TW201545525A - System for managing certificate and method thereof - Google Patents


Info

Publication number
TW201545525A
Authority
TW
Taiwan
Prior art keywords
voucher
local
credential
gateway
proxy server
Prior art date
Application number
TW103119138A
Other languages
Chinese (zh)
Other versions
TWI551105B (en)
Inventor
Hung-Yi Tu
Tzu-Ching Lien
Original Assignee
Taiwan Ca Inc
Application filed by Taiwan Ca Inc
Priority to TW103119138A
Publication of TW201545525A
Application granted
Publication of TWI551105B

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

A system for managing a certificate and a method thereof are provided. A certificate managing software executing on a local device verifies a user via a server; after the user passes the verification, the server generates a status beacon based on remote certificate information stored in the server and local certificate information stored in the local device; and, after receiving the status beacon sent from the server, the certificate managing software helps the user to operate according to the status beacon. The system and the method thereby achieve the effect of changing from using a browser to using certificate managing software executing on a local device to manage certificates.

Description

System and method for managing certificates

A certificate management system and method thereof, and in particular a system and method for managing certificates through a proxy server and a gateway.

An electronic certificate, also called a digital certificate, is an identity identification mechanism used in computer systems. An electronic certificate is a signature that a certification authority places on a digital identity card; this act indicates that the certification authority has recognized the user holding the digital identity card. An electronic certificate is one computer file or a set of files that records the holder's identity data together with a public key. The holder of an electronic certificate can authenticate themselves to a computer system and thereby access or use a particular computer service.

In the early days, network security received less attention than it does now and the software execution environment of computers was relatively simple; moreover, systems built with a browser and web pages had the advantages of being easy to use and requiring no additional software on the client side. Computer services that must be accessed or used with an electronic certificate were therefore mostly provided as web pages with an attached security plug-in component, meaning that when users access or use these services, they apply for, renew and query certificates and use other related services on a remote server through the browser.

However, as network security has received growing attention in recent years, browsers have imposed ever stricter security requirements and checks on the web pages and plug-in components running on them; restrictions have increased sharply and support has declined. Combined with increasingly complex execution environments on users' computers, the certificate application, renewal, query and other related operations that used to run smoothly now fail far more often, which causes trouble for users.

In summary, the prior art has long suffered from the problem that the browser may restrict certificate management operations, so it is necessary to propose an improved technical means to solve it.

In view of the prior-art problem that a browser may restrict certificate management operations, the present invention discloses a system for managing certificates and a method thereof, wherein:

The system for managing certificates disclosed by the present invention comprises at least: a network module, connected to a proxy server, the proxy server being connected to a gateway; a login module, for providing input of identification data, for transmitting the identification data through the network module and the proxy server to the gateway so that the gateway performs a login operation, and for receiving the login result returned by the gateway; a certificate processing module, for reading on the local device, when the login result indicates a successful login, the local certificate information of the local certificate corresponding to the identification data, and for transmitting that local certificate information through the network module and the proxy server to the gateway; and a status guide module, for receiving through the network module the status guide (the "status beacon" of the abstract) that the gateway returns through the proxy server after comparing the local certificate information with the remote certificate information of a remote certificate corresponding to the identification data, and for guiding operation of the certificate management software according to that status guide.

The method for managing certificates disclosed by the present invention comprises at least the steps of: connecting the gateway with the proxy server; the certificate management software providing input of identification data; the certificate management software transmitting the identification data through the proxy server to the gateway so that the gateway performs a login operation; the gateway returning the login result to the certificate management software; when the login result indicates a successful login, the certificate management software reading the local certificate information of the local certificate stored on the local device and transmitting that local certificate information through the proxy server to the gateway; the gateway reading the remote certificate information of the remote certificate corresponding to the identification data; the gateway generating a status guide according to the local certificate information and the remote certificate information and transmitting the status guide through the proxy server to the certificate management software; and the certificate management software guiding operation according to the status guide.

The system and method disclosed by the present invention are as described above. They differ from the prior art in that the present invention provides user login through certificate management software executed on the local device and, after the gateway has obtained the local certificate information and the remote certificate information, generates a status guide from the two to guide the user in operating the certificate management software. This solves the problem of the prior art and achieves the technical effect of performing certificate management operations with certificate management software that runs independently on the local device.

The features and embodiments of the present invention are described in detail below with reference to the drawings and embodiments. The content is sufficient to let anyone skilled in the relevant art readily understand the technical means the present invention applies to solve the technical problem and to implement them accordingly, thereby realizing the effects the present invention can achieve.

The present invention allows a user to perform management operations on the user's own certificates through certificate management software executed on the local device, for example applying for a certificate, querying the status of the certificate locally and on the server, renewing the certificate and changing the certificate password, although the invention is not limited to these. The present invention can even import the certificate into a browser automatically.

The network architecture of the present invention is first explained with reference to FIG. 1. A user operates a local device 200 on which the certificate management software 210 of the present invention runs. The local device 200 connects through a network to a financial channel 100, and the financial channel 100 in turn connects through a network to a certificate server 410 located at the certificate management center. The financial channel 100 contains at least a proxy server 110, a certificate registration server (RA) 130, a security control server (Secure Server) 150 and a gateway 170.

The proxy server 110 is connected to the local device 200 and to the gateway 170.

The certificate registration server 130 is connected to the gateway 170 and to the certificate server 410 and is responsible for storing the user's certificate and the certificate information of that certificate. In the present invention, the certificate and the certificate information stored by the certificate registration server 130 are called the "remote certificate" and the "remote certificate information" respectively.

The certificate registration server 130 is also responsible for providing, through the certificate server 410, the various certificate-related services such as certificate application, renewal, update, revocation, query, download and registration, although the invention is not limited to these.

In addition, the certificate registration server 130 provides a login interface through which the login operation is performed with the user's identification data supplied by the gateway 170, and it returns the login result to the gateway 170. In some embodiments the user's identification data comprises an account and a password. The certificate registration server 130 can check whether the account in the identification data exists and compare whether the password corresponding to that account matches the password in the identification data. If the account exists and the corresponding password matches the password in the identification data, the certificate registration server 130 generates a login result indicating a successful login; if the account does not exist, or the corresponding password differs from the password in the identification data, it generates a login result indicating a failed login.

The security control server 150 is connected to the gateway 170 and is responsible for providing the security control mechanisms related to certificates, for example signing, signature verification, and encryption and decryption operations, although the operations performed by the security control server 150 are not limited to these.

The gateway 170 is connected to the proxy server 110, the certificate registration server 130 and the security control server 150, and is responsible for storing the version information of the certificate management software 210.

The gateway 170 is also responsible for controlling the user's login. After receiving the user's identification data transmitted by the certificate management software 210 of the local device 200, the gateway 170 performs the login operation through the login interface provided by the certificate registration server 130 and returns the login result from the certificate registration server 130 to the certificate management software 210 through the proxy server 110. The login result that the gateway 170 returns to the certificate management software 210 may indicate either a successful or a failed login.

The gateway 170 is further responsible for generating the status guide. The gateway 170 receives the certificate information that the certificate management software 210 of the local device 200 transmits through the proxy server 110. In the present invention the local device 200 also stores a certificate and its certificate information, called the "local certificate" and the "local certificate information" respectively; the local certificate stored on the local device 200 and the remote certificate stored on the certificate registration server 130 correspond to the same user's identification data.

After receiving the local certificate information, the gateway 170 obtains through the certificate registration server 130 the remote certificate information that corresponds to the same user's identification data as the local certificate information, and generates the status guide from the local certificate information and the remote certificate information. For example, the gateway 170 can determine whether the local certificate information and the remote certificate information are identical. If not, the gateway 170 can then determine whether the certificate management software 210 of the local device 200 issued a request to update the local certificate but failed to store the updated certificate on the local device 200; if so, the status guide generated by the gateway 170 can contain a message prompting the user to download the updated certificate. If not, that is, if the mismatch between the local and remote certificate information is not because the updated certificate was never stored on the local device 200, the status guide generated by the gateway 170 usually contains a message prompting the user to contact an administrator, although the invention is not limited to this. In this way, when the local certificate information differs from the remote certificate information, the user can follow the status guide generated by the gateway 170 to operate the certificate management software 210 to update the local certificate, or to update both the local and the remote certificate, so that the local certificate information and the remote certificate information stay identical.

If the local certificate information is identical to the remote certificate information, the gateway 170 can further determine whether the difference between the expiry time of the local certificate indicated by the local certificate information and the current time is below a predetermined value, that is, whether the local certificate is about to expire. If not, that is, the local certificate is not about to expire, the status guide generated by the gateway 170 can contain messages offering a certificate password change operation, a local certificate information query and a remote certificate information query; if the local certificate is about to expire, the status guide generated by the gateway 170 additionally contains a message offering a certificate renewal operation.

In addition, after receiving, through the proxy server 110, the signature of the local certificate to be renewed transmitted by the certificate management software 210 of the local device 200, the gateway 170 can forward the received signature to the security control server 150 for verification and receive the verification result returned by the security control server 150. If the verification result indicates that the signature is valid, the gateway 170 can extend the validity period of the certificate through the certificate registration server 130 and thereby complete the certificate renewal operation. If the verification result indicates that the signature failed verification, the gateway 170 does not continue the certificate renewal operation.

The gateway 170 can also, after receiving a certificate application request transmitted by the certificate management software 210 of the local device 200 through the proxy server 110, apply for a certificate through the certificate registration server 130 to complete the certificate application operation. The gateway 170 can further, after receiving a certificate password change request transmitted by the certificate management software 210 through the proxy server 110, change the certificate's password through the certificate registration server 130 to complete the password change operation.

Moreover, in some embodiments the local device 200 and the gateway 170 can be connected directly rather than necessarily through the proxy server 110; in other words, the proxy server 110 is not essential to the present invention. In that case data can be passed directly between the local device 200 and the gateway 170 without going through the proxy server 110.

Next, the operation of the system of the present invention is explained with reference to FIG. 2, the system architecture diagram of the system for managing certificates of the present invention. As shown in FIG. 2, the system of the present invention is applied in the certificate management software 210 and mainly comprises a network module 211, a login module 212, a certificate processing module 213 and a status guide module 215, together with an optional software update module 217 and certificate import module 219.

The network module 211 is connected to the proxy server 110. In the present invention, the network module 211 sends data to the proxy server 110 and receives data from the proxy server 110; even the data exchanged between the network module 211 and the gateway 170 is relayed through the proxy server 110.

The login module 212 is responsible for providing input of identification data and for transmitting the entered identification data through the network module 211 to the gateway 170 so that the gateway 170 performs the login operation through the certificate registration server 130. The login module 212 is also responsible for receiving, through the network module 211, the login result returned by the gateway 170.

The certificate processing module 213 is responsible for reading, from the storage medium 240 of the local device 200, the local certificate information of the local certificate corresponding to the identification data entered through the login module 212 when the login result received by the login module 212 indicates a successful login.

The certificate processing module 213 is also responsible for transmitting the local certificate information through the network module 211 to the gateway 170 when the login result received by the login module 212 indicates a successful login, so that the gateway 170 can generate the status guide from the local certificate information and the remote certificate information.

When no local certificate can be read, the certificate processing module 213 can carry out a certificate application operation with the gateway 170 through the network module 211 and the proxy server 110.

The certificate processing module 213 can also provide input of the local certificate's password and open the local certificate with the entered password.

The status guide module 215 is responsible for receiving, through the network module 211, the status guide returned by the gateway, and for guiding operation of the certificate management software according to it. For example, when the status guide contains a message prompting the user to download the updated certificate, the status guide module 215 can guide the user to perform a certificate download in the certificate management software 210 so as to update the local certificate; when the status guide contains a message prompting the user to contact an administrator, the status guide module 215 can guide the user to contact an administrator so that the local and remote certificates are updated; and when the status guide contains messages offering a certificate password change operation, a local certificate information query, a remote certificate information query or a certificate renewal operation, the status guide module 215 can guide the user to change the certificate password, query the local or remote certificate information, or renew the certificate in the certificate management software 210.

The software update module 217 can obtain, through the network module 211 and the proxy server 110, the version information of the certificate management software 210 stored on the gateway 170. In the present invention the version information stored by the gateway 170 is that of the latest version of the certificate management software 210.

The software update module 217 can also read the version information of the certificate management software 210 currently executing on the local device 200 and compare whether the latest version information obtained from the gateway 170 is the same as the current version information read out; if it is, the software update module 217 performs no software update. When the latest version information differs from the current version information, the software update module 217 can connect through the network module 211 to the proxy server 110 or the gateway 170 to download the latest version of the certificate management software 210 and perform a software update, so that the certificate management software 210 executing on the local device 200 is updated to the latest version.

The certificate import module 219 can detect a browser 230 installed on the local device 200, and when the local certificate stored on the local device 200 changes, including but not limited to being newly added, renewed, updated or replaced, it can import the changed local certificate into the corresponding browser 230. In general, the certificate import module 219 can import the corresponding local certificate into the browser 230 through the application programming interface (API) provided by the browser 230, so that the browser 230 can use the updated local certificate.

The certificate import module 219 may detect the browser 230 installed on the local device 200 when the certificate management software 210 is executed, or only when the local certificate changes; the present invention places no particular restriction on this.

The operation of the system and method of the present invention is now explained with an embodiment, with reference to FIG. 3A, a flowchart of the method for managing certificates of the present invention. In this embodiment the financial channel 100 is assumed to be a securities firm, although the invention is not limited to this.

After the securities firm has set up the proxy server 110, the certificate registration server 130, the security control server 150 and the gateway 170, the gateway 170 is connected to the proxy server 110, the certificate registration server 130 and the security control server 150 (step 301).

After the user, operating the local device 200, has downloaded the certificate management software 210 of the present invention from the securities firm and executed it on the local device 200, the certificate management software 210 can display an operation interface on the local device 200 and wait for the user to enter identification data. In this embodiment it is assumed that the login module 212 of the certificate management software 210 lets the user enter identification data such as an account and password in the operation interface (step 310).

After the login module 212 of the certificate management software 210 has let the user enter the identification data (step 310), the login module 212 can transmit the identification data entered by the user to the gateway 170 through the network module 211 and the proxy server 110 (step 320). In this embodiment it is assumed that the login module 212 sends the entered identification data through the network module 211 to the proxy server 110, and the proxy server 110 forwards the identification data to the gateway 170.

After the gateway 170 receives the identification data transmitted by the certificate management software 210, the gateway 170 can perform the login operation on the received identification data through the connected certificate registration server 130 and return the login result produced by the completed login operation to the certificate management software 210 (step 330). In this embodiment it is assumed that the gateway 170 likewise passes the login result to the certificate management software 210 through the proxy server 110.

After the login module 212 of the certificate management software 210 has received, through the network module 211 of the certificate management software 210, the login result returned by the gateway 170, if the login result indicates that the identification data entered by the user can log in successfully, the certificate processing module 213 of the certificate management software 210 can read from the storage medium 240 of the local device 200 the certificate information of the local certificate corresponding to the identification data entered by the user (the local certificate information) and transmit the local certificate information read out to the gateway 170 through the network module 211 and the proxy server 110 (step 350). In this embodiment, as shown in the flow of FIG. 3B, after the network module 211 of the certificate management software 210 has received the login result returned by the gateway 170 (step 330), the login module 212 of the certificate management software 210 can determine whether the login result received by the network module 211 indicates a successful login (step 352). If not, the certificate management operations that the certificate management software 210 can offer the user remain closed, and the login module 212 again lets the user enter identification data (step 310).

If the login module 212 of the certificate management software 210 determines that the login result received by the network module 211 of the certificate management software 210 indicates a successful login, the certificate processing module 213 of the certificate management software 210 can then determine whether a local certificate exists in the storage medium 240 of the local end 200 (step 361). If so, the certificate processing module 213 can read the certificate information of the local certificate (the local certificate information) (step 356) and transmit the local certificate information to the gateway 170 through the network module 211 and the proxy server 110 (step 358).

If no local certificate exists in the storage medium 240 of the local end 200, that is, no local certificate is stored at the local end 200, the status guidance module 215 of the certificate management software 210 can open the certificate application function of the certificate management operations (at this point the certificate management software 210 keeps the other functions of the certificate management operations closed), thereby guiding the user to apply for a certificate. After the user selects the certificate application operation, the certificate processing module 213 of the certificate management software 210 can let the user apply for a certificate (step 365). In this embodiment it is assumed that the certificate processing module 213 lets the user enter a password for the certificate and transmits the password entered by the user to the gateway 170 through the network module 211 of the certificate management software 210 and the proxy server 110, so that the gateway 170 can complete the certificate application through the certificate registration server 130.

After completing the certificate application, the gateway 170 can transmit the certificate that was applied for to the proxy server 110. The proxy server 110 can store the received certificate and forward it to the certificate management software 210, so that the certificate processing module 213 of the certificate management software 210 receives, through the network module 211 of the certificate management software 210, the certificate returned by the gateway 170 via the proxy server 110. After receiving the certificate, the certificate processing module 213 can store it in the storage medium 240 of the local end 200 (step 367); the stored certificate thereby becomes the local certificate. The certificate processing module 213 can then transmit the local certificate information to the gateway 170 through the network module 211 and the proxy server 110 (step 358).

Returning to Figure 3A, after the gateway 170 receives the local certificate information transmitted by the certificate management software 210 of the local end 200 through the proxy server 110, the gateway 170 can obtain, through the certificate registration server 130, the remote certificate information that corresponds to the same user identification data as the received local certificate information, generate a status guide based on the local certificate information and the remote certificate information, and transmit the generated status guide to the certificate management software 210 through the proxy server 110 (step 370). In this embodiment, if the gateway 170 determines that the local certificate information differs from the remote certificate information, the gateway 170 can determine, from the local certificate information, the remote certificate information and possibly other related information, whether the local certificate failed to be stored in the storage medium 240 of the local end 200 after an update request was sent. If so, the status guide generated by the gateway 170 can include a message prompting the user to download the local certificate; if the reason the local certificate information and the remote certificate information differ is not that the updated local certificate was not correctly stored in the storage medium 240, the status guide generated by the gateway 170 includes a message prompting the user to contact an administrator.

If the gateway 170 determines that the local certificate information is identical to the remote certificate information, the gateway 170 can further determine whether the local certificate is about to expire, that is, whether the difference between the expiry time of the local certificate and the current time is below a predetermined value, for example less than one month. If not, that is, the local certificate is not about to expire, the status guide generated by the gateway 170 can offer the functions of the certificate management operations other than certificate application and certificate renewal, for example certificate query and password change, so that the user can manage the certificate.

If the local certificate is about to expire, that is, the difference between the expiry time of the local certificate and the current time is below the predetermined value, the status guide generated by the gateway 170 can offer the functions of the certificate management operations other than certificate application, namely certificate renewal, certificate query, password change and so on.
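The gateway-side decision of step 370, with the no-local-certificate case of steps 361 and 365 folded in, as an added example in Python. This is illustrative code written for this page, not code from the patent or from Taiwan-CA. The field set of CertInfo (a SHA-256 fingerprint of the DER certificate plus its validity window), the Feature and Message names, the use of a later not_before on the remote certificate to recognise an update that was issued but never stored on the client, and the handling of an already-expired certificate are all assumptions: the description only speaks of "certificate information" and "other related information" and does not cover the expired case.

```python
"""Gateway-side status guide for the certificate management flow of this patent.

Added example written for this page; it is not code from the patent or from
Taiwan-CA. It models steps 361/365 (no local certificate) and step 370 (compare
local and remote certificate information, then tell the client what to do and
which certificate-management functions to open).
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, Optional


class Feature(Enum):
    """Certificate-management functions the client may open (assumed names)."""
    APPLY = "certificate application"
    RENEW = "certificate renewal"
    QUERY = "certificate query"
    CHANGE_PASSWORD = "certificate password change"


class Message(Enum):
    """Prompts the status guide can carry (assumed names)."""
    NONE = "no action required"
    APPLY = "apply for a certificate"
    DOWNLOAD = "download the updated certificate"
    CONTACT_ADMIN = "contact an administrator"


@dataclass(frozen=True)
class CertInfo:
    """'Certificate information' as exchanged between client and gateway.

    The field set is an assumption; the description does not define it.
    fingerprint: hex SHA-256 of the DER-encoded certificate.
    not_before / not_after: validity window as timezone-aware datetimes.
    """
    fingerprint: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class StatusGuide:
    message: Message
    features: FrozenSet[Feature]


def fingerprint_of(der: bytes) -> str:
    """Identity of a certificate: SHA-256 over its DER bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def generate_status_guide(local: Optional[CertInfo],
                          remote: CertInfo,
                          now: datetime,
                          renewal_window: timedelta = timedelta(days=30)) -> StatusGuide:
    """Step 370: derive the status guide from local and remote certificate info.

    renewal_window is the 'predetermined value' of the description; the one
    month given there as an example is the default.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")

    # Steps 361/365: nothing stored locally, so only certificate application
    # is opened and every other function stays closed.
    if local is None:
        return StatusGuide(Message.APPLY, frozenset({Feature.APPLY}))

    if local.fingerprint != remote.fingerprint:
        # Assumption: a remote certificate issued after the local one means an
        # update was issued but never stored on the client, so the client is
        # told to download it. Any other mismatch is escalated to a person;
        # no management function is opened until the two copies agree.
        if remote.not_before > local.not_before:
            return StatusGuide(Message.DOWNLOAD, frozenset())
        return StatusGuide(Message.CONTACT_ADMIN, frozenset())

    remaining = local.not_after - now
    if remaining <= timedelta(0):
        # Assumption: the description does not cover an already-expired
        # certificate; treating it like a mismatch is the conservative choice.
        return StatusGuide(Message.CONTACT_ADMIN, frozenset())

    # Local and remote agree. Renewal is opened only inside the renewal
    # window; application is never opened while a certificate exists.
    if remaining < renewal_window:
        return StatusGuide(Message.NONE, frozenset(
            {Feature.RENEW, Feature.QUERY, Feature.CHANGE_PASSWORD}))
    return StatusGuide(Message.NONE, frozenset(
        {Feature.QUERY, Feature.CHANGE_PASSWORD}))


if __name__ == "__main__":
    # Constructed sample data, not real certificates.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    current = CertInfo(fingerprint_of(b"constructed-der-1"),
                       now - timedelta(days=300), now + timedelta(days=65))
    reissued = CertInfo(fingerprint_of(b"constructed-der-2"),
                        now - timedelta(days=1), now + timedelta(days=364))
    print(generate_status_guide(None, current, now))
    print(generate_status_guide(current, current, now))
    print(generate_status_guide(current, current, now + timedelta(days=40)))
    print(generate_status_guide(current, reissued, now))
```

The client (step 380) only has to open the functions named in `features` and show `message`; keeping the decision on the gateway, as the claims do, means the client cannot open renewal or application on its own, and comparing fingerprints rather than subject names catches a stale local copy even when the subject is unchanged.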

After the status guidance module 215 of the certificate management software 210 receives, through the network module 211, the status guide transmitted by the gateway 170, the status guidance module 215 can guide the user in operating the certificate management software 210 according to the received status guide (step 380).

In this embodiment, if the status guide contains a message prompting the user to download the updated certificate, the status guidance module 215 can guide the user to perform the certificate download operation in the certificate management software 210. After the user does so, the network module 211 can download the remote certificate from the gateway 170 and store the downloaded remote certificate in the storage medium 240 of the local end 200 as the local certificate, thereby completing the update of the local certificate. If the status guide contains a message prompting the user to contact an administrator, the status guidance module 215 can guide the user to contact the administrator by telephone, e-mail or instant messaging so that the local certificate and the remote certificate are both updated, that is, replaced at the same time.

When the status guide offers the certificate browsing, certificate password change and certificate renewal operations, the status guidance module 215 can guide the user to open the certificate, change the certificate password or renew the certificate in the certificate management software 210. When the user opens the certificate, the certificate processing module 213 can prompt the user for the password of the local certificate and open the certificate with it; when the user changes the certificate password, the certificate processing module 213 can prompt the user for the password of the local certificate and transmit the password entered by the user to the gateway 170 through the network module 211 and the proxy server 110, so that the gateway 170 completes the certificate password change through the certificate registration server 130.

When the user, guided by the status guidance module 215, performs certificate renewal, the certificate processing module 213 can prompt the user for the password of the local certificate to be renewed and transmit the password entered by the user to the gateway 170 through the network module 211 and the proxy server 110, so that the gateway 170 completes the certificate renewal through the security server 150 and the certificate registration server 130. Afterwards the gateway 170 can transmit the extended validity period to the proxy server 110. The proxy server 110 can update the certificate information of the renewed certificate (the remote certificate information) according to the received validity period and forward the received extended validity period to the certificate management software 210, so that the certificate processing module 213 of the certificate management software 210 receives, through the network module 211 of the certificate management software 210, the extended validity period returned by the gateway 170 via the proxy server 110.

After receiving the extended validity period, the certificate processing module 213 can update the local certificate information accordingly and can read, through the network module 211, the remote certificate information of the remote certificate stored on the proxy server 110. At the same time the status guidance module 215 closes the certificate renewal function of the certificate management software 210, so that in the certificate management software 210 the certificate management functions other than certificate application and certificate renewal remain open.

In addition, as shown in the flow of Figure 3C, the certificate import module 219 of the certificate management software 210 can detect the browsers installed on the local end 200 (step 391) and determine whether a detected browser supports certificate import; if not, the certificate import module 219 does not perform a certificate import. If a browser detected by the certificate import module 219 supports certificate import, then when the certificate import module 219 detects a change to the local certificate, for example when the user applies for a new local certificate, the user renews the validity period of the local certificate, or the local certificate is replaced by the user, the certificate import module 219 can import the changed local certificate into that browser through the application programming interface the browser provides (step 395).

Furthermore, as shown in the flow of Figure 3D, after the certificate management software 210 is executed on the local end 200, the software update module 217 of the certificate management software 210 can obtain the latest version information stored on the gateway 170 through the network module 211 of the certificate management software 210 and the proxy server 110 (step 307), and can read the current version information stored in the storage medium 240 of the local end 200. When the software update module 217 determines that the latest version information it obtained differs from the current version information it read, it can download the latest version of the certificate management software 210 through the network module 211 (step 309). In this embodiment it is assumed that the software update module 217 downloads the latest version of the certificate management software 210 from the gateway 170 through the network module 211 and the proxy server 110.

In this way, after executing the certificate management software 210 of the present invention on the local end 200, the user can manage the certificates the user holds.

In summary, the difference between the present invention and the prior art is that certificate management software executed on the local end, after the user logs in, transmits the local certificate information to the gateway, so that the gateway, having obtained the local certificate information and the remote certificate information, generates a status guide based on both and thereby guides the user in operating the certificate management software. This technical means solves the problem in the prior art that a browser may restrict certificate management operations, and thereby achieves the technical effect of performing certificate management with certificate management software that runs independently on the local end.

Moreover, the certificate management method of the present invention can be implemented in hardware, in software, or in a combination of hardware and software, and can be implemented in a centralized manner in one computer system or in a distributed manner with different elements spread over several interconnected computer systems.

Although embodiments of the present invention are disclosed above, the description is not intended to directly limit the scope of patent protection of the present invention. Any modification to the form and details of the implementation of the present invention made by a person of ordinary skill in the art to which the present invention pertains, without departing from the spirit and scope disclosed by the present invention, falls within the scope of patent protection of the present invention. The scope of patent protection of the present invention is defined by the appended claims.

Reference numerals

100: financial channel
110: proxy server
130: certificate registration server
150: security server
170: gateway
200: local end
210: certificate management software
211: network module
212: login module
213: certificate processing module
215: status guidance module
217: software update module
219: certificate import module
230: browser
240: storage medium
410: certificate server

Steps

301: connect the gateway and the proxy server
307: the certificate management software obtains, through the proxy server, the latest version information stored on the gateway
309: when the latest version information differs from the current version information, the certificate management software downloads its latest version
310: the certificate management software prompts for identification data
320: the certificate management software transmits the identification data to the gateway through the proxy server
330: the gateway performs the login operation and returns the login result to the certificate management software
350: when the login result indicates a successful login, the certificate management software reads the local certificate information of the local certificate stored at the local end and transmits it to the gateway through the proxy server
352: does the login result indicate a successful login?
356: read the local certificate information
358: transmit the local certificate information
361: does a local certificate exist?
365: offer application for a local certificate
367: store the local certificate
370: the gateway reads the remote certificate information of the remote certificate corresponding to the identification data, generates a status guide based on the local certificate information and the remote certificate information, and transmits the status guide to the certificate management software through the proxy server
380: the certificate management software provides guided operation according to the status guide
391: the certificate management software detects the browsers installed on the local end
395: when the local certificate changes, the certificate management software imports the changed local certificate into the corresponding browser

Figure 1 is the network architecture diagram of the present invention. Figure 2 is the system architecture diagram of the certificate management system of the present invention. Figure 3A is the flow chart of the certificate management method of the present invention. Figure 3B is the detailed flow chart of certificate management in the present invention. Figure 3C is the flow chart of the additional method of importing a certificate into a browser in the present invention. Figure 3D is the flow chart of the additional software update method of the present invention.


Claims (10)

1. A system for managing certificates, applied to a certificate management software, the system comprising at least: a network module connected to a proxy server, the proxy server being connected to a gateway; a login module for prompting for identification data, transmitting the identification data to the gateway through the network module and the proxy server so that the gateway performs a login operation, and receiving a login result returned by the gateway; a certificate processing module for reading at the local end, when the login result indicates a successful login, local certificate information of a local certificate corresponding to the identification data, and transmitting the local certificate information to the gateway through the network module and the proxy server; and a status guidance module for receiving, through the network module, a status guide returned via the proxy server by the gateway after the gateway has compared the local certificate information with remote certificate information of a remote certificate corresponding to the identification data, and for guiding operation of the certificate management software according to the status guide.

2. The system for managing certificates of claim 1, further comprising a software update module for obtaining, through the network module and the proxy server, latest version information stored on the gateway, and for downloading the latest version of the certificate management software through the network module when the latest version information differs from current version information of the certificate management software.

3. The system for managing certificates of claim 1, wherein the status guidance module is further for guiding an application for the local certificate when the certificate processing module cannot read the local certificate.

4. The system for managing certificates of claim 1, wherein the certificate processing module prompts for the password of the local certificate and transmits the password to the gateway through the network module and the proxy server so that the gateway extends the validity period of the local certificate; prompts for the password of the local certificate and opens the local certificate; and prompts for a changed password for the local certificate and transmits the changed password to the gateway through the network module and the proxy server so that the gateway changes the password of the local certificate to the changed password.

5. The system for managing certificates of claim 1, further comprising a certificate import module for detecting browsers installed on the local end and, when the local certificate changes, importing the changed local certificate into the corresponding browser.

6. A system for managing certificates, comprising at least: a proxy server; a gateway connected to the proxy server; and a certificate management software connected to the proxy server, for transmitting entered identification data to the gateway through the proxy server so that the gateway performs a login operation to produce a login result, and, when the login result indicates a successful login, for reading at the local end local certificate information of a local certificate corresponding to the identification data, transmitting the local certificate information to the gateway through the proxy server, receiving a status guide returned by the gateway after the gateway has compared the local certificate information with remote certificate information of a remote certificate corresponding to the identification data, and guiding operation of the certificate management software according to the status guide.

7. The system for managing certificates of claim 6, wherein the certificate management software further detects browsers installed on the local end and, when the local certificate changes, imports the changed local certificate into the corresponding browser.

8. A method for managing certificates, comprising at least the following steps: connecting a gateway and a proxy server; a certificate management software prompting for identification data; the certificate management software transmitting the identification data to the gateway through the proxy server so that the gateway performs a login operation; the gateway returning a login result to the certificate management software; when the login result indicates a successful login, the certificate management software reading local certificate information of a local certificate stored at the local end and transmitting the local certificate information to the gateway through the proxy server; the gateway reading remote certificate information of a remote certificate corresponding to the identification data; the gateway generating a status guide based on the local certificate information and the remote certificate information and transmitting the status guide to the certificate management software through the proxy server; and the certificate management software guiding operation according to the status guide.

9. The method for managing certificates of claim 8, wherein the step of the gateway generating the status guide based on the local certificate information and the remote certificate information further comprises the gateway determining, from the local certificate information, whether the difference between the expiry time of the local certificate and the current time is below a predetermined value.

10. The method for managing certificates of claim 8, further comprising the steps of the certificate management software detecting browsers installed on the local end and, when the local certificate changes, importing the changed local certificate into the corresponding browser.
Application TW103119138A, filed 2014-05-30 (priority date 2014-05-30): System for managing certificate and method thereof. Granted as TWI551105B.

Publications:
TW201545525A, published 2015-12-01 (application publication)
TWI551105B, published 2016-09-21 (granted patent)

Family ID: 55407247

Cited by (1):
TWI694348B (priority 2019-01-14, published 2020-05-21), 臺灣網路認證股份有限公司: System for export and import certificate through multimedia file and method thereof (cited by examiner)

Cites (3):
US6324648B1 (priority 1999-12-14, published 2001-11-27), GTE Service Corporation: Secure gateway having user identification and password authentication (cited by examiner)
US7761703B2 (priority 2002-03-20, published 2010-07-20), Research In Motion Limited: System and method for checking digital certificate status (cited by examiner)
CN104025505B (priority 2011-12-31, published 2018-10-16), Intel: Methods, devices and systems for managing user authentication (cited by examiner)