TWI803907B - System for confirming identity on different devices by verifying valid certification and method thereof - Google Patents

System for confirming identity on different devices by verifying valid certification and method thereof Download PDF

Info

Publication number
TWI803907B
TWI803907B TW110126374A TW110126374A TWI803907B TW I803907 B TWI803907 B TW I803907B TW 110126374 A TW110126374 A TW 110126374A TW 110126374 A TW110126374 A TW 110126374A TW I803907 B TWI803907 B TW I803907B
Authority
TW
Taiwan
Prior art keywords
client
server
verification
password
personal data
Prior art date
Application number
TW110126374A
Other languages
Chinese (zh)
Other versions
TW202305627A (en
Inventor
連子清
蔡家宏
Original Assignee
臺灣網路認證股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 臺灣網路認證股份有限公司 filed Critical 臺灣網路認證股份有限公司
Priority to TW110126374A priority Critical patent/TWI803907B/en
Publication of TW202305627A publication Critical patent/TW202305627A/en
Application granted granted Critical
Publication of TWI803907B publication Critical patent/TWI803907B/en

Links

Images

Abstract

A system for confirming identity on different devices by verifying a valid certification and a method thereof are provided. By signing personal data to generate a signature value by a first client, generating a coded message by a server after verifying the signature value, transmitting the coded message from the server to the first client, obtaining the coded message through the first client by a second client, transmitting he personal data and a token from the second client to the server based on connection information after the second client decodes the coded message for obtaining the connection information, the personal data and the token, inputting a verification password by the second client after the server confirms the token, and comparing a confirmation password inputted by the first client with the verification password to confirm user identity, the system and the method can confirm user identity via server, and can achieve the effect of using certificates to confirm users of different devices are the same one.

Description

透過驗證有效憑證在不同裝置上確認身分之系統及方法System and method for confirming identity on different devices by verifying valid credentials

一種身分驗證系統及其方法,特別係指一種透過驗證有效憑證在不同裝置上確認身分之系統及方法。An identity verification system and method thereof, in particular to a system and method for confirming identity on different devices by verifying valid certificates.

電子憑證,又稱為數位憑證,是一種用於電腦系統的身分識別機制。電子憑證是身份認證機構加在數位身份證上的一個簽名,這一行為表示身份認證機構已認定擁有數位身分證的使用者。電子憑證是一個或一組電腦檔案,其中記載了擁有人的身份資料及一組公開資料(公鑰),其中公鑰對應一組專屬於電子憑證之擁有人的私鑰。電子憑證的擁有人可透過私鑰向電腦系統認證自己的身分,從而存取或使用某一特定的電腦服務。Electronic credentials, also known as digital credentials, are an identification mechanism used in computer systems. An electronic certificate is a signature added to a digital ID card by an identity authentication agency, which means that the identity authentication agency has identified the user who has a digital ID card. An electronic certificate is one or a group of computer files, which record the owner's identity information and a set of public information (public key), where the public key corresponds to a set of private keys exclusive to the owner of the electronic certificate. The owner of the electronic certificate can authenticate his identity to the computer system through the private key, so as to access or use a specific computer service.

近年來由於網路服務的普及,網路上的身分識別方式益發重要,目前在網路上進行身分識別的主要方式之一為使用電子憑證。然而,目前電子憑證的申請過程都需要進行身分確認,也就是要申請人攜帶身分證明文件親自到申請電子憑證之業務的櫃檯辦理,一旦申請人因為個人因素或是環境因素不方便親自臨櫃辦理,便無法完成電子憑證的申請,這對於電子憑證的申請人而言並不方便。In recent years, due to the popularization of network services, identification methods on the Internet have become more and more important. Currently, one of the main methods of identification on the Internet is to use electronic certificates. However, the current application process for electronic vouchers requires identity verification, that is, applicants are required to bring their identity documents to the counter of the application for electronic vouchers in person. Once the applicant is inconvenient to go to the counter for personal or environmental factors , the application for electronic vouchers cannot be completed, which is inconvenient for applicants of electronic vouchers.

綜上所述,可知先前技術中長期以來一直存在申請電子憑證需要申請人需要親自臨櫃以確認身分而造成申請人不便的問題,因此有必要提出改進的技術手段,來解決此一問題。To sum up, it can be seen that there has been a problem in the prior art for a long time that the applicant needs to go to the counter to confirm the identity in order to apply for an electronic certificate, which causes inconvenience to the applicant. Therefore, it is necessary to propose an improved technical means to solve this problem.

有鑒於先前技術存在申請電子憑證需要申請人親自臨櫃以確認身分而造成申請人不便的問題,本發明遂揭露一種透過驗證有效憑證在不同裝置上確認身分之系統及方法,其中:In view of the problem in the prior art that the applicant needs to personally visit the counter to confirm the identity of the application of the electronic certificate, which causes inconvenience to the applicant, the present invention discloses a system and method for verifying the identity on different devices through the verification of valid certificates, in which:

本發明所揭露之透過驗證有效憑證在不同裝置上確認身分之系統,至少包含:第一客戶端,用以輸入個人資料及確認密碼,並對個人資料簽章以產生簽章值;伺服器,用以接收第一客戶端所傳送之個人資料與簽章值,並驗證個人資料與簽章值,及用以於個人資料與簽章值通過驗證後,產生驗證信物,並產生包含個人資料、驗證信物、及連線資訊之編碼訊息,及傳送編碼訊息給第一客戶端;第二客戶端,用以透過第一客戶端取得編碼訊息,並解碼編碼訊息以依據連線資訊傳送個人資料與驗證信物至伺服器,使伺服器確認驗證信物,及用以於驗證信物通過伺服器確認後輸入驗證密碼,並傳送驗證密碼至伺服器,使伺服器比對驗證密碼與確認密碼以確認使用者身分。The system disclosed in the present invention for confirming identity on different devices by verifying valid certificates at least includes: a first client for inputting personal data and confirming passwords, and signing personal data to generate a signature value; a server, It is used to receive the personal data and signature value sent by the first client, and to verify the personal data and signature value, and to generate a verification token after the personal data and signature value are verified, and to generate a token containing personal data, Verify the coded message of the token and connection information, and send the coded message to the first client; the second client is used to obtain the coded message through the first client, and decode the coded message to send personal data and information based on the connection information Verify the token to the server, make the server confirm the verification token, and use it to enter the verification password after the verification token is confirmed by the server, and send the verification password to the server, so that the server compares the verification password with the confirmation password to confirm the user identity.

本發明所揭露之透過驗證有效憑證在不同裝置上確認身分之方法,其步驟至少包括:第一客戶端輸入個人資料及確認密碼,並對個人資料簽章以產生簽章值;第一客戶端傳送個人資料與簽章值至伺服器,伺服器驗證個人資料與簽章值;伺服器於個人資料與簽章值通過驗證後,產生驗證信物;伺服器產生包含個人資料、驗證信物、及連線資訊之編碼訊息,並傳送編碼訊息給第一客戶端;第二客戶端透過第一客戶端取得編碼訊息;第二客戶端解碼編碼訊息以依據連線資訊傳送個人資料與驗證信物至伺服器,使伺服器確認驗證信物;第二客戶端於驗證信物通過伺服器確認後輸入驗證密碼,並傳送驗證密碼至伺服器;伺服器比對驗證密碼與確認密碼以確認使用者身分。The method disclosed in the present invention for confirming identity on different devices by verifying valid certificates, the steps at least include: the first client enters personal data and confirms the password, and signs the personal data to generate a signature value; the first client Send the personal data and signature value to the server, and the server verifies the personal data and signature value; the server generates a verification token after the personal data and signature value are verified; the server generates a token containing personal data, verification token, and link The encoded message of the online information, and send the encoded message to the first client; the second client obtains the encoded message through the first client; the second client decodes the encoded message to send personal data and verification tokens to the server according to the connection information , so that the server confirms the verification token; the second client enters the verification password after the verification token is confirmed by the server, and sends the verification password to the server; the server compares the verification password and the confirmation password to confirm the identity of the user.

本發明所揭露之系統與方法如上,與先前技術之間的差異在於本發明透過由伺服器驗證第一客戶端對個人資料簽章所產生之簽章值後產生編碼訊息並傳回第一客戶端,第二客戶端透過第一客戶端取得編碼訊息後,解碼編碼訊息以取得連線資訊、個人資料與驗證信物,並依據連線資訊傳送個人資料與驗證信物至伺服器,使伺服器確認驗證信物,且比對第一客戶端所輸入之確認資料與第二客戶端在驗證信物通過確認後所輸入驗證密碼以確認使用者身分,藉以解決先前技術所存在的問題,並可以達成以電子憑證確認不同裝置之使用者相同的技術功效。The system and method disclosed in the present invention are as above, and the difference from the prior art is that the present invention generates an encoded message and sends it back to the first client after the server verifies the signature value generated by the personal data signature of the first client After the second client obtains the encoded message through the first client, it decodes the encoded message to obtain connection information, personal data and verification token, and sends the personal data and verification token to the server according to the connection information, so that the server can confirm Verify the token, and compare the confirmation data entered by the first client with the verification password entered by the second client after the token is verified to confirm the user's identity, so as to solve the problems existing in the prior art, and can achieve electronic Vouchers confirm the same technical performance for users of different devices.

以下將配合圖式及實施例來詳細說明本發明之特徵與實施方式,內容足以使任何熟習相關技藝者能夠輕易地充分理解本發明解決技術問題所應用的技術手段並據以實施,藉此實現本發明可達成的功效。The features and implementation methods of the present invention will be described in detail below in conjunction with the drawings and embodiments, the content is enough to enable anyone familiar with the relevant art to easily and fully understand the technical means used to solve the technical problems of the present invention and implement them accordingly, thereby realizing The effect that the present invention can achieve.

本發明可以透過伺服器驗證使用者在第一客戶端上有效憑證以讓使用者所使用之第二客戶端透過伺服器確認使用者身分。其中,本發明所提之有效憑證為可以當下通過憑證驗證伺服器(Validation Authority, VA)驗證的數位憑證,包含但不限於金融憑證、自然人憑證、工商憑證等。The present invention can verify the user's valid certificate on the first client through the server so that the second client used by the user can confirm the user's identity through the server. Among them, the valid certificate mentioned in the present invention is a digital certificate that can be verified by the certificate verification server (Validation Authority, VA), including but not limited to financial certificates, natural person certificates, business certificates, etc.

本發明所提之伺服器、第一客戶端、第二客戶端都可以是計算設備。本發明所提之計算設備包含但不限於一個或多個處理模組、一條或多條記憶體模組、以及連接不同硬體元件(包括記憶體模組和處理模組)的匯流排等硬體元件。透過所包含之多個硬體元件,計算設備可以載入並執行作業系統,使作業系統在計算設備上運行,也可以執行軟體或程式。另外,計算設備也包含一個外殼,上述之各個硬體元件設置於外殼內。The server, the first client and the second client mentioned in the present invention can all be computing devices. The computing device mentioned in the present invention includes but is not limited to one or more processing modules, one or more memory modules, and hardware such as buses connecting different hardware components (including memory modules and processing modules). body element. Through the included multiple hardware components, the computing device can load and execute the operating system, so that the operating system can run on the computing device, and can also execute software or programs. In addition, the computing device also includes a casing, and the above-mentioned hardware components are arranged in the casing.

本發明所提之計算設備的匯流排可以包含一種或多個類型,例如包含資料匯流排(data bus)、位址匯流排(address bus)、控制匯流排(control bus)、擴充功能匯流排(expansion bus)、及/或局域匯流排(local bus)等類型的匯流排。計算設備的匯流排包括但不限於的工業標準架構(Industry Standard Architecture, ISA)匯流排、周邊元件互連(Peripheral Component Interconnect, PCI)匯流排、視頻電子標準協會(Video Electronics Standards Association, VESA)局域匯流排、以及串列的通用序列匯流排(Universal Serial Bus, USB)、快速周邊元件互連(PCI Express, PCI-E/PCIe)匯流排等。The bus of the computing device mentioned in the present invention can include one or more types, such as data bus (data bus), address bus (address bus), control bus (control bus), expansion function bus ( expansion bus), and/or local bus (local bus) and other types of bus. Buses for computing devices include, but are not limited to, Industry Standard Architecture (ISA) buses, Peripheral Component Interconnect (PCI) buses, Video Electronics Standards Association (VESA) boards Domain bus, and serial universal serial bus (Universal Serial Bus, USB), fast peripheral component interconnection (PCI Express, PCI-E/PCIe) bus, etc.

本發明所提之計算設備的處理模組與匯流排耦接。處理模組包含暫存器(Register)組或暫存器空間,暫存器組或暫存器空間可以完全的被設置在處理模組之處理晶片上,或全部或部分被設置在處理晶片外並經由專用電氣連接及/或經由匯流排耦接至處理晶片。處理模組可為中央處理器、微處理器或任何合適的處理元件。若計算設備為多處理器設備,也就是計算設備包含多個處理模組,則計算設備所包含的處理模組都相同或類似,且透過匯流排耦接與通訊。處理模組可以解釋一個計算機指令或一連串的多個計算機指令以進行特定的運算或操作,例如,數學運算、邏輯運算、資料比對、複製/移動資料等,藉以驅動計算設備中的其他硬體元件或運行作業系統或執行各種程式及/或模組。The processing module of the computing device mentioned in the present invention is coupled to the bus bar. The processing module includes a register group or register space, which can be completely set on the processing chip of the processing module, or all or part of it is set outside the processing chip and coupled to the handle wafer via dedicated electrical connections and/or via bus bars. The processing module can be a central processing unit, a microprocessor or any suitable processing element. If the computing device is a multi-processor device, that is, the computing device includes multiple processing modules, the processing modules included in the computing device are all the same or similar, and are coupled and communicated through a bus. A processing module can interpret a computer instruction or a series of multiple computer instructions to perform specific calculations or operations, such as mathematical operations, logical operations, data comparison, copying/moving data, etc., to drive other hardware in the computing device components or run the operating system or execute various programs and/or modules.

計算設備中通常也包含一個或多個晶片組(Chipset)。計算設備的處理模組可以與晶片組耦接或透過匯流排與晶片組電性連接。晶片組是由一個或多個積體電路(Integrated Circuit, IC)組成,包含記憶體控制器以及周邊輸出入(I/O)控制器等,也就是說,記憶體控制器以及周邊輸出入控制器可以包含在一個積體電路內,也可以使用兩個或更多的積體電路實現。晶片組通常提供了輸出入和記憶體管理功能、以及提供多個通用及/或專用暫存器、計時器等,其中,上述之通用及/或專用暫存器與計時器可以讓耦接或電性連接至晶片組的一個或多個處理模組存取或使用。Computing devices usually also contain one or more chipsets (Chipsets). The processing module of the computing device can be coupled to the chip set or electrically connected to the chip set through a bus bar. The chipset is composed of one or more integrated circuits (Integrated Circuit, IC), including memory controllers and peripheral input/output (I/O) controllers, etc., that is, memory controllers and peripheral I/O controllers A circuit breaker can be contained in one integrated circuit or implemented using two or more integrated circuits. Chipsets usually provide input/output and memory management functions, and provide multiple general and/or special registers, timers, etc., wherein the above general and/or special registers and timers can be coupled or Accessed or used by one or more processing modules electrically connected to the chipset.

計算設備的處理模組也可以透過記憶體控制器存取安裝於計算設備上的記憶體模組和大容量儲存區中的資料。上述之記憶體模組包含任何類型的揮發性記憶體(volatile memory)及/或非揮發性(non-volatile memory, NVRAM)記憶體,例如靜態隨機存取記憶體(Static Random Access Memory, SRAM)、動態隨機存取記憶體(Dynamic Random Access Memory, DRAM)、唯讀記憶體(Read-Only Memory, ROM)、快閃記憶體(Flash memory)等。上述之大容量儲存區可以包含任何類型的儲存裝置或儲存媒體,例如,硬碟機、光碟(optical disc)、隨身碟(flash drive)、記憶卡(memory card)、固態硬碟(Solid State Disk, SSD)、或任何其他儲存裝置等。也就是說,記憶體控制器可以存取靜態隨機存取記憶體、動態隨機存取記憶體、快閃記憶體、硬碟機、固態硬碟中的資料。The processing module of the computing device can also access the data in the memory module and the mass storage area installed on the computing device through the memory controller. The above-mentioned memory modules include any type of volatile memory (volatile memory) and/or non-volatile (non-volatile memory, NVRAM) memory, such as static random access memory (Static Random Access Memory, SRAM) , Dynamic Random Access Memory (Dynamic Random Access Memory, DRAM), Read-Only Memory (Read-Only Memory, ROM), Flash memory (Flash memory), etc. The above-mentioned large-capacity storage area can include any type of storage device or storage medium, such as hard disk drive, optical disc (optical disc), flash drive (flash drive), memory card (memory card), solid state hard disk (Solid State Disk) , SSD), or any other storage device, etc. That is to say, the memory controller can access data in SRAM, DRAM, flash memory, hard disk drive, and solid-state hard disk.

計算設備的處理模組也可以透過周邊輸出入控制器經由周邊輸出入匯流排與周邊輸出裝置、周邊輸入裝置、通訊介面、及GPS接收器等周邊裝置或介面連接並通訊。周邊輸入裝置可以是任何類型的輸入裝置,例如鍵盤、滑鼠、軌跡球、觸控板、搖桿等,周邊輸出裝置可以是任何類型的輸出裝置,例如顯示器、印表機等,周邊輸入裝置與周邊輸出裝置也可以是同一裝置,例如觸控螢幕等。通訊介面可以包含無線通訊介面及/或有線通訊介面,無線通訊介面可以包含支援無線區域網路(如Wi-Fi、Zigbee等)、藍牙、紅外線、近場通訊(Near-field communication, NFC)、3G/4G/5G等行動通訊網路(蜂巢式網路)或其他無線資料傳輸協定的介面,有線通訊介面可為乙太網路裝置、DSL數據機、纜線(Cable)數據機、非同步傳輸模式(Asynchronous Transfer Mode, ATM)裝置、或光纖通訊介面及/或元件等。處理模組可以週期性地輪詢(polling)各種周邊裝置與介面,使得計算設備能夠透過各種周邊裝置與介面進行資料的輸入與輸出,也能夠與具有上面描述之硬體元件的另一個計算設備進行通訊。The processing module of the computing device can also be connected and communicated with peripheral devices or interfaces such as peripheral output devices, peripheral input devices, communication interfaces, and GPS receivers through the peripheral I/O controller via the peripheral I/O bus. The peripheral input device can be any type of input device, such as keyboard, mouse, trackball, touch pad, joystick, etc., and the peripheral output device can be any type of output device, such as display, printer, etc., peripheral input device It can also be the same device as the peripheral output device, such as a touch screen. The communication interface may include a wireless communication interface and/or a wired communication interface, and the wireless communication interface may include support for a wireless local area network (such as Wi-Fi, Zigbee, etc.), Bluetooth, infrared, near-field communication (Near-field communication, NFC), 3G/4G/5G and other mobile communication network (cellular network) or other wireless data transmission protocol interface, wired communication interface can be Ethernet device, DSL modem, cable (Cable) modem, asynchronous transmission Mode (Asynchronous Transfer Mode, ATM) device, or optical fiber communication interface and/or components, etc. The processing module can periodically poll (polling) various peripheral devices and interfaces, so that the computing device can input and output data through various peripheral devices and interfaces, and can also communicate with another computing device with the hardware components described above to communicate.

以下先以「第1圖」本發明所提之透過驗證有效憑證在不同裝置上確認身分之系統架構圖來說明本發明的系統運作。如「第1圖」所示,本發明之系統含有第一客戶端110、伺服器120、第二客戶端130。其中,第一客戶端110與伺服器120間及伺服器120與第二客戶端130間,可以透過有線或無線網路相互傳遞資料或訊號。In the following, the system architecture of the present invention will be described by using the "Fig. 1" system structure diagram of the system architecture for verifying identity on different devices through verification of valid certificates mentioned in the present invention. As shown in FIG. 1 , the system of the present invention includes a first client 110 , a server 120 , and a second client 130 . Wherein, the first client 110 and the server 120 and between the server 120 and the second client 130 can transmit data or signals to each other through wired or wireless networks.

第一客戶端110負責輸入個人資料與確認密碼。第一客戶端110所輸入之個人資料包含使用者識別資料,其中,使用者識別資料可以是使用者的身分證號、護照號碼等,但本發明並不以此為限;確認密碼則可以由一定數量的字母、數字、符號排列產生。一般而言,第一客戶端110可以提供資料輸入介面以輸入個人資料與確認密碼。The first client 110 is responsible for inputting personal information and confirming password. The personal data input by the first client 110 includes user identification data, wherein the user identification data can be the user's ID card number, passport number, etc., but the present invention is not limited thereto; the confirmation password can be obtained by A certain number of letters, numbers, and symbol arrangements are generated. Generally speaking, the first client 110 can provide a data input interface for inputting personal data and confirming a password.

第一客戶端110也負責使用與有效憑證中之公鑰(public key)對應的私鑰(private key)對所輸入之個人資料簽章以產生與個人資料對應的簽章值。在部分的實施例中,第一客戶端110也可以將個人資料與確認密碼做為一份組合資料並對該組合資料簽章以產生簽章值。The first client 110 is also responsible for using the private key (private key) corresponding to the public key (public key) in the valid certificate to sign the input personal data to generate a signature value corresponding to the personal data. In some embodiments, the first client 110 may also use the personal data and the confirmation password as a combined data and sign the combined data to generate a signature value.

第一客戶端110也負責傳送所輸入之個人資料與確認密碼、及所產生之簽章值至伺服器120,並負責接收伺服器120所傳送的編碼訊息。本發明所提之編碼訊息為可以取得伺服器120之連線方式及伺服器120所產生之一個或多個資料的資料,可以文字、條碼、或圖形的方式呈現,但本發明並不以此為限。其中,上述之取得資料的方式包含但不限於解碼編碼訊息或依據編碼訊息連線到特定目標(如特定主機或伺服器)下載。The first client 110 is also responsible for sending the input personal data and confirmation password, and the generated signature value to the server 120 , and is responsible for receiving the coded message sent by the server 120 . The coded information mentioned in the present invention is the data that can obtain the connection method of the server 120 and one or more data generated by the server 120, and can be presented in the form of text, barcode, or graphics, but the present invention does not mean that limit. Among them, the above-mentioned methods of obtaining data include but are not limited to decoding coded messages or connecting to a specific target (such as a specific host or server) for downloading according to coded messages.

伺服器120負責接收第一客戶端110所傳送的個人資料、確認密碼、及簽章值,並負責驗證個人資料與簽章值。由於依據個人資料與相對應之簽章值進行驗證的方式已為習知,故本發明不再多加描述。The server 120 is responsible for receiving the personal data, confirmation password, and signature value sent by the first client 110, and responsible for verifying the personal data and the signature value. Since the method of verifying based on the personal data and the corresponding signature value is already known, the present invention will not further describe it.

伺服器120也負責在個人資料與簽章值通過驗證後,產生驗證信物(token)。伺服器120所產生的驗證信物包含驗證值,一般而言,驗證值是由伺服器120以一定方式產生,例如,隨機產生或使用當前的時間值產生等,但本發明並不以此為限。在部分的實施例中,驗證信物還可以包含時間戳,其中,時間戳可以表示當前時間或有效時間。The server 120 is also responsible for generating a verification token (token) after the personal data and the signature value are verified. The verification token generated by the server 120 includes a verification value. Generally speaking, the verification value is generated by the server 120 in a certain way, for example, randomly generated or generated using the current time value, etc., but the present invention is not limited thereto . In some embodiments, the verification token may also include a time stamp, where the time stamp may represent the current time or the effective time.

伺服器120也負責產生編碼訊息,並負責將所產生的編碼訊息傳送給第一客戶端110。一般而言,伺服器120可以使用習知之各種演算法產生文字、條碼、或圖形的編碼訊息。伺服器120所產生的編碼訊息可以包含伺服器120所接收到的個人資料、伺服器120所產生的驗證信物、及伺服器120的連線資訊。連線資訊包含但不限於URI/URL Scheme及/或伺服器120所提供的API。The server 120 is also responsible for generating the encoded message, and responsible for sending the generated encoded message to the first client 110 . Generally speaking, the server 120 can use various well-known algorithms to generate text, barcode, or graphic encoded messages. The coded message generated by the server 120 may include the personal data received by the server 120 , the verification token generated by the server 120 , and the connection information of the server 120 . The connection information includes but not limited to URI/URL Scheme and/or API provided by the server 120 .

在部分的實施例中,伺服器120也可以提供第一客戶端110設定與編碼訊息對應的勾稽值,並可以在接收到第二客戶端130所傳送之相同的勾稽值時,將相對應的編碼訊息傳送給第二客戶端130。In some embodiments, the server 120 can also provide the first client 110 to set the hook value corresponding to the encoded message, and when receiving the same hook value sent by the second client 130, the corresponding The encoded message is sent to the second client 130 .

伺服器120也負責儲存所產生之驗證信物與所接收到之確認密碼。一般而言,伺服器120可以將所產生之驗證信物與認證資料做為一筆資料儲存於資料對應表中。在部分的實施例中,伺服器120也可以在產生驗證信物時,也就是在個人資料與簽章值通過驗證後,產生認證資料,並可以將所產生之驗證信物、確認密碼、及認證資料做為一筆資料儲存於資料對應表中。伺服器120產生認證資料的方式可以是隨機產生或依據流水號產生,但本發明並不以此為限,凡可以產生出具有唯一值或足以在一定時間內識別出多個特定資料的方式都可以被伺服器120用來產生認證資料。The server 120 is also responsible for storing the generated verification token and the received confirmation password. Generally speaking, the server 120 can store the generated verification token and authentication data as a piece of data in the data correspondence table. In some embodiments, the server 120 can also generate authentication information when generating the authentication token, that is, after the personal data and the signature value are verified, and can use the generated authentication token, confirmation password, and authentication information It is stored as a piece of data in the data correspondence table. The way the server 120 generates authentication data can be randomly generated or based on serial numbers, but the present invention is not limited thereto. Any method that can generate unique values or is sufficient to identify multiple specific data within a certain period of time is acceptable. It can be used by the server 120 to generate authentication information.

伺服器120也負責接收第二客戶端130所傳送的個人資料與驗證信物,並確認所接收到的驗證信物。舉例來說,伺服器120可以判斷所接收到的驗證信物是否存在於資料對應表內,若是,則伺服器120可以判斷所接收到的驗證信物通過驗證,並可以確認所接收到的驗證信物,若否,也就是資料對應表中沒有相同的驗證信物,則伺服器120可以判斷所接收到的驗證信物沒有通過驗證。伺服器120也可以判斷驗證信物是否已接收,若是,則可以判斷所接收到的驗證信物沒有通過驗證,若驗證信物未曾被接收,也就是驗證信物未被記錄為已接收,則伺服器120可以將所接收到的驗證信物記錄為已接收,並依據所接收到的驗證信物是否存在於資料對應表內判斷驗證信物是否通過驗證。The server 120 is also responsible for receiving the personal data and the verification token sent by the second client 130, and confirming the received verification token. For example, the server 120 can judge whether the received verification token exists in the data correspondence table, if so, the server 120 can judge that the received verification token has passed the verification, and can confirm the received verification token, If not, that is, there is no identical verification token in the data correspondence table, the server 120 may determine that the received verification token has not passed the verification. The server 120 can also judge whether the verification token has been received, if so, it can judge that the received verification token has not passed the verification, if the verification token has not been received, that is, the verification token has not been recorded as received, then the server 120 can Record the received verification token as received, and judge whether the verification token passes the verification according to whether the received verification token exists in the data correspondence table.

