TW202127289A - Method for cross-platform authorizing access to resources and authorization system thereof - Google Patents

Method for cross-platform authorizing access to resources and authorization system thereof Download PDF

Info

Publication number
TW202127289A
TW202127289A TW109100894A TW109100894A TW202127289A TW 202127289 A TW202127289 A TW 202127289A TW 109100894 A TW109100894 A TW 109100894A TW 109100894 A TW109100894 A TW 109100894A TW 202127289 A TW202127289 A TW 202127289A
Authority
TW
Taiwan
Prior art keywords
resource
access
authorization
module
request
Prior art date
Application number
TW109100894A
Other languages
Chinese (zh)
Other versions
TWI778319B (en
Inventor
李嘉銘
雋偉 方
Original Assignee
玉山商業銀行股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 玉山商業銀行股份有限公司 filed Critical 玉山商業銀行股份有限公司
Priority to TW109100894A priority Critical patent/TWI778319B/en
Publication of TW202127289A publication Critical patent/TW202127289A/en
Application granted granted Critical
Publication of TWI778319B publication Critical patent/TWI778319B/en

Links

Images

Abstract

A method for cross-platform authorizing access to resources and an authorization system thereof are provided. The system provides an agent module that can receive a resource access request from a resource owner and issues an authorization request to an authorization module. The authorization module can therefore obtain an identification code and a resource item requested by the resource owner. After authenticating the resource owner, the authorization module generates an access token associated with the resource item. An authentication code algorithm is performed onto the resource item and the access token for generating an authentication code. The access token, the resource item and the authentication code are transmitted to the agent module and a resource module. The resource module then provides information for accessing the resource item to the resource owner after confirming the authentication code. .

Description

跨平台授權存取資源方法及授權存取系統Cross-platform authorized access resource method and authorized access system

本發明涉及一種授權驗證的系統,特別是一種將部分授權程序轉移到資源方以轉移授權伺服器工作的跨平台授權存取資源方法及授權存取系統。The invention relates to an authorization verification system, in particular to a cross-platform authorization access resource method and authorization access system for transferring part of authorization programs to a resource party to transfer the work of an authorization server.

隨著網路與資訊科技的成熟,並產生許多的應用,同時,網路資訊安全為當中最重要的議題之一,安全驗證一般可倚賴設備與設備之間的加解密技術,以防止資料被竄改,以及倚賴使用者本身的識別資料確保存取者的身份無誤,例如傳統常見的帳號與密碼、生物識別技術,以及可通過使用者個人裝置提供安全認證的機制。With the maturity of the Internet and information technology, many applications have emerged. At the same time, network information security is one of the most important issues. Security verification generally relies on encryption and decryption technology between devices to prevent data from being compromised. Tampering and relying on the user's own identification data to ensure that the identity of the accessor is correct, such as traditional accounts and passwords, biometric technology, and mechanisms that can provide security authentication through the user's personal device.

當網路上的應用愈來愈複雜,依據需求,許多現行技術也提出更為安全的驗證與授權流程,例如網路金融服務就需要更為安全的交易程序,常見為提出公正第三方的授權與認證技術,例如一種開放授權(OAuth、OAuth2)協定。As the applications on the Internet become more and more complex, many existing technologies also propose safer verification and authorization procedures based on demand. For example, Internet financial services require more secure transaction procedures, and it is common to propose a fair third-party authorization and authorization process. Authentication technology, such as an open authorization (OAuth, OAuth2) protocol.

開放授權(OAuth/OAuth2.0)是一個開放標準,允許使用者通過第三方授權機制存取特定網路資源,其中使用憑證或一次式密碼(token),並不同於傳統帳號與密碼的安全措施。利用這類憑證還可以管制被授權使用者存取特定範圍內的網路資源,如影片、照片、文件等,所述開放授權(OAuth/OAuth2.0)即讓使用者可以授權第三方網站存取使用者在特定位置(網站)的特定資源。Open authorization (OAuth/OAuth2.0) is an open standard that allows users to access specific network resources through a third-party authorization mechanism, which uses certificates or one-time passwords (token), which are different from traditional account and password security measures . Using this type of certificate can also control authorized users to access network resources within a specific range, such as videos, photos, documents, etc. The open authorization (OAuth/OAuth2.0) allows users to authorize third-party websites to save Take the user's specific resources at a specific location (website).

值得一提的是,所述OAuth2.0授權協定可以解決資源可能分散在多個伺服器上產生的授權問題,使用者可以在通過一次驗證後,能夠在多個伺服器進行授權,多個伺服器僅須確認請求資訊中所攜帶的存取憑證為合法後,即能完成第三方授權而准許存取資源。舉例來說,Facebook™、Google™等的身份驗證機制常被各種應用所使用,可稱為Open ID,這些應用倚賴Facebook、Google的身份驗證結果,讓使用者可以使用Facebook、Google等帳號登入各種應用,一旦通過身份驗證,即可存取各種網路資源。It is worth mentioning that the OAuth2.0 authorization protocol can solve the authorization problem that resources may be scattered on multiple servers. Users can authorize on multiple servers after one authentication. Only after confirming that the access certificate carried in the request information is legal, the device can complete the third-party authorization and grant access to the resource. For example, the authentication mechanisms of Facebook™, Google™, etc. are often used by various applications, which can be called Open ID. These applications rely on the authentication results of Facebook and Google, allowing users to log in to various applications using Facebook, Google, and other accounts. Once the application is authenticated, it can access various network resources.

有鑑於現行開放授權的機制可能造成主要授權伺服器需要處理大量的授權需求,造成效能不彰或是整體負載沈重的問題,揭露書提出一種跨平台授權存取資源方法以及一種授權存取系統,其目的之一是解決習知跨平台(如跨過多個單位、金融機構)授權技術中驗證方擔負大量驗證計算的問題,所揭示的方法將其中驗證程序延伸至可由資源方的相關主機執行部分的驗證程序。In view of the current open authorization mechanism that may cause the main authorization server to deal with a large number of authorization requirements, resulting in poor performance or heavy overall load, the disclosure proposes a cross-platform authorization access method and an authorization access system. One of its purposes is to solve the problem that the verifier is responsible for a large number of verification calculations in the conventional cross-platform (such as across multiple units, financial institutions) authorization technology. The disclosed method extends the verification procedure to the part that can be executed by the relevant host of the resource party. Verification procedures.

根據實施例之一,跨平台授權存取資源方法運行於一授權存取系統,在此授權存取系統中,提出一代理存取模組,由代理存取模組自一資源擁有者接收資源存取請求,請求中包括了要請求的資源項目以及資源擁有者的識別代碼。之後,代理存取模組將根據資源存取請求產生一授權請求,並傳送至授權模組,授權模組可根據此授權請求得出資源擁有者的識別代碼,再與此資源擁有者進行身份驗證。According to one of the embodiments, the method for cross-platform authorized access to resources runs in an authorized access system. In this authorized access system, a proxy access module is proposed, and the proxy access module receives resources from a resource owner Access request, the request includes the resource item to be requested and the identification code of the resource owner. After that, the proxy access module will generate an authorization request based on the resource access request and send it to the authorization module. The authorization module can obtain the identification code of the resource owner based on the authorization request, and then identify the resource owner verify.

當完成身份驗證後,授權模組將產生對應所請求的資源項目的存取代碼,並將資源項目與存取代碼形成一驗證資料,之後傳送驗證資料至所述代理存取模組以及一資源模組,此時,代理存取模組也傳送資源存取請求至資源模組,經資源模組檢查自授權模組接收的驗證資料無誤後,可根據所得到的資源存取請求提供資源擁有者一資源取得資訊。After the identity verification is completed, the authorization module will generate an access code corresponding to the requested resource item, and the resource item and the access code will form a verification data, and then send the verification data to the proxy access module and a resource Module. At this time, the proxy access module also sends a resource access request to the resource module. After the resource module checks that the authentication data received from the authorization module is correct, it can provide resource ownership based on the obtained resource access request A resource to obtain information.

優選地,授權模組將資源項目與存取代碼演算形成的驗證資料可為進行一押碼演算,之後形成一押碼值,這個押碼值可提供資源模組驗證資料是否未被竄改,一旦確認無誤後,即根據資源存取請求提供資源擁有者取得所述資源項目的資訊,例如下載資源項目或資訊的連結。Preferably, the authentication data formed by the authorization module's calculation of the resource item and the access code can be a bet calculation, and then a bet value is formed. This bet value can provide the resource module to verify whether the data has not been tampered with. After confirming that it is correct, the resource owner will be provided with information about the resource item, such as a link to download the resource item or information, according to the resource access request.

進一步地,所述代理存取模組接收資源存取請求時,可以代理存取模組的一代理識別碼及一金鑰進行數位簽章後產生授權請求,再經加密後傳送到授權模組。Further, when the proxy access module receives the resource access request, it can generate an authorization request after digital signature with a proxy identification code and a key of the proxy access module, and then send it to the authorization module after being encrypted .

進一步地,授權模組可以根據資源擁有者的識別代碼,查詢得出資源擁有者的通信方法,以根據此通信方法與資源擁有者完成身份驗證。Further, the authorization module can query and obtain the communication method of the resource owner according to the identification code of the resource owner, so as to complete identity verification with the resource owner according to the communication method.

根據授權存取系統的實施例,系統主要元件為資源模組,可通過網路提供資源擁有者自己或授權他人存取各種資源項目的服務,設有授權模組,可通過網路提供存取資源模組中各種資源項目的使用者認證與授權服務,以及一代理存取模組,能通過網路提供資源擁有者自己或授權他人存取資源模組中各種資源項目的代理服務。According to the embodiment of the authorization access system, the main component of the system is the resource module, which can provide the resource owner or authorize others to access various resource items through the network. There is an authorization module that can provide access through the network. User authentication and authorization services for various resource items in the resource module, as well as a proxy access module, can provide proxy services for resource owners themselves or authorized others to access various resource items in the resource module through the network.

進一步地,所述代理存取模組可為提供使用者請求存取資源項目的代理伺服器;授權模組可為負責授權存取資源的授權伺服器;以及資源模組可為提供各種資源項目的資源伺服器。Further, the proxy access module may be a proxy server that provides users requesting access to resource items; the authorization module may be an authorization server that is responsible for authorizing access to resources; and the resource module may provide various resource items Resource server.

為使能更進一步瞭解本發明的特徵及技術內容,請參閱以下有關本發明的詳細說明與圖式,然而所提供的圖式僅用於提供參考與說明,並非用來對本發明加以限制。In order to further understand the features and technical content of the present invention, please refer to the following detailed description and drawings about the present invention. However, the provided drawings are only for reference and description, and are not used to limit the present invention.

以下是通過特定的具體實施例來說明本發明的實施方式,本領域技術人員可由本說明書所公開的內容瞭解本發明的優點與效果。本發明可通過其他不同的具體實施例加以施行或應用,本說明書中的各項細節也可基於不同觀點與應用,在不悖離本發明的構思下進行各種修改與變更。另外,本發明的附圖僅為簡單示意說明,並非依實際尺寸的描繪,事先聲明。以下的實施方式將進一步詳細說明本發明的相關技術內容,但所公開的內容並非用以限制本發明的保護範圍。The following are specific specific examples to illustrate the implementation of the present invention. Those skilled in the art can understand the advantages and effects of the present invention from the content disclosed in this specification. The present invention can be implemented or applied through other different specific embodiments, and various details in this specification can also be based on different viewpoints and applications, and various modifications and changes can be made without departing from the concept of the present invention. In addition, the drawings of the present invention are merely schematic illustrations, and are not drawn according to actual dimensions, and are stated in advance. The following embodiments will further describe the related technical content of the present invention in detail, but the disclosed content is not intended to limit the protection scope of the present invention.

應當可以理解的是,雖然本文中可能會使用到“第一”、“第二”、“第三”等術語來描述各種元件或者信號,但這些元件或者信號不應受這些術語的限制。這些術語主要是用以區分一元件與另一元件,或者一信號與另一信號。另外,本文中所使用的術語“或”,應視實際情況可能包括相關聯的列出項目中的任一個或者多個的組合。It should be understood that although terms such as "first", "second", and "third" may be used herein to describe various elements or signals, these elements or signals should not be limited by these terms. These terms are mainly used to distinguish one element from another, or one signal from another signal. In addition, the term "or" used in this document may include any one or a combination of more of the associated listed items depending on the actual situation.

揭露書公開一種跨平台授權存取資源方法與授權存取系統,所提出的方法與系統要解決的問題之一是,在習知跨平台(如跨過多個單位、金融機構)授權技術中,負責授權的一方擔負多方驗證的工作,因此也負責大量驗證計算的工作,如此會造成系統因為運算負擔大而影響到效能,而揭露書所提出的跨平台授權存取資源方法的目的之一為將驗證程序延伸至其他單位,如可由提供資源的相關主機執行驗證程序。The disclosure discloses a cross-platform authorized access resource method and authorized access system. One of the problems that the proposed method and system must solve is that in the conventional cross-platform (such as across multiple units, financial institutions) authorization technology, The party responsible for the authorization is responsible for multi-party verification, and therefore is also responsible for a large number of verification calculations. This will cause the system to be affected by the heavy calculation burden. One of the purposes of the cross-platform authorization access to resources method proposed in the disclosure is Extend the verification procedure to other units, for example, the verification procedure can be executed by the relevant host that provides the resources.

在運行跨平台授權存取資源方法的授權存取系統中,根據說明書記載之實施例,如圖1所示授權存取系統的系統架構,其中顯示主要的代理伺服器10、授權伺服器12以及資源伺服器14可為相互獨立而以網路相互連線的伺服主機,或是各種主機中的功能模組,而其中運行功能亦可為運行在各種現行伺服系統中的功能模組,例如可為運行為金融機構、政府機構或是私人企業中各種伺服器中的模組,實際實施時並不限於特定方式。In the authorization access system running the cross-platform authorization access resource method, according to the embodiment described in the specification, the system architecture of the authorization access system is shown in FIG. 1, which shows the main proxy server 10, authorization server 12, and The resource server 14 can be independent and network-connected server hosts, or functional modules in various hosts, and the running functions can also be functional modules running in various current server systems, for example, To operate as a module in various servers in financial institutions, government agencies, or private enterprises, the actual implementation is not limited to a specific method.

在此授權存取系統架構下,使用者可操作執行於使用者裝置101的網頁瀏覽器、特定應用程式,或是執行於個人行動裝置中的行動應用程式(如APP)連線一代理伺服器(agent/client server)10,代理伺服器10可通過網路提供一或多個資源擁有者自己或授權他人存取資源伺服器14中各種資源項目的代理服務,這是一個系統提出的第三方服務伺服器(或運行於特定伺服器的軟體模組),讓使用者可以利用網頁或是特定應用程式中的使用者介面輸入自資源伺服器(resource server)14所要取得的資源項目,形成一個資源存取請求。所述資源伺服器14為通過網路提供一或多個資源擁有者自己(或授權他人)存取各種資源項目的服務,其中設有資源資料庫140,其中儲存了各種可存取資源,資源都關聯特定使用者的識別碼(user ID),例如為一些關於個人隱私、敏感資料、安全性等級高的一些檔案文件等資源項目。Under this authorized access system architecture, the user can operate the web browser, specific applications running on the user device 101, or the mobile applications running on the personal mobile device (such as APP) to connect to a proxy server (Agent/client server) 10. The proxy server 10 can provide one or more resource owners themselves or authorized others to access various resource items in the resource server 14 through the Internet. This is a third party proposed by the system. The service server (or a software module running on a specific server) allows users to use a web page or a user interface in a specific application to input the resource items to be obtained from the resource server 14 to form a Resource access request. The resource server 14 provides services for one or more resource owners to access various resource items by themselves (or authorized by others) through the network. A resource database 140 is provided in which various accessible resources are stored. They are all associated with a specific user's identification code (user ID), such as some resource items such as personal privacy, sensitive information, and some files with high security levels.

之後,代理伺服器10根據資源存取請求中記載的事項,如欲取得的資源項目以及資源擁有者的識別代碼,形成一授權請求,再將此授權請求傳送到授權伺服器12。此授權伺服器12同樣可為運行於特定伺服主機中的軟體模組,可通過網路提供使用者存取所述資源伺服器14中各種資源項目的使用者認證與授權服務。授權伺服器12設有一使用者資料庫120,因此可以根據資源存取請求中記載的資源擁有者的識別代碼查詢得出資源擁有者的通信方式,因此可以通過此通信方式驗證提出資源存取的資源擁有者。After that, the proxy server 10 forms an authorization request according to the items recorded in the resource access request, such as the resource item to be obtained and the identification code of the resource owner, and then transmits the authorization request to the authorization server 12. The authorization server 12 can also be a software module running in a specific server host, and can provide user authentication and authorization services for users to access various resource items in the resource server 14 through the network. The authorization server 12 is provided with a user database 120. Therefore, the resource owner’s communication method can be obtained by querying the resource owner’s identification code recorded in the resource access request. Therefore, the resource owner’s communication method can be verified through this communication method. Resource owner.

舉例來說,授權伺服器12(或相關功能模組)通過查詢得出的通信方法向資源擁有者發出一身份確認請求,要求資源擁有者通過網站、應用程式,或特定來往信息進行身份驗證的請求,所提出約定的驗證資料例如密碼、使用者裝置101(如行動裝置)的設備資訊、資源擁有者的生物特徵、使用者裝置101產生的一次式密碼,或由授權模組產生經簡訊或推播傳送至使用者裝置101的一次式密碼(OTP),再由授權伺服器12驗證資源擁有者的使用者裝置101所產生的一次式密碼。For example, the authorization server 12 (or related functional modules) sends an identity confirmation request to the resource owner through the communication method obtained by the query, requesting the resource owner to verify the identity through the website, application, or specific communication information. Request, the specified authentication data such as password, device information of user device 101 (such as mobile device), biometrics of the resource owner, one-time password generated by user device 101, or SMS or SMS generated by the authorization module The one-time password (OTP) sent to the user device 101 is pushed, and the authorization server 12 verifies the one-time password generated by the user device 101 of the resource owner.

