TWI803907B - System for confirming identity on different devices by verifying valid certification and method thereof - Google Patents
System for confirming identity on different devices by verifying valid certification and method thereof Download PDFInfo
- Publication number
- TWI803907B TWI803907B TW110126374A TW110126374A TWI803907B TW I803907 B TWI803907 B TW I803907B TW 110126374 A TW110126374 A TW 110126374A TW 110126374 A TW110126374 A TW 110126374A TW I803907 B TWI803907 B TW I803907B
- Authority
- TW
- Taiwan
- Prior art keywords
- client
- server
- verification
- password
- personal data
- Prior art date
Links
Images
Abstract
Description
一種身分驗證系統及其方法,特別係指一種透過驗證有效憑證在不同裝置上確認身分之系統及方法。An identity verification system and method thereof, in particular to a system and method for confirming identity on different devices by verifying valid certificates.
電子憑證,又稱為數位憑證,是一種用於電腦系統的身分識別機制。電子憑證是身份認證機構加在數位身份證上的一個簽名,這一行為表示身份認證機構已認定擁有數位身分證的使用者。電子憑證是一個或一組電腦檔案,其中記載了擁有人的身份資料及一組公開資料(公鑰),其中公鑰對應一組專屬於電子憑證之擁有人的私鑰。電子憑證的擁有人可透過私鑰向電腦系統認證自己的身分,從而存取或使用某一特定的電腦服務。Electronic credentials, also known as digital credentials, are an identification mechanism used in computer systems. An electronic certificate is a signature added to a digital ID card by an identity authentication agency, which means that the identity authentication agency has identified the user who has a digital ID card. An electronic certificate is one or a group of computer files, which record the owner's identity information and a set of public information (public key), where the public key corresponds to a set of private keys exclusive to the owner of the electronic certificate. The owner of the electronic certificate can authenticate his identity to the computer system through the private key, so as to access or use a specific computer service.
近年來由於網路服務的普及,網路上的身分識別方式益發重要,目前在網路上進行身分識別的主要方式之一為使用電子憑證。然而,目前電子憑證的申請過程都需要進行身分確認,也就是要申請人攜帶身分證明文件親自到申請電子憑證之業務的櫃檯辦理,一旦申請人因為個人因素或是環境因素不方便親自臨櫃辦理,便無法完成電子憑證的申請,這對於電子憑證的申請人而言並不方便。In recent years, due to the popularization of network services, identification methods on the Internet have become more and more important. Currently, one of the main methods of identification on the Internet is to use electronic certificates. However, the current application process for electronic vouchers requires identity verification, that is, applicants are required to bring their identity documents to the counter of the application for electronic vouchers in person. Once the applicant is inconvenient to go to the counter for personal or environmental factors , the application for electronic vouchers cannot be completed, which is inconvenient for applicants of electronic vouchers.
綜上所述,可知先前技術中長期以來一直存在申請電子憑證需要申請人需要親自臨櫃以確認身分而造成申請人不便的問題,因此有必要提出改進的技術手段,來解決此一問題。To sum up, it can be seen that there has been a problem in the prior art for a long time that the applicant needs to go to the counter to confirm the identity in order to apply for an electronic certificate, which causes inconvenience to the applicant. Therefore, it is necessary to propose an improved technical means to solve this problem.
有鑒於先前技術存在申請電子憑證需要申請人親自臨櫃以確認身分而造成申請人不便的問題,本發明遂揭露一種透過驗證有效憑證在不同裝置上確認身分之系統及方法,其中:In view of the problem in the prior art that the applicant needs to personally visit the counter to confirm the identity of the application of the electronic certificate, which causes inconvenience to the applicant, the present invention discloses a system and method for verifying the identity on different devices through the verification of valid certificates, in which:
本發明所揭露之透過驗證有效憑證在不同裝置上確認身分之系統,至少包含:第一客戶端,用以輸入個人資料及確認密碼,並對個人資料簽章以產生簽章值;伺服器,用以接收第一客戶端所傳送之個人資料與簽章值,並驗證個人資料與簽章值,及用以於個人資料與簽章值通過驗證後,產生驗證信物,並產生包含個人資料、驗證信物、及連線資訊之編碼訊息,及傳送編碼訊息給第一客戶端;第二客戶端,用以透過第一客戶端取得編碼訊息,並解碼編碼訊息以依據連線資訊傳送個人資料與驗證信物至伺服器,使伺服器確認驗證信物,及用以於驗證信物通過伺服器確認後輸入驗證密碼,並傳送驗證密碼至伺服器,使伺服器比對驗證密碼與確認密碼以確認使用者身分。The system disclosed in the present invention for confirming identity on different devices by verifying valid certificates at least includes: a first client for inputting personal data and confirming passwords, and signing personal data to generate a signature value; a server, It is used to receive the personal data and signature value sent by the first client, and to verify the personal data and signature value, and to generate a verification token after the personal data and signature value are verified, and to generate a token containing personal data, Verify the coded message of the token and connection information, and send the coded message to the first client; the second client is used to obtain the coded message through the first client, and decode the coded message to send personal data and information based on the connection information Verify the token to the server, make the server confirm the verification token, and use it to enter the verification password after the verification token is confirmed by the server, and send the verification password to the server, so that the server compares the verification password with the confirmation password to confirm the user identity.
本發明所揭露之透過驗證有效憑證在不同裝置上確認身分之方法,其步驟至少包括:第一客戶端輸入個人資料及確認密碼,並對個人資料簽章以產生簽章值;第一客戶端傳送個人資料與簽章值至伺服器,伺服器驗證個人資料與簽章值;伺服器於個人資料與簽章值通過驗證後,產生驗證信物;伺服器產生包含個人資料、驗證信物、及連線資訊之編碼訊息,並傳送編碼訊息給第一客戶端;第二客戶端透過第一客戶端取得編碼訊息;第二客戶端解碼編碼訊息以依據連線資訊傳送個人資料與驗證信物至伺服器,使伺服器確認驗證信物;第二客戶端於驗證信物通過伺服器確認後輸入驗證密碼,並傳送驗證密碼至伺服器;伺服器比對驗證密碼與確認密碼以確認使用者身分。The method disclosed in the present invention for confirming identity on different devices by verifying valid certificates, the steps at least include: the first client enters personal data and confirms the password, and signs the personal data to generate a signature value; the first client Send the personal data and signature value to the server, and the server verifies the personal data and signature value; the server generates a verification token after the personal data and signature value are verified; the server generates a token containing personal data, verification token, and link The encoded message of the online information, and send the encoded message to the first client; the second client obtains the encoded message through the first client; the second client decodes the encoded message to send personal data and verification tokens to the server according to the connection information , so that the server confirms the verification token; the second client enters the verification password after the verification token is confirmed by the server, and sends the verification password to the server; the server compares the verification password and the confirmation password to confirm the identity of the user.
