TW202006604A - System and method of financial services certification - Google Patents

Abstract

The present invention is a financial services certification system and method of providing the same, the financial services certification system includes: client terminal information security module, storing in client terminal, the client terminal further including client terminal control module; wherein the client terminal information security module connect to client terminal control module to input bio feature, certifying the identity of client, and, financial service module, storing in near-end or far-end connecting to client terminal control module for processing execution and application of financial services.

Description

Financial service verification system and method

The present invention relates to a financial service verification system and method. More specifically, it is a system and method for generating encryption and decryption keys by using biological characteristic values to ensure the security of financial service information.

E-commerce, benefited from the National Science Foundation (NSF) in 1995, will be developed by the Cold War period, after the Internet used for military intelligence was opened to civilian use, accelerated its networked application . Since about 2000, in the Hypertext Transfer Protocol Secure (HTTPS), the security technology for encrypting HTTP with the SSL protocol has matured, and after the security of e-commerce has been highly guaranteed, the online store has been used. E-currency payment methods such as online financial institutions, the vigorous development of the way to complete the transaction of goods or services through the Internet, and also directly enable eBay, paypal, Amazon and other companies to catch up with the e-commerce boom, due to the convenience and speed of online transactions And rise.

In the prior art, e-commerce uses a pair of accounts and passwords to log in to the e-commerce business system by selecting a pair of accounts and passwords for the user to confirm the identity, and select the desired business service. One-time password (OTP) is sent by email or phone message for users to confirm the validity of the business service. The so-called one-time password, as the name implies, is a password that only works for a certain number of transactions (usually 1 time) or within a certain period of time. After a predetermined number of transactions or time, it loses its effectiveness, so that even if the password is human The stolen, it is not for the purpose of continuing to expand the leakage of information.

The principle of the one-time password operation is that both parties who want to communicate: Bob and Alice use the same randomly generated one-time encryption key to encrypt the communication text to be transmitted, and then encrypt the encryption The letters in the key are mixed with the letters in the communication text according to certain regulations. One way is to assign letters to numbers (such as A=0; B=1; C=2; D=3;...Z=25), and then combine the numbers represented by the letters on the encryption key with Corresponding numbers in the communication text are added, and then the remaining number is obtained after dividing by the number of letters in the language to complete the encryption, for example: the communication text is: {forinstance}={A}={5, 14, 17, 8, 13, 18, 19, 0, 13, 2, 4}; the encryption key is: {masklnsfldf}={B}={12, 0, 18, 10, 11, 13, 18, 5, 11, 3, 5 } Then ({A}+{B}) mod 26={17,14,9,18,24,5,11,5,24,5,9}, that is, the encrypted text after completion is {rogsyflfyfg}, if you want to To decrypt, just reverse the operation.

The above method of encrypting the communication text with a one-time password, although its security was in the "Bell Labs Technical Journal" in 1949, is Claude. Love Wood. Claude Elwood Shannon confirmed that there are still prerequisites to achieve its security, that is, its encryption key must be kept very secret from Mallory, a third party who is not a party to the communication. However, according to the operation method of the existing business system, most of Bob and Alice have not agreed on the method of generating encrypted text before the communication. The compromise method is that the business system sends the one-time password to the email or phone message. On the user side, during this process emails or phone text messages are extremely easy to be intercepted by Mallory, which makes the one-time passwords appear to have security holes in e-commerce. Therefore, in 2016, the National Institute of Standards and Technology (National Institute of Standards and Technology) of Standards and Technology (NIST) recommends that this method of identity verification be excluded from future identity verification standards.

In addition, from the perspective of the user's actual operation, the existing method of logging into the business system with a pair of account passwords is actually quite safe and convenient. The reason is that the current e-commerce is due to the booming relationship. For security reasons, it is not recommended that users use passwords that are too short or too easy to remember (such as birthday, school number, mobile phone number, license plate number, etc.), which causes users to easily forget account passwords that are not commonly used, or It is difficult to manage between account passwords corresponding to multiple business systems. Therefore, in order to avoid forgetting the account password, most users generally record it in a physical or digital notebook, so that Mallory can easily obtain the user's account and password through repeated attempts (Trial and Error). Or a notepad that accidentally loses the password of the recorded account, so that an illegal third party can pick it up and have a chance to create a security loophole, so that the general public still recognizes the convenience and speed of e-commerce, but it still has There are doubts, especially for the major financial institutions, some financial commodities, such as stocks, warrants, futures, options, etc., if the information security is cracked, the value of the loss may be as high as tens or even thousands Wan, the responsibilities and legal issues involved are not ordinary circumstances and can be taken lightly.

Therefore, in view of the shortcomings of the aforementioned conventional technologies, at present, financial institutions urgently need a way of taking into account the user's convenience and high security, which is not easy for third parties to steal or The invention of tampering with transaction data.

In view of the shortcomings of the aforementioned conventional technology, one object of the present invention is to improve the practical operation of the aforementioned one-time password in e-commerce, and it is easy to use the transaction information of both parties of the transaction to an unknown third party who has nothing to do with the transaction. The shortcomings of stealing or tampering; in addition, another object of the present invention is to improve the inconvenience to users caused by the lengthy account password in the conventional technology, and it is easy to be stolen by a third party, or even a short account password The shortcomings that may be easily guessed, and the technical solution proposed by the present invention can achieve the effect of improving safety and convenience.

The invention provides a financial service verification system, which includes: a user terminal, the user terminal further includes a user terminal control module; a biometric input module coupled to the user terminal control module to input biometrics; The security module is coupled to the input module of the user terminal and verifies the identity based on the input biometrics; the server terminal further includes a server control module; and a financial service module coupled to the server control module , The implementation and application of financial services.

According to the content of the present invention, the above-mentioned server further includes a server-side security module, coupled to the above-mentioned client-side security module, to authenticate the client to log in to the financial service verification system.

According to the content of the present invention, the client-side security module further includes a client-side key unit, which generates a verification message to verify the identity according to the input first feature value of the biometrics.

According to the content of the present invention, the client security module further includes a client security code unit, which stores a plurality of client security codes corresponding to financial services.

According to the content of the present invention, the financial service module further includes a financial service management unit that stores and manages the types of financial services. According to an embodiment of the present invention, the financial service may be owned by the financial institution itself or provided by an external financial institution.

The present invention provides a financial service verification method, which includes: inputting biometrics from a biometric input module; the user-side security module extracts the first biometrics from the biometrics, and calculates between the first and second characteristics To determine whether the two are greater than a preset value to verify the user's identity; the client security module sends a verification message to the server; and, the financial service module executes the requested financial service.

According to the content of the present invention, the method further includes selecting the financial service to be performed with the user terminal control module.

According to the content of the present invention, the method further includes the server-side security module verifying the verification message to confirm whether the client is legal.

According to the content of the present invention, the method further includes the client-side security module verifying the digital signature transmitted by the server-side security module to verify the identity of the client and the server.

According to the content of the present invention, the method further includes verifying the biometrics input by the user terminal before executing the financial service to confirm whether the financial service is executed.

The above is used to illustrate the purpose, technical means and achievable effects of the present invention. Those familiar with this technology in the related arts can more clearly understand the present invention through the following examples and accompanying drawings and patent application. invention.

100‧‧‧Financial Service Verification System

110‧‧‧Client

111‧‧‧Biometric input module

113‧‧‧Client control module

115‧‧‧Client Security Module

115a‧‧‧Client key unit

115c‧‧‧Client security code unit

130‧‧‧Servo

131‧‧‧Servo control module

133‧‧‧Servo-side security module

133a‧‧‧server key unit

135‧‧‧Financial Service Module

135a‧‧‧Financial Service Management Unit

300A‧‧‧The first map

300B‧‧‧The second map

410‧‧‧The first feature set

420‧‧‧Second feature set

430‧‧‧ feature set comparison

510‧‧‧ First characteristic value

530‧‧‧Second characteristic value

551‧‧‧Client security code

571‧‧‧ Financial Services

700‧‧‧ Financial service verification method

S1-S13‧‧‧Method flow

The detailed description of the present invention and the schematic diagrams of the embodiments as described below should make the present invention more fully understood; however, it should be understood that this is only a reference for understanding the application of the present invention and does not limit the present invention to a specific implementation Cases.

FIG. 1 shows the system architecture of the financial service verification system proposed by the present invention.

FIG. 2A further illustrates the system architecture of the client-side security module in the present invention.

FIG. 2B further illustrates the system architecture of the server-side security module in the present invention.

FIG. 2C further illustrates the system architecture of the financial service module in the present invention.

FIG. 3A shows how to use the biometrics of a human face for identity verification in an embodiment of the present invention.

FIG. 3B shows how to use the biometrics of a human face for identity verification in an embodiment of the present invention.

FIG. 4A illustrates how to extract the first feature value in the present invention.

FIG. 4B illustrates the source of the second feature value in the present invention.

FIG. 4C illustrates the comparison method of the first feature value and the second feature value in an embodiment of the present invention.

Figure 5 illustrates the identity verification method of the present invention.

Fig. 6 illustrates the way in which the client and the server encrypt and decrypt the transmitted text.

FIG. 7 illustrates the method flow of the financial service verification method proposed by the present invention.

The present invention will be described in detail with preferred embodiments and viewpoints. The following description provides specific implementation details of the present invention so that readers can thoroughly understand the implementation of these embodiments. However, those skilled in the art should understand that the present invention can also be implemented without these details. In addition, the present invention can also be applied and implemented by other specific embodiments. The details described in this specification can also be applied based on different needs, and various modifications or changes can be made without departing from the spirit of the present invention. . The present invention will be described in terms of preferred embodiments and viewpoints. Such descriptions explain the structure of the present invention, and are used only for illustration rather than to limit the patent scope of the present invention. The terms used in the following description will be interpreted in the broadest reasonable manner, even if they are used in conjunction with the detailed description of a specific embodiment of the present invention.

According to the shortcomings of the aforementioned conventional technology, the financial service verification system (100) proposed by the present invention specifically achieves the performance of inputting the user's own through the biometric input module (111) included in the user terminal (110) It has biological characteristics for the financial service verification system (100) to verify the user's identity, to improve the conventional technology, a pair of account passwords are easily forgotten or guessed by malicious third parties when verifying their identities At the same time, the key contained in a higher security client security module (115) improves the traditional way of sending one-time passwords that are easily intercepted by third parties by email or telephone text message Disadvantages to achieve the purpose of the present invention.

Referring to FIG. 1, the present invention provides a financial service verification system (100), which includes: a user terminal (110), the user terminal (110) further includes a user terminal control module (113); a biometric input module (113) 111), coupled to the above-mentioned user-side control module (113) to input biometrics; the user-side information security module (115), coupled to the user-side control module (113), and verifying the identity according to the input biometrics; The server (130), the server (130) further includes a server control module (131); and a financial service module (135), which is coupled to the server control module (131) and the client security module Group (115), which provides the execution and application of financial services. In an embodiment of the invention, the financial service module (135) can be stored at the near end or the far end. According to the content of the present invention, the client control module (113) and the server control module (131) generally include a processor, memory, temporary memory, display device, network communication module, and operation Systems and applications, etc., are connected to each other in a generally known manner to provide functions such as operation and management coordination of the financial service verification system (100). Based on the above, they are generally known architectures, so they are not repeated here.

According to an embodiment of the present invention, the biometric input module (111) may be, but not limited to, a face recognition camera, an iris scanning camera, a fingerprint scanner, and a voiceprint scanning microphone. Please refer to FIG. 3A and FIG. 3B, which is one of the embodiments of the present invention for identity verification using a face map. In this embodiment, the user inputs the first map (300A) in the biometric input module (111) and compares it with the second map (300B) stored in the user-side security module (115) to verify the user identity of. In a preferred embodiment of the present invention, the client-side security module (115) first converts the biological features of the first atlas (300A) into a numerical, first feature value (510) that can be expressed in a multi-dimensional space ), please refer to FIG. 4A, the coordinate axes X ₁ , X ₂ , X ₃ , X ₄ , X ₅ ... X _n , which can correspond to the horizontal axis, vertical axis of the first map and the relative brightness of the red light, Relative brightness of blue light, relative intensity of green light and other related parameters are compared with the second feature value (530) represented by multi-dimensional space and stored in the user-side security module (115) in FIG. 4B. And the calculation of the correlation coefficient α. If the above correlation coefficient α is greater than a preset value K, the user terminal security module (115) determines that the user's identity is indeed the user himself; otherwise, if the correlation coefficient α is smaller than the preset value K, the client terminal The security module (115) determines that the identity verification fails.

According to an embodiment of the present invention, the above-mentioned image comparison method may be a Hausdorff Distance algorithm, which is characterized by a lower signal-to-noise ratio when the target is blocked. , Or when the image is shaking, it can still have a good matching accuracy. Please refer to FIG. 4C, which first performs dimension reduction calculation on the first feature value (510) and the first feature value (530) respectively, and then performs the first feature set (410) and the second feature set (420) corresponding to them respectively. Overlay comparison, as shown in feature set comparison (430), by calculating each corresponding data point in feature set comparison (430), to calculate the data point of the first feature set (410), relative to the first The distance between the data points of the two feature sets, and the result calculates a correlation coefficient α, so that the matching degree of the first map (300A) and the second map (300B) can be compared. According to another embodiment of the present invention, the above-described Hessdorf distance algorithm can also be applied to biometric identification based on image comparison, such as fingerprints and irises.

According to the content of the invention, the client security module (115) further includes a client security code unit (115c), which stores several corresponding client security codes (551) according to different financial services, and the client security code (551) ) Contains a pair of account and password. Please refer to FIG. 5, the plurality of client security codes (551) correspond to the second feature value (530), that is, the user must enter the first feature value (510) through the biometric input module (111) Compare with the second feature value (530) to verify the user's identity to activate the corresponding client security code (551) and financial service (571), in order to achieve the present invention, the user input biometrics to replace the conventional technology directly The purpose of using account and password to verify identity. In addition, its financial services (571) are not limited to financial institutions themselves, or may be provided by external financial institutions.

According to the present invention, the client security module (115) further includes a client key unit (115a), which generates a one-way server based on the comparison result of the first feature value (510) and the second feature value (530) (130) Verify the client (110), and the encrypted verification message. In the embodiments of the present invention, the means used for encryption and decryption may be a symmetric key, an asymmetric key, or a mixture of the above.

According to an embodiment of the present invention, please refer to FIG. 6, which uses an asymmetric algorithm as a technical means of encryption and decryption. In the asymmetric key, a complete key is composed of a public key (Public Key) and a private key (Private Key), the method is as follows: when the client (110) wants to identify with the server (130) During verification, the server (130) sends the public key it holds to the client (110); when the client (110) receives the public key given by the server (130), the verification message to be transmitted is The public key of the server (130) is encrypted and sent to the server (130); the server (130) then uses the private key to decrypt the verification message encrypted with the public key. The public key of the server (130) can only encrypt the verification message, but cannot decrypt the verification message. If you want to decrypt, you must use the private key of the server (130) to complete. The advantage of this approach is that when the authentication message of the client (110) is sent to the server (130), even if it is intercepted by a malicious third party, because the private key is only held by the server (130), The third party does not hold the private key of the server (110), and the third party cannot use the public key published by the server (110) to reversely derive the corresponding private key, so the third party cannot decrypt The authentication messages of the client (110) and the server (130) achieve the purpose of communication security.

According to an embodiment of the present invention, the public and private keys respectively owned by the client (110) and the server (130) can be composed of a client key unit (115a) and a server key unit (133a), based on the public key Infrastructure (Public Key Infrastructure, PKI, or PKI mechanism). The PKI mechanism has the following characteristics:

1. Concealment of the message: Since the private key mentioned above has not been transmitted from the beginning to the end, it is physically impossible for the third party to know during the encryption and decryption process.

2. Message integrity: Since the above-mentioned public and private key generation mechanisms are generated in pairs, whether the server (130) verifies the identity of the client (110) or reverses the client (110) during the process of encrypting and decrypting the verification message The identity of the server (130) needs to be decrypted with the private key, so the verification message will not be tampered with illegally.

3. Identity recognition: the paired public and private keys can only be generated for the client-side key unit (115a) or the server-side key unit (133a), and the verification message cannot be generated in a false name.

4. Non-repudiation of transactions: Based on the above-mentioned identification, completed transactions cannot be denied.

According to the content of the present invention, the method for generating the public and private keys in the PKI mechanism may be, but not limited to, RSA algorithm, EIGamal algorithm, Elliptic curve cryptography (ECC). In one embodiment of the present invention, it is an elliptic curve cryptography (ECC), which has the advantage that the pair of public and private keys encrypted with an elliptic curve is smaller than other methods, and its minimum key length It only needs 160 bits, and the key length generated by other algorithms needs to be 512 bits or more. When the transmission size of the verification message has certain requirements, it can still work with a shorter key length. Provide equal or higher security. The principle of its operation is based on a defined finite mathematical space (the finite mathematical space can be represented by a binary cubic equation and contains one point of infinity), and it is easy to add, subtract, and multiply each element of the finite mathematical space, But it is difficult to divide. At the same time, no matter whether any operation is performed on each element in the limited mathematical space, the final operation result still belongs to the mathematical nature of the elements contained in the limited mathematical space. The encrypted verification information prevents the third party from simply The division operation of obtains the content of the verification message, so as to achieve the purpose of concealment, message integrity, identity recognition and non-repudiation of the transaction during the transmission process of the verification message.

According to the present invention, the server (130) further includes a server-side security module (133), coupled to the client-side security module (115), and authenticates the user according to the verification message transmitted by the client (110) End (110) identity. In an embodiment of the invention, when the server-side security module (133) receives the verification message and confirms the identity of the client (110), it responds with a digital signature that also indicates the server (130) To the client (110) to complete the mutual identity verification of the server (130) and the client (110) to achieve the purpose of enhancing the aforementioned message concealment, message integrity, identity recognition, and transaction non-repudiation.

According to the content of the present invention, the financial service module (135) is coupled to the server control module (131). After the server control module (131) confirms that the server (130) and the client (110) verify each other's identity correctly Then, the financial service module (135) starts to execute and apply for the financial service (571) required by the client (110). In an embodiment of the invention, the financial service management unit (135a) contained in the financial service module (135) stores a plurality of different types of financial services (571), which may be, but not limited to, various types of financial-related E-commerce, including transaction transfer, currency transaction, service inquiry, deposit insurance business, credit loan, fund stock business, trust application and financial commodity transaction, etc., and users can choose a sum or a number through the user terminal control module (113) The financial service (571) category that I intend to perform is to invent the financial service verification system (100) to improve the efficiency of security and convenience. In another embodiment of the present invention, the financial service (571) may be owned by the financial institution itself or provided by an external financial institution.

To improve the shortcomings of the conventional technology, please refer to FIG. 7, the present invention proposes a financial service verification method (700), which includes: in the process (S1), the biometric input module (111) inputs biometrics; and In the process (S2), the user-side security module (115) extracts the above-mentioned biological characteristics to the first feature value (510), and calculates the first feature value (510) and the second feature value (530) in the process (S3) To determine whether the two are greater than a preset value K to verify the user's identity. When the correlation coefficient is less than K, it means that the first map (300A) and the second map (300B) may be different, so The execution process (S4) is required to re-enter the biometrics, or the process is ended directly, otherwise, the process (S6) is executed, and the client security module (115) sends an encrypted verification message to the server (130); and, Process (S13), the financial service module (135) executes the applied financial service (571).

According to an embodiment of the present invention, the biometrics input by the biometrics input module (111) may be, but not limited to, facial features, iris features, fingerprint features, and voiceprint features. According to one aspect of the present invention, the comparison method of the first feature value (510) and the second feature value (530) extracted from the image based on facial features, iris features, fingerprint features, etc. can be the Hessdorf distance calculation law.

According to the content of the present invention, the method further includes a process (S5), which uses the client control module (113) to select the financial service (571) to be performed. In an embodiment of the present invention, the types of the financial services (571) are stored in the financial service management unit (135a), which can be, but not limited to, various types of e-commerce related to finance, including transaction transfer, currency transactions, and service inquiries , Savings insurance business, credit loan, fund stock business, trust application and financial commodity trading, etc.

According to the present invention, the method further includes a process (S7). The server-side security module (133) verifies the encrypted verification message to confirm whether the client (110) is legal. The encryption method of the verification message may be, but not limited to, RSA algorithm, EIGamal algorithm, elliptic curve cryptography (ECC), and so on. In the embodiment of the present invention, when the verification of the client (110) in the process (S7) fails or is illegal, the process (S8) is executed to execute the process (S6) again or end the financial service verification method (700); otherwise, Then the flow (S9) is executed.

According to the content of the invention, in the process (S9), when the identity of the client (110) is successfully verified in the process (S7), the server-side security module (133) transmits a digital signature to the client (110), and The client security module (115) verifies the digital signature to achieve the purpose of mutually verifying whether the client (110) and the server (130) are legal. In an embodiment of the present invention, if the verification operation fails and the process (S10) is executed, the process (S9) is executed again or the financial service verification method (700) is ended, otherwise, the process (S11) is executed.

According to the content of the present invention, the method further includes a process (S11). Before executing the financial service (571), the biometrics input by the user terminal (110) are verified again to confirm whether the financial service (571) is executed, the process (S11) ) Is to prevent users from accidentally touching financial services (571), or to prevent users from executing financial services (571) without fully understanding the financial services (571), causing misunderstandings between financial institutions and users, and In the user terminal (110), enter the biometrics again to ensure that the financial service (571) applied is indeed the user. The verification method is the same as the process (S1)-process (S3). According to an embodiment of the present invention, when the process (S11) confirmation fails, the process (S12) is executed, the process (S11) is executed again, or the process financial service verification method (700) is ended, otherwise, the process (S13) is executed, The financial service module (135) immediately begins to execute the applied financial service (571).

100‧‧‧Financial Service Verification System

110‧‧‧Client

111‧‧‧Biometric input module

113‧‧‧Client control module

115‧‧‧Client Security Module

130‧‧‧Servo

131‧‧‧Servo control module

133‧‧‧Servo-side security module

135‧‧‧Financial Service Module

Claims (12)

A financial service verification system includes: a client-side security module stored in a client, the client includes a client-side control module; wherein the client-side security module is coupled to the client-side control module, A biometric input module can input at least one biometric to verify the user's identity; and, a financial service module, stored at the near-end or far-end, coupled to the client control module to provide at least one financial service Implementation and application. The financial service verification system according to claim 1, further comprising a server, the server includes a server-side security module, coupled to the client-side security module, based on the encrypted data transmitted by the client A verification message to verify the identity of the client. According to the financial service verification system described in claim 2, when the server-side security module receives the verification message, it responds with an encrypted digital signature to the client, so that the server and the client have to communicate with each other Verify identidy. According to the financial service verification system of claim 1, the client security module further includes a client security code unit, and stores at least one client security code corresponding to the at least one financial service. According to the financial service verification system of claim 1, the at least one biometric feature may be a facial feature, an iris feature, a fingerprint feature, a voiceprint feature, or a combination of the above. As in the financial service verification system described in claim 2 or 3, the encryption method may be a symmetric key, an asymmetric key, or a combination of the above. A financial service verification method includes the following processes: a biometric input module inputs at least one biometric feature; a user information security module extracts the at least one biometric feature from a first feature value, and calculates the first feature value and Whether a correlation coefficient of a second eigenvalue is greater than a preset value; and if the correlation coefficient is greater than the preset value, the client security module sends an encrypted verification message through a financial service module Perform at least one financial service. The financial service verification method described in claim 7 further includes a server-side security module verifying the verification message; and, the client-side security module verifies that a digital signature transmitted by a server-side security module is encrypted Chapter to verify the identity of a client and a server. The financial service verification method according to claim 7, further comprising a user terminal selecting the at least one financial service to be performed through a user terminal control module. The financial service verification method as described in claim 9, further includes selecting the at least one financial service, inputting the at least one biometric feature from the biometric input module again, and comparing the first Whether the correlation coefficient between a feature value and the second feature value is greater than the preset value to verify the identity of the user terminal. According to the financial service verification method of claim 7, the at least one biometric feature may be a facial feature, an iris feature, a fingerprint feature, a voiceprint feature, or a combination of the above. As in the financial service verification method described in claim 8, the encryption method may be a symmetric key, an asymmetric key, or a combination of the above.

Images