當完成資源擁有者的身份驗證後,授權伺服器12將產生對應所請求之資源項目的一存取代碼,並將所述資源項目與此存取代碼形成一驗證資料,提供資源伺服器14驗證資料無誤後,可以產生連結於所請求資源的連結,此連結為連結至資源資料庫140中特定資源項目的位址,提供給發出請求的資源擁有者或是經過授權的他人。After completing the identity verification of the resource owner, the authorization server 12 will generate an access code corresponding to the requested resource item, and the resource item and the access code will form a verification data to provide the resource server 14 for verification After the data is correct, a link to the requested resource can be generated. This link is a link to the address of a specific resource item in the resource database 140, which is provided to the requesting resource owner or authorized others.

根據所述授權存取系統實施例,所述代理伺服器10、授權伺服器12與資源伺服器14可為各自獨立運行的伺服器、運行於特定伺服器中的軟體模組,或是依照需求分別為運行在特定伺服主機的軟體模組或是獨立伺服器。在所述系統架構下,使用者可以通過授權伺服器12實現跨平台授權存取特定資源伺服器14中的資源項目,其中代理伺服器10更是為提供多個終端使用者此授權存取服務的中繼伺服器。According to the embodiment of the authorization access system, the proxy server 10, the authorization server 12, and the resource server 14 can be independently running servers, software modules running on specific servers, or as required They are software modules running on a specific server host or independent servers. Under the system architecture, users can implement cross-platform authorization to access resource items in a specific resource server 14 through the authorization server 12. The proxy server 10 is to provide multiple end users with this authorization access service. Relay server.

圖2顯示運行於授權存取系統的跨平台授權存取資源方法的實施例流程圖,流程中描述的代理存取模組、授權模組與資源模組可為運行於特定伺服器中的軟體模組,亦可為獨立運行的伺服器。Figure 2 shows a flow chart of an embodiment of a cross-platform authorization access resource method running in an authorization access system. The proxy access module, authorization module, and resource module described in the process can be software running on a specific server The module can also be a stand-alone server.

一開始,如步驟S201,由代理存取模組接收使用者發出的資源存取請求,代理存取模組可從資源存取請求得出請求內容,包括資源項目與資源擁有者之識別代碼(user ID),接著通過代理存取模組本身之識別代碼(client ID)及預先與授權模組交換之金鑰進行簽章,以此產生授權請求,還可繼續以授權模組提供的公鑰進行加密,傳送授權請求至授權模組(步驟S203)。Initially, in step S201, the proxy access module receives the resource access request sent by the user, and the proxy access module can obtain the request content from the resource access request, including the resource item and the identification code of the resource owner ( user ID), and then sign the authentication code (client ID) of the proxy access module and the key exchanged with the authorization module in advance to generate an authorization request, and continue to use the public key provided by the authorization module Encryption is performed, and the authorization request is sent to the authorization module (step S203).

當授權模組接授權請求後,如步驟S205,授權模組將根據其中的資源擁有者的識別代碼比對使用者資料庫後得出資源擁有者的通信方法,能根據此方式與資源擁有者執行身份驗證。一旦確認資源擁有者的身份後,如步驟S207,授權模組產生對應所請求之資源項目的存取代碼(access code),這是作為驗證的資訊之一,授權模組可將資源項目與此存取代碼演算後形成一驗證資料。After the authorization module receives the authorization request, in step S205, the authorization module compares the user database according to the identification code of the resource owner to obtain the communication method of the resource owner, and can communicate with the resource owner according to this method. Perform authentication. Once the identity of the resource owner is confirmed, in step S207, the authorization module generates an access code corresponding to the requested resource item. This is one of the information to be verified. The authorization module can associate the resource item with this After the access code is calculated, a verification data is formed.

根據一實施例,所述產生驗證資料的方法之一如執行一押碼演算(authentication code algorithm),這個押碼演算過程為將資源項目與存取代碼進行明文拆解、運算,以得出一押碼值。所述押碼演算技術的目的是提供傳輸的資料不會被非經授權的第三者竄改或破壞的機制,例如,演算在金融產業中所提出的一種訊息驗證碼(Message Authentication Code,MAC),或可採用雜湊演算(hash algorithm)演算雜湊值、加密或數位簽章(digital signature)等技術,用於往來機構之間的訊息驗證,保護金融訊息的正確性。According to an embodiment, one of the methods for generating authentication data is to perform an authentication code algorithm. This authentication code algorithm is a process of disassembling and calculating the resource item and the access code in plain text to obtain an authentication code algorithm. Betting value. The purpose of the described code calculation technique is to provide a mechanism that the transmitted data will not be tampered with or destroyed by an unauthorized third party, for example, calculation of a message authentication code (MAC) proposed in the financial industry , Or can use hash algorithm (hash algorithm) to calculate the hash value, encryption or digital signature (digital signature) and other technologies, used for the verification of the information between the exchanges, to protect the correctness of the financial information.

接著,在步驟S209中,授權模組傳送存取代碼、資源項目與押碼值至代理存取模組以及資源模組,此時,如步驟S211,資源模組取得資源擁有者的資訊,可以由代理存取模組傳送了包括資源擁有者資訊的資源存取請求至資源模組,或由授權模組取得,如步驟S213,一旦資源模組檢查押碼值無誤後,表示授權模組傳送內容無誤,可提供此資源擁有者一資源取得資訊。Then, in step S209, the authorization module transmits the access code, resource item, and pledge value to the proxy access module and the resource module. At this time, in step S211, the resource module obtains the resource owner's information. The proxy access module sends a resource access request including the resource owner information to the resource module, or obtains it from the authorization module, as in step S213. Once the resource module checks that the pledged value is correct, it means that the authorization module sends The content is correct, and can provide the resource owner with a resource to obtain information.

