TW201427367A - PKI authentication service system and method - Google Patents

Info

Publication number: TW201427367A
Authority: TW (Taiwan)
Application number: TW101150882A
Other languages: Chinese (zh)
Other versions: TWI475865B (granted patent)
Inventors: Hang-Geng Cai, Jun-Feng Lin, Bin-Rong Jiang, Bang-Ye Lin, Can-Xiong Liu
Original assignee: Chunghwa Telecom Co Ltd
Status: application filed by Chunghwa Telecom Co Ltd with priority to TW101150882A; published as TW201427367A; granted and published as TWI475865B

Abstract

The present invention discloses a PKI (public key infrastructure) authentication service system and method. The system includes: a client component distribution module, connected to at least one client, which stores PKI components of several types and distributes the component matching the client's type to that client, giving the client PKI operating capability (such as signing); a management module, connected to at least one application system, which determines and selects the verification procedure suited to that application system; a common verification module, connected to the management module and to at least one application system and further connected to a plurality of CAs (certificate authorities), which selects a suitable CA according to the verification procedure determined by the management module, performs the verification and produces a verification result; and an evidence module, connected to the common verification module, which stores the verification result and related information.

Description

PKI authentication service system and method

The present invention relates to an authentication service system and method, and in particular to a public key infrastructure (PKI) authentication service system and method that is separated out from ordinary application systems.

As network applications grow, network security receives ever more attention, and among network security solutions the one generally recognised as the strongest is public key infrastructure (PKI). On the one hand, for most application systems whose developers are not PKI specialists the barrier to adopting PKI is high: the traditional way of making a system PKI-enabled usually costs the application a great deal of integration work and operational resources, so applications need a simple path to becoming PKI-enabled. On the other hand, cryptography and cryptanalysis, and the various PKI security devices (such as IC cards), change rapidly; once the PKI technology currently in use raises security concerns, the application must be able to switch quickly to a more advanced or more secure PKI technology. In addition, each application may have to support a variety of client platforms (which need different PKI components), handle certificates issued by different CAs, keep evidence of transactions or of authentication, and possibly run different verification steps depending on the certificate class; in the past, applications had to build and operate these functions themselves.
In summary, what is needed at this stage is a way to meet the above requirements so that applications can obtain these functions more simply and flexibly. Since PKI technology has previously been built into the application itself, the present invention separates the PKI system out and applies a cloud-like model to relieve applications of the burden of operating PKI technology.

The object of the present invention is to provide a system and method that lets each application system become PKI-enabled more easily and at lower cost, and that meets each application's customised verification requirements in a flexible way. To achieve this object, the invention adopts the following technical solution: a public key infrastructure (PKI) authentication service system comprising: a client component distribution module connected to at least one client, which stores PKI components of a plurality of types and distributes the PKI component matching the client type to the client, so that the client gains PKI operating capability (for example, signing); a management module connected to at least one application system, which determines and selects the verification procedure applicable to that application system; a common verification module connected to the management module and to at least one application system, and further connected to a plurality of certificate authorities (CAs), which selects the applicable CA according to the verification procedure determined by the management module, verifies a signed document submitted for verification, produces a verification result and returns it to the application system as notification; and an evidence module connected to the common verification module, which stores the verification result and related information.

In the present invention, the verification procedure comprises the verification requirements of the application systems, the certificate checking rules and the parameters registered for the CAs.

In the present invention, the related information comprises the signed document under verification and the signature record of the user logging into the application system.

In the present invention, a PKI security device is further included; the PKI security device is connected to the client in order to produce the signed document to be verified.

In the present invention, the parameters of the CAs comprise the URL (Uniform Resource Locator) of the Online Certificate Status Protocol (OCSP) responder, the URL of the Certificate Revocation List (CRL) and the CRL download period.

A public key infrastructure (PKI) authentication service method comprises at least the following steps: a client connects to an application system, and if the client does not have the PKI component for its client type installed, the client automatically connects to a client component distribution module of a PKI authentication service system to locate the PKI component for that client type and install it on the client; the client uses the PKI component for its type to operate a PKI security device, signs a document to produce a signed document, and sends the signed document to the application system; the application system receives the signed document and forwards it to a common verification module of the PKI authentication service system; the common verification module, on receiving the signed document, connects to the application system through a management module and looks up the certificate authority (CA) and verification procedure applicable to that application system; the common verification module verifies the signed document according to the CA and verification procedure the management module found for that application system, produces a verification result and sends it to the application system to notify it whether the document passed verification; and an evidence module of the PKI authentication service system stores the verification result for backup or later use.

In the present invention, before the client can use the PKI authentication service method, the following steps must first be carried out: the client submits a registration application to the management module; and the management module, according to the data in the registration application, configures the CA and verification procedure applicable to the application system; only after the registration application is completed does the application system begin serving the client.

Because the PKI technology in current application systems performs authentication only for the application system it is built into, which both adds to the application's burden and lacks flexibility, the present invention proposes a PKI authentication service system and method. In summary, the present invention has the following advantages:

(1) Independent operation: applying a concept similar to a cloud system, the invention separates the PKI authentication system out; the client and the application system only send messages and receive results, and need not invest their own resources in the work, which reduces additional resource investment.

(2) Flexible verification planning: through its own management module, different CA verification and authentication flows can be run for different types of application system, and the applicable PKI component can be assigned to each different client so that it can operate with the PKI authentication system.

(3) Multi-party operation: previously the PKI system was integrated with the application system and could only run that application's authentication procedure, so its capability was limited; through the PKI authentication service system and method of the invention, authentication can be performed for different clients and different application systems at the same time, greatly improving compatibility and operating efficiency.

In summary, this application is not only genuinely innovative in its technical concept but also provides the several effects listed above, which conventional methods do not; it fully satisfies the statutory requirements of novelty and inventive step for an invention patent. The application is therefore filed in accordance with the law, and the Office is respectfully requested to grant this invention patent application.

To make the objects, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.

The invention is further described below with reference to the drawings. Please refer to Fig. 1, a block diagram of the PKI authentication service system of the invention. As shown, the PKI authentication service system 1 of the invention is independent of the application systems, much like a cloud system, and comprises a client component distribution module 11, a management module 12, a common verification module 13 and an evidence module 14. The client component distribution module 11 can be connected to multiple client sources at once. When several clients each need to deliver a document to their respective application systems and have it signed and verified, each client first determines for itself whether it has a PKI component for its client type, because the PKI component is the main element that lets the client connect, through the application system, into the PKI authentication service system 1 for authentication. Client types on the market today are very diverse (Internet Explorer, Firefox, Google Chrome and so on), and different client types need different PKI components, so when a client finds that it has no matching PKI component it connects to the client component distribution module 11 in the PKI authentication service system 1 to retrieve, download and install the PKI component it needs; these PKI components can be built separately in advance and stored in the client component distribution module 11 for clients to download and install. The application system type may be PHP, ASP, ASP.NET, Java and so on.
The management module 12 can be connected to multiple application systems; it determines and selects the certificate authority (CA) and verification procedure applicable to each connected application system, so that when authentication is to be performed it is carried out according to the CA and verification procedure the management module 12 has found. Through the management module 12 the parameters of multiple CAs can be registered, for example the CA certificate file, the URL of the Online Certificate Status Protocol (OCSP) responder, the URL of the Certificate Revocation List (CRL) and its download period; the verification procedures and requirements of the various application systems can also be configured, for example which CAs an application system trusts, whether OCSP or CRL is used during verification, which verification steps apply to each certificate class, and which certificate fields must be specially checked.
The common verification module 13 verifies a signed document according to the CA and verification procedure found by the management module 12, for example checking whether the document has been tampered with, whether the customer's certificate was issued by a trusted CA, the certificate's status via OCSP or CRL, and whether the certificate meets a given assurance level; it finally produces the corresponding verification result and sends it to the application system to notify it whether verification passed. The evidence module 14 stores the verification result information and all the information about the signed documents handled during the authentication process.

Please refer to Fig. 2, a block diagram of an implementation of the PKI authentication service system of the invention. As shown, a first client 31 is connected to a first PKI security device 21, and a second client 32 to a second PKI security device 22. When the first client 31 wants to send a document to a first application system 41, the first PKI security device 21 turns the document into a first signed document 311, which is sent to the first application system 41, and the first application system 41 has the first signed document 311 verified. Likewise, when the second client 32 wants to send another document to a second application system 42, the second PKI security device 22 turns that document into a second signed document 321, which is sent to the second application system 42, and the second application system 42 has the second signed document 321 verified.
First, if the first client 31 and the second client 32 do not have a PKI component for their own type installed, each client is automatically directed to the client component distribution module 11 of the PKI authentication service system 1, downloads the PKI component suited to its type (labelled 312 and 322) from the client component distribution module 11 and installs it so as to support the authentication procedure. After the first application system 41 and the second application system 42 have received the first signed document 311 and the second signed document 321 respectively, they forward them to the common verification module 13 in the PKI authentication service system 1 in preparation for verification. Because multiple CA parameters and the various verification requirements were registered in the management module 12 beforehand, the management module 12 first examines the first application system 41 and the second application system 42 to select the CA and verification requirements suited to each; in this embodiment the first application system 41 uses a first certificate authority 51 and the second application system 42 uses a second certificate authority 52. Since the common verification module 13 is already connected to each certificate authority (CA), when it receives the first signed document 311 and the second signed document 321 it has the first signed document 311 verified through certificate authority 51 and the second signed document 321 through certificate authority 52, together with the associated procedures, according to the CA class and the certificate verification requirements and procedures the management module 12 selected earlier.
It finally obtains the respective verification results and returns the results for the first signed document 311 and the second signed document 321 to the first application system 41 and the second application system 42 respectively, informing them whether authentication passed, and stores these verification results, the signed documents and the authentication processing history in the evidence module 14 of the PKI authentication service system 1 as a backup, which can later be produced as evidence.

To set out the whole process more clearly, please refer to Fig. 3, a flowchart of the PKI authentication service method of the invention. The steps are as follows. First, in step S11, a client already connected to a PKI security device connects to an application system to obtain the application service; there may be several clients of different types, and the application systems they connect to may also use or trust certificate authorities (CAs) from various providers. Next, in step S12, the client determines for itself whether the PKI component for its client type is missing; if it is not installed, step S13 is performed: the client automatically connects to a client component distribution module of a PKI authentication service system to locate and install the PKI component for its client type; if a supported PKI component is already present, the method proceeds directly to step S14. Next, in step S14, each client uses the PKI component for its own type to operate its own PKI security device, signs the document to be sent, producing its own signed document, and sends the signed documents to the corresponding application systems.
Next, in step S15, having received their respective signed documents, the application systems forward them to the common verification module in the PKI authentication service system. Next, in step S16, a management module connects to the application systems and looks up the certificate authority (CA) and verification procedure applicable to each. Next, in step S17, after receiving the signed documents, the common verification module verifies each according to the CA and verification procedure the management module found for the corresponding application system, produces the respective verification results and sends them to the respective application systems to notify them whether the signed document passed verification. Finally, in step S18, the evidence module of the PKI authentication service system stores these verification results, the signed documents and the authentication processing history as a backup, which can later be produced as evidence.
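Steps S16 to S18 above (look up the application's CA and verification procedure, verify the signed document against that CA, return and record the result), together with the checks the common verification module 13 is described as performing (tampering, issuance by a trusted CA, revocation status via CRL), can be exercised end to end with the Go standard library. The following is an added example written for this page, not code from the patent or from Chunghwa Telecom; everything in it is constructed: the `Policy` struct standing in for what the management module registers, the application ids "payroll" and "hr", the root CA, the two user certificates with serials 1001 and 1002, the CRL, the sample document, and the choice of ECDSA over SHA-256 as the signature scheme (the patent specifies no algorithm or signature format, and the OCSP path it also mentions is not shown).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy is what the management module registers per application (an assumption of this example).
type Policy struct {
	Roots *x509.CertPool       // the CAs this application trusts
	CRL   *x509.RevocationList // the CRL last fetched from the CA's registered CRL URL
}

// Verify plays the common verification module for one signed document; nil means verified.
func Verify(reg map[string]*Policy, app string, doc, sig, certDER []byte) error {
	pol, ok := reg[app] // the management module's lookup of the application's procedure
	if !ok {
		return errors.New("application not registered")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("unparseable certificate: %w", err)
	}
	// 1. The signer's certificate must chain to a CA this application trusts and be within validity.
	opts := x509.VerifyOptions{Roots: pol.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("issuer not trusted by application: %w", err)
	}
	// 2. Revocation status from the CRL registered for this CA (the OCSP path is not shown).
	for _, rc := range pol.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	// 3. Tamper check: the signature must verify over the document bytes exactly as received.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature does not match document: %w", err)
	}
	return nil
}

func must[T any](v T, err error) T { // aborts scenario setup on an unexpected error
	if err != nil {
		panic(err)
	}
	return v
}

// sign does what the client's PKI security device does here: ECDSA over SHA-256 of the document.
func sign(key *ecdsa.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// RunScenario builds a constructed root CA, two user certificates (one revoked), a CRL and
// one registered application, then verifies four submissions and returns each outcome.
func RunScenario() map[string]error {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, userKey, revKey := newKey(), newKey(), newKey()
	// issue creates a certificate for key, signed by caKey; a nil parent makes the self-signed root.
	issue := func(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: parent == nil}
		if parent == nil {
			parent = t
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, caKey))))
	}
	ca := issue(1, "Constructed Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, caKey)
	user := issue(1001, "user-1001", x509.KeyUsageDigitalSignature, ca, userKey)
	revoked := issue(1002, "user-1002", x509.KeyUsageDigitalSignature, ca, revKey)
	// The CRL the service would download periodically from the CA's registered CRL URL.
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey))))
	if err := crl.CheckSignatureFrom(ca); err != nil { // a fetched CRL is usable only if its CA signed it
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	reg := map[string]*Policy{"payroll": {Roots: roots, CRL: crl}}
	doc := []byte("constructed sample document: approve invoice 42")
	return map[string]error{
		"valid":        Verify(reg, "payroll", doc, sign(userKey, doc), user.Raw),
		"tampered":     Verify(reg, "payroll", append([]byte("X"), doc...), sign(userKey, doc), user.Raw),
		"revoked":      Verify(reg, "payroll", doc, sign(revKey, doc), revoked.Raw),
		"unregistered": Verify(reg, "hr", doc, sign(userKey, doc), user.Raw),
	}
}
```

`RunScenario` returns four outcomes keyed by case: the valid submission yields nil, the document altered in transit fails the signature check, the revoked signer is caught by the CRL before the signature is even examined, and an application that never completed the registration of steps S21 and S22 gets no verification at all. In the service the patent describes, the `Policy` would be filled from the registered CA certificate file and a CRL downloaded on the registered period; the CRL's own signature is checked against that CA before it is relied on, as the example does with `CheckSignatureFrom`. Wrap `RunScenario` in a `main` or a test to run it.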

However, before a client can use the PKI authentication service of the invention, the steps shown in Fig. 4 must first be carried out so that the management system holds the CA and verification procedure applicable to the application system. First, in step S21, the application system submits a registration application to the management module. Next, in step S22, the management module configures the CA and verification procedure applicable to that application system according to the data in its registration application; only after the registration application is completed does the application system begin serving that class of client.

The above is only a preferred embodiment of the invention and is not intended to limit the scope of its implementation; any modification or equivalent substitution that does not depart from the spirit and scope of the invention shall fall within the scope of protection of the claims of this application.

1: PKI authentication service system
11: client component distribution module
12: management module
13: common verification module
14: evidence module
21: first PKI security device
22: second PKI security device
31: first client
311: first signed document
312: first PKI component
32: second client
321: second signed document
322: second PKI component
41: first application system
42: second application system
51: first certificate authority
52: second certificate authority

Fig. 1 is a block diagram of the PKI authentication service system of the invention; Fig. 2 is a block diagram of an implementation of the PKI authentication service system of the invention; Fig. 3 is a flowchart of the PKI authentication service method of the invention; Fig. 4 is a flowchart of the registration application an application system must make before using the PKI authentication service method of the invention.


Claims (10)

Claims (10)

1. A public key infrastructure (PKI) authentication service system, comprising: a client component distribution module connected with at least one client, the client component distribution module storing a plurality of types of PKI components and distributing the PKI component corresponding to the client's type to that client according to its type, so that the client gains PKI operation capability; a management module connected with at least one application system, the management module determining and selecting the certificate authority (CA) and the verification procedure applicable to that application system; a common verification module connected with the management module and with at least one application system, the common verification module further being connected with a plurality of CAs so that, according to the verification procedure determined by the management module, it selects the applicable CA to verify a signed document awaiting verification, produces a verification result and returns it to the application system; and an evidence storage module connected with the common verification module, the evidence storage module storing the verification result and related information.

2. The PKI authentication service system of claim 1, wherein the verification procedure comprises the verification requirements of the application systems, the certificate checking rules, and the related parameters registered for the CAs.

3. The PKI authentication service system of claim 1, wherein the related information includes the signed document under verification and the signature record of the user's login to the application system.

4. The PKI authentication service system of claim 1, further comprising a PKI security device connected with the client in order to produce the signed document awaiting verification.

5. The PKI authentication service system of claim 1, wherein the related parameters of the CAs include the Uniform Resource Locator (URL) of the Online Certificate Status Protocol (OCSP) responder, the URL of the Certificate Revocation List (CRL), and the CRL download period.

6. A public key infrastructure (PKI) authentication service method, comprising at least the following steps: a client connects to an application system, and the client determines whether the PKI component corresponding to its client type is not yet installed; if the PKI component corresponding to the client type is not installed, the client automatically connects to a client component distribution module of a PKI authentication service system to locate the PKI component corresponding to the client type and installs it on the client; the client, through the PKI component for its client type, operates a PKI security device to sign a document and produce a signed document, and then transmits the signed document to the application system; after receiving the signed document, the application system transmits it to a common verification module of the PKI authentication service system; a management module connects with the application system and finds the certificate authority (CA) and verification procedure applicable to that application system; the common verification module verifies the signed document according to the CA and verification procedure that the management module found for the application system, producing a verification result that is transmitted back to the application system to notify it whether the document passed verification; and an evidence storage module of the PKI authentication service system stores the verification result for backup or subsequent use.

7. The PKI authentication service method of claim 6, wherein before the client performs the PKI authentication service method, the following steps are performed first: the client submits a registration application to the management module; and the management module sets the CA and verification procedure applicable to the application system according to the data in the registration application, and only after the registration application is completed does the application system open its service to the client.

8. The PKI authentication service method of claim 6, wherein the verification procedure comprises the verification requirements of the application systems, the certificate checking rules, and the related parameters registered for the CAs.

9. The PKI authentication service method of claim 6, wherein the evidence storage module further stores related information, the related information including the signed document under verification and the signature record of the user's login to the application system.

10. The PKI authentication service method of claim 6, wherein the related parameters of the CAs include the Uniform Resource Locator (URL) of the Online Certificate Status Protocol (OCSP) responder, the URL of the Certificate Revocation List (CRL), and the CRL download period.
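The verification flow of claims 1 and 6 (management module chooses the CA and procedure per application system, the common verification module checks chain, revocation and signature, the evidence storage module records the outcome), written here as an added Go example; it is not code from the patent or from Chunghwa Telecom. The CA, signer certificate and document are constructed in-process, the CRL is modelled as a cached serial list with the download period of claim 5 (no OCSP or CRL URL is fetched), and the names Procedure, Registry, Verify, NewDemoPKI and Sign are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "crypto/x509"
	"crypto/x509/pkix"; "errors"; "fmt"; "math/big"; "time"
)
// Procedure is what the management module registers per application system (claims 2, 5):
// its trusted CA, that CA's CRL download period and cached CRL; Evidence stands in for claim 1's evidence storage module.
type Procedure struct {
	Roots      *x509.CertPool
	CRLFetched time.Time       // last download of the CA's CRL (constructed, never fetched here)
	CRLPeriod  time.Duration   // registered CRL download period
	Revoked    map[string]bool // serials listed in the cached CRL
	Evidence   []string        // stored verification results
}
var Registry = map[string]*Procedure{} // application system name -> procedure (assumed name)
// Verify is the common verification module: use the CA registered for app, check chain, CRL freshness, revocation, then the signature.
func Verify(app string, doc, sig, certDER []byte) (err error) {
	p := Registry[app]
	if p == nil { return errors.New("application system not registered") }
	defer func() { p.Evidence = append(p.Evidence, fmt.Sprintf("%s ok=%t", app, err == nil)) }()
	cert, perr := x509.ParseCertificate(certDER)
	if perr != nil { return perr }
	if _, err = cert.Verify(x509.VerifyOptions{Roots: p.Roots}); err != nil { return err } // not issued by this app's CA
	if time.Since(p.CRLFetched) > p.CRLPeriod { return errors.New("cached CRL is stale") }
	if p.Revoked[cert.SerialNumber.String()] { return errors.New("signer certificate revoked") }
	h := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), h[:], sig) { return errors.New("bad signature") }
	return nil
}
// NewDemoPKI builds a constructed CA and signer certificate (not a real CA), registers app with that CA and returns the signer's key and certificate DER.
func NewDemoPKI(app string) (*ecdsa.PrivateKey, []byte) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "user"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, &key.PublicKey, caKey)
	pool := x509.NewCertPool(); pool.AddCert(caCert)
	Registry[app] = &Procedure{Roots: pool, CRLFetched: now, CRLPeriod: 24 * time.Hour, Revoked: map[string]bool{}}
	return key, der
}
// Sign plays the client-side PKI component and security device: sign the SHA-256 digest of doc.
func Sign(key *ecdsa.PrivateKey, doc []byte) []byte { h := sha256.Sum256(doc); s, _ := ecdsa.SignASN1(rand.Reader, key, h[:]); return s }
```

Registering a second application system with its own NewDemoPKI call gives it a different CA, so a signature accepted for one application system fails chain verification under the other; that is the per-application CA selection the management module performs.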
TW101150882A 2012-12-28 2012-12-28 PKI authentication service system and method TWI475865B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW101150882A TWI475865B (en) 2012-12-28 2012-12-28 PKI authentication service system and method

Publications (2)

Publication Number Publication Date
TW201427367A true TW201427367A (en) 2014-07-01
TWI475865B TWI475865B (en) 2015-03-01

Family

ID=51725797

Country Status (1)

Country Link
TW (1) TWI475865B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001031841A1 (en) * 1999-10-27 2001-05-03 Visa International Service Association Method and apparatus for leveraging an existing cryptographic infrastructure
US20030074555A1 (en) * 2001-10-17 2003-04-17 Fahn Paul Neil URL-based certificate in a PKI
TWI252664B (en) * 2004-03-05 2006-04-01 Chunghwa Telecom Co Ltd System and method for applying network electronic certification
US20060168444A1 (en) * 2005-01-21 2006-07-27 International Business Machines Corporation Generic PKI framework
TWI432040B (en) * 2010-06-23 2014-03-21 Ind Tech Res Inst Authentication method, authentication and key distribution method and key distribution method

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees