TWI675579B - Network authentication system and method - Google Patents

Network authentication system and method

Info

Publication number: TWI675579B
Authority: TW (Taiwan)
Prior art keywords: password, terminal device, verification, user, user terminal
Application number: TW106133931A
Other languages: Chinese (zh)
Other versions: TW201916631A
Inventors: 曾銀宏, 林俊明, 劉勝昌, 陳宥存, 卓瑩鎗
Original assignee: 優仕達資訊股份有限公司

Events:
Application filed by 優仕達資訊股份有限公司
Priority to TW106133931A
Priority to CN201811128588.3A
Publication of TW201916631A
Application granted
Publication of TWI675579B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a network identity verification system and method. The system comprises a user terminal device and a verification server. The user terminal device generates a user identification code, a terminal password, a first password and a second password, derives a cloud password by an encryption computation, and registers the user identification code, the cloud password and the first password with the verification server. In response to an identity confirmation request, the user terminal device performs two encryption operations and then sends the user identification code and a one-time valid verification code to the verification server. After receiving the verification code, the verification server performs at least two decryption operations before making its comparison and so obtains the identity verification result. Because the password data held on the client and in the cloud are deliberately kept out of step, leakage of either side's password does not compromise the security of user identity verification.

Description

Network identity verification system and method

The invention relates to a network identity verification system and method, and in particular to one implemented between a client and a server or cloud service.

The spread of the Internet has made transactions between clients and servers or cloud services increasingly frequent. In the prior art, when a client first registers with a server or cloud service, the initial setup usually requires entering an account name and a password, and often personal data such as a national ID number and date of birth. The server or cloud service stores these initial settings and, when the client later sends a login request, verifies the client's identity against the stored account name, password and personal data.

To improve the security of transactions between the server or cloud service and the client, some servers or cloud services require the client to register with a physical certificate (such as the Citizen Digital Certificate, 自然人憑證) and a card reader, and to authenticate with that certificate on every later login.

However, there have been repeated cases of user personal data leaking from servers or cloud services compromised by attackers. Once that happens, a server or cloud service that unilaterally checks the account name, password and personal data can no longer be sure of the real identity of the party logging in. Moreover, although requiring a physical certificate and card reader for registration and login improves transaction security, it also restricts where the client can log in and makes the procedure cumbersome.

One object of the invention is to provide a network identity verification system and method in which the client encrypts with a terminal password and the server or cloud decrypts with a cloud password.

Another object of the invention is to provide a network identity verification system and method in which the client uses the terminal password to generate a one-time valid password for logging in to the server or cloud.

Another object of the invention is to provide a network identity verification system and method in which the server or cloud uses the cloud password to decrypt the one-time valid password and so verify the client's identity.

To achieve one of the above objects, the invention proposes a network identity verification system comprising: a user terminal device, which generates a user identification code, a terminal password, a first password and a second password, applies an encryption computation to the terminal password and the second password to obtain a cloud password, and, in response to an identity confirmation request, issues a confirmation reply request containing at least the user identification code, a third password and a verification code; and a verification server, which stores the user identification code together with the cloud password and the first password associated with it, receives the confirmation reply request from the user terminal device, and obtains a verification result by performing the following operations: a decryption computation on the first password and the third password to obtain the second password; a decryption computation on the cloud password and the second password to obtain the terminal password; an encryption computation on the terminal password, the first password and a one-time valid serial number to obtain an operation code; and a comparison of the verification code with the operation code.

To achieve one of the above objects, the invention proposes a network identity verification method comprising: at a user terminal device, generating a user identification code, a terminal password, a first password and a second password, applying an encryption computation to the terminal password and the second password to obtain a cloud password, and, in response to an identity confirmation request, issuing a confirmation reply request containing at least the user identification code, a third password and a verification code; the user terminal device issuing a registration request that registers, under the user identification code, the cloud password and the first password associated with it with a verification server; and, at the verification server, in response to the confirmation reply request from the user terminal device, performing the following operations to obtain a verification result: a decryption computation on the first password and the third password to obtain the second password; a decryption computation on the cloud password and the second password to obtain the terminal password; an encryption computation on the terminal password, the first password and a one-time valid serial number to obtain an operation code; and a comparison of the verification code with the operation code.

To achieve one of the above objects, the invention proposes a network identity verification system comprising a verification server that communicates with a user terminal device over a network, the verification server comprising: a user database storing a user identification code together with a cloud password and a first password associated with it; a reply module that receives a confirmation reply request from the user terminal device and obtains a verification result from it, the confirmation reply request containing at least the user identification code, a third password and a verification code; and an encryption/decryption module that performs the following operations: computing the first password and the third password under a second decryption algorithm to obtain a second password; computing the cloud password and the second password under a first decryption algorithm to obtain a terminal password; and computing the terminal password, the first password and a one-time valid serial number under a third encryption algorithm to obtain an operation code. The verification code is compared with the operation code to obtain the verification result.

To achieve one of the above objects, the invention proposes a network identity verification method for a verification server that communicates with a user terminal device over a network, the method comprising: registering a user identification code together with a cloud password and a first password associated with it in a user database; and responding to a confirmation reply request from the user terminal device to obtain a verification result, the confirmation reply request containing at least the user identification code, a third password and a verification code. Obtaining the verification result comprises the following operations: computing the first password and the third password under a second decryption algorithm to obtain a second password; computing the cloud password and the second password under a first decryption algorithm to obtain a terminal password; computing the terminal password, the first password and a one-time valid serial number under a third encryption algorithm to obtain an operation code; and comparing the verification code with the operation code.

To achieve one of the above objects, the invention proposes a network identity verification system comprising a user terminal device that communicates with a verification server over a network, the user terminal device comprising: a password generation module that generates a user identification code, a terminal password, a first password and a second password and computes the terminal password and the second password under a first encryption algorithm to obtain a cloud password; a login/registration module that issues a registration request registering, under the user identification code, the cloud password and the first password associated with it with the verification server; a request/reply module that, in response to an identity confirmation request, issues a confirmation reply request to the verification server and so causes it to issue a verification result; and an encryption module that, in response to the identity confirmation request, performs the following operations: obtaining a one-time valid serial number; computing the first password and the second password under a second encryption algorithm to obtain a third password; and computing the terminal password, the first password and the one-time valid serial number under a third encryption algorithm to obtain a verification code. The confirmation reply request contains at least the user identification code, the third password and the verification code.

To achieve one of the above objects, the invention proposes a network identity verification method for a user terminal device that communicates with a verification server over a network, the method comprising: generating a user identification code, a terminal password, a first password and a second password, and computing the terminal password and the second password under a first encryption algorithm to obtain a cloud password; registering, under the user identification code, the cloud password and the first password associated with it in a user database of the verification server; and, in response to an identity confirmation request, performing the following operations: obtaining a one-time valid serial number; computing the first password and the second password under a second encryption algorithm to obtain a third password; computing the terminal password, the first password and the one-time valid serial number under a third encryption algorithm to obtain a verification code; and issuing a confirmation reply request that sends at least the user identification code, the third password and the verification code to the verification server, so that the verification server issues a verification result.

To achieve one of the above objects, the invention proposes a network identity verification method comprising: storing a user identification code together with a cloud password and a first password associated with it in a user database, the cloud password having been obtained by computing a terminal password and a second password under a first encryption algorithm; and, in response to a confirmation reply request, receiving the user identification code, a third password and a one-time valid verification code and performing the following steps: computing the first password and the third password under a second decryption algorithm to obtain the second password; computing the cloud password and the second password under a first decryption algorithm to obtain the terminal password; computing the terminal password, the first password and a one-time valid serial number under a third encryption algorithm to obtain an operation code; and checking whether the one-time valid verification code and the operation code are identical.

With the network identity verification system and method of the invention, the user terminal needs no physical certificate (such as the Citizen Digital Certificate) and no associated reader in order to authenticate; the user's existing mobile terminal device performs the network identity verification directly, which keeps cost low. Because a mobile terminal device is portable, verification can be performed anywhere at any time rather than at a fixed location, giving high mobility. And because the application (App) installed on the mobile terminal device completes the whole verification in a single action, the procedure is highly convenient.

Furthermore, owing to the following characteristics, user identity verification remains secure even if the data on the verification server or on the mobile terminal device is stolen:
(i) The client and the verification server store different data: the terminal password on the client and, on the server, the cloud password obtained by encrypting the terminal password. The two are not synchronized.
(ii) The second password is stored only on the client, never on the verification server. It is encrypted and sent to the verification server only when verification is performed, where it serves to decrypt the cloud password. Even if the cloud password on the server or the terminal password on the client is stolen, verification cannot be carried out without the second password.
(iii) A one-time valid serial number makes the verification code different on every verification, so it cannot be reused. The serial number is not stored in advance on the client or the server; it is obtained only when verification is performed, used to generate the verification code, and the code is then sent to the verification server for comparison.
(iv) The client performs two encryption operations before issuing the confirmation reply request to the verification server, and the verification server performs two decryption operations and one encryption operation before comparing to obtain the verification result.
(v) The comparison on the verification server is between the verification code that was encrypted once on the client and the operation code produced by the server's own encryption and decryption operations, never a direct comparison of unencrypted passwords held on both the client and the server.
(vi) After each verification completes, both the client and the verification server update the first password, so every verification procedure computes with a different first password.
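The following Python program is an added worked example, not code from the patent or its assignee. It models the registration and confirmation-reply exchange set out in the claims above and the six characteristics just listed, with both parties in one file. The patent names no concrete algorithms, so several choices here are assumptions: the first and second encryption algorithms (Fn1, Fn2) are stood in for by a toy SHA-256 counter-mode stream cipher, the third encryption algorithm (Fn3) by HMAC-SHA256, the first-password update of characteristic (vi) by a hash of Key_B and the serial number, and the one-time valid serial number is assumed to travel inside the confirmation reply so that the server can recompute Fn3. The replay guard and the names Terminal, VerificationServer, run_exchange and replay_is_rejected are this example's own.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: block i = SHA-256(key || nonce || i)
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy reversible cipher standing in for Fn1/Fn2 (ASSUMPTION: the patent names none).
    Output is nonce || (plaintext XOR keystream); illustrative only, not an AEAD."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def fn3(key_a: bytes, key_b: bytes, serial: bytes) -> bytes:
    """Third encryption algorithm over (Key_A, Key_B, serial). ASSUMPTION: HMAC-SHA256."""
    return hmac.new(key_a + key_b, serial, hashlib.sha256).digest()


def next_key_b(key_b: bytes, serial: bytes) -> bytes:
    """Characteristic (vi): both sides replace Key_B after a successful verification.
    ASSUMPTION: the patent gives no rule; here Key_B' = SHA-256(Key_B || serial)."""
    return hashlib.sha256(key_b + serial).digest()


class Terminal:
    """User terminal device 20: keeps user_id, Key_A, Key_B and Hide_no locally."""
    def __init__(self, user_id: str) -> None:
        self.user_id = user_id
        self.key_a = secrets.token_bytes(32)    # terminal password Key_A
        self.key_b = secrets.token_bytes(32)    # first password Key_B
        self.hide_no = secrets.token_bytes(32)  # second password Hide_no, never registered

    def registration_request(self) -> dict:
        key_a_prime = encrypt(self.hide_no, self.key_a)   # Fn1: cloud password Key_A'
        return {"user_id": self.user_id, "key_a_prime": key_a_prime, "key_b": self.key_b}

    def confirmation_reply(self) -> dict:
        serial = secrets.token_bytes(16)                  # one-time valid serial number
        third = encrypt(self.key_b, self.hide_no)         # Fn2: third password
        ac = fn3(self.key_a, self.key_b, serial)          # Fn3: verification code AC
        # ASSUMPTION: the serial rides in the reply so the server can recompute Fn3.
        return {"user_id": self.user_id, "third": third, "ac": ac, "serial": serial}

    def on_success(self, serial: bytes) -> None:
        self.key_b = next_key_b(self.key_b, serial)       # characteristic (vi), client side


class VerificationServer:
    """Verification server 10 with user database 11: user_id -> (Key_A', Key_B)."""
    def __init__(self) -> None:
        self.db: dict = {}
        self.used_serials: set = set()  # replay guard: practitioner addition, not in the claims

    def register(self, req: dict) -> None:
        self.db[req["user_id"]] = {"key_a_prime": req["key_a_prime"], "key_b": req["key_b"]}

    def verify(self, reply: dict) -> bool:
        rec = self.db.get(reply["user_id"])
        if rec is None or reply["serial"] in self.used_serials:
            return False
        hide_no = decrypt(rec["key_b"], reply["third"])      # second decryption algorithm
        key_a = decrypt(hide_no, rec["key_a_prime"])         # first decryption algorithm
        op_code = fn3(key_a, rec["key_b"], reply["serial"])  # third encryption algorithm
        if not hmac.compare_digest(op_code, reply["ac"]):    # AC vs. operation code
            return False
        self.used_serials.add(reply["serial"])
        rec["key_b"] = next_key_b(rec["key_b"], reply["serial"])  # characteristic (vi), server side
        return True


def run_exchange(rounds: int = 2) -> list:
    """Register once, then verify `rounds` times; returns one result per round."""
    term = Terminal("0912000000")  # constructed sample user_id (a phone number, per the text)
    server = VerificationServer()
    server.register(term.registration_request())
    results = []
    for _ in range(rounds):
        reply = term.confirmation_reply()
        results.append(server.verify(reply))
        if results[-1]:
            term.on_success(reply["serial"])
    return results


def replay_is_rejected() -> bool:
    """A captured confirmation reply must not verify a second time."""
    term, server = Terminal("0912000000"), VerificationServer()
    server.register(term.registration_request())
    reply = term.confirmation_reply()
    first = server.verify(reply)
    term.on_success(reply["serial"])
    return first and not server.verify(reply)
```

Two points the claims leave to the implementer show up as soon as the exchange is coded. First, the server has to learn the one-time serial number to recompute the third encryption algorithm, and the code is only one-time if the server also remembers which serials it has accepted; the example carries the serial in the reply and keeps a used-serial set for that reason. Second, the server's own verification path recovers Hide_no from the third password using the stored Key_B and then Key_A from Key_A', so anyone holding a copy of the user database together with one captured confirmation reply can run the same two decryptions. Characteristic (ii) therefore protects against theft of stored data on its own; the confirmation reply still needs a protected transport such as TLS.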

10: verification server
11: user database
12: login/registration module
13: encryption/decryption module
14: reply module
20: user terminal device
21: application
22: login/registration module
23: password generation module
24: encryption module
25: request/reply module
30: website server
100, 200, 300: network identity verification methods
101 to 104, 201 to 206, 301 to 309: steps

FIG. 1A is an architecture diagram of a network identity verification system according to the invention.

FIG. 1B is an architecture diagram of another network identity verification system according to the invention.

FIG. 2 is a block diagram of the user terminal device of the system of the invention.

FIG. 3 is a block diagram of the verification server of the system of the invention.

FIG. 4 is a flowchart of the network identity verification method of the invention.

FIG. 5 is a flowchart of the network identity verification method of the invention as used on the user terminal device.

FIG. 6 is a flowchart of the network identity verification method of the invention as used on the verification server.

FIG. 7A is a message flow diagram of the system of the invention as shown in FIG. 1A.

FIG. 7B is a message flow diagram of the system of the invention as shown in FIG. 1B.

Refer first to FIG. 1A, an architecture diagram of a network identity verification system of the invention. In this embodiment the system comprises a user terminal device 20 and a verification server 10, the user terminal device 20 preferably being a mobile communication device. An application (App) installed on the user terminal device 20 connects to the verification server 10. The application generates a set of associated passwords comprising a user identification code user_id, a terminal password key_A, a first password key_B and a second password Hide_no, and obtains a cloud password key_A' by an encryption computation. The user terminal device 20 sends a registration request to the verification server 10 that registers user_id, key_A' and key_B with it for later identity verification. The verification server 10 stores key_A' and key_B under user_id in a user database 11. The user identification code user_id is preferably a mobile phone number, the handset's International Mobile Equipment Identity (IMEI), or a unique serial number.

Refer also to FIG. 7A, the message flow diagram of the system of FIG. 1A. After installing the application, the user terminal device 20 sends a registration request to the verification server 10 during the registration procedure, transmitting a set of passwords for identity verification that the verification server 10 stores in the user database 11. When the user terminal device 20 or a client PC wants to log in to a website server 30, the user terminal device 20 sends a login request to the website server 30, whose login routine responds by sending an identity confirmation request to both the user terminal device 20 and the verification server 10. On receiving that request, the user terminal device 20 performs two encryption operations in a single action to produce a one-time valid verification code AC, and only then issues a confirmation reply request under user_id that carries the verification passwords to the verification server 10. The verification server 10, having received the identity confirmation request from the website server 30, waits in its verification procedure for the confirmation reply request from the user terminal device 20, receives the one-time valid verification code AC, performs two decryption operations and one encryption operation, and only then compares to obtain a verification result. It returns that result, keyed by user_id, to the website server 30 that issued the identity confirmation request, and the login routine of the website server 30 decides on that basis whether to admit the user terminal device 20 or the client PC.

Refer to FIG. 1B, an architecture diagram of another network identity verification system of the invention. In this embodiment the system again comprises a user terminal device 20 and a verification server 10, the user terminal device 20 preferably being a mobile communication device. An application (App) installed on the user terminal device 20 connects to the verification server 10. The application generates a set of associated passwords comprising a user identification code user_id, a terminal password key_A, a first password key_B and a second password Hide_no, and obtains a cloud password key_A' by an encryption computation. The user terminal device 20 sends a registration request to the verification server 10 that registers user_id, key_A' and key_B with it for later identity verification. The verification server 10 stores key_A' and key_B under user_id in a user database 11. The user identification code user_id is preferably a mobile phone number, the handset's International Mobile Equipment Identity (IMEI), or a unique serial number.

Refer also to FIG. 7B, the message flow diagram of the system of FIG. 1B. After installing the application, the user terminal device 20 sends a registration request to the verification server 10 during the registration procedure, transmitting a set of passwords for identity verification that the verification server 10 stores in the user database 11. When the user terminal device 20 or a client PC wants to log in to the verification server 10 itself, the user terminal device 20 sends a login request to the verification server 10, whose login routine responds by sending an identity confirmation request to the user terminal device 20. On receiving that request, the user terminal device 20 performs two encryption operations in a single action to produce a one-time valid verification code AC, and only then issues a confirmation reply request under user_id that carries the verification passwords to the verification server 10. The verification procedure of the verification server 10 receives the one-time valid verification code AC from that confirmation reply request, performs two decryption operations and one encryption operation, and only then compares to obtain a verification result. The verification server 10 decides on the basis of that result whether to admit the user terminal device 20 or the client PC.

In a variant of the embodiment shown in FIG. 1B, after the user terminal device 20 sends a login request to the authentication server 10, it may send the confirmation reply request to the authentication server 10 for identity verification directly, without waiting, after the login request, for the authentication server 10 to send an identity confirmation request before executing the confirmation reply request.

In the embodiments described above, the identity confirmation request is a command that prompts the user terminal device 20 to send a confirmation reply request to the authentication server 10. In the embodiment shown in FIG. 1A, the identity confirmation request issued by the web server 30 should include the user identification code user_id, because when the authentication server 10 receives the confirmation reply request sent by the user terminal device 20 based on user_id, it must return the verification result for that user_id to the web server that issued the identity confirmation request.

Please refer to FIG. 2, which shows a block diagram of the user terminal device of the system of the present invention. The user terminal device 20 of the system is preferably a smartphone, such as an Apple iPhone or a Samsung Galaxy. The user terminal device 20 downloads and installs an application 21, which makes the user terminal device 20 a required device for network identity verification. The user terminal device 20 executes the application 21 to implement the following modules: a login/registration module 22, a password generation module 23, an encryption module 24 and a request/reply module 25. The login/registration module 22 establishes a communication connection between the user terminal device 20 and the preset authentication server 10. When the user terminal device 20 connects to the authentication server 10 for the first time, the login/registration module 22 enters a registration procedure and sends a registration request to the authentication server 10. During that registration procedure, the password generation module 23 generates and stores a set of associated passwords comprising a user identification code user_id, a terminal password Key_A, a first password Key_B and a second password Hide_no, and the encryption module 24 computes the terminal password Key_A and the second password Hide_no under a first encryption algorithm, or first encryption function Fn11, to obtain a cloud password Key_A', that is, Key_A' = Fn11{Key_A, Hide_no}. Based on the user identification code user_id, the registration request registers the cloud password key_A' and the first password key_B corresponding to that user_id with the authentication server 10.

In the embodiments shown in FIG. 1A and FIG. 1B, when the user terminal device 20 is to log in to a web server 30 or an authentication server 10, the login/registration module 22 establishes a communication connection between the user terminal device 20 and the web server 30 or authentication server 10 and then sends a login request containing the account and password set by the user. The request/reply module 25 then receives an identity confirmation request and decides whether to execute a single-action procedure, as shown in FIG. 5. In response to the identity confirmation request, the encryption module 24 obtains a third password Key_B' and a one-time valid verification code AC through two encryption calculations, and the request/reply module 25 sends a confirmation reply request to the authentication server 10 transmitting at least the user identification code user_id, the third password Key_B' and the one-time valid verification code AC, so that the authentication server 10 can perform the user's network identity verification.

Please refer to FIG. 3, which shows a block diagram of the authentication server of the system of the present invention. The authentication server 10 of the system includes a user database 11 that stores the user identification code user_id registered from the user terminal device 20, together with the cloud password key_A' and the first password key_B corresponding to that user_id. The authentication server 10 executes application software to implement the following modules: a login/registration module 12, an encryption/decryption module 13 and a reply module 14. In response to the registration request sent by the user terminal device 20, the login/registration module 12 stores the received user identification code user_id, and the cloud password key_A' and first password key_B corresponding to it, in the user database 11.

In the embodiment shown in FIG. 1A, when the user terminal device 20 or the client personal computer wants to log in to a web server 30, the web server 30 responds to the login request by sending an identity confirmation request to the user terminal device 20 and to the authentication server 10. The reply module 14 receives the identity confirmation request and waits to receive the confirmation reply request from the user terminal device 20 in order to carry out the identity verification procedure shown in FIG. 6; the encryption/decryption module 13 performs two decryption operations and one encryption operation before the comparison that yields the verification result, and the reply module 14 returns the verification result to the web server 30 that issued the identity confirmation request, so that the web server 30 can decide whether to accept the login of the user terminal device 20 or the client personal computer.

In the embodiment shown in FIG. 1B, when the user terminal device 20 or the client personal computer wants to log in to the authentication server 10, the login/registration module 12 of the authentication server 10 responds to the login request by sending an identity confirmation request to the user terminal device 20. The reply module 14 waits to receive the confirmation reply request from the user terminal device 20 in order to carry out the identity verification procedure shown in FIG. 6; the encryption/decryption module 13 performs two decryption operations and one encryption operation before the comparison that yields the verification result. The authentication server 10 decides, based on the verification result, whether to accept the login of the user terminal device 20 or the client personal computer.

Please refer to FIG. 4, which shows a flowchart of the network identity verification method of the present invention. In the embodiments shown in FIG. 1A and FIG. 1B, the network identity verification method 100 used by the network identity verification system of the present invention includes the following. Step 101: the user terminal device 20 installs an application (APP) that generates a set of associated passwords comprising a user identification code user_id, a terminal password key_A, a first password key_B and a second password Hide_no, and registers with the authentication server 10, so that the user database 11 stores the user identification code user_id registered from the user terminal device 20, together with the cloud password key_A' and the first password key_B corresponding to that user_id.

Step 102: after the user terminal device 20 sends a login request, it receives the identity confirmation request sent by the web server 30 in response to the login request, as shown in FIG. 1A, or the identity confirmation request sent by the authentication server 10 in response to the login request, as shown in FIG. 1B. Step 103: in response to the identity confirmation request, the user terminal device 20 executes the single-action procedure shown in FIG. 5 and sends a confirmation reply request to the authentication server 10 transmitting at least the user identification code user_id, the third password Key_B' and the one-time valid verification code AC, so that the authentication server 10 can perform the user's network identity verification. Finally, step 104: in response to the confirmation reply request, the authentication server 10 executes the identity verification procedure shown in FIG. 6 and then responds to the identity confirmation request with the verification result.

Please refer to FIG. 5, which shows a flowchart of the network identity verification method of the present invention as used on the user terminal device. In this embodiment, when the user terminal device 20 responds to an identity confirmation request from the web server 30 shown in FIG. 1A or from the authentication server 10 shown in FIG. 1B, the application executed by the user terminal device 20 is prompted to use a network identity verification method 200 as shown in FIG. 5, which includes the following steps. Step 201: the request/reply module 25 receives the identity confirmation request sent by the web server 30 of FIG. 1A or by the authentication server 10 of FIG. 1B; the identity confirmation request may or may not include the user identification code user_id. Step 202: the request/reply module 25 determines whether the user has instructed, through the human-machine interface of the user terminal device 20, that the single-action procedure be executed. If so, step 203 is executed; if not, the module waits for the user's instruction, and if no instruction is given within a preset time, or the user declines to execute it, the request/reply module 25 replies to the identity confirmation request with an identity-not-confirmed message.

The single-action procedure comprises steps 203 to 206. In different embodiments of the invention, for the decision in step 202 the user may order execution of the single-action procedure by operating a human-machine interface provided by the user terminal device 20. That human-machine interface may be a virtual button displayed on a touchscreen, the phone's Home button, a fingerprint recognition sensing interface (for example Touch ID), a face recognition sensing interface (for example Face ID), an iris recognition sensing interface, a voiceprint recognition sensing interface, or the like, so as to detect a single action by the user.

Continuing with FIG. 5, in step 203 the request/reply module 25 looks up, according to the user identification code user_id, the corresponding terminal password key_A, first password Key_B and second password Hide_no. Next, in step 204, the encryption module 24 computes the first password Key_B and the second password Hide_no under a second encryption algorithm, or second encryption function Fn21, to obtain a third password Key_B', that is, Key_B' = Fn21{Key_B, Hide_no}. Next, in step 205, the encryption module 24, based on a one-time valid serial number X, computes the terminal password key_A, the first password Key_B and the one-time valid serial number X under a third encryption algorithm, or third encryption function Fn3, to obtain a one-time valid verification code AC, that is, AC = Fn3{key_A, Key_B, X}, where the one-time valid serial number X is a random value or a time-dependent serial number. Finally, in step 206, the request/reply module 25 responds to the identity confirmation request by sending a confirmation reply request that transmits at least the user identification code user_id, the third password Key_B' and the verification code AC to the authentication server 10. In different embodiments of the invention, the first encryption algorithm Fn11 and the second encryption algorithm Fn21 may be the same or different.

In addition, in different embodiments of the invention the encryption module 24 obtains the one-time valid serial number X in different ways, and this determines whether the confirmation reply request sent by the request/reply module 25 carries the one-time valid serial number X. For example: in the single-action procedure executed in response to the identity confirmation request, the password generation module 23 may generate the one-time valid serial number X and supply it to the encryption module 24 to compute the one-time valid verification code AC, in which case the confirmation reply request sent by the request/reply module 25 transmits the one-time valid serial number X to the authentication server 10. In the embodiment shown in FIG. 1A, the web server 30 may generate the one-time valid serial number X in response to the login request sent by the user terminal device 20 and then, when sending the identity confirmation request, transmit X to the user terminal device 20 and the authentication server 10, so that the request/reply module 25 of the user terminal device 20 obtains X by receiving the identity confirmation request and supplies it to the encryption module 24 to compute the one-time valid verification code AC; the confirmation reply request sent by the request/reply module 25 then need not transmit X to the authentication server 10. In the embodiment shown in FIG. 1B, the authentication server 10 may generate the one-time valid serial number X in response to the login request sent by the user terminal device 20 and then, when sending the identity confirmation request, transmit X to the user terminal device 20, so that the request/reply module 25 of the user terminal device 20 obtains X by receiving the identity confirmation request and supplies it to the encryption module 24 to compute the one-time valid verification code AC; the confirmation reply request sent by the request/reply module 25 then need not transmit X to the authentication server 10.

In a further embodiment shown in FIG. 5, after step 206 the method 200 further includes: the password generation module 23 generates a new first password key_B to replace the original first password key_B and transmits the new first password key_B to the authentication server 10 to replace the originally registered first password key_B; or the request/reply module 25 receives a new first password key_B generated by the authentication server 10 to replace the original first password key_B on the user terminal device 20.

Please refer to FIG. 6, which shows a flowchart of the network identity verification method of the present invention as used on the authentication server. In the embodiment shown in FIG. 1A, when the authentication server 10 responds to an identity confirmation request from the web server 30, the application software executed by the authentication server 10 is prompted to use a network identity verification method 300 as shown in FIG. 6, which includes the following steps. Step 301: the reply module 14 receives the identity confirmation request sent by the web server 30; the identity confirmation request includes the user identification code user_id. Step 302: the reply module 14 determines whether the confirmation reply request from the user terminal device 20 has been received. If so, step 303 is executed; if not, the module waits for the confirmation reply request from the user terminal device 20, and if it is not received within a preset time, the reply module 14 replies to the identity confirmation request with an identity-not-confirmed message.

Continuing with FIG. 6, in step 303 the reply module 14 receives the confirmation reply request sent by the user terminal device 20 and obtains the user identification code user_id, the third password Key_B', the one-time valid serial number X and the verification code AC, where the one-time valid serial number X was generated on the user terminal device 20. In different embodiments of the invention, if the one-time valid serial number X is generated by the web server 30 and transmitted to the authentication server 10 through the identity confirmation request, the confirmation reply request from the user terminal device 20 need not include X; likewise, if X is generated by the authentication server 10 and transmitted to the user terminal device 20 through the identity confirmation request for computing the one-time valid verification code AC, the confirmation reply request from the user terminal device 20 need not include X either.

Continuing with FIG. 6, in step 304 the reply module 14 looks up in the user database 11, according to the user identification code user_id, the cloud password key_A' and the first password key_B corresponding to that user_id. Next, in step 305, the encryption/decryption module 13 computes the third password Key_B' and the first password Key_B under a second decryption algorithm, or second decryption function Fn22, to obtain the second password Hide_no, that is, Hide_no = Fn22{Key_B', Key_B}. Next, in step 306, the encryption/decryption module 13 computes the cloud password key_A' and the second password Hide_no under a first decryption algorithm, or first decryption function Fn12, to obtain the terminal password key_A, that is, key_A = Fn12{key_A', Hide_no}. Next, in step 307, the encryption/decryption module 13 computes the terminal password key_A, the first password Key_B and the one-time valid serial number X under the third encryption algorithm, or third encryption function Fn3, to obtain an operation code AC', that is, AC' = Fn3{key_A, Key_B, X}. Next, in step 308, the reply module 14 compares the operation code AC' obtained in step 307 with the verification code AC transmitted by the user terminal device 20 to obtain a verification result. If the verification result shows that the operation code AC' and the verification code AC are the same, the user has passed identity verification, meaning that the first password Key_B stored on the user terminal device 20 is the same as the first password Key_B stored in the user database 11 of the authentication server 10 for that user_id. Conversely, if the verification result shows that the operation code AC' and the verification code AC differ, the user has not passed identity verification. Finally, in step 309, the reply module 14 replies to the identity confirmation request by returning the verification result obtained in step 308 to the web server 30, so that the web server 30 can decide whether to accept the login of the user terminal device 20 or the client personal computer.

Continuing with FIG. 6, in the embodiment shown in FIG. 1B, when the identity confirmation request is sent by the authentication server 10 to the user terminal device 20, the application software executed by the authentication server 10 uses the network identity verification method 300 of FIG. 6 without executing step 301, and in step 309 the login/registration module 12 decides, based on the verification result obtained in step 308, whether to accept the login of the user terminal device 20 or the client personal computer.

In a further embodiment shown in FIG. 6, after step 309 the method 300 further includes: the reply module 14 generates a new first password key_B to replace the original first password key_B stored in the user database 11 for the user identification code user_id, and transmits the new first password key_B to the user terminal device 20 to replace the original first password key_B; or the reply module 14 receives a new first password key_B generated by the user terminal device 20 to replace the original first password key_B stored in the user database 11 for that user_id.
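As an added worked example, not code from the patent, the single-action procedure of FIG. 5 (steps 203 to 206), the verification procedure of FIG. 6 (steps 304 to 309) and the replacement of key_B afterwards, run end to end in Python. The patent leaves Fn11, Fn12, Fn21, Fn22 and Fn3 unspecified; the HMAC-SHA256 instantiations, the replay check on X and the constant-time comparison of AC with AC' are assumptions made here, as is the constructed sample user_id.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not the patent's own code. The patent leaves Fn11/Fn12, Fn21/Fn22
# and Fn3 unspecified; the HMAC-SHA256 forms below are assumptions chosen so that
# Fn12 inverts Fn11 and Fn22 recovers Hide_no from (Key_B', Key_B). Secrets are 32 bytes.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _mask(secret: bytes, label: bytes) -> bytes:
    # 32-byte keystream derived from a secret and a domain-separation label.
    return hmac.new(secret, label, hashlib.sha256).digest()

def fn11(key_a: bytes, hide_no: bytes) -> bytes:
    # Key_A' = Fn11{Key_A, Hide_no}: the cloud password registered at the server.
    return _xor(key_a, _mask(hide_no, b"Fn1"))

def fn12(key_a_cloud: bytes, hide_no: bytes) -> bytes:
    # Key_A = Fn12{Key_A', Hide_no}: same mask, so it undoes fn11.
    return _xor(key_a_cloud, _mask(hide_no, b"Fn1"))

def fn21(key_b: bytes, hide_no: bytes) -> bytes:
    # Key_B' = Fn21{Key_B, Hide_no}: the third password carried in the confirm reply.
    return _xor(hide_no, _mask(key_b, b"Fn2"))

def fn22(key_b_third: bytes, key_b: bytes) -> bytes:
    # Hide_no = Fn22{Key_B', Key_B}: server side, using the stored Key_B.
    return _xor(key_b_third, _mask(key_b, b"Fn2"))

def fn3(key_a: bytes, key_b: bytes, x: bytes) -> bytes:
    # AC = Fn3{Key_A, Key_B, X}: one-way, keyed by both device secrets.
    return hmac.new(key_a + key_b, x, hashlib.sha256).digest()

class UserTerminal:
    """App modules 22-25 on the device: registration and the single-action procedure."""
    def __init__(self, user_id: str) -> None:
        self.user_id = user_id
        self.key_a = os.urandom(32)    # terminal password, never leaves the device
        self.key_b = os.urandom(32)    # first password, shared with the server
        self.hide_no = os.urandom(32)  # second password, only ever sent masked

    def registration_request(self) -> Dict[str, object]:
        # Step 101: register user_id, Key_A' and Key_B; Key_A and Hide_no stay local.
        return {"user_id": self.user_id,
                "key_a_cloud": fn11(self.key_a, self.hide_no),
                "key_b": self.key_b}

    def confirm_reply_request(self) -> Dict[str, object]:
        # Steps 203-206, variant in which the device generates X and sends it along.
        x = os.urandom(16)  # one-time valid serial number (random-value form)
        return {"user_id": self.user_id,
                "key_b_third": fn21(self.key_b, self.hide_no),
                "x": x,
                "ac": fn3(self.key_a, self.key_b, x)}

    def accept_new_key_b(self, new_key_b: bytes) -> None:
        # Further embodiment after step 206: server-generated replacement for Key_B.
        self.key_b = new_key_b

class AuthServer:
    """Server modules 12-14: user database, decryption/encryption, reply."""
    def __init__(self) -> None:
        self.user_db: Dict[str, Tuple[bytes, bytes]] = {}  # user_id -> (Key_A', Key_B)
        self.seen_x = set()  # replay guard for X: an assumption, not in the patent text

    def register(self, req: Dict[str, object]) -> None:
        self.user_db[req["user_id"]] = (req["key_a_cloud"], req["key_b"])

    def verify(self, req: Dict[str, object]) -> Tuple[bool, Optional[bytes]]:
        """Steps 304-309; returns (verification result, new Key_B on success)."""
        record = self.user_db.get(req["user_id"])
        if record is None or req["x"] in self.seen_x:
            return False, None
        key_a_cloud, key_b = record                          # step 304: DB lookup
        hide_no = fn22(req["key_b_third"], key_b)            # step 305: recover Hide_no
        key_a = fn12(key_a_cloud, hide_no)                   # step 306: recover Key_A
        ac_expected = fn3(key_a, key_b, req["x"])            # step 307: AC'
        if not hmac.compare_digest(ac_expected, req["ac"]):  # step 308: constant-time
            return False, None
        self.seen_x.add(req["x"])
        new_key_b = os.urandom(32)                           # rotation after step 309
        self.user_db[req["user_id"]] = (key_a_cloud, new_key_b)
        return True, new_key_b

def run_exchange() -> Tuple[bool, bool, bool]:
    """Register, log in once, replay that request, then log in with the rotated Key_B."""
    device = UserTerminal("0912000000")  # constructed sample user_id (phone-number form)
    server = AuthServer()
    server.register(device.registration_request())
    first = device.confirm_reply_request()
    ok_first, new_key_b = server.verify(first)
    device.accept_new_key_b(new_key_b)
    ok_replay, _ = server.verify(first)  # same X and AC again: must be rejected
    ok_second, _ = server.verify(device.confirm_reply_request())
    return ok_first, ok_replay, ok_second  # (True, False, True)
```

Note that the server never sees Key_A or Hide_no in the clear: it recovers them only transiently from Key_B' and the stored Key_A', which is why a database dump alone does not yield a valid AC.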

Claims (20)

A network identity verification system, comprising: an authentication server that communicates with a user terminal device via a network and comprises: a user database that stores a user identification code, together with a cloud password and a first password corresponding to the user identification code; a reply module that receives a confirmation reply request sent by the user terminal device and obtains a verification result accordingly, wherein the confirmation reply request includes at least the user identification code, a third password and a verification code; and an encryption/decryption module that performs the following operations: computing the first password and the third password under a second decryption algorithm to obtain a second password; computing the cloud password and the second password under a first decryption algorithm to obtain a terminal password; and computing the terminal password, the first password and a one-time valid serial number under a third encryption algorithm to obtain an operation code; wherein the verification code is compared with the operation code to obtain the verification result.
A network identity verification system, comprising: a user terminal device that communicates with an authentication server via a network and comprises: a password generation module that generates a user identification code, a terminal password, a first password and a second password, and computes the terminal password and the second password under a first encryption algorithm to obtain a cloud password; a login/registration module that sends a registration request which, based on the user identification code, registers the cloud password and the first password corresponding to the user identification code in a user database of the authentication server; a request/reply module that, in response to an identity confirmation request, sends a confirmation reply request to the authentication server, causing the authentication server to issue a verification result; and an encryption module that, in response to the identity confirmation request, performs the following operations: obtaining a one-time valid serial number; computing the first password and the second password under a second encryption algorithm to obtain a third password; and computing the terminal password, the first password and the one-time valid serial number under a third encryption algorithm to obtain a verification code; wherein the confirmation reply request includes at least the user identification code, the third password and the verification code.
The network identity verification system of claim 1 or 2, wherein the one-time valid serial number is a random value or a time-dependent serial number, and the one-time valid serial number is generated by the user terminal device and then transmitted to the authentication server, or generated by the authentication server and then transmitted to the user terminal device for generating the verification code, or generated by a web server and then transmitted to the authentication server or the user terminal device.

The network identity verification system of claim 1 or 2, wherein the authentication server comprises a login/registration module that receives a registration request sent by the user terminal device, thereby obtaining the user identification code, the cloud password and the first password, and stores them in the user database, and the login/registration module accepts a login request sent by the user terminal device so that the reply module receives the confirmation reply request sent by the user terminal device.
The network identity verification system of claim 1 or 2, wherein the authentication server generates a new first password to replace the first password corresponding to the user identification code in the user database and transmits it to the user terminal device to replace the original first password, or the user terminal device generates a new first password to replace its original first password and transmits it to the authentication server to replace the first password corresponding to the user identification code in the user database.

The network identity verification system of claim 1 or 2, wherein the cloud password is stored on the authentication server and the terminal password is stored on the user terminal device.

The network identity verification system of claim 1 or 2, wherein the first password and the second password are passwords generated on the user terminal device, and the third password is a password obtained on the user terminal device by one encryption calculation over the first password and the second password.

The network identity verification system of claim 1 or 2, wherein the terminal password and the first password are passwords generated on the user terminal device, and the verification code is a password obtained on the user terminal device by one encryption calculation over the terminal password and the first password.
如申請專利範圍第1項所述之網路身份驗證系統,其中該雲端密碼是該用戶終端裝置根據一第一加密演算法,運算該終端密碼與該第二密碼而獲得;該第三密碼是該用戶終端裝置根據一第二加密演算法,運算該第一密碼與該第二密碼而獲得;以及該驗證碼是該用戶終端裝置根據一第三加密演算法,運算該終端密碼、該第一密碼與該一次性有效序號而獲得。     According to the network identity verification system described in the first scope of the patent application, wherein the cloud password is obtained by the user terminal device calculating the terminal password and the second password according to a first encryption algorithm; the third password is The user terminal device calculates the first password and the second password according to a second encryption algorithm; and the verification code is the user terminal device calculates the terminal password, the first password, and the first password according to a third encryption algorithm. The password is obtained with the one-time valid serial number.     如申請專利範圍第2項所述之網路身份驗證系統,其中該登入/註冊模組發出一登入請求給該驗證伺服器,使該請求/回覆模組接收來自該驗證伺服器的身份確認請求,而發出該確認回覆請求給該驗證伺服器;或該登入/註冊模組發出一登入請求給一網站伺服器,使該請求/回覆模組接收來 自該網站伺服器的身份確認請求,而發出該確認回覆請求給該驗證伺服器。     The network identity verification system described in item 2 of the scope of patent application, wherein the login / registration module sends a login request to the verification server, so that the request / reply module receives an identity confirmation request from the verification server , And issue the confirmation reply request to the authentication server; or the login / registration module sends a login request to a web server, so that the request / reply module receives the identity confirmation request from the web server and sends The confirmation response request is sent to the authentication server.     一種網路身份驗證方法,使用於一驗證伺服器,該驗證伺服器經由一網路而與一用戶終端裝置通訊,該網路身份驗證方法包含:註冊一用戶識別碼,以及對應該用戶識別碼的一雲端密碼與一第一密碼於一用戶資料庫;以及回應該用戶終端裝置發出的一確認回覆請求,據以獲得一驗證結果,其中該確認回覆請求至少包含:該用戶識別碼、一第三密碼與一驗證碼;其中,獲得該驗證結果,包含以下的運算:根據一第二解密演算法,運算該第一密碼與該第三密碼而獲得一第二密碼;根據一第一解密演算法,運算該雲端密碼與該第二密碼而獲得一終端密碼;根據一第三加密演算法,運算該終端密碼、該第一密碼與一一次性有效序號而獲得一運算碼;以及比對該驗證碼與該運算碼,而獲得該驗證結果。     A network authentication method is used in an authentication server. 
The authentication server communicates with a user terminal device via a network. The network authentication method includes: registering a user identification code and corresponding to the user identification code. A cloud password and a first password in a user database; and responding to a confirmation response request from the user terminal device to obtain a verification result, wherein the confirmation response request includes at least: the user identification code, a first Three passwords and a verification code; obtaining the verification result includes the following operations: computing the first password and the third password to obtain a second password according to a second decryption algorithm; and obtaining a second password according to a first decryption algorithm Method, calculating the cloud password and the second password to obtain a terminal password; calculating the terminal password, the first password, and a one-time valid serial number to obtain an operation code according to a third encryption algorithm; and comparing The verification code and the operation code obtain the verification result.     一種網路身份驗證方法,使用於一用戶終端裝置,該用戶終端裝置經由一網路而與一驗證伺服器通訊,該網路身份驗證方法包含:生成一用戶識別碼、一終端密碼、一第一密碼與一第二密碼,並根據一第一加密演算法,運算該終端密碼與該第二密碼而獲得一雲端密碼;基於該用戶識別碼,將對應該用戶識別碼的該雲端密碼與該第一密 碼註冊到該驗證伺服器的一用戶資料庫;以及因應一身份確認請求,進行以下的運算:獲得一一次性有效序號;根據一第二加密演算法,運算該第一密碼與該第二密碼而獲得一第三密碼;根據一第三加密演算法,運算該終端密碼、該第一密碼與該一次性有效序號而獲得一驗證碼;以及發出一確認回覆請求,至少將該用戶識別碼、該第三密碼與該驗證碼發送給該驗證伺服器,致使該驗證伺服器發出一驗證結果。     A network authentication method is used for a user terminal device. The user terminal device communicates with an authentication server via a network. 
The network authentication method includes: generating a user identification code, a terminal password, a first A password and a second password, and calculate a terminal password and the second password to obtain a cloud password according to a first encryption algorithm; based on the user identification code, the cloud password corresponding to the user identification code and the cloud password The first password is registered in a user database of the authentication server; and in response to an identity confirmation request, the following operations are performed: obtaining a one-time valid serial number; and calculating the first password and the one according to a second encryption algorithm A third password is obtained from the second password; a verification code is obtained by computing the terminal password, the first password, and the one-time valid serial number according to a third encryption algorithm; and sending a confirmation reply request to at least the user The identification code, the third password and the verification code are sent to the verification server, so that the verification server sends a verification result.     如申請專利範圍第11或12項所述之網路身份驗證方法,其中該一次性有效序號為一隨機值或一與時間有關的序號,且該一次性有效序號由該用戶終端裝置生成後傳送給該驗證伺服器,或由該驗證伺服器生成後傳送給該用戶終端裝置,用以生成該驗證碼,或由一網站伺服器生成後傳送給該驗證伺服器或該用戶終端裝置。     The method for network identity verification according to item 11 or 12 of the scope of patent application, wherein the one-time valid serial number is a random value or a time-related serial number, and the one-time valid serial number is generated by the user terminal device and transmitted To the verification server, or generated by the verification server and transmitted to the user terminal device for generating the verification code, or generated by a web server and transmitted to the verification server or the user terminal device.     
如申請專利範圍第11或12項所述之網路身份驗證方法,進一步包含:該驗證伺服器接收該用戶終端裝置發出一註冊請求,而獲得該用戶識別碼、該雲端密碼與該第一密碼,並儲存於該用戶資料庫,且該驗證伺服器接受該用戶終端裝置發出一登入請求,而後接收該用戶終端裝置發出的該確認回覆請求。     The network identity verification method described in claim 11 or claim 12, further comprising: the verification server receives a registration request from the user terminal device, and obtains the user identification code, the cloud password, and the first password And stored in the user database, and the authentication server accepts a login request from the user terminal device, and then receives the confirmation reply request from the user terminal device.     如申請專利範圍第11或12項所述之網路身份驗證方法,進一步包含:該驗證伺服器生成一新的第一密碼,以取代該用戶資料庫中對應該用戶識別碼的該第一密碼,並傳送給該用戶終端裝置以取代原本的該第一密 碼,或該用戶終端裝置生成一新的第一密碼以取代原本的該第一密碼,並傳送給該驗證伺服器,以取代該用戶資料庫中對應該用戶識別碼的該第一密碼。     The method for network identity verification according to item 11 or 12 of the scope of patent application, further comprising: the verification server generates a new first password to replace the first password corresponding to the user identification code in the user database And send to the user terminal device to replace the original first password, or the user terminal device generates a new first password to replace the original first password, and sends to the authentication server to replace the user The first password corresponding to the user identification code in the database.     
如申請專利範圍第11或12項所述之網路身份驗證方法,其中該雲端密碼儲存於該驗證伺服器,而該終端密碼儲存於該用戶終端裝置;且該第一密碼與該第二密碼是在該用戶終端裝置生成之密碼,而該第三密碼是根據該第一密碼與該第二密碼在該用戶終端裝置經過一次加密演算之密碼;且該終端密碼與該第一密碼是在該用戶終端裝置生成之密碼,而該驗證碼是根據該終端密碼與該第一密碼在該用戶終端裝置經過一次加密演算之密碼。     The network identity verification method according to item 11 or 12 of the scope of patent application, wherein the cloud password is stored in the verification server, and the terminal password is stored in the user terminal device; and the first password and the second password Is a password generated on the user terminal device, and the third password is a password that undergoes an encryption calculation on the user terminal device according to the first password and the second password; and the terminal password and the first password are on the The password generated by the user terminal device, and the verification code is a password that undergoes an encryption calculation on the user terminal device according to the terminal password and the first password.     如申請專利範圍第11項所述之網路身份驗證方法,其中該雲端密碼是該用戶終端裝置根據一第一加密演算法,運算該終端密碼與該第二密碼而獲得;該第三密碼是該用戶終端裝置根據一第二加密演算法,運算該第一密碼與該第二密碼而獲得;以及該驗證碼是該用戶終端裝置根據一第三加密演算法,運算該終端密碼、該第一密碼與該一次性有效序號而獲得。     The network identity verification method according to item 11 of the scope of patent application, wherein the cloud password is obtained by the user terminal device calculating the terminal password and the second password according to a first encryption algorithm; the third password is The user terminal device calculates the first password and the second password according to a second encryption algorithm; and the verification code is the user terminal device calculates the terminal password, the first password, and the first password according to a third encryption algorithm. The password is obtained with the one-time valid serial number.     
如申請專利範圍第12項所述之網路身份驗證方法,進一步包含:該用戶終端裝置發出一登入請求給該驗證伺服器,以接收來自該驗證伺服器的身份確認請求,而發出該確認回覆請求給該驗證伺服器;或該用戶終端裝置發出一登入請求給一網站伺服器,以接收來自該網站伺服器的身份確認請求,而發出該確認回覆請求給該驗證伺服器。     The network identity verification method as described in claim 12 of the patent application scope, further comprising: the user terminal device sends a login request to the verification server to receive the identity confirmation request from the verification server, and sends the confirmation reply Request to the authentication server; or the user terminal device sends a login request to a web server to receive an identity confirmation request from the web server, and sends the confirmation reply request to the authentication server.     一種網路身份驗證方法,包含: 儲存一用戶識別碼,以及對應該用戶識別碼的一雲端密碼與一第一密碼於一用戶資料庫,其中該雲端密碼是根據一第一加密演算法,運算一終端密碼與一第二密碼而獲得;以及因應一確認回覆請求,以接收該用戶識別碼、一第三密碼與一一次性有效驗證碼,並進行以下步驟:根據一第二解密演算法,運算該第一密碼與該第三密碼而獲得該第二密碼;根據一第一解密演算法,運算該雲端密碼與該第二密碼而獲得該終端密碼;根據一第三加密演算法,運算該終端密碼、該第一密碼與一一次性有效序號而獲得一運算碼;以及比對該一次性有效驗證碼與該運算碼是否相同。     A network identity verification method includes: storing a user identification code, and a cloud password and a first password corresponding to the user identification code in a user database, wherein the cloud password is calculated according to a first encryption algorithm Obtain a terminal password and a second password; and respond to a confirmation response request to receive the user identification code, a third password, and a one-time valid verification code, and perform the following steps: according to a second decryption algorithm To calculate the first password and the third password to obtain the second password; to calculate the cloud password and the second password to obtain the terminal password according to a first decryption algorithm; to calculate the terminal password according to a third encryption algorithm The terminal password, the first password, and a one-time valid serial number are used to obtain an operation code; and whether the one-time valid verification code is the same as the 
operation code.     如申請專利範圍第19項所述之網路身份驗證方法,其中該第三密碼是根據一第二加密演算法,運算該第一密碼與該第二密碼而獲得;或該雲端密碼儲存於一驗證伺服器,而該終端密碼儲存於一用戶終端裝置;或該終端密碼、該第一密碼與該一次性有效序號是在該用戶終端裝置生成,而該一次性有效驗證碼是根據該終端密碼、該第一密碼與該一次性有效序號在該用戶終端裝置經過一次加密演算之一次性有效密碼;或該一次性有效序號由該用戶終端裝置或一網站伺服器生成傳給該驗證伺服器,或由該驗證伺服器生成傳給該戶終端裝置,用以生成該一次 性有效驗證碼。     The network identity verification method according to item 19 of the scope of patent application, wherein the third password is obtained by calculating the first password and the second password according to a second encryption algorithm; or the cloud password is stored in a An authentication server, and the terminal password is stored in a user terminal device; or the terminal password, the first password, and the one-time valid serial number are generated on the user terminal device, and the one-time valid authentication code is based on the terminal password A one-time valid password that the first password and the one-time valid serial number have undergone an encryption calculation in the user terminal device; or the one-time valid serial number is generated by the user terminal device or a web server and transmitted to the verification server, Or it is generated by the verification server and transmitted to the household terminal device for generating the one-time valid verification code.    
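The exchange defined by the server-side method (claims 11 and 19) and the terminal-side method (claim 12) above, carried through as an added worked example; this is not code from the patent or its assignee. The claims name no concrete algorithms, so the first and second encryption algorithms are modelled here (an assumption) as a 32-byte HMAC-SHA256 keystream with an authentication tag, using only the Python standard library so the example runs offline (a real deployment would use AES-GCM or another standard AEAD), and the third algorithm as HMAC-SHA256 over the one-time serial keyed by the terminal password and first password. The class and function names, the 32-byte secret size, the server issuing the serial (one of the options in claims 3 and 13) and tracking it so a reply can be accepted only once, and the first-password rotation of claims 5 and 15 are all additions for illustration.

```python
import hashlib
import hmac
import secrets

# Added illustration of the claimed scheme; not code from the patent. The
# patent names no concrete algorithms, so (assumption) the first and second
# encryption algorithms are a 32-byte keystream from HMAC-SHA256 plus a tag,
# and the third algorithm is HMAC-SHA256 over the one-time serial.

SECRET_LEN = 32  # assumption: every password in the demo is 32 random bytes


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption of one 32-byte secret under a 32-byte key."""
    if len(plaintext) != SECRET_LEN:
        raise ValueError("demo cipher only handles 32-byte values")
    iv = secrets.token_bytes(16)
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()[:16]
    return iv + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the tag does not verify."""
    iv, ct, tag = blob[:16], blob[16:16 + SECRET_LEN], blob[16 + SECRET_LEN:]
    expect = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch")
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def third_algorithm(terminal_pw: bytes, first_pw: bytes, serial: bytes) -> bytes:
    """One-way code over (terminal password, first password, one-time serial)."""
    return hmac.new(terminal_pw + first_pw, serial, hashlib.sha256).digest()


class UserTerminal:
    """Claim 12 side: generates all four values, keeps the terminal password."""

    def __init__(self) -> None:
        self.user_id = "user-" + secrets.token_hex(4)
        self.terminal_pw = secrets.token_bytes(SECRET_LEN)
        self.first_pw = secrets.token_bytes(SECRET_LEN)
        self.second_pw = secrets.token_bytes(SECRET_LEN)

    def registration_request(self) -> dict:
        # first encryption algorithm: cloud_pw = E1(terminal_pw, second_pw)
        cloud_pw = seal(self.second_pw, self.terminal_pw)
        return {"user_id": self.user_id, "cloud_pw": cloud_pw, "first_pw": self.first_pw}

    def confirmation_reply(self, serial: bytes) -> dict:
        # second encryption algorithm: third_pw = E2(first_pw, second_pw)
        third_pw = seal(self.first_pw, self.second_pw)
        code = third_algorithm(self.terminal_pw, self.first_pw, serial)
        return {"user_id": self.user_id, "third_pw": third_pw, "code": code, "serial": serial}


class VerificationServer:
    """Claim 11/19 side: the user database holds only (cloud_pw, first_pw)."""

    def __init__(self) -> None:
        self.users = {}             # user_id -> (cloud_pw, first_pw)
        self.pending_serials = set()  # issued one-time serials not yet consumed

    def register(self, req: dict) -> None:
        self.users[req["user_id"]] = (req["cloud_pw"], req["first_pw"])

    def issue_serial(self) -> bytes:
        serial = secrets.token_bytes(16)  # claim 3: a random one-time serial
        self.pending_serials.add(serial)
        return serial

    def verify(self, reply: dict) -> bool:
        record = self.users.get(reply["user_id"])
        if record is None or reply["serial"] not in self.pending_serials:
            return False  # unknown user, or serial never issued / already used
        self.pending_serials.discard(reply["serial"])
        cloud_pw, first_pw = record
        try:
            second_pw = unseal(first_pw, reply["third_pw"])  # second decryption
            terminal_pw = unseal(second_pw, cloud_pw)        # first decryption
        except ValueError:
            return False
        expected = third_algorithm(terminal_pw, first_pw, reply["serial"])
        return hmac.compare_digest(expected, reply["code"])

    def rotate_first_password(self, user_id: str) -> bytes:
        """Claim 5/15: server-side replacement of the first password."""
        cloud_pw, _ = self.users[user_id]
        new_first = secrets.token_bytes(SECRET_LEN)
        self.users[user_id] = (cloud_pw, new_first)
        return new_first  # sent to the terminal to replace its copy


def run_login(terminal: UserTerminal, server: VerificationServer) -> bool:
    """One complete identity confirmation round trip."""
    serial = server.issue_serial()
    return server.verify(terminal.confirmation_reply(serial))


if __name__ == "__main__":
    t, s = UserTerminal(), VerificationServer()
    s.register(t.registration_request())
    print("login:", run_login(t, s))
    t.first_pw = s.rotate_first_password(t.user_id)
    print("login after rotation:", run_login(t, s))
```

Two properties of the scheme are visible in the code. Because the cloud password depends only on the terminal password and the second password, rotating the first password needs no re-registration. On the other hand, the server recovers the terminal password in the clear during every verification, and a leaked user database (cloud password plus first password) combined with a single captured confirmation reply (third password) yields the second password and then the terminal password, after which verification codes for any future serial can be forged. The per-login freshness therefore comes entirely from the one-time serial, which is why the server above refuses a serial it did not issue or has already consumed, and why the comparison of the verification code against the operation code uses a constant-time compare.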

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW106133931A TWI675579B (en) 2017-09-30 2017-09-30 Network authentication system and method
CN201811128588.3A CN109600354A (en) 2017-09-30 2018-09-27 Network identity validation System and method for

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106133931A TWI675579B (en) 2017-09-30 2017-09-30 Network authentication system and method

Publications (2)

Publication Number Publication Date
TW201916631A TW201916631A (en) 2019-04-16
TWI675579B true TWI675579B (en) 2019-10-21

Family

ID=65957082

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106133931A TWI675579B (en) 2017-09-30 2017-09-30 Network authentication system and method

Country Status (2)

Country Link
CN (1) CN109600354A (en)
TW (1) TWI675579B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933673B (en) * 2019-10-12 2023-10-24 国网浙江省电力有限公司信息通信分公司 Access authentication method of IMS network
CN113472728B (en) * 2020-03-31 2022-05-27 阿里巴巴集团控股有限公司 Communication method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201034423A (en) * 2009-03-10 2010-09-16 Univ Chang Gung User authentication technology and system using one-time password composed of a repeatable first password and a non-repeatable password
TWI390937B (en) * 2004-10-28 2013-03-21 Ibm Method, system, and storage medium for eliminating password exposure when requesting third party attribute certificates
TW201351313A (en) * 2012-04-17 2013-12-16 Taiwan Dev & Construction Co Method of authenticating an electronic tag for a RFID tag item processing system and device and system thereof
TW201601083A (en) * 2014-06-24 2016-01-01 Beijing Anxunben Science & Technology Co Ltd One-time password generation method and device, authentication method and authentication system
TWM540310U (en) * 2016-08-17 2017-04-21 兆豐國際商業銀行股份有限公司 System for encryption and authentication

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101192926B (en) * 2006-11-28 2011-03-30 北京握奇数据系统有限公司 Account protection method and system
CN101123495A (en) * 2007-09-07 2008-02-13 农革 A data encryption, decryption system and method
CN101202631A (en) * 2007-12-21 2008-06-18 任少华 System and method for identification authentication based on cipher key and timestamp
CN102457491B (en) * 2010-10-20 2015-04-08 北京大学 Dynamic identity authenticating method and system
CN102195983B (en) * 2011-05-12 2015-08-19 深圳Tcl新技术有限公司 network terminal encryption authentication method and server
CN103974248B (en) * 2013-01-24 2018-10-12 中国移动通信集团公司 Terminal security guard method in ability open system, apparatus and system
US20140281564A1 (en) * 2013-03-13 2014-09-18 Kabushiki Kaisha Toshiba Method of authenticating access to memory device
JP2016532936A (en) * 2013-07-05 2016-10-20 リン,チュン−ユ Network identification authentication using communication device identification code
CN105553926A (en) * 2015-06-30 2016-05-04 宇龙计算机通信科技(深圳)有限公司 Authentication method, server, and terminal

Also Published As

Publication number Publication date
TW201916631A (en) 2019-04-16
CN109600354A (en) 2019-04-09