在部分的實施例中,伺服器120在確認驗證信物時,還可以檢查所接收到之驗證信物的有效期限是否有效,即判斷驗證信物中之時間戳所表示之時間是否在有效時間內,例如,時間戳所表示之時間為產生驗證信物之當前時間時,伺服器120可以依據時間戳所表示之時間與當前時間的時間差是否在預定範圍內判斷驗證信物的有效期限是否有效,又如,時間戳所表示之時間為驗證信物的有效時間時,伺服器120可以依據時間戳所表示之時間是否晚於當前時間判斷驗證信物的有效期限是否有效,當驗證信物的有效期限有效時,伺服器120可以判斷所接收到的驗證信物沒有通過驗證,反之,伺服器120可以判斷所接收到的驗證信物沒有通過驗證;伺服器120也可以檢查驗證信物是否已被確認,即檢查驗證信物中之驗證值是否曾經接收過,若是,則伺服器120可以判斷所接收到的驗證信物沒有通過驗證,若否,則伺服器120可以判斷所接收到的驗證信物通過驗證。In some embodiments, when the server 120 confirms the verification token, it can also check whether the validity period of the received verification token is valid, that is, to determine whether the time indicated by the timestamp in the verification token is within the valid time, for example , when the time represented by the timestamp is the current time when the verification token is generated, the server 120 can judge whether the validity period of the verification token is valid according to whether the time difference between the time represented by the timestamp and the current time is within a predetermined range. When the time indicated by the stamp is the validity time of the verification token, the server 120 can judge whether the validity period of the verification token is valid according to whether the time represented by the time stamp is later than the current time. When the validity period of the verification token is valid, the server 120 It can be judged that the received verification token has not passed the verification, otherwise, the server 120 can judge that the received verification token has not passed the verification; the server 120 can also check whether the verification token has been confirmed, that is, check the verification value in the verification token Whether it has been received, if so, the server 120 can judge that the received verification token has not passed the verification, if not, the server 120 can judge that the received verification token has passed the verification.

伺服器120也可以在確認驗證信物後,由資料對應表中讀取與驗證信物儲存為同一筆資料的認證資料,並將所讀出之認證資料傳送到第二客戶端130。The server 120 may also read the authentication data stored as the same data as the verification token from the data correspondence table after confirming the verification token, and send the read authentication data to the second client 130 .

伺服器120也負責接收第二客戶端130所傳送的驗證密碼,並比對所接收到的驗證密碼與先前所儲存之確認密碼以確認使用者身分,及可以產生使用者之身分確認結果並將所產生之身分確認結果傳回第二客戶端130。更詳細的,伺服器120可以由資料對應表中搜尋是否存在與驗證密碼相同的確認密碼,當存在與驗證密碼相同的確認密碼時,伺服器120可以判斷第一客戶端110與第二客戶端130的使用者相同,進而確認使用者身分,反之,當資料對應表中不存在與驗證密碼相同的確認密碼時,伺服器120可以要求第二客戶端130重新傳送驗證密碼,並可以在資料對應表中不存在與驗證密碼相同之確認密碼的次數達到預定值時,判斷第一客戶端110與第二客戶端130的使用者不同。The server 120 is also responsible for receiving the verification password sent by the second client 130, and comparing the received verification password with the previously stored confirmation password to confirm the user's identity, and can generate the user's identity confirmation result and The generated identity confirmation result is sent back to the second client 130 . In more detail, the server 120 can search from the data correspondence table whether there is a confirmation password that is the same as the verification password, and when there is a confirmation password that is the same as the verification password, the server 120 can determine whether the first client 110 and the second client 130 users are the same, and then confirm the user identity, otherwise, when there is no confirmation password identical to the verification password in the data correspondence table, the server 120 can request the second client 130 to resend the verification password, and can be in the data correspondence When there is no confirmation password identical to the verification password in the table and the number of times reaches a predetermined value, it is determined that the users of the first client 110 and the second client 130 are different.

在部分的實施例中,伺服器120可以在接收驗證密碼時一併接收認證資料,並可以依據所接收到的認證資料由資料對應表中讀出確認密碼,及比對所接收到之驗證密碼及所讀出之確認密碼是否相同。In some embodiments, the server 120 can receive the authentication information when receiving the authentication password, and can read the confirmation password from the data correspondence table according to the received authentication information, and compare the received authentication password and whether the read confirmation password is the same.

第二客戶端130負責透過第一客戶端110取得伺服器120所產生的編碼訊息。更詳細的,第二客戶端130可以擷取第一客戶端110所顯示之編碼訊息、接收第一客戶端110所推播之編碼訊息、依據與第一客戶端110預先約定之勾稽值至伺服器120下載編碼訊息、透過電子郵件或即時訊息接收第一客戶端110所傳送之編碼訊息、或透過跨應用程式(cross APP)之方式接收來自第一客戶端110的編碼訊息。The second client 130 is responsible for obtaining the encoded message generated by the server 120 through the first client 110 . In more detail, the second client 130 can retrieve the coded message displayed by the first client 110, receive the coded message pushed by the first client 110, and send the The device 120 downloads the coded message, receives the coded message sent by the first client 110 through email or instant message, or receives the coded message from the first client 110 through a cross APP.

第二客戶端130也負責解碼所取得之編碼訊息以取得編碼訊息所表示的連線資訊、個人資料及驗證信物,其中,第二客戶端130可以使用與產生編碼訊息對應的解碼演算法解碼編碼訊息以取得連線資訊、個人資料及驗證信物,或第二客戶端130也可依據編碼訊息連線到特定目標下載連線資訊、個人資料及驗證信物。但第二客戶端130解碼編碼訊息之方式並不以上述為限。The second client 130 is also responsible for decoding the obtained coded message to obtain the connection information, personal data and verification token represented by the coded message, wherein the second client 130 can use the decoding algorithm corresponding to the generated coded message to decode the code message to obtain connection information, personal data and verification token, or the second client 130 can also connect to a specific target to download connection information, personal data and verification token according to the coded message. However, the manner in which the second client 130 decodes the encoded message is not limited to the above.

第二客戶端130也負責依據所取得之連線資訊將所取得之驗證信物與全部或部分的個人資料傳送至伺服器120。舉例來說,第二客戶端130可以直接依據連線資訊所包含之伺服器120的API將個人資料與驗證信物傳送給伺服器120;第二客戶端130可以依據連線資訊所包含之URL Scheme開啟特定應用程式並將伺服器120的API及個人資料與驗證信物提供給被開啟的應用程式,使得被開啟的應用程式依據伺服器120的API將全部或部分之個人資料與驗證信物傳送給伺服器120,但第二客戶端130依據連線資訊將驗證信物與個人資料傳送至伺服器120之方式並不以上述為限。The second client 130 is also responsible for sending the obtained verification token and all or part of the personal data to the server 120 according to the obtained connection information. For example, the second client 130 can directly send personal data and verification tokens to the server 120 according to the API of the server 120 included in the connection information; Open a specific application and provide the API, personal data and verification token of the server 120 to the opened application, so that the opened application sends all or part of the personal data and verification token to the server according to the API of the server 120 server 120, but the way the second client 130 transmits the verification token and personal data to the server 120 according to the connection information is not limited to the above.

第二客戶端130也負責在所取得的驗證信物通過伺服器120確認後,或可以在接收到伺服器120所傳送的認證資料後,輸入驗證密碼。一般而言,第二客戶端130可以提供密碼輸入介面以輸入驗證密碼。The second client 130 is also responsible for inputting the verification password after the obtained verification token is confirmed by the server 120 , or after receiving the verification information sent by the server 120 . Generally speaking, the second client 130 may provide a password input interface for inputting a verification password.

第二客戶端130也負責將被輸入之驗證密碼傳送至伺服器120,若第二客戶端130有接收到認證資料,則第二客戶端130也可以將認證資料與驗證密碼一同傳送至伺服器120。The second client 130 is also responsible for sending the input verification password to the server 120. If the second client 130 has received the authentication data, the second client 130 can also send the authentication data and the verification password to the server 120.

第二客戶端130也可以接收伺服器120所傳送之身分確認結果,並可以在身分確認結果表示伺服器120判斷驗證密碼與確認密碼相同時,使用所取得之個人資料與被輸入之驗證密碼向憑證伺服器(圖中未示)申請數位憑證。The second client 130 can also receive the identity confirmation result sent by the server 120, and when the identity confirmation result shows that the server 120 judges that the verification password is the same as the confirmation password, use the obtained personal information and the input verification password to send A certificate server (not shown in the figure) applies for a digital certificate.

接著以一個實施例來解說本發明的運作系統與方法,並請參照「第2A圖」本發明所提之透過驗證有效憑證在不同裝置上確認身分之方法流程圖。在本實施例中,假設第一客戶端110為個人電腦或筆記型電腦、第二客戶端130為智慧型手機,但本發明並不以此為限。Next, an embodiment is used to explain the operating system and method of the present invention, and please refer to "FIG. 2A" for the flow chart of the method for verifying identity on different devices through valid certificate verification proposed by the present invention. In this embodiment, it is assumed that the first client 110 is a personal computer or a notebook computer, and the second client 130 is a smart phone, but the present invention is not limited thereto.

當使用者欲在第二客戶端130上進行身分確認以申請數位憑證時,若選擇使用本發明,則使用者可以操作已有有效之數位憑證的第一客戶端110,並在第一客戶端110上輸入個人資料與確認密碼,使得第一客戶端110對被輸入之個人資料簽章而產生簽章值(步驟210)。在本實施例中,假設使用者可以操作第一客戶端110執行瀏覽器連線到伺服器120,接著,瀏覽器可以顯示資料輸入介面以提供使用者輸入個人資料與確認密碼,並可以在使用者完成個人資料與確認密碼的輸入後,使用與數位憑證對應的私鑰對被輸入之個人資料與確認密碼簽章而產生相對應的簽章值。When the user intends to perform identity verification on the second client 130 to apply for a digital certificate, if he chooses to use the present invention, the user can operate the first client 110 that already has a valid digital certificate, and in the first client Input the personal data and confirm the password at 110 , so that the first client 110 signs the input personal data to generate a signature value (step 210 ). In this embodiment, it is assumed that the user can operate the first client 110 to perform a browser connection to the server 120, and then the browser can display a data input interface to provide the user with inputting personal information and confirming the password, and can be used After completing the input of personal information and confirmation password, the user uses the private key corresponding to the digital certificate to sign the input personal information and confirmation password to generate a corresponding signature value.

在第一客戶端110產生簽章值後,第一客戶端110可以將所輸入之個人資料與所產生的簽章值傳送到伺服器120,伺服器120可以在接收到第一客戶端110所傳送之個人資料與簽章值後,驗證所接收到的個人資料與簽章值(步驟220)。在本實施例中,假設第一客戶端110可以將個人資料、確認密碼、及對個人資料與確認密碼簽章所產生的簽章值傳送給伺服器120,伺服器120可以對個人資料、確認密碼、及簽章值進行驗證。After the first client 110 generates the signature value, the first client 110 can transmit the input personal data and the generated signature value to the server 120, and the server 120 can receive the signature value from the first client 110. After sending the personal data and signature value, verify the received personal data and signature value (step 220). In this embodiment, it is assumed that the first client 110 can send the personal data, the confirmation password, and the signature value generated by signing the personal data and the confirmation password to the server 120, and the server 120 can send the personal data, confirmation password Password, and signature value for verification.

若個人資料(、確認密碼)與簽章值沒有通過伺服器120的驗證,則伺服器120可以不產生提示訊息,並可以將所產生之提示訊息傳回第一客戶端110,使第一客戶端110顯示伺服器120所產生的提示訊息;而若個人資料(、確認密碼)與簽章值通過伺服器120的驗證,則伺服器120可以產生驗證信物(步驟231)。在本實施例中,假設伺服器120可以透過隨機的方式產生驗證信物中的驗證值,並可以在驗證信物加入表示有效期限的時間戳,同時,伺服器120也可以將所接收到之個人資料中的使用者識別資料、所接收到的確認密碼與所產生之驗證信物做為一筆資料儲存到資料對應表中。If the personal data (, confirmation password) and the signature value have not passed the verification of the server 120, then the server 120 may not generate a prompt message, and may send the generated prompt message back to the first client 110, so that the first client The terminal 110 displays the prompt message generated by the server 120; and if the personal data (and confirmation password) and the signature value are verified by the server 120, the server 120 can generate a verification token (step 231). In this embodiment, it is assumed that the server 120 can randomly generate the verification value in the verification token, and can add a time stamp indicating the validity period to the verification token. At the same time, the server 120 can also send the received personal data The user identification data, the received confirmation password and the generated verification token are stored in the data correspondence table as a piece of data.

在伺服器120產生驗證信物後,伺服器120可以產生編碼訊息,並可以將所產生之編碼訊息傳送到第一客戶端110(步驟235)。在本實施例中,假設伺服器120可以產生記錄有接收自第一客戶端110之個人資料、所產生之驗證信物、及伺服器120之連線資訊的編碼訊息,且編碼訊息以QR code呈現。After the server 120 generates the verification token, the server 120 can generate an encoded message, and can send the generated encoded message to the first client 110 (step 235 ). In this embodiment, it is assumed that the server 120 can generate a coded message that records the personal data received from the first client 110, the generated verification token, and the connection information of the server 120, and the coded message is presented in a QR code .

在第一客戶端110接收到伺服器120所傳送的編碼訊息後,第二客戶端130可以透過第一客戶端110取得伺服器120所產生的編碼訊息(步驟240)。在本實施例中,假設第一客戶端110可以透過所包含的觸控螢幕等顯示模組顯示接收自伺服器120的編碼訊息,第二客戶端130可以透過所包含的影像擷取模組(如攝影鏡頭與感光元件)擷取第一客戶端110所顯示的編碼訊息。After the first client 110 receives the encoded message sent by the server 120 , the second client 130 can obtain the encoded message generated by the server 120 through the first client 110 (step 240 ). In this embodiment, it is assumed that the first client 110 can display the coded information received from the server 120 through the included display module such as a touch screen, and the second client 130 can display the encoded information received from the server 120 through the included image capture module ( Such as a camera lens and a photosensitive element) to capture the coded information displayed by the first client 110 .

在第二客戶端130取得伺服器120所產生的編碼訊息後,第二客戶端130可以解碼所取得的編碼訊息以取得編碼訊息所包含之個人資料、驗證信物、及連線資訊,並可以依據連線資訊將驗證信物與全部或部分之個人資料傳送到伺服器120(步驟250)。在本實施例中,假設第二客戶端130可以在解碼編碼訊息後取得以URL Scheme方式記載的資料,則第二客戶端130可以依據URL Scheme中之應用程式識別標誌(identifier)取得對應之應用程式名稱並顯示如「第3A圖」之使用者介面310,當使用者點擊使用者介面310中之「開啟APP」的區塊311時,開啟相對應的應用程式,並透過第二客戶端130的作業系統將個人資料、驗證信物、連線資訊做為參數傳送給被開啟的應用程式,使得被開啟的應用程式在被第二客戶端130執行後可以依據連線資訊將個人資料中的使用者識別資料與驗證信物傳送給伺服器120。After the second client 130 obtains the encoded message generated by the server 120, the second client 130 can decode the obtained encoded message to obtain the personal data, verification token, and connection information contained in the encoded message, and can according to The connection information sends the verification token and all or part of the personal data to the server 120 (step 250). In this embodiment, assuming that the second client 130 can obtain the data recorded in URL Scheme after decoding the encoded message, the second client 130 can obtain the corresponding application according to the application identifier in the URL Scheme. The name of the program is displayed on the user interface 310 as in "Figure 3A". When the user clicks on the block 311 of "Open APP" in the user interface 310, the corresponding application program is opened, and through the second client 130 The operating system sends the personal data, verification token, and connection information as parameters to the opened application program, so that the opened application program can use the personal data according to the connection information after being executed by the second client 130. The user identification data and verification token are sent to the server 120.

在伺服器120接收到第二客戶端130所傳送的個人資料與驗證信物後,可以確認所接收到的驗證信物(步驟260)。在本實施例中,假設伺服器120可以依據所接收到之個人資料中的使用者識別資料由資料對應表中讀出被儲存為同一筆資料的驗證信物,並可以比對所讀出之驗證信物與所接收到的驗證信物是否相同,若兩驗證信物相同,則伺服器120可以確認所接收到的驗證信物有效,反之,伺服器120可以確認驗證信物無效。伺服器120也可以確認驗證信物是否被記錄為已接收,若是,則伺服器120可以確認所接收到的驗證信物無效。另外,伺服器120也可以在比對所讀出之驗證信物與所接收到的驗證信物相同後,判斷驗證信物所包含之有效期限是否早於當前時間,若是,則伺服器120可以確認驗證信物無效,若否,則伺服器120可以確認驗證信物有效,或伺服器120可以進一步判斷驗證信物中的驗證值是否曾經被驗證,也就是判斷伺服器120是否曾經接收過包含相同驗證值的驗證信物,若是,則伺服器120可以確認驗證信物無效,若否,則伺服器120可以確認驗證信物有效。After the server 120 receives the personal data and the verification token sent by the second client 130 , it can confirm the received verification token (step 260 ). In this embodiment, it is assumed that the server 120 can read the verification token stored as the same data from the data correspondence table according to the user identification data in the received personal data, and can compare the read verification tokens. Whether the token is the same as the received verification token, if the two verification tokens are the same, the server 120 can confirm that the received verification token is valid, otherwise, the server 120 can confirm that the verification token is invalid. The server 120 can also confirm whether the verification token is recorded as received, and if so, the server 120 can confirm that the received verification token is invalid. In addition, the server 120 can also determine whether the validity period contained in the verification token is earlier than the current time after comparing the read verification token with the received verification token, and if so, the server 120 can confirm the verification token Invalid, if not, then the server 120 can confirm that the verification token is valid, or the server 120 can further judge whether the verification value in the verification token has been verified, that is, determine whether the server 120 has ever received a verification token that contains the same verification value , if yes, the server 120 can confirm that the verification token is invalid; if not, the server 120 can confirm that the verification token is valid.

