TW202211056A - System and method for personal information authorization - Google Patents

System and method for personal information authorization

Info

Publication number
TW202211056A
Authority
TW
Taiwan
Prior art keywords
authorization
server
data
authentication
mobile
Prior art date
Application number
TW109131531A
Other languages
Chinese (zh)
Other versions
TWI742849B (en)
Inventor
張繼軒
林崇頤
林晉賢
周淑羚
Original Assignee
中華電信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中華電信股份有限公司
Priority to TW109131531A
Application granted
Publication of TWI742849B
Publication of TW202211056A

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present invention provides a personal information authorization system and a personal information authorization method. Their main purpose is to let a user complete identity authentication through an electronic device he or she holds and, through a real-time personal information authorization mechanism, restrict the personal information that third-party application services may access. This ensures that an application service can access only the personal information the user has agreed to provide, and prevents others from obtaining the user's personal information without authorization, so that identity information is authorized more securely, more conveniently and in real time.

Description

Personal Information Authorization System and Personal Information Authorization Method

The present invention relates to an authorization system and an authorization method, and in particular to a personal information authorization system and a personal information authorization method.

In general, personal data (abbreviated below as personal information) refers to a natural person's name, date of birth, national ID card number, passport number, physical characteristics, fingerprints, marital status, family, education, occupation, medical records, medical treatment, genetic data, sexual life, health examinations, criminal record, contact details, financial situation, social activities, and any other data by which that person can be directly or indirectly identified.

Under existing authorization technologies such as electronic signatures and access tokens, a user can allow a service provider to access the personal information stored on a personal-information-providing server without handing the account name and password to the service provider. However, the user must operate the service provider's terminal system or website directly, and a malicious service provider terminal can forge the authorization scope in order to request access to more personal information items than the small subset it actually needs, resulting in leakage of personal information.

In view of this, the present invention provides a personal information authorization system and a personal information authorization method which can be used to solve the technical problems described above.

The present invention provides a personal information authorization system that includes a mobile personal information authorization server and a mobile authentication server. The mobile personal information authorization server is configured to: receive a personal information authorization request from an application service server, where the application service server generates the personal information authorization request in response to a specific application service requested by a user, and the specific application service requires a plurality of personal information items; in response to the personal information authorization request, return a personal information authorization ticket to the application service server, where the application service server converts the personal information authorization ticket into an authorization image; and, in response to determining that an authorization consent record and authentication information have been received from an electronic device of the user, forward the authorization consent record and the authentication information, where the authorization consent record and the authentication information indicate that the user agrees to provide a plurality of specific personal information corresponding to the aforementioned personal information items. The mobile authentication server is connected to the mobile personal information authorization server and is configured to: receive the authorization consent record and the authentication information, and verify the authentication information; and, in response to determining that the authentication information passes verification, store the authorization consent record and, through the mobile personal information authorization server, provide a personal information query instruction to a personal-information-providing server, where the personal-information-providing server, in response to the personal information query instruction, provides the user's aforementioned specific personal information to the mobile personal information authorization server, and the mobile personal information authorization server provides the specific personal information to the application service server so that the specific application service can be executed.

The present invention provides a personal information authorization method suitable for a personal information authorization system that includes a mobile personal information authorization server and a mobile authentication server. The method includes: the mobile personal information authorization server receiving a personal information authorization request from an application service server, where the application service server generates the personal information authorization request in response to a specific application service requested by a user, and the specific application service requires a plurality of personal information items; the mobile personal information authorization server returning a personal information authorization ticket to the application service server in response to the personal information authorization request, where the application service server converts the personal information authorization ticket into an authorization image; in response to determining that an authorization consent record and authentication information have been received from an electronic device of the user, the mobile personal information authorization server forwarding the authorization consent record and the authentication information to the mobile authentication server, where the authorization consent record and the authentication information indicate that the user agrees to provide a plurality of specific personal information corresponding to the aforementioned personal information items; the mobile authentication server verifying the authentication information; in response to determining that the authentication information passes verification, the mobile authentication server storing the authorization consent record and providing, through the mobile personal information authorization server, a personal information query instruction to a personal-information-providing server, where the personal-information-providing server provides the user's aforementioned specific personal information to the mobile personal information authorization server in response to the personal information query instruction; and the mobile personal information authorization server providing the specific personal information to the application service server so that the specific application service can be executed.

Please refer to FIG. 1, which is a schematic diagram of a personal information authorization system according to an embodiment of the present invention. As shown in FIG. 1, the personal information authorization system 10 of the present invention includes an application service server 100, an electronic device 110, a mobile personal information authorization server 120, a mobile authentication server 130 and a personal-information-providing server 140.

In different embodiments, the application service server 100 is, for example, a server that provides various application services, such as a banking system (online or over the counter) or a ticket booking system, and these application services are ones that require one or more items of the user's personal information before they can be used, such as loans or ticket booking, although the invention is not limited to these. For ease of description, a banking system is used as the example below, but this is not intended to limit the possible embodiments of the present invention.

In one embodiment, the application service server 100 can display the various application services offered by the bank through a user interaction interface 101 (for example, a touch screen) installed at the bank counter, and the user can select the desired application service (hereinafter the specific application service) directly on it. For example, if a user wishes to apply for a loan service at a bank counter, the user can select the loan service in the user interaction interface 101 as the specific application service; the application service server 100 then generates a personal information authorization request S1 accordingly and forwards the personal information authorization request S1 to the mobile personal information authorization server 120.

In other embodiments, the user interaction interface 101 can also be implemented as a web page of the banking system. In this case, the user selects the desired specific application service in the bank's web interface, and the application service server 100 likewise generates the personal information authorization request S1 and forwards it to the mobile personal information authorization server 120, although the invention is not limited to this.

Correspondingly, the mobile personal information authorization server 120 can return a personal information authorization ticket S2 to the application service server 100 in response to the personal information authorization request S1. In different embodiments, the personal information authorization ticket S2 can include at least one of an application service provider identification code (for example, the code of the bank above), an operation serial number, the content of the personal information authorization fields, the ticket issuance time, and a signature, although the invention is not limited to these.

In one embodiment, when the mobile personal information authorization server 120 receives the personal information authorization request S1, its personal information authorization request verification module 121 can verify the legitimacy of the personal information authorization request S1 sent by the application service server 100, including verification of the source and verification of the data fields of the personal information authorization request S1, although not limited to these. After the personal information authorization request S1 is determined to have passed verification, the authorization ticket management module 123 of the mobile personal information authorization server 120 can issue the personal information authorization ticket S2 and return it to the application service server 100, although the invention is not limited to this.

In one embodiment, after the application service server 100 receives the personal information authorization ticket S2, its authorization barcode conversion module 102 can convert the personal information authorization ticket S2 into an authorization image S3, and the user interaction interface 101 can display the authorization image S3. In different embodiments, the authorization image S3 can be presented as a one-dimensional barcode, a two-dimensional barcode or another barcode image that represents the personal information authorization ticket S2, although the invention is not limited to these.

The user can then capture the authorization image S3 through the authorization image capture module 111 (for example, an imaging module such as the camera of the electronic device 110) of the electronic device 110 he or she holds (for example, any kind of smart device), and convert the authorization image S3 back into the personal information authorization ticket S2.

Next, the authorization ticket verification module 112 in the electronic device 110 can verify the personal information authorization ticket S2 and, after determining that the personal information authorization ticket S2 passes verification, display the personal information items (for example, address and telephone number) required by the specific application service. The user of the electronic device 110 can then confirm on the electronic device 110 whether the selected specific application service is allowed to obtain the specific personal information corresponding to those personal information items.

In one embodiment, in response to determining that the user agrees to authorize the specific personal information to the specific application service, the electronic device 110 can generate an authorization consent record S4 and authentication information S5 (which can include, for example, a specific user code corresponding to the user and the authentication time), and encrypt the authentication information S5 with an authentication key.

In one embodiment, when it is determined that the user agrees to authorize the specific personal information to the specific application service, the identity authentication module 113 in the electronic device 110 can authenticate the user's identity, for example by password authentication, fingerprint authentication, facial recognition or another form of biometric authentication, although not limited to these.

Afterwards, the electronic device 110 can send the authorization consent record S4 and the encrypted authentication information S5 to the mobile personal information authorization server 120. Correspondingly, the personal information authorization management module 122 in the mobile personal information authorization server 120 can interface with the mobile authentication server 130 to verify the authentication information S5. That is, in response to the authorization consent record S4, the personal information authorization management module 122 can forward the encrypted authentication information S5 to the mobile authentication server 130 so that the mobile authentication server 130 verifies the authentication information S5.

In one embodiment, the authentication key management module 132 in the mobile authentication server 130 can, for example, manage the correspondence between a plurality of user authentication codes and a plurality of authentication keys. In this case, after the mobile authentication server 130 receives the encrypted authentication information S5, the authentication key management module 132 can look up the corresponding authentication key according to the specific user code, although the invention is not limited to this.

After obtaining the corresponding authentication key, the authentication information verification module 131 in the mobile authentication server 130 can decrypt the authentication information S5 with this authentication key and verify the legitimacy of the authentication information S5.

In one embodiment, in response to determining that the authentication information S5 passes verification, the mobile authentication server 130 can notify the user consent record storage module 124 of the mobile personal information authorization server 120 to store the authorization consent record S4, and provide a personal information query instruction S6 to the personal-information-providing server 140 through the mobile personal information authorization server 120. Specifically, the mobile personal information authorization server 120 can forward the personal information query instruction S6 to the personal-information-providing server 140 through the personal information authorization management module 122, so that the personal-information-providing server 140 queries the specific personal information.

In one embodiment, the personal-information-providing server 140 is, for example, a household registration office or another server that stores the user's various personal information, and this personal information can be stored, for example, in the personal information database 142 of the personal-information-providing server 140. In one embodiment, after the personal-information-providing server 140 receives the personal information query instruction S6, its personal information query processing module 141 can verify the personal information query instruction S6 and, after determining that the personal information query instruction S6 passes verification, provide the user's specific personal information S7 to the mobile personal information authorization server 120.

Correspondingly, the mobile personal information authorization server 120 can return the specific personal information S7 provided by the personal-information-providing server 140 to the application service server 100 through the personal information authorization management module 122.

The application service server 100 can then execute the specific application service selected by the user of the electronic device 110 based on the user's specific personal information S7 (for example, the address and telephone number of the user of the electronic device 110) provided by the mobile personal information authorization server 120.

Please refer to FIG. 2, which is a flowchart of a personal information authorization method according to an embodiment of the present invention. The method of this embodiment can be executed by the personal information authorization system 10 of FIG. 1, and the details of each step of FIG. 2 are described below with reference to the components shown in FIG. 1.

First, in step S210, the mobile personal information authorization server 120 can receive a personal information authorization request S1 from an application service server 100, where the application service server 100 generates the personal information authorization request S1 in response to a specific application service requested by the user of the electronic device 110, and the specific application service requires a plurality of personal information items.

In step S220, the mobile personal information authorization server 120 can return a personal information authorization ticket S2 to the application service server 100 in response to the personal information authorization request S1, where the application service server 100 can convert the personal information authorization ticket S2 into an authorization image S3.

In step S230, in response to determining that an authorization consent record S4 and authentication information S5 have been received from the user's electronic device 110, the mobile personal information authorization server 120 can forward the authentication information S5 to the mobile authentication server 130 in response to the authorization consent record S4, where the authorization consent record S4 and the authentication information S5 indicate that the user agrees to provide a plurality of specific personal information S7 corresponding to the aforementioned personal information items.

In step S240, the mobile authentication server 130 can verify the authentication information S5. In step S250, in response to determining that the authentication information S5 passes verification, the mobile authentication server 130 can notify the mobile personal information authorization server 120 to store the authorization consent record S4, and provide a personal information query instruction S6 to the personal-information-providing server 140 through the mobile personal information authorization server 120, where the personal-information-providing server 140 can provide the user's specific personal information S7 to the mobile personal information authorization server 120 in response to the personal information query instruction S6.

In step S260, the mobile personal information authorization server 120 can provide the specific personal information S7 to the application service server 100, so that the application service server 100 executes the specific application service accordingly.

For the details of each step in FIG. 2, refer to the description of the preceding embodiments; they are not repeated here.
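The following Python script is an added example and is not code from the patent or from 中華電信; it models the S1 to S7 flow of FIG. 1 and FIG. 2 (steps S210 to S260) with the standard library only, and goes one step beyond the text by showing the forged-scope case from the background section being rejected at the authorization server and, if a ticket is altered afterwards, at the device. All names (issue_ticket, device_consent, run_flow, REGISTERED_PROVIDERS, the sample keys and the sample personal-data record) are assumptions of this example. Two simplifications are labelled in the code: the ticket signature is an HMAC under a key shared between the authorization server and the device app (a deployment would use a public-key signature so that the device holds no server secret), and the encryption of the authentication information S5 under the user's authentication key is a toy encrypt-then-MAC built from HMAC-SHA256, standing in for a real AEAD cipher.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed keys and data for this example; none of these values come from the patent.
TICKET_KEY = b"example-ticket-signing-key"          # server 120 signing key (toy: also known to the device app)
AUTH_KEYS = {"user-0001": b"example-user-auth-key"}  # table of authentication key management module 132
PERSONAL_DB = {                                      # personal information database 142
    "user-0001": {"address": "1 Example Rd", "phone": "0900-000-000",
                  "birthdate": "1990-01-01", "national_id": "A123456789"},
}
# Services each registered provider may request, and the items each service is allowed to ask for.
REGISTERED_PROVIDERS = {"BANK01": {"loan": ["address", "phone"]}}
CONSENT_RECORDS = []                                 # user consent record storage module 124


def _canon(d):
    """Canonical JSON so signer and verifier hash exactly the same bytes."""
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# --- mobile personal information authorization server 120: S1 -> S2 (modules 121 and 123) ---
def issue_ticket(request):
    """Verify source and fields of S1; return a signed ticket S2, or None on rejection."""
    services = REGISTERED_PROVIDERS.get(request.get("provider_id"))
    if services is None or request.get("service") not in services:
        return None                                  # unknown source or service
    items = request.get("items", [])
    if not items or not set(items) <= set(services[request["service"]]):
        return None                                  # scope exceeds what this service is registered for
    body = {"provider_id": request["provider_id"], "serial": request.get("serial", ""),
            "items": sorted(items), "issued_at": request.get("issued_at", 0)}
    return {**body, "sig": _mac(TICKET_KEY, _canon(body))}


# --- server 100 / device 110: S2 <-> S3 (base64 text stands in for the barcode image) ---
def ticket_to_image(ticket):
    return base64.b64encode(_canon(ticket)).decode()


def image_to_ticket(image):
    return json.loads(base64.b64decode(image))


# --- electronic device 110: authorization ticket verification module 112 ---
def device_verify_ticket(ticket):
    body = {k: v for k, v in ticket.items() if k != "sig"}
    return hmac.compare_digest(_mac(TICKET_KEY, _canon(body)), ticket.get("sig", ""))


# Toy encrypt-then-MAC for S5 (a stand-in for a real AEAD cipher, which the stdlib lacks).
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": _mac(mac_key, nonce + ct)}


def unseal(key, box):
    enc_key, mac_key = _subkeys(key)
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    if not hmac.compare_digest(_mac(mac_key, nonce + ct), box["tag"]):
        return None                                  # tampered, or wrong user key
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def device_consent(ticket, user_code, approved_items, now):
    """Return (S4, encrypted S5) or None. The user may approve only a subset of the ticket's items."""
    if not device_verify_ticket(ticket):
        return None
    approved = [i for i in ticket["items"] if i in approved_items]
    s4 = {"serial": ticket["serial"], "provider_id": ticket["provider_id"],
          "user_code": user_code, "approved": approved}
    s5 = {"user_code": user_code, "serial": ticket["serial"], "auth_time": now}
    return s4, seal(AUTH_KEYS[user_code], _canon(s5))


# --- mobile authentication server 130: key lookup (module 132), decrypt and check S5 (module 131) ---
def auth_server_verify(s4, sealed_s5, now, max_age=300):
    key = AUTH_KEYS.get(s4["user_code"])
    plain = unseal(key, sealed_s5) if key else None
    if plain is None:
        return False
    s5 = json.loads(plain)
    return (s5["user_code"] == s4["user_code"] and s5["serial"] == s4["serial"]
            and 0 <= now - s5["auth_time"] <= max_age)


# --- personal-information-providing server 140: S6 -> S7 (module 141 over database 142) ---
def data_provider_query(s6):
    record = PERSONAL_DB.get(s6["user_code"], {})
    return {k: record[k] for k in s6["items"] if k in record}   # only consented items leave the store


def run_flow(request, user_code, approved_items, now):
    """Steps S210..S260 end to end; returns S7 for the application service server, or None."""
    ticket = issue_ticket(request)                                # S210, S220
    if ticket is None:
        return None
    scanned = image_to_ticket(ticket_to_image(ticket))           # S3 shown on UI 101, captured by module 111
    consent = device_consent(scanned, user_code, approved_items, now)
    if consent is None:
        return None
    s4, sealed_s5 = consent                                       # S230
    if not auth_server_verify(s4, sealed_s5, now):                # S240
        return None
    CONSENT_RECORDS.append(s4)                                    # S250: consent stored before any query
    s6 = {"user_code": user_code, "serial": s4["serial"], "items": s4["approved"]}
    return data_provider_query(s6)                                # S260
```

The security-relevant checks are in issue_ticket (the request is matched against the scope registered for that provider and service, so a counter terminal cannot widen the scope) and in device_verify_ticket (an altered ticket no longer verifies on the user's device). The data provider only ever sees the items listed in S4, so the application service server receives exactly what the user approved.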

In summary, the personal information authorization system and method of the present invention can verify the legitimacy of the personal information authorization request generated by the application service server and, if it passes, issue an authorization ticket to the application service server according to that request. If the user confirms the authorization on the electronic device, the procedure for storing and verifying the user's authorization consent record and authentication information is executed, and finally the personal information query result is returned to the application service server according to the personal information authorization request.

For the user, after selecting the desired specific application service on the user interaction interface, it is only necessary to capture the authorization image subsequently displayed on the user interaction interface with the electronic device in order to learn which personal information items the specific application service requires, and on that basis decide whether to authorize the specific application service to obtain the specific personal information for those items. In other words, the user decides which personal information to authorize for the selected specific application service according to his or her own wishes, which prevents the application service server from obtaining additional personal information that the user has not authorized. This further ensures the security of the user's personal information and prevents it from being obtained by a malicious application service server.

Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Anyone with ordinary knowledge in the technical field can make some changes and modifications without departing from the spirit and scope of the present invention; therefore, the protection scope of the present invention shall be determined by the appended claims.

10: personal information authorization system
100: application service server
101: user interaction interface
102: authorization barcode conversion module
110: electronic device
111: authorization image capture module
112: authorization ticket verification module
113: identity authentication module
120: mobile personal information authorization server
121: personal information authorization request verification module
122: personal information authorization management module
123: authorization ticket management module
124: user consent record storage module
130: mobile authentication server
131: authentication information verification module
132: authentication key management module
140: personal-information-providing server
141: personal information query processing module
142: personal information database
S1: personal information authorization request
S2: personal information authorization ticket
S3: authorization image
S4: authorization consent record
S5: authentication information
S6: personal information query instruction
S7: specific personal information
S210~S260: steps

FIG. 1 is a schematic diagram of a personal information authorization system according to an embodiment of the present invention. FIG. 2 is a flowchart of a personal information authorization method according to an embodiment of the present invention.


Claims (12)

1. A personal information authorization system, including: a mobile personal information authorization server configured to: receive a personal information authorization request from an application service server, where the application service server generates the personal information authorization request in response to a specific application service requested by a user, and the specific application service requires a plurality of personal information items; in response to the personal information authorization request, return a personal information authorization ticket to the application service server, where the application service server converts the personal information authorization ticket into an authorization image; and, in response to determining that an authorization consent record and authentication information have been received from an electronic device of the user, forward the authentication information in response to the authorization consent record, where the authorization consent record and the authentication information indicate that the user agrees to provide a plurality of specific personal information corresponding to the personal information items; and a mobile authentication server connected to the mobile personal information authorization server and configured to: receive the authentication information and verify the authentication information; and, in response to determining that the authentication information passes verification, notify the mobile personal information authorization server to store the authorization consent record and, through the mobile personal information authorization server, provide a personal information query instruction to a personal-information-providing server, where the personal-information-providing server provides the user's personal information to the mobile personal information authorization server in response to the personal information query instruction, and the mobile personal information authorization server provides the specific personal information to the application service server so that the specific application service is executed.

2. The system according to claim 1, further including the application service server, which includes: an authorization barcode conversion module for converting the personal information authorization ticket into the authorization image; and a user interaction interface for displaying the authorization image.

3. The system according to claim 1, further including the electronic device, which includes: an authorization barcode capture module for capturing the authorization image and converting the authorization image into the personal information authorization ticket; and an authorization ticket verification module configured to: verify the personal information authorization ticket and, after determining that the personal information authorization ticket passes verification, display the personal information items required by the specific application service; in response to determining that the user agrees to authorize the specific personal information to the specific application service, generate the authorization consent record and the authentication information, and encrypt the authentication information with an authentication key; and send the authorization consent record and the encrypted authentication information to the mobile personal information authorization server.

4. The system according to claim 3, where the electronic device further includes an identity authentication module for authenticating the identity of the user when the user agrees to authorize the specific personal information to the specific application service.

5. The system according to claim 1, further including the personal-information-providing server, which is configured to: verify the personal information query instruction; and, in response to determining that the personal information query instruction passes verification, provide the user's specific personal information to the mobile personal information authorization server.

6. The system according to claim 1, where the authorization image includes a one-dimensional barcode or a two-dimensional barcode.

7. The system according to claim 1, where the personal information authorization ticket includes at least one of an application service provider identification code, an operation serial number, the content of the personal information authorization fields, a ticket issuance time, and a signature.

8. The system according to claim 1, where the mobile personal information authorization server includes a personal information authorization request verification module for verifying the legitimacy of the personal information authorization request sent by the application service server, including verification of the source and verification of the data fields of the personal information authorization request.
如請求項1所述的系統,其中該行動個資授權伺服器包括一個資授權管理模組,其用以介接該行動認證伺服器進行該認證資訊的驗證,以及介接該個資提供伺服器進行該些特定個資的查詢,並將該個資提供伺服器提供的該些特定個資回傳至該應用服務伺服器。The system of claim 1, wherein the mobile personal information authorization server includes an information authorization management module, which is used for interfacing with the mobile authentication server to verify the authentication information and interfacing with the data providing server The server queries the specific data, and returns the specific data provided by the data providing server to the application server. 如請求項1所述的系統,其中該行動個資授權伺服器包括一授權票據管理模組,用以依該個資授權請求的資料欄位發行該個資授權票據。The system of claim 1, wherein the mobile personal asset authorization server includes an authorization ticket management module for issuing the personal asset authorization ticket according to the data field of the personal asset authorization request. 如請求項1所述的系統,其中該認證資訊包括對應於該使用者的一特定使用者代碼及一認證時間,且該行動認證伺服器包括: 一認證金鑰管理模組,其用以管理多個使用者認證代碼與多個認證金鑰之對應關係,並於接收該認證資訊後依據該特定使用者代碼查詢對應的一認證金鑰;以及 一認證資訊驗證模組,用以透過認證金鑰解密該認證資訊,以及驗證該認證資訊的合法性。The system of claim 1, wherein the authentication information includes a specific user code and an authentication time corresponding to the user, and the mobile authentication server includes: an authentication key management module, which is used for managing the correspondence between a plurality of user authentication codes and a plurality of authentication keys, and after receiving the authentication information, inquires a corresponding authentication key according to the specific user code; and An authentication information verification module is used for decrypting the authentication information through the authentication key and verifying the legality of the authentication information. 
一種個資授權方法,適於包括一行動個資授權伺服器及一行動認證伺服器的一個資授權系統,所述方法包括: 由該行動個資授權伺服器從一應用服務伺服器接收一個資授權請求,其中該個資授權請求係該應用服務伺服器係因應於一使用者所要求的一特定應用服務而產生,且該特定應用服務需要多個個資項目; 由該行動個資授權伺服器反應於該個資授權請求而回傳一個資授權票據至該應用服務伺服器,其中該應用服務伺服器將該個資授權票據轉換為一授權圖片; 反應於判定從該使用者的一電子裝置接收一授權同意記錄及認證資訊,由該行動個資授權伺服器因應於該授權同意記錄轉發該認證資訊至該行動認證伺服器,其中該授權同意記錄及該認證資訊表示該使用者同意提供對應於該些個資項目的多個特定個資; 由該行動認證伺服器驗證該認證資訊; 反應於判定該認證資訊通過驗證,通知該行動個資授權伺服器保存該授權同意記錄,並透過該行動個資授權伺服器提供一個資查詢指令至一個資提供伺服器,其中該個資提供伺服器因應於該個資查詢指令而將該使用者的該些特定個資提供予該行動個資授權伺服器;以及 由該行動個資授權伺服器將該些特定個資提供予該應用服務伺服器,以執行該特定應用服務。A personal information authorization method, suitable for an information authorization system including a mobile personal information authorization server and a mobile authentication server, the method comprising: A resource authorization request is received by the mobile data authorization server from an application service server, wherein the data authorization request is generated by the application service server in response to a specific application service requested by a user, and the A specific application service requires multiple personal items; returning an asset authorization ticket to the application service server by the mobile asset authorization server in response to the asset authorization request, wherein the application service server converts the asset authorization ticket into an authorization image; In response to determining that an authorization consent record and authentication information are received from an electronic device of the user, the mobile data authorization server forwards the authentication information to the mobile authentication server in response to the authorization consent record, wherein the authorization consent record and the authentication information indicates that the user agrees to provide a plurality of specific personal information corresponding to the personal information items; verifying the authentication information by the mobile authentication server; In response to determining that the authentication information is 
verified, notify the mobile data authorization server to save the authorization consent record, and provide an information query command to a data provision server through the mobile data authorization server, wherein the data provision server the device provides the specific data of the user to the mobile data authorization server in response to the data query command; and The specific data are provided by the mobile data authorization server to the application service server to execute the specific application service.
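The ticket, consent and per-user authentication-key steps of claims 1, 3, 7 and 11, modelled as an added Python example that is not the patent's own implementation: the shared HMAC ticket key, the user-code-to-key map, the field names, the validity windows and the sample record are all assumed, and an HMAC tag over the authentication information stands in for the encryption the claims describe. The point it makes concrete is the abstract's guarantee: the application service receives only the fields the user approved, and only after the device-side ticket check and the server-side key lookup both succeed.

```python
import hashlib, hmac, json

TICKET_TTL = 300   # assumed: seconds a ticket stays valid on the device
AUTH_SKEW = 60     # assumed: tolerated difference between device and server clocks
# Constructed sample secrets: the shared HMAC key stands in for the server's signature key
# (claim 7); USER_KEYS is the user-code -> authentication-key map of claim 11.
TICKET_KEY = b"demo-ticket-signing-key"
USER_KEYS = {"user-42": b"demo-authentication-key-for-user-42"}

def _tag(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue_ticket(provider_id, serial, fields, now):
    """Authorization server: the claim 7 ticket (provider id, serial, fields, issue time) plus signature."""
    body = {"provider": provider_id, "serial": serial, "fields": sorted(fields), "issued": now}
    return {**body, "sig": _tag(TICKET_KEY, body)}

def verify_ticket(ticket, now):
    """Device (claim 3): return the requested items only if the signature holds and the ticket is fresh."""
    body = {k: v for k, v in ticket.items() if k != "sig"}
    if not hmac.compare_digest(_tag(TICKET_KEY, body), ticket["sig"]):
        return None
    return body["fields"] if 0 <= now - ticket["issued"] <= TICKET_TTL else None

def build_consent(ticket, user_code, approved, now):
    """Device: record the approved items (never more than requested) and seal the auth info
    with the user's key; the HMAC tag stands in for the claim's encryption."""
    requested = verify_ticket(ticket, now)
    if requested is None:
        raise ValueError("invalid or stale ticket")
    consent = {"serial": ticket["serial"], "provider": ticket["provider"],
               "granted": [f for f in approved if f in requested]}
    auth = {"user": user_code, "auth_time": now}
    return consent, {**auth, "tag": _tag(USER_KEYS[user_code], auth)}

def verify_auth(auth, now):
    """Mobile authentication server (claim 11): key lookup by user code, tag check, recency check."""
    key = USER_KEYS.get(auth["user"])
    if key is None:
        return False
    body = {"user": auth["user"], "auth_time": auth["auth_time"]}
    return hmac.compare_digest(_tag(key, body), auth["tag"]) and abs(now - auth["auth_time"]) <= AUTH_SKEW

def release(consent, auth, provider_record, now):
    """Authorization server: after auth passes, pass on only the consented fields of the provider's record."""
    if not verify_auth(auth, now):
        return None
    return {f: provider_record[f] for f in consent["granted"] if f in provider_record}
```

A real deployment would sign the ticket with an asymmetric key so the device holds no server secret, and would protect the authentication information with an authenticated cipher rather than a bare tag.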

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109131531A TWI742849B (en) 2020-09-14 2020-09-14 System and method for personal information authorization

Publications (2)

Publication Number Publication Date
TWI742849B TWI742849B (en) 2021-10-11
TW202211056A true TW202211056A (en) 2022-03-16

Family

ID=80782499

Country Status (1)

Country Link
TW (1) TWI742849B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8738027B2 (en) * 2011-02-07 2014-05-27 Qualcomm Incorporated Methods and apparatus for identifying and authorizing location servers and location services
CN105323064B (en) * 2014-07-01 2018-07-10 柯呈翰 In on line add instant file dynamic labels, encrypted system and method
EP3430829B1 (en) * 2016-03-17 2023-01-04 Apple Inc. Managing program credentials on electronic devices
TWI647942B (en) * 2017-12-28 2019-01-11 中華電信股份有限公司 A system and method for accessing and authenticating an electronic certificate
TWM601411U (en) * 2020-06-23 2020-09-11 國泰世華商業銀行股份有限公司 System for digital account application by using ATM to obtain authentication

Also Published As

Publication number Publication date
TWI742849B (en) 2021-10-11

Similar Documents

Publication Publication Date Title
US11956243B2 (en) Unified identity verification
US11750617B2 (en) Identity authentication and information exchange system and method
US11991175B2 (en) User authentication based on device identifier further identifying software agent
US9608982B2 (en) Identity validation system and associated methods
EP2605567B1 (en) Methods and systems for increasing the security of network-based transactions
US20120191615A1 (en) Secure Credit Transactions
CN115271731A (en) System and method for secure processing of electronic identities
US11843599B2 (en) Systems, methods, and non-transitory computer-readable media for secure biometrically-enhanced data exchanges and data storage
JP6538872B2 (en) Common identification data replacement system and method
JP2016181242A (en) System and method for enabling multi-party and multi-level authorization for accessing confidential information
US11521720B2 (en) User medical record transport using mobile identification credential
US11580559B2 (en) Official vetting using composite trust value of multiple confidence levels based on linked mobile identification credentials
US20140082748A1 (en) User information management apparatus and user information management method
JP6566454B2 (en) Authentication method, authentication apparatus, computer program, and system manufacturing method
US20140365366A1 (en) System and device for receiving authentication credentials using a secure remote verification terminal
US11182777B2 (en) Systems and methods using a primary account number to represent identity attributes
US20210110357A1 (en) Digital notarization intermediary system
JP2020102741A (en) Authentication system, authentication method, and authentication program
TWI742849B (en) System and method for personal information authorization
JP2002229956A (en) Biometrics certification system, biometrics certification autority, service provision server, biometrics certification method and program, and service provision method and program
US20200204377A1 (en) Digital notarization station that uses a biometric identification service
US11823092B2 (en) Coordination platform for generating and managing authority tokens
JP2023006478A (en) Information processing device, user terminal, user medium, authentication method, authenticated method, and computer program
FR3081239A1 (en) SYSTEM AND METHOD FOR AUTHENTICATION USING A SINGLE-USE TIME-LIMITED TIME TOKEN
KR20180120017A (en) Finacial system and method managing security medium thereof