TWI647942B - A system and method for accessing and authenticating an electronic certificate - Google Patents

Publication number: TWI647942B
Authority: TW (Taiwan)
Application number: TW106146248A
Other versions: TW201931816A (en)
Inventors: 王傳陞, 洪丞甫, 謝秉諺
Original assignee and applicant: 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Prior art keywords: module, authentication, user, card, credential
Landscapes: Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention discloses an authentication and authorization access system and method for electronic ID documents (電子證件). The method includes: initiating, through an application service module, a request to a browser for data access authorization for an electronic ID document; receiving, through a client application, the request provided by the browser in order to call a card access module, which performs the authentication; after the electronic ID document has been authenticated, obtaining through a certificate management device the data fields of a selected authorization permission and storing them in a certificate area of the application service module; downloading, through a client connection module, a certificate and the data fields of the authorization permission from the certificate area; and passing the certificate to a certificate verification module for verification, so that the application service module can read the user's personal data in the electronic ID document.

Description

Electronic ID document authentication and authorization access system and method

This application relates to authentication and authorization access technology, and more specifically to an authentication and authorization access system and method for electronic ID documents.

A smart card is a chip card: a portable plastic card with an embedded integrated circuit chip. The card contains a microprocessor, an I/O interface and memory, and can store various kinds of card information. Depending on the purpose of the stored information, smart cards can be classified as identity cards, health insurance cards, driver's licenses, credit cards, electronic tickets, transportation tickets and so on. A smart card that provides identity authentication, or that holds personal data, can be called an electronic ID document.

Under existing electronic ID document architectures, if a third-party service provider's service providing device needs the user to authenticate with an electronic ID document, a unified authentication service server is usually required; the authentication process is relatively complex and takes more time. If the service providing device needs to access data in the electronic ID document, the user usually has no choice but to trust the service providing device unconditionally. A malicious service providing device can read all the data in the electronic ID document rather than the small part it needs, leaking the user's information.

One prior-art technique for electronic identity card authentication requires a unified eID authentication service system and cannot authorize only specific data to the service providing device.

Another prior-art technique obtains the personal data in the electronic identity card through the browser and sends it to a unified authentication server to complete identity authentication; the authentication result is returned to the browser and then provided to the application that initiated the authentication. This technique cannot control data access, requires a unified authentication server to be set up, and requires an online authentication for every authentication.

In addition, a prior-art technique lets the client complete authentication by connecting directly to the service providing device, but the service providing device still has to perform online authentication at the back end against a unified third-party eID authentication platform. Although this technique can protect personal identity and privacy information during authentication, it still cannot provide data access authorization. If the service providing device needs part of the personal information in the electronic ID document, this technique cannot support it.

Furthermore, a prior-art technique requires authorization to access the electronic ID document to be obtained through a unified identity provider, and its data access authorization does not let the user reduce the authorized data on the spot.

It can be seen that the above conventional approaches still have many shortcomings; they are not well designed and urgently need improvement.

The present invention provides an electronic ID document authentication and authorization access system and method. Its purpose is to provide, at the service providing device and the user device, a trustworthy technique for identity authorization and authorized data access, guarding against malicious parties or hackers who forge an identity to deceive the service providing device, and against a service providing device that steals user data without authorization. Authentication with the application service module can be performed on the client side using the electronic ID document, and a user authorization mechanism is provided. When data access is authorized on the user device, the user can also restrict which electronic ID document data is accessed, ensuring that the application service module can access only the personal data the user has allowed.

Accordingly, the present invention provides an electronic ID document authentication and authorization access system comprising: a service providing device having an application service module, where the application service module initiates a user identity authentication request to a browser and provides the data fields of selectable user authentication data items, and has a certificate area for storing the data fields of the authorization permission; a certificate management device that grants the corresponding data fields of the authorization permission according to the selected user authentication data items; and a user device having a client application, where the client application, after receiving the user identity authentication request provided by the browser, calls a card access module of the client application so that the card access module authenticates the user's electronic ID document according to the rules of that electronic ID document. After the electronic ID document has been authenticated, the client application downloads the certificate issued by the certificate area and the data fields of the authorization permission stored in the certificate area, and the card access module passes the certificate to a certificate verification module of the client application for verification, so that the application service module reads the user's personal data stored in the electronic ID document through the card access module according to the data fields of the authorization permission.

In addition, the present invention provides an electronic ID document authentication and authorization access method comprising: initiating, through an application service module, a request to a browser for data access authorization for an electronic ID document; receiving, through a client application, the request provided by the browser in order to call a card access module, which then performs authentication according to the rules of the electronic ID document; after the electronic ID document has been authenticated, obtaining through a certificate management device the data fields of a selected authorization permission and storing them in a certificate area of the application service module; downloading, through a client connection module, a certificate and the data fields of the authorization permission from the certificate area; and passing the certificate, through the card access module connected to the client connection module, to a certificate verification module for verification, so that the application service module reads the user's personal data stored in the electronic ID document through the card access module according to the data fields of the authorization permission.

The technical advantages of the present invention are therefore as follows. It provides an identity authorization and authorized data access technique that can be trusted without a unified electronic ID document authentication service system. It provides this trustworthy technique at the service providing device and the user device. It also provides a partial data authorization technique: with access control enforced by the chip card and combined with user interaction, the user can adjust and reduce the data authorized each time.

10: electronic ID document authentication and authorization access system
100: user device
101, 210, 310: browser
102, 230, 330: client application
103: service providing device
104, 220, 320: application service module
105, 321: certificate area
106: certificate management device
107: Internet
108, 211, 311: web support module
231, 331: client connection module
232, 332: card access module
333: certificate verification module
S21 to S26, S31 to S39: steps

The specific embodiments disclosed here are described in detail with reference to the following drawings: Fig. 1 is a system block diagram of the electronic ID document authentication and authorization access system of the present invention; Fig. 2 is a flowchart of electronic ID document authentication according to the present invention; and Fig. 3 is a flowchart of electronic ID document authentication and authorized access according to the present invention.

Fig. 1 is a system block diagram of the electronic ID document authentication and authorization access system 10 of the present invention. The system 10 consists mainly of a user device 100 on the user side and a service providing device 103 of the service provider. The user device 100 contains a browser 101 and a client application 102, while the service providing device 103 mainly provides an application service module 104. The user accesses the application service module 104 through the browser 101. When the application service module 104 requires the user to authenticate with an electronic ID document (one of an identity card, health insurance card, driver's license or credit card), or asks to access the user's personal data, the browser 101 uses the web support module 108 to forward the request of the application service module 104 to the client application 102. When the client application 102 receives the request from the browser 101, it prompts the user to present the electronic ID document, for example by placing it in a card reader (not shown) or by sensing it through near-field communication (NFC) on a mobile device such as a mobile phone. The client application 102 then performs the operation that corresponds to the type of request received.

When the application service module 104 requires the user to authenticate, which mostly happens in scenarios such as logging in to an application service or signing an electronic document, the client application 102 prompts the user to enter a personal identification number (PIN) or to use biometrics (such as fingerprint or face recognition) to access the electronic ID document and perform a signing operation. The signature data is then returned, and the application service module 104 can verify the signature data to confirm the authenticity of the remote user's identity.

When the application service module 104 needs to access data in the user's electronic ID document, the following two prerequisites must first be completed: (1) The application service module 104 must list the user data items it needs and apply to the certificate management device 106, located at the certificate management center, for an authorization certificate specific to the application service. After the certificate management device 106 has reviewed the application and issued the certificate, the content of the authorization certificate specific to the application service module 104 defines which data items the application service module 104 can read. This authorization certificate is stored in the certificate area 105 of the application service module 104. (2) Before a user's electronic ID document is issued, the application-service root certificate of the certificate management device 106 must first be embedded in it.

The purpose of these two prerequisites is mainly to let the client application 102, on the user device 100, verify the authenticity and legitimacy of the authorization certificate provided by the application service module 104 directly by means of a certificate chain, using the root certificate already embedded in the electronic ID document. The client application 102 checks the access rights of the application service module 104 against the data-item specification in the authorization certificate, and shows the user which data items the application service module 104 has asked to access, for example date of birth, telephone number and residential address. The user can refuse to authorize some of these personal data items, leaving only the rest to be read. Only after the user consents can the client application 102 read the authorized personal data from the electronic ID document; once read, the personal data is returned to the browser 101 and passed on to the application service module 104. Applications of this kind can in future be used in scenarios such as pre-filling personal data forms, age checks, and services reserved for local residents.

Fig. 2 is a flowchart of electronic ID document authentication according to the present invention.

In step S21, when the application service module 220 needs to use the client's electronic ID document to authenticate the user, the application service module 220 initiates an authentication request to the browser 210.

In step S22, the browser 210 uses the web support module 211 to establish a connection to the client application 230 over the Internet 107 (shown in Fig. 1). If the client application 230 is not running, the web support module 211 starts it and then connects. Once the client application 230 has started, the client connection module 231 connects to the web support module 211. When the client connection module 231 receives the authentication request, it prompts the user with the request, along with the application service and the electronic ID document to which the authentication applies.

In step S23, after the user consents and inserts or taps the electronic ID document, the client application 230 calls the card access module 232 and performs the authentication that the particular electronic ID document prescribes, for example the user entering a personal identification number (PIN) or using biometrics to obtain the signature to be returned. After the electronic ID document has been authenticated, the authentication result is handed to the card access module 232.

In step S24, the card access module 232 sends the authentication result to the client connection module 231.

In step S25, the client connection module 231 sends the authentication result to the web support module 211.

In step S26, the web support module 211 sends the authentication result to the application service module 220, which completes the authentication procedure.

Fig. 3 is a flowchart of electronic ID document authentication and authorized access according to the present invention.

If the application service module 320 wants to access the content data of a particular electronic ID document, it must, as described above, obtain an authorization certificate in advance and store it in the certificate area 321. That is, the application service module 320 lists the data fields of the selectable user authentication data items; the certificate management device 106 (shown in Fig. 1) then grants the corresponding authorization permission according to the data fields of the selected user authentication data items, and the authorization permission is stored in the certificate area 321.

In step S31, when the application service module 320 needs to access the content data of the client's electronic ID document, it initiates an electronic ID document data access authorization request to the browser 310. The content of the authorization request must include a link to the certificate area 321 owned by the application service module 320.

In step S32, the browser 310 uses the web support module 311 to connect to the client application 330 over the Internet 107 (shown in Fig. 1) in order to communicate with it. If the client application 330 is not running, the web support module 311 starts it and then connects. Once started, the client application 330 runs the client connection module 331, which provides a connection service so that the web support module 311 can establish a connection with it.

In step S33, when the client connection module 331 receives the data authorization and access request (which must include the corresponding certificate area link), it opens a connection over the Internet 107 (shown in Fig. 1) and downloads the certificate from the certificate area 321. If there is no corresponding certificate, the request is rejected.

In step S34, the card access module 332 obtains the certificate from the certificate area 321 through the client connection module 331.

In step S35, the card access module 332 passes the certificate to the certificate verification module 333 for verification. The certificate verification module 333 first verifies that the certificate is within its validity period and has not been revoked. If this verification succeeds, the user is shown, based on the certificate, the data fields that the application service wants to read. The user can refuse or reduce the data fields to be read. After the user consents and inserts or taps the electronic ID document, the card access module 332 presents the certificate to the electronic ID document and executes data access commands for the data fields the user has agreed to provide or has selected. The electronic ID document verifies the certificate chain against the embedded application-service root certificate described above. If the certificate chain verifies, the electronic ID document accepts the data items to be read that are listed in the certificate, and only then can the data access commands read the electronic ID document correctly. If verification of the certificate chain fails, the electronic ID document will still refuse access when a data field requiring authorization is read.

In step S36, the certificate verification module 333 sends the electronic ID document's response to the card access module 332.

In step S37, the card access module 332 sends the electronic ID document's response to the client connection module 331.

In step S38, the client connection module 331 sends the electronic ID document's response to the web support module 311.

In step S39, the web support module 311 sends the electronic ID document's response to the application service module 320, which completes the data authorization and access procedure.
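The certificate handling of step S35, together with the two prerequisites described earlier (an authorization certificate that lists the permitted data items, and a root certificate embedded in the electronic ID document), as an added example that is not part of the patent. It is a Python simulation in which textbook RSA over small primes stands in for a real signature scheme and is not secure; the two-certificate chain, all function and field names, the keys and the sample data are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import date

# Textbook RSA over small Mersenne primes stands in for a real signature
# scheme so the example needs only the standard library. NOT secure.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public_part(key):
    return {"n": key["n"], "e": key["e"]}

def digest(body, n):
    canon = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n

def issue(body, issuer_key):
    """Certificate management device: sign a certificate body."""
    n = issuer_key["n"]
    return {"body": body, "sig": pow(digest(body, n), issuer_key["d"], n)}

def signature_ok(cert, pub):
    return pow(cert["sig"], pub["e"], pub["n"]) == digest(cert["body"], pub["n"])

def precheck(cert, today, revoked_serials):
    """Certificate verification module: validity period first, then revocation."""
    body = cert["body"]
    if not (body["not_before"] <= today.isoformat() <= body["not_after"]):
        return "expired"
    if body["serial"] in revoked_serials:
        return "revoked"
    return "ok"

class Card:
    """Electronic ID document: holds the root public key and the personal data."""
    def __init__(self, root_pub, personal_data):
        self.root_pub = root_pub
        self.data = personal_data
        self.granted = set()

    def present_chain(self, chain):
        """Verify each link from the embedded root down; grant fields on success."""
        self.granted = set()
        pub = self.root_pub
        for cert in chain:
            if pub is None or not signature_ok(cert, pub):
                return False
            pub = cert["body"].get("pub")  # only CA certificates carry a key
        self.granted = set(chain[-1]["body"].get("fields", []))
        return True

    def read(self, field):
        if field not in self.granted:
            raise PermissionError(field)
        return self.data[field]

def authorize_and_read(card, chain, user_approved, today, revoked_serials):
    """Card access module: run step S35 and return (status, released data)."""
    status = precheck(chain[-1], today, revoked_serials)
    if status != "ok":
        return status, {}
    requested = chain[-1]["body"]["fields"]
    # The user may refuse or reduce fields but can never widen the request.
    approved = [f for f in requested if f in user_approved]
    if not card.present_chain(chain):
        return "chain_rejected", {}
    return "ok", {f: card.read(f) for f in approved}

# --- constructed sample data (keys, names and values are made up) ---
ROOT_KEY = make_key(2**127 - 1, 2**89 - 1)
CA_KEY = make_key(2**107 - 1, 2**61 - 1)
CA_CERT = issue({"subject": "issuing-ca", "serial": 1, "not_before": "2018-01-01",
                 "not_after": "2028-01-01", "pub": public_part(CA_KEY)}, ROOT_KEY)
SERVICE_CERT = issue({"subject": "example-service", "serial": 42,
                      "not_before": "2018-01-01", "not_after": "2019-01-01",
                      "fields": ["birth_date", "phone"]}, CA_KEY)

def make_card():
    return Card(public_part(ROOT_KEY),
                {"name": "Test User", "birth_date": "1990-01-01",
                 "phone": "0900-000-000", "address": "1 Example Rd"})

def forged_cert():
    """The service edits its certificate to add 'address' but cannot re-sign it."""
    body = dict(SERVICE_CERT["body"], fields=["birth_date", "phone", "address"])
    return {"body": body, "sig": SERVICE_CERT["sig"]}

if __name__ == "__main__":
    today = date(2018, 6, 1)
    good, bad = [CA_CERT, SERVICE_CERT], [CA_CERT, forged_cert()]
    print(authorize_and_read(make_card(), good, {"birth_date"}, today, set()))
    print(authorize_and_read(make_card(), bad, {"address"}, today, set()))
```

The field list is enforced twice: the user can only narrow what the certificate requests, and the card releases nothing outside a certificate whose chain verifies against its embedded root.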

Compared with the shortcomings of conventional third-party service providing devices in authenticating users' electronic ID documents, the present invention provides a client-side electronic ID document authentication and authorization access system and method. Authentication with the application service can be performed on the client side using the electronic ID document, and a user authorization mechanism ensures that the application service can access only the personal data the user has allowed. The invention can be applied in the electronic ID document and multi-function card manufacturing industry, for example chip identity cards and citizen cards. Its technical advantages are: (1) authentication and authorization do not need the help of a unified authentication service system, and the user device only needs to connect to the service providing device; (2) data access is authorized at the user's electronic ID document device, and the service providing device's certificate determines which data fields it can access; (3) the user can decide which data to provide in each authorization.

The above embodiments merely illustrate the principles, features and effects of this disclosure and are not intended to limit its practicable scope. Anyone skilled in the art may modify and change the above embodiments without departing from the spirit and scope of this disclosure. Any equivalent changes and modifications made using the content disclosed here shall still be covered by the scope of the claims. The scope of protection of this disclosure is therefore as set out in the claims.

Claims (11)

一種電子證件認證授權存取系統,包含:一具有一應用服務模組之服務提供裝置,該應用服務模組係對一瀏覽器發起一認證請求並提供可選擇的使用者的認證資料項目的資料欄位,且該應用服務模組具有一憑證區,用以儲存授權權限的資料欄位;一憑證管理裝置,依據已選擇的該使用者的認證資料項目授予相對應之該授權權限的資料欄位;以及一具有一客戶端應用程式之使用者裝置,該客戶端應用程式係用以於接收由該瀏覽器所提供之對該認證請求後,呼叫該客戶端應用程式之一卡片存取模組,俾由該卡片存取模組執行該使用者之電子證件的認證,而毋須由一認證服務系統執行該電子證件的認證,以於該電子證件的認證完成後,由該客戶端應用程式下載該憑證區所發出的憑證及儲存在該憑證區的該授權權限的資料欄位後,透過該卡片存取模組將該憑證交由該客戶端應用程式之一憑證驗證模組進行認證,以令該應用服務模組透過該卡片存取模組所依據該授權權限的資料欄位讀取儲存在該電子證件內的該使用者的個人資料。 An electronic document authentication and authorization access system includes: a service providing device having an application service module, wherein the application service module initiates an authentication request to a browser and provides information of a selectable user's authentication data item a field, and the application service module has a voucher area for storing the data field of the authorization authority; and a voucher management device, according to the selected authentication data item of the user, the corresponding data column of the authorization authority is granted And a user device having a client application for receiving a card access mode of the client application after receiving the authentication request provided by the browser The group access module performs authentication of the user's electronic certificate without performing authentication of the electronic certificate by an authentication service system, so that after the authentication of the electronic document is completed, the client application is After downloading the certificate issued by the credential area and the data field of the authorized authority stored in the credential area, the card access module The certificate is authenticated by one of the client application credential verification modules, so that the application service module reads the stored in the electronic certificate through the data field of the authorization authority of the card access module. User's profile. 
如申請專利範圍第1項所述之系統,其中,可選擇的該使用者的認證資料項目包含該使用者的身份字號、該使用者的姓名、該使用者的手機電話號碼之一或其組合。 The system of claim 1, wherein the user's authentication data item includes the user's identity font number, the user's name, the user's mobile phone number, or a combination thereof. . 如申請專利範圍第1項所述之系統,其中,該瀏覽器包 含一網頁支援模組,用以透過一網際網路分別與該應用服務模組及該客戶端應用程式之一客戶端連線模組進行資料傳輸。 The system of claim 1, wherein the browser package The webpage support module is configured to transmit data to the application service module and the client connection module of the client application through an internet. 如申請專利範圍第3項所述之系統,其中,該卡片存取模組透過該客戶端連線模組進行資料傳輸。 The system of claim 3, wherein the card access module transmits data through the client connection module. 如申請專利範圍第1項所述之系統,其中,該憑證管理裝置將應用服務根憑證(root certificate)植入該電子證件以驗證該授權權限的真實性與合法性。 The system of claim 1, wherein the credential management device embeds an application root certificate into the electronic credential to verify the authenticity and legality of the authorization authority. 如申請專利範圍第1項所述之系統,其中,該電子證件為身分證、健保卡、駕照、信用卡之一者。 The system of claim 1, wherein the electronic document is one of an identity card, a health insurance card, a driver's license, and a credit card. 如申請專利範圍第1項所述之系統,其中,該應用服務模組接收該認證請求後,該客戶端應用程式將提示該使用者輸入個人識別碼(PIN)或利用生物辨識方式以進行該使用者的身份認證。 The system of claim 1, wherein after the application service module receives the authentication request, the client application prompts the user to input a personal identification number (PIN) or utilizes a biometric method to perform the User identity authentication. 
一種電子證件認證授權存取方法,包含:透過一應用服務模組向一瀏覽器發起一電子證件的資料存取授權之請求;透過一客戶端應用程式接收由該瀏覽器所提供之該請求以呼叫一卡片存取模組,再由該卡片存取模組進行該電子證件的認證,而毋須由一認證服務系統執行該電子證件的認證;當該電子證件認證完成後,透過一憑證管理裝置取得已選擇的一授權權限的資料欄位並存放於該應用服務模組之一憑證區; 透過一客戶端連線模組在該憑證區下載一憑證及該授權權限的資料欄位;以及透過與該客戶端連線模組連線的該卡片存取模組將該憑證交由一憑證驗證模組驗證,以令該應用服務模組透過該卡片存取模組所依據該授權權限的資料欄位讀取儲存在該電子證件內使用者的個人資料。 An electronic document authentication and authorization access method includes: initiating, by an application service module, a request for data access authorization of an electronic document to a browser; receiving, by a client application, the request provided by the browser Calling a card access module, and then the card access module performs authentication of the electronic certificate without performing authentication of the electronic certificate by an authentication service system; when the electronic certificate is authenticated, through a voucher management device Obtaining a data field of the selected authorization authority and storing it in one of the application service modules; Downloading a credential and a data field of the authorized authority in the credential area through a client connection module; and submitting the credential to the credential through the card access module connected to the client connection module The verification module verifies that the application service module reads the personal data of the user stored in the electronic certificate through the data field of the authorization authority according to the card access module. 如申請專利範圍第8項所述之方法,其中,該卡片存取模組對該電子證件進行認證包含該使用者輸入個人識別碼(PIN)或是利用生物辨識方式。 The method of claim 8, wherein the card access module authenticating the electronic certificate comprises the user entering a personal identification number (PIN) or using a biometric method. 
The method of claim 8, wherein the certificate management device embeds an application service root certificate in the electronic credential in order to verify the authenticity and legitimacy of the authorization permission.

The method of claim 8, wherein the electronic credential is one of an identity card, a health insurance card, a driver's license, and a credit card.
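The card-side checks in the method claimed above (local PIN authentication, certificate verification against the embedded trust anchor, release of only the authorized data fields) can be modelled as follows. This is an added example, not code from the patent: all names and sample values are hypothetical, and an HMAC under a shared key stands in for the signature that a real root certificate would verify with a public key.

```python
import hashlib
import hmac
import json

# Constructed sample values, not taken from the patent.
ROOT_KEY = b"constructed-root-key"
SAMPLE = {"id_number": "A000000000", "name": "Example User", "mobile": "0900000000"}

class AuthError(Exception):
    """Raised when the card refuses an operation."""

def issue_certificate(root_key, service_id, fields):
    # Certificate management device: bind the user-selected fields to one service.
    body = {"service": service_id, "fields": sorted(fields)}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(root_key, payload, hashlib.sha256).hexdigest()}

class Card:
    """Hypothetical electronic credential: personal data, PIN and trust anchor."""
    def __init__(self, pin, root_key, data, max_tries=3):
        self._pin = hashlib.sha256(pin.encode()).digest()
        self._root_key = root_key  # assumption: stands in for the embedded root certificate
        self._data = dict(data)
        self._max_tries = self._tries_left = max_tries
        self._unlocked = False

    def verify_pin(self, pin):
        # Authentication is decided on the card side; no authentication server is asked.
        if self._tries_left == 0:
            raise AuthError("card locked")
        if not hmac.compare_digest(self._pin, hashlib.sha256(pin.encode()).digest()):
            self._tries_left -= 1
            raise AuthError("wrong PIN")
        self._tries_left, self._unlocked = self._max_tries, True

    def read(self, cert, requested):
        # Release data only after PIN success, a valid certificate and a field check.
        if not self._unlocked:
            raise AuthError("user not authenticated")
        payload = json.dumps(cert["body"], sort_keys=True).encode()
        expected = hmac.new(self._root_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["sig"]):
            raise AuthError("certificate rejected")
        denied = set(requested) - set(cert["body"]["fields"])
        if denied:
            raise AuthError("fields not authorized: %s" % sorted(denied))
        return {name: self._data[name] for name in requested}
```

Because the field list is covered by the signature, a service that edits the list after issuance fails verification rather than gaining access to extra fields.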
TW106146248A 2017-12-28 2017-12-28 A system and method for accessing and authenticating an electronic certificate TWI647942B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106146248A TWI647942B (en) 2017-12-28 2017-12-28 A system and method for accessing and authenticating an electronic certificate

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106146248A TWI647942B (en) 2017-12-28 2017-12-28 A system and method for accessing and authenticating an electronic certificate

Publications (2)

Publication Number Publication Date
TWI647942B true TWI647942B (en) 2019-01-11
TW201931816A TW201931816A (en) 2019-08-01

Family

ID=65804168

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106146248A TWI647942B (en) 2017-12-28 2017-12-28 A system and method for accessing and authenticating an electronic certificate

Country Status (1)

Country Link
TW (1) TWI647942B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI742849B (en) * 2020-09-14 2021-10-11 中華電信股份有限公司 System and method for personal information authorization

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101458853A (en) * 2007-12-11 2009-06-17 结行信息技术(上海)有限公司 On-line POS system and smart card on-line payment method
TW201015941A (en) * 2008-10-03 2010-04-16 Chunghwa Telecom Co Ltd Network user identify verification system and method
US20100217980A1 (en) * 2007-01-10 2010-08-26 Kddi Corporation Communication Control System, Mobile Communication Terminal and Computer Program
TWI499269B (en) * 2013-02-04 2015-09-01 Delta Networks Xiamen Ltd Authentication and authorization method and system
US20170034168A1 (en) * 2014-09-16 2017-02-02 Nok Nok Labs, Inc. System and method for integrating an authentication service within a network architecture

