TWI247515B - End-to-end encryption system and method - Google Patents

End-to-end encryption system and method

Info

Publication number
TWI247515B
Authority
TW
Taiwan
Prior art keywords
server
encryption
key
data
mentioned
Prior art date
Application number
TW92133540A
Other languages
Chinese (zh)
Other versions
TW200518548A (en)
Inventor
Yen-Lo Chen
Yuan-Wei Liu
Original Assignee
Inst Information Industry
Application filed by Inst Information Industry
Priority to TW92133540A
Publication of TW200518548A
Application granted
Publication of TWI247515B


Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides an end-to-end encryption system and method. The system comprises: a service end, which processes data in service-end format to provide services and holds a decryption key and an encryption key; a client end, which requests the services; and a server, which provides an input interface. The server holds a mapping rule and is coupled to the client end and the service end. The input interface is used to receive the data related to the service end. The client end obtains the encryption key and the mapping rule, and obtains the input interface from the server. The input interface receives the data related to the service end. The client end converts that data into service-end-format data according to the mapping rule, and then performs the encryption procedure on the service-end-format data to turn it into encrypted data.

Description

1247515 V. Description of the Invention

[Technical Field of the Invention]

The present invention relates to a network security mechanism, and in particular to an end-to-end encryption system and method.

[Prior Art]

Providing web services through a web server is a very common application. To protect the data handled by a web service, an encryption mechanism is usually applied between the web server and the client; the most common practice at present is to implement the security mechanism between the web server and the client with the Secure Socket Layer (SSL). In newer applications, integrated services on the Internet are the coming trend, that is, network services provided by several different vendors are integrated through a single web page. For example, a web server connects to several service ends over the network and merges the network services they provide into one integrated web page, which serves as the user interface. This architecture is shown in Figure 1. When the client 51 requests the network services of several service ends, the client 51 obtains the integrated web page from the web server 61. The user then enters the data required by those network services into the integrated web page. The SSL mechanism turns the entered data and the integrated web page into encrypted data, which is returned to the web server 61. Because each service end processes data in its own format, for example its own kind of markup language and data structure, the web server 61 must first decrypt the encrypted data and then, according to preset data conversion rules, convert the part of the data that belongs to each service end into the data format that service end requires. Next, the converted data for each service end is encrypted with the encryption key used between that service end and the web server, and the encrypted converted data is assembled into a service message, such as a Simple Object Access Protocol (SOAP) message, and sent to the respective service end. After receiving the encrypted converted data, each of the service ends 73-75 decrypts it with its own decryption key to obtain the converted data.

In the conventional architecture the web server 61 has to convert the data received through the integrated web page, so after the user encrypts and sends the data required by the network services, that data is decrypted inside the web server 61. The SSL mechanism is a point-to-point protection mechanism: it satisfies the confidentiality requirement between the client 51 and the web server 61, but when part of the data required by the network services is confidential data belonging to a particular service end, that is, data that only the corresponding service end may legitimately obtain, the web server 61 is in principle not permitted to obtain it, and confidential data that has been decrypted by the web server 61 is exposed to the risk of theft. The current system therefore cannot satisfy this security requirement when confidential data is sent from the client 51 to the service ends 73-75, and a solution is needed that delivers the client's confidential data to the service end securely and confidentially.

[Summary of the Invention]

In view of this, an object of the present invention is to provide an end-to-end encryption system and method that satisfy the security and confidentiality requirements when confidential data is transmitted from a client to a service end.

To achieve the above object, the present invention provides an end-to-end encryption system. The system comprises a service end, which processes data in service-end format to provide a service and holds a decryption key and an encryption key; a client, which requests the service; and a server, which provides an input interface. The server holds a mapping rule and is coupled to the client and to the service end. The input interface is used to receive the data related to the service end. The client obtains the encryption key and the mapping rule, and obtains the input interface from the server. The input interface receives the data related to the service end. The client converts the received data into service-end-format data according to the mapping rule, and then performs an encryption procedure on the converted service-end-format data with the encryption key to produce encrypted data.

The present invention further provides an end-to-end encryption method, executed in a system comprising a service end that processes data in service-end format to provide a service and holds a decryption key and an encryption key, a client that requests the service, and a server that provides an input interface. The server holds a mapping rule and is coupled to the client and to the service end, and the input interface receives the data related to the service end. The client obtains the encryption key and the mapping rule, and obtains the input interface from the server. The input interface receives the data related to the service end. The client converts the received data into service-end-format data according to the mapping rule, and then performs an encryption procedure on the converted service-end-format data with the encryption key to produce encrypted data.

[Embodiments]

The present invention provides an end-to-end encryption system and method which ensure that confidential data remains encrypted throughout its transmission from the client to the service end. Figure 2 is a schematic diagram of an end-to-end encryption system according to a preferred embodiment of the present invention, comprising a client 50, a web server 60, service ends 70-72, and the Internet 80. Data is exchanged between the web server 60, the client 50 and the service ends 70-72 over the Internet 80. Although the preferred embodiment uses the Internet 80 as the medium coupling the client 50, the web server 60 and the service ends 70-72, the web server 60 may be coupled to the client 50 and the service ends 70-72 in other ways, for example through a local area network, a wireless local area network, or a wireless telephone network. Figure 3 is a flow chart of the end-to-end encryption method of the preferred embodiment. The embodiment is described in detail below with reference to Figures 2 and 3.

The service ends 70-72 each process data in their own service-end format to provide different services, for example an insurance service, a payment service, and a financial service. Each of the service ends 70-72 is configured with a corresponding encryption key and decryption key for the encryption mechanism between the service end and the client. The web server 60 provides an integrated web page 10, which integrates the service ends 70-72, as the input interface for the user of the client 50. The integrated web page 10 prompts for the appropriate input fields and receives the data required by the network services of the service ends 70-72. In the embodiment shown in Figure 2, input area 100 of the integrated web page 10 has input fields that prompt the user for, and receive, the data required by the network service of service end 70; input area 101 has input fields that prompt the user for, and receive, the data required by the network service of service end 71; and input area 102 has input fields that prompt the user for, and receive, the data required by the network service of service end 72. In addition, in this embodiment each input area 100, 101, 102 contains a hidden area 100a, 101a, 102a, which stores the mapping rule and the encryption key of the corresponding service end 70-72. The mapping rule expresses the correspondence between the network service data received by the input area and the data that the service ends 70-72 can read correctly, for example a conversion rule that turns the data fields into an extensible markup language form, so that the service ends 70-72 can read the network service data correctly. The encryption key is the encryption key of the key pair set up by the service end.

As shown in Figure 3, when the user wants to use the network services provided by the service ends 70-72, the client 50 first obtains the integrated web page 10 from the web server 60 (step S2). The browser 50a of the client 50 displays the integrated web page 10. Next, the integrated web page 10 receives the data required by the network services of the service ends 70-72 as entered by the user (step S4). When the input is complete, the user instructs the client 50 to send the data. The client 50 (in this embodiment, a plug-in 50b in the browser 50a) converts the data received in the input areas 100-102 into service-end-format data of the service ends 70-72 according to the obtained mapping rules of the service ends 70-72 (step S6). The plug-in 50b then performs an encryption procedure on the service-end-format data with the encryption key of each of the service ends 70-72, producing encrypted data 110 for service end 70, encrypted data 111 for service end 71 and encrypted data 112 for service end 72, and assembles the encrypted data 110-112 of the service ends 70-72 into reply data 11 (step S8). The client 50 then sends the reply data 11, containing the encrypted data 110-112 of the service ends 70-72, back to the web server 60 (step S10).

When the web server 60 receives the reply data 11 with its encrypted data 110-112, it holds none of the decryption keys of the service ends 70-72 and cannot decrypt the encrypted data 110-112, so it directly assembles the encrypted data 110 of service end 70 into service message 120 and sends it to service end 70 (step S12), assembles the encrypted data 111 of service end 71 into service message 121 and sends it to service end 71 (step S14), and assembles the encrypted data 112 of service end 72 into service message 122 and sends it to service end 72 (step S16).

When service end 70 receives the encrypted data 110, it performs a decryption procedure on the encrypted data 110 with its decryption key to obtain data in the format of service end 70 (step S13); when service end 71 receives the encrypted data 111, it performs a decryption procedure on the encrypted data 111 with its decryption key to obtain data in the format of service end 71 (step S15); and when service end 72 receives the encrypted data 112, it performs a decryption procedure on the encrypted data 112 with its decryption key to obtain data in the format of service end 72 (step S17). The service ends 70-72 then each process the data in their own format to provide the corresponding service.

In the end-to-end encryption system of the preferred embodiment, the integrated web page 10 is used to deliver the encryption keys and mapping rules with which the messages passed between the client and the service ends are encrypted segment by segment; this is not intended to limit the invention, and in practice the client may obtain the required encryption keys and mapping rules through other channels rather than through the integrated web page 10.

In addition, in the end-to-end encryption system of the preferred embodiment, the encryption/decryption key pair used between a service end and the client may follow the public key infrastructure (PKI) of an asymmetric cryptosystem, a symmetric key, or a combination of the two. In the PKI case, the encryption key of the service ends 70-72 is a public key and the decryption key is a private key. In the symmetric-key case, the encryption key and the decryption key of the service ends 70-72 are both the private key of the service end; the integrated web page 10 is then not a suitable means of delivering the encryption key, and the client 50 must obtain the private keys of the service ends 70-72 by some other secure means. In the combined case, the encryption key of the service ends 70-72 is their public key and the decryption key is their private key; the client 50 encrypts the service-end-format data of the service ends 70-72 with a symmetric key to produce the encrypted data of the service ends 70-72, and encrypts that symmetric key with the public key of the service ends 70-72. The encrypted data of service end 70 together with the symmetric key encrypted with the public key of service end 70 form the encrypted data 110; the encrypted data of service end 71 together with the symmetric key encrypted with the public key of service end 71 form the encrypted data 111; and the encrypted data of service end 72 together with the symmetric key encrypted with the public key of service end 72 form the encrypted data 112. In the decryption procedure, each of the service ends 70-72 first decrypts the encrypted symmetric key with its own private key to recover the symmetric key, and then decrypts its encrypted data with the recovered symmetric key.

In addition, SSL may be used between the client 50 and the web server 60 to secure that link. In this case the web server 60 holds a web server encryption key and a web server decryption key. Before the client 50 sends the encrypted data to the web server 60, it encrypts the encrypted data 110-112 of the service ends 70-72 with the web server encryption key to produce re-encrypted data. When the web server 60 receives the re-encrypted data, it decrypts it with the web server decryption key to recover the encrypted data 110-112.

The embodiments of the present invention may also add a signature mechanism so that the service end can authenticate the user's identity. For example, at the client the user may sign the data for the network service with the user's PKI private key, combine the signature data with the encrypted data and send them together to the service end. After decrypting the data for the network service, the service end can verify the signature with the user's public key to confirm the user's identity.

The service ends 70-72 are not limited to providing web services; they may provide other data services or applications. The web server 60 is the medium that provides the input interface to the client, receives the client's output data and forwards it to the service ends 70-72; it is not limited to a web server and may be another kind of server. The input interface is not limited to a web page. The mapping rules and encryption keys of the service ends 70-72 need not be provided by the web page 10 and may be obtained by the client 50 at a different time.

While the present invention has been disclosed above by way of a preferred embodiment, it is not intended to limit the invention; those skilled in the art may make various changes and modifications without departing from the spirit and scope of the invention, and the scope of protection is therefore defined by the appended claims.
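As an added illustration, not code from the patent or its assignee, the following Go program models the combined-key embodiment described above: the client's plug-in maps form fields into service-end format, seals each record under a fresh symmetric key, wraps that key with the service end's public key, the web server routes the resulting envelopes without being able to open them, and each service end unwraps and decrypts. AES-256-GCM, RSA-OAEP, a field-renaming mapping rule, and binding the service id into the envelope (so a relay cannot re-address one without detection) are this example's own assumptions; the patent names only a symmetric key and a PKI key pair.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// MappingRule models the patent's "mapping rule" as a form-field -> service-field renaming table.
type MappingRule map[string]string

// Envelope is one "encrypted data" item (110-112): the record sealed under a fresh AES-256-GCM key, plus that key wrapped with RSA-OAEP.
type Envelope struct {
	ServiceID  string
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// ApplyMapping converts form data to service-end format; fields the rule does not name are dropped.
func ApplyMapping(rule MappingRule, form map[string]string) map[string]string {
	out := make(map[string]string, len(rule))
	for formField, serviceField := range rule {
		if v, ok := form[formField]; ok {
			out[serviceField] = v
		}
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientEncrypt is the browser plug-in's step (50b; steps S6 and S8) for one service end.
func ClientEncrypt(serviceID string, pub *rsa.PublicKey, rule MappingRule, form map[string]string) (Envelope, error) {
	record, err := json.Marshal(ApplyMapping(rule, form))
	if err != nil {
		return Envelope{}, err
	}
	kn := make([]byte, 44) // fresh 32-byte AES key followed by a 12-byte nonce
	if _, err := rand.Read(kn); err != nil {
		return Envelope{}, err // no usable entropy: never fall back to a weak key
	}
	key, nonce := kn[:32], kn[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	// The service id is bound as associated data and as the OAEP label, so a re-addressed envelope fails to open.
	ct := gcm.Seal(nil, nonce, record, []byte(serviceID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(serviceID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{ServiceID: serviceID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// WebServerRoute is the integration server's step (60; steps S12-S16): it only splits the reply data by service id and, holding no private key, cannot read it.
func WebServerRoute(reply []Envelope) map[string]Envelope {
	routed := make(map[string]Envelope, len(reply))
	for _, e := range reply {
		routed[e.ServiceID] = e
	}
	return routed
}

// ServiceDecrypt is the service end's step (S13-S17): unwrap the session key with its private key, then open the record; malformed or tampered envelopes are rejected.
func ServiceDecrypt(priv *rsa.PrivateKey, e Envelope) (map[string]string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, []byte(e.ServiceID))
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong service end or tampered envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(e.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length") // gcm.Open would panic on this
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.ServiceID))
	if err != nil {
		return nil, errors.New("record authentication failed")
	}
	var rec map[string]string
	if err := json.Unmarshal(pt, &rec); err != nil {
		return nil, err
	}
	return rec, nil
}
```

The record for each service end contains only the fields its mapping rule names, so the payment service never receives the insurance policy number and vice versa, and the web server never receives either in the clear.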

Brief Description of the Drawings

Figure 1 is a block diagram of an integrated service system architecture of the prior art;
Figure 2 is a block diagram of the end-to-end encryption system architecture of a preferred embodiment of the present invention;
Figure 3 is a flow chart of the end-to-end encryption method of a preferred embodiment of the present invention.

[Reference Numerals]

  • 10: web page
  • 11: reply data
  • 50, 51: client
  • 50a: browser
  • 50b: plug-in
  • 60, 61: web server
  • 70-75: service end
  • 80: Internet
  • 100-102: input area
  • 100a-102a: hidden area
  • 110: encrypted data of service end 70
  • 111: encrypted data of service end 71
  • 112: encrypted data of service end 72
  • 120-122: service message

0213-A40049TWF(N1);A2B92610;JOSEPH.ptd

Claims (1)

12475151247515 統,包括 至少 應之一加 一用 一伺 一輸入介 路服務的 則,用以 資料至上 其中 並從上述 其中 其中 相關資料 一服務端 密金鑰及 戶端,用 服器,輕 面至上述 相關資料 指示上述 述服務端 上述用戶 4司服器取 上述輸入 上述用戶 轉換成一 加密系 ’用以 一解密 μ請求 接於上 用戶端 之至少 輸入介 之形式 端取得 得上述 介面接 端根據 服務端 提供一網路服務,並且配置有對 金錄; 上述網 述用戶 ,上述 路服務;以及 端及上述服務端,並提供 輸入介面具有接收上述網 一輸入區,並且具有一映射規 面所接收之上述網路服務的相關 資料的對應關係; 上述加密金鑰及上述映射規則, 輸入介面; 收上述網路服務的相關資料; 上述映射規則將上述網路服務的 形式資料;以及 其中上述用戶端以上述加密金鑰對上述服務端形式資 料執行加密程序成為加密資料。 2·如申請專利範圍第1項所述的端對端加密系統,其 中,上述用戶端將上述加密資料傳送至上述伺服器。 3 ·如申請專利範圍第2項所述的端對端加密系統,其 中’當上述伺服器接收到上述加密資料時,上述伺服器將 上述加密資料傳送至上述服務端。 4:如申請專利範圍第3項所述的端對端加密系統,其 中’當上述服務端接收到上述加密資料時,上述服務端以 上述解密金鑰對上述加密資料執行解密程序。System, including at least one plus one for one input and one input channel service, for the data to be above and from the above related information, a server secret key and the terminal, using the server, lightly to the above The related information indicates that the above-mentioned user 4 server uses the above-mentioned input to convert the user into an encryption system for requesting a decryption μ request to connect to at least the input interface of the upper user terminal to obtain the interface interface according to the server end. Providing a network service, and configuring a pair of records; the above-mentioned network user, the above-mentioned road service; and the terminal and the server, and providing an input interface having receiving the input area of the network, and having a mapping plane received Corresponding relationship of the above-mentioned network service related information; the above-mentioned encryption key and the above mapping rule, input interface; receiving relevant information of the above network service; the above mapping rule will be the form information of the above network service; and wherein the above-mentioned user terminal The above encryption key performs an encryption process on the server-side form data. Data encryption. 2. The end-to-end encryption system according to claim 1, wherein the client transmits the encrypted data to the server. 3. 
The end-to-end encryption system according to claim 2, wherein the server transmits the encrypted data to the server when the server receives the encrypted data. 4: The end-to-end encryption system according to claim 3, wherein when the server receives the encrypted data, the server performs a decryption process on the encrypted data by using the decryption key. 1247515 六、申請專利範圍 其 網 中,5上所述的端對端加密系統 頁。 服器為一網頁伺服器,且上述輸入介面為 6 $申請專利範圍第5項所述 7上”^上述服務端的上述加:金力鑰“統,其 中,上、=Γ ί利範圍第5項所述的端對端加密系統,a 經由2 知經由一瀏覽器顯示上述網頁,上辻、糾/、 ;行轉換上述資料及上述加密程Ϊ 中,上述::圍f1項所述的端對端加密系統,其 以戶加密資料傳送至上述I:: 密成為再加密資料一 ^加也金鑰對上述加密資料執行加 時,Γ 當上述伺服器接收到上述再加密資料 解密成為上述加密資料。 鑰將上述再加密資料執行 中上9述力述的端對端加密系統,其 之公開金鍮和私有金鑰被金錄係分別為一公開金鍮機制 1 〇 · 一種端對端加密方半,抽y 一士人^人 端、一用卢炉釦一 # Ββ 法執仃於包含至少一服務 -網路服務而整合:上:^罔路系統中,上述服務端提供 得上述用?端所=-輸入介面,* 金鑰係由上述服務端所=和一解"、金矯,其中上述解密 第16頁 0213-A40049TWF(N1);A2B92610;JOSEPH.ptd 1247515 六、申請專利範圍 $ =服器提供包含上述網路服務之上述輸入介面至 端’其中上述輸入介面具有一映射規則,用以指 迷輸入介面所垃盼夕 u ^___. ^ Ha ^ ^ 上述 丹甲上述輸入介面具有一映射規則,·用以指 示:^二雨入面所接收之上述網路服務的相關資料至上述 服務知之形式資料的對應關係; 務的ίΐί:7端中’彡過上述輸入介面接收上述網路服 袼的t 5 ί:戶端中,利用上述映射規則,將上述網路服 貝枓轉換成一服務端形式資料;以及 # $資i ^,戶端中,利用上述加密金鑰,將上述服務端 形式貝枓加密為一加密資料。 甘由申%專利範圍第1 〇項所述的端對端加密方法, ^端傳送ϊί,加密程序之後,將上述加密資料從上述用 戶^傅运至上述伺服器。 立中12.在如值申英請專利範圍第u項所述的端對端加密方法, 加密資料步驟之後,將上述加密資料從 上迷佝服為傳送至上述服務端。 a中,在|IL 81第12項所述的端對端加密方法, i:服= 密資料至上述服務端的步驛之後,在 程序。而 以上述解密金鑰對上述加密資料執行解密 立中14.上如/Λ專Λ範圍第10項所述的端對端加密方法, 網;。4伺服器為一網頁伺服器’且上述輪入介面為一 is.如申請專利範圍第14項所述的端野端加密方法,1247515 VI. Patent Application Scope In the network, the end-to-end encryption system page described in 5. 
The server is a web server, and the input interface is 6 $7, and the above-mentioned service of the above-mentioned server is added to the above-mentioned "golden key" system, wherein, the upper, the = Γ ί profit range is 5 The end-to-end encryption system described in the item, a is configured to display the webpage via a browser via a browser, and to convert the data and the encryption process in the above-mentioned encryption process, the above: The peer encryption system transmits the encrypted data to the above I:: the secret is re-encrypted data, and the key is added to the encrypted data, Γ when the server receives the re-encrypted data and decrypts into the encryption data. The key re-encrypts the above-mentioned re-encrypted data to perform the end-to-end encryption system described in the above description. The public key and the private key are separately disclosed as a public accounting mechanism. 〇· An end-to-end encryption method , pumping y a person ^ person end, a use of the furnace deduction one # Ββ law is bound to include at least one service - network services and integration: on: ^ 罔 road system, the above server provides the above use? End == input interface, * key is determined by the above server = and a solution ", gold correction, which decryption page 16 0213-A40049TWF (N1); A2B92610; JOSEPH.ptd 1247515 VI, the scope of patent application $ = The server provides the above input interface to the above network service. The above input mask has a mapping rule for referring to the input interface. u ^___. 
^ Ha ^ ^ The above input interface of Dan A There is a mapping rule, which is used to indicate: (2) the correspondence between the related information of the above-mentioned network service received by the two rains to the form information of the above-mentioned service knowledge; ΐ ΐ : : : : : : : : : : : : : : : : 上述 上述 上述The network service t 5 ί: in the terminal, the above mapping rule is used to convert the above-mentioned network service to a server-side data; and ##资i ^, in the terminal, using the above-mentioned encryption key, The above server form is encrypted as an encrypted data. The end-to-end encryption method described in the first paragraph of the patent scope of the patent, the end of the transmission method, after the encryption program, the encrypted data is transported from the user to the server. Lizhong 12. In the end-to-end encryption method described in item wu of the patent application scope, after the step of encrypting data, the encrypted data is transmitted from the above to the server. a, in the end-to-end encryption method described in Item 12 of |IL 81, i: service = confidential data to the step of the above server, in the program. And decrypting the encrypted data by using the above decryption key. 14. The end-to-end encryption method described in item 10 of the scope of the specification, the network; 4, the server is a web server' and the above-mentioned wheeling interface is one. 
The end-to-end encryption method as described in claim 14, wherein the web page includes the encryption key of the service end.

16. The end-to-end encryption method as described in claim 14, wherein the client displays the web page via a browser, and the browser performs the conversion of the data and the encryption process via a plug-in.

17. The end-to-end encryption method as described in claim 10, wherein the server has a server encryption key and a server decryption key; before the client transmits the encrypted data to the server, the client encrypts the encrypted data with the server encryption key to produce re-encrypted data, and when the server receives the re-encrypted data, the server decrypts the re-encrypted data with the server decryption key to recover the encrypted data.

18. The end-to-end encryption method as described in claim 10, wherein the encryption key and the decryption key are the public key and the private key of a public key mechanism.

19. An end-to-end encryption method, executed on a server, the server being coupled through a network to a service end that provides a network service and to a client that requests the network service, the method comprising the following steps:
providing an input interface to the client, the input interface including an input area for receiving the related data of the network service;
receiving reply data from the client, the reply data including at least one item of encrypted data, the encrypted data being produced by encrypting the related data of the network service with an encryption key, the decryption key corresponding to the encryption key being stored at the service end, wherein the related data of the network service contained in the encrypted data conforms to the reading format of the service end;
extracting the encrypted data from the reply data; and
transmitting the extracted encrypted data to the corresponding service end.

20. The end-to-end encryption method as described in claim 19, wherein the input interface further includes the encryption key.

21. The end-to-end encryption method as described in claim 19, wherein the encryption key and the decryption key are the public key and the private key of a public key mechanism.

22. The end-to-end encryption method as described in claim 19, wherein the input interface is a web page.

23. The end-to-end encryption method as described in claim 19, wherein the reply data is encrypted by an encryption mechanism between the server and the client, and further comprising, before the extracting step, a step of: applying the encryption mechanism between the server and the client to the reply data.

24. An end-to-end encryption method, executed on a client device, comprising the following steps:
receiving an input interface from a server, the input interface including an input area for a network service provided by a service end;
obtaining, via the input interface, the related data corresponding to the network service;
converting the related data of the network service into a format conforming to the reading format of the service end;
encrypting the related data of the network service with an encryption key to produce encrypted data, the decryption key corresponding to the encryption key being stored at the service end; and
transmitting reply data including the encrypted data to the server.

25. The end-to-end encryption method as described in claim 24, wherein the input interface further includes the encryption key.

26. The end-to-end encryption method as described in claim 24, wherein the encryption key and the decryption key are the public key and the private key of a public key mechanism.

27. The end-to-end encryption method as described in claim 24, wherein the input interface is a web page.

28. The end-to-end encryption method as described in claim 24, further comprising, before the transmitting step, a step of: encrypting the reply data using the encryption mechanism between the server and the client.

29. The end-to-end encryption method as described in claim 24, wherein the input interface includes the mapping rule.
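The three roles of claims 19 and 24, as an added example in Go that is not part of the patent or of the applicant's code: the client applies the mapping rule and encrypts with the service end's public key, the relaying server only extracts and forwards ciphertext, and the service end decrypts a record already in its own format. RSA-OAEP is chosen here as the public key mechanism (the claims name none), the server-side re-encryption of claims 17 and 28 is left out, and every field name and value is constructed.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// MappingRule maps web-form field names to the service end's field names (the claims' "mapping rule"); the names used here are constructed.
type MappingRule map[string]string

// ClientEncrypt (claim 24): convert the form data to the service end's format via the rule, then encrypt with the service end's public key.
func ClientEncrypt(form map[string]string, rule MappingRule, pub *rsa.PublicKey) ([]byte, error) {
	record := make(map[string]string, len(form))
	for webField, value := range form {
		serviceField, ok := rule[webField]
		if !ok { // never send a field the service end cannot read
			return nil, fmt.Errorf("no mapping for form field %q", webField)
		}
		record[serviceField] = value
	}
	plain, _ := json.Marshal(record) // a map[string]string always marshals
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// ServerRelay (claim 19): extract the encrypted data from the reply and forward it; the server holds no service-end private key, so it sees only ciphertext.
func ServerRelay(reply []byte) ([]byte, error) {
	var msg struct {
		Encrypted []byte `json:"encrypted"`
	}
	err := json.Unmarshal(reply, &msg)
	return msg.Encrypted, err
}

// ServiceDecrypt (service end): decrypt with the private key and parse the record, which is already in the service end's reading format.
func ServiceDecrypt(ct []byte, priv *rsa.PrivateKey) (record map[string]string, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return nil, err
	}
	err = json.Unmarshal(plain, &record)
	return record, err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // service end's key pair; only the public half is sent to the client
	ct, _ := ClientEncrypt(map[string]string{"card": "1234", "amt": "10"}, MappingRule{"card": "acct_no", "amt": "amount"}, &priv.PublicKey)
	reply, _ := json.Marshal(map[string][]byte{"encrypted": ct})
	fwd, _ := ServerRelay(reply)
	fmt.Println(ServiceDecrypt(fwd, priv))
}
```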
TW92133540A 2003-11-28 2003-11-28 End-to-end encryption system and method TWI247515B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW92133540A TWI247515B (en) 2003-11-28 2003-11-28 End-to-end encryption system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW92133540A TWI247515B (en) 2003-11-28 2003-11-28 End-to-end encryption system and method

Publications (2)

Publication Number Publication Date
TW200518548A TW200518548A (en) 2005-06-01
TWI247515B true TWI247515B (en) 2006-01-11

Family

ID=37399889

Family Applications (1)

Application Number Title Priority Date Filing Date
TW92133540A TWI247515B (en) 2003-11-28 2003-11-28 End-to-end encryption system and method

Country Status (1)

Country Link
TW (1) TWI247515B (en)

Also Published As

Publication number Publication date
TW200518548A (en) 2005-06-01

Similar Documents

Publication Publication Date Title
TWI700916B (en) Method and device for providing and obtaining safety identity information
EP3547600B1 (en) Method for issuing quantum key chip, application method, issuing platform and system
CN102176709B (en) Method and device with privacy protection function for data sharing and publishing
KR100520116B1 (en) A method for discributing the key to mutual nodes to code a key on mobile ad-hoc network and network device using thereof
US6826395B2 (en) System and method for secure trading mechanism combining wireless communication and wired communication
US8824674B2 (en) Information distribution system and program for the same
WO2017024934A1 (en) Electronic signing method, device and signing server
CN101247232B (en) Encryption technique method based on digital signature in data communication transmission
US20210329462A1 (en) Method and device to establish a wireless secure link while maintaining privacy against tracking
CA2518025A1 (en) Secure e-mail messaging system
TWI231132B (en) System and method for secure electronic commerce trading
JP2002503354A (en) How to manage access to devices
JP2002374239A (en) Method for cryptographing information
EP2942899A1 (en) Information processing method, trust server and cloud server
US20050209975A1 (en) System, method and computer program product for conducting a secure transaction via a network
JP2003124926A5 (en)
US8520840B2 (en) System, method and computer product for PKI (public key infrastructure) enabled data transactions in wireless devices connected to the internet
TWI247515B (en) End-to-end encryption system and method
US20220311605A1 (en) Sensitive Data Management System
CN104243291A (en) Instant messaging method and system thereof capable of guaranteeing safety of user communication content
JPH1021302A (en) User's information collecting system
KR20180080655A (en) System and method for rsa dispersed key managing with card
US20210056624A1 (en) Secure communication framework for crypto-exchange services using asymmetric and symmetric encryption
KR20020006985A (en) Certification service method in two different certifying system using certification gate way
JP4482635B2 (en) Information protection method

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees