TW201419820A - Network security authentication method using proximity to verify identity - Google Patents

Network security authentication method using proximity to verify identity Download PDF

Info

Publication number
TW201419820A
TW201419820A TW101140766A TW101140766A TW201419820A TW 201419820 A TW201419820 A TW 201419820A TW 101140766 A TW101140766 A TW 101140766A TW 101140766 A TW101140766 A TW 101140766A TW 201419820 A TW201419820 A TW 201419820A
Authority
TW
Taiwan
Prior art keywords
portable device
personal portable
user terminal
terminal
verification
Prior art date
Application number
TW101140766A
Other languages
Chinese (zh)
Other versions
TWI531202B (en
Inventor
Per Skygebjerg
Original Assignee
Keypasco Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Keypasco Ab filed Critical Keypasco Ab
Priority to TW101140766A priority Critical patent/TWI531202B/en
Publication of TW201419820A publication Critical patent/TW201419820A/en
Application granted granted Critical
Publication of TWI531202B publication Critical patent/TWI531202B/en

Links

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

A network security authentication method using proximity to verify identity is applied to an authentication server and cooperatively operated with a user terminal, a personal portable device and a content provider server. The method is provided to compare the hardware scan data of the user terminal and the personal portable device with a pre-built database to determine whether the data is existed in the pre-built database, wherein both the user terminal and the personal portable device must meet the relationship of similar location operation. If not in line with the relationship of similar location operation, the authentication server determines the inspection as an abnormal operating state, and the inspection result is sent back to the content provider server or the user terminal. The present invention can reduce processing costs, and prevent a remote hacker from using fraudulent identity to carry out attacks or illegal operations. Preferably, the judgment rule of the relationship of similar location operation is such that: the user terminal and the personal portable device have the same GPS positioning location, or the user terminal and the personal portable device share the same network address, or the user terminal and the personal portable device share an identical location on a mobile communication network.

Description

藉由使用者位置檢驗身份的網路安全驗證方法 Network security verification method for verifying identity by user location

本發明是有關於一種網路身份驗證方法,特別是指一種藉由使用者位置檢驗身份的網路安全驗證方法。 The present invention relates to a network authentication method, and more particularly to a network security verification method for verifying an identity by a user location.

隨著時代進步,互聯網的普及,網路頻寬加大加上無線技術無所不在,智慧型手機、平板電腦等個人隨身設備的普及,加上雲端服務的快速發展,讓每人的生活,24小時都離不開這些現代科技。另外,信用卡在網際網路或銷售端點(Point of Sale;簡稱POS)系統被盜刷、在自動提款機(ATM)被盜領的問題層出不窮,也都是身份驗證不夠安全的結果。 With the advancement of the times, the popularity of the Internet, the increase in network bandwidth and the ubiquity of wireless technology, the popularity of personal portable devices such as smart phones and tablets, coupled with the rapid development of cloud services, allows everyone to live 24 hours. These modern technologies are inseparable. In addition, the problem of the credit card being stolen by the Internet or the Point of Sale (POS) system and the stolen Internet at the ATM is also the result of insufficient security.

但這些隨時隨地都有的現代科技,除了各種好處外,亦有其負面的影響:如果沒有安全的身份驗證,各種有價值的網上服務都很難經由網路來提供,不然要冒很大的風險及損失,例如:個人隱私、機密資料、銀行存款,或是信用卡都隨時會被盜取濫用。 But these modern technologies, wherever they are, have all the negative effects: if there is no secure authentication, all kinds of valuable online services are difficult to provide via the Internet, otherwise it will take a lot of Risks and losses, such as personal privacy, confidential information, bank deposits, or credit cards, can be stolen at any time.

幾十年來的網上驗證產品並不適合現在網際各種日新月異的產品及服務,不是安全不夠就是成本太高,使用不方便而無法全面推廣。新的思維,新的技術及產品才能符合今天及未來的需求。 The online verification products for decades have not been suitable for the ever-changing products and services of the Internet. It is not safe enough or the cost is too high, and it is not convenient to use and can not be fully promoted. New thinking, new technologies and products can meet today's and tomorrow's needs.

一般使用者進行網路內交易的對象,例如:網路內容提供者(Internet Content Provider;簡稱ICP),為了核實使用者身份的現有交易驗證技術,其缺失包括:必需發行實體的身份驗證硬體給使用者,但是也必須考慮實體的身份驗 證硬體的物料及管理成本,以及處理相關業務的人力成本;另外,以代碼及密碼之資料確認使用者身份,仍無法解決遠端的網路駭客日新月異的攻擊。 The general user conducts intra-network transactions, such as: Internet Content Provider (ICP), the existing transaction verification technology for verifying the identity of the user, the missing includes: the authentication hardware of the required distribution entity To the user, but must also consider the identity of the entity The material and management costs of the hardware and the labor costs of the related business; in addition, the identity of the user is confirmed by the code and password information, and the remote Internet hacker's ever-changing attack cannot be solved.

因此,本發明是在提供一種解決前述缺失的藉由使用者位置檢驗身份的網路安全驗證方法。 Accordingly, the present invention is directed to a network security verification method for verifying identity by a user location that addresses the aforementioned deficiencies.

本發明的網路安全驗證方法是應用於一驗證伺服器,並配合一使用終端、一個人可攜裝置及一內容提供者伺服器,該方法包括下述步驟:(a)該內容提供者伺服器要求該驗證伺服器對於該使用者查驗身份;(b)該驗證伺服器取得該使用終端及該個人可攜裝置之硬體掃描資料,且對於該使用終端及該個人可攜裝置進行定位;及(c)該驗證伺服器將該使用終端及該個人可攜裝置之硬體掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定該使用終端及該個人可攜裝置是否為使用者所擁有,且該使用終端及該個人可攜裝置二者需符合相近地理位置操作之關聯,若是不符合相近地理位置操作之關聯,則判斷為異常操作狀態,並將查驗結果回傳給該內容提供者伺服器或該使用終端。 The network security verification method of the present invention is applied to a verification server, and cooperates with a user terminal, a person portable device and a content provider server. The method comprises the following steps: (a) the content provider server Requiring the verification server to check the identity of the user; (b) the verification server obtains the hardware scan data of the user terminal and the personal portable device, and locates the user terminal and the personal portable device; (c) the verification server compares the hardware scan data of the user terminal and the personal portable device with a pre-built database, and determines whether there is a pre-built database to determine the user terminal and the individual. Whether the portable device is owned by the user, and the user terminal and the personal portable device need to be associated with the operation of the similar geographical location, and if the association is not in accordance with the operation of the geographical proximity, the abnormal operation state is determined, and The result of the check is passed back to the content provider server or the terminal.

本發明的網路安全驗證方法的第一實施例中,步驟(b)包括下述子步驟:由該驗證伺服器或由該內容提供者伺服器通知該使用終端執行一第一驗證程序,該第一驗證程序是對於該使用終端的複數硬體元件掃描得到的該等硬體元件之硬體元件識別碼組合的一掃描資料,及對該使用終端的定位 以得到一代表該使用終端當時所在位置的定位資料,該使用終端並傳送該第一掃描資料及該第一定位資料予該驗證伺服器,及該驗證伺服器或該內容提供者伺服器或使用者驅動該個人可攜裝置內預置軟體執行一第二驗證程序,該第二驗證程序是對於該個人可攜裝置的複數硬體元件掃描以得到一具有複數硬體元件之硬體元件識別碼組合的第二掃描資料,以及對該個人可攜裝置定位以得到一代表該個人可攜裝置當時所在位置的一第二定位資料,該個人可攜裝置並傳送該第二掃描資料及該第二定位資料予該驗證伺服器;及步驟(c)是該驗證伺服器將該使用終端及該個人可攜裝置的該第一掃描資料及該第二掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定該使用終端及該個人可攜裝置是否為該使用者所擁有,以及依據該第一定位資料及該第二定位資料判斷是否具有相近地理位置操作之關聯,若是不符合,則判斷為異常操作狀態,且該驗證伺服器將查驗結果回傳給該內容提供者伺服器或該使用終端。 In a first embodiment of the network security verification method of the present invention, the step (b) includes the substep of: notifying the user terminal to perform a first verification procedure by the verification server or by the content provider server, The first verification program is a scan data of the hardware component identification code combination of the hardware components scanned by the plurality of hardware components of the terminal, and the positioning of the terminal Obtaining a positioning data representing a location of the terminal at the time of use, the user terminal transmitting the first scan data and the first location data to the verification server, and the verification server or the content provider server or using Driving the preset software in the personal portable device to perform a second verification process, the second verification program is to scan a plurality of hardware components of the personal portable device to obtain a hardware component identification code having a plurality of hardware components Combining the second scan data and positioning the personal portable device to obtain a second location data representing a location of the personal portable device at the time, the personal portable device transmitting the second scan data and the second Locating the data to the verification server; and the step (c) is: the verification server compares the first scan data and the second scan data of the user terminal and the personal portable device with a pre-built database Determining whether there is a pre-built database to determine whether the user terminal and the personal portable device are owned by the user, and according to the first location The second materials is determined whether location data associated with the operation of similar location, if not, it is determined that an abnormal operating state, and the authentication server will check the results back to the server or the content provider using the terminal.

較佳的,第一實施例的相近地理位置操作之關聯的判斷規則是:該使用終端及該個人可攜裝置具有相同之GPS定位位置,或是該使用終端及該個人可攜裝置共用同一網路位址,或是該使用終端及該個人可攜裝置共用同一行動通訊網路上的位置。 Preferably, the determining rule of the associated geographical location operation of the first embodiment is that the user terminal and the personal portable device have the same GPS positioning location, or the user terminal and the personal portable device share the same network. The location of the road, or the location of the terminal and the personal portable device sharing the same mobile communication network.

本發明的網路安全驗證方法的第二實施例中,步驟(b)包括下述子步驟:由該驗證伺服器或該內容提供者伺服器通知該使用終端執行一第一驗證程序,該第一驗證程序是對於 該使用終端的複數硬體元件掃描得到的該等硬體元件之硬體元件識別碼組合的一掃描資料,及對該使用終端進行定位以得到一代表該使用終端當時所在位置的定位資料,該驗證伺服器或該內容提供者伺服器或使用者驅動該使用終端內預置軟體執行一第二驗證程序,該第二驗證程序是該使用終端判斷該個人可攜裝置是否在該使用終端的附近位置,若是,該使用終端與該個人可攜裝置建立連接,且對於該個人可攜裝置的硬體元件掃描以得到一具有一硬體元件識別碼的第二掃描資料,該使用終端並傳送該第二掃描資料予該驗證伺服器;及步驟(c)是該驗證伺服器將該使用終端及該個人可攜裝置的該第一掃描資料、該定位資料及該第二掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定該使用終端及該個人可攜裝置是否為該使用者所擁有,並依據該定位資料判斷是否符合相近地理位置操作之關聯。 In a second embodiment of the network security verification method of the present invention, the step (b) includes the substep of: notifying the user terminal to perform a first verification procedure by the verification server or the content provider server, the A verification procedure is for And scanning, by the plurality of hardware components of the terminal, a scan data of the hardware component identification code combination of the hardware components, and positioning the use terminal to obtain a positioning data representing a location of the use terminal at the time, The verification server or the content provider server or the user drives the preset software in the terminal to execute a second verification program, where the second verification program is that the user terminal determines whether the personal portable device is in the vicinity of the user terminal. Position, if yes, the user terminal establishes a connection with the personal portable device, and scans a hardware component of the personal portable device to obtain a second scan data having a hardware component identification code, and the use terminal transmits the The second scan data is sent to the verification server; and the step (c) is that the verification server associates the first scan data, the positioning data and the second scan data of the user terminal and the personal portable device with the pre-built The database is compared to determine whether there is a pre-built database to determine whether the user terminal and the personal portable device are the user Owned, and based on the positioning data to determine whether the association is similar to the operation of the location.

較佳的,第二實施例的相近地理位置操作之關聯的判斷規則是:該使用終端及該個人可攜裝置經由近場通訊方式彼此連接,或是該使用終端及該個人可攜裝置共用同一短距離無線網路。該使用終端藉由一第一通訊管道與該內容提供者連線,及該使用終端藉由一不同於該第一通訊管道的第二通訊管道與該驗證伺服器連線。 Preferably, the determining rule of the associated geographical location operation of the second embodiment is that the user terminal and the personal portable device are connected to each other via near field communication, or the user terminal and the personal portable device share the same Short-range wireless network. The user terminal is connected to the content provider by a first communication pipe, and the user terminal is connected to the verification server by a second communication pipe different from the first communication pipe.

本發明的網路安全驗證方法的第三實施例中,是應用於一驗證伺服器,並配合一使用終端、一個人可攜裝置及一內容提供者伺服器,該使用終端是一自動提款機或一銷售端 點,該內容提供者伺服器是提供一使用者一信用卡或一銀行卡的發卡者;該方法包括下述步驟:(a)該內容提供者伺服器要求該驗證伺服器提供該使用者之個人可攜裝置之地理位置;(b)該驗證伺服器取得該個人可攜裝置之硬體掃描資料且對於該個人可攜裝置進行定位;(c)該驗證伺服器將該個人可攜裝置之硬體掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定該個人可攜裝置是否為使用者所擁有,若是,便將此地理位置交予該內容提供者伺服器;及(d)該內容提供者伺服器比較該使用終端及該個人可攜裝置二者需符合相近地理位置操作之關聯,若是不符合相近地理位置操作之關聯,則判斷為異常操作狀態,並將查驗結果回傳給該使用終端。 The third embodiment of the network security verification method of the present invention is applied to a verification server, and cooperates with a use terminal, a person portable device and a content provider server, and the use terminal is an automatic cash machine. Or a sales end Point, the content provider server is a card issuer providing a user-a credit card or a bank card; the method includes the following steps: (a) the content provider server requires the verification server to provide the user's individual The location of the portable device; (b) the authentication server obtains the hard scan data of the personal portable device and locates the personal portable device; (c) the authentication server hardens the personal portable device Comparing the volume scan data with the pre-built database to determine whether there is a pre-built database to determine whether the personal portable device is owned by the user, and if so, handing the location to the content provider And the (d) the content provider server compares the use terminal and the personal portable device with the association of the similar geographical operations, and if the association does not meet the similar geographical operation, the abnormal operation state is determined. And return the inspection result to the user terminal.

較佳的,第三實施例的相近地理位置操作之關聯的判斷規則是:該使用終端及該個人可攜裝置經由近場通訊方式彼此連接,或是該使用終端及該個人可攜裝置共用同一短距離無線網路。 Preferably, the determining rule of the associated geographical location operation of the third embodiment is that the user terminal and the personal portable device are connected to each other via near field communication, or the user terminal and the personal portable device share the same Short-range wireless network.

本發明的網路安全驗證方法之功效在於: The effect of the network security verification method of the present invention is:

1.加強交易安全:本發明採用雙重驗證技術,也就是同時驗證使用者的兩種實體裝置,配合驗證伺服器判斷使用終端及個人可攜裝置是否符合相近地理位置操作之關聯確認使用者身份,可避免遠端的網路駭客盜用身份資料的問題。 1. Strengthening transaction security: The present invention adopts a dual verification technology, that is, simultaneously verifying two types of physical devices of the user, and cooperating with the verification server to determine whether the use terminal and the personal portable device comply with the association of similar geographical operations to confirm the identity of the user. It can avoid the problem of remote hackers stealing identity data.

2.節省成本:使用者可用既有的行動裝置當作雙重驗證所所需的個人可攜裝置,因此,網路內容提供者不需發行實體的身份驗證硬體給使用者,可節省實體的身份驗證硬體 的物料及管理成本,以及處理相關業務的人力成本。 2. Cost saving: the user can use the existing mobile device as the personal portable device required for double verification. Therefore, the network content provider does not need to issue the entity's identity verification hardware to the user, which can save the entity. Authentication hardware Material and management costs, as well as labor costs for processing related businesses.

有關本發明之前述及其他技術內容、特點與功效,在以下配合參考圖式之數個較佳實施例的詳細說明中,將可清楚的呈現。在本發明被詳細描述之前,要注意的是,在以下的說明內容中,類似的元件是以相同的編號來表示。 The above and other technical features, features, and advantages of the present invention will be apparent from the following detailed description of the preferred embodiments. Before the present invention is described in detail, it is noted that in the following description, similar elements are denoted by the same reference numerals.

參閱圖1,本發明的網路安全驗證方法是應用於一(Identity Provider;簡稱IDP)的驗證伺服器1,並配合一使用者5的使用終端11、一使用者在登入內容提供者時使用的個人可攜裝置12,及一內容提供者(ICP)伺服器3,且驗證伺服器1、使用終端11及內容提供者伺服器3藉由一通訊網路500彼此連接;此外,使用終端11與內容提供者3藉由一第一通訊管道連線,及使用終端11與驗證伺服器1藉由一不同於第一通訊管道的第二通訊管道連線,藉由第二通訊管道與第一通訊管道區隔以提高安全等級,因一般網路認證(包括身份認證及數位簽章)只用第一通訊管道,駭客亦知道如何去攻擊,本發明加上第二通訊管道,則駭客很難同時攻擊該第二通訊管道。 Referring to FIG. 1, the network security verification method of the present invention is applied to an authentication server 1 of an Identity Provider (IDP), and cooperates with a user terminal 11 of a user 5, and a user uses the content provider when logging in to the content provider. Personal portable device 12, and a content provider (ICP) server 3, and the authentication server 1, the use terminal 11 and the content provider server 3 are connected to each other by a communication network 500; The content provider 3 is connected by a first communication pipe, and the terminal 11 and the verification server 1 are connected by a second communication pipe different from the first communication pipe, and the first communication channel is communicated with the first communication pipe. The pipeline is separated to improve the security level. Because the general network authentication (including identity authentication and digital signature) only uses the first communication pipeline, the hacker also knows how to attack. The invention is combined with the second communication pipeline, and the hacker is very It is difficult to attack the second communication pipe at the same time.

需注意的是,本實施例的“相近地理位置”在此為“相當接近”的地理位置,且由驗證伺服器1按不同情況可做不同判斷,此後皆為此意義,不再重複說明。 It should be noted that the “close geographical location” in this embodiment is a “closely” geographical location, and the verification server 1 can make different judgments according to different situations, and thereafter, the meaning is not repeated.

本發明方法的原理是:首先,使用者5利用使用終端11的一瀏覽器觀看內容提供者伺服器3提供的網站資料,並輸入資料,也就是使用個人代號及密碼登入內容提供者伺 服器3。本實施例中,內容提供者伺服器3於判斷使用者5的個人代號及密碼正確後,再要求驗證伺服器1對該使用者5經由第二管道進行身份驗證。 The principle of the method of the present invention is: First, the user 5 views the website information provided by the content provider server 3 by using a browser using the terminal 11, and inputs the data, that is, uses the personal code and password to log in to the content provider. Server 3. In this embodiment, after determining that the personal code and password of the user 5 are correct, the content provider server 3 requests the authentication server 1 to perform identity verification on the user 5 via the second pipe.

接著,驗證伺服器1取得使用終端11及個人可攜裝置12之硬體掃描資料,硬體掃描資料是包括使用終端11及個人可攜裝置12的硬體元件(如:主機板、中央處理單元或傳輸介面等)的唯一識別碼,且對於使用終端11及個人可攜裝置12進行定位。 Then, the verification server 1 obtains the hardware scan data of the user terminal 11 and the personal portable device 12, and the hardware scan data includes the hardware components of the terminal 11 and the personal portable device 12 (eg, the motherboard, the central processing unit). Or a unique identification code of the transmission interface or the like, and the positioning is performed for the use terminal 11 and the personal portable device 12.

然後,驗證伺服器1將使用終端11及個人可攜裝置12之硬體掃描資料與預先建置的資料庫(圖未示)進行比對,判斷是否存在預先建置的資料庫以確定該使用終端及該個人可攜裝置是否為該使用者所擁有,且使用終端11及個人可攜裝置12二者需符合相近地理位置操作之關聯,若是使用終端11及個人可攜裝置12二者不符合相近地理位置操作之關聯,則判斷為異常操作狀態,且將查驗結果回傳給內容提供者伺服器3或使用終端11。 Then, the verification server 1 compares the hardware scan data of the terminal 11 and the personal portable device 12 with a pre-built database (not shown) to determine whether there is a pre-built database to determine the use. Whether the terminal and the personal portable device are owned by the user, and the use terminal 11 and the personal portable device 12 are required to be in association with similar geographical operations, and if the use terminal 11 and the personal portable device 12 do not meet the requirements, The association of the similar geographical operations is judged to be an abnormal operation state, and the inspection result is transmitted back to the content provider server 3 or the use terminal 11.

需事先說明的是,如圖1所定義個人可攜裝置12的定義是屬於任一種主動裝置(Active Device),其中,主動裝置可以是(但不限於):筆記型電腦、智慧型手機或平板電腦,泛指一種可以裝設軟體程式,並且可以自行傳遞資料給驗證伺服器1的個人可攜裝置12。如圖2所定義個人可攜裝置12的定義是屬於任一種被動裝置(Passive Device)或任一種主動裝置,其中,被動裝置可以是(但不限於):傳統手機、銀行卡、信用卡或SIM卡,意指:一種無法裝設任何 軟體程式、無法自行傳遞資料給驗證伺服器1,但可以連接及傳遞資料使用終端11的個人可攜裝置12;主動裝置的定義如前述,在此不重複說明。 It should be noted that the definition of the personal portable device 12 as defined in FIG. 1 belongs to any type of active device (Active Device), wherein the active device may be (but not limited to): a notebook computer, a smart phone or a tablet. A computer, generally referred to as a personal portable device 12 that can install a software program and can transmit data to the authentication server 1 by itself. The definition of the personal portable device 12 as defined in FIG. 2 belongs to any passive device or any active device, wherein the passive device can be (but is not limited to): a traditional mobile phone, a bank card, a credit card or a SIM card. , means: one cannot install any The software program cannot transfer the data to the verification server 1 by itself, but can connect and transmit the personal portable device 12 of the data using terminal 11; the definition of the active device is as described above, and the description is not repeated here.

參閱圖1及圖3,本發明的網路安全驗證方法的第一實施例中,個人可攜裝置12是適用於本說明書中所定義的主動裝置,茲將第一實施例的步驟介紹如下。 Referring to FIG. 1 and FIG. 3, in the first embodiment of the network security verification method of the present invention, the personal portable device 12 is an active device suitable for use in the present specification, and the steps of the first embodiment are described below.

使用終端11產生一輸入資料傳輸予內容提供者伺服器3(步驟S101);例如:使用者5利用使用終端11的一瀏覽器觀看一銀行業者的內容提供者伺服器3提供的網路銀行的網站資料,並使用個人代號及密碼登入內容提供者伺服器3。然後,內容提供者伺服器3於判斷使用者5的個人代號及密碼是正確後,通知驗證伺服器1確認使用者身份(步驟S102),並經由步驟S101相同通訊管道同時驅動使用終端內事先安裝的軟體開始執行一第一驗證程序(步驟S103)。 The terminal 11 is used to generate an input data transmission to the content provider server 3 (step S101); for example, the user 5 views the online banking provided by the banker's content provider server 3 by using a browser using the terminal 11. Website information, and use the personal code and password to log in to the content provider server 3. Then, after determining that the personal code and password of the user 5 are correct, the content provider server 3 notifies the verification server 1 to confirm the identity of the user (step S102), and simultaneously drives the terminal in the same communication terminal through the same communication channel in step S101. The software starts executing a first verification procedure (step S103).

另外,驗證伺服器也通知個人可攜裝置12執行一第二驗證程序(步驟S104)。 In addition, the verification server also notifies the personal portable device 12 to execute a second verification procedure (step S104).

第一驗證程序是使用終端11安裝的掃描程式對於使用終端11的複數硬體元件掃描,且得到的該等硬體元件之硬體元件識別碼組合成一第一掃描資料,並且,對使用終端11進行定位以得到一代表使用終端11當時所在位置的一第一定位資料,使用終端11並傳送第一掃描資料及第一定位資料予該驗證伺服器1(步驟S105)。 The first verification program scans the plurality of hardware components using the terminal 11 using the scanning program installed in the terminal 11, and the obtained hardware component identification codes of the hardware components are combined into a first scan data, and the use terminal 11 is used. The positioning is performed to obtain a first positioning data representing the current location of the terminal 11, and the terminal 11 is used to transmit the first scanning data and the first positioning data to the verification server 1 (step S105).

第二驗證程序也可以是內容提供者伺服器3或該使用者驅動該個人可攜裝置12內預置軟體執行,個人可攜裝置 12安裝的掃描程式對於個人可攜裝置12的複數硬體元件掃描,且得到的該等硬體元件之硬體元件識別碼組合成一第二掃描資料,並且,對個人可攜裝置12進行定位以得到一代表個人可攜裝置12當時所在位置的一第二定位資料,個人可攜裝置12並傳送第二掃描資料及第二定位資料予驗證伺服器1(步驟S106)。 The second verification program may also be the content provider server 3 or the user drives the preset software in the personal portable device 12 to execute, the personal portable device The installed scanner scans the plurality of hardware components of the personal portable device 12, and the obtained hardware component identification codes of the hardware components are combined into a second scan data, and the personal portable device 12 is positioned. A second location data representing the location of the personal portable device 12 is obtained, and the personal portable device 12 transmits the second scan data and the second location data to the verification server 1 (step S106).

上述的個人可攜裝置12可以由三種方式:驗證伺服器1、內容提供者伺服器3或由該使用者驅動掃瞄並將資料經由第二管道送到驗證伺服器1。 The above-mentioned personal portable device 12 can be sent to the authentication server 1 via the second pipe by the authentication server 1, the content provider server 3 or by the user.

驗證伺服器1或內容提供者伺服器3驅動:例如智慧型手機由Push功能驅動個人可攜帶裝置12內預置軟體掃瞄並將資料經由第二管道送到驗證伺服器1。 The verification server 1 or the content provider server 3 is driven: for example, the smart phone drives the preset software scan in the personal portable device 12 by the Push function and sends the data to the verification server 1 via the second pipe.

使用者驅動掃瞄:例如內置軟體像一個App程式,使用者在登入同時可主動驅動驗證伺服器1內預置App程式掃瞄並將資料經由第二管道送到驗證伺服器1。 The user drives the scan: for example, the built-in software is like an app program, and the user can actively drive the preset app scan in the verification server 1 while logging in and send the data to the verification server 1 via the second pipe.

上述在使用終端11和驗證伺服器1之間的第二通訊管道(步驟S105)是有別於使用終端和內容提供者伺服器3之間的第一通訊管道(步驟S101,S103),這樣可進一步防止駭客攻擊。 The second communication pipe between the use terminal 11 and the verification server 1 (step S105) is different from the first communication pipe between the use terminal and the content provider server 3 (steps S101, S103), so that Further prevent hacking attacks.

上述在個人可攜裝置12和驗證伺服器1之間的第二通訊管道(步驟S106)是有別於個人可攜裝置12和驗證伺服器1之間的第一通訊管道(步驟S104),這樣可進一步防止駭客攻擊。 The second communication pipe between the personal portable device 12 and the authentication server 1 (step S106) is different from the first communication pipe between the personal portable device 12 and the authentication server 1 (step S104), such that Can further prevent hacking attacks.

驗證伺服器1收到前述步驟S105及步驟S106的資料後 執行步驟S107,步驟S107包括:將使用終端11的第一掃描資料及個人可攜裝置12的第二掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定使用終端11及個人可攜裝置12是否為使用者所擁有,以及依據使用終端11的第一定位資料及個人可攜裝置12的第二定位資料判斷是否相符相近地理位置操作之關聯。 After the verification server 1 receives the data of the foregoing steps S105 and S106, Step S107 is performed. The step S107 includes: comparing the first scan data of the use terminal 11 and the second scan data of the personal portable device 12 with a pre-built database to determine whether there is a pre-built database to determine whether there is a pre-built database. Whether the terminal 11 and the personal portable device 12 are owned by the user, and whether the first location data of the terminal 11 and the second location data of the personal portable device 12 are used to determine whether the association of the geographical proximity operations is consistent.

驗證伺服器1若是判斷不符合,則判斷為異常操作狀態,若是判斷符合,則判斷為正常操作狀態,且將查驗結果回傳給內容提供者伺服器3(步驟S108),本實施例中,查驗結果為正常操作狀態,代表使用者5的身份為通過驗證,因此,內容提供者伺服器3及使用終端11可以建立交易程序所需的加密連線(步驟S109),然後,內容提供者伺服器3可進行使用終端11所要求的後續操作。於其他實施例中,驗證伺服器1也可直接將查驗結果回傳給使用終端11,亦屬於本發明方法之範疇。 The verification server 1 determines that the abnormal operation state is determined if the determination is not met, and determines that the normal operation state is determined if the determination is met, and returns the inspection result to the content provider server 3 (step S108). In this embodiment, The result of the check is a normal operation state, and the identity of the user 5 is verified. Therefore, the content provider server 3 and the use terminal 11 can establish an encrypted connection required for the transaction program (step S109), and then the content provider servo The device 3 can perform subsequent operations required by the terminal 11. In other embodiments, the verification server 1 can directly return the inspection result to the user terminal 11, which is also within the scope of the method of the present invention.

第一實施例中是藉由驗證伺服器1安裝的軟體進行地理位置之關連性驗證,且其相近地理位置操作之關聯的判斷規則是:依據使用終端11及個人可攜裝置12具有相同之GPS定位位置,主要利用接收GPS衛星信號進行定位;或是共用同一網路位址(IP address),可利用HTML5規範的Wi-Fi節點的網路位址的定位技術;或是使用終端11及個人可攜裝置12共用同一行動通訊網路上的位置,行動通訊網路的定位演算法是利用無線基地台的訊號強度與無線基地台的位置去權重比例分配,估算出行動使用者的位置;以 上各種的相近地理位置的定位結果也就是代表使用終端11及個人可攜裝置12兩者都是該使用者所擁有而且位在同一地理位置,進而可當作電子簽名、網上付款等交易所需的憑證。 In the first embodiment, the verification function of the geographical location is verified by the software installed by the verification server 1, and the judgment rule of the association of the similar geographical operations is: the same GPS is used according to the use terminal 11 and the personal portable device 12. Positioning position, mainly by receiving GPS satellite signals for positioning; or sharing the same network address (IP address), using the HTML5 specification of the Wi-Fi node's network address location technology; or using the terminal 11 and the individual The portable device 12 shares the location on the same mobile communication network. The positioning algorithm of the mobile communication network is to estimate the position of the mobile user by using the signal strength of the wireless base station and the position of the wireless base station to be weighted. The positioning results of various similar geographical locations, that is, the use terminal 11 and the personal portable device 12 are both owned by the user and located in the same geographical location, and thus can be used as an electronic signature, online payment, etc. Required documents.

此外,個人可攜裝置12內安裝之軟體可設定在開機後,每隔一段時間即自動連上驗證伺服器1並將掃瞄資料及位置上傳。在使用終端11登入內容提供者伺服器3時,驗證伺服器1即可以個人可攜帶裝置12最後一次上報之位置來判斷位置是否合理做允不允許登入之依據。 In addition, the software installed in the personal portable device 12 can be set to automatically connect to the verification server 1 and upload the scan data and location at intervals after the power is turned on. When the terminal 11 is used to log in to the content provider server 3, the verification server 1 can determine whether the location is reasonably allowed to allow login based on the location of the last time the personal portable device 12 is reported.

參閱圖2及圖4,本發明的網路安全驗證方法的第二實施例中,個人可攜裝置12是前述定義的被動裝置或主動裝置,茲將第二實施例的步驟介紹如下。 Referring to FIG. 2 and FIG. 4, in the second embodiment of the network security verification method of the present invention, the personal portable device 12 is a passive device or an active device as defined above, and the steps of the second embodiment are described below.

使用終端11產生一輸入資料傳輸予內容提供者伺服器3(步驟S301);例如:使用者5利用使用終端11的一瀏覽器觀看一銀行業者的內容提供者伺服器3提供的網路銀行的網站資料,使用個人代號及密碼登入內容提供者伺服器3。然後,內容提供者伺服器3於判斷使用者5的個人代號及密碼正確後,通知驗證伺服器1確認使用者身份(步驟S302),並經由步驟S301相同通訊管道同時驅動使用終端內事先安裝的軟體開始執行一第一驗證程序(步驟S303)。 The terminal 11 is used to generate an input data transmission to the content provider server 3 (step S301); for example, the user 5 views the online banking provided by the banker's content provider server 3 by using a browser using the terminal 11. Website information, use the personal code and password to log in to the content provider server 3. Then, after determining that the personal code and password of the user 5 are correct, the content provider server 3 notifies the verification server 1 to confirm the identity of the user (step S302), and simultaneously drives the pre-installed terminal in the same terminal via the same communication channel in step S301. The software starts executing a first verification procedure (step S303).

第一驗證程序是使用終端11安裝的掃描程式對於使用終端11的複數硬體元件掃描,且得到的該等硬體元件之硬體元件識別碼組合成一第一掃描資料。 The first verification program scans the plurality of hardware components using the terminal 11 using the scanning program installed in the terminal 11, and the obtained hardware component identification codes of the hardware components are combined into a first scan data.

另外,使用終端11並於接獲內容提供者伺服器3之通 知後,對於個人可攜裝置12執行一第二驗證程序(步驟S304),第二驗證程序是使用終端11判斷個人可攜裝置12是否在使用終端11的附近位置,若是,使用終端11與個人可攜裝置12建立連接,且對於個人可攜裝置12的硬體元件掃描以得到一具有一硬體元件識別碼的第二掃描資料(步驟S305),然後,使用終端11傳送第一掃描資料及第二掃描資料予驗證伺服器1(步驟S306)。 In addition, the terminal 11 is used and the content provider server 3 is received. After that, a second verification procedure is executed for the personal portable device 12 (step S304). The second verification program is to determine whether the personal portable device 12 is in the vicinity of the use terminal 11 by using the terminal 11, and if so, using the terminal 11 and the individual The portable device 12 establishes a connection, and scans the hardware component of the personal portable device 12 to obtain a second scan data having a hardware component identification code (step S305), and then uses the terminal 11 to transmit the first scan data and The second scan data is supplied to the verification server 1 (step S306).

上述在使用終端11和驗證伺服器1之間的第二通訊管道(步驟S306)是有別於使用終端和內容提供者伺服器3之間的第一通訊管道(步驟S301,S303),這樣可進一步防止駭客攻擊。 The second communication pipe between the use terminal 11 and the verification server 1 (step S306) is different from the first communication pipe between the use terminal and the content provider server 3 (steps S301, S303), so that Further prevent hacking attacks.

驗證伺服器1將使用終端11的第一掃描資料及個人可攜裝置12的第二掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定使用終端11及個人可攜裝置12是否為使用者所擁有,以及依據使用終端11的第一定位資料及個人可攜裝置12的第二定位資料判斷是否相符相近地理位置操作之關聯(步驟S307)。 The verification server 1 compares the first scan data of the terminal 11 and the second scan data of the personal portable device 12 with a pre-built database, and determines whether there is a pre-built database to determine the use terminal 11 and Whether the personal portable device 12 is owned by the user, and whether the coincidence of the geographical proximity operation is determined according to the first positioning data of the use terminal 11 and the second positioning data of the personal portable device 12 (step S307).

驗證伺服器1若是判斷不符合,則判斷為異常操作狀態,若是判斷符合,則判斷為正常操作狀態,且將查驗結果回傳給內容提供者伺服器3(步驟S308),本實施例中,查驗結果為正常操作狀態,代表使用者5的身份為通過驗證,因此,內容提供者伺服器3及使用終端11可以建立交易程序所需的加密連線(步驟S309),然後,內容提供者伺服器3可進行使用終端11所要求的後續操作。於其他實施例中, 驗證伺服器1也可直接將查驗結果回傳給使用終端11,亦屬於本發明方法之範疇。 If the verification server 1 determines that the content is not met, it determines that the abnormal operation state is determined. If the determination is met, it determines that the operation state is normal, and returns the inspection result to the content provider server 3 (step S308). In this embodiment, The result of the check is a normal operation state, and the identity of the user 5 is authenticated. Therefore, the content provider server 3 and the use terminal 11 can establish an encrypted connection required for the transaction program (step S309), and then the content provider servo The device 3 can perform subsequent operations required by the terminal 11. In other embodiments, The verification server 1 can also directly return the inspection result to the user terminal 11, which is also within the scope of the method of the invention.

第二實施例與第一實施例的差別是:第二實施例是藉由使用終端11安裝的軟體進行地理位置之關連性驗證,且其相近地理位置操作之關聯的判斷規則是:使用終端11及個人可攜裝置12經由近場通訊方式彼此連接、共用同一短距離無線網路,其中,短距離無線網路可以是使用終端11及個人可攜裝置12經由近場通訊(NFC)方式彼此連接,或是共用同一短距離無線網路(如:藍牙通訊、Wi-Fi通訊),也就是代表使用終端11及個人可攜裝置12兩者都是位在同一地理位置,進而可當作電子簽名、網上付款等交易所需的憑證。 The difference between the second embodiment and the first embodiment is that the second embodiment is to perform the correlation verification of the geographical location by using the software installed by the terminal 11, and the judgment rule of the association of the similar geographical operations is: using the terminal 11 And the personal portable device 12 is connected to each other and shares the same short-range wireless network via near-field communication, wherein the short-range wireless network can be connected to each other via the near-field communication (NFC) using the terminal 11 and the personal portable device 12. Or sharing the same short-range wireless network (eg, Bluetooth communication, Wi-Fi communication), that is, the representative terminal 11 and the personal portable device 12 are both located in the same geographical location, and thus can be regarded as an electronic signature. , the credentials required for transactions such as online payment.

參閱圖5,本發明的網路安全驗證方法的第三實施例中,主要是應用於一供使用者操作的使用終端11、一內容提供者伺服器3,及一在登入該內容提供者伺服器3時由該使用者攜帶的個人可攜裝置12,本實施例中,該使用終端11是一自動提款機或一銷售端點,個人可攜裝置12是前述定義的被動裝置或主動裝置,內容提供者伺服器3是提供一使用者一信用卡或一銀行卡的發卡者,茲將第三實施例的步驟介紹如下。 Referring to FIG. 5, in a third embodiment of the network security verification method of the present invention, the application is mainly applied to a user terminal 11 for operation, a content provider server 3, and a login to the content provider server. In the embodiment 3, the user terminal 12 is an automatic cash dispenser or a sales terminal, and the personal portable device 12 is a passive device or an active device as defined above. The content provider server 3 is a card issuer who provides a user-a credit card or a bank card. The steps of the third embodiment are described below.

使用終端11產生一輸入資料內含使用終端11之地理位置傳輸予內容提供者伺服器3(步驟S401);例如:使用者的信用卡或銀行卡在ATM或銷售端點取款或付費,且使用個人密碼登入內容提供者伺服器3。然後,內容提供者伺服器3於判斷使用者的個人用信用卡或銀行卡及密碼正確後,通知 驗證伺服器1要求其供應該使用者之個人裝置之地理位置(步驟S402)。 The use terminal 11 generates an input data containing the geographical location of the use terminal 11 and transmits it to the content provider server 3 (step S401); for example, the user's credit card or bank card withdraws or pays at the ATM or the sales endpoint, and uses the individual. The password is logged into the content provider server 3. Then, the content provider server 3 notifies the user that the personal credit card or bank card and password are correct. The verification server 1 requests it to supply the geographical location of the user's personal device (step S402).

驗證伺服器1於接獲內容提供者伺服器3之要求後,對於個人可攜裝置12執行一驗證程序,驅動個人可攜裝置12內預置之掃瞄程式對其硬體元件掃描以得到一具有一硬體元件識別碼的一掃描資料,並且,對個人可攜裝置12進行定位以得到一代表個人可攜裝置12當時所在位置的位資料(步驟S403),個人可攜裝置12並傳送掃描資料及定位資料予驗證伺服器1(步驟S404)。驗證伺服器1將個人可攜裝置12的掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定個人可攜裝置12是否為使用者所擁有(步驟S405)。若結果是正確,驗證伺服器1便將將個人可攜裝置12的地理位置傳給內容提供者伺服器3(步驟S406)。內容提供者伺服器3便依據使用終端11的定位資料及個人可攜裝置12的定位資料判斷是否相符相近地理位置操作之關聯(步驟S407)。 After receiving the request of the content provider server 3, the verification server 1 performs a verification process on the personal portable device 12, and drives the scanning program preset in the personal portable device 12 to scan the hardware components to obtain a verification program. A scan data having a hardware component identification code, and positioning the personal portable device 12 to obtain a bit data representing the location of the personal portable device 12 at the time (step S403), and the personal portable device 12 transmits the scan The data and the location data are sent to the verification server 1 (step S404). The verification server 1 compares the scan data of the personal portable device 12 with the pre-built database, and determines whether there is a pre-built database to determine whether the personal portable device 12 is owned by the user (step S405). . If the result is correct, the verification server 1 will transmit the geographical location of the personal portable device 12 to the content provider server 3 (step S406). The content provider server 3 determines whether or not the association of the geographical proximity operations is consistent according to the location data of the terminal 11 and the location data of the personal portable device 12 (step S407).

內容提供者伺服器3若是判斷不符合,則判斷為異常操作狀態,若是判斷符合,則判斷為正常操作狀態,且將查驗結果回傳給使用終端11(步驟S408),本實施例中,查驗結果為正常操作狀態,代表使用者的身份為通過驗證,因此,內容提供者伺服器3可進行使用終端11所要求的後續操作。 If the content provider server 3 determines that the content is not met, it determines that it is in an abnormal operation state, and if it is determined to be in compliance, it determines that it is in a normal operation state, and returns the inspection result to the user terminal 11 (step S408). In this embodiment, the inspection is performed. The result is a normal operating state, and the identity of the user is verified, so the content provider server 3 can perform subsequent operations required by the terminal 11.

此外,內容提供者伺服器3藉由該相近地理位置的定位結果代表使用終端11及個人可攜裝置12兩者都是該使用者所擁有而且位在同一地理位置,進而當作使用者的電子簽名 或付款交易所需的憑證。又,個人可攜裝置12內安裝之軟體可設定在開機後,每隔一段時間即自動連上驗證伺服器1並將掃瞄資料及位置上傳,在使用終端11登入內容提供者伺服器3時,驗證伺服器1即可以個人可攜帶裝置12最後一次上報之位置來判斷位置是否合理做允不允許登入之依據。 In addition, the content provider server 3 represents that the user terminal 11 and the personal portable device 12 are both owned by the user and located in the same geographical location by the positioning result of the similar geographical location, thereby serving as the user's electronic signature Or the credentials required for a payment transaction. Moreover, the software installed in the personal portable device 12 can be set to automatically connect to the verification server 1 and upload the scan data and location at intervals, and when the user terminal 10 logs in to the content provider server 3 The verification server 1 can determine whether the location is reasonable and allows the login to be based on the location of the last time the personal portable device 12 is reported.

第一實施例中所提及的各種地理位置取得方式,當然適用於第三實施例中;相同的第二實施例中的各種近場位置判別方式也適用於第實施例中,不在此重複描述。 The various geographical location acquisition methods mentioned in the first embodiment are of course applicable to the third embodiment; the various near-field position discrimination modes in the same second embodiment are also applicable to the first embodiment, and are not repeatedly described herein. .

綜上所述,本發明網路安全驗證方法之功效在於: In summary, the effectiveness of the network security verification method of the present invention is:

1.加強交易安全:本發明採用雙重驗證技術,也就是同時驗證使用者的兩種實體裝置,驗證伺服器1藉由判斷使用終端11及個人可攜裝置12是否為該使用者所擁有且是否符合相近地理位置操作之關聯確認使用者身份,可避免遠端的網路駭客盜用身份資料的問題。 1. Strengthening transaction security: The present invention adopts a dual verification technology, that is, simultaneously verifying two types of physical devices of the user, and the verification server 1 determines whether the use terminal 11 and the personal portable device 12 are owned by the user and whether The identification of the user in accordance with the proximity of geographical operations can avoid the problem of remote hackers stealing identity data.

2.節省成本:使用者5可以使用自己本身既有的行動電話或平板電腦來當作雙重驗證所所需的個人可攜裝置12,因此,網路內容提供者就不需再發行實體的身份驗證硬體給使用者5,可節省實體的身份驗證硬體的物料及管理成本,以及處理相關業務的人力成本。 2. Cost saving: User 5 can use his own mobile phone or tablet as the personal portable device 12 required for double authentication, so the network content provider does not need to issue the identity of the entity. Verifying the hardware to the user 5 saves the material and management costs of the entity's authentication hardware and the labor costs of processing the related business.

惟以上所述者,僅為本發明之較佳實施例而已,當不能以此限定本發明實施之範圍,即大凡依本發明申請專利範圍及發明說明內容所作之簡單的等效變化與修飾,皆仍屬本發明專利涵蓋之範圍內。 The above is only the preferred embodiment of the present invention, and the scope of the invention is not limited thereto, that is, the simple equivalent changes and modifications made by the scope of the invention and the description of the invention are All remain within the scope of the invention patent.

1‧‧‧驗證伺服器 1‧‧‧Verification server

11‧‧‧使用終端 11‧‧‧Use terminal

12‧‧‧個人可攜裝置 12‧‧‧Personal portable devices

3‧‧‧內容提供者伺服器 3‧‧‧Content Provider Server

5‧‧‧使用者 5‧‧‧Users

500‧‧‧通訊網路 500‧‧‧Communication network

S101~S109‧‧‧步驟 S101~S109‧‧‧Steps

S301~S309‧‧‧步驟 S301~S309‧‧‧Steps

S401~S409‧‧‧步驟 S401~S409‧‧‧Steps

圖1是一系統方塊圖,說明本發明驗證伺服器及相關裝置之第一較佳實施例;圖2是一系統方塊圖,說明本發明驗證伺服器及相關裝置之第二較佳實施例;圖3是一流程圖,說明本發明網路安全驗證方法的第一實施例;圖4是一流程圖,說明本發明網路安全驗證方法的第二實施例;及圖5是一流程圖,說明本發明網路安全驗證方法的第三實施例。 1 is a system block diagram showing a first preferred embodiment of the verification server and related device of the present invention; FIG. 2 is a system block diagram showing a second preferred embodiment of the verification server and related device of the present invention; 3 is a flow chart illustrating a first embodiment of the network security verification method of the present invention; FIG. 4 is a flow chart illustrating a second embodiment of the network security verification method of the present invention; and FIG. A third embodiment of the network security verification method of the present invention will be described.

