TW200539045A - Data storage application, IC card, fingerprint scanner authentication hardware and process flow method - Google Patents


Info

Publication number
TW200539045A
Authority
TW
Taiwan
Prior art keywords
card
authentication
hardware
fingerprint
server
Application number
TW93114830A
Other languages
Chinese (zh)
Inventor
Hui Lin
Original Assignee
Hui Lin

Landscapes

  • Storage Device Security (AREA)

Abstract

This invention relates to a data storage application, IC card, fingerprint scanner authentication hardware and process flow method, in which an IC card device and a fingerprint scanner are installed on a flash memory (thumb drive) compatible with a computer USB interface. When serving as authentication hardware, the device is first placed in a card reader and authenticates the user's identity via a fingerprint recognition center. An ICCID and a GLD built into the IC card are then used as a further authentication. This invention can serve as an effective means of control for webpage providers (such as audio track suppliers) with respect to documents having copyrights or IP rights.

Description

200539045 V. Description of the Invention (1)

[Technical Field of the Invention]

The present invention relates to a data storage application, an IC card, fingerprint scanner authentication hardware and a process flow method, and in particular to an authentication mechanism that uses an IC card and a fingerprint scanner, that is, a data storage application authentication flow in which the device serves as the medium for legitimate login.

[Prior Art]

A current example of activity on the Internet that skirts the edge of intellectual property law serves to illustrate the problem. There are many websites today for downloading singers' MP3 songs, and most of them use P2P (Peer to Peer transmission, one kind of technology application model), letting netizens automatically upload, download and share MP3 files and, through a simple search function, conveniently search for and share one another's files. Generally speaking, MP3 operators of this kind originally had an established cooperation model with the record companies, each seeking a balance with the other: the MP3 operator provided the latest information on all kinds of music for members to browse, in the hope of stimulating the record companies' sales. But as the MP3 operators' memberships grew, the MP3 files uploaded by netizens exploded, so that a file uploaded by one person could be downloaded free of charge by every member. Once its membership reached a substantial size, the MP3 operator asserted that the intellectual property in its software platform belonged to the MP3 software operator and began charging a monthly fee for use of the software; as membership exploded, the revenue of the operator providing the MP3 software platform grew in proportion, while the interests of the record companies, who hold the lawful copyrights and intellectual property rights, suffered severe losses, causing a long-term slump in the record industry and in turn damaging the motivation and confidence of creators.

Furthermore, extending the discussion to the membership systems of today's conventional websites: the passwords they use are all either set by the user or issued by the system. Since information is encrypted on the website server side, programs and logic for encryption techniques have been researched and designed to prevent leakage of information over the communication network, in the hope of technically resisting hackers; under present conditions, however, complete prevention is still not achievable.

The entry point through which a website verifies a member's confidential data is the member login system. In the present website member login model, the user simply enters a user name and password directly on the web page; if the two match, the user enters the website's member function pages and, using that logged-in user's data, can perform the actions a legitimate member may perform, and can even look up some of that user's related confidential data and transaction records. But with the encoding technology used by today's ordinary application website servers (AP Server), performing password encoding and decoding solely in the web program on the application website server (AP Server) side simply cannot guarantee that it will not be cracked by hackers. Moreover, the ubiquity of today's Internet, and the demand for convenient use and access anytime and anywhere, mean that users can conveniently go online in many places on different computers or other equipment, and it is difficult with current technology to set user permissions and a grading system. For example, when going online from a library's public computer or at an Internet cafe, where many users share the same machine, if a user is momentarily careless and leaves a user name and password in the login screen, forgetting to delete them, they can easily be misappropriated by the next user, or be exploited by a hacker using simple operating-system backdoor programs and the like to crack the account, steal the confidential data and conduct illegal transactions, to the user's loss.

Current network security is riddled with holes, the most common of which is: <<Hackers crack users' passwords by Dictionary Attack and impersonate the user's identity>>. It is generally known that signing in to a computer system by entering a user ID and password is the simplest, but also the least secure, method. The reasons are as follows:

1. Most people choose passwords chiefly for ease of memorization; few choose a randomly arranged string mixing letters and digits. The well-known cryptographer Daniel Klein claimed that with an ordinary dictionary attack (Dictionary Attack), 40% of the passwords on a computer can be cracked easily. Much password-cracking software designed by students, system experts and hackers is currently distributed on the Internet, providing tools for intrusion by hackers both inside and outside the enterprise.

2. Today's information systems are increasingly complex, and as many heterogeneous systems are chained together, users signing in to different computer systems must enter passwords again because each operating system requires it. According to expert statistics, only a few people can simultaneously remember three different eight-character passwords. The result is that the great majority of people write their passwords down and keep them somewhere the user considers safe and convenient. Obviously, this again provides a channel for intrusion by hackers inside and outside the enterprise.

3. Even if the user commits neither of the two errors above, the password clearly exists in plaintext before it is transmitted from the user's end to the server. A hacker can intercept the password at any point on the Internet or on a local area network and then, impersonating the user (Replay), begin to intrude illegally into the system. Many people believe that by leasing a dedicated line they can avoid hacker intrusion. This notion is wrong. Even a dedicated line is circuit-switched through the public switching system, which is even more convenient for a hacker attacking the system, because once a dedicated line is established, the route over which the data flows rarely changes. Hackers can therefore concentrate their resources on intercepting the data flowing over a fixed line.

Furthermore: <<Hackers can also intercept unencrypted data in peer-to-peer transmission and tamper with it>>. The communication protocol used on the Internet is TCP/IP. Before two computers can transmit data, a three-way handshake (Three-way Handshaking) must first be completed to establish a connection before data transfer begins. The problems hidden in this give hackers a good opportunity to intrude. The reasons are as follows:

1. Because the data of both parties is transmitted over the public Internet, and the data transmitted exists in plaintext, any computer connected to the Internet can eavesdrop (Sniffing) on the data on the network. As a result, personal privacy, property and corporate business secrets are completely exposed on the Internet, with no privacy or confidentiality to speak of.

2. Sometimes, in order to fully take over the connection established above and impersonate the original user so as to access resources and services on the remote host, a hacker will at the same time impersonate the host and return large amounts of useless data to the user in an attempt to paralyze the computing capacity of the client computer system (Denial of Service; DoS). In this way the hacker can not only impersonate the original user to access resources and services on the remote host, and arbitrarily publish, tamper with or delete data without the host's system administrator noticing; worse still, because the hacker alters data in this way without leaving a trace, and the source of the message (the user's identity) cannot be confirmed, the original user has difficulty clearing his own name.

Furthermore: when users go online from a public computer in a public place, they connect to the external network (Internet) through that place's internal local area network (LAN). On a LAN, taking an Ethernet-based IP network as an example, all data (packets) flow to every PC on the LAN by broadcast (Broadcasting). Because each PC has a network interface card (Network Interface Card), it can filter out the packets not addressed to it. The problem hidden here, however, gives hackers another great opportunity to intrude: <<intercepting the data transmitted on the LAN>>. The reasons are as follows:

1. Because all packets flow to every PC on the LAN by broadcast (Broadcasting), and exist in plaintext, any PC connected to the LAN can play the role of an eavesdropper (Sniffer) and freely peek at other people's data.

2. Worse, once someone's password has been intercepted, it is very likely that another person will sign in to the system illegitimately and do unauthorized things, for example approving or signing out official documents, altering accounting records, spreading false information, stealing R&D data and selling it to competitors, and so on.

Based on the above, the current network security vulnerabilities, and the disorder created by operators providing MP3 software platforms on the Internet who skirt the edge of intellectual property law, together reflect the importance of the present invention, its substantive progress and the urgent need for it.

[Summary of the Invention]

<<Technical Problem to Be Solved>>

The present invention mainly aims to solve the following deficiencies of current network security: that performing password encoding and decoding solely in the web program on the application website server (AP Server) side simply cannot guarantee that it will not be cracked by hackers; and that if a user of a public computer in a public place is momentarily careless and leaves a user name and password in the login screen, forgetting to delete them, they can easily be exploited by a hacker using simple operating-system backdoor programs and the like to crack the account, steal the confidential data and conduct illegal transactions, to the user's loss.

Furthermore, it uses authentication hardware composed of an IC card and a fingerprint scanner to exercise effective authorization control, so as to avoid the current disorder in which peer-to-peer P2P (Peer to Peer) transmission on the Internet skirts the edge of intellectual property law and causes great losses to the holders of lawful copyrights and intellectual property rights.

<<Technical Means of Solving the Problem>>

The main idea of the present invention arises from the fact that current network security is riddled with holes and users are insufficiently protected when using their private data online. The inventor therefore studied combining an IC card and a fingerprint scanner with an authentication hardware device, operating together with a CA identity authentication server (security control mechanism) and a global fingerprint identification system, to meet the five major information security requirements for improving the secure transmission of electronic data over networks.

Improving the secure network transmission of electronic data requires meeting the following five information security requirements:

(1) Confidentiality: ensuring that data messages are not viewed or stolen by third parties, so as to protect the privacy of transmitted data; this can be achieved through data encryption.

(2) Integrity: ensuring that transmitted data messages have not been tampered with by ill-intentioned parties, so as to guarantee the correctness of the transmitted content; this can be protected by digital signatures or data encryption.

(3) Authentication: confirming the source of a transmitted message so that it cannot be forged; this can be guarded against by digital signatures, data encryption and similar means.

(4) Non-repudiation: preventing a user from later denying having sent or received a message; this can be achieved through digital signatures and a public key infrastructure.

(5) Access Control: controlling access to data according to the user's identity. In addition, the execution privileges of the security control module's functions can be determined according to the user's identity.

Furthermore, the present invention uses IC card and fingerprint scanner authentication hardware to exercise effective authorization control, and applies a special encoding and decoding operation to stored files, so that data access gains confidentiality, security, mobility and uniqueness (only the legitimate user can use the stored files), thereby avoiding the current disorder in which peer-to-peer P2P (Peer to Peer) transmission on the Internet skirts the edge of intellectual property law and causes great losses to the holders of lawful copyrights and intellectual property rights.

The technical feature of the present invention is therefore to install an IC card device together with a fingerprint scanner device on a flash memory (thumb drive) that is generally compatible with a computer USB interface, to serve as authentication hardware. This authentication hardware is first inserted into an IC card reader device (Reader), and the fingerprint obtained by the fingerprint scanner is first authenticated by the global fingerprint recognition center.

After the fingerprint recognition center's authentication passes, an identity check code ICCID and an international check code GLN built into the IC card are then used to check the identity authentication. The authentication hardware can be installed on hardware that is generally compatible with a computer USB interface or PS2 slot, or that has wireless communication, infrared transmission and the like. When the user uses this authentication hardware, the fingerprint scanner transmits the user's fingerprint over a network connection to the global network fingerprint recognition center (or another fingerprint recognition center), which can check the user's identity by real-time comparison; after one or more successful comparisons this constitutes one of the credentials of successful authentication of the authentication hardware (Server Result). If the fingerprint comparison result is wrong, the system likewise informs the user end that hardware authentication has failed, and the user loses eligibility to pass the login gate. This is the first step of the authentication flow.

Then, when the user logs in over the network with a user name (Username) and password (Password), the IC card, through its embedded program, first directs the login flow to the CA identity authentication server for encryption and decryption operations. Through a special process the value of the ICCID code is first decrypted and compared against the CA identity authentication database; after the EKI corresponding to that ICCID code and authorized to pass (Validate=Y) is found, it is first decrypted to obtain KI, a random value (Random) is generated, and the result of encrypting it with KI is stored in the database of the CA identity authentication server. This encrypted result is one of the credentials of successful authentication of the authentication hardware (Server Result); it can also be used to record the number of times the user has logged in with this authentication hardware, to confirm the legitimacy of the authentication hardware, and to confirm whether the ICCID code has the right to log in to the website and how much privilege it has been granted. After hardware authentication passes, the CA identity authentication server sends the generated random value (Random) back to the IC card. When the IC card receives this random value (Random), the IC card's embedded program first decrypts the built-in ICCID code to obtain a KI value (<<the KI value here is not checked as to whether it belongs to authorized authentication hardware; the power to check and compare rests with the CA identity authentication server>>), and then uses it to encrypt the received random value (Random), producing the IC card's authentication credential (Client Result), which is used for cross-comparison with the CA identity authentication server when the ordinary application website server (AP Server) performs the third step of the authentication flow. If the ICCID code set in the IC card on this authentication hardware is not authorized to pass in the comparison result (Validate=N, card not activated), the system informs the user end that hardware authentication has failed, and the user loses eligibility to pass the login gate.

If the second step of the authentication flow succeeds, the authentication program of the ordinary application website server (AP Server) first receives the ICCID code on the IC card, the IC card's authentication credential (Client Result), the user name (Username) entered by the user and the typed password (Password). The ordinary application website server (AP Server) first checks against its own database whether the user name (Username) and password (Password) are correct and whether the user's validity period has expired. If the comparison is correct, it passes the ICCID code and the IC card authentication credential (Client Result) back to the CA identity authentication server for cross-comparison. Through the special process the value of the ICCID code is first decrypted and compared against the CA identity authentication database to find the authentication hardware credential (Server Result) corresponding to that ICCID code and authorized to pass (Validate=Y); the Server Result is then compared with the IC card's credential (Client Result). If they match, the third step of authentication passes, and only when the user has been confirmed by cross-comparison to be a legitimate registrant can the user pass through the member login entry with legitimate use privileges and be directed to the next Web Page; the Server Result encrypted and decrypted on the CA identity authentication server is then cleared, so that a new Server Result can be generated and stored temporarily the next time the user logs in. If the comparison results do not match, the ordinary application website server (AP Server) is informed that the authentication hardware's ICCID code is wrong, authentication fails, and the user loses eligibility to pass the login gate.

Files downloaded by the user are given a special encoding by the IC card's embedded program, and when the user wishes to open a downloaded file, the file must likewise be decoded through the IC card authentication hardware before it can be opened correctly; in this way data access gains confidentiality, security, mobility and uniqueness (only the legitimate user can use the stored files).

If the user's login flow data is intercepted by a hacker during transmission, all that can be captured is the random value (Random) generated by the CA identity authentication server during the encryption process. Since this random value (Random) is a changing random number, and the value produced each time the user logs in and authenticates is different, a hacker still cannot use the random value to perform a valid login the next time.

The data storage application authentication flow and the IC card and fingerprint scanner authentication hardware of the present invention form a ring architecture with the user (User), the application website server (AP Server) and the CA identity authentication server (security control end). Its authentication and security control mechanism and procedures are guided automatically, and the encryption and decryption operations performed, solely by the embedded program on the IC card of the authentication hardware and the internal program of the CA identity server, while the fingerprint recognition center only identifies and authenticates the fingerprint data and confirms the user's identity. For the user (User) and the application website server (AP Server) side this causes no trouble of its own; integration is easy and the combination is strong, which will make its applications broader and deeper. The application website server (AP Server) need only add a short corresponding program segment to its login page (Login Page) to greatly improve the security of the services the server provides and add a security control mechanism for the user, with great prospects for its own development. The user (User), meanwhile, in effect carries a private key of his own as the credential for legitimate use; its hardware takes the form of an ordinary access-control key, and this mode of use is more acceptable to ordinary users than that of typical encryption and decryption technology products whose procedures are too complex, presenting to a user (User) who only accepts the final result an added value that is multifunctional and of high utility.

Moreover, the IC card used with the present invention is mainly burned into the chip as firmware, has the advantage of large storage capacity, cannot be produced or edited by ordinary people on their own, is not easily counterfeited or pirated, and has strong anti-counterfeiting and anti-cracking functionality, effectively preventing the trouble of malicious misappropriation. Combined with the results of mutual encryption and decryption and cross-comparison between the target application website server (AP Server) and the CA identity authentication server, it more effectively lets users roam a secure network environment and appreciate the convenience that technology brings.
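The three-step flow described above (fingerprint check, CA challenge with a fresh Random encrypted under KI, AP server cross-check and clearing of the Server Result), as an added Python model that is not part of the patent: the "decrypt ICCID to obtain KI" and "encrypt Random with KI" steps are stood in by HMAC-SHA256 since the patent names no cipher, the fingerprint center and GLN check are reduced to a pass/fail input, and the CA master key, card root secret, ICCID codes and user record are constructed placeholders. It also shows that a Client Result captured from one login is rejected on the next, as the replay argument in the text claims.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed placeholder secrets, not from the patent: the CA master key wraps
# each KI into the stored EKI; the card root secret turns an ICCID code into KI.
CA_MASTER_KEY = hashlib.sha256(b"constructed CA master key").digest()
CARD_ROOT_SECRET = b"constructed card root secret"


def derive_ki(iccid_code: bytes) -> bytes:
    # Stand-in for the patent's "decrypt the ICCID code to obtain KI".
    return hmac.new(CARD_ROOT_SECRET, iccid_code, hashlib.sha256).digest()


def encrypt_with_ki(ki: bytes, random_value: bytes) -> bytes:
    # Stand-in for "encrypt Random with KI": a keyed MAC instead of a cipher.
    return hmac.new(ki, random_value, hashlib.sha256).digest()


def wrap_ki(ki: bytes) -> bytes:
    # KI <-> EKI under the CA master key (XOR, so the same call unwraps).
    return bytes(a ^ b for a, b in zip(ki, CA_MASTER_KEY))


@dataclass
class CARecord:
    eki: bytes                          # KI wrapped under the CA master key
    validate: bool                      # Validate=Y (activated) / N (card not opened)
    server_result: Optional[bytes] = None


class CAServer:
    def __init__(self) -> None:
        self.db: Dict[bytes, CARecord] = {}

    def provision(self, iccid_code: bytes, validate: bool) -> None:
        self.db[iccid_code] = CARecord(wrap_ki(derive_ki(iccid_code)), validate)

    def challenge(self, iccid_code: bytes) -> Optional[bytes]:
        # Step 2: require Validate=Y, unwrap EKI to KI, store Enc_KI(Random), return Random.
        rec = self.db.get(iccid_code)
        if rec is None or not rec.validate:
            return None
        random_value = secrets.token_bytes(16)
        rec.server_result = encrypt_with_ki(wrap_ki(rec.eki), random_value)
        return random_value

    def cross_check(self, iccid_code: bytes, client_result: bytes) -> bool:
        # Step 3: compare Server Result with the forwarded Client Result, then clear it.
        rec = self.db.get(iccid_code)
        if rec is None or not rec.validate or rec.server_result is None:
            return False
        ok = hmac.compare_digest(rec.server_result, client_result)
        rec.server_result = None        # next login must obtain a fresh Random
        return ok


def card_respond(iccid_code: bytes, random_value: bytes) -> bytes:
    # IC card firmware: derive KI locally (unchecked here) and return Enc_KI(Random).
    return encrypt_with_ki(derive_ki(iccid_code), random_value)


class APServer:
    def __init__(self, ca: CAServer, users: Dict[str, Tuple[bytes, int]]) -> None:
        self.ca = ca
        self.users = users              # username -> (sha256(password), expiry day)

    def login(self, username: str, password: str, iccid_code: bytes,
              client_result: bytes, today: int) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        if not hmac.compare_digest(rec[0], hashlib.sha256(password.encode()).digest()) \
                or today > rec[1]:
            return False                # wrong password or expired account
        return self.ca.cross_check(iccid_code, client_result)


def full_login(fingerprint_ok: bool, iccid_code: bytes, ca: CAServer, ap: APServer,
               username: str, password: str, today: int) -> Optional[bytes]:
    # Runs steps 1-3; returns the Client Result used on success, else None.
    if not fingerprint_ok:              # step 1: fingerprint center rejected
        return None
    random_value = ca.challenge(iccid_code)
    if random_value is None:
        return None
    client_result = card_respond(iccid_code, random_value)
    if not ap.login(username, password, iccid_code, client_result, today):
        return None
    return client_result


def demo() -> Dict[str, bool]:
    ca = CAServer()
    good, unopened = b"constructed-ICCID-0001", b"constructed-ICCID-0002"
    ca.provision(good, validate=True)
    ca.provision(unopened, validate=False)
    ap = APServer(ca, {"alice": (hashlib.sha256(b"correct horse").digest(), 365)})
    first = full_login(True, good, ca, ap, "alice", "correct horse", today=10)
    out = {"good_login": first is not None}
    out["wrong_password"] = full_login(True, good, ca, ap, "alice", "wrong", 10) is None
    out["unopened_card"] = full_login(True, unopened, ca, ap, "alice", "correct horse", 10) is None
    # A captured Client Result is stale: the CA cleared its Server Result and
    # any new challenge is bound to a different Random.
    ca.challenge(good)
    out["stale_result_rejected"] = not ap.login("alice", "correct horse", good, first, 10)
    return out
```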

Moreover, the IC card and fingerprint scanner design used with the present invention further enables application website server (AP Server) operators to control traffic effectively, establish a grading system and manage privileges, and prevent malicious hacker intrusion and damage; its future development potential is very broad.

In addition, a flash memory with an IC card and an IC card reader device (Reader) installed in it means that data need not be stored only on a fixed hard disk, which gives data access greater confidentiality, security, mobility and uniqueness. As the credential for legitimate use, its hardware takes the form of an ordinary access-control key, and this mode of use is more acceptable to ordinary users than that of typical encryption and decryption technology products, whose procedures are so complex that ordinary people, finding them inconvenient, give up using the encryption and decryption functions and so negate the convenience that technology brings.

Furthermore, another added value of the authentication hardware combining an IC card and a fingerprint scanner adopted by the present invention is that, like a personal private key, it can also protect a stand-alone system when not connected to the Internet. When the user uses a public computer shared by many people, such as an office computer or a computer in a school computer classroom, the present invention can also be used to set read permissions on personal files, which can be unlocked only through the present invention, so that personal data can be protected conveniently, securely and thoroughly; the usage rights of peripheral hardware can even be locked so that persons without usage rights are barred from using it.

Based on the foregoing, the present invention, through the several encryption, decryption and encoding protective operations described above, can ensure the security of the user's login authentication on a website and prevent the leakage of the user's private data, and the CA identity authentication server can also appropriately control traffic, manage privileges and establish a grading system for website operators, providing a more secure network environment. Moreover, for those willing to provide services in the network environment, the establishment of this mechanism gives their services a firmer basis for receiving equivalent compensation, further providing quality services in the network environment and making network transactions more consistent with the principles of fair trade.

It also uses IC card and fingerprint scanner authentication hardware to exercise effective authorization control, and applies a special encoding and decoding operation to stored files, so that data access gains confidentiality, security, mobility and uniqueness (only the legitimate user can use the stored files), thereby avoiding the current disorder in which peer-to-peer P2P (Peer to Peer) transmission on the Internet skirts the edge of intellectual property law, so that the holders of lawful copyrights and intellectual property rights do not suffer great losses.

<<Effects Relative to the Prior Art>>

In the data storage application, IC card, fingerprint identification authentication hardware and process flow method of the present invention, the user connects with a browser to the Web Server website to perform the relevant operations, and the authentication program then sends each request to the certificate server system and the fingerprint recognition center. Confirmation of the user's credentials and related functions can be performed very easily, and the Web Server network server-side authentication program system is simple to install, making the application easy to carry out.

Compared with existing methods of user login to ordinary application website servers (AP Server), the present invention uses an IC card to store the user's private authentication data together with an identity check code ICCID, and at the same time uses a fingerprint scanner to obtain a fingerprint that is checked and authenticated by a fingerprint recognition center. This IC card and fingerprint scanner are installed on a flash memory (thumb drive) that is generally compatible with a computer USB interface to serve as authentication hardware, together with an authentication program on the ordinary application website server (AP Server) side and a plug-in authentication program in the output software. When the user logs in over the network with a user name and password using this authentication hardware, several encryption, decryption and encoding protective operations ensure the security of the user's login authentication on the website, prevent the leakage of the user's private data, and can appropriately control traffic for website operators,
Compared with the existing method applied to the general application website server (APS erver) user login system, the present invention uses an IC card to store the user's private authentication data and an identity check password ICCID, and also uses a fingerprint scan The scanner obtains the fingerprint and verifies the authentication through the fingerprint recognition center. Then the 1C card and the fingerprint scanner are installed on the flash memory (USB flash drive) generally compatible with the USB interface of the computer as the authentication hardware. The authentication program is on the general application website server (AP Server) side and an external authentication program is on the output software. When a user uses this authentication hardware to log on to his user name and password on the Internet, it is protected by encryption and decryption through several channels. Actions to ensure the security of user login authentication on the website, and to prevent the leakage of user's private information, and to properly control traffic,

第17頁 200539045 五、發明說明(14) 管理權限並建立分級制度,並提供更安全的網路環境。 另搭配上1C卡讀取裝置(Reader)之認證硬體亦可用來 當做儲存媒介,而不會使得資料只能存放於單一台電腦固 定式之硬碟中,並可將儲存的檔案做一特殊的編解碼動 作,使之更具有資料存取的保密性、安全性及機動性並唯 一性(唯有合法使用者才能使用其儲存的檔案)。 【實施方式】 以下配合圖示對本發明的實施方式做進一步的說明後 當更能明瞭。 第一圖為本發明之步驟流程圖,圖中包含a、b、c、 d、e五個主要步驟: 步驟a :使用者使用裝置係一 I C卡與指紋掃瞄器之結合, 並將此裝置插入一 1C卡讀取裝置(Reader),於此時使用者 先將指紋透過指紋掃瞄器掃瞄資料透過網際網路送至指紋 辨識中心中,透過指紋辨識中心認證使用者身份,經過指 定比對次數内認證通過後即通過第一層認證; 步驟b :當通過指紋辨識的低一層認證後會要求登入會 員,輸入使用者名稱(Username)及密碼(Password)進入指 定欄位,並按登錄鍵(Login); 步驟c :利用I C卡内嵌程式將其登錄流程導至C A身份認證 伺服器,並將1C卡内建之ICCID暗碼傳至CA身份認證伺服 器,透過CA身份認證伺服器特殊的程式來判定認證硬體上 之I C卡是否合法及審核權限,正確則在C A身份認證伺服器Page 17 200539045 V. Description of the invention (14) Manage authority and establish a hierarchical system, and provide a more secure network environment. In addition, the certified hardware with 1C card reading device (Reader) can also be used as a storage medium without causing the data to be stored in a single computer's fixed hard disk, and the stored file can be made a special Encoding and decoding operations, making it more confidential, secure, mobile and unique in data access (only legitimate users can use their stored files). [Embodiment] The following description of the embodiment of the present invention will be made clearer with reference to the drawings. The first diagram is a flowchart of the steps of the present invention. The diagram includes five main steps: a, b, c, d, and e: Step a: The user uses the device as a combination of an IC card and a fingerprint scanner. The device is inserted into a 1C card reading device (Reader). At this time, the user first sends the fingerprint through the fingerprint scanner to the fingerprint recognition center via the Internet. 
The user is authenticated through the fingerprint recognition center and designated After passing the verification within the number of comparisons, the first-level authentication will be passed; Step b: After passing the lower-level authentication of fingerprint identification, the user will be required to log in, enter the Username and Password to enter the designated fields, and press Login key; Step c: Use the IC card embedded program to guide its login process to the CA identity authentication server, and pass the ICCID password built in the 1C card to the CA identity authentication server, and pass the CA identity authentication server Special program to determine whether the IC card on the authentication hardware is legal and the audit authority. If it is correct, it is on the CA identity authentication server.

第18頁Page 18

200539045 五、發明說明(15) 資料庫上記錄其登入次數,產生一認證硬體認證成功之憑 藉(S e r v e r R e s u 1 t),並回傳解碼過程中所產生之隨機亂 數值(Random)至1C卡; 步驟d ··前述步驟正確後,I C卡利用I C卡内嵌程式將取得 之隨機亂數值(Random)用來解碼内建之ICCID暗碼,並產 生一 I C卡認證之憑藉(C 1 i e n t R e s u 11),並將其登錄流程 導至應用網站伺服器(AP Server),並將ICCID暗碼、IC卡 認證之憑藉(Client Result),使用者輸入資訊一併傳至 應用網站伺服器(A P S e r v e r ),讓應用網站伺服器(A P200539045 V. Description of the invention (15) Record the number of logins on the database, generate a certificate of successful authentication (Server R esu 1 t), and return the random random value (Random) generated in the decoding process to 1C card; Step d · After the previous steps are correct, the IC card uses the IC card embedded program to obtain the random random value (Random) to decode the built-in ICCID password, and generates an IC card authentication by virtue of (C 1 ient Resu 11), and directs its registration process to the application server (AP Server), and passes the ICCID password and IC card authentication (Client Result), and the user enters the information to the application server (APS) erver) for the application web server (AP

Server)依其資料庫判定使用者輸入的資訊是否正確,並〇 查詢使用期限(avail date); 步驟e :前述步驟正確後,應用網站伺服器(AP Server)將 所接受之丨^^暗碼及“卡認證之憑藉“丨“^^別丨”傳 至C A身份認證伺服器以供再次解密確認認證硬體及使用者 資訊的正確性。 茲將以上步驟做一詳細說明如下:Server) according to its database to determine whether the information entered by the user is correct and query the availability date; Step e: After the previous steps are correct, the application server (AP Server) will accept the accepted code and the ^^ password and "With card authentication," 丨 ^^ 别 丨 "is transmitted to the CA identity authentication server for decryption again to confirm the correctness of the authentication hardware and user information. The above steps are described in detail as follows:

Step a means: the user places a fingertip squarely on the scanner area of the fingerprint scanner so it can be scanned; the scanned fingerprint is encrypted and sent as a packet to the fingerprint identification center, which compares the received fingerprint to check whether the user's identity is correct. If it is wrong, an encrypted packet carrying an error message is sent back so the user knows, and the user must rescan the fingerprint and send a new encrypted packet to the fingerprint identification center for authentication. The number of authentication attempts can be limited to increase security. Once the identity is confirmed, the next step may begin. This is the first authentication process.

Step b means: the user has an IC card with a built-in identity check secret code ICCID and an international check code GLN. The IC card is placed in an IC card reader (Reader) and mounted on a flash memory device (thumb drive) compatible with an ordinary computer USB interface to serve as the authentication hardware. Using this authentication hardware, the user goes online, enters the Username and Password, and presses the Login key.

Step c means: after the user enters the Username and Password, the program embedded in the IC card first directs the login flow to the CA identity authentication server for encryption and decryption. A special process first decrypts the value of the ICCID secret code and uses it to look up the CA identity authentication database; once the EKI corresponding to that ICCID and authorised (Validate = Y) is found, it is decrypted to obtain KI. A random value (Random) is generated and encrypted with KI, and the result is stored in the database of the CA identity authentication server. This encrypted result is the proof that hardware authentication succeeded (Server Result). It can also be used to record how many times the user has logged in with this authentication hardware, to confirm that the authentication hardware is legitimate, whether the ICCID secret code has the right to log in to the website, and how large the granted permissions are. After hardware authentication passes, the CA identity authentication server sends the generated random value (Random) back to the IC card as the KEY, to be used for cross-comparison with the CA identity authentication server after the application web server (AP Server) side has passed the second authentication step. If the ICCID secret code held in the IC card on the authentication hardware is not authorised in the comparison (Validate = N, card not activated), the system informs the user that hardware authentication failed and the user loses the right to log in. This is the second authentication process.

Step d means: once the second authentication process succeeds, the application web server (AP Server) first receives from the IC card the KEY value sent by the CA identity authentication server, the ICCID secret code, and the Username and Password the user entered, and then the flow is directed to the AP Server to check whether the Username and Password are correct and whether the user's valid period of use has expired.

Step e means: if the comparison in step d is correct, the KEY value and the ICCID secret code are sent back to the CA identity authentication server for encryption and decryption. A special process first decrypts the value of the ICCID secret code and uses it to look up the CA identity authentication database; once the EKI corresponding to that ICCID and authorised (Validated) is found, the KEY value is used to decrypt the EKI value and the result is compared with the Server Result. If they match, the third authentication step passes; only when the cross-comparison confirms that the user is a legitimate registrant may the user pass through the member login portal with legitimate permissions and proceed to the next Web Page, and the Server Result held on the CA identity authentication server is cleared so that a new Server Result can be generated and stored temporarily at the user's next login. If the comparison fails, the application web server (AP Server) is told that the ICCID secret code of the authentication hardware is wrong, authentication fails, and the user loses the right to log in. This is the third authentication process.

Figure 2 is a schematic diagram of the physical IC card authentication flow of the present invention and shows how the flow is directed during actual authentication. Apart from fingerprint authentication, the user passes through five routes from login to successful formal authentication; please refer to the figure. In route 1 the user uses the authentication hardware device, IC card 10, to log in with member data at the Member Login window of the Web Server 30 web page. After entering the Username and Password the user presses the Login key; the program embedded in the IC card first directs the login flow to CA identity authentication server 20 and transmits the ICCID secret code built into the IC card to CA identity authentication server 20 for encryption and decryption. Authentication flow 1 (Winsock) of CA identity authentication server 20 is now performed: within it a special process first decrypts the value of the ICCID secret code and uses it to look up the CA identity authentication database; once the EKI corresponding to that ICCID and authorised (Validated) is found, it is decrypted to obtain KI, a random value (Random) is generated and encrypted with KI, and the result is stored in the database of the CA identity authentication server. This encrypted result is the proof that hardware authentication succeeded (Server Result); it can also be used to record how many times the user has logged in with this authentication hardware, to confirm that the authentication hardware is legitimate, whether the ICCID secret code has the right to log in to the website, and how large the granted permissions are. As soon as hardware authentication is complete, route 2 is triggered: the random value (Random) generated by the CA identity authentication server is sent back to the IC card. When the IC card receives this random value (Random), the program embedded in the IC card first decrypts the built-in ICCID secret code to obtain a KI value <<the KI value here is not itself checked for whether it belongs to authorised authentication hardware; the rights of review and comparison rest with the CA identity authentication server>>, and then uses it to encrypt the received random value (Random), producing the proof of IC card authentication (Client Result), which the application web server (AP Server) side uses for cross-comparison with the CA identity authentication server during the third authentication step. If the ICCID secret code held in the IC card on the authentication hardware is not authorised in the comparison (Validate = N, card not activated), the system informs the user that hardware authentication failed and the user loses the right to log in.

If the second authentication process succeeds, route 3 is triggered: the application web server (AP Server) first receives the ICCID secret code and the proof of IC card authentication (Client Result) from the IC card, together with the Username and Password the user entered. The AP Server first checks against its own database whether the Username and Password are correct and whether the user's valid period of use has expired. If the comparison is correct, route 4 triggers authentication flow 2: the ICCID secret code and the proof of IC card authentication (Client Result) are sent back to the CA identity authentication server for cross-comparison. A special process first decrypts the value of the ICCID secret code and uses it to look up the CA identity authentication database; once the Server Result belonging to that ICCID and authorised (Validate = Y) authentication hardware is found, the Server Result is compared with the Client Result. If they match, the third authentication step passes and route 5 is triggered: only when the cross-comparison confirms that the user is a legitimate registrant may the user pass through the member login portal with legitimate permissions and proceed to the next Web Page, and the Server Result held on the CA identity authentication server is cleared. This is the final step, route 5. If the comparison fails, the AP Server is told that the ICCID secret code of the authentication hardware is wrong, authentication fails, and the user loses the right to log in.

Figure 3 is a schematic diagram of the physical file download flow of the present invention and is an outline of Figure 2. It shows clearly how the flow is directed when a file is downloaded: from user login to completed formal login there are four routes, of which route 2 is the authentication mechanism (see Figure 2).

Figure 4 is a flowchart of the file-opening steps of the present invention. As the figure shows, to open an encoded file the user must first insert the original authentication hardware into the computer's USB connector or the USB connector of another player. When the MP3 playback software or application software is opened and fingerprint authentication has passed, the program embedded in the IC card first transmits the built-in ICCID secret code to the plug-in authentication program, or to MP3 playback or application software that already contains the authentication code, where it is decoded and the correctness of the authentication hardware is determined <step.1>; the authentication result is then returned to the MP3 playback software or application software <step.2>. If authentication passes and the authentication hardware is legitimate, the program embedded in the IC card decodes the file to be opened <step.3>, and the MP3 playback software or application software opens the decoded file for use <step.4>. If authentication of the hardware fails, an error message is produced telling the user that the ICCID of the authentication hardware is wrong and authentication has failed.
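The three-party exchange of steps c, d and e (CA identity authentication server, IC card, AP Server) as an added, runnable simulation; it is not code from the patent. The patent leaves its "special process" ciphers unspecified, so the ICCID obfuscation and EKI storage use a constructed XOR keystream, "encrypting Random with KI" is modelled as an HMAC, the card simply holds KI, and all ICCIDs, users and dates are constructed. It goes one step beyond the text by also showing why the Server Result should be consumed after each step e, so a captured Client Result cannot be replayed.

```python
import hmac
import hashlib
import secrets
from datetime import date

# Toy primitives standing in for the patent's unspecified "special process" (constructed).
def xor_stream(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: XOR with an HMAC-SHA256 counter keystream (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()  # "encrypt Random with KI" (assumption)

class CAServer:
    """CA identity authentication server: ICCID -> (EKI, Validate, login count), plus Server Results."""
    def __init__(self):
        self.master = secrets.token_bytes(32)   # EKI = Enc_master(KI)
        self.obf_key = secrets.token_bytes(32)  # ICCID secret code = Enc_obf(ICCID)
        self.records = {}                       # iccid -> {"eki", "validate", "logins"}
        self.server_results = {}                # iccid -> Server Result awaiting step e

    def enrol(self, iccid: str, ki: bytes, validate: str) -> bytes:
        """Registers a card and returns the obfuscated ICCID secret code burnt into it."""
        self.records[iccid] = {"eki": xor_stream(self.master, ki), "validate": validate, "logins": 0}
        return xor_stream(self.obf_key, iccid.encode())

    def _iccid(self, iccid_code: bytes) -> str:
        return xor_stream(self.obf_key, iccid_code).decode(errors="replace")

    def step_c(self, iccid_code: bytes):
        """Hardware authentication: returns Random (the KEY sent back to the card) or None."""
        iccid = self._iccid(iccid_code)
        rec = self.records.get(iccid)
        if rec is None or rec["validate"] != "Y":  # Validate = N: card never activated
            return None
        ki = xor_stream(self.master, rec["eki"])   # decrypt EKI -> KI
        random = secrets.token_bytes(16)
        self.server_results[iccid] = mac(ki, random)  # Server Result
        rec["logins"] += 1
        return random

    def step_e(self, iccid_code: bytes, client_result: bytes) -> bool:
        """Cross-comparison: Client Result must match the stored Server Result. The patent clears it on
        success; here it is consumed on every attempt so a captured Client Result cannot be replayed."""
        expected = self.server_results.pop(self._iccid(iccid_code), None)
        return expected is not None and hmac.compare_digest(expected, client_result)

class ICCard:
    """Authentication hardware; KI recovery from the ICCID code is unspecified, so KI is held directly."""
    def __init__(self, iccid_code: bytes, ki: bytes):
        self.iccid_code, self._ki = iccid_code, ki

    def step_d(self, random: bytes) -> bytes:
        return mac(self._ki, random)  # Client Result

class APServer:
    """Application web server: checks Username/Password and avail date, then asks the CA for step e."""
    def __init__(self, ca: CAServer):
        self.ca, self.users = ca, {}  # username -> (password hash, avail date)

    def register(self, username: str, password: str, avail: date):
        self.users[username] = (hashlib.sha256(password.encode()).digest(), avail)

    def login(self, username, password, iccid_code, client_result, today) -> str:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0], hashlib.sha256(password.encode()).digest()):
            return "bad credentials"
        if today > rec[1]:
            return "expired"
        return "ok" if self.ca.step_e(iccid_code, client_result) else "hardware ICCID mismatch"

def login_flow(card, ca, ap, username, password, today=date(2005, 1, 1)) -> str:
    random = ca.step_c(card.iccid_code)           # step c: CA hardware check, Random returned as KEY
    if random is None:
        return "hardware authentication failed"
    return ap.login(username, password, card.iccid_code, card.step_d(random), today)  # steps d, e

def demo() -> dict:
    """One legitimate card plus the failure cases the patent describes (constructed data)."""
    ca = CAServer(); ap = APServer(ca)
    ap.register("alice", "correct horse", date(2005, 12, 31))
    ki = secrets.token_bytes(32)
    good = ICCard(ca.enrol("ICCID-0001", ki, "Y"), ki)
    dormant = ICCard(ca.enrol("ICCID-0002", secrets.token_bytes(32), "N"), secrets.token_bytes(32))
    clone = ICCard(good.iccid_code, secrets.token_bytes(32))  # copied ICCID code, wrong KI
    out = {"good": login_flow(good, ca, ap, "alice", "correct horse"),
           "unactivated": login_flow(dormant, ca, ap, "alice", "correct horse"),
           "wrong_password": login_flow(good, ca, ap, "alice", "wrong"),
           "expired": login_flow(good, ca, ap, "alice", "correct horse", date(2006, 6, 1)),
           "cloned_card": login_flow(clone, ca, ap, "alice", "correct horse")}
    cr = good.step_d(ca.step_c(good.iccid_code))  # replay: reuse a Client Result after step e consumed it
    ap.login("alice", "correct horse", good.iccid_code, cr, date(2005, 1, 1))
    out["replay"] = ap.login("alice", "correct horse", good.iccid_code, cr, date(2005, 1, 1))
    return out
```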

Figure 5 is a schematic diagram of the physical file-opening flow of the present invention and is an outline of Figure 4. It shows clearly how the flow is directed when a file is opened: from the moment the user inserts the authentication hardware into the computer's USB connector or the USB connector of another player and opens the MP3 playback software or application software, until the file is correctly opened, there are five routes, of which route 2 is the plug-in authentication program, or the MP3 playback or application software that already contains the authentication code, decoding the ICCID and determining the correctness of the authentication hardware.

In summary, the data storage application authentication process and IC card authentication hardware provided by the present invention can replace the existing login model of application web servers (AP Server). They use an IC card with a built-in identity check secret code ICCID and an international check code GLN, mounted on a flash memory device (thumb drive) compatible with an ordinary computer USB interface, as the authentication hardware. When the user logs in with this authentication hardware, several rounds of encryption and decryption and a cross-comparison system between the destination server and the authentication server effectively confirm the user's legitimacy and control traffic. Furthermore, another added value of the IC card authentication hardware adopted by the present invention is that it acts like a personal private key, offering high protection and high security, a wide range of applications, and an unprecedented design. In addition, the present invention allows website operators who provide copyrighted or intellectual-property files (such as record companies) to exercise effective authorisation control, avoiding the present disorder in which peer-to-peer (P2P) transmission on the Internet lets users upload, download and share copyrighted or intellectual-property files (such as a singer's MP3s) at the edge of intellectual property law, which seriously damages the rights of legitimate businesses (the owners of copyright and intellectual property). It is a design urgently needed today and satisfies the requirements for an invention patent; the Office is respectfully requested to examine it in detail and grant the patent, to the benefit of the public and the nation.

The techniques, drawings, programs and control methods described above are only one of the preferred embodiments of the present invention; any equivalent change or modification made according to the technology within the patent claims of the present invention, or any similar product that extracts part of its functions, remains within the scope covered by the patent rights of the present invention, and the scope of implementation of the present invention is not to be limited by the above.

【Brief description of the drawings】

Figure 1 is a flowchart of the steps of the present invention;
Figure 2 is a schematic diagram of the physical IC card authentication flow of the present invention;
Figure 3 is a schematic diagram of the physical file download flow of the present invention;
Figure 4 is a flowchart of the file-opening steps of the present invention;
Figure 5 is a schematic diagram of the physical file-opening flow of the present invention.

【Description of reference numerals】

10 authentication hardware
20 CA identity authentication server
30 application web server

Claims (1)

200539045 六、申請專利範圍 1 . 一種資料儲存應用、I c卡、指紋辨識認證硬體及流程方 法,主要的特徵係利用一指紋掃瞄器取得指紋透過全球指 紋辨識中心之認證通過,再配合一 I C卡内建一身份核對暗 碼I C C I D及一國際核對碼G L N,將此I C卡置入一 I C卡讀取裝 置(Reader)内,並將兩者裝置於一般相容於電腦之硬體 上,當做認證硬體,主要包含下列步驟: 步驟a :使用者使用裝置係一 I C卡與指紋掃瞄器之結合, 並將此裝置插入一 1C卡讀取裝置(Reader),於此時使用者 先將指紋透過指紋掃瞄器掃瞄資料透過網際網路送至指紋 辨識中心中,透過指紋辨識中心認證使用者身份,經過指 定比對次數内認證通過後即通過第一層認證; 步驟b :當通過指紋辨識的低一層認證後會要求登入會 員,輸入使用者名稱(Username)及密碼(Password)進入指 定欄位,並按登錄鍵(Log in); 步驟c :利用1C卡内嵌程式將其登錄流程導至CA身份認證 伺服器,並將1C卡内建之ICCID暗碼傳至CA身份認證伺服 器,透過C A身份認證伺服器特殊的程式來判定認證硬體上 之I C卡是否合法及審核權限,此為第二層認證,正確則在 C A身份認證伺服器資料庫上記錄其登入次數,產生一認證 硬想認證成功之憑藉(S e r v e r R e s u 11),並回傳解碼過程 中所產生之隨機亂數值(Random)至IC卡; 步驟d :前述步驟正確後,1C卡利用1C卡内嵌程式將取得 之隨機亂數值(Random)用來解碼内建之ICCID暗碼,並產 生一 I C卡認證之憑藉(C 1 i e n t R e s u 11),並將其登錄流程200539045 VI. Scope of Patent Application 1. A data storage application, IC card, fingerprint recognition and authentication hardware and process method, the main characteristics are that a fingerprint scanner is used to obtain fingerprints and passed the certification of the Global Fingerprint Identification Center. The IC card has a built-in identity verification code ICCID and an international verification code GLN. This IC card is placed in an IC card reading device (Reader), and the two devices are installed on a computer-compatible hardware. The authentication hardware mainly includes the following steps: Step a: The user uses a device that is a combination of an IC card and a fingerprint scanner, and inserts the device into a 1C card reader (Reader). At this time, the user first The fingerprint is scanned by the fingerprint scanner and sent to the fingerprint recognition center through the Internet. The user identity is authenticated through the fingerprint recognition center. After passing the specified number of comparisons, the user passes the first-level authentication. 
Step b: After passing the lower-level fingerprint recognition, the user is asked to log in as a member: the username and password are entered in the designated fields and Login is pressed;
Step c: The embedded program of the IC card directs the registration process to the CA authentication server and passes the ICCID password built into the IC card to it, so that the CA authentication server can determine whether the IC card in the authentication hardware is legal and audit its authority. This is the second-level authentication. If it is correct, the number of logins is recorded in the database of the CA identity authentication server, a server authentication credential (Server Result) is produced, and the random value (Random) generated during the decoding process is returned to the IC card;
Step d: After the preceding steps are correct, the embedded program of the IC card uses the random value (Random) to decode the built-in ICCID password, generates an IC card authentication credential (Client Result), directs the registration process to the application website server (AP Server), and sends the ICCID password, the IC card authentication credential (Client Result) and the information entered by the user together to the AP Server, which checks against its database whether the information entered by the user is correct and queries the period of use;
Step d: After the preceding steps are correct, the application website server (AP Server) passes the received ICCID password and IC card authentication credential (Client Result) to the CA identity authentication server for decryption again, to confirm the correctness of the authentication hardware and of the user information.

2. The data storage application, IC card, fingerprint recognition authentication hardware and process method of claim 1, wherein the authentication hardware in which the IC card and fingerprint scanner are installed may be hardware with a USB interface.
3. The data storage application, IC card, fingerprint recognition authentication hardware and process method of claim 1, wherein the authentication hardware in which the IC card and fingerprint scanner are installed may be hardware with a wireless USB interface.
4. The data storage application, IC card, fingerprint recognition authentication hardware and process method of claim 1, wherein the authentication hardware in which the IC card is installed may be a flash memory.
5. The data storage application, IC card, fingerprint recognition authentication hardware and process method of claim 1, wherein the fingerprint scanner is a CCD fingerprint scanner.
6. The data storage application, IC card, fingerprint recognition authentication hardware and process method of claim 1, wherein the fingerprint scanner is a CMOS fingerprint scanner.
7. The data storage application, IC card, fingerprint recognition authentication hardware and process method of claim 1, wherein the fingerprint scanner is a CMOS capacitive fingerprint scanner.
8. The data storage application, IC card, fingerprint recognition authentication hardware and process method of claim 1, wherein the fingerprint scanner is a CMOS resistive fingerprint scanner.
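The multi-level flow of claim 1 (fingerprint gate, CA challenge with login count, Client Result, AP Server member and period-of-use check, CA re-verification) as an added Python example; this is not code from the patent. The fingerprint check is modelled as a boolean gate, the patent's unspecified "decode the ICCID password with the random value" is replaced by an HMAC challenge-response over a card secret, and every ICCID, secret, member name and date is a constructed sample value.

```python
import datetime, hashlib, hmac, secrets
class CAServer:  # CA identity authentication server: second-level check (step c) and re-check (step d)
    def __init__(self, cards):
        self.cards = dict(cards)      # ICCID -> card secret, standing in for the ICCID password
        self.pending = {}             # ICCID -> outstanding random value (Random)
        self.login_count = {}         # ICCID -> number of logins recorded, as in step c
    def challenge(self, iccid):
        if iccid not in self.cards:
            return None               # card is not legal: the flow stops here
        nonce = secrets.token_bytes(16)
        self.pending[iccid] = nonce
        self.login_count[iccid] = self.login_count.get(iccid, 0) + 1
        return nonce                  # the random value handed back to the IC card
    def verify(self, iccid, client_result):
        nonce = self.pending.pop(iccid, None)   # one-shot: a replayed Client Result fails
        if nonce is None:
            return False
        expected = hmac.new(self.cards[iccid], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, client_result)

class ICCard:  # embedded program: derives the Client Result from the card secret and Random
    def __init__(self, iccid, secret):
        self.iccid, self.secret = iccid, secret
    def client_result(self, nonce):
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()

class APServer:  # application website server: member data, period of use, then CA re-check
    def __init__(self, members, ca):
        self.members, self.ca = members, ca   # username -> (password, expiry date)
    def login(self, username, password, iccid, client_result, today):
        rec = self.members.get(username)
        if rec is None or not hmac.compare_digest(rec[0], password) or today > rec[1]:
            return False
        return self.ca.verify(iccid, client_result)

def authenticate(fingerprint_ok, card, username, password, ap, today):
    if not fingerprint_ok:            # step b is reached only after fingerprint recognition
        return False
    nonce = ap.ca.challenge(card.iccid)
    if nonce is None:
        return False
    return ap.login(username, password, card.iccid, card.client_result(nonce), today)

def demo():  # constructed sample: one legal card and member, one clone with a wrong secret
    ca = CAServer({"8988600000001": b"card-secret-A"})
    ap = APServer({"alice": ("pw-alice", datetime.date(2030, 1, 1))}, ca)
    good, clone = ICCard("8988600000001", b"card-secret-A"), ICCard("8988600000001", b"guessed")
    args = ("alice", "pw-alice", ap, datetime.date(2025, 1, 1))
    return (authenticate(True, good, *args), authenticate(True, clone, *args),
            authenticate(False, good, *args))
```

Because the CA only honours a Client Result for a nonce it has outstanding, a captured Client Result cannot be resubmitted, and a card with a copied ICCID but the wrong secret fails at the AP Server's re-verification step.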
TW93114830A 2004-05-25 2004-05-25 Data storage application, IC card, fingerprint scanner authentication hardware and process flow method TW200539045A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW93114830A TW200539045A (en) 2004-05-25 2004-05-25 Data storage application, IC card, fingerprint scanner authentication hardware and process flow method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW93114830A TW200539045A (en) 2004-05-25 2004-05-25 Data storage application, IC card, fingerprint scanner authentication hardware and process flow method

Publications (1)

Publication Number Publication Date
TW200539045A true TW200539045A (en) 2005-12-01

Family

ID=52349118

Family Applications (1)

Application Number Title Priority Date Filing Date
TW93114830A TW200539045A (en) 2004-05-25 2004-05-25 Data storage application, IC card, fingerprint scanner authentication hardware and process flow method

Country Status (1)

Country Link
TW (1) TW200539045A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI554962B (en) * 2015-07-27 2016-10-21 Yi-Ting Huang Membership card sharing system
US9792516B2 (en) 2016-01-26 2017-10-17 Next Biometrics Group Asa Flexible card with fingerprint sensor
US10055664B2 (en) 2016-01-26 2018-08-21 Next Biometrics Group Asa Flexible card with fingerprint sensor

Similar Documents

Publication Publication Date Title
JP6606156B2 (en) Data security service
EP1498800B1 (en) Security link management in dynamic networks
US6678821B1 (en) Method and system for restricting access to the private key of a user in a public key infrastructure
US7409543B1 (en) Method and apparatus for using a third party authentication server
US6134327A (en) Method and apparatus for creating communities of trust in a secure communication system
JP6678457B2 (en) Data security services
CN104662870A (en) Data security management system
US20050066199A1 (en) Identification process of application of data storage and identification hardware with IC card
US20150121504A1 (en) Identification process of application of data storage and identification hardware with ic card
TWI328956B (en)
US20100058453A1 (en) Identification process of application of data storage and identification hardware with ic card
WO2005041482A1 (en) An authentication method for information storing application and a ic card authentication hardware
TW200539045A (en) Data storage application, IC card, fingerprint scanner authentication hardware and process flow method
KR100559152B1 (en) Method and apparatus for maintaining the security of contents
WO2005041481A1 (en) A method of internet clearance security certification and ic card certification hardware
TW200941996A (en) Using mobile device to construct a secure E-DRM method
JP2006074487A (en) Authentication managing method and authentication management system
JP2007201685A (en) Secure information-content disclosure method using certification authority
WO2006039832A1 (en) Authentication method for storage and application of data, ic card, fingerprint scanner
CN1612148A (en) Data storage and application authentication method and IC card authentication hardware
CN117914601B (en) Multistage safety authentication and access control system of file robot
US11218472B2 (en) Methods and systems to facilitate establishing a connection between an access-seeking device and an access granting device
JP2014081887A (en) Secure single sign-on system and program
Millman Authentication and Authorization
Nagar et al. A secure authenticate framework for cloud computing environment