201105082
VI. Description of the Invention

[Technical Field of the Invention]
The present invention relates to an authentication method, and more particularly to a method by which a server authenticates the identity of a client, so that a user can obtain the right to use that server or another system, or carry out network transactions.

[Prior Art]
Because they are simple, conventional passwords have always been the most basic form of identity authentication in computer use. Precisely because they are simple, however, conventional passwords are easily observed, guessed, or defeated by Trojan programs, phishing and similar techniques.

To address these problems, various identity security technologies such as PKI and OTP have been proposed to further safeguard the security of users and systems. Each of these known authentication methods has its own advantages and features, but two main shortcomings remain: (1) the client must use additional electronic devices, such as a chip card with a card reader or a password generator, before authentication can take place, so the barrier to use is high and operation is inconvenient, which hinders adoption; (2) some authentication technologies still have security weaknesses, for example OTP cannot prevent phishing. These known authentication methods therefore still cannot fully prevent the various kinds of network attack.

In view of this, there is a genuine need for an innovative identity authentication method that solves the security problem of network authentication in a simple and low-cost way.

[Summary of the Invention]
Accordingly, an object of the present invention is to provide an identity authentication method and apparatus that is simple, low-cost and easy to operate, and that resolves the network identity security problems of systems and users.

To achieve the above object, the identity authentication method of the present invention can be applied where a first electronic device needs to authenticate a second electronic device. The method causes the first electronic device to generate a decoding table and provide it to the second electronic device. The decoding table consists of m rows × n columns of symbols of a first kind, where the m rows are labelled by m different symbols of a second kind and the n columns are labelled by n different symbols of a third kind. When the second electronic device requests authentication, the first electronic device selects from the m second-kind symbols and the n third-kind symbols to compose p query codes, which it sends to the second electronic device; each query code contains at least one symbol code made up of one second-kind symbol and one third-kind symbol, and according to the decoding table each symbol code corresponds to one of the first-kind symbols. The second electronic device selects q query codes from the p it received and, according to the decoding table, returns to the first electronic device the q answer codes corresponding to those q query codes. The first electronic device then judges whether the q answer codes it received all exist among the p first-kind symbols corresponding to the p query codes; if so, it determines that the second electronic device has passed authentication, where m, n, p > 2 and q > 1.

Furthermore, the present invention provides an identity authentication apparatus that implements the above method and communicates with a client in order to authenticate the client. The apparatus comprises a communication unit, a decoding table management unit and an identity authentication unit. The communication unit communicates with the client. The decoding table management unit provides a decoding table to the client upon the client's application; the decoding table consists of m rows × n columns of first-kind symbols, the m rows being labelled by m different second-kind symbols and the n columns by n different third-kind symbols. When the identity authentication unit receives an authentication request from the client, it selects from the m second-kind symbols and the n third-kind symbols to compose p query codes and sends them to the client through the communication unit, each query code containing at least one symbol code made up of one second-kind symbol and one third-kind symbol, and each symbol code corresponding, according to the decoding table, to one first-kind symbol. The identity authentication unit then judges whether the q answer codes returned by the client all exist among the p first-kind symbols corresponding to the p query codes, and if so determines that the client has passed authentication, where m, n, p > 2 and q > 1.

Preferably, the first-kind symbols are English letters, and the second-kind and third-kind symbols are Arabic numerals.

The present invention provides the decoding table to the client in advance and, each time the user authenticates, has the server generate multiple query codes for that single use and send them to the client; the client returns the answer codes obtained by converting several query codes selected from among them according to the decoding table, and the server then verifies the returned answer codes. In this way the invention is low-cost and easy to operate, and resolves the network identity security of systems and users.

[Detailed Description]
The above and other technical contents, features and effects of the present invention will become clear in the following detailed description of a preferred embodiment with reference to the accompanying drawings.

Referring to FIG. 1 and FIG. 2, in a preferred embodiment of the identity authentication method of the present invention, the method is applied to a server 500 connected to a client 200 through a communication network (the Internet 300 in this embodiment). The server 500 can authenticate the identity of the client 200 so that, once authenticated, the user can obtain the right to use the network resources of the server 500 or carry out network transactions with the server 500. The server 500 of this embodiment comprises a network system 400 connected to the Internet 300 and an identity authentication apparatus 100 connected behind the network system 400.

The network system 400 of this embodiment may be any device or system that provides resources or services over the Internet 300, such as a service provider, an information provider, a game platform or an online store. The identity authentication apparatus 100 and the network system 400 may be two independent, interconnected devices, or may be integrated into one. The client 200 is usually a personal computer or any other known electronic device that can connect to the Internet, such as a PDA or mobile phone with mobile Internet access.

Of course, the identity authentication apparatus 100 need not be located behind the network system 400 or be integrated with it; it may also be an authentication platform connected to the Internet 300 on its own, in which case the network system 400, by prior agreement with the identity authentication apparatus 100, requests the identity authentication apparatus 100 over the Internet 300 to authenticate the client 200 connected to the network system 400 whenever the client 200 sends the network system 400 an authentication request.

To provide the authentication function, the identity authentication apparatus 100 of this embodiment mainly comprises an application programming interface (API) 11, a decoding table management unit 12 and an identity authentication unit 13.

The API 11 is a software module for communicating with the network system 400 so that authentication information can be exchanged with it; accordingly, the API generates an input/output interface (not shown) on the network system 400 side to serve as the communication interface between the identity authentication apparatus 100 and the network system 400. When a user connects to the network system 400, this input/output interface lets the user enter data or commands for the identity authentication apparatus 100.

In addition to its necessary functions, the network system 400 is further provided with a processing unit 40 and a communication unit 41. The processing unit 40 runs the application provided by the API 11 so as to generate the input/output interface on the network system 400 side. The communication unit 41 is connected to the processing unit 40; it is a network communication interface used mainly to connect to the Internet 300 in order to communicate with the client 200.
Accordingly, the client 200 is of course also provided with a communication unit 21 connected to the Internet 300.

As shown in step S1 of FIG. 2, the decoding table management unit 12 serves mainly to provide a plurality of different and unique decoding tables 30, as shown in FIG. 3, for use by different clients 200, and to manage the usage status of each decoding table 30. To meet the needs of data access and management, each unique decoding table 30 therefore corresponds to a decoding table record as shown in FIG. 4, which contains at least the following fields: the "name" of the decoding table, the unique "serial number" of each decoding table, the size of the decoding table, its usage "status", and the "date" of change.

As shown in step S2 of FIG. 2, when a user asks the network system 400 for identity authentication in order to access it, the network system 400 requests the identity authentication apparatus 100, through the processing unit 40, to provide a decoding table 30 to the client 200 for use in authentication.

As shown in FIG. 3, in this embodiment each decoding table 30 has 100 cells delimited by 10 rows × 10 columns, and each cell is filled with a symbol of the first kind. The first-kind symbols may be upper-case or lower-case English letters, Arabic numerals, or other consecutive but non-repeating symbols. In this embodiment the first-kind symbols are lower-case English letters: 20 distinct letters are chosen from the 26 lower-case letters and each is entered 5 times, so that the 20 letters are filled sequentially and randomly into the 100 cells of the decoding table 30. The horizontal cells (rows) of the table are labelled by 10 different second-kind symbols and the vertical cells (columns) by 10 different third-kind symbols. The second-kind and third-kind symbols may likewise be upper-case or lower-case English letters, Arabic numerals or other consecutive but non-repeating symbols; in this embodiment both are the Arabic numerals 0 to 9, labelled in order on the rows and columns of the decoding table 30. The intersection of a given row and a given column of the decoding table 30 therefore corresponds to the English letter in one particular cell.

A large number of decoding tables 30 may be generated in advance by the decoding table management unit 12; the "status" field in the record of a decoding table 30 that has not yet been applied for is filled with a number indicating the initial state. For ease of use and to prevent the data from leaking, the user of the client 200 must apply for a decoding table in advance, and for convenience this embodiment usually prints the decoding table 30 on a card the size of a credit card, covered with a coating that the user scrapes off only when ready to use the card. When the identity authentication apparatus 100, upon the client's application, provides the decoding table card to the user of the client 200 by post or other means, the decoding table management unit 12 of the identity authentication apparatus 100 updates the status field of the corresponding decoding table record to "1" (indicating that the table has been applied for by a user).

Of course, the decoding table 30 may also be generated on demand by the decoding table management unit 12 upon the application of the client 200.

After receiving the decoding table card, the user must connect to the network system 400 and, through the input/output interface provided by the API 11 of the identity authentication apparatus 100, enter a registration screen (not shown) of the identity authentication apparatus 100 and enter the serial number of the decoding table 30 into the identity authentication apparatus 100, so that the status field in the corresponding decoding table record is changed to "2" (indicating that the table is enabled); only after this enabling registration is completed can the table be used normally. This ensures that if, before the decoding table card is used, the card data is found to have been exposed (for example, the covering coating has already been scraped off), the card can be reported as void and the status field in the corresponding decoding table record changed to "4" (indicating void), so as to safeguard the security of authentication.
Of course, besides printing the decoding table card for the user as described above, the decoding table may also be encrypted with a secure encryption method and transmitted directly to the client 200 through the API 11 and the processing unit 40 and communication unit 41 of the network system 400.
In this embodiment, each query code contains two symbol codes, and each symbol code consists of two digits: one digit is chosen from the digits 0 to 9 that denote the horizontal (row) cells of the decoding table, and the other from the digits 0 to 9 that denote the vertical (column) cells.

For example, the query code 2791 contains the two symbol codes (27) and (91). In the symbol code (27), the "2" refers to row 2 of the decoding table and the "7" to column 7; (91) is read in the same way. Therefore, according to the correspondence of the decoding table of FIG. 5, each query code can be converted into one corresponding answer code consisting of two lower-case English letters; for example, according to that decoding table the query code (27)(91) is converted into the answer code "pc".

Since the security of authentication increases with the number of query codes, the identity authentication unit of this embodiment generates 20 query codes for the client 200, whose contents are for example as shown in FIG. 6, and stores them temporarily in the identity authentication unit 13.

In step S5, the identity authentication unit 13 then transmits the 20 query codes to the client 200 through the API 11 and the communication unit 41 of the network system 400. When the communication unit 21 of the client 200 receives the 20 query codes, it passes them to the processing unit 22, which sends them to the display unit 23 for display.

At the same time, as shown in step S6 and FIG. 7, the processing unit 22 produces an answer code input screen 70 asking the user to select q query codes (q > 2; q = 4 in this embodiment) from the 20 query codes through an input unit 24 of the client 200, for example the four query codes 2791, 7728, 5105 and 8643. After the user has entered the corresponding answer codes in the answer code input screen 70 through the input unit 24 according to the decoding table 30, in step S7 the processing unit 22 returns the 4 answer codes to the network system 400 via the communication unit 21 and the Internet 300, and the network system 400 then passes the 4 answer codes it received to the identity authentication unit 13 of the identity authentication apparatus 100 through the input/output interface and the API 11.

Of course, the above selection of query codes may also be performed by an application preloaded in the processing unit 22 of the client 200. According to a preset number of selections (for example q = 4), this application randomly picks 4 query codes from the 20, automatically looks them up in the pre-stored decoding table 30, converts the 4 query codes into 4 answer codes and returns them to the identity authentication apparatus 100 automatically, eliminating manual operation entirely and making the method easier for users to accept and use.

Since only 4 of the 20 query codes of this embodiment are selected and converted into answer codes, P(20,4) = 116,280 possible sets of answer codes can arise; these possible answer codes act like a "smokescreen" that masks the 4 answer codes actually returned. Thus, even if a hacker intercepts the query codes and answer codes of every authentication session, it is very hard to work backwards from this data to the user's decoding table; at most the hacker can learn the 20 English letters that appear in it.

Furthermore, since the answer codes of this embodiment each consist of two lower-case English letters, the sample space is 26 × 26 = 676 for an ordinary person and 20 × 20 = 400 for a hacker. Hence, assuming that (1) the 20 query codes of this embodiment all decode to different answer codes, (2) the hacker has obtained the 20 English letters in the decoding table, and (3) the 4 answer codes returned by the client are all different, then:

probability that an ordinary person guesses the answer codes = 1/676 × 1/675 × 1/674 × 1/673 = 1/206,978,592,600

probability that a hacker guesses the answer codes = 20/400 × 19/399 × 18/398 × 17/397 ≈ 1/216,870

Since the probability that a hacker guesses the answer codes is extremely low, the present invention clearly offers sufficient security, and the two variables that govern its security, namely the number of query codes and the number of answer codes, can be adjusted flexibly to practical needs.

Next, in step S8, when the identity authentication unit 13 of the identity authentication apparatus 100 receives the 4 answer codes returned by the client 200, it converts the 20 temporarily stored query codes into the corresponding 20 answer codes (20 first-kind symbols) according to the decoding table 30, namely: 0963→(hh), 3257→(of), 7728→(br), 1482→(gj), 0219→(nx), 2791→(pc), 4325→(nf), 2882→(rj), 4513→(jc), 3862→(nf), 1093→(uu), 6475→(di), 7356→(jl), 8643→(cn), 8380→(gl), 6910→(cu), 5105→(sg), 4637→(uh), 9026→(ad), 9458→(vv). It then judges whether the 4 answer codes all exist among these 20 answer codes and, in step S9, returns the authentication result to the client 200 via the network system 400. If all 4 answer codes exist among the 20 answer codes, authentication succeeds and the identity authentication apparatus 100 allows the client 200 to obtain the right to use the network system 400 or to carry out network transactions with it; if not, the client 200 is refused use of the network system 400 and any network-related transactions with it.

Of course, instead of the above, the identity authentication unit 13 may convert the 20 query codes into the corresponding answer codes according to the decoding table 30 and store them temporarily at the moment it sends the 20 query codes to the client; in that case, as soon as the identity authentication unit 13 receives the answer codes returned by the client 200, it can compare them immediately.
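The exchange of steps S1 and S5 to S8 above, as an added Python example that is not code from the patent: DEMO_TABLE is a constructed 10 × 10 table that reproduces the 20 query-code-to-answer-code pairs listed for FIG. 5 (it is not the patent's own FIG. 5), and the function names, the structural check of a table and the probability helpers are this example's own.

```python
"""Decoding-table challenge/response (steps S1, S5-S8). Added example.

DEMO_TABLE is CONSTRUCTED: it reproduces the 20 query-code -> answer-code
pairs the description lists for FIG. 5 but is not the patent's own table.
A symbol code "rc" addresses row r, column c; a query code is two symbol
codes, so "2791" -> "27","91" -> table[2][7] + table[9][1].
"""
from collections import Counter
from fractions import Fraction
from math import perm, prod
import secrets
import string

SIZE = 10        # 10 rows x 10 columns, both labelled 0-9
DISTINCT = 20    # 20 distinct lower-case letters ...
COPIES = 5       # ... each entered 5 times (20 * 5 = 100 cells)
P = 20           # query codes issued per authentication
Q = 4            # query codes the client must answer
_rng = secrets.SystemRandom()   # CSPRNG for tables and query codes

DEMO_TABLE = [                  # constructed, consistent with FIG. 5's pairs
    "xpnrogsibh", "uaecgkxprx", "osibafdpre", "kxoproshni", "baenkjuxpr",
    "ossibalfve", "knfhdngghc", "huujfifbjj", "ldjgddclll", "acvuvvvcek",
]
DEMO_QUERY_CODES = [            # the 20 query codes listed for FIG. 6
    "0963", "3257", "7728", "1482", "0219", "2791", "4325", "2882", "4513",
    "3862", "1093", "6475", "7356", "8643", "8380", "6910", "5105", "4637",
    "9026", "9458",
]


def generate_table():
    """Step S1: 20 distinct letters, 5 copies each, shuffled into 10 rows."""
    letters = _rng.sample(string.ascii_lowercase, DISTINCT)
    cells = [ch for ch in letters for _ in range(COPIES)]
    _rng.shuffle(cells)
    return ["".join(cells[r * SIZE:(r + 1) * SIZE]) for r in range(SIZE)]


def validate_table(table):
    """Structural check before issue: 10x10, 20 lower-case letters x 5 copies."""
    if len(table) != SIZE or any(len(row) != SIZE for row in table):
        return False
    counts = Counter(ch for row in table for ch in row)
    return (len(counts) == DISTINCT and set(counts.values()) == {COPIES}
            and set(counts) <= set(string.ascii_lowercase))


def decode(table, query_code):
    """Turn one 4-digit query code into its 2-letter answer code."""
    if len(query_code) != 4 or not query_code.isdigit():
        raise ValueError("query code must be four digits")
    first, second = query_code[:2], query_code[2:]
    return (table[int(first[0])][int(first[1])]
            + table[int(second[0])][int(second[1])])


def issue_query_codes(p=P):
    """Step S5 (server): p distinct query codes, kept for this session only."""
    codes = set()
    while len(codes) < p:
        codes.add("".join(str(_rng.randrange(SIZE)) for _ in range(4)))
    return sorted(codes)


def client_answer(table, query_codes, q=Q):
    """Steps S6-S7 (preloaded client app): pick q codes and look them up."""
    chosen = _rng.sample(query_codes, q)
    return [decode(table, code) for code in chosen]


def verify(table, issued_codes, answer_codes, q=Q):
    """Step S8 (server): exactly q answers, each decoding from a code of THIS session."""
    if len(answer_codes) != q:
        return False
    expected = {decode(table, code) for code in issued_codes}
    return all(ans in expected for ans in answer_codes)


def answer_combinations(p=P, q=Q):
    """Ordered ways to choose q of the p query codes: P(20,4) = 116,280."""
    return perm(p, q)


def outsider_guess_probability(q=Q, space=26 * 26):
    """Blind guess over 676 two-letter codes: 1/676 * 1/675 * 1/674 * 1/673."""
    return prod(Fraction(1, space - i) for i in range(q))


def insider_guess_probability(q=Q, p=P, space=DISTINCT * DISTINCT):
    """Guesser knows the 20 letters (400 codes): 20/400 * 19/399 * 18/398 * 17/397."""
    return prod(Fraction(p - i, space - i) for i in range(q))
```

Because several cells hold the same letter, two query codes can decode to the same answer code (4325 and 3862 both give "nf" above), so the server-side check is membership, as in step S8, not a check for distinct answers.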
In summary, the identity authentication method of this embodiment uses a decoding table, query codes and answer codes: the decoding table is provided to the client in advance, and each time the user authenticates, the server composes multiple query codes for that single use and sends them to the client for display on its screen; the user (or the processing unit of the client) selects several query codes, converts them according to the decoding table into the corresponding answer codes valid for that session only, and returns them to the server for verification. This achieves authentication that is simple, low-cost, easy to operate and sufficiently secure.

The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the scope of the invention; all simple equivalent changes and modifications made in accordance with the claims and the description of the invention remain within the scope covered by the patent of the present invention.

[Brief Description of the Drawings]
FIG. 1 is a circuit block diagram of a preferred embodiment of the identity authentication apparatus of the present invention;
FIG. 2 is a flowchart of a preferred embodiment of the identity authentication method of the present invention;
FIG. 3 is a schematic diagram of the decoding table of this embodiment;
FIG. 4 is a schematic diagram of the contents of the decoding table record of this embodiment;
FIG. 5 illustrates how this embodiment converts query codes into answer codes according to the decoding table;
FIG. 6 shows the multiple query codes composed by the server of this embodiment; and
FIG. 7 is a schematic diagram of the answer code input screen produced by the client of this embodiment.

[Description of Reference Numerals]
11 application programming interface
12 decoding table management unit
13 identity authentication unit
21 communication unit
22, 40 processing unit
23 display unit
24 input unit
30 decoding table
41 communication unit
70 answer code input screen
100 identity authentication apparatus
200 client
300 Internet
400 network system
500 server
S1 to S9 process steps