TW201328280A - Instant communication identity authentication system and method - Google Patents
- Publication number
- TW201328280A (application number TW100149408A)
- Authority
- TW
- Taiwan
- Prior art keywords
- instant messaging
- server
- verification
- identity
- software
Landscapes
- Information Transfer Between Computers (AREA)
Description
The present invention relates to a system and method for authenticating identity, and more particularly to a system and method for authenticating identity over instant messaging, without needing to identify the other party through video, voice or any other side channel.
The immediacy and convenience of instant messaging have made it widely popular. It has become an essential communication tool, to some extent replacing e-mail and the telephone and changing the patterns of interpersonal interaction. When we communicate over instant messaging we generally assume by default that the other party is who we believe them to be. In practice, however, most instant messaging authentication schemes are account-and-password based, with an e-mail address serving as the initial authentication mechanism; since even free mailboxes are usually accepted, the level of trust is low, and an ill-intentioned person can deliberately impersonate someone by registering a similar-looking name, which creates a security weakness.
Moreover, so that messages from others can be received at any time, an instant messaging client typically stays logged in even when it has not been used for a long time. This raises physical security concerns: even with a valid account and password, someone else can take advantage of an unattended session to hijack the instant messaging account.
In summary, although instant messaging grew out of interpersonal communication, it actually lacks any guarantee of a real link to a "person". For example, instant messaging is now routinely used for work discussions and meetings, yet there is no way to confirm the other party's identity directly through instant messaging; only with people one already knows can identity be confirmed through additional means such as a phone call or video.
It is not only ordinary interpersonal communication that needs identity confirmation and content attestation; online bot (robot) services need such mechanisms even more, to establish whom they are serving and what transaction content was agreed. Without identity confirmation and content attestation, instant messaging is severely limited in business, finance and other applications that carry critical content.
In the online world, information security experts widely regard public key infrastructure (PKI) as the most secure and practical technology available in network services today for confirming personal identity and ensuring non-repudiation. Under PKI the certificate is the proof of identity, but to date there has been no practical system or method for instant messaging that uses a hardware key carrier to identify the user.
After intensive research, the inventor has successfully developed the present system and method for identity authentication over instant messaging combined with public key infrastructure (PKI) technology.
The object of the present invention is to provide a system and method for authenticating the identity of instant messaging users, so that any instant messaging user, including an instant messaging bot, can use it to perform one-way, two-way or even multi-party mutual authentication, making communication over instant messaging more secure and verifiable.
The system that achieves the above object, performing identity authentication over instant messaging, is based on digital signature and verification technology. It comprises two or more identity verification modules, at least one of which runs at an instant messaging client end and another at an instant messaging server end, together with a verification server connected to the instant messaging server end through a secure channel.
The identity verification module is a software component used alongside the instant messaging software. It can read the user's certificate and operate the user's key carrier, produce a digital signature and send it through the instant messaging software. The identity verification module can also connect to the verification server to submit a verification request; the verification server accepts verification requests from identity verification modules, performs digital signature verification and certificate validation, and returns the result.
The invention further discloses a method for identity authentication over instant messaging that allows the instant messaging server end to authenticate the identity of the instant messaging client end through the verification server during a session. If the client end can also reach a verification server, the two ends simply exchange roles to complete two-way (mutual) authentication, and the same reasoning extends to mutual authentication among many instant messaging users.
The preferred embodiments of the present invention are described in detail below with reference to the drawings.
Figure 1 is a schematic diagram of a system for authenticating the identity of instant messaging users according to the invention. As shown in Figure 1, the two ends of the instant messaging software 12 are the client end and the server end, connected through the instant messaging network 11; both the client end and the server end contain an identity verification module 200. The instant messaging server end is additionally connected to the verification server 100. The user at the instant messaging client end has a key carrier 21 (such as an IC card) containing a private key, and a public certificate 22 containing the public key paired with that private key together with user information. The certificate is issued by a certificate authority (CA); this CA must be trusted by the instant messaging server end, so that the certificate can be used to authenticate the identity of the client end.
In Figure 1 the instant messaging software 12 is divided into a client end and a server end, but the two are essentially the same; they merely play different roles in this example. The instant messaging software 12 communicates with other instances of instant messaging software 12 over the instant messaging network 11 and can interface with the identity verification module 200. Such instant messaging software includes Microsoft Windows Live Messenger, Yahoo Messenger, Google Talk and the like. The invention is not limited to the software listed above; any software having the same functions is within its scope.
At the client end, the identity verification module 200 operates the key carrier 21 to perform private key operations such as signing or decryption, and can also read the certificate 22; on a typical IC card the certificate is stored on the card as well. At the server end, the identity verification module 200 connects to the verification server to verify signatures and certificates. Because a given instance of the instant messaging software is not fixed in the client or server role, every identity verification module 200 is able to perform all of the above actions.
The key carrier 21 is dedicated hardware containing a cryptographic private key that cannot be learned by the outside world; private key operations can only be performed by the carrier itself, which ensures the confidentiality and security of the key. Common key carriers include IC cards (smart cards), hardware security modules (HSM) and Trusted Platform Modules (TPM).
The certificate 22, also called a digital certificate, is digital data signed by a certificate authority (CA) that records and attests the binding between a public key and user information.
The verification server 100 performs cryptographic operations to confirm the validity of digital signatures and to validate the certificate 22. The verification server 100 may reside on the same physical machine as the instant messaging server end 12, or within the same secure local network, so that communication between the two cannot be observed or attacked from outside; if they are connected over the Internet, the connection to the identity verification module 200 can be established with SSL or another security technology.
The instant messaging identity authentication method is illustrated in Figure 2, a schematic flow chart of identity authentication over instant messaging. In it, the instant messaging client end 12 and the instant messaging server end 12 are already connected through the instant messaging network 11, the client end has its key carrier attached and its certificate ready, and the server end is connected to the verification server.
Step 01: The instant messaging client end issues an initial communication request, which is sent to the instant messaging server end over the instant messaging network.
Step 02: The instant messaging server end sends an arbitrary random number (nonce) or other data to the instant messaging client end and asks the client end to sign it. This step prevents replay attacks: because the random number or data is unpredictable, a malicious attacker cannot know in advance what data will later have to be signed.
Step 03: The instant messaging client end, through its identity verification module, operates the key carrier to sign the random data requested by the server end together with any other authentication data, and reads the certificate data.
Step 04: The instant messaging client end returns the digital signature together with the certificate to the instant messaging server end over the instant messaging network.
Step 05: The instant messaging server end forwards the digital signature and certificate to the verification server for verification; if the instant messaging server end and the verification server are the same machine, it verifies the correctness and validity of the signature and certificate directly.
Step 06: The verification server returns the result of the signature and certificate verification to the instant messaging server end, which confirms the identity of the instant messaging client end according to that result.
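The six steps above, worked through in Go as an added example; this is not code from the patent or from any product built on it. The CA, the user name alice@example.test, the in-process KeyCarrier and the names Enrol and Handshake are assumptions made for the example: the carrier stands in for item 21 (an IC card, HSM or TPM) by never exposing the private key, the Verifier stands in for the verification server (item 100) with the CA pool the server end trusts, and Ed25519 is used as the signature scheme. Only the nonce of step 02 is signed; the "other authentication data" of step 03 would be appended to the signed message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// KeyCarrier stands in for item 21 (IC card, HSM, TPM): the private key stays
// inside and the only operation offered to the outside is Sign.
type KeyCarrier struct{ priv ed25519.PrivateKey }

func (k *KeyCarrier) Sign(msg []byte) []byte { return ed25519.Sign(k.priv, msg) }

// Verifier stands in for the verification server (item 100): it holds the CAs the
// server end trusts and checks the certificate chain and the signature (step 05).
type Verifier struct{ roots *x509.CertPool }

func (v *Verifier) Verify(certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	// Chain to a trusted CA, validity period and client-auth usage are all checked here.
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", fmt.Errorf("signature does not match the challenge")
	}
	return cert.Subject.CommonName, nil // identity comes from the certificate, not the IM account name
}

// ServerEnd is the IM peer in the server role (item 12). Each nonce it issues is
// recorded and consumed on first use, which is what makes step 02 replay-proof.
type ServerEnd struct {
	verifier *Verifier
	pending  map[string]bool
}

// Challenge is step 02: a fresh 256-bit random nonce the client end must sign.
func (s *ServerEnd) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to continue rather than issue a guessable nonce
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce
}

// Authenticate is steps 05-06 at the server end: accept only a nonce it issued and
// has not yet consumed, then let the verifier decide and take the identity from it.
func (s *ServerEnd) Authenticate(nonce, certDER, sig []byte) (string, error) {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return "", fmt.Errorf("unknown or replayed nonce")
	}
	delete(s.pending, key)
	return s.verifier.Verify(certDER, nonce, sig)
}

// Enrol (hypothetical setup, not part of the patent) creates a throwaway CA, issues a
// client-auth certificate (item 22) for user, loads the matching private key into a
// KeyCarrier, and returns a server end that trusts only that CA.
func Enrol(user string) (*ServerEnd, *KeyCarrier, []byte, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil { return nil, nil, nil, err }
	caCert, _ := x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER, err := x509.CreateCertificate(rand.Reader, userTmpl, caCert, userPub, caKey)
	if err != nil { return nil, nil, nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &ServerEnd{verifier: &Verifier{roots: roots}, pending: map[string]bool{}}, &KeyCarrier{priv: userKey}, userDER, nil
}

// Handshake runs steps 01-06 once between a client end and a server end.
func Handshake(s *ServerEnd, c *KeyCarrier, certDER []byte) (string, error) {
	nonce := s.Challenge()                     // step 02, carried over the IM network
	sig := c.Sign(nonce)                       // step 03: the key never leaves the carrier
	return s.Authenticate(nonce, certDER, sig) // steps 04-06: signature and certificate go back
}

func main() {
	s, c, cert, err := Enrol("alice@example.test")
	if err != nil { panic(err) }
	fmt.Println(Handshake(s, c, cert))
}
```

Three checks carry the security of the exchange: the nonce must be one this server end issued and not yet consumed (replay), the certificate must chain to a CA in the server end's pool and be valid for client authentication (impersonation with a self-issued certificate), and the signature must verify under the public key in that certificate (possession of the key carrier). Signing the nonce alone proves key possession; including the server end's identity in the signed data, which the "other authentication data" of step 03 allows, is what stops one peer from forwarding a challenge it received from a third party.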
11 ... Instant messaging network
12 ... Instant messaging software (roles: client end and server end)
21 ... Key carrier
22 ... Certificate
100 ... Verification server
200 ... Identity verification module
01~06 ... Identity authentication steps
Figure 1 is a schematic diagram of instant messaging identity authentication according to the invention.
Figure 2 is a flow chart of instant messaging identity authentication according to the invention.
Claims (4)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW100149408A TW201328280A (en) | 2011-12-29 | 2011-12-29 | Instant communication identity authentication system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW100149408A TW201328280A (en) | 2011-12-29 | 2011-12-29 | Instant communication identity authentication system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
TW201328280A (en) | 2013-07-01 |
Family
ID=49225357
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW100149408A TW201328280A (en) | 2011-12-29 | 2011-12-29 | Instant communication identity authentication system and method |
Country Status (1)
Country | Link |
---|---|
TW (1) | TW201328280A (en) |
- 2011-12-29 TW TW100149408A patent/TW201328280A/en unknown
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI623895B (en) * | 2017-03-13 | 2018-05-11 | 臺灣網路認證股份有限公司 | System for entrusting transaction through instant messaging and method thereof |
TWI724683B (en) * | 2019-03-29 | 2021-04-11 | 開曼群島商創新先進技術有限公司 | Computer-implemented method for managing user key pairs, system for managing user key pairs, and apparatus for managing user key pairs |
US11023620B2 (en) | 2019-03-29 | 2021-06-01 | Advanced New Technologies Co., Ltd. | Cryptography chip with identity verification |
US11063749B2 (en) | 2019-03-29 | 2021-07-13 | Advanced New Technologies Co., Ltd. | Cryptographic key management based on identity information |
US11088831B2 (en) | 2019-03-29 | 2021-08-10 | Advanced New Technologies Co., Ltd. | Cryptographic key management based on identity information |
US11251941B2 (en) | 2019-03-29 | 2022-02-15 | Advanced New Technologies Co., Ltd. | Managing cryptographic keys based on identity information |
US11251950B2 (en) | 2019-03-29 | 2022-02-15 | Advanced New Technologies Co., Ltd. | Securely performing cryptographic operations |
US11258591B2 (en) | 2019-03-29 | 2022-02-22 | Advanced New Technologies Co., Ltd. | Cryptographic key management based on identity information |
CN114553439A (en) * | 2019-03-29 | 2022-05-27 | 创新先进技术有限公司 | Encryption key management based on identity information |
CN114553439B (en) * | 2019-03-29 | 2023-06-30 | 创新先进技术有限公司 | Encryption key management based on identity information |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10735407B2 (en) | System and method for temporary password management | |
CN106664208B (en) | System and method for establishing trust using secure transport protocol | |
US10075437B1 (en) | Secure authentication of a user of a device during a session with a connected server | |
US10136315B2 (en) | Password-less authentication system, method and device | |
US8438385B2 (en) | Method and apparatus for identity verification | |
EP2834730B1 (en) | Secure authentication in a multi-party system | |
US8112787B2 (en) | System and method for securing a credential via user and server verification | |
EP3208732A1 (en) | Method and system for authentication | |
US10298561B2 (en) | Providing a single session experience across multiple applications | |
US10771451B2 (en) | Mobile authentication and registration for digital certificates | |
US8769289B1 (en) | Authentication of a user accessing a protected resource using multi-channel protocol | |
US20100042848A1 (en) | Personalized I/O Device as Trusted Data Source | |
WO2019226115A1 (en) | Method and apparatus for user authentication | |
EP2514135B1 (en) | Systems and methods for authenticating a server by combining image recognition with codes | |
WO2010128451A2 (en) | Methods of robust multi-factor authentication and authorization and systems thereof | |
TW201328280A (en) | Instant communication identity authentication system and method | |
CN110866754A (en) | Pure software DPVA (distributed data authentication and privacy infrastructure) identity authentication method based on dynamic password | |
JP5186648B2 (en) | System and method for facilitating secure online transactions | |
CN117336092A (en) | Client login method and device, electronic equipment and storage medium | |
CN116112242B (en) | Unified safety authentication method and system for power regulation and control system | |
KR20030042789A (en) | A trust model for an authentication of a roaming user | |
Xu et al. | Qrtoken: Unifying authentication framework to protect user online identity | |
US20230169160A1 (en) | Method and system for user authentication | |
Reddy et al. | A comparative analysis of various multifactor authentication mechanisms | |
Mumtaz et al. | Strong authentication protocol based on Java Crypto chips |