若伺服器120確認所接收到的驗證信物無效,則伺服器120可以產生表示驗證信物無效的確認結果訊息,並可以將所產生的確認結果訊息傳送至第二客戶端130;而若伺服器120確認驗證信物有效,則第二客戶端130可以輸入驗證密碼,並可以將所輸入的驗證密碼傳送到伺服器120(步驟270)。在本實施例中,假設伺服器120可以在確認驗證信物是否有效後產生表示驗證信物有效或無效的確認結果訊息,並可以將所產生的確認結果訊息傳送到第二客戶端130,第二客戶端130所執行之先前被開啟的應用程式可以在接收到確認結果訊息後,判斷確認結果訊息表示驗證信物無效時,顯示與確認結果訊息對應的提示訊息,或可以在判斷確認結果訊息表示驗證信物有效時,提供包含所接收到之個人資料中的使用者識別資料之密碼輸入介面320(如「第3B圖」所示)給使用者,使得使用者透過第二客戶端130將驗證密碼輸入到第二客戶端130所執行的應用程式中。If the server 120 confirms that the received verification token is invalid, the server 120 can generate a confirmation result message indicating that the verification token is invalid, and can send the generated confirmation result message to the second client 130; and if the server 120 After confirming that the verification token is valid, the second client 130 may input the verification password, and transmit the input verification password to the server 120 (step 270 ). In this embodiment, it is assumed that the server 120 can generate a confirmation result message indicating that the verification token is valid or invalid after confirming whether the verification token is valid, and can transmit the generated confirmation result message to the second client 130, the second client The previously opened application program executed by the terminal 130 may display a prompt message corresponding to the confirmation result message when it determines that the confirmation result message indicates that the verification token is invalid after receiving the confirmation result message, or may display a prompt message corresponding to the confirmation result message when the confirmation result message indicates that the verification token is invalid. When valid, provide the user with a password input interface 320 (as shown in "Figure 3B") containing the user identification data in the received personal data, so that the user can input the verification password into the In the application program executed by the second client 130 .

在伺服器120接收到第二客戶端130所傳送的驗證密碼後,伺服器120可以比對接收自第二客戶端130的驗證密碼與接收自第一客戶端110的確認密碼,並可以依據比對結果確認使用者身分(步驟280)。在本實施例中,假設伺服器120可以依據所接收到之驗證信物中的驗證值由資料對應表中讀出相對應(被儲存為同一筆資料)的確認密碼,並比對所接收到的驗證密碼與所讀出的確認密碼,當驗證密碼與確認密碼不同時,伺服器120可以產生相對應之身分確認訊息並傳送所產生之身分確認訊息給第二客戶端130(及第一客戶端110),使得第二客戶端130(與第一客戶端110)依據伺服器120所產生的身分確認訊息顯示相對應的提示訊息;而若驗證密碼與確認密碼相同,則伺服器120可以確認使用者的身分正確,也就是判斷第一客戶端110與第二客戶端130的使用者相同,伺服器120可以產生相對應的身分確認訊息,並可以將所產生之身分確認訊息傳送給第二客戶端130。After the server 120 receives the verification password sent by the second client 130, the server 120 can compare the verification password received from the second client 130 with the confirmation password received from the first client 110, and can The user identity is confirmed against the result (step 280). In this embodiment, it is assumed that the server 120 can read the corresponding confirmation password (stored as the same data) from the data correspondence table according to the verification value in the received verification token, and compare the received The verification password and the read confirmation password, when the verification password is different from the confirmation password, the server 120 can generate a corresponding identity confirmation message and send the generated identity confirmation message to the second client 130 (and the first client 110), so that the second client 130 (and the first client 110) display a corresponding prompt message according to the identity confirmation message generated by the server 120; and if the verification password is the same as the confirmation password, the server 120 can confirm the use of If the identity of the user is correct, that is, it is judged that the users of the first client 110 and the second client 130 are the same, the server 120 can generate a corresponding identity confirmation message, and can send the generated identity confirmation message to the second client End 130.

如此,透過本發明,第二客戶端130便可以經由第一客戶端110與伺服器確認使用者的身分。In this way, through the present invention, the second client 130 can confirm the identity of the user through the first client 110 and the server.

上述實施例中,在第二客戶端130接收到伺服器120所傳送的身分確認訊息後,若身分確認訊息表示使用者身分正確,則第二客戶端130可以執行使用者欲執行的作業,如「第2B圖」之流程所示,第二客戶端130可以依據所接收到之個人資料與使用者所輸入之驗證密碼向憑證伺服器申請數位憑證(步驟290)。In the above embodiment, after the second client 130 receives the identity confirmation message sent by the server 120, if the identity confirmation message indicates that the user's identity is correct, then the second client 130 can execute the operation that the user wants to perform, such as As shown in the flow of "FIG. 2B", the second client 130 can apply for a digital certificate from the certificate server according to the received personal information and the verification password input by the user (step 290).

另外,上述實施例也可以如「第2C圖」所示之流程,在伺服器120產生驗證信物(步驟231)之前或之後,伺服器120可以產生認證資料(步驟233),例如流水號。之後,伺服器120可以產生包含連線資訊、個人資料與驗證信物的編碼訊息並傳送編碼訊息到第一客戶端110(步驟235),使得第二客戶端130可以透過第一客戶端110取得編碼訊息(步驟240)。In addition, the above embodiment can also be shown in the process shown in "Fig. 2C", before or after the server 120 generates the verification token (step 231), the server 120 can generate authentication data (step 233), such as a serial number. Afterwards, the server 120 can generate a coded message including connection information, personal data and verification token and send the coded message to the first client 110 (step 235), so that the second client 130 can obtain the code through the first client 110 message (step 240).

接著,第二客戶端130並可以解碼編碼訊息以取得連線資訊、個人資料與驗證信物,及可以依據連線資訊將個人資料與驗證信物傳送到伺服器120(步驟250),進而讓伺服器120可以在確認驗證信物(步驟260)後,傳送先前所產生的認證資料到第二客戶端130(步驟265),如此,第二客戶端130可以在接收到伺服器120所傳送的認證資料後輸入驗證密碼,並可以將所輸入的驗證密碼及所接收到的認證資料傳送到伺服器120(步驟275)。Then, the second client 130 can decode the coded message to obtain connection information, personal data and verification token, and can transmit the personal data and verification token to the server 120 according to the connection information (step 250), so that the server 120 can send the previously generated authentication information to the second client 130 after confirming the verification token (step 260) (step 265), so that the second client 130 can receive the authentication information sent by the server 120 Input the verification password, and transmit the input verification password and the received authentication information to the server 120 (step 275 ).

伺服器120在接收到第二客戶端130所傳送之驗證密碼與認證資料後,可以比對接收到的認證資料是否與所傳送的認證資料相同,當兩認證資料相同時,伺服器120可以比對所接收到的驗證密碼與所讀出的確認密碼以確認使用者身分(步驟280)。After the server 120 receives the verification password and authentication information sent by the second client 130, it can compare whether the received authentication information is the same as the authentication information sent. When the two authentication information are the same, the server 120 can compare Verify the identity of the user with the received verification password and the read confirmation password (step 280 ).

綜上所述,可知本發明與先前技術之間的差異在於具有由伺服器驗證第一客戶端對個人資料簽章所產生之簽章值後產生編碼訊息並傳回第一客戶端,第二客戶端透過第一客戶端取得編碼訊息後,解碼編碼訊息以取得連線資訊、個人資料與驗證信物,並依據連線資訊傳送個人資料與驗證信物至伺服器,使伺服器確認驗證信物,且比對第一客戶端所輸入之確認資料與第二客戶端在驗證信物通過確認後所輸入驗證密碼以確認使用者身分之技術手段,藉由此一技術手段可以來解決先前技術所存在申請電子憑證需要申請人親自臨櫃以確認身分而造成申請人不便的問題,進而達成以電子憑證確認不同裝置之使用者相同的技術功效。To sum up, it can be seen that the difference between the present invention and the prior art lies in that after the server verifies the signature value generated by the personal data signature of the first client, an encoded message is generated and sent back to the first client, and the second After the client obtains the encoded message through the first client, it decodes the encoded message to obtain connection information, personal data and verification token, and sends the personal data and verification token to the server according to the connection information, so that the server confirms the verification token, and Compare the confirmation data entered by the first client with the verification password entered by the second client after the token is verified to confirm the user's identity. This technical method can solve the problem of electronic application in the prior art. The certificate requires the applicant to personally visit the counter to confirm the identity, which causes inconvenience to the applicant, and then achieves the same technical effect of using electronic certificates to confirm users of different devices.

再者,本發明之透過驗證有效憑證在不同裝置上確認身分之方法,可實現於硬體、軟體或硬體與軟體之組合中,亦可在電腦系統中以集中方式實現或以不同元件散佈於若干互連之電腦系統的分散方式實現。Furthermore, the method for confirming identity on different devices by verifying valid certificates of the present invention can be implemented in hardware, software, or a combination of hardware and software, and can also be implemented in a centralized manner in a computer system or distributed with different components Implemented in a decentralized manner over several interconnected computer systems.

雖然本發明所揭露之實施方式如上,惟所述之內容並非用以直接限定本發明之專利保護範圍。任何本發明所屬技術領域中具有通常知識者,在不脫離本發明所揭露之精神和範圍的前提下,對本發明之實施的形式上及細節上作些許之更動潤飾,均屬於本發明之專利保護範圍。本發明之專利保護範圍,仍須以所附之申請專利範圍所界定者為準。Although the embodiments disclosed in the present invention are as above, the content described is not intended to directly limit the scope of protection of the present invention. Anyone with ordinary knowledge in the technical field of the present invention, without departing from the spirit and scope disclosed in the present invention, makes some changes and modifications to the form and details of the implementation of the present invention, all of which belong to the patent protection of the present invention scope. The scope of patent protection of the present invention shall still be defined by the scope of the attached patent application.

