TW202240438A - System, device and method for checking password incorrect times through server to complete corresponding operation - Google Patents

Publication number
TW202240438A
Authority
TW
Taiwan
Prior art keywords
certificate
password
client
data
service server
Prior art date
Application number
TW110113404A
Other languages
Chinese (zh)
Other versions
TWI824239B (en)
Inventor
周克遠
曹瑋桓
Original Assignee
臺灣網路認證股份有限公司
Application filed by 臺灣網路認證股份有限公司 filed Critical 臺灣網路認證股份有限公司
Priority to TW110113404A priority Critical patent/TWI824239B/en
Publication of TW202240438A publication Critical patent/TW202240438A/en
Application granted granted Critical
Publication of TWI824239B publication Critical patent/TWI824239B/en

Landscapes

  • Computer And Data Communications (AREA)
  • Lock And Its Accessories (AREA)

Abstract

A system, a device and a method for checking the number of incorrect password entries through a server to complete a corresponding operation are provided. The server determines whether a password transmitted from a client passes validation; when it does not, the server generates an error message based on the number of incorrect password entries, and an operation corresponding to the error message is performed. The system and the method thereby manage the number of password retries effectively and improve the security of using a certificate.

Description

System, device and method for completing an operation by checking the number of incorrect password entries through a server

A system, device and method for determining the number of incorrect password entries, and in particular a system, device and method for completing an operation by checking the number of incorrect password entries through a server.

An electronic certificate, also called a digital certificate, is an identification mechanism used in computer systems. An electronic certificate is a computer file or a set of computer files that records the owner's identity data and a set of public keys. The owner of an electronic certificate can authenticate their identity to a computer system in order to access or use a particular computer service.

The public key contained in a digital certificate corresponds to a private key. In general, the digital certificate and the corresponding private key are recorded in a certificate file in a certain format, and a certificate file containing the digital certificate and the private key usually has to be encrypted before it can be stored in a computer system. That is, the certificate file must first be decrypted with the certificate password before the digital certificate and/or the private key can be obtained from it according to the certificate file format.

However, some applications that use digital certificates may not limit the number of times the certificate password can be entered. In other words, after obtaining a certificate file containing someone else's digital certificate, a malicious party can keep trying to open the certificate file with different strings until the certificate password is guessed. In fact, although there are applications that limit the number of password entries, these applications only record the current error count locally. A malicious party can back up the file that records the error count before starting the password attempts and restore the backup once the error count reaches a certain value. The locally recorded data can thus be altered easily, so the application cannot reliably know how many password attempts have been made against the certificate file.

In summary, the prior art has long had the problem that a certificate password can be tried without limit, so an improved technical means is needed to solve this problem.

In view of the prior-art problem that a certificate password can be tried without limit, the present invention discloses a system, device and method for continuing an operation by checking the number of incorrect password entries through a server, wherein:

The system disclosed in the present invention for completing an operation by checking the number of incorrect password entries through a server comprises at least: a client, which obtains login data, the login data including account data and a certificate password; and a service server, which receives the login data. When the service server determines that the certificate password fails verification, it accumulates an error count, generates a corresponding error message according to the error count, and sends the error message to the client so that the client performs the operation corresponding to the error message. When the service server determines that the certificate password passes verification, it generates a permission message and sends it to the client; after receiving the permission message, the client decrypts the certificate file with the certificate password to obtain certificate data and uses the certificate data to perform a target operation.

The device disclosed in the present invention for completing an operation by checking the number of incorrect password entries through a server comprises at least: an input module, which obtains login data including account data and a certificate password; a communication module, which sends the login data to a service server and receives the error message or permission message returned by the service server; a certificate module, which decrypts the certificate file with the certificate password to obtain certificate data when the communication module receives a permission message; and an execution module, which performs the operation corresponding to the error message when the communication module receives an error message, and which uses the certificate data to perform a target operation.

The method disclosed in the present invention for completing an operation by checking the number of incorrect password entries through a server comprises at least the following steps: a client obtains login data and sends the login data to a service server, the login data including account data and a certificate password; when the service server determines that the certificate password fails verification, it accumulates an error count, generates a corresponding error message according to the error count, and sends the error message to the client so that the client performs the operation corresponding to the error message; when the service server determines that the certificate password passes verification, it generates a permission message and sends it to the client, and after receiving the permission message the client decrypts the certificate file with the certificate password to obtain certificate data and uses the certificate data to perform a target operation.

The system, device and method disclosed in the present invention are as described above. They differ from the prior art in that the client sends the certificate password to the service server, the service server determines whether the certificate password passes verification, and the service server can generate a corresponding error message according to the number of incorrect certificate password entries so that the client performs the corresponding operation according to the error message. This solves the problem in the prior art and achieves the technical effect of improving the security of using digital certificates.

The features and implementations of the present invention are described in detail below with reference to the drawings and embodiments. The content is sufficient for anyone skilled in the relevant art to readily and fully understand the technical means the present invention applies to solve the technical problem and to implement it accordingly, thereby achieving the effects the present invention can achieve.

In the present invention, after the user enters the certificate password, the service server generates a corresponding permission message or error message according to whether the certificate password is correct. When the service server returns a permission message, the client can choose to decrypt the certificate file with the certificate password; when the service server returns an error message, the client can prompt the user to enter the certificate password again or refuse to serve the user.

The operation of the system is first described with reference to FIG. 1, the architecture diagram of the system for completing an operation by checking the number of incorrect password entries through a server. As shown in FIG. 1, the system of the present invention includes a client 110, a service server 120, and an optional certificate server 140. The client 110 and the service server 120 can be connected through a wired or wireless network in order to transmit data or signals to each other.

The client 110 is responsible for sending the login data to the service server 120 and for performing the corresponding operation according to the message returned by the service server. In some embodiments, the client 110 may further include an input module 111, a certificate module 112, a communication module 114, an execution module 115, and an optional computing module 113.

The input module 111 can select the digital certificate to be used. It is also responsible for obtaining the login data and for sending the obtained login data to the service server 120. In general, the input module 111 can display a user interface in which the login data is entered. The login data obtained by the input module 111 includes account data and a certificate password. The account data includes, but is not limited to, an ID card number and/or an account registered in advance on the service server 120.

The certificate module 112 can generate a key pair (in the present invention, the two keys of the key pair are referred to as the public key and the private key) and can generate a Certificate Signing Request (CSR) containing the public key.

The certificate module 112 can also use a predetermined format to generate a certificate file that contains the digital certificate received by the communication module 114 in response to the certificate signing request and the generated private key. In general, when the certificate module 112 generates the certificate file, it encrypts the content of the certificate file with the certificate password from the login data obtained by the input module 111. That is, the client 110 can encrypt data that combines the digital certificate and the private key in the predetermined format to produce the certificate file. The predetermined format is a file format for recording a digital certificate and a private key, such as the PFX or PEM file format, but the present invention is not limited thereto.

The certificate module 112 is also responsible, when the communication module 114 receives a permission message, for decrypting the corresponding certificate file with the certificate password from the login data obtained by the input module 111, and it can obtain the certificate data after decrypting the certificate file. Note that the certificate file can contain the digital certificate and the private key corresponding to the digital certificate (that is, to the public key it contains), and the certificate module 112 can obtain the certificate data from the digital certificate. The certificate data is usually one or more items contained in the digital certificate, such as certificate owner identification data (including but not limited to ID card number, passport number, etc.), the certificate serial number, or the certificate validity period, but the present invention is not limited thereto. For example, the certificate data can also be all the data contained in the digital certificate (that is, the certificate data can be the digital certificate itself).

The certificate module 112 can also perform a certificate deletion operation when the error message received by the communication module 114 indicates that the certificate is to be revoked. For example, the certificate module 112 can delete the certificate file selected by the input module 111, or it can obtain deletion information from the error message and delete the certificate file that the deletion information identifies. The deletion information can include the storage path and file name of the certificate file, or the certificate serial number of the digital certificate contained in the certificate file, or other data sufficient for the execution module 115 to identify the certificate file to be deleted, but the present invention is not limited thereto.

In some embodiments, in addition to the certificate deletion operation, the certificate module 112 can also perform a certificate revocation operation. More specifically, the certificate module 112 can generate a certificate revocation request and send it through the communication module 114 to the certificate server 140 to complete the certificate revocation operation. The certificate revocation request contains data sufficient for the certificate server 140 to identify the digital certificate to be deleted, such as the certificate serial number of the digital certificate, but the present invention is not limited thereto.

The computing module 113 can generate verification data from the certificate password in the login data obtained by the input module 111. More specifically, the computing module 113 can use all or part of the certificate password as the verification data, or it can perform a specific operation on the certificate password to produce the verification data. The specific operation is one that produces a value in one-to-one correspondence with the certificate password and from which the certificate password cannot be derived, such as a hash operation, or one that rearranges the positions of the bits of the certificate password, but the present invention is not limited thereto.

The communication module 114 can send the certificate signing request generated by the certificate module 112 to the certificate server 140 in order to apply to the certificate server 140 for a digital certificate. For example, the communication module 114 can send the certificate signing request directly to the certificate server 140, or it can send the certificate signing request to the service server 120 so that the request reaches the certificate server 140 indirectly through the service server 120.

The communication module 114 can also receive the digital certificate generated by the certificate server 140. In general, the communication module 114 receives the digital certificate over the same route it used to send the certificate signing request to the certificate server 140. For example, it can receive the digital certificate returned by the certificate server 140 directly, or it can receive it through the service server 120, that is, receive the digital certificate forwarded by the service server 120.

The communication module 114 can also send to the service server 120 the account data from the login data obtained by the input module 111 and the certificate data that the certificate module 112 obtained from the digital certificate received by the communication module 114. In some embodiments, the communication module 114 can also send the verification data generated by the computing module 113 to the service server 120 together with the account data and the certificate data.

The communication module 114 is also responsible for receiving the permission messages and error messages sent by the service server 120. In some embodiments, the communication module 114 can also receive a security password sent by the service server 120.

The communication module 114 can also send to the service server 120 the account data obtained by the input module 111, the certificate data obtained by the certificate module 112, and the signature value generated by the execution module 115.

The communication module 114 can also receive associated data sent by the service server 120. The associated data referred to in the present invention is data that can indicate the identity of the owner of the account data entered through the input module 111. It includes, but is not limited to, identification data of the owner of the account data (including but not limited to ID card number, passport number, etc.) or the certificate serial number of the digital certificate that the owner of the account data uses with the service server 120, but the present invention is not limited thereto. In general, the associated data is provided when the owner of the account data registers the account data on the service server 120.

The execution module 115 is responsible for completing the corresponding target operation using the certificate data that the certificate module 112 extracted from the certificate file. The target operation performed by the execution module 115 usually involves signing, for example logging in to the service server 120 or conducting a transaction with the service server 120. More specifically, when the target operation is logging in to the service server 120, the execution module 115 can generate a signature value using the private key that the certificate module 112 obtained by decrypting the certificate file, so that the communication module 114 can send the account data, the certificate data and the signature value to the service server 120 in order to log in. The execution module 115 can use the private key obtained by the certificate module 112 to sign the account data and/or the certificate data to produce the signature value, or it can use the private key to sign specific data contained in the permission message to produce the signature value. When the target operation is a transaction with the service server 120, the client 110 can use the private key to sign the transaction data to produce a signature value and can send the transaction data, the digital certificate (or certificate data) and the signature value to the service server 120 to complete the transaction.

The execution module 115 can also use the security password received by the communication module 114 to encrypt the certificate file generated by the certificate module 112, producing a certificate file that has been encrypted a second time (also called the "encrypted file" in the present invention), so that the encrypted file replaces the certificate file. When the communication module 114 receives a permission message, the execution module 115 can use the security password to decrypt the encrypted file and restore it to a certificate file that can be decrypted with the certificate password. If the permission message contains a replacement password in addition to the security password, then after the certificate module 112 has decrypted the certificate file the execution module 115 can take the replacement password as the new security password and use it to encrypt the certificate file again, producing an encrypted file that replaces the certificate file.

The execution module 115 is also responsible for performing the operation corresponding to an error message when the communication module 114 receives one. For example, when the error message indicates a wrong password, the execution module 115 can perform a prompting operation. More specifically, the execution module 115 can generate a prompt message and display it to prompt the user to enter the login data again, but the present invention is not limited thereto. The prompt message can correspond to the error message and/or can include all or part of the content of the error message. For example, the prompt message can include the number of incorrect password entries recorded in the error message.

The execution module 115 can also determine whether the certificate data that the certificate module 112 obtained after decrypting the certificate file matches the associated data received by the communication module 114. For example, when the associated data includes identification data and/or a certificate serial number, the execution module 115 can determine whether the owner ID card number and/or certificate serial number in the certificate data is the same as the ID card number and/or certificate serial number in the associated data.

The service server 120 is responsible for determining whether the certificate password obtained by the client 110 passes verification, for accumulating the error count when the certificate password fails verification, and for generating a corresponding result message according to whether the certificate password passed verification and the accumulated error count. The service server 120 may further include a transmission module 121, a processing module 122, and a login module 123.

The transmission module 121 is responsible for receiving the login data obtained by the client 110, and also for receiving the account data, certificate data and/or verification data obtained by the client 110. The transmission module 121 is also responsible for sending the error message or permission message generated by the processing module 122 to the client 110.

The transmission module 121 can also receive the certificate signing request generated by the client 110 and forward it to the certificate server 140, and it can receive the digital certificate returned by the certificate server 140 and forward it to the client 110. The transmission module 121 can also send the certificate revocation request generated by the processing module 122 to the certificate server 140 to complete the certificate revocation operation.

The transmission module 121 can also send the security password generated by the processing module 122 to the client 110. In general, the transmission module 121 can send the security password to the client 110 together with the digital certificate it forwards from the certificate server 140, but the present invention is not limited thereto.

The processing module 122 can store the account data, certificate data and verification data received by the transmission module 121 as one record. It can also obtain the certificate data from the digital certificate received by the transmission module 121 and store the received account data and verification data together with the obtained certificate data as one record. In some embodiments, if the verification data received by the transmission module 121 was not produced by the client 110 through the specific operation but is all or part of the certificate password, the processing module 122 can perform the specific operation on the verification data and use the result as the new verification data.

The processing module 122 is also responsible for determining whether the certificate password received by the transmission module 121 passes verification. In general, the processing module 122 can read the corresponding verification data according to the account data received by the transmission module 121, perform the specific operation on the certificate password to produce a corresponding computed value, and compare the computed value with the verification data it read. When the computed value is the same as the verification data, the processing module 122 determines that the certificate password passes verification; when the computed value differs from the verification data, the processing module 122 determines that the certificate password fails verification.

The processing module 122 is also responsible, when it determines that the certificate password received by the transmission module 121 fails verification, for accumulating the error count associated with the account data received by the transmission module 121 and for generating an error message corresponding to the accumulated error count. More specifically, the processing module 122 can determine whether the accumulated error count has reached a predetermined threshold. If the accumulated error count has not reached the threshold, the processing module 122 can generate an error message indicating a wrong password. If the error count has reached the threshold, the processing module 122 can generate an error message indicating that the certificate is to be revoked, and it can generate a certificate revocation request to carry out the certificate revocation operation. In some embodiments, the error message can include the error count.

The processing module 122 is also responsible for generating a permission message when it determines that the certificate password received by the transmission module 121 passes verification. The processing module 122 can read the corresponding security password from the pre-stored records according to the account data received by the transmission module 121 and, when generating the permission message, include the security password it read in that message. In some embodiments, the processing module 122 can additionally generate a new security password (also called the "replacement password" in the present invention) when it reads the security password, update the security password that corresponds to the account data received by the transmission module 121 in the pre-stored records to the replacement password, and generate a permission message containing both the security password it read and the newly generated replacement password.

The processing module 122 can also read the corresponding certificate data from the pre-stored records according to the account data in the login data received by the transmission module 121, use the certificate data it read as associated data, and generate a permission message containing the associated data. In some embodiments, the processing module 122 can add the associated data to the SESSION of the connection with the client 110, so that the transmission module 121 sends the associated data to the client 110 together with the permission message.

The login module 123 can use the account data and certificate data received by the transmission module 121 to decide whether to allow the client 110 to log in. For example, the login module 123 can allow the client 110 to log in to the service server 120 when it determines that the received account data and certificate data have been registered, that is, when a record exists that contains both the account data and the certificate data. The login module 123 can also refuse (not allow) the client 110 to log in to the service server 120 when it determines that the received account data and certificate data have not been registered or that no corresponding account data and certificate data exist.

The login module 123 can also decide whether to allow the client 110 to log in to the service server 120 according to the account data, certificate data and signature value received by the transmission module 121. In more detail, when the login module 123 determines that the account data and certificate data have been registered, it can also obtain the public key contained in the corresponding digital certificate according to the certificate data and use the public key to verify the signature value. Only if the signature value passes verification does the login module 123 allow the client 110 to log in to the service server 120; if the signature value does not pass verification, the login module 123 does not allow the client 110 to log in to the service server 120.

The certificate server 140 can receive a certificate signing request sent by the client 110 or the service server 120, and can send the digital certificate corresponding to the received certificate signing request to the client 110 or service server 120 that issued the request.

The certificate server 140 can be a certificate signing server (CA), in which case the certificate server 140 can generate the corresponding digital certificate according to the received certificate signing request. The certificate server 140 can also be a certificate registration server (RA), in which case the certificate server 140 can forward the received certificate signing request to the certificate signing server and receive the digital certificate returned by the certificate signing server.

The certificate server 140 can also receive a certificate revocation request sent by the client 110 or the service server 120, and can cancel the digital certificate indicated by the certificate revocation request.

Next, an embodiment is used to explain the operation of the system and method of the present invention; please refer to Fig. 2A, a flow chart of the method proposed by the present invention for checking the number of password errors through a server to complete an operation. In this embodiment, the service server 120 is assumed to be a financial service server, but the present invention is not limited to this.

First, if the user does not have a digital certificate, the user can operate the client 110 to apply to the certificate server 140 for the user's digital certificate. In this embodiment, assume the flow shown in Fig. 2B: the user can operate the client 110 to connect to the service server 120 and, once the client 110 is connected to the service server 120, operate the client 110 to apply for a digital certificate. The input module 111 of the client 110 can then provide an input interface for the user to enter account data and a certificate password (the login data); the computing module 113 of the client 110 can generate a hash value of the certificate password entered through the input module 111; the certificate module 112 of the client 110 can generate a key pair consisting of a public key and a private key and use the public key to generate a certificate signing request; and the communication module 114 of the client 110 can send the account data entered through the input module 111, the hash value of the certificate password generated by the computing module 113, and the certificate signing request generated by the certificate module 112 to the service server 120, thereby applying to the certificate server 140 for a digital certificate through the service server 120 (step 201).

After the transmission module 121 of the service server 120 receives the account data, the hash value of the certificate password and the certificate signing request sent by the client 110, it can forward the received certificate signing request to the certificate server 140, so that the certificate server 140 issues a digital certificate according to the certificate signing request. The transmission module 121 can receive the digital certificate of the client 110 returned by the certificate server 140, after which the processing module 122 of the service server 120 can extract certificate data, such as the certificate serial number, from the digital certificate received by the transmission module 121 (step 205).

Next, the processing module 122 of the service server 120 can store the account data and the hash value of the certificate password received by the transmission module 121 of the service server 120, together with the extracted certificate serial number, as one record, and the transmission module 121 of the service server 120 can forward the digital certificate received from the certificate server 140 back to the client 110 (step 207).

After the communication module 114 of the client 110 receives the digital certificate sent by the service server 120, the certificate module 112 of the client 110 can encrypt the digital certificate received by the communication module 114 and the private key of the generated key pair with the certificate password entered through the input module 111 of the client 110, thereby producing a certificate file that contains the digital certificate and the private key, and can store the resulting certificate file.

Returning to Fig. 2A, when the user of the client 110 needs to log in to the service server 120 to use the services it provides, the input module 111 of the client 110 can obtain, through the user interface it provides, the login data entered by the user, which contains the account data and the certificate password, and the communication module 114 of the client 110 can send the login data obtained by the input module 111 to the service server 120 (step 220).

After the transmission module 121 of the service server 120 receives the login data sent by the client 110, the processing module 122 of the service server 120 can determine whether the certificate password contained in the login data received by the transmission module 121 passes verification (step 230). In this embodiment, assume that the processing module 122 can read, from the record stored while the client 110 applied to the certificate server 140 for a digital certificate through the service server 120, the hash value of the certificate password (the verification data) that corresponds to the account data received by the transmission module 121; it can perform a hash operation on the certificate password to produce the corresponding computed value, compare the computed value with the verification data it read, and determine whether the certificate password passes verification according to whether the computed value and the verification data are the same.

If the processing module 122 of the service server 120 determines that the certificate password received by the transmission module 121 of the service server 120 does not pass verification, then, as shown in the flow of Fig. 2C, the processing module 122 can accumulate the error count corresponding to the account data received by the transmission module 121 (step 241) and further determine whether the accumulated error count has reached the threshold (step 243).

If it has not, the processing module 122 can generate an error message indicating a wrong password, and the transmission module 121 can send the error message generated by the processing module 122 to the client 110 (step 245). After the communication module 114 of the client 110 receives the error message, the execution module 115 of the client 110 can prompt the user to enter the login data again according to the error message received by the communication module 114, and the communication module 114 can send the login data re-entered by the user to the service server 120 (step 220).

If it has, that is, if the error count corresponding to the account data received by the transmission module 121 of the service server 120 has reached the threshold, the processing module 122 of the service server 120 can generate an error message indicating certificate revocation, and the transmission module 121 can send the error message generated by the processing module 122 to the client 110 (step 247). After the communication module 114 of the client 110 receives the error message indicating certificate revocation, the certificate module 112 of the client 110 can delete the certificate file that contains the corresponding digital certificate according to the related data contained in the error message received by the communication module 114 (step 295). Here, the processing module 122 of the service server 120 can read the certificate serial number (certificate data) that corresponds to the account data received by the transmission module 121 from the pre-established records and generate an error message containing that certificate serial number, so that the certificate module 112 of the client 110 can find the certificate file containing the digital certificate that corresponds to the certificate serial number in the error message and delete that certificate file.

Returning again to Fig. 2A, when the processing module 122 of the service server 120 determines whether the certificate password contained in the login data passes verification (step 230), if it determines that the certificate password received by the transmission module 121 of the service server 120 passes verification, the processing module 122 can generate a permission message, and the transmission module 121 can send the permission message generated by the processing module 122 back to the client 110 (step 250).

After the communication module 114 of the client 110 receives the permission message sent by the service server 120, the certificate module 112 of the client 110 can use the certificate password in the login data it obtained to obtain the certificate data (step 270). In this embodiment, assume that the certificate module 112 can use the certificate password to decrypt the certificate file, extract the digital certificate from the certificate file, and extract the certificate serial number from the digital certificate as the certificate data.

After the certificate module 112 of the client 110 obtains the certificate data, the communication module 114 of the client 110 can send the certificate data obtained by the certificate module 112 and the account data in the login data obtained by the input module 111 of the client 110 to the service server 120 in order to log in to the service server 120 (step 290). In this embodiment, assume that after the transmission module 121 of the service server 120 receives the account data and certificate data, the login module 123 of the service server 120 can decide whether to allow the client 110 to log in to the service server 120 according to whether the account data and certificate data received by the transmission module 121 have been registered. For example, when a registration record exists that contains both the account data and the certificate data, the login module 123 can allow the client 110 to log in to the service server 120; otherwise, the login module 123 can refuse (not allow) the client 110 to log in to the service server 120.

In this way, through the present invention, the service server 120 can determine whether the certificate password entered by the user of the client 110 is correct and accumulate an error count when the certificate password is wrong, so that whether the user may continue to enter the certificate password can be decided according to the error count accumulated by the service server.

In the above embodiment, as shown in the flow of Fig. 2D, after the transmission module 121 of the service server 120 receives the digital certificate returned by the certificate server 140 (step 205), the processing module 122 of the service server 120 can also generate a security password; for example, the processing module 122 can use the Advanced Encryption Standard (AES) to generate the security password. The transmission module 121 of the service server 120 can send the security password generated by the processing module 122 to the client 110 together with the digital certificate received from the certificate server 140 (step 209).

After the communication module 114 of the client 110 receives the digital certificate and security password sent by the service server 120, the certificate module 112 of the client 110 can encrypt the digital certificate and the private key of the generated key pair with the certificate password using the Advanced Encryption Standard, thereby producing the certificate file. The execution module 115 of the client 110 can then encrypt the certificate file with the security password received by the communication module 114, thereby producing an encrypted file (step 210); the execution module 115 of the client 110 can also store the security password.

In this way, after the processing module 122 of the service server 120 determines that the certificate password in the login data received by the transmission module 121 of the service server 120 passes verification (step 230), when the processing module 122 generates the permission message for the client 110 (step 250), it can also read the security password that corresponds to the account data in the login data from the pre-established records (step 253) and generate a permission message containing that security password, and the transmission module 121 of the service server 120 can send the permission message containing the security password to the client 110 (step 255).

After the communication module 114 of the client 110 receives the permission message sent by the service server 120, the execution module 115 of the client 110 can use the security password in the permission message received by the communication module 114 to decrypt the previously generated encrypted file and restore the certificate file (step 260). The certificate module 112 of the client 110 can then use the certificate password to decrypt the certificate file restored by the execution module 115 and obtain the certificate data (step 270).

Going further, when the processing module 122 of the service server 120 generates the permission message for the client 110 (step 250), the processing module 122 can read the security password that corresponds to the account data in the login data from the pre-established records (step 253) and generate a replacement password, at the same time replacing the security password that corresponds to that account data in the pre-established records with the replacement password, so that the replacement password becomes the new security password. The processing module 122 can then generate a permission message containing both the original security password and the newly generated replacement password (step 255).

After the transmission module 121 of the service server 120 sends the permission message generated by the processing module 122 to the client 110 and the communication module 114 of the client 110 receives it, the execution module 115 of the client 110 can use the original security password in the permission message received by the communication module 114 to decrypt the previously generated encrypted file and restore the certificate file (step 260), and the certificate module 112 of the client 110 can use the certificate password to decrypt the certificate file restored by the execution module 115 and obtain the certificate data (step 270). After the certificate module 112 obtains the certificate data, the execution module 115 can use the replacement password in the permission message to encrypt the certificate file again and produce a new encrypted file. By changing to a different security password each time the client 110 accesses the certificate file, the possibility of the security password being stolen can be avoided, further improving the security of the certificate file.
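The server-side bookkeeping of steps 230 to 255 (error counting, threshold check, revocation message, and security-password rotation) together with the client's reaction in steps 260 and 295 can be sketched as follows. This is an added example, not code from the patent: the class, method and message field names, the threshold of 3, the SHA-256 hash, and the fingerprint that stands in for AES encryption of the certificate file are all assumptions.

```python
import hashlib
import hmac
import secrets


def password_hash(password):
    # The page stores "a hash value of the certificate password" but names no
    # algorithm; SHA-256 is an assumption. A salted, slow KDF is the usual choice.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ServiceServer:
    """Hypothetical stand-in for service server 120 (processing module 122)."""

    def __init__(self, threshold=3):           # threshold value is an assumption
        self.threshold = threshold
        self.records = {}                      # account -> stored record
        self.revocation_requests = []          # stand-in for certificate server 140

    def register(self, account, pw_hash, serial):
        # Steps 205-209: store account, password hash, serial and security password.
        security_password = secrets.token_hex(16)
        self.records[account] = {"pw_hash": pw_hash, "serial": serial,
                                 "security_password": security_password,
                                 "errors": 0, "revoked": False}
        return security_password

    def login(self, account, certificate_password):
        rec = self.records.get(account)
        if rec is None or rec["revoked"]:
            # Assumption: the page does not describe logins after revocation.
            return {"type": "rejected"}
        computed = password_hash(certificate_password)             # step 230
        if not hmac.compare_digest(computed, rec["pw_hash"]):
            rec["errors"] += 1                                     # step 241
            if rec["errors"] >= self.threshold:                    # step 243
                rec["revoked"] = True
                self.revocation_requests.append(rec["serial"])
                return {"type": "revoke_certificate",              # step 247
                        "serial": rec["serial"], "errors": rec["errors"]}
            return {"type": "wrong_password", "errors": rec["errors"]}  # step 245
        # Steps 253-255: hand out the current security password and rotate it.
        # The page does not say whether a success resets the error count;
        # this sketch leaves the count unchanged.
        old = rec["security_password"]
        rec["security_password"] = secrets.token_hex(16)
        return {"type": "permission", "security_password": old,
                "replacement_password": rec["security_password"]}


class Client:
    """Hypothetical stand-in for client 110 (modules 112 and 115)."""

    def __init__(self):
        # serial -> fingerprint of the security password wrapping the file.
        # The fingerprint models the AES-encrypted file of step 210.
        self.files = {}

    def store(self, serial, security_password):
        self.files[serial] = password_hash(security_password)

    def handle(self, serial, msg):
        if msg["type"] == "revoke_certificate":
            self.files.pop(msg["serial"], None)                    # step 295
            return "deleted"
        if msg["type"] == "rejected":
            return "stop"
        if msg["type"] == "permission":
            wrapped = self.files.get(serial)
            offered = password_hash(msg["security_password"])
            if wrapped is None or not hmac.compare_digest(wrapped, offered):
                return "unwrap_failed"                             # stale password
            # Step 260 succeeded; re-wrap with the replacement password.
            self.files[serial] = password_hash(msg["replacement_password"])
            return "unwrapped_and_rewrapped"
        return "retry"                                             # back to step 220


def run_demo():
    # Constructed sample: three wrong guesses, then the right password too late.
    server, client = ServiceServer(threshold=3), Client()
    sp = server.register("alice", password_hash("correct horse"), "SERIAL-0001")
    client.store("SERIAL-0001", sp)
    outcomes = []
    for attempt in ["guess1", "guess2", "guess3", "correct horse"]:
        msg = server.login("alice", attempt)
        outcomes.append((msg["type"], client.handle("SERIAL-0001", msg)))
    return outcomes, server.revocation_requests, client.files
```

Because the counter lives on the server and is keyed by account, restarting or reinstalling the client does not reset it, which is the property the description relies on.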

In addition, in the above embodiment, after the processing module 122 of the service server 120 determines that the certificate password contained in the login data received by the transmission module 121 of the service server 120 passes verification (step 230), when the processing module 122 generates and sends the permission message to the client 110 (step 250), as shown in the flow of Fig. 2E, the processing module 122 can read the certificate data that corresponds to the account data in the login data from the pre-stored records, such as the national ID number of the owner of the account data or the certificate serial number used by the owner of the account data, and use the certificate data it read as associated data (step 251); the transmission module 121 can send the associated data to the client 110 together with the permission message (step 259). Here, the processing module 122 can add the associated data to the SESSION of the connection with the client 110, so that when the transmission module 121 sends the permission message, the associated data is sent to the client 110 along with it by way of the SESSION.

In this way, after the communication module 114 of the client 110 receives the permission message and associated data sent by the service server 120, and the certificate module 112 of the client 110 uses the certificate password in the login data obtained by the input module 111 of the client 110 to obtain the certificate data (step 270), the execution module 115 of the client 110 can determine whether the certificate data obtained by the certificate module 112 matches the associated data received by the communication module 114 (step 280), for example by checking whether the owner's national ID number or the certificate serial number in the certificate data is the same as the corresponding item in the associated data. If they do not match, the execution module 115 can generate and display an error message indicating that identity confirmation failed (step 285) to alert the user of the client 110. Only if the execution module 115 determines that the certificate data matches the associated data can the communication module 114 of the client 110 send the certificate data obtained by the certificate module 112 and the account data in the login data obtained by the input module 111 of the client 110 to the service server 120 in order to log in to the service server 120 (step 290).

In summary, the difference between the present invention and the prior art is the following technical means: the client sends the certificate password to the service server, the service server determines whether the certificate password passes verification and can generate a corresponding error message according to the number of certificate password errors, and the client performs the corresponding operation according to the error message. This technical means solves the prior-art problem that the certificate password can be tried again and again, and thereby achieves the technical effect of improving the security of using digital certificates.

Furthermore, the method of the present invention for checking the number of password errors through a server to complete an operation can be implemented in hardware, software, or a combination of hardware and software, and can be implemented in a centralized manner in one computer system or in a distributed manner in which different components are spread across several interconnected computer systems.

Although the embodiments of the present invention are disclosed as above, the content described is not intended to directly limit the scope of patent protection of the present invention. Any minor changes or refinements in the form and details of implementation made by a person having ordinary knowledge in the technical field of the present invention, without departing from the spirit and scope disclosed by the present invention, fall within the scope of patent protection of the present invention. The scope of patent protection of the present invention shall still be that defined by the appended claims.

110: Client
111: Input module
112: Certificate module
113: Computing module
114: Communication module
115: Execution module
120: Service server
121: Transmission module
122: Processing module
123: Login module
140: Certificate server
Step 201: The client applies to the certificate server for a digital certificate
Step 205: The service server receives the digital certificate generated by the certificate server and extracts the certificate data from the digital certificate
Step 207: The service server sends the digital certificate to the client
Step 209: The service server generates a security password and sends the security password to the client
Step 210: The client encrypts the certificate file with the security password to produce an encrypted file
Step 220: The client obtains the account data and certificate password and sends them to the service server
Step 230: The service server determines whether the certificate password passes verification
Step 240: The service server accumulates the error count, generates an error message according to the error count, and sends the error message to the client
Step 241: The service server accumulates the error count
Step 243: The service server determines whether the error count exceeds the threshold
Step 245: The service server generates an error message indicating a wrong password and sends the error message to the client
Step 247: The service server generates an error message indicating certificate revocation and sends it to the client
Step 250: The service server generates a permission message and sends it to the client
Step 251: The service server reads the associated data
Step 253: The service server reads the security password
Step 255: The service server generates a permission message containing the security password and sends the permission message to the client
Step 259: The service server sends the permission message and the associated data to the client
Step 260: The client uses the security password to decrypt the encrypted file and restore the certificate file
Step 270: The client uses the certificate password to decrypt the certificate file and obtain the certificate data
Step 280: The client determines whether the certificate data matches the associated data
Step 285: The client generates and displays an error message indicating that identity confirmation failed
Step 290: The client performs the target operation according to the certificate data
Step 295: The client deletes the certificate file containing the corresponding digital certificate according to the error message

FIG. 1 is an architecture diagram of the system proposed by the present invention for checking the number of incorrect passwords through a server to continue an operation.
FIG. 2A is a flowchart of the method proposed by the present invention for checking the number of incorrect passwords through a server to complete an operation.
FIG. 2B is a flowchart of the method proposed by the present invention by which the service server obtains the data related to the digital certificate.
FIG. 2C is a flowchart of the password error handling process proposed by the present invention.
FIG. 2D is a flowchart of the method proposed by the present invention for encrypting and decrypting the certificate file with the security password.
FIG. 2E is a flowchart of the method proposed by the present invention for confirming the user's identity with the associated data.

Step 220: The client obtains the account data and the certificate password and sends them to the service server

Step 230: The service server determines whether the certificate password passes verification

Step 240: The service server accumulates the error count, generates an error message according to the error count, and sends the error message to the client

Step 250: The service server generates a permission message and sends it to the client

Step 270: The client decrypts the certificate file with the certificate password to obtain the certificate data

Step 290: The client executes the target operation according to the certificate data

Claims (10)

1. A method for completing an operation by checking the number of incorrect passwords through a server, the method comprising at least the following steps: a client obtains login data and sends the login data to a service server, the login data including account data and a certificate password; when the service server determines that the certificate password fails verification, it accumulates an error count, generates a corresponding error message according to the error count, and sends the error message to the client, so that the client performs an operation corresponding to the error message; and when the service server determines that the certificate password passes verification, it generates a permission message and sends it to the client, and the client, after receiving the permission message, uses the certificate password to decrypt a certificate file to obtain certificate data and uses the certificate data to execute a target operation.

2. The method of claim 1, wherein the step in which the service server generates the corresponding error message according to the error count is that the service server generates the error message indicating certificate revocation when the error count reaches a threshold, and generates the error message indicating a wrong password when the error count has not reached the threshold; and the client performing the operation corresponding to the error message is that the client deletes the certificate file containing the corresponding digital certificate according to the error message indicating certificate revocation, or displays an error prompt according to the error message indicating a wrong password.

3. The method of claim 1, wherein before the step in which the client obtains the login data, the method further comprises receiving a security password generated by the service server and using the security password to encrypt the certificate file to generate an encrypted file; and before the step in which the client uses the certificate password to decode the certificate file to obtain the certificate data, the method further comprises a step in which the client uses the security password contained in the permission message to decrypt the encrypted file to restore the certificate file.

4. The method of claim 1, wherein before the step in which the client sends the login data to the service server, the method further comprises a step in which the client connects to a certificate server to apply for a digital certificate, then generates the certificate file containing the digital certificate and sends the data related to the digital certificate and the certificate password to the service server; or a step in which the client applies to the certificate server for the digital certificate through the service server, so that the service server obtains the data related to the digital certificate and the certificate password and sends the digital certificate to the client, and the client generates the certificate file containing the digital certificate.

5. The method of claim 1, wherein the step in which the service server generates the permission message and sends it to the client further comprises a step in which the service server reads associated data according to the account data and sends the associated data to the client; and before the step in which the client uses the certificate password to decrypt the certificate file to obtain the certificate data, the method further comprises a step in which the client determines whether the certificate data matches the associated data.

6. A system for completing an operation by checking the number of incorrect passwords through a server, the system comprising at least: a client, configured to obtain login data, the login data including account data and a certificate password; and a service server, configured to receive the login data and, when it determines that the certificate password fails verification, to accumulate an error count, generate a corresponding error message according to the error count, and send the error message to the client, so that the client performs an operation corresponding to the error message, and configured, when it determines that the certificate password passes verification, to generate a permission message and send it to the client, the client, after receiving the permission message, using the certificate password to decrypt a certificate file to obtain certificate data and using the certificate data to execute a target operation.

7. The system of claim 6, wherein the service server generates the error message indicating certificate revocation when the error count reaches a threshold, and generates the error message indicating a wrong password when the error count has not reached the threshold; and the client deletes the certificate file containing the corresponding digital certificate according to the error message indicating certificate revocation, or displays an error prompt according to the error message indicating a wrong password.

8. The system of claim 6, wherein the service server is further configured to generate a security password and send the security password to the client, and to generate the permission message containing the security password; and the client is further configured to use the security password to encrypt the certificate file to generate the encrypted file and, on receiving the permission message, to use the security password to decrypt the encrypted file to produce the certificate file.

9. The system of claim 6, wherein the service server is further configured to read associated data according to the account data and send the permission message and the associated data to the client; and the client is further configured, on receiving the permission message, to determine whether the certificate data matches the associated data and, when the certificate data matches the associated data, to send the certificate data and the account data to the service server.

10. A device for completing an operation by checking the number of incorrect passwords through a server, the device comprising at least: an input module, which obtains login data, the login data including account data and a certificate password; a communication module, configured to send the login data to a service server and to receive an error message or a permission message returned by the service server; a certificate module, configured to use the certificate password to decrypt a certificate file to obtain certificate data when the communication module receives the permission message; and an execution module, configured to perform an operation corresponding to the error message when the communication module receives the error message, and to execute a target operation using the certificate data.
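The flow of claims 1 and 2 can be modelled in Python as below; this is an added example, not code from the patent or its applicant, covering the server-side error count and the client's reaction to each message. The threshold of 3, the salted PBKDF2 verifier, the message field names and all class and function names are assumptions, and the sample account and temporary file are constructed.

```python
import hashlib, hmac, os, tempfile

THRESHOLD = 3  # assumed value; the claims only say "a threshold"

def _verifier(password: str, salt: bytes) -> bytes:
    # Assumption: the server keeps a salted PBKDF2 verifier, not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ServiceServer:
    def __init__(self):
        self.accounts = {}  # account -> salt, verifier, error count, revoked flag

    def enroll(self, account: str, cert_password: str) -> None:
        salt = os.urandom(16)
        self.accounts[account] = {"salt": salt, "errors": 0, "revoked": False,
                                  "verifier": _verifier(cert_password, salt)}

    def login(self, account: str, cert_password: str) -> dict:
        rec = self.accounts.get(account)
        if rec is None:
            return {"type": "error", "reason": "wrong_password"}
        if rec["revoked"]:  # once revoked, even the right password is refused
            return {"type": "error", "reason": "revoked"}
        if hmac.compare_digest(_verifier(cert_password, rec["salt"]), rec["verifier"]):
            return {"type": "permit"}  # count left as is: the page describes no reset
        rec["errors"] += 1
        if rec["errors"] >= THRESHOLD:  # claim 2: the count "reaches" the threshold
            rec["revoked"] = True
            return {"type": "error", "reason": "revoked"}
        return {"type": "error", "reason": "wrong_password", "errors": rec["errors"]}

class Client:
    def __init__(self, server: ServiceServer, account: str, cert_path: str):
        self.server, self.account, self.cert_path = server, account, cert_path

    def attempt(self, cert_password: str) -> str:
        msg = self.server.login(self.account, cert_password)
        if msg["type"] == "permit":
            return "permit"  # the client would now decrypt the certificate file
        if msg["reason"] == "revoked":
            if os.path.exists(self.cert_path):
                os.remove(self.cert_path)  # claim 2: delete the local certificate file
            return "revoked"
        return "wrong_password"  # claim 2: show an error prompt, file untouched

def demo() -> list:
    server = ServiceServer()
    server.enroll("alice", "correct horse")  # constructed sample account
    fd, path = tempfile.mkstemp(suffix=".p12")  # stand-in for the certificate file
    os.close(fd)
    client = Client(server, "alice", path)
    results = [client.attempt(p) for p in ("a", "b", "c", "correct horse")]
    return results + [os.path.exists(path)]

if __name__ == "__main__":
    print(demo())
```

Because the count lives on the server, deleting or restoring the local certificate file does not give the client fresh attempts.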
TW110113404A 2021-04-14 2021-04-14 System, device and method for checking password incorrect times through server to complete corresponding operation TWI824239B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110113404A TWI824239B (en) 2021-04-14 2021-04-14 System, device and method for checking password incorrect times through server to complete corresponding operation

Publications (2)

Publication Number Publication Date
TW202240438A true TW202240438A (en) 2022-10-16
TWI824239B TWI824239B (en) 2023-12-01

Family

ID=85460447

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110113404A TWI824239B (en) 2021-04-14 2021-04-14 System, device and method for checking password incorrect times through server to complete corresponding operation

Country Status (1)

Country Link
TW (1) TWI824239B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991600B (en) * 2015-02-25 2019-06-21 阿里巴巴集团控股有限公司 Identity identifying method, device, server and terminal
TW201824129A (en) * 2016-12-29 2018-07-01 臺灣中小企業銀行股份有限公司 System for applying for certificate online through carrier for transaction and method thereof

Also Published As

Publication number Publication date
TWI824239B (en) 2023-12-01