在所述流程中的身份驗證程序,可參考圖3所示跨平台授權存取資源方法中執行身份驗證的實施例流程圖。For the identity verification procedure in the flow, refer to the flowchart of the embodiment of performing identity verification in the cross-platform authorization access to resources method shown in FIG. 3.

在授權模組執行身份驗證之前,同樣地,流程仍由代理存取模組接收自資源擁有者或授權他人所產生的資源存取請求開始(步驟S301),代理存取模組以其代理識別碼及金鑰進行數位簽章後,產生授權請求(步驟S303),再將此授權請求經加密後傳送至授權模組(步驟S305),由授權模組根據數位簽章驗證此授權請求(步驟S307),經授權模組解密並根據數位簽章得出資源擁有者的識別代碼(步驟S309),同時也能經過查詢使用者資料庫得出資源擁有者的通信方式,以與資源擁有者執行身份驗證(步驟S311),例如通過傳統密碼或是一次式密碼驗證身份。Before the authorization module performs identity verification, similarly, the process is still started by the proxy access module receiving the resource access request generated by the resource owner or authorized others (step S301), and the proxy access module uses its proxy to identify After the code and key are digitally signed, an authorization request is generated (step S303), and the authorization request is encrypted and sent to the authorization module (step S305), and the authorization module verifies the authorization request according to the digital signature (step S305). S307), the authorized module decrypts and obtains the identification code of the resource owner based on the digital signature (step S309). At the same time, the communication method of the resource owner can be obtained by querying the user database to execute with the resource owner Identity verification (step S311), for example, identity verification through a traditional password or a one-time password.

之後,一旦授權模組成功驗證資源擁有者身份後,產生存取代碼,可將資源項目與此存取代碼演算後形成一驗證資料,驗證資料並傳送到資源模組,當資源模組檢查自授權模組接收的驗證資料無誤後,可根據代理存取模組傳送的資源存取請求,也驗證來自代理存取模組的資源存取請求,最後提供資源擁有者一資源取得資訊。After that, once the authorization module successfully verifies the identity of the resource owner, an access code is generated. The resource item and the access code can be calculated to form a verification data, and the verification data is sent to the resource module. When the resource module checks from After the authentication data received by the authorization module is correct, it can verify the resource access request from the proxy access module according to the resource access request sent by the proxy access module, and finally provide the resource owner with resource acquisition information.

圖4顯示運行於多方(使用者裝置41、代理存取模組42、授權模組43以及資源模組44)之間的跨平台授權存取資源方法的實施例流程圖。FIG. 4 shows a flowchart of an embodiment of a method for cross-platform authorization to access resources running between multiple parties (user device 41, proxy access module 42, authorization module 43, and resource module 44).

流程由使用者裝置41發出資源存取請求至代理存取模組42(步驟S401)開始,資源存取請求主要記載了使用者通過網頁或應用程式輸入的資源擁有者的識別代碼以及欲存取的資源項目。The process starts by sending a resource access request from the user device 41 to the proxy access module 42 (step S401). The resource access request mainly records the identification code of the resource owner entered by the user through the web page or application and the desired access Resource items.

之後,由代理存取模組42根據資源存取請求,加入代理存取模組42本身的識別代碼及預先與授權模組43交換之金鑰進行簽章,產生授權請求(步驟S403),並傳送到授權模組43,由授權模組從中得到資源擁有者的識別代碼(步驟S405),因此可以查詢得出當初註冊所登錄的通信方式,如電子郵件、電話號碼或推播信息等,以此能與資源擁有者進行身份驗證,包括向使用者裝置41(或轉發至特定裝置)發出身份確認請求(步驟S407),並由使用者裝置41(或特定裝置)接收身份確認資料(步驟S409),以此驗證資源擁有者身份(步驟S411)。如果身份驗證失敗,授權模組43將向發出請求的使用者裝置41發出驗證失敗信息(步驟S413)。After that, the proxy access module 42 adds the identification code of the proxy access module 42 and the key exchanged with the authorization module 43 in advance to sign according to the resource access request, and generates an authorization request (step S403), and It is sent to the authorization module 43, and the authorization module obtains the identification code of the resource owner from it (step S405). Therefore, the communication method that was originally registered and logged in, such as email, phone number, or push information, can be queried to This can perform identity verification with the resource owner, including sending an identity confirmation request to the user device 41 (or forwarding to a specific device) (step S407), and the user device 41 (or a specific device) receiving identity confirmation data (step S409) ) To verify the identity of the resource owner (step S411). If the identity verification fails, the authorization module 43 will send a verification failure message to the requesting user device 41 (step S413).

當授權模組43與資源擁有者完成身份驗證後,產生對應所請求之資源項目的存取代碼,並將資源項目與存取代碼進行押碼演算以產生一押碼值(步驟S411),所述押碼值、資源項目(關聯資源擁有者)與存取代碼形成驗證資料。After the authorization module 43 and the resource owner have completed identity verification, it generates an access code corresponding to the requested resource item, and performs a code calculation on the resource item and the access code to generate a bet value (step S411), so The pledge code value, resource item (associated resource owner) and access code form verification data.

之後,將驗證資料(存取代碼、資源項目、押碼值)傳送到資源模組44(步驟S415),同時,也將驗證資料傳送到代理存取模組42(步驟S417)。After that, the verification data (access code, resource item, bet value) is sent to the resource module 44 (step S415), and at the same time, the verification data is also sent to the proxy access module 42 (step S417).

代理存取模組42接收到驗證資料後,可以傳送最初接收到的資源存取請求給資源模組44,使得資源模組44取得資源擁有者的資訊,或者資源模組44仍可由授權模組43傳送的資料(如驗證資料)中取得資源擁有者的資訊(步驟S419),這時,驗證自授權模組43傳送的驗證資料中的押碼值(步驟S421)。在押碼驗證的技術中,主要是因為雙方(授權模組43與資源模組44)協議使用一個押碼函數。當其中一方建立信息,並將信息與相關金鑰輸入押碼函數,得出押碼值,之後將信息與關聯的押碼值傳送給給另一方,另一方接收後,可以用協議的金鑰與信息輸入本身具有的押碼函數,也演算出一個押碼值,對照所接收的押碼值,若相符合,即表示所接收的信息並未被竄改。After receiving the authentication data, the proxy access module 42 can send the resource access request initially received to the resource module 44, so that the resource module 44 obtains the information of the resource owner, or the resource module 44 can still be authorized by the module The information of the resource owner is obtained from the data (such as verification data) sent by 43 (step S419). At this time, the pledge value in the verification data sent by the authorization module 43 is verified (step S421). In the technology of betting verification, it is mainly because the two parties (authorization module 43 and resource module 44) agree to use a betting function. When one of the parties establishes the information and inputs the information and the related key into the betting function to obtain the betting value, then the information and the associated betting value are transmitted to the other party, and the other party can use the key of the agreement after receiving it It also calculates a bet value with the bet function of the information input itself, and compares it with the received bet value. If it matches, it means that the received information has not been tampered with.

一旦確認信息無誤,即提供使用者裝置41(或特定裝置)一個資源取得資訊(步驟S423),讓使用者可以根據其中資訊取得資料項目(步驟S425),這個項目可以為一資料檔案清單,由資源模組44提供的資源取得資訊包括下載資料檔案的一連結,或是特定資訊的連結。Once the information is confirmed to be correct, the user device 41 (or a specific device) is provided with a resource acquisition information (step S423), so that the user can obtain a data item based on the information (step S425). This item can be a list of data files. The resource acquisition information provided by the resource module 44 includes a link to download a data file or a link to specific information.

綜上所述,根據跨平台授權存取資源方法與實現此方法的系統實施例的描述,可以提供使用者跨平台取得資源的服務,所述資源模組如傳統銀行、政府單位等握有使用者(資源擁有者)的個人隱私資料與具有安全需求的敏感資料,當使用者需要取得這些資訊作為他用,或是想要把資料攜去到別的位置,所述方法可以讓第三方在安全無虞的條件下獲得授權而取得使用者的資料,而不受限於握有自己資料的平台。這類服務例如開放銀行(open banking)的第三方服務,所述方法可以提供第三方取得金融方面的資料,如個人帳戶的明細、餘額、交易歷史等;例如有第三方系統要求認證身份,可以通過此方法讓第三方服務經過授權取得個人識別資料。如此,使得第三方可以通過所述方法與授權存取系統達成跨平台存取個人敏感性資料與達到資料可攜等的目的。To sum up, according to the description of the cross-platform authorization access to resources method and the system embodiment for implementing this method, it is possible to provide users with cross-platform access to resources. The resource modules such as traditional banks, government units, etc. can be used The personal privacy data of the user (resource owner) and sensitive data with security requirements. When the user needs to obtain this information for other purposes, or wants to take the data to another location, the method can allow a third party to Obtaining authorization to obtain user data under safe and secure conditions, without being restricted to the platform holding its own data. Such services are, for example, open banking third-party services. The method can provide third-party access to financial information, such as personal account details, balance, transaction history, etc.; for example, if a third-party system requires identity verification, you can Through this method, third-party services are authorized to obtain personally identifiable information. In this way, a third party can use the method and authorized access system to achieve cross-platform access to personal sensitive data and achieve data portability.

以上所公開的內容僅為本發明的優選可行實施例,並非因此侷限本發明的申請專利範圍,所以凡是運用本發明說明書及圖式內容所做的等效技術變化,均包含於本發明的申請專利範圍內。The content disclosed above is only the preferred and feasible embodiments of the present invention, and does not limit the scope of the patent application of the present invention. Therefore, all equivalent technical changes made using the description and schematic content of the present invention are included in the application of the present invention. Within the scope of the patent.

101:使用者裝置 10:代理伺服器 12:授權伺服器 120:使用者資料庫 14:資源伺服器 140:資源資料庫 41:使用者裝置 42:代理存取模組 43:授權模組 44:資源模組 S201~S213步驟:跨平台授權存取資源方法流程 S301~S311步驟:跨平台授權存取資源方法中驗證身份流程 S401~S425步驟:跨平台授權存取資源方法流程101: User device 10: Proxy server 12: License server 120: User database 14: Resource server 140: Resource Database 41: User device 42: Proxy access module 43: Authorized Module 44: Resource Module Steps S201~S213: Cross-platform authorization access to resources method process Steps S301~S311: Identity verification process in the method of cross-platform authorization access to resources Steps S401~S425: Cross-platform authorization access to resources method process

圖1顯示運行跨平台授權存取資源方法的授權存取系統的系統架構實施例圖;Figure 1 shows an embodiment diagram of the system architecture of an authorized access system running a cross-platform authorized access resource method;

圖2顯示運行跨平台授權存取資源方法的實施例流程圖;Figure 2 shows a flowchart of an embodiment of running a cross-platform authorization access to resources method;

圖3顯示跨平台授權存取資源方法中執行身份驗證的實施例流程圖;以及Figure 3 shows a flowchart of an embodiment of performing identity verification in a method for authorizing access to resources across platforms; and

圖4顯示運行於多方的跨平台授權存取資源方法的實施例流程圖。Figure 4 shows a flow chart of an embodiment of a method for cross-platform authorization to access resources running on multiple parties.