本發明所揭露之系統與方法如上,與先前技術之間的差異在於本發明透過由伺服器驗證第一客戶端對個人資料簽章所產生之簽章值後產生編碼訊息並傳回第一客戶端,第二客戶端透過第一客戶端取得編碼訊息後,解碼編碼訊息以取得連線資訊、個人資料與驗證信物,並依據連線資訊傳送個人資料與驗證信物至伺服器,使伺服器確認驗證信物,且比對第一客戶端所輸入之確認資料與第二客戶端在驗證信物通過確認後所輸入驗證密碼以確認使用者身分,藉以解決先前技術所存在的問題,並可以達成以電子憑證確認不同裝置之使用者相同的技術功效。The system and method disclosed in the present invention are as above, and the difference from the prior art is that the present invention generates an encoded message and sends it back to the first client after the server verifies the signature value generated by the personal data signature of the first client After the second client obtains the encoded message through the first client, it decodes the encoded message to obtain connection information, personal data and verification token, and sends the personal data and verification token to the server according to the connection information, so that the server can confirm Verify the token, and compare the confirmation data entered by the first client with the verification password entered by the second client after the token is verified to confirm the user's identity, so as to solve the problems existing in the prior art, and can achieve electronic Vouchers confirm the same technical performance for users of different devices.
以下將配合圖式及實施例來詳細說明本發明之特徵與實施方式,內容足以使任何熟習相關技藝者能夠輕易地充分理解本發明解決技術問題所應用的技術手段並據以實施,藉此實現本發明可達成的功效。The features and implementation methods of the present invention will be described in detail below in conjunction with the drawings and embodiments, the content is enough to enable anyone familiar with the relevant art to easily and fully understand the technical means used to solve the technical problems of the present invention and implement them accordingly, thereby realizing The effect that the present invention can achieve.
本發明可以透過伺服器驗證使用者在第一客戶端上有效憑證以讓使用者所使用之第二客戶端透過伺服器確認使用者身分。其中,本發明所提之有效憑證為可以當下通過憑證驗證伺服器(Validation Authority, VA)驗證的數位憑證,包含但不限於金融憑證、自然人憑證、工商憑證等。The present invention can verify the user's valid certificate on the first client through the server so that the second client used by the user can confirm the user's identity through the server. Among them, the valid certificate mentioned in the present invention is a digital certificate that can be verified by the certificate verification server (Validation Authority, VA), including but not limited to financial certificates, natural person certificates, business certificates, etc.
本發明所提之伺服器、第一客戶端、第二客戶端都可以是計算設備。本發明所提之計算設備包含但不限於一個或多個處理模組、一條或多條記憶體模組、以及連接不同硬體元件(包括記憶體模組和處理模組)的匯流排等硬體元件。透過所包含之多個硬體元件,計算設備可以載入並執行作業系統,使作業系統在計算設備上運行,也可以執行軟體或程式。另外,計算設備也包含一個外殼,上述之各個硬體元件設置於外殼內。The server, the first client and the second client mentioned in the present invention can all be computing devices. The computing device mentioned in the present invention includes but is not limited to one or more processing modules, one or more memory modules, and hardware such as buses connecting different hardware components (including memory modules and processing modules). body element. Through the included multiple hardware components, the computing device can load and execute the operating system, so that the operating system can run on the computing device, and can also execute software or programs. In addition, the computing device also includes a casing, and the above-mentioned hardware components are arranged in the casing.
本發明所提之計算設備的匯流排可以包含一種或多個類型,例如包含資料匯流排(data bus)、位址匯流排(address bus)、控制匯流排(control bus)、擴充功能匯流排(expansion bus)、及/或局域匯流排(local bus)等類型的匯流排。計算設備的匯流排包括但不限於的工業標準架構(Industry Standard Architecture, ISA)匯流排、周邊元件互連(Peripheral Component Interconnect, PCI)匯流排、視頻電子標準協會(Video Electronics Standards Association, VESA)局域匯流排、以及串列的通用序列匯流排(Universal Serial Bus, USB)、快速周邊元件互連(PCI Express, PCI-E/PCIe)匯流排等。The bus of the computing device mentioned in the present invention can include one or more types, such as data bus (data bus), address bus (address bus), control bus (control bus), expansion function bus ( expansion bus), and/or local bus (local bus) and other types of bus. Buses for computing devices include, but are not limited to, Industry Standard Architecture (ISA) buses, Peripheral Component Interconnect (PCI) buses, Video Electronics Standards Association (VESA) boards Domain bus, and serial universal serial bus (Universal Serial Bus, USB), fast peripheral component interconnection (PCI Express, PCI-E/PCIe) bus, etc.
本發明所提之計算設備的處理模組與匯流排耦接。處理模組包含暫存器(Register)組或暫存器空間,暫存器組或暫存器空間可以完全的被設置在處理模組之處理晶片上,或全部或部分被設置在處理晶片外並經由專用電氣連接及/或經由匯流排耦接至處理晶片。處理模組可為中央處理器、微處理器或任何合適的處理元件。若計算設備為多處理器設備,也就是計算設備包含多個處理模組,則計算設備所包含的處理模組都相同或類似,且透過匯流排耦接與通訊。處理模組可以解釋一個計算機指令或一連串的多個計算機指令以進行特定的運算或操作,例如,數學運算、邏輯運算、資料比對、複製/移動資料等,藉以驅動計算設備中的其他硬體元件或運行作業系統或執行各種程式及/或模組。The processing module of the computing device mentioned in the present invention is coupled to the bus bar. The processing module includes a register group or register space, which can be completely set on the processing chip of the processing module, or all or part of it is set outside the processing chip and coupled to the handle wafer via dedicated electrical connections and/or via bus bars. The processing module can be a central processing unit, a microprocessor or any suitable processing element. If the computing device is a multi-processor device, that is, the computing device includes multiple processing modules, the processing modules included in the computing device are all the same or similar, and are coupled and communicated through a bus. A processing module can interpret a computer instruction or a series of multiple computer instructions to perform specific calculations or operations, such as mathematical operations, logical operations, data comparison, copying/moving data, etc., to drive other hardware in the computing device components or run the operating system or execute various programs and/or modules.
計算設備中通常也包含一個或多個晶片組(Chipset)。計算設備的處理模組可以與晶片組耦接或透過匯流排與晶片組電性連接。晶片組是由一個或多個積體電路(Integrated Circuit, IC)組成,包含記憶體控制器以及周邊輸出入(I/O)控制器等,也就是說,記憶體控制器以及周邊輸出入控制器可以包含在一個積體電路內,也可以使用兩個或更多的積體電路實現。晶片組通常提供了輸出入和記憶體管理功能、以及提供多個通用及/或專用暫存器、計時器等,其中,上述之通用及/或專用暫存器與計時器可以讓耦接或電性連接至晶片組的一個或多個處理模組存取或使用。Computing devices usually also contain one or more chipsets (Chipsets). The processing module of the computing device can be coupled to the chip set or electrically connected to the chip set through a bus bar. The chipset is composed of one or more integrated circuits (Integrated Circuit, IC), including memory controllers and peripheral input/output (I/O) controllers, etc., that is, memory controllers and peripheral I/O controllers A circuit breaker can be contained in one integrated circuit or implemented using two or more integrated circuits. Chipsets usually provide input/output and memory management functions, and provide multiple general and/or special registers, timers, etc., wherein the above general and/or special registers and timers can be coupled or Accessed or used by one or more processing modules electrically connected to the chipset.
計算設備的處理模組也可以透過記憶體控制器存取安裝於計算設備上的記憶體模組和大容量儲存區中的資料。上述之記憶體模組包含任何類型的揮發性記憶體(volatile memory)及/或非揮發性(non-volatile memory, NVRAM)記憶體,例如靜態隨機存取記憶體(Static Random Access Memory, SRAM)、動態隨機存取記憶體(Dynamic Random Access Memory, DRAM)、唯讀記憶體(Read-Only Memory, ROM)、快閃記憶體(Flash memory)等。上述之大容量儲存區可以包含任何類型的儲存裝置或儲存媒體,例如,硬碟機、光碟(optical disc)、隨身碟(flash drive)、記憶卡(memory card)、固態硬碟(Solid State Disk, SSD)、或任何其他儲存裝置等。也就是說,記憶體控制器可以存取靜態隨機存取記憶體、動態隨機存取記憶體、快閃記憶體、硬碟機、固態硬碟中的資料。The processing module of the computing device can also access the data in the memory module and the mass storage area installed on the computing device through the memory controller. The above-mentioned memory modules include any type of volatile memory (volatile memory) and/or non-volatile (non-volatile memory, NVRAM) memory, such as static random access memory (Static Random Access Memory, SRAM) , Dynamic Random Access Memory (Dynamic Random Access Memory, DRAM), Read-Only Memory (Read-Only Memory, ROM), Flash memory (Flash memory), etc. The above-mentioned large-capacity storage area can include any type of storage device or storage medium, such as hard disk drive, optical disc (optical disc), flash drive (flash drive), memory card (memory card), solid state hard disk (Solid State Disk) , SSD), or any other storage device, etc. That is to say, the memory controller can access data in SRAM, DRAM, flash memory, hard disk drive, and solid-state hard disk.
計算設備的處理模組也可以透過周邊輸出入控制器經由周邊輸出入匯流排與周邊輸出裝置、周邊輸入裝置、通訊介面、及GPS接收器等周邊裝置或介面連接並通訊。周邊輸入裝置可以是任何類型的輸入裝置,例如鍵盤、滑鼠、軌跡球、觸控板、搖桿等,周邊輸出裝置可以是任何類型的輸出裝置,例如顯示器、印表機等,周邊輸入裝置與周邊輸出裝置也可以是同一裝置,例如觸控螢幕等。通訊介面可以包含無線通訊介面及/或有線通訊介面,無線通訊介面可以包含支援無線區域網路(如Wi-Fi、Zigbee等)、藍牙、紅外線、近場通訊(Near-field communication, NFC)、3G/4G/5G等行動通訊網路(蜂巢式網路)或其他無線資料傳輸協定的介面,有線通訊介面可為乙太網路裝置、DSL數據機、纜線(Cable)數據機、非同步傳輸模式(Asynchronous Transfer Mode, ATM)裝置、或光纖通訊介面及/或元件等。處理模組可以週期性地輪詢(polling)各種周邊裝置與介面,使得計算設備能夠透過各種周邊裝置與介面進行資料的輸入與輸出,也能夠與具有上面描述之硬體元件的另一個計算設備進行通訊。The processing module of the computing device can also be connected and communicated with peripheral devices or interfaces such as peripheral output devices, peripheral input devices, communication interfaces, and GPS receivers through the peripheral I/O controller via the peripheral I/O bus. The peripheral input device can be any type of input device, such as keyboard, mouse, trackball, touch pad, joystick, etc., and the peripheral output device can be any type of output device, such as display, printer, etc., peripheral input device It can also be the same device as the peripheral output device, such as a touch screen. The communication interface may include a wireless communication interface and/or a wired communication interface, and the wireless communication interface may include support for a wireless local area network (such as Wi-Fi, Zigbee, etc.), Bluetooth, infrared, near-field communication (Near-field communication, NFC), 3G/4G/5G and other mobile communication network (cellular network) or other wireless data transmission protocol interface, wired communication interface can be Ethernet device, DSL modem, cable (Cable) modem, asynchronous transmission Mode (Asynchronous Transfer Mode, ATM) device, or optical fiber communication interface and/or components, etc. The processing module can periodically poll (polling) various peripheral devices and interfaces, so that the computing device can input and output data through various peripheral devices and interfaces, and can also communicate with another computing device with the hardware components described above to communicate.
以下先以「第1圖」本發明所提之透過驗證有效憑證在不同裝置上確認身分之系統架構圖來說明本發明的系統運作。如「第1圖」所示,本發明之系統含有第一客戶端110、伺服器120、第二客戶端130。其中,第一客戶端110與伺服器120間及伺服器120與第二客戶端130間,可以透過有線或無線網路相互傳遞資料或訊號。In the following, the system architecture of the present invention will be described by using the "Fig. 1" system structure diagram of the system architecture for verifying identity on different devices through verification of valid certificates mentioned in the present invention. As shown in FIG. 1 , the system of the present invention includes a
第一客戶端110負責輸入個人資料與確認密碼。第一客戶端110所輸入之個人資料包含使用者識別資料,其中,使用者識別資料可以是使用者的身分證號、護照號碼等,但本發明並不以此為限;確認密碼則可以由一定數量的字母、數字、符號排列產生。一般而言,第一客戶端110可以提供資料輸入介面以輸入個人資料與確認密碼。The
第一客戶端110也負責使用與有效憑證中之公鑰(public key)對應的私鑰(private key)對所輸入之個人資料簽章以產生與個人資料對應的簽章值。在部分的實施例中,第一客戶端110也可以將個人資料與確認密碼做為一份組合資料並對該組合資料簽章以產生簽章值。The
第一客戶端110也負責傳送所輸入之個人資料與確認密碼、及所產生之簽章值至伺服器120,並負責接收伺服器120所傳送的編碼訊息。本發明所提之編碼訊息為可以取得伺服器120之連線方式及伺服器120所產生之一個或多個資料的資料,可以文字、條碼、或圖形的方式呈現,但本發明並不以此為限。其中,上述之取得資料的方式包含但不限於解碼編碼訊息或依據編碼訊息連線到特定目標(如特定主機或伺服器)下載。The
伺服器120負責接收第一客戶端110所傳送的個人資料、確認密碼、及簽章值,並負責驗證個人資料與簽章值。由於依據個人資料與相對應之簽章值進行驗證的方式已為習知,故本發明不再多加描述。The
伺服器120也負責在個人資料與簽章值通過驗證後,產生驗證信物(token)。伺服器120所產生的驗證信物包含驗證值,一般而言,驗證值是由伺服器120以一定方式產生,例如,隨機產生或使用當前的時間值產生等,但本發明並不以此為限。在部分的實施例中,驗證信物還可以包含時間戳,其中,時間戳可以表示當前時間或有效時間。The
伺服器120也負責產生編碼訊息,並負責將所產生的編碼訊息傳送給第一客戶端110。一般而言,伺服器120可以使用習知之各種演算法產生文字、條碼、或圖形的編碼訊息。伺服器120所產生的編碼訊息可以包含伺服器120所接收到的個人資料、伺服器120所產生的驗證信物、及伺服器120的連線資訊。連線資訊包含但不限於URI/URL Scheme及/或伺服器120所提供的API。The
在部分的實施例中,伺服器120也可以提供第一客戶端110設定與編碼訊息對應的勾稽值,並可以在接收到第二客戶端130所傳送之相同的勾稽值時,將相對應的編碼訊息傳送給第二客戶端130。In some embodiments, the
伺服器120也負責儲存所產生之驗證信物與所接收到之確認密碼。一般而言,伺服器120可以將所產生之驗證信物與認證資料做為一筆資料儲存於資料對應表中。在部分的實施例中,伺服器120也可以在產生驗證信物時,也就是在個人資料與簽章值通過驗證後,產生認證資料,並可以將所產生之驗證信物、確認密碼、及認證資料做為一筆資料儲存於資料對應表中。伺服器120產生認證資料的方式可以是隨機產生或依據流水號產生,但本發明並不以此為限,凡可以產生出具有唯一值或足以在一定時間內識別出多個特定資料的方式都可以被伺服器120用來產生認證資料。The
伺服器120也負責接收第二客戶端130所傳送的個人資料與驗證信物,並確認所接收到的驗證信物。舉例來說,伺服器120可以判斷所接收到的驗證信物是否存在於資料對應表內,若是,則伺服器120可以判斷所接收到的驗證信物通過驗證,並可以確認所接收到的驗證信物,若否,也就是資料對應表中沒有相同的驗證信物,則伺服器120可以判斷所接收到的驗證信物沒有通過驗證。伺服器120也可以判斷驗證信物是否已接收,若是,則可以判斷所接收到的驗證信物沒有通過驗證,若驗證信物未曾被接收,也就是驗證信物未被記錄為已接收,則伺服器120可以將所接收到的驗證信物記錄為已接收,並依據所接收到的驗證信物是否存在於資料對應表內判斷驗證信物是否通過驗證。The
在部分的實施例中,伺服器120在確認驗證信物時,還可以檢查所接收到之驗證信物的有效期限是否有效,即判斷驗證信物中之時間戳所表示之時間是否在有效時間內,例如,時間戳所表示之時間為產生驗證信物之當前時間時,伺服器120可以依據時間戳所表示之時間與當前時間的時間差是否在預定範圍內判斷驗證信物的有效期限是否有效,又如,時間戳所表示之時間為驗證信物的有效時間時,伺服器120可以依據時間戳所表示之時間是否晚於當前時間判斷驗證信物的有效期限是否有效,當驗證信物的有效期限有效時,伺服器120可以判斷所接收到的驗證信物沒有通過驗證,反之,伺服器120可以判斷所接收到的驗證信物沒有通過驗證;伺服器120也可以檢查驗證信物是否已被確認,即檢查驗證信物中之驗證值是否曾經接收過,若是,則伺服器120可以判斷所接收到的驗證信物沒有通過驗證,若否,則伺服器120可以判斷所接收到的驗證信物通過驗證。In some embodiments, when the
伺服器120也可以在確認驗證信物後,由資料對應表中讀取與驗證信物儲存為同一筆資料的認證資料,並將所讀出之認證資料傳送到第二客戶端130。The
伺服器120也負責接收第二客戶端130所傳送的驗證密碼,並比對所接收到的驗證密碼與先前所儲存之確認密碼以確認使用者身分,及可以產生使用者之身分確認結果並將所產生之身分確認結果傳回第二客戶端130。更詳細的,伺服器120可以由資料對應表中搜尋是否存在與驗證密碼相同的確認密碼,當存在與驗證密碼相同的確認密碼時,伺服器120可以判斷第一客戶端110與第二客戶端130的使用者相同,進而確認使用者身分,反之,當資料對應表中不存在與驗證密碼相同的確認密碼時,伺服器120可以要求第二客戶端130重新傳送驗證密碼,並可以在資料對應表中不存在與驗證密碼相同之確認密碼的次數達到預定值時,判斷第一客戶端110與第二客戶端130的使用者不同。The
在部分的實施例中,伺服器120可以在接收驗證密碼時一併接收認證資料,並可以依據所接收到的認證資料由資料對應表中讀出確認密碼,及比對所接收到之驗證密碼及所讀出之確認密碼是否相同。In some embodiments, the
第二客戶端130負責透過第一客戶端110取得伺服器120所產生的編碼訊息。更詳細的,第二客戶端130可以擷取第一客戶端110所顯示之編碼訊息、接收第一客戶端110所推播之編碼訊息、依據與第一客戶端110預先約定之勾稽值至伺服器120下載編碼訊息、透過電子郵件或即時訊息接收第一客戶端110所傳送之編碼訊息、或透過跨應用程式(cross APP)之方式接收來自第一客戶端110的編碼訊息。The