1‧‧‧驗證伺服器 1‧‧‧Verification server

11‧‧‧使用終端 11‧‧‧Use terminal

12‧‧‧個人可攜裝置 12‧‧‧Personal portable devices

3‧‧‧內容提供者伺服 器 3‧‧‧Content provider servo Device

5‧‧‧使用者 5‧‧‧Users

500‧‧‧通訊網路 500‧‧‧Communication network

Claims (10)

一種網路安全驗證方法,應用於一驗證伺服器,並配合一使用終端、一個人可攜裝置及一內容提供者伺服器,該方法包括下述步驟:(a)該內容提供者伺服器要求該驗證伺服器對於該使用者查驗身份;(b)該驗證伺服器取得該使用終端及該個人可攜裝置之硬體掃描資料,且對於該使用終端及該個人可攜裝置進行定位;及(c)該驗證伺服器將該使用終端及該個人可攜裝置之硬體掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定該使用終端及該個人可攜裝置是否為使用者所擁有,且該使用終端及該個人可攜裝置二者需符合相近地理位置操作之關聯,若是不符合相近地理位置操作之關聯,則判斷為異常操作狀態,並將查驗結果回傳給該內容提供者伺服器或該使用終端。 A network security verification method is applied to a verification server, coupled with a use terminal, a person portable device and a content provider server, the method comprising the following steps: (a) the content provider server requires the The verification server checks the identity of the user; (b) the verification server obtains the hardware scan data of the user terminal and the personal portable device, and locates the user terminal and the personal portable device; and (c The verification server compares the hardware scan data of the user terminal and the personal portable device with a pre-built database to determine whether there is a pre-built database to determine the user terminal and the personal portability Whether the device is owned by the user, and the user terminal and the personal portable device need to meet the association of similar geographical operations, and if the association does not meet the operation of the similar geographical location, the abnormal operation state is determined, and the inspection result is obtained. Returned to the content provider server or the user terminal. 依據申請專利範圍第1項所述之網路安全驗證方法,其中,步驟(b)包括下述子步驟:該內容提供者伺服器通知該使用終端執行一第一驗證程序,該第一驗證程序是對於該使用終端的複數硬體元件掃描得到的該等硬體元件之硬體元件識別碼組合的一掃描資料,及對該使用終端的定位以得到一代表該使用終端當時所在位置的定位資料,該使用終端並傳送該第一掃描資料及該第一定位資料予該驗證伺服器,及 該驗證伺服器或該內容提供者伺服器或使用者驅動該個人可攜裝置內預置軟體執行一第二驗證程序,該第二驗證程序是對於該個人可攜裝置的複數硬體元件掃描以得到一具有複數硬體元件之硬體元件識別碼組合的第二掃描資料,以及對該個人可攜裝置定位以得到一代表該個人可攜裝置當時所在位置的一第二定位資料,該個人可攜裝置並傳送該第二掃描資料及該第二定位資料予該驗證伺服器;及步驟(c)是該驗證伺服器將該使用終端及該個人可攜裝置的該第一掃描資料及該第二掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定該使用終端及該個人可攜裝置是否為使用者所擁有,以及依據該第一定位資料及該第二定位資料判斷是否具有相近地理位置操作之關聯,若是不符合,則判斷為異常操作狀態,且該驗證伺服器將查驗結果回傳給該內容提供者伺服器或該使用終端。 The network security verification method according to claim 1, wherein the step (b) includes the substep of: the content provider server notifying the user terminal to execute a first verification program, the first verification program Is a scan data of a hardware component identification code combination of the hardware components obtained by scanning the plurality of hardware components of the terminal, and positioning the terminal to obtain a positioning data representing a location of the terminal at the time of use. The user terminal transmits the first scan data and the first location data to the verification server, and The verification server or the content provider server or the user drives the preset software in the personal portable device to execute a second verification program, the second verification program is to scan the plurality of hardware components of the personal portable device Obtaining a second scan data of a combination of hardware component identification codes having a plurality of hardware components, and positioning the personal portable device to obtain a second location data representing a location of the personal portable device at the time, the person may Carrying the device and transmitting the second scan data and the second location data to the verification server; and step (c) is the first scan data of the user terminal and the personal portable device and the first Comparing the scanned data with the pre-built database to determine whether there is a pre-built database to determine whether the user terminal and the personal portable device are owned by the user, and according to the first positioning data and the The second positioning data determines whether there is an association of similar geographical operations, and if it does not, it determines that the abnormal operating state, and the verification server will check the knot Back to the content provider or the use of terminal servers. 依據申請專利範圍第2項所述之網路安全驗證方法,其中,相近地理位置操作之關聯的判斷規則是:該使用終端及該個人可攜裝置具有相同之GPS定位位置,或是該使用終端及該個人可攜裝置共用同一網路位址,或是該使用終端及該個人可攜裝置共用同一行動通訊網路上的位置。 According to the network security verification method described in claim 2, wherein the determining rule of the associated geographical location operation is that the user terminal and the personal portable device have the same GPS positioning position, or the using terminal And the personal portable device shares the same network address, or the user terminal and the personal portable device share the location on the same mobile communication network. 依據申請專利範圍第1項所述之網路安全驗證方法,其中,步驟(b)包括下述子步驟:該內容提供者伺服器通知該使用終端執行一第一驗證 程序,該第一驗證程序是對於該使用終端的複數硬體元件掃描得到的該等硬體元件之硬體元件識別碼組合的一掃描資料,及對該使用終端的定位以得到一代表該使用終端當時所在位置的定位資料,及該使用終端執行一第二驗證程序,該第二驗證程序是該使用終端判斷該個人可攜裝置是否在該使用終端的附近位置,若是,該使用終端與該個人可攜裝置建立連接,且對於該個人可攜裝置的硬體元件掃描以得到一具有一硬體元件識別碼的第二掃描資料,該使用終端並傳送該第二掃描資料予該驗證伺服器;及步驟(c)是該驗證伺服器將該使用終端及該個人可攜裝置的該第一掃描資料、該定位資料及該第二掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定該使用終端及該個人可攜裝置是否為使用者所擁有,並依據該定位資料判斷是否符合相近地理位置操作之關聯。 The network security verification method according to claim 1, wherein the step (b) includes the substep of: the content provider server notifying the user terminal to perform a first verification a first verification program is a scan data of a hardware component identification code combination of the hardware components scanned by the plurality of hardware components of the terminal, and positioning of the use terminal to obtain a representation of the use The location information of the location of the terminal at the time, and the use terminal perform a second verification procedure, the second verification procedure is that the user terminal determines whether the personal portable device is in the vicinity of the use terminal, and if so, the use terminal and the The personal portable device establishes a connection, and scans a hardware component of the personal portable device to obtain a second scan data having a hardware component identification code, and the use terminal transmits the second scan data to the verification server And the step (c) is: the verification server compares the first scan data, the positioning data, and the second scan data of the user terminal and the personal portable device with a pre-built database to determine whether There is a pre-built database to determine whether the user terminal and the personal portable device are owned by the user, and judge according to the positioning data In line with similar geographic location associated with the operation. 依據申請專利範圍第4項所述之網路安全驗證方法,其中,相近地理位置操作之關聯的判斷規則是:該使用終端及該個人可攜裝置經由近場通訊方式彼此連接,或是該使用終端及該個人可攜裝置共用同一短距離無線網路。 According to the network security verification method of claim 4, wherein the determining rule of the associated geographical location operation is that the user terminal and the personal portable device are connected to each other via near field communication, or the use is The terminal and the personal portable device share the same short-range wireless network. 依據申請專利範圍第1至5項中的任一項所述之網路安全驗證方法,其中,該使用終端藉由一第一通訊管道與該內容提供者連線,及該使用終端藉由一不同於該第一通訊管道的第二通訊管道與該驗證伺服器連線。 The network security verification method according to any one of claims 1 to 5, wherein the user terminal is connected to the content provider by a first communication channel, and the user terminal is A second communication pipe different from the first communication pipe is connected to the verification server. 依據申請專利範圍第1至5項中的任一項所述之網路安全驗證方法,該個人可攜裝置內安裝之軟體可設定在開機後,每隔一段時間即自動連上該驗證伺服器並將掃瞄資料及位置上傳,在該使用終端登入該內容提供者伺服器時,該驗證伺服器即可以該個人可攜帶裝置最後一次上報之位置來判斷位置是否合理做允不允許登入之依據。 According to the network security verification method according to any one of claims 1 to 5, the software installed in the personal portable device can be set to automatically connect to the verification server at intervals after the power is turned on. And uploading the scan data and the location. When the user terminal logs in to the content provider server, the verification server can determine whether the location is reasonable and the login is not allowed when the personal portable device is last reported. in accordance with. 一種網路安全驗證方法,是應用於一驗證伺服器,並配合一使用終端、一個人可攜裝置及一內容提供者伺服器,該使用終端是一自動提款機或一銷售端點,該內容提供者伺服器是提供一使用者一信用卡或一銀行卡的發卡者;該方法包括下述步驟:(a)該內容提供者伺服器要求該驗證伺服器提供該使用者之個人可攜裝置之地理位置;(b)該驗證伺服器取得該個人可攜裝置之硬體掃描資料且對於該使用終端及該個人可攜裝置進行定位;(c)該驗證伺服器將該個人可攜裝置之硬體掃描資料與預先建置的資料庫進行比對,判斷是否存在預先建置的資料庫以確定該個人可攜裝置是否為使用者所擁有,若是,便將此地理位置交予該內容提供者伺服器;及(d)該內容提供者伺服器比較該使用終端及該個人可攜裝置二者需符合相近地理位置操作之關聯,若是不符合相近地理位置操作之關聯,則判斷為異常操作狀態,並將查驗結果回傳給該使用終端。 A network security verification method is applied to a verification server, and cooperates with a user terminal, a person portable device and a content provider server, and the user terminal is an automatic cash dispenser or a sales terminal, the content The provider server is a card issuer that provides a user-a credit card or a bank card; the method includes the following steps: (a) the content provider server requires the verification server to provide the user's personal portable device Geographic location; (b) the verification server obtains hardware scan data of the personal portable device and locates the use terminal and the personal portable device; (c) the verification server hardens the personal portable device Comparing the volume scan data with the pre-built database to determine whether there is a pre-built database to determine whether the personal portable device is owned by the user, and if so, handing the location to the content provider a server; and (d) the content provider server compares the use terminal and the personal portable device with an association of similar geographical operations, if the geographical proximity is not met Associated with the set operation, it is determined that an abnormal operating state, and the inspection results are passed back to the terminal used. 依據申請專利範圍第8項所述之網路安全驗證方法,其 中,該相近地理位置操作之關聯的判斷規則是:該使用終端及該個人可攜裝置經由近場通訊方式彼此連接,或是該使用終端及該個人可攜裝置共用同一短距離無線網路;該內容提供者伺服器藉由該相近地理位置的定位結果代表該使用終端及該個人可攜裝置兩者都是該使用者所擁有而且位在同一地理位置,進而當作該使用者的電子簽名或付款交易所需的憑證。 According to the network security verification method described in claim 8 of the patent application scope, The determining rule of the associated geographical location operation is: the user terminal and the personal portable device are connected to each other via near field communication, or the user terminal and the personal portable device share the same short-range wireless network; The content provider server indicates that the user terminal and the personal portable device are both owned by the user and located in the same geographical location by the positioning result of the geographical location, and then regarded as the electronic signature of the user. Or the credentials required for a payment transaction. 依據申請專利範圍第8項所述之網路安全驗證方法,其中,該個人可攜裝置內安裝之軟體可設定在開機後,每隔一段時間即自動連上該驗證伺服器並將掃瞄資料及位置上傳,在該使用終端登入該內容提供者伺服器時,該驗證伺服器即可以該個人可攜帶裝置最後一次上報之位置來判斷位置是否合理做允不允許登入之依據。 According to the network security verification method described in claim 8, wherein the software installed in the personal portable device can be set to automatically connect to the verification server and scan data at intervals after power on. And the location uploading, when the user terminal logs in to the content provider server, the verification server can determine whether the location is reasonable to allow the login to be based on the location of the last time the personal portable device is reported.
TW101140766A 2012-11-02 2012-11-02 Online authentication by proximity TWI531202B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW101140766A TWI531202B (en) 2012-11-02 2012-11-02 Online authentication by proximity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW101140766A TWI531202B (en) 2012-11-02 2012-11-02 Online authentication by proximity

Publications (2)

Publication Number Publication Date
TW201419820A true TW201419820A (en) 2014-05-16
TWI531202B TWI531202B (en) 2016-04-21

Family

ID=51294544

Family Applications (1)

Application Number Title Priority Date Filing Date
TW101140766A TWI531202B (en) 2012-11-02 2012-11-02 Online authentication by proximity

Country Status (1)

Country Link
TW (1) TWI531202B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11295307B2 (en) 2014-08-29 2022-04-05 Advanced New Technologies Co., Ltd. Method and apparatus of obtaining location information

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10757087B2 (en) 2018-01-02 2020-08-25 Winbond Electronics Corporation Secure client authentication based on conditional provisioning of code signature

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11295307B2 (en) 2014-08-29 2022-04-05 Advanced New Technologies Co., Ltd. Method and apparatus of obtaining location information
TWI763264B (en) * 2014-08-29 2022-05-01 開曼群島商創新先進技術有限公司 A method and device for obtaining location information

Also Published As

Publication number Publication date
TWI531202B (en) 2016-04-21

Similar Documents

Publication Publication Date Title
US11405781B2 (en) System and method for mobile identity protection for online user authentication
TWI792284B (en) Methods for validating online access to secure device functionality
CN105741112B (en) Network-based authentication payment device, authentication payment method and authentication payment system
AU2014353151B2 (en) Automated account provisioning
JP2018088292A (en) System and method for secure transaction process by mobile equipment
CN108804906B (en) System and method for application login
US20200265438A1 (en) Systems and methods for estimating authenticity of local network of device initiating remote transaction
KR20170041729A (en) System and method for establishing trust using secure transmission protocols
US20160381011A1 (en) Network security method and network security system
CN102088353A (en) Two-factor authentication method and system based on mobile terminal
CN103037323B (en) Based on random code verification system and the verification method thereof of mobile terminal
WO2016116890A1 (en) Method and system for establishing a secure communication tunnel
KR102116587B1 (en) Method and system using a cyber id to provide secure transactions
KR101348079B1 (en) System for digital signing using portable terminal
US20150006887A1 (en) System and method for authenticating public keys
CN112995227B (en) One-stop information service platform based on three-party credit management
EP3334086A1 (en) Online authentication method based on smart card, smart card and authentication server
CN107395600B (en) Service data verification method, service platform and mobile terminal
TW201421393A (en) System for interactive 2-D barcode transaction data transmission and validation of mobile device and method thereof
JP2017535893A (en) Payment verification method, apparatus and system
TWI531202B (en) Online authentication by proximity
KR20120071945A (en) Method and system for appling usim certificate to online infrastructure
CA3135088A1 (en) System and method for providing secure data access
KR20140046674A (en) Digital certificate system for cloud-computing environment and providing method thereof
TWI618008B (en) Transaction fee negotiation for currency remittance