TWI475866B - An authentication method of a chain structure - Google Patents
Publication number: TWI475866B (application TW101106954A)
Authority: TW (Taiwan)
Prior art keywords: code, request, data, inquiry, challenge
Classification: Storage Device Security
Description
The present invention relates to an authentication method, and in particular to one applied to a chain-structured network, in which the data needed for authentication between the two authenticating parties is generated by a third party.
In network-based application areas such as cloud computing, vehicle-carried communication or mobile communication, when a requester (for example a handheld device or a computer) asks a server (for example a base station or a server) to provide a service (for example data transmission), the requester and the server must first carry out identity authentication, for example with a conventional direct or indirect authentication method; only after the requester's identity has been authenticated can it obtain the requested service.
For example, in a cloud computing environment, social service websites such as Google, Yahoo, Twitter or Facebook mostly support the OAuth or OpenID protocols as the basis for user authorization or authentication. Taking OAuth as an example, a user first applies for an account and password at a service provider. When the user wants a client to access resources the user keeps at the service provider (for example a business card, preferences or an address book), the client asks the service provider to issue a request token (a temporary token). After the service provider has verified the client's identity it grants the temporary token to the client. The client then redirects the user to the service provider's authorization web page to ask for authorization, sending the temporary token and the client's return URL to the service provider. Once the user has entered the account and password on the service provider's page and has successfully authorized the resources the client asked for, the service provider redirects the user back to the client's page. The client can now use the temporary token to request an access token from the service provider; the service provider grants the access token on the basis of the temporary token and the user's authorization, and the client uses the access token to access the user's resources at the service provider. OAuth therefore lets the user authorize the client to query personal data at the service provider without disclosing the password to the client.
However, the OAuth authentication and authorization procedure is cumbersome: it is not efficient, and its computational cost remains high.
Taking OpenID as another example, an end user only needs to register an identifier and a password in advance on the web page of an identity provider (IdP), for example http://www.openid-provider.org; say the identifier is alice.openid-provider.org and the password is 123. When the user wants to access data at a relying party (RP) that supports OpenID, the user enters the identifier; the relying party redirects the user to the identity provider's login page, and after the user has entered the password the relying party redirects the user back to the relying party's own page. OpenID therefore lets the user log in to every relying party that supports OpenID with the same identifier and password.
However, the identity providers run by different operators have security weaknesses of varying severity, so while the identity provider and the relying party authenticate the user's identity and permissions the exchange may be exposed to attack, interception, eavesdropping or spoofing, to the user's detriment.
On the other hand, since the user must first pass the identity provider's authentication before obtaining the relying party's service, an identity provider that refuses to authenticate the user without good reason (for example because of a terrorist attack or commercial interests) leaves the user unable to obtain the required service, which lowers user trust and usage.
In summary, the conventional authentication methods, when used for example in a chain-structured network, raise concerns of low efficiency, high cost, insufficient security and monopolized service. In practice they carry many limitations and drawbacks and are inconvenient, so further improvement is needed to make them more practical.
The object of the present invention is to remedy the above drawbacks by providing a chain-structure authentication method in which the authentication data needed by both authenticating parties is generated centrally by a third party, improving efficiency and reducing cost.
A second object of the present invention is to provide a chain-structure authentication method in which the authenticating parties encrypt and decrypt the transmitted data with shared keys, improving the security of the data.
Another object of the present invention is to provide a chain-structure authentication method in which the identity data and authentication data of both authenticating parties are controlled centrally by a third party, so that the service cannot be monopolized.
Throughout the present invention, "coupling" means that two hardware modules pass data to each other over a physical electrical connection, by wireless communication or by a combination of the two, or that two software modules or software objects pass data to each other by data access or exchange, in order to carry out the computations involved in identity authentication; the details are understood by persons of ordinary skill in the art.
Throughout the present invention, "linking" means that two hardware modules are coupled to each other so as to form a chain; the details are understood by persons of ordinary skill in the art.
Throughout the present invention, "Request End" means, in network-based fields such as cloud computing, vehicle-carried communication or mobile communication, the equipment from which a user issues an authentication request (hereafter the requesting device), for example a system built from a computer, an On Board Unit (OBU) or a handheld device such as a mobile phone. The request end may consist of a single requesting device; the details are understood by persons of ordinary skill in the art.
Throughout the present invention, "Inquiry End" means, in network-based fields such as cloud computing, vehicle-carried communication or mobile communication, the equipment that needs to authenticate a user's identity (hereafter the inquiry device), for example a system built from a server, a Road Side Unit (RSU) or a base station. The inquiry end may consist of a single inquiry device or of several inquiry devices linked to each other; the details are understood by persons of ordinary skill in the art.
Throughout the present invention, "Check End" means, in network-based fields such as cloud computing, vehicle-carried communication or mobile communication, the equipment that cooperates in authenticating a user's identity (hereafter the check device), for example a system built from a server, a Road Side Unit (RSU) or a Visitor Location Register (VLR). The check end may consist of a single check device or of several check devices linked to each other; the details are understood by persons of ordinary skill in the art.
Throughout the present invention, "Response End" means, in network-based fields such as cloud computing, vehicle-carried communication or mobile communication, the equipment that keeps identity data and generates authentication data (hereafter the response device), for example a system built from an Authentication Server (AS), a Service Provider (SP) or a Home Location Register (HLR). The response end may consist of a single response device; the details are understood by persons of ordinary skill in the art.
A chain-structure authentication method, comprising: a request step, in which a request end transmits a request identity code to an inquiry end; an inquiry step, in which the inquiry end transmits the request identity code and an inquiry identity code to a response end; a response step, in which the response end confirms that the request identity code and the inquiry identity code are valid, generates an authentication code, first encrypts the authentication code under the key it shares with the request end to produce request data, then encrypts the request data and the authentication code under the key it shares with the inquiry end to produce inquiry data, and transmits the inquiry data to the inquiry end; a notification step, in which the inquiry end decrypts the inquiry data with the key it shares with the response end and transmits the request data to the request end; and an authentication step, in which the request end decrypts the request data with the key it shares with the response end and transmits the authentication code to the inquiry end, where the inquiry end confirms whether that authentication code is identical to the authentication code in the inquiry data.
A chain-structure authentication method, comprising: a request step, in which a request end generates a request challenge code and transmits the request challenge code and a request identity code to an inquiry end; an inquiry step, in which the inquiry end generates an inquiry challenge code and transmits the request challenge code, the request identity code, the inquiry challenge code and an inquiry identity code to a response end; a response step, in which the response end confirms that the request identity code and the inquiry identity code are valid, generates an authentication code, first encrypts the authentication code and the request challenge code under the key it shares with the request end to produce request data, then encrypts the request data, the authentication code, the request challenge code and the inquiry challenge code under the key it shares with the inquiry end to produce inquiry data, and transmits the inquiry data to the inquiry end; a notification step, in which the inquiry end decrypts the inquiry data with the key it shares with the response end, confirms that the inquiry challenge code in the inquiry data is correct, and then transmits the request data to the request end; and an authentication step, in which the request end decrypts the request data with the key it shares with the response end, confirms that the request challenge code in the request data is correct, and then transmits the authentication code to the inquiry end, where the inquiry end confirms whether that authentication code is identical to the authentication code in the inquiry data.
A chain-structure authentication method, comprising: a request step, in which a request end transmits a request identity code to an inquiry end; an inquiry step, in which the inquiry end transmits the request identity code and an inquiry identity code to a response end; a response step, in which the response end confirms that the request identity code and the inquiry identity code are valid, generates an authentication code, encrypts the authentication code under the key it shares with the inquiry end to produce inquiry data, and transmits the inquiry data to the inquiry end; a notification step, in which the inquiry end first decrypts the inquiry data with the key it shares with the response end, then encrypts the authentication code under the key it shares with the request end to produce request data, and transmits the request data to the request end; and an authentication step, in which the request end decrypts the request data with the key it shares with the inquiry end and transmits the authentication code to the inquiry end, where the inquiry end confirms whether that authentication code is identical to the authentication code in the inquiry data.
A chain-structure authentication method, comprising: a request step, in which a request end generates a request challenge code and transmits the request challenge code and a request identity code to an inquiry end; an inquiry step, in which the inquiry end generates an inquiry challenge code and transmits the request challenge code, the request identity code, the inquiry challenge code and an inquiry identity code to a response end; a response step, in which the response end confirms that the request identity code and the inquiry identity code are valid, generates an authentication code, encrypts the authentication code, the inquiry challenge code and the request challenge code under the key it shares with the inquiry end to produce inquiry data, and transmits the inquiry data to the inquiry end; a notification step, in which the inquiry end first decrypts the inquiry data with the key it shares with the response end, confirms that the inquiry challenge code in the inquiry data is correct, then encrypts the authentication code and the request challenge code under the key it shares with the request end to produce request data, and transmits the request data to the request end; and an authentication step, in which the request end decrypts the request data with the key it shares with the inquiry end, confirms that the request challenge code in the request data is correct, and then transmits the authentication code to the inquiry end, where the inquiry end confirms whether that authentication code is identical to the authentication code in the inquiry data.
A chain-structure authentication method, comprising: a request step, in which a request end transmits a request identity code to an inquiry end; an inquiry step, in which the inquiry end transmits the request identity code and an inquiry identity code to a check end; a check step, in which the check end transmits the request identity code, the inquiry identity code and a check identity code to a response end; a response step, in which the response end confirms that the request identity code, the inquiry identity code and the check identity code are valid, generates an authentication code, first encrypts the authentication code under the key it shares with the request end to produce request data, then encrypts the request data and the authentication code under the key it shares with the check end to produce check data, and transmits the check data to the check end; a delivery step, in which the check end first decrypts the check data with the key it shares with the response end, then encrypts the request data and the authentication code under the key it shares with the inquiry end to produce inquiry data, and transmits the inquiry data to the inquiry end; a notification step, in which the inquiry end decrypts the inquiry data with the key it shares with the check end and transmits the request data to the request end; and an authentication step, in which the request end decrypts the request data with the key it shares with the response end and transmits the authentication code to the inquiry end, where the inquiry end confirms whether that authentication code is identical to the authentication code in the inquiry data.
A chain-structure authentication method, comprising: a request step, in which a request end generates a request challenge code and transmits the request challenge code and a request identity code to an inquiry end; an inquiry step, in which the inquiry end generates an inquiry challenge code and transmits the request challenge code, the request identity code, the inquiry challenge code and an inquiry identity code to a check end; a check step, in which the check end generates a check challenge code and transmits the request challenge code, the request identity code, the inquiry challenge code, the inquiry identity code, the check challenge code and a check identity code to a response end; a response step, in which the response end confirms that the request identity code, the inquiry identity code and the check identity code are valid, generates an authentication code, first encrypts the authentication code and the request challenge code under the key it shares with the request end to produce request data, then encrypts the request data, the authentication code, the request challenge code, the inquiry challenge code and the check challenge code under the key it shares with the check end to produce check data, and transmits the check data to the check end; a delivery step, in which the check end first decrypts the check data with the key it shares with the response end, confirms that the check challenge code in the check data is correct, then encrypts the request data, the authentication code, the request challenge code and the inquiry challenge code under the key it shares with the inquiry end to produce inquiry data, and transmits the inquiry data to the inquiry end; a notification step, in which the inquiry end decrypts the inquiry data with the key it shares with the check end, confirms that the inquiry challenge code in the inquiry data is correct, and then transmits the request data to the request end; and an authentication step, in which the request end decrypts the request data with the key it shares with the response end, confirms that the request challenge code in the request data is correct, and then transmits the authentication code to the inquiry end, where the inquiry end confirms whether that authentication code is identical to the authentication code in the inquiry data.
To make the above and other objects, features and advantages of the present invention clearer, preferred embodiments are described in detail below with reference to the drawings. Figure 1 shows the system architecture of the first embodiment of the chain-structure authentication method of the present invention. It comprises a Request End 1, an Inquiry End 2 and a Response End 3, with the Inquiry End 2 coupled to the Request End 1 and to the Response End 3. The Response End 3 and the Inquiry End 2 jointly hold a key K(3,2), used to encrypt and decrypt the data passed between the Response End 3 and the Inquiry End 2; the Response End 3 and the Request End 1 jointly hold a key K(3,1), used to encrypt and decrypt the data that the Response End 3 passes to the Request End 1 via the Inquiry End 2. The Request End 1, the Inquiry End 2 and the Response End 3 thus form a Wind-Bell Chain Structure. If the Inquiry End 2 is made up of several inquiry devices linked to each other, the inquiry devices at the two ends of the link are coupled to the Request End 1 and to the Response End 3 respectively, and the Response End 3 holds a different key with each inquiry device. For ease of description the following takes a single inquiry device as the Inquiry End 2, coupled to the Request End 1 and the Response End 3, but the invention is not limited to that arrangement.
Figure 2 is the flow chart of the first embodiment of the chain-structure authentication method of the present invention. The method performs, in order, a request step S1, an inquiry step S2, a response step S3, a notification step S4 and an authentication step S5. In this embodiment each of these steps can follow either a one-way or a two-way authentication flow, as described below. In the request step S1, for one-way authentication the Request End 1 transmits a request identity code to the Inquiry End 2. For two-way authentication the Request End 1 generates a request challenge code and transmits the request challenge code together with the request identity code to the Inquiry End 2. The request identity code is a universally unique identifier issued to the Request End 1 by the Response End 3 when the Request End 1 registered with the Response End 3 in advance; the request challenge code may be a randomly generated number, a time stamp or a sequentially generated serial number. In this embodiment, when the Request End 1 asks the Inquiry End 2 to carry out authentication (for example because the Request End 1 must pass identity authentication before it can ask the Inquiry End 2 for a service), the Request End 1 transmits the request identity code to the Inquiry End 2 as the basis for the authentication request, and on receiving the request identity code the Inquiry End 2 knows that the Request End 1 wants to be authenticated. Alternatively the Request End 1 transmits the request challenge code together with the request identity code to the Inquiry End 2; the Request End 1 stores the request challenge code and later checks whether it is returned correctly, so as to confirm the validity of the data it receives.
In the inquiry step S2, for one-way authentication the Inquiry End 2 transmits the request identity code and an inquiry identity code to the Response End 3. For two-way authentication the Inquiry End 2 generates an inquiry challenge code and transmits the request challenge code, the request identity code, the inquiry challenge code and the inquiry identity code to the Response End 3. The inquiry identity code is a universally unique identifier issued to the Inquiry End 2 by the Response End 3 when the Inquiry End 2 registered with the Response End 3 in advance; the inquiry challenge code may be a randomly generated number, a time stamp or a sequentially generated serial number. In this embodiment, once the Inquiry End 2 has received the request identity code sent by the Request End 1 it knows that the Request End 1 is asking it for authentication; the Inquiry End 2 then asks the Response End 3 to assist, transmitting the request identity code and the inquiry identity code to the Response End 3 as the basis for that request. If the Request End 1 sent both the request identity code and a request challenge code, the Inquiry End 2 first stores the request challenge code and then generates its own inquiry challenge code, which it will later use to confirm that the data it receives is valid; it then transmits the request challenge code, the request identity code, the inquiry challenge code and the inquiry identity code to the Response End 3.
Furthermore, if the interrogating end 2 consists of several interrogating devices linked to one another, then in the inquiry step S2 each interrogating device may forward its own inquiry identity code together with the received request identity code and inquiry identity code (and, where present, the request challenge code and inquiry challenge code) to the next interrogating device; finally, the interrogating device coupled to the responding end 3 transmits the request identity code and the inquiry identity code (and, where present, the request challenge code and inquiry challenge code) to the responding end 3. Applying the first embodiment of the present invention to a multi-party authentication flow in this way will be understood by those of ordinary skill in the art to which the present invention pertains, and is not described further here.
In the response step S3, the one-way flow may be chosen: the responding end 3 confirms that the request identity code and the inquiry identity code are correct, generates an authentication code, first encrypts the authentication code with the key K(3,1) it shares with the requesting end 1 to produce a request data, then encrypts the request data and the authentication code with the key K(3,2) it shares with the interrogating end 2 to produce an inquiry data, and transmits the inquiry data to the interrogating end 2. Alternatively, in the two-way flow, the responding end 3 confirms that the request identity code and the inquiry identity code are correct, generates the authentication code, first encrypts the authentication code and the request challenge code with the key K(3,1) it shares with the requesting end 1 to produce the request data, then encrypts the request data, the authentication code, the request challenge code and the inquiry challenge code with the key K(3,2) it shares with the interrogating end 2 to produce the inquiry data, and transmits the inquiry data to the interrogating end 2. The authentication code may take the form of a session key, a signature, a ticket or a credential. In this embodiment, the responding end 3 may have accepted registration of the requesting end 1 and the interrogating end 2 beforehand and stored their identity authentication data, for example the request identity code and the inquiry identity code. When the responding end 3 receives the data transmitted by the interrogating end 2 (for example, the request identity code and the inquiry identity code), it knows that the interrogating end 2 is asking it to assist with authentication; the responding end 3 then checks whether the inquiry identity code and the request identity code are valid, for example by checking whether they were stored in advance, in order to determine whether the interrogating end 2 and the requesting end 1 are legitimate identities.
If both the interrogating end 2 and the requesting end 1 are legitimate, the responding end 3 generates the authentication code for their subsequent authentication operations. Because the authentication code must first be transmitted to the interrogating end 2 and only then forwarded by the interrogating end 2 to the requesting end 1, and in order to protect it from attack, interception, eavesdropping or spoofing by a malicious attacker (for example, a hacker), the responding end 3 first encrypts the authentication code with the key K(3,1) it shares with the requesting end 1 to produce the request data, that is, the data the requesting end 1 needs for its authentication process. The request data may be formed by conventional key-based data encryption, as shown in formula (1):
$D1 = E_{K(3,1)}(R)$  (1)
where D1 is the request data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3,1) is the key shared by the responding end 3 and the requesting end 1; and R is the authentication code.
Next, the responding end 3 encrypts the request data and the authentication code with the key K(3,2) it shares with the interrogating end 2 to produce the inquiry data, that is, the data the interrogating end 2 needs for its authentication process. The inquiry data may be formed by conventional key-based data encryption, as shown in formula (2):
$D2 = E_{K(3,2)}(R, D1)$  (2)
where D2 is the inquiry data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3,2) is the key shared by the responding end 3 and the interrogating end 2; R is the authentication code; and D1 is the request data. The responding end 3 then transmits the inquiry data to the interrogating end 2. Because both the authentication code and the request data are encrypted with the key shared by the responding end 3 and the interrogating end 2, the security of the authentication code and the request data during transmission is ensured.
Furthermore, since the request challenge code and the inquiry challenge code allow the requesting end 1 and the interrogating end 2 respectively to confirm the correctness of the data, the responding end 3 may also return the request challenge code and the inquiry challenge code to the requesting end 1 and the interrogating end 2 respectively. Again, the authentication code must first be transmitted to the interrogating end 2 and then forwarded by the interrogating end 2 to the requesting end 1; to secure the authentication code, the request challenge code and the inquiry challenge code that the responding end 3 transmits, the responding end 3 first encrypts the authentication code and the request challenge code with the key K(3,1) it shares with the requesting end 1 to produce the request data, that is, the data the requesting end 1 needs for its authentication process. The request data may be formed by conventional key-based data encryption, as shown in formula (3):
$D3 = E_{K(3,1)}(R, C1)$  (3)
where D3 is the request data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3,1) is the key shared by the responding end 3 and the requesting end 1; R is the authentication code; and C1 is the request challenge code.
Next, the responding end 3 encrypts the request data, the authentication code, the request challenge code and the inquiry challenge code with the key K(3,2) it shares with the interrogating end 2 to produce the inquiry data, that is, the data the interrogating end 2 needs for its authentication process. The inquiry data may be formed by conventional key-based data encryption, as shown in formula (4):
$D4 = E_{K(3,2)}(D3, R, C1, C2)$  (4)
where D4 is the inquiry data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3,2) is the key shared by the responding end 3 and the interrogating end 2; D3 is the request data; R is the authentication code; C1 is the request challenge code; and C2 is the inquiry challenge code. The responding end 3 then transmits the inquiry data to the interrogating end 2.
In the notification step S4, the one-way flow may be chosen: the interrogating end 2 decrypts the inquiry data with the key K(3,2) it shares with the responding end 3 and transmits the request data to the requesting end 1. Alternatively, in the two-way flow, the interrogating end 2 decrypts the inquiry data with the key K(3,2), confirms that the inquiry challenge code contained in the inquiry data is correct, and then transmits the request data to the requesting end 1. In this embodiment, when the interrogating end 2 receives the inquiry data transmitted by the responding end 3, it decrypts it with the key K(3,2) shared with the responding end 3, using the decryption method corresponding to the encryption method used by the responding end 3, as will be understood by those skilled in the art and is not described further here. Once the inquiry data is decrypted, the interrogating end 2 obtains the authentication code and the request data it contains. If the inquiry data contains the request challenge code and the inquiry challenge code, the interrogating end 2 checks the validity of the inquiry data, for example by comparing only the inquiry challenge code in the inquiry data against the inquiry challenge code the interrogating end 2 sent to the responding end 3, or, in addition, by also comparing the request challenge code in the inquiry data against the request challenge code that the requesting end 1 sent to the interrogating end 2, which strengthens the validity check. If the inquiry data is valid, the interrogating end 2 stores the authentication code and forwards the request data contained in the inquiry data to the requesting end 1 for the subsequent authentication process.
Furthermore, if the interrogating end 2 consists of several interrogating devices linked to one another, then in the notification step S4 each interrogating device may forward the inquiry data directly to the next interrogating device, or may first check the validity of the inquiry data and then forward it; no restriction is imposed here. Finally, the interrogating device coupled to the requesting end 1 decrypts the inquiry data and transmits the request data to the requesting end 1. Applying the first embodiment of the present invention to a multi-party authentication flow in this way will be understood by those of ordinary skill in the art to which the present invention pertains, and is not described further here.
In the authentication step S5, the one-way flow may be chosen: the requesting end 1 decrypts the request data with the key K(3,1) it shares with the responding end 3 and transmits the authentication code to the interrogating end 2, which checks whether this authentication code is identical to the authentication code from the inquiry data. Alternatively, in the two-way flow, the requesting end 1 decrypts the request data with the key K(3,1), confirms that the request challenge code contained in the request data is correct, and then transmits the authentication code to the interrogating end 2, which checks whether it is identical to the authentication code from the inquiry data. In this embodiment, when the requesting end 1 receives the request data transmitted by the interrogating end 2, it decrypts it with the key K(3,1) shared with the responding end 3, using the decryption method corresponding to the encryption method used by the responding end 3, as will be understood by those skilled in the art and is not described further here. Once the request data is decrypted, the requesting end 1 obtains the authentication code it contains; if the request data contains a request challenge code, the requesting end 1 can confirm that it is identical to the request challenge code the requesting end 1 sent to the interrogating end 2, which ensures that the request data is valid. The requesting end 1 then transmits the authentication code from the request data to the interrogating end 2, which checks whether it is a valid authentication code, for example by comparing the authentication code transmitted by the requesting end 1 with the authentication code the interrogating end 2 stored earlier. If the comparison result is "identical", the authentication code transmitted by the requesting end 1 is valid and the interrogating end 2 regards the identity of the requesting end 1 as authenticated; the post-authentication operations can then follow, for example the interrogating end 2 providing service to the requesting end 1.
Furthermore, if the interrogating end 2 consists of several interrogating devices linked to one another, then in the authentication step S5 each interrogating device may forward the request data to the next interrogating device; finally, the interrogating device that needs to authenticate the requesting end 1 (for example, the interrogating device that provides service to the requesting end 1) checks whether the authentication code transmitted by the requesting end 1 is valid. Applying the first embodiment of the present invention to a multi-party authentication flow in this way will be understood by those of ordinary skill in the art to which the present invention pertains, and is not described further here.
Thus, the authentication flow of the first embodiment of the chain-structure authentication method of the present invention completes the identity authentication of the requesting end 1 with only the request step S1, the inquiry step S2, the response step S3, the notification step S4 and the authentication step S5 described above, greatly simplifying the conventional authentication flow. Moreover, the interrogating end 2 and the requesting end 1 can confirm the validity of the data by means of the inquiry challenge code and the request challenge code respectively, and the data transmitted from the responding end 3 to the interrogating end 2 and the requesting end 1 can be encrypted and decrypted with the keys K(3,2) and K(3,1) to improve the security of data transmission.
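As an added example that is not part of the patent, the following Python models the two-way flow of the first embodiment (steps S1 to S5, formulas (3) and (4)) with one requesting end, one interrogating end and one responding end. The encryption function E is stood in by a standard-library encrypt-then-MAC construction rather than the DES or 3DES the text names, and all keys, identity codes and challenge codes are constructed for the demonstration.

```python
"""Two-way flow of the first embodiment, steps S1 to S5 (added example).

E is modelled by HMAC-SHA256 keystream + HMAC tag (stand-in for DES/3DES);
K(3,1), K(3,2), the identity codes and the challenge codes are constructed.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, fields: dict) -> bytes:
    """E_key(fields): encrypt-then-MAC over the JSON encoding of the fields."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Inverse of encrypt; raises ValueError when the tag does not verify."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("data rejected: wrong key or tampered")
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plaintext)


class Requester:
    """Requesting end 1: registered with 3, shares K(3,1) with it."""

    def __init__(self, ident: str, k31: bytes):
        self.ident, self.k31, self.c1 = ident, k31, None

    def request(self):                                  # step S1 (two-way)
        self.c1 = secrets.token_hex(8)                  # request challenge code C1
        return self.ident, self.c1

    def open_request_data(self, d3: bytes) -> str:      # step S5, at end 1
        fields = decrypt(self.k31, d3)                  # undo formula (3)
        if fields["C1"] != self.c1:
            raise ValueError("request data does not answer our challenge")
        return fields["R"]                              # the authentication code


class Inquirer:
    """Interrogating end 2: shares K(3,2) with 3 and never holds K(3,1)."""

    def __init__(self, ident: str, k32: bytes):
        self.ident, self.k32 = ident, k32
        self.c1 = self.c2 = self.r = None

    def inquire(self, req_ident: str, c1: str):          # step S2 (two-way)
        self.c1, self.c2 = c1, secrets.token_hex(8)     # store C1, create C2
        return req_ident, self.ident, c1, self.c2

    def notify(self, d4: bytes) -> bytes:                # step S4 (two-way)
        fields = decrypt(self.k32, d4)                   # undo formula (4)
        if fields["C2"] != self.c2 or fields["C1"] != self.c1:
            raise ValueError("inquiry data is stale or replayed")
        self.r = fields["R"]                             # keep R for step S5
        return bytes.fromhex(fields["D3"])               # forward D3 unopened

    def authenticate(self, r_from_requester: str) -> bool:   # step S5, at end 2
        return self.r is not None and hmac.compare_digest(r_from_requester, self.r)


class Responder:
    """Responding end 3: holds the registered identity codes and their keys."""

    def __init__(self, registry: dict):
        self.registry = registry                         # identity code -> shared key

    def respond(self, req_ident, inq_ident, c1, c2) -> bytes:   # step S3
        if req_ident not in self.registry or inq_ident not in self.registry:
            raise PermissionError("unregistered identity code")
        r = secrets.token_hex(16)                        # authentication code R
        d3 = encrypt(self.registry[req_ident], {"R": r, "C1": c1})            # (3)
        return encrypt(self.registry[inq_ident],
                       {"D3": d3.hex(), "R": r, "C1": c1, "C2": c2})          # (4)


def make_parties():
    """Constructed keys and identity codes for one requester/inquirer/responder."""
    k31, k32 = secrets.token_bytes(32), secrets.token_bytes(32)
    registry = {"req-uuid-demo": k31, "inq-uuid-demo": k32}
    return Requester("req-uuid-demo", k31), Inquirer("inq-uuid-demo", k32), Responder(registry)


def run_two_way(requester, inquirer, responder, stale_d4=None):
    """One S1-S5 run; returns (authenticated, D4). stale_d4 replays an old D4 in S4."""
    req_ident, c1 = requester.request()                          # S1
    d4 = responder.respond(*inquirer.inquire(req_ident, c1))     # S2 then S3
    d3 = inquirer.notify(stale_d4 or d4)                         # S4
    r = requester.open_request_data(d3)                          # S5 at end 1
    return inquirer.authenticate(r), d4                          # S5 at end 2


def replay_is_rejected() -> bool:
    """A D4 captured from one run fails the C2 check in the next run (step S4)."""
    req, inq, resp = make_parties()
    _, old_d4 = run_two_way(req, inq, resp)
    try:
        run_two_way(req, inq, resp, stale_d4=old_d4)
    except ValueError:
        return True
    return False
```

The interrogating end only ever sees D3 as an opaque blob, so the requester's copy of R stays protected under K(3,1) while in transit through step S4.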
Referring to FIG. 3, which is the system architecture diagram of the second embodiment of the chain-structure authentication method of the present invention, the system comprises a requesting end 1', an interrogating end 2' and a responding end 3'; the interrogating end 2' is coupled to the requesting end 1' and the responding end 3'. The responding end 3' and the interrogating end 2' share a key K(3',2') for encrypting and decrypting the data passed between them, and the interrogating end 2' and the requesting end 1' share a key K(2',1') for encrypting and decrypting the data the responding end 3' passes to the requesting end 1' via the interrogating end 2'. The requesting end 1', the interrogating end 2' and the responding end 3' thus form a Swing Chain Structure. If the interrogating end 2' consists of several interrogating devices linked to one another, the interrogating devices at the two ends of the chain are coupled to the requesting end 1' and the responding end 3' respectively, and every pair of mutually coupled devices shares its own distinct key. For convenience of the following description, a single interrogating device serves as the interrogating end 2' and is coupled to the requesting end 1' and the responding end 3', but the embodiment is not limited thereto.
Referring again to FIG. 2, which is the operational flowchart of the second embodiment of the chain-structure authentication method of the present invention, the chain-structure authentication method performs, in sequence, a request step S1', an inquiry step S2', a response step S3', a notification step S4' and an authentication step S5'. In this embodiment, the request step S1', the inquiry step S2', the response step S3', the notification step S4' and the authentication step S5' may each be carried out as a one-way or a two-way authentication flow, as described below:
In the request step S1', the one-way flow may be chosen: the requesting end 1' transmits the request identity code to the interrogating end 2'. Alternatively, in the two-way flow, the requesting end 1' generates the request challenge code and transmits the request challenge code and the request identity code to the interrogating end 2'. The request identity code is the universally unique identifier issued by the responding end 3' to the requesting end 1' when the requesting end 1' registered with the responding end 3' in advance. In this embodiment, the request step S1' is substantially the same as the request step S1 of the first embodiment and is not described further here.
In the inquiry step S2', the one-way flow may be chosen: the interrogating end 2' transmits the request identity code and the inquiry identity code to the responding end 3'. Alternatively, in the two-way flow, the interrogating end 2' generates an inquiry challenge code and transmits the request challenge code, the request identity code, the inquiry challenge code and the inquiry identity code to the responding end 3'. The inquiry identity code is the universally unique identifier issued by the responding end 3' to the interrogating end 2' when the interrogating end 2' registered with the responding end 3' in advance. In this embodiment, the inquiry step S2' is substantially the same as the inquiry step S2 of the first embodiment and is not described further here.
Furthermore, if the interrogating end 2' consists of several interrogating devices linked to one another, then in the inquiry step S2' each interrogating device may forward its own inquiry identity code together with the received request identity code and inquiry identity code (and, where present, the request challenge code and inquiry challenge code) to the next interrogating device; finally, the interrogating device coupled to the responding end 3' transmits the request identity code and the several inquiry identity codes to the responding end 3'. Applying the second embodiment of the present invention to a multi-party authentication flow in this way will be understood by those of ordinary skill in the art to which the present invention pertains, and is not described further here.
In the response step S3', the one-way flow may be chosen: the responding end 3' confirms that the request identity code and the inquiry identity code are correct, generates the authentication code, encrypts the authentication code with the key K(3',2') it shares with the interrogating end 2' to produce the inquiry data, and transmits the inquiry data to the interrogating end 2'. Alternatively, in the two-way flow, the responding end 3' confirms that the request identity code and the inquiry identity code are correct, generates the authentication code, encrypts the authentication code, the inquiry challenge code and the request challenge code with the key K(3',2') it shares with the interrogating end 2' to produce the inquiry data, and transmits the inquiry data to the interrogating end 2'.
The authentication code is substantially the same as the authentication code of the first embodiment and is not described further here. In this embodiment, the responding end 3' may have accepted registration of the requesting end 1' and the interrogating end 2' beforehand and stored their identity authentication data, for example the request identity code and the inquiry identity code. When the responding end 3' receives the request identity code and the inquiry identity code transmitted by the interrogating end 2', it knows that the interrogating end 2' is asking it to assist with authentication; the responding end 3' then checks whether the inquiry identity code and the request identity code are valid, in order to determine whether the interrogating end 2' and the requesting end 1' are legitimate identities.
If both the interrogating end 2' and the requesting end 1' are legitimate, the responding end 3' generates the authentication code for their subsequent authentication operations. Because the authentication code must be transmitted to the interrogating end 2', and in order to protect it from attack, interception, eavesdropping or spoofing by a malicious attacker, the responding end 3' first encrypts the authentication code with the key K(3',2') it shares with the interrogating end 2' to produce the inquiry data, that is, the data the interrogating end 2' needs for its authentication process. The inquiry data may be formed by conventional key-based data encryption, as shown in formula (5):
$D5 = E_{K(3',2')}(R)$  (5)
where D5 is the inquiry data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3',2') is the key shared by the responding end 3' and the interrogating end 2'; and R is the authentication code. The responding end 3' then transmits the inquiry data to the interrogating end 2'. Because the authentication code is encrypted with the key shared by the responding end 3' and the interrogating end 2', the security of the authentication code during transmission is ensured.
Furthermore, since the request challenge code and the inquiry challenge code allow the requesting end 1' and the interrogating end 2' respectively to confirm the correctness of the data, the responding end 3' may also transmit the request challenge code and the inquiry challenge code to the interrogating end 2' and the requesting end 1'. The authentication code must first be transmitted to the interrogating end 2' and then forwarded by the interrogating end 2' to the requesting end 1'; to secure the authentication code, the request challenge code and the inquiry challenge code that the responding end 3' transmits, the responding end 3' encrypts the authentication code, the inquiry challenge code and the request challenge code with the key K(3',2') it shares with the interrogating end 2' to produce the inquiry data, that is, the data the interrogating end 2' needs for its authentication process. The inquiry data may be formed by conventional key-based data encryption, as shown in formula (6):
$D6 = E_{K(3',2')}(R, C1', C2')$  (6)
where D6 is the inquiry data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3',2') is the key shared by the responding end 3' and the interrogating end 2'; R is the authentication code; C1' is the request challenge code; and C2' is the inquiry challenge code. The responding end 3' then transmits the inquiry data to the interrogating end 2'.
In the notification step S4', the one-way flow may be chosen: the interrogating end 2' first decrypts the inquiry data with the key K(3',2') it shares with the responding end 3', then encrypts the authentication code with the key K(2',1') it shares with the requesting end 1' to produce a request data, and transmits the request data to the requesting end 1'. Alternatively, in the two-way flow, the interrogating end 2' first decrypts the inquiry data with the key K(3',2'), confirms that the inquiry challenge code contained in the inquiry data is correct, then encrypts the authentication code and the request challenge code with the key K(2',1') it shares with the requesting end 1' to produce the request data, and transmits the request data to the requesting end 1'. In this embodiment, when the interrogating end 2' receives the inquiry data transmitted by the responding end 3', it decrypts it with the key K(3',2') shared with the responding end 3', using the decryption method corresponding to the encryption method used by the responding end 3', as will be understood by those skilled in the art and is not described further here. Once the inquiry data is decrypted, the interrogating end 2' obtains the authentication code it contains.
Next, to prevent the authentication code from being attacked, intercepted, eavesdropped on or spoofed by a malicious attacker while it is transmitted to the request end 1', the inquiry end 2' encrypts the authentication code with the key K(2',1') shared by the inquiry end 2' and the request end 1' to produce the request data, which provides the request end 1' with the data it needs for the authentication process. The request data can be formed by conventional key-based data encryption, as shown in formula (7):
D7 = E_{K(2',1')}(R)    (7)
Here, D7 is the request data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(2',1') is the key shared by the inquiry end 2' and the request end 1'; R is the authentication code. The inquiry end 2' then transmits the request data to the request end 1', which secures the authentication code during transmission.
Furthermore, if the inquiry data contains the request challenge code, then after the inquiry end 2' has confirmed that the inquiry data is valid, the inquiry end 2' may instead encrypt the authentication code and the request challenge code with the key K(2',1') shared by the inquiry end 2' and the request end 1' to produce the request data, which provides the request end 1' with the data it needs for the authentication process. The request data can be formed by conventional key-based data encryption, as shown in formula (8):
D8 = E_{K(2',1')}(R, C1')    (8)
Here, D8 is the request data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(2',1') is the key shared by the inquiry end 2' and the request end 1'; R is the authentication code; C1' is the request challenge code. The inquiry end 2' then transmits the request data to the request end 1'.
In addition, if the inquiry end 2' is formed of several inquiry devices linked to one another, then in the notification step S4' each inquiry device may transmit the inquiry data directly to the next inquiry device, or may confirm the validity of the inquiry data before transmitting it; no limitation is imposed here. Finally, the inquiry device coupled to the request end 1' decrypts the inquiry data and transmits the request data to the request end 1'. Applying the second embodiment of the invention to a multi-party authentication flow in this way is understood by those of ordinary skill in the art to which the invention pertains and is not described further here.
In the authentication step S5', a one-way authentication flow may be chosen: the request end 1' decrypts the request data with the key K(2',1') shared by the inquiry end 2' and the request end 1' and transmits the authentication code to the inquiry end 2', and the inquiry end 2' confirms whether that authentication code is the same as the authentication code in the inquiry data. Alternatively, a two-way authentication flow may be chosen: the request end 1' decrypts the request data with the key K(2',1') shared by the inquiry end 2' and the request end 1', and after confirming that the request challenge code in the request data is correct, transmits the authentication code to the inquiry end 2', and the inquiry end 2' confirms whether that authentication code is the same as the authentication code in the inquiry data. In this embodiment, once the request end 1' receives the request data transmitted by the inquiry end 2', it can decrypt the request data with the key K(2',1') shared by the inquiry end 2' and the request end 1'; the decryption method is the one corresponding to the encryption method used by the inquiry end 2', which is understood by those skilled in the art and is not described further here. Once the request data has been decrypted, and if the request data contains the request challenge code, then after confirming that the request data is valid the request end 1' transmits the authentication code contained in the request data to the inquiry end 2', and the inquiry end 2' confirms whether the authentication code transmitted by the request end 1' is a valid authentication code, which serves as the basis for authenticating the identity of the request end 1'.
In addition, if the inquiry end 2' is formed of several inquiry devices linked to one another, then in the authentication step S5' each inquiry device may transmit the request data to the next inquiry device, and finally the inquiry device that needs to authenticate the request end 1' (for example, the inquiry device that provides the service to the request end 1') confirms whether the authentication code transmitted by the request end 1' is a valid authentication code. Applying the second embodiment of the invention to a multi-party authentication flow in this way is understood by those of ordinary skill in the art to which the invention pertains and is not described further here.
Accordingly, the authentication flow of the second embodiment of the chain-architecture authentication method of the invention completes the identity authentication of the request end 1' with only the request step S1', inquiry step S2', response step S3', notification step S4' and authentication step S5' described above. Moreover, the inquiry end 2' and the request end 1' can further confirm the validity of the data by means of the inquiry challenge code and the request challenge code. In addition, the data transmitted by the response end 3' to the inquiry end 2' and the request end 1' can be encrypted and decrypted with the keys K(3',2') and K(2',1') to improve the security of data transmission.
Referring to Fig. 4, the system architecture diagram of the third embodiment of the chain-architecture authentication method of the invention, the system comprises a request end 1", an inquiry end 2a, a probe end 2b and a response end 3". The inquiry end 2a is coupled to the request end 1", and the probe end 2b is coupled to the inquiry end 2a and the response end 3". The response end 3" and the request end 1" share a key K(3",1") for encrypting and decrypting the data the response end 3" passes to the request end 1" via the inquiry end 2a and the probe end 2b; the response end 3" and the probe end 2b share a key K(3",2b) for encrypting and decrypting the data exchanged between the response end 3" and the probe end 2b; and the probe end 2b and the inquiry end 2a share a key K(2b,2a) for encrypting and decrypting the data exchanged between the probe end 2b and the inquiry end 2a. The request end 1", the inquiry end 2a, the probe end 2b and the response end 3" thus together form a hybrid chain structure. If the inquiry end 2a is formed of several inquiry devices linked to one another, the inquiry devices at its two ends are coupled to the request end 1" and the probe end 2b respectively; if the probe end 2b is formed of several probe devices linked to one another, the probe devices at its two ends are coupled to the inquiry end 2a and the response end 3" respectively. The key-sharing form may be any combination of the wind chime chain and the swing chain of the invention, for example: the response end 3" shares a different key with each inquiry device, or the response end 3" shares a different key with each probe device, or any two linked inquiry devices share a distinct key, or any two linked probe devices share a distinct key, and so on, without limitation. For ease of the following description, the implementation uses a single inquiry device as the inquiry end 2a, coupled to the request end 1" and to a single probe end 2b, and a single probe device as the probe end 2b, coupled to the inquiry end 2a and the response end 3"; this is not a limitation.
Referring to Fig. 5, the operational flowchart of the third embodiment of the chain-architecture authentication method of the invention, the chain-architecture authentication method performs in sequence a request step S1", an inquiry step S2a, a probe step S2b, a response step S3a, a forwarding step S3b, a notification step S4" and an authentication step S5". In this embodiment, each of the request step S1", inquiry step S2a, probe step S2b, response step S3a, forwarding step S3b, notification step S4" and authentication step S5" may be performed using either a one-way or a two-way authentication flow, as described below:
In the request step S1", a one-way authentication flow may be chosen: the request end 1" transmits a request identity code to the inquiry end 2a. Alternatively, a two-way authentication flow may be chosen: the request end 1" generates a request challenge code and transmits the request challenge code and the request identity code to the inquiry end 2a. The request identity code is the universally unique identifier issued to the request end 1" by the response end 3" when the request end 1" registered with the response end 3" beforehand. In this embodiment, the request step S1" is substantially the same as the request step S1 of the first embodiment and is not described further here.
In the inquiry step S2a, a one-way authentication flow may be chosen: the inquiry end 2a transmits the request identity code and an inquiry identity code to the probe end 2b. Alternatively, a two-way authentication flow may be chosen: the inquiry end 2a generates an inquiry challenge code and transmits the request challenge code, the request identity code, the inquiry challenge code and the inquiry identity code to the probe end 2b. The inquiry identity code is the universally unique identifier issued to the inquiry end 2a by the response end 3" when the inquiry end 2a registered with the response end 3" beforehand. In this embodiment, once the inquiry end 2a receives the request identity code transmitted by the request end 1", the inquiry end 2a further requests the probe end 2b to assist with the authentication, and therefore transmits the request identity code and the inquiry identity code to the probe end 2b, or transmits the request challenge code, the request identity code, the inquiry challenge code and the inquiry identity code to the probe end 2b, as the basis for the inquiry end 2a's request that the probe end 2b assist with the authentication.
In addition, if the inquiry end 2a is formed of several inquiry devices linked to one another, then in the inquiry step S2a each inquiry device may transmit its own inquiry identity code together with the received request identity code and inquiry identity code (or also the request challenge code and inquiry challenge code) to the next inquiry device, and finally the inquiry device coupled to the probe end 2b transmits the request identity code and inquiry identity code (or also the request challenge code and inquiry challenge code) to the probe end 2b. Applying the third embodiment of the invention to a multi-party authentication flow in this way is understood by those of ordinary skill in the art to which the invention pertains and is not described further here.
In the probe step S2b, a one-way authentication flow may be chosen: the probe end 2b transmits the request identity code, the inquiry identity code and a probe identity code to the response end 3". Alternatively, a two-way authentication flow may be chosen: the probe end 2b generates a probe challenge code and transmits the request challenge code, the request identity code, the inquiry challenge code, the inquiry identity code, the probe challenge code and the probe identity code to the response end 3". The probe identity code is the universally unique identifier issued to the probe end 2b by the response end 3" when the probe end 2b registered with the response end 3" beforehand. In this embodiment, once the probe end 2b receives the request identity code and the inquiry identity code transmitted by the inquiry end 2a, the probe end 2b further requests the response end 3" to assist with the authentication, and therefore transmits the request identity code, the inquiry identity code and the probe identity code to the response end 3", or transmits the request challenge code, the request identity code, the inquiry challenge code, the inquiry identity code, the probe challenge code and the probe identity code to the response end 3", as the basis for the probe end 2b's request that the response end 3" assist with the authentication.
In addition, if the probe end 2b is formed of several probe devices linked to one another, then in the probe step S2b each probe device may transmit its own probe identity code together with the received request identity code, inquiry identity code and probe identity code (or also the request challenge code, inquiry challenge code and probe challenge code) to the next probe device, and finally the probe device coupled to the response end 3" transmits the request identity code, inquiry identity code and probe identity code (or also the request challenge code, inquiry challenge code and probe challenge code) to the response end 3". Applying the third embodiment of the invention to a multi-party authentication flow in this way is understood by those of ordinary skill in the art to which the invention pertains and is not described further here.
In the response step S3a, a one-way authentication flow may be chosen: the response end 3" confirms that the request identity code, the inquiry identity code and the probe identity code are correct; after generating the authentication code, it first encrypts the authentication code with the key K(3",1") shared by the response end 3" and the request end 1" to produce request data, then encrypts the request data and the authentication code with the key K(3",2b) shared by the response end 3" and the probe end 2b to produce probe data, and transmits the probe data to the probe end 2b. Alternatively, a two-way authentication flow may be chosen: the response end 3" confirms that the request identity code, the inquiry identity code and the probe identity code are correct; after generating an authentication code, it first encrypts the authentication code and the request challenge code with the key K(3",1") shared by the response end 3" and the request end 1" to produce the request data, then encrypts the request data, the authentication code, the request challenge code, the inquiry challenge code and the probe challenge code with the key K(3",2b) shared by the response end 3" and the probe end 2b to produce the probe data, and transmits the probe data to the probe end 2b. In this embodiment, the response end 3" may accept registration from the request end 1", the inquiry end 2a and the probe end 2b beforehand and store the identity authentication data of the request end 1", the inquiry end 2a and the probe end 2b, for example the request identity code, the inquiry identity code and the probe identity code. When the response end 3" receives the request identity code, inquiry identity code and probe identity code transmitted by the probe end 2b, it knows that the probe end 2b is requesting the response end 3" to assist with the authentication; the response end 3" then confirms whether the request identity code, inquiry identity code and probe identity code are valid, for example by confirming whether the request identity code, inquiry identity code and probe identity code have been stored beforehand, in order to determine whether the identities of the request end 1", the inquiry end 2a and the probe end 2b are legitimate.
If the identities of the request end 1", the inquiry end 2a and the probe end 2b are all legitimate, the response end 3" generates the authentication code for the request end 1", the inquiry end 2a and the probe end 2b to use in the subsequent authentication. In addition, because the authentication code must first be transmitted to the probe end 2b and then via the inquiry end 2a to the request end 1", the response end 3", in order to protect the authentication code from malicious attack, first encrypts the authentication code with the key K(3",1") shared by the response end 3" and the request end 1" to produce the request data, which provides the request end 1" with the data it needs for the authentication process. The request data can be formed by conventional key-based data encryption, as shown in formula (9):
D9 = E_{K(3",1")}(R)    (9)
Here, D9 is the request data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3",1") is the key shared by the response end 3" and the request end 1"; R is the authentication code.
Next, the response end 3" encrypts the request data and the authentication code with the key K(3",2b) shared by the response end 3" and the probe end 2b to produce the probe data, which provides the probe end 2b with the data it needs for the authentication process. The probe data can be formed by conventional key-based data encryption, as shown in formula (10):
D10 = E_{K(3",2b)}(Ra, D9)    (10)
Here, D10 is the probe data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3",2b) is the key shared by the response end 3" and the probe end 2b; Ra is the authentication code; D9 is the request data. The response end 3" then transmits the probe data to the probe end 2b. Because both the authentication code and the request data are encrypted with the key shared by the response end 3" and the probe end 2b, the security of the authentication code and the request data during transmission is ensured.
In addition, the response end 3" may instead first encrypt the authentication code and the request challenge code with the key K(3",1") shared by the response end 3" and the request end 1" to produce the request data, which provides the request end 1" with the data it needs for the authentication process. The request data can be formed by conventional key-based data encryption, as shown in formula (11):
D11 = E_{K(3",1")}(R, C1")    (11)
Here, D11 is the request data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3",1") is the key shared by the response end 3" and the request end 1"; R is the authentication code; C1" is the request challenge code.
Next, the response end 3" encrypts the request data, the authentication code, the request challenge code, the inquiry challenge code and the probe challenge code with the key K(3",2b) shared by the response end 3" and the probe end 2b to produce the probe data, which provides the probe end 2b with the data it needs for the authentication process. The probe data can be formed by conventional key-based data encryption, as shown in formula (12):
D12 = E_{K(3",2b)}(D11, R, C1", C2a, C2b)    (12)
Here, D12 is the probe data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(3",2b) is the key shared by the response end 3" and the probe end 2b; D11 is the request data; R is the authentication code; C1" is the request challenge code; C2a is the inquiry challenge code; C2b is the probe challenge code. The response end 3" then transmits the probe data to the probe end 2b.
In the forwarding step S3b, a one-way authentication flow may be chosen: the probe end 2b first decrypts the probe data with the key K(3",2b) shared by the response end 3" and the probe end 2b, then encrypts the request data and the authentication code with the key K(2b,2a) shared by the probe end 2b and the inquiry end 2a to produce inquiry data, and transmits the inquiry data to the inquiry end 2a. Alternatively, a two-way authentication flow may be chosen: the probe end 2b first decrypts the probe data with the key K(3",2b) shared by the response end 3" and the probe end 2b, and after confirming that the probe challenge code in the probe data is correct, encrypts the request data, the authentication code, the request challenge code and the inquiry challenge code with the key K(2b,2a) shared by the probe end 2b and the inquiry end 2a to produce the inquiry data, and transmits the inquiry data to the inquiry end 2a. In this embodiment, once the probe end 2b receives the probe data transmitted by the response end 3", it can decrypt the probe data with the key K(3",2b) shared by the response end 3" and the probe end 2b; the decryption method is the one corresponding to the encryption method used by the response end 3", which is understood by those skilled in the art and is not described further here. Once the probe data has been decrypted, the probe end 2b obtains the authentication code and the request data contained in the probe data, and the probe end 2b may store the authentication code for later reference.
Next, the probe end 2b encrypts the request data and the authentication code with the key K(2b,2a) shared by the probe end 2b and the inquiry end 2a to produce the inquiry data, which provides the inquiry end 2a with the data it needs for the authentication process. The inquiry data can be formed by conventional key-based data encryption, as shown in formula (13):
D13 = E_{K(2b,2a)}(R, D9)    (13)
Here, D13 is the inquiry data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(2b,2a) is the key shared by the probe end 2b and the inquiry end 2a; R is the authentication code; D9 is the request data. The probe end 2b then transmits the inquiry data to the inquiry end 2a. Because both the authentication code and the request data are encrypted with the key shared by the probe end 2b and the inquiry end 2a, the security of the authentication code and the request data during transmission is ensured.
Furthermore, the probe end 2b may instead encrypt the request data, the authentication code, the request challenge code and the inquiry challenge code with the key K(2b,2a) shared by the probe end 2b and the inquiry end 2a to produce the inquiry data, which provides the inquiry end 2a with the data it needs for the authentication process. The inquiry data can be formed by conventional key-based data encryption, as shown in formula (14):
D14 = E_{K(2b,2a)}(D11, R, C1", C2a)    (14)
Here, D14 is the inquiry data; E is an encryption function, for example a symmetric encryption algorithm such as DES or 3DES; K(2b,2a) is the key shared by the probe end 2b and the inquiry end 2a; D11 is the request data; R is the authentication code; C1" is the request challenge code; C2a is the inquiry challenge code. The probe end 2b then transmits the inquiry data to the inquiry end 2a.
In addition, if the probe end 2b is formed of several probe devices linked to one another, then in the forwarding step S3b each probe device may transmit the probe data directly to the next probe device, or may confirm the validity of the probe data before transmitting it; no limitation is imposed here. Finally, the probe device coupled to the inquiry end 2a decrypts the probe data, produces the inquiry data and transmits it to the inquiry end 2a. Applying the third embodiment of the invention to a multi-party authentication flow in this way is understood by those of ordinary skill in the art to which the invention pertains and is not described further here.
In the notification step S4", a one-way flow may be chosen, in which the inquirer 2a decrypts the inquiry data with the key K(2b,2a) shared with the probe 2b and forwards the request data to the requester 1". Alternatively, a two-way flow may be chosen, in which the inquirer 2a decrypts the inquiry data with K(2b,2a), confirms that the inquiry challenge code in the inquiry data is correct, and only then forwards the request data to the requester 1". In detail, on receiving the inquiry data from the probe 2b, the inquirer 2a decrypts it with the key K(2b,2a), using the decryption that corresponds to the encryption applied by the probe 2b (familiar to those skilled in the art and not elaborated here). Once the inquiry data is decrypted, the inquirer 2a obtains the authentication code and the request data it contains. If the inquiry data also carries the request challenge code and the inquiry challenge code, the inquirer 2a checks them and thereby confirms that the inquiry data is valid; it then stores the authentication code for later comparison and forwards the request data contained in the inquiry data to the requester 1" for the subsequent authentication.
Likewise, if the inquirer 2a is formed by several inquiry devices linked to one another, then in the notification step S4" each inquiry device may either pass the inquiry data straight to the next inquiry device or confirm the validity of the inquiry data before passing it on; no restriction is placed on this. Finally, the inquiry device coupled to the requester 1" decrypts the inquiry data and sends the request data to the requester 1", so that the third embodiment applies to a multi-party authentication flow. This will be understood by those of ordinary skill in the art and is not elaborated here.
In the authentication step S5", a one-way flow may be chosen, in which the requester 1" decrypts the request data with the key K(3",1") shared with the responder 3" and sends the authentication code to the inquirer 2a, which confirms whether it is identical to the authentication code from the inquiry data. Alternatively, a two-way flow may be chosen, in which the requester 1" decrypts the request data with K(3",1"), confirms that the request challenge code in the request data is correct, and only then sends the authentication code to the inquirer 2a, which again confirms whether it is identical to the authentication code from the inquiry data. In detail, on receiving the request data from the inquirer 2a, the requester 1" decrypts it with the key K(3",1"), using the decryption that corresponds to the encryption applied by the responder 3" (familiar to those skilled in the art and not elaborated here). Once the request data is decrypted, the requester 1" obtains the authentication code it contains; if the request data also carries the request challenge code, the requester 1" checks it and thereby confirms the validity of the request data before sending the authentication code to the inquirer 2a. The inquirer 2a then compares the authentication code sent by the requester 1" with the authentication code it stored earlier; if the two are identical, the inquirer 2a regards the identity of the requester 1" as authenticated and may proceed with the operations that follow a successful authentication.
In addition, if the inquirer 2a is formed by several inquiry devices linked to one another, then in the authentication step S5" each inquiry device may pass the request data on to the next inquiry device, and finally the inquiry device that needs to authenticate the requester 1" (for example, the one that provides the service to the requester 1") confirms whether the authentication code sent by the requester 1" is valid, so that the third embodiment applies to a multi-party authentication flow. This will be understood by those of ordinary skill in the art and is not elaborated here.
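The three steps above (S3b, S4" and S5") as a worked exchange with each party's message, added here by the editor; it is not code from the patent. The following are assumptions not stated in the text: the encryption function E is an HMAC-SHA256 encrypt-then-MAC construction standing in for the DES and 3DES the text names as examples (both are now withdrawn or deprecated by NIST, and neither, in a plain block-cipher mode, authenticates the ciphertext, so the returned challenge code would confirm freshness but not integrity; an authenticated E is what makes the "confirm validity" checks fail closed); message fields are JSON-encoded; R and the challenge codes are 16 random bytes; and the request data D11 is taken to be E_K(3",1")(R, C1"), which the description supports only indirectly through step S5", where the requester recovers R and C1" from D11 under K(3",1").

```python
"""Chain-structure authentication, third embodiment, steps S3b -> S4" -> S5".
Editor's worked example, not the patent's code. E/D below is an HMAC-SHA256
encrypt-then-MAC construction substituted for the DES/3DES the patent names;
JSON field encoding, 16-byte codes and the shape of D11 are assumptions."""
import hashlib
import hmac
import json
import secrets
from typing import Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one shared key K(x,y).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher.
    blocks, ctr = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def E(key: bytes, fields: dict) -> bytes:
    """E_K(fields) -> nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def D(key: bytes, blob: bytes) -> dict:
    """Inverse of E; raises ValueError on a bad tag so tampering fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication tag mismatch")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))
    return json.loads(pt)


def responder_issue(k_3_1: bytes, c1: str) -> Tuple[str, bytes]:
    """Responder 3": mint the authentication code R and the request data D11
    that only the requester 1" can open (assumed D11 = E_K(3",1")(R, C1"))."""
    r = secrets.token_hex(16)
    return r, E(k_3_1, {"R": r, "C1": c1})


def probe_forward(k_2b_2a: bytes, d11: bytes, r: str, c1: str, c2a: str) -> bytes:
    """Probe 2b, step S3b, formula (14): D14 = E_K(2b,2a)(D11, R, C1", C2a)."""
    return E(k_2b_2a, {"D11": d11.hex(), "R": r, "C1": c1, "C2a": c2a})


def inquirer_notify(k_2b_2a: bytes, d14: bytes, expected_c2a: str) -> Tuple[str, bytes]:
    """Inquirer 2a, step S4" (two-way variant): decrypt D14, confirm its own
    challenge C2a came back, store R, and hand D11 on to the requester."""
    fields = D(k_2b_2a, d14)
    if not hmac.compare_digest(fields["C2a"], expected_c2a):
        raise ValueError("inquiry challenge code mismatch: stale or forged D14")
    return fields["R"], bytes.fromhex(fields["D11"])


def requester_authenticate(k_3_1: bytes, d11: bytes, expected_c1: str) -> str:
    """Requester 1", step S5" (two-way variant): decrypt D11, confirm C1",
    and return R to present to the inquirer."""
    fields = D(k_3_1, d11)
    if not hmac.compare_digest(fields["C1"], expected_c1):
        raise ValueError("request challenge code mismatch")
    return fields["R"]


def inquirer_verify(stored_r: str, presented_r: str) -> bool:
    """Inquirer 2a: constant-time comparison of the stored and presented R."""
    return hmac.compare_digest(stored_r, presented_r)


def run_chain(stale_d14: bool = False, impostor: bool = False) -> bool:
    """Drive the whole flow; True iff the inquirer 2a accepts the requester 1"."""
    k_3_1, k_2b_2a = secrets.token_bytes(32), secrets.token_bytes(32)   # K(3",1"), K(2b,2a)
    c1, c2a = secrets.token_hex(16), secrets.token_hex(16)               # C1", C2a
    r, d11 = responder_issue(k_3_1, c1)
    # A replayed D14 carries an earlier session's C2a rather than the current one.
    d14 = probe_forward(k_2b_2a, d11, r, c1, secrets.token_hex(16) if stale_d14 else c2a)
    try:
        stored_r, d11_fwd = inquirer_notify(k_2b_2a, d14, c2a)
        # An impostor without K(3",1") cannot open D11 and therefore never learns R.
        presented_r = requester_authenticate(secrets.token_bytes(32) if impostor else k_3_1, d11_fwd, c1)
    except ValueError:
        return False
    return inquirer_verify(stored_r, presented_r)
```

run_chain() returns True on an honest run. With stale_d14=True the inquirer rejects the message at S4" because its own challenge code C2a does not come back; with impostor=True a party lacking K(3",1") cannot open D11 and so has no valid R to present at S5". The comparisons use hmac.compare_digest so that the "is the code identical" test does not leak timing information.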
Thus the authentication flow of the third embodiment of the chain-structure authentication method of the invention can be extended to multi-party authentication. Besides combining the advantages of the first and second embodiments, it uses the request challenge code, the inquiry challenge code and the probe challenge code to confirm the correctness of the data, and the keys K(3",1"), K(3",2b) and K(2b,2a) for encryption and decryption, raising the security of the data in transit.
From the technical means disclosed above, the main features of the chain-structure authentication method of the invention are as follows. The responder generates the authentication code that the requester, the inquirer and the probe use in the subsequent authentication. The inquirer need only extract the authentication code from the data it receives from the responder or the probe and store it for comparison; once it receives the data sent by the requester, it extracts the authentication code the requester sent and decides whether the requester is authenticated by checking whether that code is identical to the stored one. In other words, the authentication data (the authentication code) needed by the two authenticating parties (the requester and the inquirer) is generated centrally by a third party (the responder), and the two parties complete authentication merely by checking that their authentication data match, with no elaborate authentication procedure, so that authentication is efficient even when the two parties are in different domains and network environments. A user can therefore complete authentication through the requester with high performance and low cost in network-based applications such as cloud computing, vehicular communication and mobile communication, which is one effect of the invention.
Furthermore, a shared key may exist between the responder and the requester, between the requester and the inquirer, between the inquirer and the responder, between the responder and the probe, or between the probe and the inquirer, and the transmitted data (for example, the authentication code) can be encrypted and decrypted with that shared key, improving the security of the data. Moreover, the party receiving authentication data (for example, the probe, the inquirer or the requester) may send out a challenge code; when the transmitted data arrives, that party confirms the data is valid by checking whether its challenge code has been returned intact. The invention thus uses a dual security mechanism of shared key and challenge code to ensure the security and validity of the data and to keep it from being exposed during authentication to threats such as attack, interception, eavesdropping or spoofing that would harm the user's interests; this is another effect of the invention.
In addition, the responder centrally confirms the identities of the requester, the inquirer and the probe, and the responder can be centrally administered by an impartial and independent authority, which avoids identity tampering and monopolisation of the service. Moreover, if the requester satisfies the requirements for passing identity authentication but the inquirer refuses to authenticate it without cause, the requester can produce the responder's record of its identity confirmation as evidence, raising the user's confidence in the authentication process.
In summary, the chain-structure authentication method of the invention simplifies the authentication process between the requester and the inquirer and removes the concerns of low performance, high cost, insufficient security and monopolised service raised by conventional authentication methods, thereby raising the user's confidence in the authentication process; these are the improvements brought by the chain-structure authentication method of the invention.
Although the invention has been disclosed by way of the preferred embodiments above, they are not intended to limit the invention; any changes and modifications to the above embodiments that a person skilled in the art may make without departing from the spirit and scope of the invention remain within the technical scope protected by the invention, whose scope of protection is defined by the appended claims.
1, 1’, 1” ... requester
2, 2’, 2a ... inquirer
2b ... probe
3, 3’, 3” ... responder
K(3,1) ... key
K(3,2) ... key
K(3’,2’) ... key
K(2’,1’) ... key
K(3”,1”) ... key
K(3”,2b) ... key
K(2b,2a) ... key
S1, S1’, S1” ... request step
S2, S2’, S2a ... inquiry step
S2b ... probe step
S3, S3’, S3a ... response step
S3b ... transfer step
S4, S4’, S4” ... notification step
S5, S5’, S5” ... authentication step
Fig. 1: system architecture of the first embodiment of the chain-structure authentication method of the invention.
Fig. 2: operational flow chart of the first and second embodiments of the chain-structure authentication method of the invention.
Fig. 3: system architecture of the second embodiment of the chain-structure authentication method of the invention.
Fig. 4: system architecture of the third embodiment of the chain-structure authentication method of the invention.
Fig. 5: operational flow chart of the third embodiment of the chain-structure authentication method of the invention.
S1, S1’ ... request step
S2, S2’ ... inquiry step
S3, S3’ ... response step
S4, S4’ ... notification step
S5, S5’ ... authentication step
Claims (14)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW101106954A TWI475866B (en) | 2012-03-02 | 2012-03-02 | An authentication method of a chain structure |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201338493A TW201338493A (en) | 2013-09-16 |
TWI475866B true TWI475866B (en) | 2015-03-01 |
Family
ID=49628095
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI475866B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7831827B2 (en) * | 2002-12-02 | 2010-11-09 | Silverbrook Research Pty Ltd | Authenticated communication between multiple entities |
TW201134176A (en) * | 2010-03-19 | 2011-10-01 | Network Security Technology Co | A method of mutual authentication combining variable password system |
2012-03-02: TW application TW101106954A filed (granted as TWI475866B); status: not active, IP right cessation.
Non-Patent Citations (1)
Title |
---|
簡嘉齡,碩士論文"金鑰恢復系統之研究與實作",2007/06/27. * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220255931A1 (en) | Domain unrestricted mobile initiated login | |
US11876807B2 (en) | Secure online access control to prevent identification information misuse | |
US8132722B2 (en) | System and method for binding a smartcard and a smartcard reader | |
CN105850073B (en) | Information system access authentication method and device | |
US8112787B2 (en) | System and method for securing a credential via user and server verification | |
US8245292B2 (en) | Multi-factor authentication using a smartcard | |
US8812851B2 (en) | Method for reading an attribute from an ID token | |
US20090187980A1 (en) | Method of authenticating, authorizing, encrypting and decrypting via mobile service | |
CN117579281A (en) | Method and system for ownership verification using blockchain | |
CN105577612B (en) | Identity authentication method, third-party server, merchant server and user terminal | |
CN102577301A (en) | Method and apparatus for trusted authentication and logon | |
US20110213959A1 (en) | Methods, apparatuses, system and related computer program product for privacy-enhanced identity management | |
CN107454077A (en) | A kind of single-point logging method based on IKI ID authentications | |
CN104767740A (en) | User platform credible authentication and access method | |
KR20200016506A (en) | Method for Establishing Anonymous Digital Identity | |
JP5537129B2 (en) | Authentication system, authentication method and program | |
JP7226457B2 (en) | TOKEN PROTECTION METHOD, AUTHORIZATION SYSTEM, APPARATUS AND PROGRAM RECORDING MEDIUM | |
US20120290483A1 (en) | Methods, systems and nodes for authorizing a securized exchange between a user and a provider site | |
TWI469613B (en) | A cloud computing authentication system and method | |
WO2022140469A1 (en) | Domain unrestricted mobile initiated login | |
TWI475866B (en) | An authentication method of a chain structure | |
KR101936941B1 (en) | Electronic approval system, method, and program using biometric authentication | |
CN113472561A (en) | Block chain data processing method and equipment thereof | |
CN114003892A (en) | Credible authentication method, safety authentication equipment and user terminal | |
CN117082516A (en) | Secure communication method, identity authentication device, storage medium and vehicle |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
MM4A | Annulment or lapse of patent due to non-payment of fees |