding installation package; When the user authority for the user information of the user terminal is confirmed, the authentication server generates an authentication code based on the challenge information and the unique code and sends it to the client for receipt; and the installation package generates a decryption key based on the authentication code, decrypts the encrypted package data configured in the installation package, and installs it on the client.

Description

Authentication methods and authentication systems that restrict unauthorized installation of software products

The present invention relates to an authentication method and an authentication system that allow only authenticated users to install a software product on a product use server, and more specifically, to an authentication method and an authentication system that identify a user attempting to install a software product, checks whether the user has installation authority, and restricts unauthorized installation of a software product by proceeding with the installation of the software product by an authenticated user.

According to the Software Property-rights Council (SPC), the unauthorized installation and use of illegal software products costs hundreds of billions of won annually in Korea alone. The damage to businesses caused by the distribution of illegal software is several times greater than the profits from legitimate sales.

While the illegal installation and use of software products occurs not only by individuals but also by businesses, preventing illegal use by individuals is more challenging than by businesses. Individuals distribute software illegally over the Internet, through platforms like P2P (Peer-to-Peer), warez, and webhard, without the consent of the copyright holder. This makes detection difficult. Furthermore, tracking down the individual who initially distributed the software is challenging. Furthermore, because the original file names are often altered during distribution, it's difficult to fundamentally block the distribution of illegally copied software.

The inherent ease of copying, a hallmark of software products, conversely presents a potential and potentially fatal flaw. Various technologies have been proposed to protect software products from illegal copying, unauthorized installation, and use. Popular methods include online authentication and offline activation using a CD key or serial number.

An example of a technology for authenticating the authenticity of a software product online is disclosed in Korean Patent Registration No. 0602107 (registered on July 10, 2006, Software Copyright Management System in a Network Environment and Method Therefor; hereinafter referred to as “Prior Art 1”). The technology disclosed in Prior Art 1 is composed of a client PC on which a specific software product is installed, a license server that receives user information from the client PC over a network and performs authentication for the software product, and the license server is described as being composed of a communication module that transmits and receives data with the client PC, a product registration module that receives a product serial number and registers the product, a product registration DB that stores the product serial number, a user authentication module that determines whether the user is a legitimate user, and a user authentication DB that stores an authorized user authentication log. That is, in the technology disclosed in prior art 1, a user accesses a license server through a network to obtain permission to install and use a software product on a client PC, and the license server determines whether the use of the software product is valid through a step-by-step comparison process such as comparing the product serial number, whether there is a conflict, whether it is executable, the IP address (Information Provider Address), and inquiries about legitimate users, and sends back to the client PC whether permission has been granted, thereby blocking illegal use and protecting the copyright of the software product.

An example of a technology for authentication using a CD-Key is disclosed in Korean Patent Publication No. 2005-0052980 (published on June 7, 2005, electronic generation method of a serial number containing an identifier of software, content, or electronic information, method for issuing a coupon with the serial number printed on it, and method for authentication using the serial number, and a computer-readable recording medium recording a program for performing these methods; hereinafter referred to as “prior art 2”). The technology disclosed in prior art 2 relates to a method for generating a serial number capable of authenticating the authenticity of a software product and performing authentication using the generated serial number. In particular, the authentication method is described as comprising a step of receiving a generated final serial number, a step of decrypting the input serial number, a step of extracting variables and solutions of specific functional formulas from the decrypted serial number, a step of checking whether the extracted variables and solutions of specific functional formulas satisfy specific functional formulas predefined between the serial number generation server and the authentication server, and a step of checking whether the extracted variables contain an identifier of a software product, contents, or electronic information. In the technology disclosed in prior art 2, authentication is performed smoothly without any online interaction between the issuer server and the content provider server, so it is not affected by the network problems that occur in the prior art or the serial number leak due to hacking, and the technology is described that reduces unnecessary fees and more firmly protects the privacy and trade secrets of the content provider because the intervention of an intermediate settlement payment server is not required.

As can be seen from the above-mentioned prior art 1 and prior art 2, a typical prior art allows a user who has obtained an encrypted software product installation package and serial number to install the software product by executing the installation package, and inputs user information (email, etc.) and product information for installation records, and transmits and stores them on a log collection server.

However, in the past, there was no way to prevent installation by unauthorized users if the installation package and serial number were leaked to users without installation authority. In addition, since log collection regarding the installation history of software products was not mandatory, it was not possible to completely suppress unauthorized installation of software products. Therefore, there was an urgent need to resolve the existing problem of unauthorized installation and use of illegally copied software products while the serial number for software product installation was exposed.

Accordingly, the present invention is intended to solve the above problem, and the problem to be solved is to provide an authentication method and an authentication system that restrict unauthorized installation of a software product so that only a user with installation authority can install the software product on a terminal or a security server.

In order to achieve the above task, the present invention,

In an authentication system configured to allow a client storing an installation package for installing a software product, a user terminal storing user information, and an authentication server performing an authentication function for executing the installation package to communicate with each other, a user information registration step in which user information of an authorized user and a unique code of a software product are registered in the authentication server;

An information communication step in which the client sends a unique code and challenge information of an installation package so that the authentication server receives them in order to install a software product on the client, and the user terminal sends user information;

A user authorization verification step for comparing the user information and unique code received by the authentication server with the user information and unique code registered in the authentication server to check whether the installation package has execution authority;

When the user authority for the user information of the user terminal is confirmed, the authentication server generates an authentication code based on the challenge information and the unique code and sends it to the client for receipt; and

A package installation step in which the above installation package generates a decryption key based on the authentication code, decrypts the encrypted package data configured in the installation package, and installs it on the client;

An authentication method for restricting unauthorized installation of a software product, characterized in that it includes:

The above invention can protect the product installation package by encrypting it so that the installation package of the software product is not leaked, and even if the installation package is leaked, the product can be installed only through authentication, thereby restricting unauthorized installation of the installation package.

In addition, the present invention can restrict execution of installation packages by unauthorized users by allowing the user to receive an authentication code for decryption only for installation packages permitted by the security server.

In addition, since the present invention requires an authentication code to be provided for decryption of an installation package in order to install a software product, it is possible to monitor the installation history of a software product to identify a software product that has been improperly executed and take immediate restrictive measures.

Figure 1 is a block diagram illustrating an example of an authentication system according to the present invention.
FIG. 2 is a drawing schematically illustrating the structure of an installation package executed using the authentication system according to the present invention.
FIG. 3 is a flowchart illustrating an example of an authentication method executed using an authentication system according to the present invention.

The terms used in the examples are selected from widely used, current terms, taking into account the functions of the present invention. However, these terms may vary depending on the intentions of those skilled in the art, precedents, the emergence of new technologies, etc. Furthermore, in certain cases, the applicant may arbitrarily select terms, in which case their meanings will be described in detail in the description of the relevant invention. Therefore, the terms used in the present invention should be defined not simply based on their names, but based on their meanings and the overall content of the present invention.

In this specification, a "part" refers to a portion that performs a specific function. A "part" may be a portion of a single body with a defined scope, or it may be an object formed by combining multiple components. The functions provided within the components and "parts" may be combined into a smaller number of components and "parts" or further separated into additional components and "parts." A "part" should be understood as a unit whose form is concretized to perform a specific function.

Below, with reference to the attached drawings, embodiments of the present invention are described in detail so that those skilled in the art can easily implement them. However, the present invention may be implemented in various different forms and is not limited to the embodiments described herein.

Hereinafter, the present invention will be described in detail based on the attached drawings.

FIG. 1 is a block diagram illustrating an example of an authentication system according to the present invention, and FIG. 2 is a drawing schematically illustrating the structure of an installation package executed using the authentication system according to the present invention.

Referring to FIGS. 1 and 2, the authentication system according to the present invention comprises a client (10), which is a computer terminal on which an encrypted installation package is decrypted and installed, a user terminal (20) that presents user information of a user with installation authority for a software product to an authentication server (30), and an authentication server (30) that verifies the installation package of a software product attempted to be installed on the client (10), determines whether the user has the authority, and provides an authentication code for decrypting the installation package.

First, the client (10) is a general computer that operates based on an OS (Operating System, 11) and configures a communication system capable of wired and wireless data communication. In addition, it configures a storage unit (12) that stores various data including an installation package. When an installation package is attempted by a user's selection on the client (10) of such a general computer structure, the installation unit (13) is activated according to the setting value of the installation binary. The installation unit (13) includes an installation package execution module (131) that handles the installation process of the installation package, and a decryption module (132) that decrypts the encrypted package data of the installation package.

The installation package of the present embodiment configures the above-mentioned installation binary, and configures the decryption/checksum data, which is data to be installed in the executable binary, and the package information data, and the data location delimiter string, which is a fixed 32-byte string data for finding the location of the encrypted package data. In addition, it configures the 32-byte file verification hash, which is data necessary for verification and decryption for decrypting the encrypted package data in the present embodiment, the 32-byte encryption verification hash, the 32-byte encryption key correction data, and the 16-byte IV (Initial Vector) correction data. In addition, it includes the total length of the 2-byte information data, which is the information of the installation package, the unique code of the installation package in the form of a 16-byte UUID (Universally Unique Identifier), the name of the installation package, each character of which is 2 bytes, the installation directory, each character of which is 2 bytes, and the installation command, each character of which is 2 bytes.

The installation package of this embodiment comprises encrypted package data containing data to be installed on a client (10). In this embodiment, the package data is compressed in a 'tar + zip' format and then encrypted. The authentication system and method according to the present invention operate to decrypt the encrypted package data used to install a software product.

The user terminal (20) is a mobile device, tablet, etc. based on an OS (21) that can be easily operated by the user, and operates so that the user can transmit his/her own user information to the authentication server (30) to prove that the user has the right to install the software product during the process of installing the software product on the client (10). To this end, the authentication information communication module (22), which is an authentication application installed on the user terminal (20), collects user information such as the user's ID/PW, biometric information, OTP, and certificate, and transmits the collected user information to the authentication server (30).

A user can create an account on the authentication server (20) and proceed with the login procedure, and during this process, user information is transmitted at the request of the authentication server (20). In addition, when the authentication information communication module (22) of the installation package receives a unique code and challenge information from the client (10) where the software product is being installed, the authentication information communication module (22) of the user terminal (20) can transmit the user information along with the unique code and challenge information to the authentication server (30).

In addition, the authentication information communication module (22) of the user terminal (20) may perform a relay function to send the authentication code to the installation package of the client (10) when receiving the authentication code from the authentication server (20). However, instead of the aforementioned relay function of the user terminal (20), the authentication server (20) may directly send the authentication code to the client (10).

The authentication server (30) is designed to run on the basis of an OS (31) like a general server, and to generate an authentication code by combining a unique code, challenge information, and user information received from a client (10) and a user terminal (20) according to a set process. In addition, the authentication server (30) sends the authentication code to the user terminal (20) or the client (10). The authentication server (30) comprises an authority information storage unit (32) that stores a unique code, a file verification hash, user information, and a security code for each software product, which are essential information of the present invention for generating an authentication code based on the unique code, challenge information, and user information; an installation history log storage unit (33) that stores the installation history of the software product; and an authentication module (34) that generates an authentication code by combining the unique code, challenge information, and user information received from the client (10) and the user terminal (20).

The following describes in detail an embodiment of an authentication method according to the present invention for each component of the authentication system described above, namely a client (10), a user terminal (20), and an authentication server (30).

FIG. 3 is a flowchart illustrating an example of an authentication method executed using an authentication system according to the present invention.

Referring to FIGS. 1 to 3, the authentication method according to the present invention includes a user information registration step (S11), an information communication step (S12), a user authority confirmation step (S13), an authentication code generation step (S14), and a package installation step (S15), and further includes an installation history information storage step (S16) that records the installation history of the corresponding software product as a log.

S11: User information registration stage

The authentication method according to the present invention is an authentication system configured to allow a client (10) storing an installation package for installing a software product, a user terminal (20) storing user information, and an authentication server (30) performing an authentication function for executing the installation package to communicate with each other, wherein, when the software product is manufactured, a unique code for each software product is registered in the authorization information storage unit (32) of the authentication server (30).

Thereafter, when purchasing a software product or when a person responsible for installing the software product is designated, the user information of the authorized user is registered as a set with the corresponding unique code in the authorization information storage unit (32) of the authentication server (30). Additionally, in order to decrypt the encrypted package data of the installation package, the file verification hash and security code, which are software product information, are also registered in the authorization information storage unit (32) of the authentication server (30).

Accordingly, since the software product can be installed on the client (10) only when the user information registered in the authentication server (30) is entered, the software product cannot be installed without permission by anyone other than the user of the registered user information.

S12: Information and Communication Stage

In order to install a software product on a client (10), the client (10) sends a unique code and challenge information of the software product so that the authentication server (30) receives it, and the user terminal (20) sends user information.

As described above, the authentication information communication module (22), which is the authentication application of the user terminal (20), collects user information through user operation and sends it to the authentication server (30). In addition, the authentication information communication module (22) of the present embodiment can receive the unique code (unique code of the software product) and challenge information of the installation package sent by the installation package execution module (131), which is the authentication application of the client (10), and send them to the authentication server (30) together with the user information. Ultimately, the user terminal (20) performs a relay function of transmitting the user information, the unique code, and the challenge information to the authentication server (30).

Meanwhile, in the present embodiment, the installation package execution module (131) installed on the client (10) outputs at least one of the unique code and challenge information as a QR code, or outputs the unique code and challenge information as text. Accordingly, the user can collect at least one of the unique code and challenge information by taking a picture of the QR code output on the client (10) using the user terminal (20), or can collect the unique code and challenge information output on the client (10) as text input through the user's keyboard operation.

Ultimately, when wired or wireless communication is possible between the client (10) and the user terminal (20), the installation package execution module (131) of the client (10) sends a unique code and challenge information via data communication, which are then received by the authentication information communication module (22) of the user terminal (20). However, even when wired or wireless communication is not possible between the client (10) and the user terminal (20), the user can check the QR code or text output by the installation package execution module (131) and input it by operating the user terminal (20), so that the authentication information communication module (22) can receive it.

As described above, the unique code and challenge information of the installation package stored in the client (10) may be transmitted to the authentication server (30) via the user terminal (20), but in addition, the installation package execution module (131) of the client (10) may directly send the unique code and challenge information to the authentication server (30). In this case, in the present embodiment, the authentication module (34) of the authentication server (30) directly sends the generated authentication code to the client (10).

For reference, when a user logs in to the authentication server (30) with his/her login account to install a software product on the client (10) and performs a procedure such as OTP or mobile authentication to confirm whether the user is a designated user, the authentication module (34) may request the installation package execution module (131) of the client (10) to receive a unique code and challenge information. In addition, when the user operates the client (10) so that the installation package execution module (131) sends a unique code and challenge information to the authentication server (30), the authentication module (34) that receives the unique code and challenge information verifies the user and sends user information request data to the user terminal (20), and the authentication information communication module (22) of the user terminal (20) may notify the user to collect user information and send it to the authentication server (30).

Even if the installation package execution module (131) directly sends the unique code and challenge information to the authentication server (30), the authentication module (34) can send the authentication code to the user terminal (20), and the authentication information communication module (22) of the user terminal (20) can send the authentication code received from the authentication server (30) to the installation unit (13) of the client (10).

Meanwhile, the authorization information storage unit (32) of the authentication server (30) stores the file verification hash and security code. In addition, in the information communication step (S12), when executing the installation package for installing a software product on the client (10), the step of comparing the file hash of the installation package and the file verification hash based on the SHA256 algorithm, the step of generating challenge information when the file hash is confirmed to be normal, and the step of sending the unique code and challenge information of the installation package are included.

As described above, the installation package execution module (131) of the client (10) sends a unique code and challenge information for software product installation. Here, the unique code corresponds to an ID for identifying the software product and is configured in the package information data of the installation package. Accordingly, the installation package execution module (131) searches for the fixed unique code of the installation package from the package information data. In contrast, the challenge information is randomly generated by the installation package execution module (131) when executing the installation package for software product installation.

To randomly generate challenge information, the installation package execution module (131) determines whether the installation package is normal. To this end, the installation package execution module (131) checks the file hash (SHA256), which is all parts of the installation package except the file verification hash, and compares the file hash calculated by performing the SHA256 - SHA256 hash algorithm with the file verification hash. If the installation package is confirmed to be normal as a result of the comparison, the challenge information, which is a random byte code of 8 bytes, is generated, and then the unique code of the installation package of 32 bytes and the challenge information of 8 bytes are sent.

S13: User Permission Verification Step

The authentication server (30) compares the received user information and unique code with the user information and unique code registered in the authentication server to check whether the installation package has execution authority.

As described above, the authentication server (30) stores a unique code for each software product, a file verification hash, user information, and a security code in the authorization information storage unit (32), so the authentication module (34) compares the user information and unique code received from the client (10) and the user terminal (20) with the user information and unique code stored in the authorization information storage unit (32). As a result of the comparison, if the user information and security code received by the authentication server (30) match the information stored in the authorization information storage unit (32), the client (10) determines that the attempt to install the software product is legitimate and proceeds to the next step.

However, if the user information and security code received by the authentication server (30) are confirmed to be inconsistent with the information stored in the authorization information storage unit (32), the installation attempt is judged to be invalid, and the subsequent steps for decrypting the encrypted package data configured in the installation package are stopped.

S15: Authentication code generation step

When user authority for user information of the user terminal (20) is confirmed, the authentication server (30) generates an authentication code based on the challenge information and a unique code and sends it to the client (10) for receipt.

In more detail, the authentication module (34) searches for the file verification hash and security code corresponding to the unique code received from the client (10) in the authority information storage unit (32). When the corresponding file verification hash and security code are searched, the authentication module (34) processes the challenge information with the MAC_SHA256 algorithm using the file verification hash as a key according to the source code for generating the authentication code, 'Authentication code = HMAC_SHA256 (file verification hash, challenge information) [0, 8] xor security code', and generates an authentication code through an XOR operation with the security code. For reference, "[0, 8]" in the above source code is a command value that restricts the use of only the first 8 bytes of the hashed 32 bytes.

The authentication module (34) sends the generated authentication code to the user terminal (20) or directly to the client (10). When the user terminal (20) receives the authentication code, the authentication information communication module (22) of the user terminal (20) sends the authentication code to the client (10).

S16: Package Installation Step

The above installation package generates a decryption key based on the authentication code received from the authentication server (30), decrypts the encrypted package data configured in the installation package, and installs it on the client (10).

In this regard, to explain in more detail, the decryption module (132) of the client (10) processes the challenge information with the MAC_SHA256 algorithm using the file verification hash as a key according to the source code for generating the security code, 'security code (8 bytes) = HMAC_SHA256 (file verification hash, challenge information) [0, 8] xor authentication code', and generates a security code through an XOR operation with the authentication code. That is, the decryption module (132) derives the security code stored in the authentication server (30) based on the authentication code received from the authentication server (30).

When the security code is verified, the decryption module (132) connects the security code and the package information data and dummy data of the installation package into a single data stream according to the source code for generating the first hash value, 'First hash value = SHA256 (security code || package information data || dummy data)', and generates the first hash value using the SHA256 algorithm. In addition, the decryption module (132) generates a decryption key through an XOR operation of the first hash value with the encryption key correction data of the installation package according to the source code for generating the decryption key, 'Decryption key = first hash value xor encryption key correction data'.

When a decryption key is generated according to the process described above, the decryption module (132) verifies the authentication code using the decryption key and generates a decryption IV (Initial Vector) for decrypting the encrypted package data.

To explain the decryption IV generation in more detail, the decryption module (132) decrypts the encrypted package data of the installation package using the CBC (Cipher Block Chaining) mode of the AES-256 encryption algorithm using the primary IV initialized to '0' and the decryption key according to the source code 'primary IV = 16 bytes 0, initial decryption data = AES256_CBC_DECRYPT(decryption key, primary IV, encrypted package data)' and generates the initial decryption data.

Afterwards, the decryption module (132) uses the decryption key as a key according to the source code 'second hash value = HMAC_SHA256 (decryption key, initial decryption data)' to generate a second hash value using the MAC_SHA256 algorithm on the initial decrypted data. The decryption module (132) compares the generated second hash value with the encryption key verification hash of the installation package, and if they do not match, the decryption process of the encrypted package data is terminated. To explain this in more detail, the fact that the second hash value and the encryption key verification hash do not match means that the decryption key generated by the decryption module (132) according to the source code using the challenge information and authentication code as variables is abnormal, and therefore, the authentication code received from the authentication server (30) is assumed to be not based on the challenge information generated by the installation package, and the decryption process is terminated.

If it is confirmed that the above second hash value and the encryption key verification hash match, the decryption module (132) generates a decryption IV through an XOR operation of the second IV with the IV correction data of the installation package according to the source code 'decryption IV = second IV xor IV correction data'. Here, the second IV is an IV variable value changed by decrypting the first IV in the CBC mode of the AES-256 encryption algorithm.

Afterwards, the decryption module (132) decrypts the encrypted package data using the decryption key and decryption IV and installs it on the client. To this end, the decryption module (132) uses the decryption key and decryption IV according to the source code 'decryption data = AES256_CBC_PKCS7Padding_DECRYPT (decryption key, decryption IV, encrypted package data)' to complete the encrypted package data into decryption data using the CBC (Cipher Block Chaining) mode of the AES-256 encryption algorithm and PKCS7 padding.

According to the process described above, the decryption module (132) of the installation package normally performs the decryption process of the encrypted package data based on the user's authority and challenge information, so that the unique software product stored in the client (10) can be installed on the client (10) only by a designated authorized user.

The authentication method according to the present invention further includes an installation history information storage step (S14) for generating and storing installation history information of a software product after the user authority confirmation step (S13). For this purpose, the authentication server (30) includes an installation history log storage unit (33) in which the installation history information is stored. To explain this in more detail, in order to install a software product on a client (10), the authentication server (30) must generate and issue an authentication code according to a request from the installation package, and therefore, the authentication module (34) generates a history related to this as installation history information and stores it in the installation history log storage unit (33). In the present embodiment, the installation history information includes the date and time of authentication code generation, a unique code of the software product to be installed, user information, etc.

Ultimately, the administrator can check the type, version, and authentication code generation date of the software product in detail through the unique code stored in the installation history information, and can also check which user installed the software product.

Using the storage data of the authority information storage unit (32) and the installation history log storage unit (33) described above, the administrator can control users attempting to install software products, register users granted installation rights, and create a list of users with restricted installation and deletion rights. Furthermore, the administrator can set the authorization period for users who can install software products. Furthermore, installation of software products that have encountered problems can be restricted.

Although the detailed description of the present invention described above has been described with reference to preferred embodiments of the present invention, it will be understood by those skilled in the art or having ordinary knowledge in the art that various modifications and changes can be made to the present invention without departing from the spirit and technical scope of the present invention as set forth in the claims to be described later.

Claims (8)

In an authentication system configured to allow a client storing an installation package for installing a software product, a user terminal storing user information, and an authentication server performing an authentication function for executing the installation package to communicate with each other, a user information registration step in which user information of an authorized user and a unique code of a software product are registered in the authentication server;
An information communication step in which the client sends a unique code and challenge information of an installation package so that the authentication server receives them in order to install a software product on the client, and the user terminal sends user information;
A user authorization verification step for comparing the user information and unique code received by the authentication server with the user information and unique code registered in the authentication server to check whether the installation package has execution authority;
When the user authority for the user information of the user terminal is confirmed, the authentication server generates an authentication code based on the challenge information and the unique code and sends it to the client for receipt; and
A package installation step in which the above installation package generates a decryption key based on the authentication code, decrypts the encrypted package data configured in the installation package, and installs it on the client;
An authentication method for restricting unauthorized installation of a software product, characterized in that it includes:
In the first paragraph,
In the above information communication step, the unique code and challenge information of the installation package are sent to the user terminal, and the user terminal sends the unique code, challenge information, and user information to the authentication server;
An authentication method that restricts unauthorized installation of software products featuring .
In the second paragraph,
In the above information communication step, the installation package outputs at least one of the unique code and challenge information as a QR code, or outputs the unique code and challenge information as text, and the user terminal collects at least one of the unique code and challenge information by taking a picture of the QR code, or by inputting text;
An authentication method that restricts unauthorized installation of software products featuring .
In the first paragraph,
In the above information communication step, the installation package directly sends a unique code and challenge information to the authentication server;
In the above authentication code generation step, the authentication server directly sends the authentication code to the client;
An authentication method that restricts unauthorized installation of software products featuring .
In the first paragraph,
The authentication server of the above authentication system further stores the file verification hash and security code;
The above information communication step includes a step of comparing a file hash of the installation package and a file verification hash based on the SHA256 algorithm when executing an installation package for installing a software product on the client, a step of generating challenge information when the file hash is confirmed to be normal, and a step of sending a unique code of the installation package and the challenge information;
An authentication method that restricts unauthorized installation of software products featuring .
In paragraph 5,
The above authentication code generation step includes a step of searching for a file verification hash and a security code corresponding to the input unique code, and a step of processing challenge information with a MAC_SHA256 algorithm using the file verification hash as a key and generating an authentication code through an XOR operation with the security code;
An authentication method that restricts unauthorized installation of software products featuring .
In paragraph 6,
The above package installation step includes a step of processing challenge information with a MAC_SHA256 algorithm using the file verification hash as a key and generating a security code through an XOR operation with an authentication code, a step of connecting the security code and package information data and dummy data of the installation package into a single data stream and generating a first hash value with a SHA256 algorithm, a step of generating a decryption key through an XOR operation of the first hash value with encryption key correction data of the installation package, a step of verifying the authentication code using the decryption key and generating a decryption IV (Initial Vector) for decrypting encrypted package data, and a step of decrypting the encrypted package data using the decryption key and the decryption IV and installing the data on a client;
An authentication method that restricts unauthorized installation of software products featuring .
In paragraph 7,
The step of generating the decrypted IV includes the steps of: decrypting the encrypted package data using the CBC (Cipher Block Chaining) mode of the AES-256 encryption algorithm using the first IV initialized to '0' and the decryption key, and generating initial decrypted data; the step of generating a second hash value of the initial decrypted data using the MAC_SHA256 algorithm using the decryption key as a key; the step of comparing the second hash value with the encryption key verification hash of the installation package and terminating the decryption process of the encrypted package data if they do not match; and the step of decrypting the first IV in the CBC mode of the AES-256 encryption algorithm and performing an XOR operation on the second IV, which is a changed IV variable value, with the IV correction data of the installation package if the second hash value and the encryption key verification hash do match, to generate the decrypted IV;
An authentication method that restricts unauthorized installation of software products featuring .