TWM623207U - identity authentication system - Google Patents


Info

Publication number
TWM623207U
Authority
TW
Taiwan
Prior art keywords
verification code
identity authentication
module
information
biometric information
Prior art date
Application number
TW110209730U
Other languages
Chinese (zh)
Inventor
陳柏穎
Original Assignee
偉康科技股份有限公司
Priority date
Filing date
Publication date
Application filed by 偉康科技股份有限公司
Priority to TW110209730U
Publication of TWM623207U

Landscapes

  • Collating Specific Patterns (AREA)

Abstract

The present utility model provides an identity authentication system comprising a first device and a second device. The first device stores a first verification code. When the first device receives a request command to authenticate a user, it performs a comparison against biometric information possessed by the user, and when the comparison succeeds it outputs signature information generated from the first verification code. The second device is in signal connection with the first device and holds a second verification code corresponding to the first verification code; it receives the signature information, authenticates the user's identity by checking the signature information against the second verification code, and returns the result of the identity authentication to the first device.

Description

Identity authentication system

The present utility model is an authentication system, and more particularly a high-security-strength identity authentication system that uses asymmetric public/private keys together with biometric identification.

Identity authentication technologies in common use today fall into three kinds: traditional password authentication, biometric identification and two-factor authentication. In the traditional password architecture, both the user and the server know the account and password used for verification, so the risk is concentrated on the server side: once a corporate website is breached, millions of account credentials may be leaked.

In biometric authentication, a sensor captures a unique biometric feature of the user, such as a fingerprint or pupil, for identification and authentication. In two-factor authentication, the second factor beyond the password is usually delivered by SMS or voice call. However, SMS and voice traffic can still be intercepted by attackers when it is not encrypted, so in countries that place more emphasis on information security the U.S. National Institute of Standards and Technology (NIST), in its Digital Authentication Guideline, has already recommended that enterprises stop performing second-factor verification over the telecommunications network, including SMS and voice calls, and has excluded that method from future advanced authentication standards.

Accordingly, an identity authentication system is needed to solve the problems of the conventional techniques.

The present utility model concerns a high-security-strength, passwordless identity authentication system that uses a biometric identification mechanism. In this system, identity verification is performed on the device side in combination with an asymmetric public/private key architecture: the server side stores only the corresponding public key and holds no secret key, while the private key is stored only on the device. Under this architecture the risk is distributed across the devices rather than concentrated on the server. This resolves the problem that, once an enterprise website is breached, millions of account credentials can be leaked. Because the server in this identity authentication server system keeps no secret keys, that threat is eliminated: even if the server is compromised, the only consequence is that users cannot log in; identities are not stolen. An attacker would instead have to compromise user devices one by one, which is considerably more troublesome.

The present utility model relates to a high-security-strength identity authentication system using asymmetric public/private keys and biometric technology. After the mobile device's biometric hardware confirms the user's identity, the corresponding identity credential is signed with the asymmetric private key and sent to the authentication server for identity authentication.

The server side can monitor the identity authentication history of multiple mobile devices, analyse it and make decisions about subsequent individual authentications; the server can also control, per mobile device, which biometric mechanisms (such as face, fingerprint or voice) an individual user may use to confirm identity.

In one embodiment, the present utility model provides an identity authentication system comprising a first device and a second device. The first device stores a first verification code. When the first device receives a request command to authenticate a user, it performs a comparison against biometric information possessed by the user, and when the comparison succeeds it outputs signature information generated from the first verification code. The second device is in signal connection with the first device and holds a second verification code corresponding to the first verification code; it receives the signature information, authenticates the user's identity by checking the signature information against the second verification code, and returns the result of the identity authentication to the first device.

In one embodiment, the present utility model provides an identity authentication system comprising an authentication module, a client module and a decryption module. The authentication module receives a request command to start a biometric identification procedure; it stores a first verification code, obtains biometric information possessed by the user and performs a comparison against it, and when the comparison succeeds it generates signature information from the first verification code. The client module is in information connection with the authentication module; it generates the request command, receives the signature information and outputs it. The decryption module is in signal connection with the client module and holds a second verification code; it receives the signature information, authenticates the user's identity by checking the signature information against the second verification code, and returns the result of the identity authentication to the client module.

In one embodiment, the authentication module and the client module are arranged in a first device, the decryption module is arranged in a second device distinct from the first device, and the first and second devices communicate over a network. The first device is a mobile device and the second device is a network server.

In one embodiment, the authentication module is further electrically connected to a biometric information unit, which obtains the biometric information about the user. The first verification code and the second verification code are paired information generated by an algorithm.

2, 2a: identity authentication system

20, 20a: first device

200: processing unit

200a: first processing unit

201~203: biometric information units

21, 21a: second device

210: second processing unit

22: authentication module

23: client module

24: decryption module

25: biometric information unit

90: first verification code

91: second verification code

FIG. 1 is a schematic diagram of one embodiment of the identity authentication system of the present utility model.

FIG. 2 is a schematic diagram of another embodiment of the identity authentication system of the present utility model.

Various exemplary embodiments are described more fully below with reference to the accompanying drawings, in which some exemplary embodiments are shown. The concepts of the present utility model may, however, be embodied in many different forms and should not be construed as limited to the exemplary embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the concept to those skilled in the art. Like numerals refer to like elements throughout. The identity authentication system is described below by way of several embodiments in conjunction with the drawings, but these embodiments are not intended to limit the present utility model.

Referring to FIG. 1, a schematic block diagram of one embodiment of the identity authentication system: the identity authentication system 2 comprises a first device 20 and a second device 21. In one embodiment the first device 20 may be a mobile device such as a smartphone or tablet, but it is not limited thereto; a notebook or desktop computer may also serve as the first device 20. In one embodiment the second device 21 is a server with processing capability that communicates with the first device 20 over a wired or wireless network.

The first device 20 stores a first verification code 90, which is a private key. In this embodiment the first device 20 has a processing unit 200 that executes the relevant program logic. When the first device 20 receives a request command to authenticate the user, the processing unit 200 receives that command and performs a comparison against biometric information possessed by the user. In one embodiment the request command is generated when a specific app or application is launched on the first device 20: that app or application issues the request command to authenticate the user's identity.

In one embodiment of the biometric information, the first device 20 obtains it through embedded or external biometric information units 201~203, where biometric information unit 201 is a fingerprint sensor, biometric information unit 202 is a voice capture device, and biometric information unit 203 is an image capture device that captures the user's pupils, specific facial features or facial shape as the biometric information. The biometric information units 201~203 may be provided in the first device 20 as required; at least one of them suffices.

Identity authentication is performed with the first verification code 90; in the following embodiment the first verification code is a private key. To use the private key, the user must first have the first device 20 capture and successfully verify their biometric feature; only then can the private key be used to sign. Thus, in this embodiment, the first device 20 confirms identity through the embedded or external biometric information units 201~203, and once the biometric confirmation succeeds the processing unit 200 outputs signature information generated from the first verification code 90; if the comparison fails, the user is not permitted to proceed. After the signature information is generated, the first device 20 sends it to the remote second device 21 for authentication.

The second device 21 is in signal connection with the first device 20 and has a second processing unit 210 and a second verification code 91 corresponding to the first verification code 90. In this embodiment the second verification code 91 is a public key; it and the first verification code 90 (the private key) in the remote first device 20 are generated as a matched pair by an algorithm, for example a deterministic random bit generator (DRBG). The second device 21 receives the signature information, and its second processing unit 210 authenticates the user's identity by checking the signature information against the second verification code 91, that is, by using the public key stored in the second device to decrypt (verify) the signature information. Because the second verification code 91 and the first verification code 90 match, during the identity authentication procedure the second device 21 uses the second verification code 91 to verify whether the received signature information was produced with the first verification code 90.

A property of public/private key algorithms is that data signed with the private key can be checked with the matching public key to verify that it is signature information from the corresponding private key. For example, in one embodiment, data abc is signed with the private key, producing signature information ABC; abc and ABC are then checked with the public key to verify whether ABC is the signature of abc formed with the private key. If so, it is confirmed that the data abc was signed by the holder of the private key after confirmation. Therefore, after signing, the first device 20 returns the generated signature information ABC together with the original data abc to the second device 21, so that the second device 21 can verify with the originally registered public key whether the sender is the original owner. After verification, the second device 21 returns the verification result to the first device 20.

The second device 21 further has advanced management functions. For example, in one embodiment the second device 21 monitors the identity authentication history of multiple first devices 20, analyses it and makes decisions about subsequent individual authentications. In another embodiment the second device can control, per mobile device, which biometric mechanisms (such as face, fingerprint or voice) an individual user may use to confirm identity.
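As an added example (not code from the patent or its assignee), the sign-and-verify exchange with original data abc and signature ABC, together with the per-device biometric policy and authentication history, described in the two paragraphs above, written in Go with Ed25519 standing in for the unspecified key-pair algorithm. The biometric comparison is simulated with a hash of a constructed template, and the server-issued single-use challenge is an added replay defence that the patent does not describe.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Device is the patent's "first device": it holds the private key (first verification code).
type Device struct {
	ID       string
	priv     ed25519.PrivateKey
	template [32]byte // constructed stand-in for the enrolled biometric template
}

// NewDevice enrolls a device: the key pair is generated locally; only the public key is returned.
func NewDevice(id string, biometric []byte) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, priv: priv, template: sha256.Sum256(biometric)}, pub, nil
}

// Assertion carries the signed data (the patent's "abc") and its signature (the patent's "ABC").
type Assertion struct {
	DeviceID   string
	Method     string // biometric used: "fingerprint", "face" or "voice"
	Challenge  []byte // server nonce; an added replay defence not in the patent
	Credential string // identity credential being asserted
	Signature  []byte
}

// signedBytes is the exact byte string both sides sign and verify (length-prefixed fields).
func signedBytes(a *Assertion) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(a.DeviceID), []byte(a.Method), a.Challenge, []byte(a.Credential)} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

// Authenticate is the device-side step: only a sample matching the template releases the key.
func (d *Device) Authenticate(method string, sample, challenge []byte, credential string) (*Assertion, error) {
	if got := sha256.Sum256(sample); subtle.ConstantTimeCompare(got[:], d.template[:]) != 1 {
		return nil, fmt.Errorf("biometric comparison failed: private key not released")
	}
	a := &Assertion{DeviceID: d.ID, Method: method, Challenge: challenge, Credential: credential}
	a.Signature = ed25519.Sign(d.priv, signedBytes(a))
	return a, nil
}

// Server is the patent's "second device": it stores only public keys (second verification
// codes), the per-device policy of permitted biometric methods, and the authentication history.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	allowed map[string]map[string]bool
	issued  map[string]bool // outstanding single-use challenges
	History []string
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, allowed: map[string]map[string]bool{}, issued: map[string]bool{}}
}

// Register stores a device's public key and the biometric methods it may use.
func (s *Server) Register(id string, pub ed25519.PublicKey, methods ...string) {
	s.pubKeys[id], s.allowed[id] = pub, map[string]bool{}
	for _, m := range methods {
		s.allowed[id][m] = true
	}
}

// Challenge issues a fresh nonce the device must include in the signed data.
func (s *Server) Challenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.issued[string(c)] = true
	return c
}

// Verify checks the assertion with the registered public key, enforces the method
// policy and challenge freshness, and records the outcome in the history.
func (s *Server) Verify(a *Assertion) bool {
	ok := false
	pub, known := s.pubKeys[a.DeviceID]
	if known && s.allowed[a.DeviceID][a.Method] && s.issued[string(a.Challenge)] {
		delete(s.issued, string(a.Challenge)) // single use: a replayed assertion fails here
		ok = ed25519.Verify(pub, signedBytes(a), a.Signature)
	}
	s.History = append(s.History, fmt.Sprintf("device=%s method=%s ok=%v", a.DeviceID, a.Method, ok))
	return ok
}

func main() {
	dev, pub, _ := NewDevice("phone-1", []byte("constructed-fingerprint-sample"))
	srv := NewServer()
	srv.Register(dev.ID, pub, "fingerprint")
	a, _ := dev.Authenticate("fingerprint", []byte("constructed-fingerprint-sample"), srv.Challenge(), "user:alice")
	fmt.Println("authenticated:", srv.Verify(a), "replay:", srv.Verify(a))
}
```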

Referring to FIG. 2, a schematic diagram of another embodiment of the identity authentication system of the present utility model. In this embodiment the identity authentication system 2a comprises an authentication module (Authenticator) 22, a client module 23 and a decryption module 24. The authentication module 22 and the client module 23 are arranged in a first device 20a. The first device 20a has a first processing unit 200a for executing software or firmware. In one embodiment the authentication module 22 and the client module 23 are software modules executable by the first processing unit 200a. The first device 20a may be a mobile device such as a smartphone or tablet, but is not limited thereto; a notebook or desktop computer may also serve as the first device 20a. The decryption module 24 is arranged in a second device 21a. The second device 21a has one or more second processing units 210, and the decryption module 24 is a software module executable by the second processing unit 210. In one embodiment the second device 21a is a server with processing capability that communicates with the first device 20a over a wired or wireless network.

The first device 20a has an embedded or external biometric information unit 25 for capturing the user's biometric information. The biometric information unit 25 may be a fingerprint sensor, a voice capture device or an image capture device that captures the user's pupils, specific facial features or facial shape as the biometric information. An application or app is installed on the first device 20a; after the user runs it, a need to authenticate the user's identity arises. On receiving that need, the client module 23 generates a request command and sends it to the authentication module 22.

After receiving the request command, the authentication module 22 starts a biometric identification procedure and instructs the biometric information unit 25 to obtain the user's biometric information in order to confirm the user's identity. The authentication module 22 stores a first verification code 90 (a private key in this embodiment); it obtains the user's biometric information and performs a comparison against it, and when the comparison succeeds the authentication module 22 uses the private key it holds to sign the user's corresponding identity credential, producing signature information.

The signature information is returned to the client module 23, which transmits it over the network to the remote second device 21a and requests the second device 21a to perform identity authentication. On receiving the signature information, the second device 21a decrypts (verifies) it with the second verification code 91 stored in the second device, and after confirming the identity returns the authentication result to the client module 23 of the first device 20a, completing the identity authentication procedure. In this embodiment the second verification code 91 is a public key; it and the first verification code 90 (the private key) in the remote first device 20a are generated as a matched pair by an algorithm, for example a deterministic random bit generator (DRBG). The second device 21a receives the signature information and authenticates the user's identity by checking it against the second verification code 91, that is, by using the public key stored in the second device 21a to decrypt the signature information. Because the second verification code 91 and the first verification code 90 match, during the identity authentication procedure the second device 21a uses the second verification code 91 to verify whether the received signature information was produced with the first verification code 90. After authentication, the result is returned to the first device 20a, completing the identity authentication procedure.

In summary, in the authentication system of the present utility model, identity verification is performed at the near end in combination with an asymmetric public/private key architecture: the remote server stores only the corresponding public key and holds no private key, while the private key is stored only in the near-end device. Under this architecture the risk is distributed across the devices rather than concentrated on the server. This resolves the problem that, once an enterprise website is breached, millions of account credentials can be leaked. Because the server in this identity authentication server system keeps no secret keys, that threat is eliminated: even if the server is compromised, the only consequence is that users cannot log in; identities are not stolen.

The foregoing describes only preferred implementations or embodiments of the technical means adopted by the present utility model to solve the problem, and is not intended to limit the scope of the patent. All equivalent changes and modifications that are consistent with the literal scope of the claims of this utility model, or are made in accordance with that scope, fall within the scope of this patent.

2: identity authentication system

20: first device

200: processing unit

201~203: biometric information units

21: second device

90: first verification code

91: second verification code

Claims (9)

1. An identity authentication system, comprising: a first device storing a first verification code, wherein when the first device receives a request command to authenticate a user, the first device performs a comparison against biometric information possessed by the user and, when the comparison succeeds, outputs signature information generated from the first verification code; and a second device in signal connection with the first device, the second device having a second verification code corresponding to the first verification code, wherein the second device receives the signature information, authenticates the user's identity by checking the signature information against the second verification code, and returns the result of the identity authentication to the first device.

2. The identity authentication system of claim 1, wherein the first device is further connected to a biometric information unit for obtaining the biometric information about the user.

3. The identity authentication system of claim 1, wherein the first verification code and the second verification code are paired information generated by an algorithm.

4. The identity authentication system of claim 1, wherein the first device is a mobile device and the second device is a server.

5. An identity authentication system, comprising: a first device having a first processing unit for executing an authentication module and a client module, wherein: the authentication module receives a request command to start a biometric identification procedure, stores a first verification code, obtains biometric information possessed by the user, performs a comparison against the biometric information and, when the comparison succeeds, outputs signature information generated from the first verification code; and the client module is in information connection with the authentication module, generates the request command, and receives and outputs the signature information; and a second device having a second processing unit that executes a decryption module, the decryption module being in signal connection with the client module and having a second verification code, wherein the decryption module receives the signature information, authenticates the user's identity by checking the signature information against the second verification code, and returns the result of the identity authentication to the client module.

6. The identity authentication system of claim 5, wherein the first device is a mobile device and the second device is a server.

7. The identity authentication system of claim 6, wherein the server controls, for each mobile device, the type of biometric information that the authentication module obtains from the user.

8. The identity authentication system of claim 5, wherein the authentication module is further electrically connected to a biometric information unit for obtaining the biometric information about the user.

9. The identity authentication system of claim 5, wherein the first verification code and the second verification code are paired information generated by an algorithm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110209730U TWM623207U (en) 2021-08-18 2021-08-18 identity authentication system


Publications (1)

Publication Number Publication Date
TWM623207U true TWM623207U (en) 2022-02-11

Family

ID=81324296


Country Status (1)

Country Link
TW (1) TWM623207U (en)