110:第一客戶端 120:伺服器 130:第二客戶端 310:使用者介面 311:區塊 320:密碼輸入介面 步驟210:第一客戶端輸入個人資料及確認密碼,並對個人資料簽章以產生簽章值 步驟220:第一客戶端傳送個人資料與簽章值至伺服器,伺服器驗證個人資料與簽章值 步驟231:伺服器於個人資料與簽章值通過驗證後產生驗證信物 步驟233:伺服器產生認證資料 步驟235:伺服器產生包含個人資料、驗證信物及連線資訊之編碼訊息,並傳送編碼訊息給第一客戶端 步驟240:第二客戶端透過第一客戶端取得編碼訊息 步驟250:第二客戶端解碼編碼訊息以依據連線資訊傳送個人資料與驗證信物至伺服器 步驟260:伺服器確認驗證信物 步驟265:伺服器傳送認證資料至第二客戶端 步驟270:第二客戶端於驗證信物通過伺服器確認後輸入驗證密碼,並傳送驗證密碼至伺服器 步驟275:第二客戶端於接收到認證資料後輸入驗證密碼,並傳送驗證密碼及認證資料至伺服器 步驟280:伺服器比對驗證密碼與確認密碼以確認使用者身分 步驟290:第二客戶端於伺服器判斷驗證密碼與確認密碼相同時,使用個人資料及驗證密碼申請數位憑證 110: The first client 120: server 130: Second client 310: user interface 311: block 320: password input interface Step 210: the first client enters the personal data and confirms the password, and signs the personal data to generate a signature value Step 220: The first client sends the personal data and signature value to the server, and the server verifies the personal data and signature value Step 231: The server generates a verification token after the personal data and the signature value are verified Step 233: The server generates authentication information Step 235: The server generates a coded message including personal data, verification token and connection information, and sends the coded message to the first client Step 240: The second client obtains the encoded message through the first client Step 250: The second client decodes the encoded message to send the personal data and verification token to the server according to the connection information Step 260: The server confirms the authentication token Step 265: The server sends the authentication data to the second client Step 270: The second client enters the verification password after the verification token is confirmed by the server, and sends the verification password to the server Step 275: The second client enters the verification password after receiving the verification data, and sends the verification password and verification data to the server Step 280: The server compares the verification password and the confirmation password to confirm the user identity Step 290: When the server determines that the verification password is the same as the confirmation password, the second client uses the personal information and the verification password to apply for a digital certificate

第1圖為本發明所提之透過驗證有效憑證在不同裝置上確認身分之系統架構圖。 第2A圖為本發明所提之透過驗證有效憑證在不同裝置上確認身分之方法流程圖。 第2B圖為本發明所提之透過驗證有效憑證在不同裝置上確認身分之附加方法流程圖。 第2C圖為本發明所提之伺服器確認使用者身分之詳細方法流程圖。 第3A圖為本發明實施例所提之開啟應用程式操作畫面之示意圖。 第3B圖為本發明實施例所提之驗證密碼輸入畫面之示意圖。 Figure 1 is a system architecture diagram of the present invention for verifying identities on different devices through verification of valid certificates. FIG. 2A is a flow chart of a method for verifying identities on different devices by verifying valid credentials proposed by the present invention. FIG. 2B is a flow chart of an additional method for verifying identities on different devices by verifying valid credentials proposed by the present invention. FIG. 2C is a detailed flow chart of the method for confirming the identity of the user by the server proposed in the present invention. FIG. 3A is a schematic diagram of an operation screen for opening an application program according to an embodiment of the present invention. FIG. 3B is a schematic diagram of the verification password input screen proposed by the embodiment of the present invention.

步驟210:第一客戶端輸入個人資料及確認密碼,並對個人資料簽章以產生簽章值 Step 210: the first client enters the personal data and confirms the password, and signs the personal data to generate a signature value

步驟220:第一客戶端傳送個人資料與簽章值至伺服器,伺服器驗證個人資料與簽章值 Step 220: The first client sends the personal data and signature value to the server, and the server verifies the personal data and signature value

步驟231:伺服器於個人資料與簽章值通過驗證後產生驗證信物 Step 231: The server generates a verification token after the personal data and the signature value are verified

步驟235:伺服器產生包含個人資料、驗證信物及連線資訊之編碼訊息,並傳送編碼訊息給第一客戶端 Step 235: The server generates a coded message including personal data, verification token and connection information, and sends the coded message to the first client

步驟240:第二客戶端透過第一客戶端取得編碼訊息 Step 240: The second client obtains the encoded message through the first client

步驟250:第二客戶端解碼編碼訊息以依據連線資訊傳送個人資料與驗證信物至伺服器 Step 250: The second client decodes the encoded message to send the personal data and verification token to the server according to the connection information

步驟260:伺服器確認驗證信物 Step 260: The server confirms the authentication token

步驟270:第二客戶端於驗證信物通過伺服器確認後輸入驗證密碼,並傳送驗證密碼至伺服器 Step 270: The second client enters the verification password after the verification token is confirmed by the server, and sends the verification password to the server

步驟280:伺服器比對驗證密碼與確認密碼以確認使用者身分 Step 280: The server compares the verification password and the confirmation password to confirm the user identity

Claims (10)

一種透過驗證有效憑證在不同裝置上確認身分之系統,該系統至少包含:一第一客戶端,用以輸入一個人資料及一確認密碼,並對該個人資料簽章以產生一簽章值;一伺服器,用以接收該第一客戶端所傳送之該個人資料、該確認密碼與該簽章值,並驗證該個人資料與該簽章值,及用以於該個人資料與該簽章值通過驗證後,產生一驗證信物與一編碼訊息,及傳送該編碼訊息給該第一客戶端,其中,該編碼訊息包含該第一客戶端所輸入之該個人資料、該伺服器所產生之該驗證信物、及該伺服器之一連線資訊;及一第二客戶端,用以透過該第一客戶端取得該伺服器產生之該編碼訊息,並解碼該編碼訊息以取得該第一客戶端所輸入之該個人資料、該伺服器所產生之該驗證信物、及該伺服器之該連線資訊,及依據該連線資訊傳送該個人資料與該驗證信物至該伺服器,使該伺服器確認該驗證信物,及用以於該驗證信物通過該伺服器確認後輸入一驗證密碼,並傳送該驗證密碼至該伺服器,使該伺服器比對該驗證密碼與該確認密碼以判斷該第一客戶端與該第二客戶端之使用者是否相同。 A system for confirming identities on different devices by verifying valid certificates, the system at least includes: a first client for inputting a personal data and a confirmation password, and signing the personal data to generate a signature value; The server is used to receive the personal data, the confirmation password and the signature value sent by the first client, verify the personal data and the signature value, and use the personal data and the signature value After passing the verification, generate a verification token and a coded message, and send the coded message to the first client, wherein the coded message includes the personal data input by the first client, the verification token, and connection information of the server; and a second client, used to obtain the coded message generated by the server through the first client, and decode the coded message to obtain the first client The inputted personal data, the verification token generated by the server, and the connection information of the server, and sending the personal data and the verification token to the server according to the connection information, so that the server Confirm the verification token, and input a verification password after the verification token is confirmed by the server, and send the verification password to the server, so that the server compares the verification password with the confirmation password to determine the Whether the users of the first client and the second client are the same. 如請求項1所述之透過驗證有效憑證在不同裝置上確認身分之系統,其中該第二客戶端更用以於該伺服器判斷該驗證密碼與該確認密碼相同時,使用該個人資料及該驗證密碼申請數位憑證。 The system for verifying identities on different devices by verifying valid certificates as described in Claim 1, wherein the second client is further used to use the personal data and the Verify the password to apply for a digital certificate. 如請求項1所述之透過驗證有效憑證在不同裝置上確認身分之系統,其中該伺服器更用以於產生該驗證信物時產生並儲存一認證資料,及於 確認該驗證信物後,讀取並傳送該認證資料至該第二客戶端,該第二客戶端更用以傳送該驗證密碼及該認證資料至該伺服器,使該伺服器依據該認證資料讀出該確認密碼以比對該驗證密碼。 The system for verifying identity on different devices by verifying valid certificates as described in Claim 1, wherein the server is further used to generate and store an authentication data when generating the verification token, and in After confirming the authentication token, read and send the authentication information to the second client, and the second client is further used to send the authentication password and the authentication information to the server, so that the server can read the authentication information based on the authentication information. Output the confirmation password to compare with the verification password. 如請求項1所述之透過驗證有效憑證在不同裝置上確認身分之系統,其中該第二客戶端是擷取該第一客戶端所顯示之該編碼訊息、接收該第一客戶端所推播之該編碼訊息、依據與該第一客戶端約定之勾稽值至該伺服器下載該編碼訊息、透過電子郵件或即時訊息接收該第一客戶端所傳送之該編碼訊息、或透過跨應用程式(cross APP)之方式接收該編碼訊息以透過該第一客戶端取得該編碼訊息。 The system for confirming identities on different devices by verifying valid certificates as described in Claim 1, wherein the second client retrieves the coded message displayed by the first client and receives the push broadcast by the first client the coded message, download the coded message from the server according to the hook value agreed with the first client, receive the coded message sent by the first client via email or instant message, or pass the cross-application ( cross APP) to receive the coded message to obtain the coded message through the first client. 如請求項1所述之透過驗證有效憑證在不同裝置上確認身分之系統,其中該伺服器是確認該驗證信物是否存在、該驗證信物之有效期限是否有效、及/或該驗證信物是否已被確認以確認該驗證信物。 The system for confirming identity on different devices by verifying a valid certificate as described in Claim 1, wherein the server is to confirm whether the verification token exists, whether the validity period of the verification token is valid, and/or whether the verification token has been Confirm to confirm the verification token. 一種透過驗證有效憑證在不同裝置上確認身分之方法,該方法至少包含下列步驟:一第一客戶端輸入一個人資料及一確認密碼,並對該個人資料簽章以產生一簽章值;該第一客戶端傳送該個人資料、該確認密碼與該簽章值至一伺服器,該伺服器驗證該個人資料與該簽章值;該伺服器於該個人資料與該簽章值通過驗證後,產生一驗證信物;該伺服器產生包含該第一客戶端所輸入之該個人資料、該伺服器所產生之該驗證信物、及該伺服器之一連線資訊之一編碼訊息,並傳送該編碼訊息給該第一客戶端; 一第二客戶端透過該第一客戶端取得該伺服器產生之該編碼訊息;該第二客戶端解碼該編碼訊息以取得該第一客戶端所輸入之該個人資料、該伺服器所產生之該驗證信物、及該伺服器之該連線資訊,並依據該連線資訊傳送該個人資料與該驗證信物至該伺服器,使該伺服器確認該驗證信物;該第二客戶端於該驗證信物通過該伺服器確認後輸入一驗證密碼,並傳送該驗證密碼至該伺服器;及該伺服器比對該驗證密碼與該確認密碼以判斷該第一客戶端與該第二客戶端之使用者是否相同。 A method for confirming identities on different devices by verifying valid certificates, the method at least includes the following steps: a first client enters a personal data and a confirmation password, and signs the personal data to generate a signature value; A client sends the personal data, the confirmation password and the signature value to a server, and the server verifies the personal data and the signature value; after the personal data and the signature value are verified by the server, Generate a verification token; the server generates a coded message including the personal data input by the first client, the verification token generated by the server, and the connection information of the server, and transmits the code send a message to the first client; A second client obtains the encoded message generated by the server through the first client; the second client decodes the encoded message to obtain the personal data input by the first client, the information generated by the server The verification token, and the connection information of the server, and send the personal data and the verification token to the server according to the connection information, so that the server can confirm the verification token; Enter a verification password after the token is confirmed by the server, and send the verification password to the server; and the server compares the verification password with the confirmation password to determine the use of the first client and the second client are the same. 如請求項6所述之透過驗證有效憑證在不同裝置上確認身分之方法,其中該方法於該伺服器比對該驗證密碼與該確認密碼之步驟後,更包含該第二客戶端於該伺服器判斷該驗證密碼與該確認密碼相同時,使用該個人資料及該驗證密碼申請數位憑證之步驟。 The method for confirming identity on different devices by verifying a valid certificate as described in claim 6, wherein the method further includes the second client on the server after the step of comparing the verification password with the confirmation password at the server When the device judges that the verification password is the same as the confirmation password, use the personal information and the verification password to apply for a digital certificate. 如請求項6所述之透過驗證有效憑證在不同裝置上確認身分之方法,其中該方法於該伺服器於產生該驗證信物之步驟後,更包含伺服器產生一認證資料之步驟,且該方法於該伺服器確認該驗證信物之步驟後,更包含伺服器傳送該認證資料至該第二客戶端,該第二客戶端傳送該驗證密碼及該認證資料至該伺服器之步驟。 The method for confirming identity on different devices by verifying a valid certificate as described in Claim 6, wherein the method further includes a step for the server to generate an authentication data after the step for the server to generate the verification token, and the method After the server confirms the verification token, it further includes the server sending the verification data to the second client, and the second client sending the verification password and the verification data to the server. 如請求項6所述之透過驗證有效憑證在不同裝置上確認身分之方法,其中該第二客戶端透過該第一客戶端取得該編碼訊息之步驟為該第二客戶端擷取該第一客戶端所顯示之該編碼訊息、該第一客戶端推播該編碼訊息至該第二客戶端、該第二客戶端依據與該第一客戶端約定之勾稽值至該伺服器下 載該編碼訊息、該第一客戶端透過電子郵件或即時訊息將該編碼訊息傳送給第二客戶端、或透過跨應用程式之方式將該編碼訊息由該第一客戶端傳送到該第二客戶端。 The method for confirming identity on different devices by verifying a valid certificate as described in Claim 6, wherein the step of obtaining the coded message by the second client through the first client is for the second client to obtain the first client The coded message displayed on the terminal, the first client pushes the coded message to the second client, and the second client sends the coded message to the server according to the hook value agreed with the first client. carry the encoded message, the first client transmits the encoded message to the second client via email or instant message, or transmits the encoded message from the first client to the second client in a cross-application manner end. 如請求項6所述之透過驗證有效憑證在不同裝置上確認身分之方法,其中該伺服器確認該驗證信物之步驟為確認該驗證信物是否存在、該驗證信物之有效期限是否有效、及/或該驗證信物是否已被確認。 The method for confirming identity on different devices by verifying a valid certificate as described in claim item 6, wherein the step of confirming the verification token by the server is to confirm whether the verification token exists, whether the validity period of the verification token is valid, and/or Whether the verification token has been confirmed.
TW110126374A 2021-07-19 2021-07-19 System for confirming identity on different devices by verifying valid certification and method thereof TWI803907B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110126374A TWI803907B (en) 2021-07-19 2021-07-19 System for confirming identity on different devices by verifying valid certification and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW110126374A TWI803907B (en) 2021-07-19 2021-07-19 System for confirming identity on different devices by verifying valid certification and method thereof

Publications (2)

Publication Number Publication Date
TW202305627A TW202305627A (en) 2023-02-01
TWI803907B true TWI803907B (en) 2023-06-01

Family

ID=86661354

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110126374A TWI803907B (en) 2021-07-19 2021-07-19 System for confirming identity on different devices by verifying valid certification and method thereof

Country Status (1)

Country Link
TW (1) TWI803907B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI614636B (en) * 2013-06-10 2018-02-11 Jie Chen Content verification method based on digital signature code
WO2018198036A1 (en) * 2017-04-24 2018-11-01 Just Log Me S.R.L. Authentication system and identity management without password by single-use qr code and related method
TW201905688A (en) * 2013-09-12 2019-02-01 美商波音公司 A device that authorizes operations to be performed on a target computing device
TW201935301A (en) * 2018-02-06 2019-09-01 美商Nb研究有限責任公司 System and method for securing a resource
TWM620550U (en) * 2021-07-19 2021-12-01 臺灣網路認證股份有限公司 System for verifying identity on different devices by verifying valid certificates

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI614636B (en) * 2013-06-10 2018-02-11 Jie Chen Content verification method based on digital signature code
TW201905688A (en) * 2013-09-12 2019-02-01 美商波音公司 A device that authorizes operations to be performed on a target computing device
WO2018198036A1 (en) * 2017-04-24 2018-11-01 Just Log Me S.R.L. Authentication system and identity management without password by single-use qr code and related method
TW201935301A (en) * 2018-02-06 2019-09-01 美商Nb研究有限責任公司 System and method for securing a resource
TWM620550U (en) * 2021-07-19 2021-12-01 臺灣網路認證股份有限公司 System for verifying identity on different devices by verifying valid certificates

Also Published As

Publication number Publication date
TW202305627A (en) 2023-02-01

Similar Documents

Publication Publication Date Title
US8681642B2 (en) Equipment-information transmitting apparatus, service control apparatus, equipment-information transmitting method, and computer products
US6988196B2 (en) Computer system and method for generating a digital certificate
US9667626B2 (en) Network authentication method and device for implementing the same
TWM539667U (en) System of online credentials application for network transaction via carrier
TWI644276B (en) System for opening account and applying mobile banking account online and method thereof
TW202040385A (en) System for using device identification to identify via telecommunication server and method thereof
CN102045335A (en) Terminal device, signature generation server, simple id management system, simple id management method, and program
TWM601411U (en) System for digital account application by using ATM to obtain authentication
CN104301288A (en) Method and system for online identity authentication, online transaction certification, and online certification protection
TWM594186U (en) Device and system combining online rapid authentication and public key infrastructure to identify identity
TWM620550U (en) System for verifying identity on different devices by verifying valid certificates
TWM539668U (en) System for opening account online and applying for mobile banking
TWM618726U (en) System for verifying identity on different devices based on certificates and verification data
TWM592629U (en) System to obtain appended data and execute corresponding operation when identity is confirmed
TWI803907B (en) System for confirming identity on different devices by verifying valid certification and method thereof
TWI831029B (en) System for confirming identity on different devices by verifying certification and verification code and method thereof
TWI720738B (en) System for combining architectures of fido and pki to identity user and method thereof
TWM609003U (en) System for transferring to client end to continue operation after confirming the identity on the public equipment
TWM588313U (en) System for confirming user identity through financial account information
TWM583978U (en) System of using physical carrier to store digital certificate for performing online transaction
TWI729535B (en) System for using financial account to confirm identity and method thereof
TWM586390U (en) A system for performing identity verification according to the service instruction to execute the corresponding service
TWI790495B (en) System for driving smart card by third-party device for identity verification and method thereof
TWI784339B (en) System for changing to client to continue operations after confirming identity on public device and method thereof
TWI691859B (en) System for identifying according to instruction to execute service and method thereof