TW201947434A - Application login method - Google Patents
- Publication number: TW201947434A (application TW107115111A)
- Authority
- TW
- Taiwan
- Prior art keywords
- token
- mobile device
- application
- stage
- cloud server
- Prior art date
Landscapes
- Telephonic Communication Services (AREA)
Abstract
Description
The present invention relates to a login method, and in particular to a login method for an application program (APP) on a mobile device.
With the spread of mobile devices such as smartphones, and their ever-increasing capabilities, enterprise-related applications (APPs) have multiplied as well. For applications offered by the financial industry (banks, for instance), not only must the user experience be considered, but customer privacy and security as required by financial regulations must also be addressed. How to provide an application login method that combines security with a good user experience has therefore become an important subject.
Accordingly, an object of the present invention is to provide an application login method with two-stage and fast-login features.
Thus, the application login method of the present invention is applicable to a mobile device and a cloud server, and includes steps (a) to (d).
In step (a), with the mobile device running an application in a first-stage login state, the mobile device transmits a decrypted first token (Token) and a user account to the cloud server, and destroys the first token.
In step (b), the cloud server, according to a comparison table, determines that the first token and the user account match and thereupon determines that the application has successfully logged in to a first-stage operating state; it returns a newly generated first token to the mobile device and updates the comparison table.
In step (c), with the mobile device running the application in a second-stage login state, the mobile device transmits the decrypted first token, the user account and a second-stage password to the cloud server.
In step (d), the cloud server, according to the comparison table, determines that the first token, the user account and the second-stage password match and thereupon determines that the application has successfully logged in to a second-stage operating state, and allows the application to remain in the second-stage operating state under a predetermined condition.
In some implementations, the application login method is further applicable to a push server and further includes steps (e) to (f).
In step (e), when the mobile device runs the application, it receives a device token (Device Token) from the push server.
In step (f), when the mobile device receives the first token newly generated by the cloud server, the mobile device encrypts the first token according to the device token, stores the result in keychain data (KeyChain), and destroys the old first token.
In some implementations, in step (f), the mobile device feeds the device token (Device Token) into a predetermined hash function (Hash) to produce key name data (KeyName), derives a key from the device token with a secure hash algorithm (SHA), encrypts the first token (Token) with that key under the Advanced Encryption Standard (AES) to produce an encrypted first token (EnToken), and finally stores the key name data and the encrypted first token in the keychain data (KeyChain).
In some implementations, in step (a), the mobile device further feeds the device token (Device Token) into the predetermined hash function (Hash) to produce the key name data (KeyName), and reads from the keychain data (KeyChain) the encrypted first token (EnToken) corresponding to the key name data.
The mobile device also derives the key from the device token with the secure hash algorithm (SHA), and then decrypts the encrypted first token (EnToken) with that key under AES to produce the decrypted first token (Token).
In other implementations, the application login method further includes step (g): with the mobile device running the application in a first-stage registration state, the mobile device transmits a first-stage application message to the cloud server to obtain a first-stage authentication code generated by the cloud server, and then transmits the first-stage authentication code, the user account and a user password to the cloud server; when the cloud server confirms that the first-stage authentication code is correct, it stores the user account and the user password in the comparison table and determines that the application has registered successfully.
In some implementations, the application login method further includes step (h): when the mobile device runs the application and is in the first-stage login state for the first time, the mobile device transmits the user account and the user password to the cloud server; when the cloud server determines, according to the comparison table, that the user account and the user password match, it generates the first token (Token) and returns it to the mobile device.
In other implementations, the application login method is further applicable to an enterprise server, which stores an identity identification code and a mobile phone number associated with a user. The application login method then further includes step (i).
In step (i), with the mobile device running the application in a second-stage password-creation state, the mobile device transmits a second-stage application message to the cloud server to obtain a second-stage authentication code generated by the cloud server, and then transmits the second-stage password, the second-stage authentication code, the first token (Token), and the encrypted identity identification code and mobile phone number to the cloud server.
On receiving the second-stage password, the second-stage authentication code and the first token, the cloud server forwards the encrypted identity identification code and mobile phone number directly to the enterprise server without storing them; when the enterprise server determines that the identity identification code and the mobile phone number match, it generates a virtual identification code and returns it to the cloud server, which stores it in the comparison table in association with the user account, the first token, the second-stage password and the device token (Device Token).
In other implementations, the application login method further includes step (j): the mobile device encrypts the user account with the RSA encryption algorithm before storing it.
In other implementations, in step (d), the predetermined condition is that the idle time of the application is less than a preset time, or that the application has not logged out of the second-stage operating state.
The effect of the present invention is that each time the application on the mobile device successfully logs in to the first-stage operating state, the cloud server returns a newly generated first token to the mobile device and the old first token is destroyed. The mobile device re-encrypts the new first token as the basis for the next fast login, and the cloud server stores no identity data of the user corresponding to the mobile device; two-stage login and fast login are thus achieved together with higher security.
Before the present invention is described in detail, it should be noted that in the following description like elements are denoted by the same reference numerals.
Referring to FIG. 1, the application login method of the present invention is applicable to a mobile device 1, a cloud server 2, an enterprise server 3 and a push server 4. In this embodiment, the mobile device 1 is a smartphone, and the enterprise server 3 is at least one server within a bank; the bank may have several such servers, for example a server of an information department and a server of a credit card department. The cloud server 2 is a server the bank sets up in the cloud, such as AWS provided by Amazon, and the push server 4 is provided, for example, by Google or Apple, but neither is limited to these.
Referring to FIG. 1 and FIG. 2, the application login method includes steps S1 to S10.
In step S1, each time the mobile device 1 runs an application (APP) provided by the bank, it receives a device token (Device Token) from the push server 4. The cloud server 2 generates the device token according to an identification code of the mobile device 1 (such as the hardware serial number of the smartphone) and the installation of the application on the mobile device 1. In other words, each time the application is reinstalled, even on the same smartphone, the cloud server 2 generates a different device token.
In step S2, with the mobile device 1 running the application in a first-stage registration state, the mobile device 1 transmits a first-stage application message to the cloud server 2 to obtain a first-stage authentication code generated by the cloud server 2, and then transmits the first-stage authentication code together with a user account (Account) and a user password associated with a user to the cloud server 2. When the cloud server 2 confirms that the first-stage authentication code is correct, it stores the user account and the user password in a comparison table and determines that the application has registered successfully. At this point the mobile device 1 stores neither the user account nor the user password.
In this embodiment, the mobile device 1 transmits the first-stage application message with an e-mail address provided by the user, and the cloud server 2 sends the first-stage authentication code to that e-mail address. The user uses the e-mail address as the user account, and sets and enters the user password.
In step S3, when the mobile device 1 runs the application and is in a first-stage login state for the first time, the user enters the user account (Account) and the user password on the mobile device 1, which transmits them to the cloud server 2. When the cloud server 2 determines, according to the comparison table, that the user account and the user password match, it generates a first token (Token) and returns it to the mobile device 1. At this point the mobile device 1 stores neither the user account nor the user password.
In step S4, the mobile device 1 encrypts the user account (Account) with the RSA encryption algorithm and then stores it. In this embodiment, the mobile device 1 stores the encrypted user account in a file in a storage unit of the mobile device 1. At this point the mobile device 1 stores the user account but not the user password.
In step S5, when the mobile device 1 receives the first token (Token) generated by the cloud server 2, the mobile device 1 encrypts the first token according to the device token (Device Token) and stores the result as keychain data (KeyChain).
In more detail, the mobile device 1 feeds the device token (Device Token) into a predetermined hash function (Hash) to produce key name data (KeyName), derives a key from the device token with a secure hash algorithm (SHA), encrypts the first token (Token) with that key under the Advanced Encryption Standard (AES) to produce an encrypted first token (EnToken), and finally stores the key name data and the encrypted first token in the keychain data (KeyChain).
In this embodiment, the mobile device 1 applies SHA-256 of the secure hash algorithm family to the device token to produce the key, and encrypts with AES-128 of the Advanced Encryption Standard (AES) to produce the encrypted first token. At this point the mobile device 1 does not store the user password, but does store the encrypted first token.
Before step S6 is performed, the user must first apply to the bank for a predetermined financial service. In this embodiment, the financial service is a credit card, and the credit card department's server stores an identity identification code associated with the user (such as a national ID number) and a mobile phone number (such as the number used by the smartphone).
In step S6, with the mobile device 1 running the application in a second-stage password-creation state, the mobile device 1 transmits a second-stage application message to the cloud server 2 to obtain a second-stage authentication code generated by the cloud server 2, and then transmits a second-stage password, the second-stage authentication code, the decrypted first token (Token), and the encrypted identity identification code and mobile phone number to the cloud server 2.
In this embodiment, the second-stage application message includes the mobile phone number of the mobile device 1 (such as the number used by the smartphone), and the cloud server 2 returns a text message (SMS) containing the second-stage authentication code to the mobile device 1. The user sets and enters the second-stage password on the mobile device 1.
The mobile device 1 feeds the device token (Device Token) into the predetermined hash function (Hash) to produce the key name data (KeyName), and reads from the keychain data (KeyChain) the encrypted first token (EnToken) corresponding to the key name data. The mobile device 1 then derives the key from the device token with the secure hash algorithm (SHA), and decrypts the encrypted first token (EnToken) with that key under the Advanced Encryption Standard (AES) to produce the decrypted first token (Token).
The mobile device 1 encrypts the identity identification code (such as the national ID number) and the mobile phone number (such as the number used by the smartphone) with the RSA encryption algorithm, and transmits them to the cloud server 2 together with the second-stage authentication code entered by the user and the decrypted first token.
On receiving the second-stage password, the second-stage authentication code and the first token, the cloud server 2 forwards the encrypted identity identification code and mobile phone number directly to the enterprise server 3 without storing them. When the enterprise server 3 determines that the identity identification code and the mobile phone number match, it generates a virtual identification code (ARID) and returns it to the cloud server 2, which stores it in the comparison table. At this point the comparison table holds, for the user, the user account, the first token, the second-stage password, the device token, the virtual identification code and the user password; in other words, the cloud server 2 stores no private data sufficient to identify the user's real identity, and the mobile device 1 does not store the user password.
In step S7, when the mobile device 1 runs the application in the first-stage login state again (that is, not for the first time), the mobile device 1 transmits the decrypted first token (Token) and the decrypted user account (Account) to the cloud server 2. In this embodiment, the mobile device 1 reads the encrypted user account from the file in the storage unit and decrypts it with the RSA algorithm to obtain the user account.
Likewise, the mobile device 1 feeds the device token (Device Token) into the predetermined hash function (Hash) to produce the key name data (KeyName), reads from the keychain data (KeyChain) the encrypted first token (EnToken) corresponding to the key name data, then derives the key from the device token with the secure hash algorithm (SHA) and decrypts the encrypted first token with that key under AES to produce the decrypted first token (Token).
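As an added example (not code from the patent), the client-side keychain handling of step S5 and of the decryption in steps S6/S7, in Go: KeyName and the AES-128 key are derived from the device token with SHA-256, the first token is sealed as EnToken and opened again, and a different device token (as after a reinstall) cannot recover it. The patent names neither the key-name hash, the AES mode, nor how the 32-byte digest becomes a 16-byte key; the labelled SHA-256, AES-GCM and truncation used here are assumptions, and the map standing in for the OS keychain is a constructed stand-in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Keychain is a constructed stand-in for the OS keychain: KeyName -> EnToken.
type Keychain map[string][]byte

// keyName is the patent's "predetermined hash function" applied to the device
// token; the patent does not name it, so a labelled SHA-256 is assumed here.
func keyName(deviceToken []byte) string {
	h := sha256.Sum256(append([]byte("keyname:"), deviceToken...))
	return hex.EncodeToString(h[:])
}

// tokenKey is SHA-256(DeviceToken) truncated to the 16 bytes AES-128 needs (assumption).
func tokenKey(deviceToken []byte) []byte {
	h := sha256.Sum256(deviceToken)
	return h[:16]
}

// newGCM builds AES-128-GCM. The patent names AES-128 but no mode; GCM is assumed
// so that a tampered EnToken fails authentication instead of decrypting to garbage.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreToken is step S5: encrypt the first token under the device-token-derived
// key and save it as EnToken under KeyName, replacing any older EnToken (step S8).
func StoreToken(kc Keychain, deviceToken, token []byte) error {
	gcm, err := newGCM(tokenKey(deviceToken))
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	name := keyName(deviceToken)
	// EnToken = nonce || ciphertext || tag, with KeyName bound as associated data.
	kc[name] = gcm.Seal(nonce, nonce, token, []byte(name))
	return nil
}

// LoadToken is the decryption of steps S6/S7. A different device token (e.g. after
// a reinstall) gives another KeyName and key, so the old EnToken is not found or fails.
func LoadToken(kc Keychain, deviceToken []byte) ([]byte, error) {
	name := keyName(deviceToken)
	enToken, ok := kc[name]
	if !ok {
		return nil, errors.New("no EnToken stored for this device token")
	}
	gcm, err := newGCM(tokenKey(deviceToken))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(enToken) < ns {
		return nil, errors.New("EnToken too short")
	}
	return gcm.Open(nil, enToken[:ns], enToken[ns:], []byte(name))
}

// Wipe zeroes the decrypted copy once sent, as the description requires after every transmission.
func Wipe(token []byte) {
	for i := range token {
		token[i] = 0
	}
}
```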
In step S8, the cloud server 2, according to the comparison table, determines that the first token (Token) and the user account (Account) match and thereupon determines that the application has successfully logged in to a first-stage operating state; it returns a newly generated first token to the mobile device 1 and updates the first token in the comparison table to the new first token. When the mobile device 1 receives the new first token, it encrypts it according to the device token (Device Token) and stores it in the keychain data (KeyChain), as in step S5. In addition, the mobile device 1 destroys the old first token; that is, the old first token can no longer be used for fast login.
In step S9, with the mobile device 1 running the application in a second-stage login state, the mobile device 1 transmits the decrypted first token (Token), the user account (Account) and the second-stage password to the cloud server 2.
In step S10, the cloud server 2, according to the comparison table, determines that the first token (Token), the user account (Account) and the second-stage password match and thereupon determines that the application has successfully logged in to a second-stage operating state, and allows the application to remain in the second-stage operating state under a predetermined condition. In this embodiment, the predetermined condition is that the idle time of the application is less than a preset time (such as 15 minutes), or that the application has not logged out of the second-stage operating state.
It should be added that each time the mobile device 1 transmits the first token (Token) to the cloud server 2, it immediately deletes the decrypted first token temporarily held in its memory; that is, the old first token is destroyed and can no longer be used for fast login, which raises the security of the whole system. Moreover, although the mobile device 1 does not store the user password, by encrypting and decrypting the first token and obtaining an updated first token from the cloud server 2, it achieves fast login while preserving overall security.
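As an added example (not the patent's own code), the cloud-server side of steps S2, S3, S7/S8 and S9/S10 in Go: the comparison table, first tokens that are single-use and rotated on every fast login so a replayed old token is rejected, and the 15-minute idle condition of the second-stage state. Salted SHA-256 password hashing, constant-time comparison and the injectable clock are assumptions of this example; the e-mail and SMS authentication codes and the enterprise server's virtual identification code are omitted, and the second-stage password is taken at registration rather than in step S6.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// Entry is one row of the cloud server's comparison table. Passwords are kept as salted
// hashes (a hardening choice the patent does not spell out); the virtual identification code is omitted.
type Entry struct {
	Salt        []byte
	PassHash    []byte    // SHA-256(salt || user password); prefer argon2/bcrypt in production
	Stage2Hash  []byte    // SHA-256(salt || second-stage password)
	Token       []byte    // current first token, replaced on every first-stage login (S8)
	Stage2Until time.Time // idle deadline of the second-stage state (S10); zero = logged out
}

// Server holds the comparison table; Now is injectable so the idle timeout is testable.
type Server struct {
	Table map[string]*Entry
	Now   func() time.Time
	Idle  time.Duration
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func saltedHash(salt []byte, secret string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), secret...))
	return h[:]
}

func equal(a, b []byte) bool { return subtle.ConstantTimeCompare(a, b) == 1 }

// Register stores the step S2 credentials (e-mail authentication code omitted).
// The patent sets the second-stage password later, in step S6, after the SMS
// code and the enterprise server's check; it is taken at registration here.
func (s *Server) Register(account, password, stage2 string) {
	salt := randomBytes(16)
	s.Table[account] = &Entry{Salt: salt, PassHash: saltedHash(salt, password),
		Stage2Hash: saltedHash(salt, stage2)}
}

// FirstLogin is step S3: account and password earn the first token.
func (s *Server) FirstLogin(account, password string) ([]byte, error) {
	e, ok := s.Table[account]
	if !ok || !equal(e.PassHash, saltedHash(e.Salt, password)) {
		return nil, errors.New("account or password mismatch")
	}
	e.Token = randomBytes(32)
	return e.Token, nil
}

// FastLogin is steps S7/S8: on a match a fresh token replaces the stored one,
// so a replay of the old token is rejected on the next call.
func (s *Server) FastLogin(account string, token []byte) ([]byte, error) {
	e, ok := s.Table[account]
	if !ok || e.Token == nil || !equal(e.Token, token) {
		return nil, errors.New("account or token mismatch")
	}
	e.Token = randomBytes(32)
	return e.Token, nil
}

// Stage2Login is steps S9/S10: token, account and second-stage password must all
// match; the account then stays in the second-stage state until the idle deadline.
func (s *Server) Stage2Login(account string, token []byte, stage2 string) error {
	e, ok := s.Table[account]
	if !ok || e.Token == nil || !equal(e.Token, token) ||
		!equal(e.Stage2Hash, saltedHash(e.Salt, stage2)) {
		return errors.New("token, account or second-stage password mismatch")
	}
	e.Stage2Until = s.Now().Add(s.Idle)
	return nil
}

// InStage2 is the predetermined condition of S10: the second-stage operating
// state holds while the idle time is below the preset time (15 minutes here).
func (s *Server) InStage2(account string) bool {
	e, ok := s.Table[account]
	return ok && !e.Stage2Until.IsZero() && s.Now().Before(e.Stage2Until)
}
```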
Furthermore, the application on the mobile device 1 can run in the first-stage operating state and in the second-stage operating state, so that the bank can offer services with different privileges to different users. For example, a user who has not applied for the bank's credit card can, with the application in the first-stage operating state, receive push messages related to the bank delivered through the push server 4. A user who already holds the bank's credit card can, with the application in the second-stage operating state, obtain services corresponding to that user (such as virtual assets), while the cloud server 2 stores no private data sufficient to identify the user's real identity.
In summary, each time the application on the mobile device 1 successfully logs in to the first-stage operating state, the cloud server 2 returns a newly generated first token to the mobile device 1. The mobile device 1 re-encrypts the new first token as the basis for the next fast login and destroys the old first token, and the cloud server 2 stores no identity data of the user corresponding to the mobile device 1. Two-stage login and fast login are thus achieved together with higher security, so the object of the present invention is indeed attained.
The foregoing is merely an embodiment of the present invention and is not to be taken as limiting its scope; all simple equivalent changes and modifications made according to the claims and the specification of the present invention remain within the scope covered by the patent.
1‧‧‧mobile device
2‧‧‧cloud server
3‧‧‧enterprise server
4‧‧‧push server
S1~S10‧‧‧steps
Other features and effects of the present invention will be clearly presented in the embodiment described with reference to the drawings, in which: FIG. 1 is a block diagram illustrating the devices to which the application login method of the present invention applies; and FIG. 2 is a flowchart illustrating an embodiment of the application login method of the present invention.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW107115111A TW201947434A (en) | 2018-05-03 | 2018-05-03 | Application login method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW107115111A TW201947434A (en) | 2018-05-03 | 2018-05-03 | Application login method |
Publications (1)
Publication Number | Publication Date |
---|---|
TW201947434A true TW201947434A (en) | 2019-12-16 |
Family
ID=69583021
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW107115111A TW201947434A (en) | 2018-05-03 | 2018-05-03 | Application login method |
Country Status (1)
Country | Link |
---|---|
TW (1) | TW201947434A (en) |
- 2018-05-03: TW TW107115111A patent/TW201947434A/en unknown