第二客戶端130也負責解碼所取得之編碼訊息以取得編碼訊息所表示的連線資訊、個人資料及驗證信物,其中,第二客戶端130可以使用與產生編碼訊息對應的解碼演算法解碼編碼訊息以取得連線資訊、個人資料及驗證信物,或第二客戶端130也可依據編碼訊息連線到特定目標下載連線資訊、個人資料及驗證信物。但第二客戶端130解碼編碼訊息之方式並不以上述為限。The
第二客戶端130也負責依據所取得之連線資訊將所取得之驗證信物與全部或部分的個人資料傳送至伺服器120。舉例來說,第二客戶端130可以直接依據連線資訊所包含之伺服器120的API將個人資料與驗證信物傳送給伺服器120;第二客戶端130可以依據連線資訊所包含之URL Scheme開啟特定應用程式並將伺服器120的API及個人資料與驗證信物提供給被開啟的應用程式,使得被開啟的應用程式依據伺服器120的API將全部或部分之個人資料與驗證信物傳送給伺服器120,但第二客戶端130依據連線資訊將驗證信物與個人資料傳送至伺服器120之方式並不以上述為限。The
第二客戶端130也負責在所取得的驗證信物通過伺服器120確認後,或可以在接收到伺服器120所傳送的認證資料後,輸入驗證密碼。一般而言,第二客戶端130可以提供密碼輸入介面以輸入驗證密碼。The
第二客戶端130也負責將被輸入之驗證密碼傳送至伺服器120,若第二客戶端130有接收到認證資料,則第二客戶端130也可以將認證資料與驗證密碼一同傳送至伺服器120。The
第二客戶端130也可以接收伺服器120所傳送之身分確認結果,並可以在身分確認結果表示伺服器120判斷驗證密碼與確認密碼相同時,使用所取得之個人資料與被輸入之驗證密碼向憑證伺服器(圖中未示)申請數位憑證。The
接著以一個實施例來解說本發明的運作系統與方法,並請參照「第2A圖」本發明所提之透過驗證有效憑證在不同裝置上確認身分之方法流程圖。在本實施例中,假設第一客戶端110為個人電腦或筆記型電腦、第二客戶端130為智慧型手機,但本發明並不以此為限。Next, an embodiment is used to explain the operating system and method of the present invention, and please refer to "FIG. 2A" for the flow chart of the method for verifying identity on different devices through valid certificate verification proposed by the present invention. In this embodiment, it is assumed that the
當使用者欲在第二客戶端130上進行身分確認以申請數位憑證時,若選擇使用本發明,則使用者可以操作已有有效之數位憑證的第一客戶端110,並在第一客戶端110上輸入個人資料與確認密碼,使得第一客戶端110對被輸入之個人資料簽章而產生簽章值(步驟210)。在本實施例中,假設使用者可以操作第一客戶端110執行瀏覽器連線到伺服器120,接著,瀏覽器可以顯示資料輸入介面以提供使用者輸入個人資料與確認密碼,並可以在使用者完成個人資料與確認密碼的輸入後,使用與數位憑證對應的私鑰對被輸入之個人資料與確認密碼簽章而產生相對應的簽章值。When the user intends to perform identity verification on the
在第一客戶端110產生簽章值後,第一客戶端110可以將所輸入之個人資料與所產生的簽章值傳送到伺服器120,伺服器120可以在接收到第一客戶端110所傳送之個人資料與簽章值後,驗證所接收到的個人資料與簽章值(步驟220)。在本實施例中,假設第一客戶端110可以將個人資料、確認密碼、及對個人資料與確認密碼簽章所產生的簽章值傳送給伺服器120,伺服器120可以對個人資料、確認密碼、及簽章值進行驗證。After the
若個人資料(、確認密碼)與簽章值沒有通過伺服器120的驗證,則伺服器120可以不產生提示訊息,並可以將所產生之提示訊息傳回第一客戶端110,使第一客戶端110顯示伺服器120所產生的提示訊息;而若個人資料(、確認密碼)與簽章值通過伺服器120的驗證,則伺服器120可以產生驗證信物(步驟231)。在本實施例中,假設伺服器120可以透過隨機的方式產生驗證信物中的驗證值,並可以在驗證信物加入表示有效期限的時間戳,同時,伺服器120也可以將所接收到之個人資料中的使用者識別資料、所接收到的確認密碼與所產生之驗證信物做為一筆資料儲存到資料對應表中。If the personal data (, confirmation password) and the signature value have not passed the verification of the
在伺服器120產生驗證信物後,伺服器120可以產生編碼訊息,並可以將所產生之編碼訊息傳送到第一客戶端110(步驟235)。在本實施例中,假設伺服器120可以產生記錄有接收自第一客戶端110之個人資料、所產生之驗證信物、及伺服器120之連線資訊的編碼訊息,且編碼訊息以QR code呈現。After the
在第一客戶端110接收到伺服器120所傳送的編碼訊息後,第二客戶端130可以透過第一客戶端110取得伺服器120所產生的編碼訊息(步驟240)。在本實施例中,假設第一客戶端110可以透過所包含的觸控螢幕等顯示模組顯示接收自伺服器120的編碼訊息,第二客戶端130可以透過所包含的影像擷取模組(如攝影鏡頭與感光元件)擷取第一客戶端110所顯示的編碼訊息。After the
在第二客戶端130取得伺服器120所產生的編碼訊息後,第二客戶端130可以解碼所取得的編碼訊息以取得編碼訊息所包含之個人資料、驗證信物、及連線資訊,並可以依據連線資訊將驗證信物與全部或部分之個人資料傳送到伺服器120(步驟250)。在本實施例中,假設第二客戶端130可以在解碼編碼訊息後取得以URL Scheme方式記載的資料,則第二客戶端130可以依據URL Scheme中之應用程式識別標誌(identifier)取得對應之應用程式名稱並顯示如「第3A圖」之使用者介面310,當使用者點擊使用者介面310中之「開啟APP」的區塊311時,開啟相對應的應用程式,並透過第二客戶端130的作業系統將個人資料、驗證信物、連線資訊做為參數傳送給被開啟的應用程式,使得被開啟的應用程式在被第二客戶端130執行後可以依據連線資訊將個人資料中的使用者識別資料與驗證信物傳送給伺服器120。After the
在伺服器120接收到第二客戶端130所傳送的個人資料與驗證信物後,可以確認所接收到的驗證信物(步驟260)。在本實施例中,假設伺服器120可以依據所接收到之個人資料中的使用者識別資料由資料對應表中讀出被儲存為同一筆資料的驗證信物,並可以比對所讀出之驗證信物與所接收到的驗證信物是否相同,若兩驗證信物相同,則伺服器120可以確認所接收到的驗證信物有效,反之,伺服器120可以確認驗證信物無效。伺服器120也可以確認驗證信物是否被記錄為已接收,若是,則伺服器120可以確認所接收到的驗證信物無效。另外,伺服器120也可以在比對所讀出之驗證信物與所接收到的驗證信物相同後,判斷驗證信物所包含之有效期限是否早於當前時間,若是,則伺服器120可以確認驗證信物無效,若否,則伺服器120可以確認驗證信物有效,或伺服器120可以進一步判斷驗證信物中的驗證值是否曾經被驗證,也就是判斷伺服器120是否曾經接收過包含相同驗證值的驗證信物,若是,則伺服器120可以確認驗證信物無效,若否,則伺服器120可以確認驗證信物有效。After the
若伺服器120確認所接收到的驗證信物無效,則伺服器120可以產生表示驗證信物無效的確認結果訊息,並可以將所產生的確認結果訊息傳送至第二客戶端130;而若伺服器120確認驗證信物有效,則第二客戶端130可以輸入驗證密碼,並可以將所輸入的驗證密碼傳送到伺服器120(步驟270)。在本實施例中,假設伺服器120可以在確認驗證信物是否有效後產生表示驗證信物有效或無效的確認結果訊息,並可以將所產生的確認結果訊息傳送到第二客戶端130,第二客戶端130所執行之先前被開啟的應用程式可以在接收到確認結果訊息後,判斷確認結果訊息表示驗證信物無效時,顯示與確認結果訊息對應的提示訊息,或可以在判斷確認結果訊息表示驗證信物有效時,提供包含所接收到之個人資料中的使用者識別資料之密碼輸入介面320(如「第3B圖」所示)給使用者,使得使用者透過第二客戶端130將驗證密碼輸入到第二客戶端130所執行的應用程式中。If the
在伺服器120接收到第二客戶端130所傳送的驗證密碼後,伺服器120可以比對接收自第二客戶端130的驗證密碼與接收自第一客戶端110的確認密碼,並可以依據比對結果確認使用者身分(步驟280)。在本實施例中,假設伺服器120可以依據所接收到之驗證信物中的驗證值由資料對應表中讀出相對應(被儲存為同一筆資料)的確認密碼,並比對所接收到的驗證密碼與所讀出的確認密碼,當驗證密碼與確認密碼不同時,伺服器120可以產生相對應之身分確認訊息並傳送所產生之身分確認訊息給第二客戶端130(及第一客戶端110),使得第二客戶端130(與第一客戶端110)依據伺服器120所產生的身分確認訊息顯示相對應的提示訊息;而若驗證密碼與確認密碼相同,則伺服器120可以確認使用者的身分正確,也就是判斷第一客戶端110與第二客戶端130的使用者相同,伺服器120可以產生相對應的身分確認訊息,並可以將所產生之身分確認訊息傳送給第二客戶端130。After the
如此,透過本發明,第二客戶端130便可以經由第一客戶端110與伺服器確認使用者的身分。In this way, through the present invention, the
上述實施例中,在第二客戶端130接收到伺服器120所傳送的身分確認訊息後,若身分確認訊息表示使用者身分正確,則第二客戶端130可以執行使用者欲執行的作業,如「第2B圖」之流程所示,第二客戶端130可以依據所接收到之個人資料與使用者所輸入之驗證密碼向憑證伺服器申請數位憑證(步驟290)。In the above embodiment, after the
另外,上述實施例也可以如「第2C圖」所示之流程,在伺服器120產生驗證信物(步驟231)之前或之後,伺服器120可以產生認證資料(步驟233),例如流水號。之後,伺服器120可以產生包含連線資訊、個人資料與驗證信物的編碼訊息並傳送編碼訊息到第一客戶端110(步驟235),使得第二客戶端130可以透過第一客戶端110取得編碼訊息(步驟240)。In addition, the above embodiment can also be shown in the process shown in "Fig. 2C", before or after the
接著,第二客戶端130並可以解碼編碼訊息以取得連線資訊、個人資料與驗證信物,及可以依據連線資訊將個人資料與驗證信物傳送到伺服器120(步驟250),進而讓伺服器120可以在確認驗證信物(步驟260)後,傳送先前所產生的認證資料到第二客戶端130(步驟265),如此,第二客戶端130可以在接收到伺服器120所傳送的認證資料後輸入驗證密碼,並可以將所輸入的驗證密碼及所接收到的認證資料傳送到伺服器120(步驟275)。Then, the
伺服器120在接收到第二客戶端130所傳送之驗證密碼與認證資料後,可以比對接收到的認證資料是否與所傳送的認證資料相同,當兩認證資料相同時,伺服器120可以比對所接收到的驗證密碼與所讀出的確認密碼以確認使用者身分(步驟280)。After the
綜上所述,可知本發明與先前技術之間的差異在於具有由伺服器驗證第一客戶端對個人資料簽章所產生之簽章值後產生編碼訊息並傳回第一客戶端,第二客戶端透過第一客戶端取得編碼訊息後,解碼編碼訊息以取得連線資訊、個人資料與驗證信物,並依據連線資訊傳送個人資料與驗證信物至伺服器,使伺服器確認驗證信物,且比對第一客戶端所輸入之確認資料與第二客戶端在驗證信物通過確認後所輸入驗證密碼以確認使用者身分之技術手段,藉由此一技術手段可以來解決先前技術所存在申請電子憑證需要申請人親自臨櫃以確認身分而造成申請人不便的問題,進而達成以電子憑證確認不同裝置之使用者相同的技術功效。To sum up, it can be seen that the difference between the present invention and the prior art lies in that after the server verifies the signature value generated by the personal data signature of the first client, an encoded message is generated and sent back to the first client, and the second After the client obtains the encoded message through the first client, it decodes the encoded message to obtain connection information, personal data and verification token, and sends the personal data and verification token to the server according to the connection information, so that the server confirms the verification token, and Compare the confirmation data entered by the first client with the verification password entered by the second client after the token is verified to confirm the user's identity. This technical method can solve the problem of electronic application in the prior art. The certificate requires the applicant to personally visit the counter to confirm the identity, which causes inconvenience to the applicant, and then achieves the same technical effect of using electronic certificates to confirm users of different devices.
再者,本發明之透過驗證有效憑證在不同裝置上確認身分之方法,可實現於硬體、軟體或硬體與軟體之組合中,亦可在電腦系統中以集中方式實現或以不同元件散佈於若干互連之電腦系統的分散方式實現。Furthermore, the method for confirming identity on different devices by verifying valid certificates of the present invention can be implemented in hardware, software, or a combination of hardware and software, and can also be implemented in a centralized manner in a computer system or distributed with different components Implemented in a decentralized manner over several interconnected computer systems.
雖然本發明所揭露之實施方式如上,惟所述之內容並非用以直接限定本發明之專利保護範圍。任何本發明所屬技術領域中具有通常知識者,在不脫離本發明所揭露之精神和範圍的前提下,對本發明之實施的形式上及細節上作些許之更動潤飾,均屬於本發明之專利保護範圍。本發明之專利保護範圍,仍須以所附之申請專利範圍所界定者為準。Although the embodiments disclosed in the present invention are as above, the content described is not intended to directly limit the scope of protection of the present invention. Anyone with ordinary knowledge in the technical field of the present invention, without departing from the spirit and scope disclosed in the present invention, makes some changes and modifications to the form and details of the implementation of the present invention, all of which belong to the patent protection of the present invention scope. The scope of patent protection of the present invention shall still be defined by the scope of the attached patent application.
110:第一客戶端 120:伺服器 130:第二客戶端 310:使用者介面 311:區塊 320:密碼輸入介面 步驟210:第一客戶端輸入個人資料及確認密碼,並對個人資料簽章以產生簽章值 步驟220:第一客戶端傳送個人資料與簽章值至伺服器,伺服器驗證個人資料與簽章值 步驟231:伺服器於個人資料與簽章值通過驗證後產生驗證信物 步驟233:伺服器產生認證資料 步驟235:伺服器產生包含個人資料、驗證信物及連線資訊之編碼訊息,並傳送編碼訊息給第一客戶端 步驟240:第二客戶端透過第一客戶端取得編碼訊息 步驟250:第二客戶端解碼編碼訊息以依據連線資訊傳送個人資料與驗證信物至伺服器 步驟260:伺服器確認驗證信物 步驟265:伺服器傳送認證資料至第二客戶端 步驟270:第二客戶端於驗證信物通過伺服器確認後輸入驗證密碼,並傳送驗證密碼至伺服器 步驟275:第二客戶端於接收到認證資料後輸入驗證密碼,並傳送驗證密碼及認證資料至伺服器 步驟280:伺服器比對驗證密碼與確認密碼以確認使用者身分 步驟290:第二客戶端於伺服器判斷驗證密碼與確認密碼相同時,使用個人資料及驗證密碼申請數位憑證 110: The first client 120: server 130: Second client 310: user interface 311: block 320: password input interface Step 210: the first client enters the personal data and confirms the password, and signs the personal data to generate a signature value Step 220: The first client sends the personal data and signature value to the server, and the server verifies the personal data and signature value Step 231: The server generates a verification token after the personal data and the signature value are verified Step 233: The server generates authentication information Step 235: The server generates a coded message including personal data, verification token and connection information, and sends the coded message to the first client Step 240: The second client obtains the encoded message through the first client Step 250: The second client decodes the encoded message to send the personal data and verification token to the server according to the connection information Step 260: The server confirms the authentication token Step 265: The server sends the authentication data to the second client Step 270: The second client enters the verification password after the verification token is confirmed by the server, and sends the verification password to the server Step 275: The second client enters the verification password after receiving the verification data, and sends the verification password and verification data to the server Step 280: The server compares the verification password and the confirmation password to confirm the user identity Step 290: When the server determines that the verification password is the same as the confirmation password, the second client uses the personal information and the verification password to apply for a digital certificate
第1圖為本發明所提之透過驗證有效憑證在不同裝置上確認身分之系統架構圖。 第2A圖為本發明所提之透過驗證有效憑證在不同裝置上確認身分之方法流程圖。 第2B圖為本發明所提之透過驗證有效憑證在不同裝置上確認身分之附加方法流程圖。 第2C圖為本發明所提之伺服器確認使用者身分之詳細方法流程圖。 第3A圖為本發明實施例所提之開啟應用程式操作畫面之示意圖。 第3B圖為本發明實施例所提之驗證密碼輸入畫面之示意圖。 Figure 1 is a system architecture diagram of the present invention for verifying identities on different devices through verification of valid certificates. FIG. 2A is a flow chart of a method for verifying identities on different devices by verifying valid credentials proposed by the present invention. FIG. 2B is a flow chart of an additional method for verifying identities on different devices by verifying valid credentials proposed by the present invention. FIG. 2C is a detailed flow chart of the method for confirming the identity of the user by the server proposed in the present invention. FIG. 3A is a schematic diagram of an operation screen for opening an application program according to an embodiment of the present invention. FIG. 3B is a schematic diagram of the verification password input screen proposed by the embodiment of the present invention.
步驟210:第一客戶端輸入個人資料及確認密碼,並對個人資料簽章以產生簽章值 Step 210: the first client enters the personal data and confirms the password, and signs the personal data to generate a signature value
步驟220:第一客戶端傳送個人資料與簽章值至伺服器,伺服器驗證個人資料與簽章值 Step 220: The first client sends the personal data and signature value to the server, and the server verifies the personal data and signature value
步驟231:伺服器於個人資料與簽章值通過驗證後產生驗證信物 Step 231: The server generates a verification token after the personal data and the signature value are verified
步驟235:伺服器產生包含個人資料、驗證信物及連線資訊之編碼訊息,並傳送編碼訊息給第一客戶端 Step 235: The server generates a coded message including personal data, verification token and connection information, and sends the coded message to the first client
步驟240:第二客戶端透過第一客戶端取得編碼訊息 Step 240: The second client obtains the encoded message through the first client
步驟250:第二客戶端解碼編碼訊息以依據連線資訊傳送個人資料與驗證信物至伺服器 Step 250: The second client decodes the encoded message to send the personal data and verification token to the server according to the connection information
步驟260:伺服器確認驗證信物 Step 260: The server confirms the authentication token
步驟270:第二客戶端於驗證信物通過伺服器確認後輸入驗證密碼,並傳送驗證密碼至伺服器 Step 270: The second client enters the verification password after the verification token is confirmed by the server, and sends the verification password to the server
步驟280:伺服器比對驗證密碼與確認密碼以確認使用者身分 Step 280: The server compares the verification password and the confirmation password to confirm the user identity
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW110126374A TWI803907B (en) | 2021-07-19 | 2021-07-19 | System for confirming identity on different devices by verifying valid certification and method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW110126374A TWI803907B (en) | 2021-07-19 | 2021-07-19 | System for confirming identity on different devices by verifying valid certification and method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
TW202305627A TW202305627A (en) | 2023-02-01 |
TWI803907B true TWI803907B (en) | 2023-06-01 |
Family
ID=86661354
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW110126374A TWI803907B (en) | 2021-07-19 | 2021-07-19 | System for confirming identity on different devices by verifying valid certification and method thereof |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI803907B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI614636B (en) * | 2013-06-10 | 2018-02-11 | Jie Chen | Content verification method based on digital signature code |
WO2018198036A1 (en) * | 2017-04-24 | 2018-11-01 | Just Log Me S.R.L. | Authentication system and identity management without password by single-use qr code and related method |
TW201905688A (en) * | 2013-09-12 | 2019-02-01 | 美商波音公司 | A device that authorizes operations to be performed on a target computing device |
TW201935301A (en) * | 2018-02-06 | 2019-09-01 | 美商Nb研究有限責任公司 | System and method for securing a resource |
TWM620550U (en) * | 2021-07-19 | 2021-12-01 | 臺灣網路認證股份有限公司 | System for verifying identity on different devices by verifying valid certificates |
-
2021
- 2021-07-19 TW TW110126374A patent/TWI803907B/en active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI614636B (en) * | 2013-06-10 | 2018-02-11 | Jie Chen | Content verification method based on digital signature code |
TW201905688A (en) * | 2013-09-12 | 2019-02-01 | 美商波音公司 | A device that authorizes operations to be performed on a target computing device |
WO2018198036A1 (en) * | 2017-04-24 | 2018-11-01 | Just Log Me S.R.L. | Authentication system and identity management without password by single-use qr code and related method |
TW201935301A (en) * | 2018-02-06 | 2019-09-01 | 美商Nb研究有限責任公司 | System and method for securing a resource |
TWM620550U (en) * | 2021-07-19 | 2021-12-01 | 臺灣網路認證股份有限公司 | System for verifying identity on different devices by verifying valid certificates |
Also Published As
Publication number | Publication date |
---|---|
TW202305627A (en) | 2023-02-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8681642B2 (en) | Equipment-information transmitting apparatus, service control apparatus, equipment-information transmitting method, and computer products | |
US6988196B2 (en) | Computer system and method for generating a digital certificate | |
US9667626B2 (en) | Network authentication method and device for implementing the same | |
TWM539667U (en) | System of online credentials application for network transaction via carrier | |
TWI644276B (en) | System for opening account and applying mobile banking account online and method thereof | |
TW202040385A (en) | System for using device identification to identify via telecommunication server and method thereof | |
CN102045335A (en) | Terminal device, signature generation server, simple id management system, simple id management method, and program | |
TWM601411U (en) | System for digital account application by using ATM to obtain authentication | |
CN104301288A (en) | Method and system for online identity authentication, online transaction certification, and online certification protection | |
TWM594186U (en) | Device and system combining online rapid authentication and public key infrastructure to identify identity | |
TWM620550U (en) | System for verifying identity on different devices by verifying valid certificates | |
TWM539668U (en) | System for opening account online and applying for mobile banking | |
TWM618726U (en) | System for verifying identity on different devices based on certificates and verification data | |
TWM592629U (en) | System to obtain appended data and execute corresponding operation when identity is confirmed | |
TWI803907B (en) | System for confirming identity on different devices by verifying valid certification and method thereof | |
TWI831029B (en) | System for confirming identity on different devices by verifying certification and verification code and method thereof | |
TWI720738B (en) | System for combining architectures of fido and pki to identity user and method thereof | |
TWM609003U (en) | System for transferring to client end to continue operation after confirming the identity on the public equipment | |
TWM588313U (en) | System for confirming user identity through financial account information | |
TWM583978U (en) | System of using physical carrier to store digital certificate for performing online transaction | |
TWI729535B (en) | System for using financial account to confirm identity and method thereof | |
TWM586390U (en) | A system for performing identity verification according to the service instruction to execute the corresponding service | |
TWI790495B (en) | System for driving smart card by third-party device for identity verification and method thereof | |
TWI784339B (en) | System for changing to client to continue operations after confirming identity on public device and method thereof | |
TWI691859B (en) | System for identifying according to instruction to execute service and method thereof |