101:使用者裝置101: User device

10:代理伺服器10: Proxy server

12:授權伺服器12: License server

120:使用者資料庫120: User database

14:資源伺服器14: Resource server

140:資源資料庫140: Resource Database

Claims (14)

一種跨平台授權存取資源方法,包括: 提出一代理存取模組,由該代理存取模組自一資源擁有者接收一資源存取請求,其中包括請求之一資源項目以及該資源擁有者的一識別代碼; 該代理存取模組根據該資源存取請求產生一授權請求,並傳送至一授權模組; 該授權模組根據該授權請求得出該資源擁有者的該識別代碼,與該資源擁有者完成身份驗證後,產生對應所請求之該資源項目的一存取代碼,並將該資源項目與該存取代碼形成一驗證資料; 該授權模組傳送該驗證資料至該代理存取模組以及一資源模組;以及 經該資源模組檢查自該授權模組接收的該驗證資料無誤後,根據該資源存取請求提供該資源擁有者一資源取得資訊。A method for cross-platform authorization to access resources, including: A proxy access module is proposed. The proxy access module receives a resource access request from a resource owner, which includes the request for a resource item and an identification code of the resource owner; The proxy access module generates an authorization request according to the resource access request, and sends it to an authorization module; The authorization module obtains the identification code of the resource owner according to the authorization request, and after completing identity verification with the resource owner, generates an access code corresponding to the requested resource item, and combines the resource item with the resource item The access code forms a verification data; The authorization module transmits the verification data to the proxy access module and a resource module; and After the resource module checks that the verification data received from the authorization module is correct, provide the resource owner with resource acquisition information according to the resource access request. 如請求項1所述的跨平台授權存取資源方法,其中,於形成該驗證資料的步驟中,包括對該資源項目與該存取代碼進行一押碼演算,形成一押碼值,該押碼值、該資源項目與該存取代碼形成該驗證資料,該資源模組即接著驗證該押碼值。The method for authorizing access to resources across platforms according to claim 1, wherein the step of forming the verification data includes performing a bet calculation on the resource item and the access code to form a bet value, and the bet The code value, the resource item, and the access code form the verification data, and the resource module then verifies the bet value. 如請求項2所述的跨平台授權存取資源方法,其中該押碼演算為演算一訊息驗證碼、雜湊值、加密或數位簽章。The method for authorizing access to resources across platforms as described in claim 2, wherein the betting calculation is calculating a message verification code, hash value, encryption or digital signature. 如請求項3所述的跨平台授權存取資源方法,其中,於該代理存取模組接收該資源存取請求時,以該代理存取模組的一代理識別碼及一金鑰進行該數位簽章後產生該授權請求,該授權請求經加密後傳送至該授權模組。The cross-platform authorization resource access method according to claim 3, wherein when the proxy access module receives the resource access request, the proxy access module uses a proxy identification code and a key to perform the The authorization request is generated after the digital signature, and the authorization request is encrypted and sent to the authorization module. 如請求項4所述的跨平台授權存取資源方法,其中,於該授權模組接收經加密的該授權請求,根據該數位簽章驗證該授權請求,再從中得出關於該資源存取請求的該資源擁有者的該識別代碼,並經比對一使用者資料庫後得出該資源擁有者的一通信方法,以根據該通信方法與該資源擁有者完成身份驗證。The method for cross-platform authorization access to resources according to claim 4, wherein the authorization module receives the encrypted authorization request, verifies the authorization request according to the digital signature, and then obtains information about the resource access request The identification code of the resource owner is compared with a user database to obtain a communication method of the resource owner, so as to complete identity verification with the resource owner according to the communication method. 如請求項5所述的跨平台授權存取資源方法,其中該授權模組通過該通信方法向該資源擁有者發出一身份確認請求,為要求該資源擁有者通過一網站、一應用程式或一信息進行身份驗證的請求,約定的驗證資料包括一密碼、一設備資訊、一生物特徵、由一使用者裝置產生的一次式密碼,或由該授權模組產生經簡訊或推播傳送至該資源擁有者的使用者裝置所產生的一次式密碼。The cross-platform authorization method for accessing resources according to claim 5, wherein the authorization module sends an identity confirmation request to the resource owner through the communication method, in order to request the resource owner to use a website, an application or an Information is a request for identity verification. The agreed verification data includes a password, a device information, a biometric feature, a one-time password generated by a user device, or generated by the authorization module and sent to the resource via a text message or push broadcast One-time password generated by the owner's user device. 如請求項1至6中任一項所述的跨平台授權存取資源方法,其中該資源項目為一資料檔案清單,由該資源模組提供的該資源取得資訊包括下載資料檔案或資訊的一連結。For example, the cross-platform authorization access resource method described in any one of request items 1 to 6, wherein the resource item is a list of data files, and the resource acquisition information provided by the resource module includes downloading data files or a list of information link. 一種授權存取系統,包括: 一資源模組,通過網路提供一或多個資源擁有者自己或授權他人存取各種資源項目的服務; 一授權模組,通過網路提供存取該資源模組中各種資源項目的使用者認證與授權服務; 一代理存取模組,通過網路提供該一或多個資源擁有者自己或授權他人存取該資源模組中各種資源項目的代理服務; 其中該授權存取系統執行一跨平台授權存取資源方法,包括: 該代理存取模組自其中之一資源擁有者接收一資源存取請求,其中包括請求之一資源項目以及該資源擁有者的一識別代碼; 該代理存取模組根據該資源存取請求產生一授權請求; 該代理存取模組傳送該授權請求至該授權模組; 該授權模組根據該授權請求得出該資源擁有者的該識別代碼,與該資源擁有者完成身份驗證後,產生對應所請求之該資源項目的一存取代碼,並將該資源項目與該存取代碼形成一驗證資料; 該授權模組傳送該驗證資料至該代理存取模組以及該資源模組;以及 經該資源模組檢查自該授權模組接收的該驗證資料無誤後,根據該資源存取請求提供該資源擁有者一資源取得資訊。An authorized access system, including: A resource module, which provides services for one or more resource owners or authorized others to access various resource items through the network; An authorization module that provides user authentication and authorization services for accessing various resource items in the resource module through the network; A proxy access module, which provides proxy services for the one or more resource owners themselves or authorized others to access various resource items in the resource module through the network; The authorized access system executes a cross-platform authorized access resource method, including: The proxy access module receives a resource access request from one of the resource owners, which includes the requested resource item and an identification code of the resource owner; The proxy access module generates an authorization request according to the resource access request; The proxy access module transmits the authorization request to the authorization module; The authorization module obtains the identification code of the resource owner according to the authorization request, and after completing identity verification with the resource owner, generates an access code corresponding to the requested resource item, and combines the resource item with the resource item The access code forms a verification data; The authorization module transmits the verification data to the proxy access module and the resource module; and After the resource module checks that the verification data received from the authorization module is correct, provide the resource owner with resource acquisition information according to the resource access request. 如請求項8所述的授權存取系統,其中,於形成該驗證資料的步驟中,包括對該資源項目與該存取代碼進行一押碼演算,形成一押碼值,該押碼值、該資源項目與該存取代碼形成該驗證資料,該資源模組即接著驗證該押碼值。The authorized access system according to claim 8, wherein the step of forming the verification data includes performing a betting calculation on the resource item and the access code to form a betting value, the betting value, The resource item and the access code form the verification data, and the resource module then verifies the bet value. 如請求項9所述的授權存取系統,其中該押碼演算為演算一訊息驗證碼、雜湊值、加密或數位簽章。The authorization access system according to claim 9, wherein the bet code calculation is calculated as a message verification code, hash value, encryption or digital signature. 如請求項10所述的授權存取系統,其中該代理存取模組為一提供該使用者請求存取該資源項目的一代理伺服器;該授權模組為一負責授權存取資源的一授權伺服器;以及該資源模組為提供各種資源項目的一資源伺服器。The authorization access system according to claim 10, wherein the proxy access module is a proxy server that provides the user requesting access to the resource item; the authorization module is a proxy server responsible for authorizing access to the resource Authorization server; and the resource module is a resource server that provides various resource items. 如請求項10所述的授權存取系統,其中,於該授權模組接收經加密的該授權請求,根據該數位簽章驗證該授權請求,再從中得出關於該資源存取請求的該資源擁有者的該識別代碼,並經比對一使用者資料庫後得出該資源擁有者的一通信方法,以根據該通信方法與該資源擁有者完成身份驗證。The authorized access system according to claim 10, wherein the encrypted authorization request is received in the authorization module, the authorization request is verified according to the digital signature, and the resource related to the resource access request is obtained therefrom The identification code of the owner is compared with a user database to obtain a communication method of the resource owner, so as to complete identity verification with the resource owner according to the communication method. 如請求項12所述的授權存取系統,其中該授權模組通過該通信方法向該資源擁有者發出一身份確認請求,為要求該資源擁有者通過一網站、一應用程式或一信息進行身份驗證的請求,約定的驗證資料包括一密碼、一設備資訊、一生物特徵、由一使用者裝置產生的一次式密碼,或由該授權模組產生經簡訊或推播傳送至該資源擁有者的使用者裝置所產生的一次式密碼。The authorization access system according to claim 12, wherein the authorization module sends an identity confirmation request to the resource owner through the communication method, in order to request the resource owner to identify through a website, an application or a message A request for verification. The agreed verification data includes a password, a device information, a biometric feature, a one-time password generated by a user device, or a message generated by the authorization module and sent to the resource owner via a text message or push broadcast The one-time password generated by the user device. 如請求項8至13中任一項所述的授權存取系統,其中該資源項目為一資料檔案清單,由該資源模組提供的該資源取得資訊包括下載資料檔案或資訊的一連結。For example, the authorized access system according to any one of request items 8 to 13, wherein the resource item is a data file list, and the resource acquisition information provided by the resource module includes a link to download the data file or information.
TW109100894A 2020-01-10 2020-01-10 Method for cross-platform authorizing access to resources and authorization system thereof TWI778319B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109100894A TWI778319B (en) 2020-01-10 2020-01-10 Method for cross-platform authorizing access to resources and authorization system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW109100894A TWI778319B (en) 2020-01-10 2020-01-10 Method for cross-platform authorizing access to resources and authorization system thereof

Publications (2)

Publication Number Publication Date
TW202127289A true TW202127289A (en) 2021-07-16
TWI778319B TWI778319B (en) 2022-09-21

Family

ID=77908818

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109100894A TWI778319B (en) 2020-01-10 2020-01-10 Method for cross-platform authorizing access to resources and authorization system thereof

Country Status (1)

Country Link
TW (1) TWI778319B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5865992B2 (en) * 2011-03-23 2016-02-17 インターデイジタル パテント ホールディングス インコーポレイテッド System and method for securing network communications
US11107071B2 (en) * 2016-02-01 2021-08-31 Apple Inc. Validating online access to secure device functionality
TWM595792U (en) * 2020-01-10 2020-05-21 玉山商業銀行股份有限公司 Authorization system for cross-platform authorizing access to resources

Also Published As

Publication number Publication date
TWI778319B (en) 2022-09-21

Similar Documents

Publication Publication Date Title
US11558381B2 (en) Out-of-band authentication based on secure channel to trusted execution environment on client device
TWI667585B (en) Method and device for safety authentication based on biological characteristics
US20220255920A1 (en) System and method for proximity-based authentication
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
JP6586446B2 (en) Method for confirming identification information of user of communication terminal and related system
WO2017000829A1 (en) Method for checking security based on biological features, client and server
CN113302894B (en) Secure account access
US11556617B2 (en) Authentication translation
TWM595792U (en) Authorization system for cross-platform authorizing access to resources
CN110990827A (en) Identity information verification method, server and storage medium
JP2017519412A (en) Enhanced security for authentication device registration
CN112425114A (en) Password manager protected by public-private key pair
TWM623435U (en) System for verifying client identity and transaction services using multiple security levels
WO2021190197A1 (en) Method and apparatus for authenticating biometric payment device, computer device and storage medium
GB2554082B (en) User sign-in and authentication without passwords
JP2017152880A (en) Authentication system, key processing coordination method, and key processing coordination program
KR20220167366A (en) Cross authentication method and system between online service server and client
US20140250499A1 (en) Password based security method, systems and devices
US20230198751A1 (en) Authentication and validation procedure for improved security in communications systems
JP5186648B2 (en) System and method for facilitating secure online transactions
JP2022520226A (en) One-click login procedure
KR102284876B1 (en) System and method for federated authentication based on biometrics
KR102288445B1 (en) On-boarding method, apparatus and program of authentication module for organization
TWI778319B (en) Method for cross-platform authorizing access to resources and authorization system thereof
US20220417020A1 (en) Information processing device, information processing method, and non-transitory computer readable storage medium

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent