TWI698823B - System for verifying user identity when processing digital signature and method thereof - Google Patents

Info

Publication number
TWI698823B
Authority
TW
Taiwan
Prior art keywords
user
identity
password
private key
module
Prior art date
Application number
TW107140100A
Other languages
Chinese (zh)
Other versions
TW202018626A (en
Inventor
蔡家宏
林志能
連子清
Original Assignee
臺灣網路認證股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 臺灣網路認證股份有限公司 filed Critical 臺灣網路認證股份有限公司
Priority to TW107140100A priority Critical patent/TWI698823B/en
Publication of TW202018626A publication Critical patent/TW202018626A/en
Application granted granted Critical
Publication of TWI698823B publication Critical patent/TWI698823B/en

Landscapes

  • Storage Device Security (AREA)

Abstract

A system and a method for verifying user identity when creating a digital signature are provided. When the private key corresponding to a certificate that has no password is determined to be encrypted with a default password, the user's identity is verified, and the private key is decrypted with the default password if the identity is approved. The system and method can thereby confirm the user's identity when a certificate without a password is used for a digital signature, and the user does not need to remember a certificate password.

Description

System and method for verifying user identity when signing

A signing system and method, and in particular a system and method for verifying a user's identity at signing time.

A digital signature is a technique that uses a key to encrypt data. More precisely, a digital signature is the data produced by operating on data with a key, using a mathematical algorithm or other means; it is not a handwritten signature scanned into a digital image, nor a signature entered on a touchpad. A digital signature scheme usually defines two complementary operations, one for signing and one for verification. The integrity of digitally signed data is easy to verify, and digitally signed data has the property of non-repudiation, so a digital signature can identify and confirm the identity of the signer of an electronic document and the authenticity of the document.

Because digital signatures provide non-repudiation, they are often used in online transactions. An online transaction that uses a digital signature has two security measures during the transaction: verification of the user account and confirmation of the certificate password. In general, the device that stores a digital certificate also stores the private key corresponding to the public key contained in the certificate, and the device stores that private key encrypted with the certificate password of the corresponding digital certificate. When a digital signature operation is required, the user must enter the certificate password of the corresponding digital certificate before the device can decrypt the private key and sign with the decrypted private key.

In some cases, however, the user has not set a certificate password for the digital certificate. For example, the user considers that a procedure for verifying the user account already exists and therefore sees no need to set an additional certificate password, so as to avoid forgetting it. In this case the digital certificate is usually encrypted with a default password by the device that stores it, and when a digital signature is made, the device also decrypts the digital certificate directly with the default password. In other words, once the user's account password is obtained by someone else, that person can impersonate the user and complete online transactions.

In summary, the prior art has long had the problem that, when the user has not set a certificate password for a certificate, the private key corresponding to the certificate is used directly for digital signing. An improved technical means is therefore needed to solve this problem.

In view of the prior-art problem that the private key corresponding to a certificate is used directly for digital signing when the user has not set a certificate password, the present invention discloses a system and method for verifying user identity when signing, in which:

The system disclosed by the present invention for verifying user identity when signing comprises at least: a certificate selection module for providing selection of a target certificate; a key access module for determining whether the private key corresponding to the target certificate is encrypted with a designated password or with a default password; an input module for providing input of the designated password when the private key is encrypted with the designated password; an identity verification module for verifying the user's identity when the private key is encrypted with the default password; a decryption module for decrypting the private key with the designated password, and for decrypting the private key with the default password when the user's identity passes verification; and a signing module for signing with the private key.

The method disclosed by the present invention for verifying user identity when signing comprises at least the following steps: providing selection of a target certificate; when the private key corresponding to the target certificate is determined to be encrypted with a designated password, providing input of the designated password, decrypting the private key with the designated password, and then signing with the private key; and when the private key is determined to be encrypted with a default password, verifying the user's identity and, when the user's identity passes verification, decrypting the private key with the default password and signing with the private key.

The system and method disclosed by the present invention are as described above. They differ from the prior art in that, when the private key corresponding to the selected target certificate is determined to be encrypted with a default password, the present invention verifies the user's identity and decrypts the private key with the default password when the user's identity passes verification. This solves the problem of the prior art and achieves the technical effect that the user only needs to remember the phone's unlock password and does not need to remember a separate certificate password.

The features and implementation of the present invention are described in detail below with reference to the drawings and embodiments, in sufficient detail that anyone skilled in the relevant art can readily understand the technical means the invention applies to solve the technical problem and implement it accordingly, thereby achieving the effects the invention can achieve.

When an application executed by a computing device signs with the private key corresponding to the selected target certificate, the present invention can force the user to perform an input action to confirm that the user permits the signing operation.

The computing device referred to in the present invention includes, but is not limited to, components such as one or more processors, one or more memory modules, and a bus connecting the different components (including the memory modules and the processors). For example, the computing device may be a mobile phone, a tablet, a navigation device, a multimedia player, an e-book reader, an electronic dictionary, a handheld game console, and so on. Through these components, the computing device can load and execute an operating system that includes the application 100, so that the operating system runs on the computing device.

The bus of the computing device may be of one or more types, for example a data bus, an address bus, a control bus, an expansion bus, and/or a local bus. The buses of the computing device include, but are not limited to, the parallel Industry Standard Architecture (ISA) bus, Peripheral Component Interconnect (PCI) bus, and Video Electronics Standards Association (VESA) local bus, and the serial Universal Serial Bus (USB) and PCI Express (PCI-E) bus.

The processor of the computing device is coupled to the bus. The processor includes a register set or register space, which may be located entirely on the processing chip that serves as the processor, or wholly or partly outside the processing chip and coupled to the processor through dedicated electrical connections and/or through the bus. The processor may be a processing unit, a microprocessor, or any suitable processing element. If the computing device is a multiprocessor device, that is, it contains multiple processors, the processors it contains are all the same or similar and are coupled and communicate through the bus.

The processor of the computing device may be coupled to a chipset or electrically connected to the chipset through the bus. The chipset consists of one or more integrated circuits (ICs) and includes a memory controller and a peripheral input/output (I/O) controller; that is, the memory controller and the peripheral I/O controller may be contained in a single integrated circuit or implemented with two or more integrated circuits. The chipset usually provides I/O and memory management functions as well as a number of general-purpose and/or special-purpose registers, timers, and the like, which can be accessed or used by the one or more processors coupled or electrically connected to the chipset.

The processor of the computing device can also access, through the memory controller, data in the memory modules and mass storage installed on the computing device. The memory modules include any type of volatile memory and/or non-volatile memory (NVRAM), such as static random access memory (SRAM), dynamic random access memory (DRAM), flash memory, and read-only memory (ROM). The mass storage may include any type of storage device or storage medium, such as a hard disk drive, an optical disc, a tape drive, a flash drive (flash memory), a solid state disk (SSD), or any other storage device. In other words, the memory controller can access data in static random access memory, dynamic random access memory, flash memory, hard disk drives, and solid state disks.

The processor of the computing device can also communicate, through the peripheral I/O controller and over the peripheral I/O bus, with peripheral devices or interfaces such as peripheral output devices, peripheral input devices, communication interfaces, and a GPS receiver. A peripheral input device may be any type of input device, such as a keyboard, mouse, trackball, touchpad, or joystick; a peripheral output device may be any type of output device, such as a display or printer; and the peripheral input device and peripheral output device may also be the same device, such as a touch screen. The communication interface may include a wireless communication interface and/or a wired communication interface. The wireless communication interface may include an interface supporting wireless local area networks such as Wi-Fi and Zigbee, Bluetooth, infrared, near field communication (NFC), mobile networks such as 3G/4G/5G, or other wireless data transmission protocols. The wired communication interface may be an Ethernet device, an asynchronous transfer mode (ATM) device, a DSL modem, a cable modem, and so on. The processor can periodically poll the various peripheral devices and interfaces, so that the computing device can input and output data and can also communicate with another computing device that has the components described above.

The operation of the system is first described below with reference to Figure 1, the architecture diagram of the system for verifying user identity when signing. As shown in Figure 1, the system of the present invention includes a certificate selection module 110, a key access module 120, an input module 130, an identity verification module 150, a decryption module 170, and a signing module 180, as well as an optional unit judgment module 160. In some embodiments, these modules may be created after the computing device 10 executes the application 100, but the present invention is not limited to this.

The certificate selection module 110 is responsible for providing selection of the target certificate. In general, the application 100 includes a database (not shown in the figure) that stores one or more certificates and the private key corresponding to each certificate. The certificate selection module 110 can list the certificates stored in the database through a peripheral output device and let one of the listed certificates be selected through the input module 130; the selected certificate is the target certificate. The way the certificate selection module 110 provides selection of the target certificate is not limited to the above.

The key access module 120 is responsible for determining whether the private key corresponding to the target certificate selected through the certificate selection module 110 is encrypted with a designated password or with a default password. For example, the key access module 120 can determine how the private key corresponding to the selected target certificate is encrypted from the data recorded in the database for that certificate, but the present invention is not limited to this.

The designated password is a password set by the user, usually the password set when applying for the certificate, or a password the user has changed on the issued certificate, but the present invention is not limited to this. The default password is the password the application 100 uses to encrypt the private key corresponding to a certificate that is not encrypted with a designated password; it is usually device identification data such as the device identifier of the device running the application 100, but the default password is not limited to the above either.

The input module 130 is responsible for providing input of the designated password when the key access module 120 determines that the private key corresponding to the target certificate selected through the certificate selection module 110 is encrypted with a designated password. The input module 130 can call an input application programming interface (API) provided by the operating system running the application 100 to provide input of the designated password, or it can display specific keys through a peripheral output device and accept the designated password through a peripheral input device; the present invention places no particular restriction on this.

The input module 130 can also provide input of a biometric through a peripheral input device, for example by taking a fingerprint or capturing an image containing a face, but the biometrics referred to in the present invention are not limited to these. The input module 130 can also provide input of the screen unlock password of the computing device 10 through a peripheral input device.

The identity verification module 150 is responsible for verifying the user's identity when the key access module 120 determines that the private key corresponding to the target certificate selected through the certificate selection module 110 is encrypted with the default password. In some embodiments, the identity verification module 150 can verify the user's identity with a biometric provided through the input module 130. For example, the identity verification module 150 can call the biometric capture API provided by the operating system running the application 100 to capture a biometric, and apply biometric recognition to the captured biometric to verify the user's identity.

In other embodiments, the identity verification module 150 can also verify the user's identity with the screen unlock password. For example, the identity verification module 150 can require the screen unlock password to be entered through the input module 130 and have the operating system running the application 100 confirm whether the entered screen unlock password is correct, thereby verifying the user's identity. The identity verification module 150 can also call the screen unlock API to provide input of the screen unlock password and let the screen unlock API determine whether the entered password is correct. The identity verification module 150 can also turn off the screen and wait for the user to turn the screen on, complete the screen unlock, and return to the application 100, thereby confirming the user's identity. The way the identity verification module 150 verifies the user's identity is not limited to the above.

In addition, when it is configured to verify the user's identity with the screen unlock password, the identity verification module 150 can determine whether a screen unlock password has been set. If no screen unlock password has been set, the identity verification module 150 can display a prompt requiring one to be set first. In other words, if the identity verification module 150 is going to verify the user's identity with the screen unlock password, it first confirms that a screen unlock password has been set.

The unit judgment module 160 can determine whether the issuing unit of the target certificate selected through the certificate selection module 110 is the same as the signature calling unit. For example, the unit judgment module 160 can read the issuing unit information of the target certificate's issuing unit from the selected target certificate and compare it with the calling unit information of the signature calling unit, thereby determining whether the issuing unit of the selected target certificate and the signature calling unit are the same. The issuing unit information may be the identifier or name of the issuing unit; similarly, the calling unit information may be the identifier or name of the signature calling unit. The way the unit judgment module 160 determines whether the issuing unit of the selected target certificate is the same as the signature calling unit is not limited to the above.

The signature calling unit is the provider of the object, such as a program or web page, that requests the signature. For example, if the object requesting the signature is another application running on the same device as the application 100, the signature calling unit is the person, company, group, or organization that provides that other application. Similarly, if the object requesting the signature is a web page opened by the embedded browser of the application 100, the signature calling unit is the owner, company, group, or organization of the website containing the web page opened by the application 100.

The decryption module 170 is responsible for decrypting the private key corresponding to the selected target certificate with the designated password entered through the input module 130 when the key access module 120 determines that the private key corresponding to the target certificate selected through the certificate selection module 110 is encrypted with a designated password. The decryption module 170 is also responsible for decrypting the private key corresponding to the selected target certificate with the default password when the key access module 120 determines that the private key is encrypted with the default password and the user's identity passes verification by the identity verification module 150.

The decryption module 170 can also decrypt the selected private key directly with the default password when the unit judgment module 160 determines that the issuing unit of the target certificate selected through the certificate selection module 110 is the same as the signature calling unit. That is, in some embodiments, when the key access module 120 determines that the private key corresponding to the selected target certificate is encrypted with the default password and the unit judgment module 160 determines that the issuing unit of the selected target certificate is the same as the signature calling unit, the decryption module 170 can decrypt the private key corresponding to the selected target certificate with the default password. When the key access module 120 determines that the private key is encrypted with the default password, the unit judgment module 160 determines that the issuing unit of the selected target certificate differs from the signature calling unit, and the user's identity passes verification by the identity verification module 150, the decryption module 170 can likewise decrypt the private key corresponding to the selected target certificate with the default password.

The signing module 180 is responsible for signing the data provided by the signature calling unit with the private key decrypted by the decryption module 170.

The operation of the system and method of the present invention is next explained with a first embodiment; refer to Figure 2A, the flowchart of the method for verifying user identity when signing.

In this embodiment, assume that the user runs a securities ordering application provided by a securities company on the computing device 10 and places an order in it. If the securities ordering application needs to perform a signing operation, it can call the application 100; in this case the signature calling unit is the securities company that provides the securities ordering application. This embodiment is not limited to this; for example, the user can also use the embedded browser of the application 100 to open an ordering web page provided by the securities company and place the order there.

After the user operates the securities ordering application so that it calls the application 100, the certificate selection module 110 can provide selection of the target certificate (step 210). In this embodiment, assume that the certificate selection module 110 displays a list of all certificates recorded in the database of the application 100, from which the user selects the target certificate.

After the certificate selection module 110 provides selection of the target certificate (step 210), the key access module 120 can determine whether the private key corresponding to the selected target certificate is encrypted with a designated password (step 222).

If the key access module 120 determines that the private key corresponding to the selected target certificate is encrypted with a designated password, the input module 130 can provide input of the designated password (step 230). In this embodiment, assume that the input module 130 displays an input interface for the designated password so that the user can enter it.

After the user enters the designated password through the input module 130, the decryption module 170 can use the entered designated password to decrypt the private key corresponding to the target certificate selected through the certificate selection module 110 of the application 100 (step 240), and the signing module 180 can sign with the private key decrypted by the decryption module 170 (step 250). In this embodiment, the signing module 180 uses the decrypted private key to sign the order data that the user entered in the securities ordering application that called the application 100.

If the key access module 120 determines that the private key corresponding to the selected target certificate is not encrypted with a designated password, which usually means that it is encrypted with the default password, the identity verification module 150 can verify the user's identity through the operating system running the application 100 and determine whether the user's identity passes verification (step 280). In this embodiment, assume that when the application 100 is run for the first time after installation, the identity verification module 150 reads the system information of the operating system running the application 100 (that is, the operating system running on the computing device 10) to determine whether that operating system is a version that can identify the user by biometrics. If it is, the user is offered the choice of verifying identity with a biometric or with the screen lock password.

If the user chooses biometric verification, then whenever the user's identity needs to be verified, the identity verification module 150 can call the biometric recognition API provided by the operating system running the application 100. That API lets the user present a biometric such as a fingerprint or face and recognizes it, and the identity verification module 150 determines from the API's recognition result whether the user's identity passes verification. If the user chooses not to use biometric verification, or the identity verification module 150 determines that the operating system running the application 100 is not a version that can identify the user by biometrics, then whenever the user's identity needs to be verified, the identity verification module 150 can call the screen unlock API provided by the operating system running the application 100. That API lets the user enter the screen unlock password and determines whether the entered password is correct, and the identity verification module 150 determines from that result whether the user's identity passes verification.

If the identity verification module 150 determines that the user's identity does not pass verification (step 280), it can terminate the application 100, so that the application 100 refuses the signing operation requested by the securities order application that called it. If the identity verification module 150 determines that the user's identity passes verification (step 280), the decryption module 170 can use the default password to decrypt the private key corresponding to the target certificate selected through the certificate selection module 110 (step 290), and the signing module 180 can sign using the private key decrypted by the decryption module 170 (step 250). In this embodiment, the signing module 180 uses the decrypted private key to sign the order data that the user entered in the securities order application that called the application 100.

The operation of the system and method of the present invention is further explained with a second embodiment; again refer to "Figure 2A". In this embodiment, assume that the user uses the embedded browser of the application 100 executed by the computing device 10 to open a tax filing web page and file taxes. During tax filing, when a signing operation is needed, the JavaScript in the tax filing web page can call the application 100; in this case the signature calling unit is the National Taxation Bureau, which provides the tax filing web page. This embodiment is not limited to this, however; for example, the user can also file taxes using tax filing software.

After the user operates the tax filing web page so that the JavaScript in the page calls the application 100, the certificate selection module 110 can provide selection of a target certificate (step 210). In this embodiment, assume that the certificate selection module 110 displays a list of all certificates recorded in the database of the application 100, so that the user can select the target certificate from the list.

After the certificate selection module 110 provides selection of the target certificate (step 210), the key access module 120 can determine whether the private key corresponding to the selected target certificate is encrypted with the designated password (step 222).

If the key access module 120 determines that the private key corresponding to the selected target certificate is encrypted with the designated password, the input module 130 can provide input of the designated password (step 230). In this embodiment, assume that the input module 130 displays an input interface for the designated password, so that the user can enter it.

After the user enters the designated password through the input module 130, the decryption module 170 can use that password to decrypt the private key corresponding to the target certificate selected through the certificate selection module 110 of the application 100 (step 240), and the signing module 180 can sign using the private key decrypted by the decryption module 170 (step 250). In this embodiment, the signing module 180 uses the decrypted private key to sign the tax filing order data that the user entered in the tax filing web page that called the application 100.

If, however, the key access module 120 determines that the private key corresponding to the selected target certificate is not encrypted with the designated password, which usually means that the private key is encrypted with the default password, the identity verification module 150 can verify the user's identity and determine whether the user's identity passes verification (step 280). In this embodiment, assume that the identity verification module 150 reads the system information of the operating system running the application 100 (that is, the operating system running on the computing device 10) to determine whether that operating system is a version on which the screen unlock application programming interface (API) can be called. If so, the identity verification module 150 can call the screen unlock API provided by the operating system, which lets the user enter the screen unlock password and determines whether the entered password is correct; the identity verification module 150 decides from that result whether the user's identity passes verification. If the operating system is a version on which the screen unlock API cannot be called, the identity verification module 150 can prompt the user to grant the application 100 administrator privileges. If the user does not agree to grant them, the identity verification module 150 can terminate the application 100, so that the application 100 refuses the signing operation requested by the tax filing web page that called it. If the user agrees, the identity verification module 150 can turn off the screen and determine whether the user, within a predetermined time, turns the screen on, completes the screen unlock and returns to the application 100, and from this decides whether the user's identity passes verification.

If the identity verification module 150 determines that the user's identity does not pass verification, that is, the screen unlock API determines that the user has entered a wrong screen unlock password a predetermined number of times, or the user does not turn the screen on and complete the screen unlock to return to the application 100 within the predetermined time, the identity verification module 150 can terminate the application 100, so that the application 100 refuses the signing operation requested by the securities order application that called it. If the identity verification module 150 determines that the user's identity passes verification, that is, the screen unlock API determines that the screen unlock password entered by the user is correct, or the user turns the screen on, completes the screen unlock and returns to the application 100 within the predetermined time, the decryption module 170 can use the default password to decrypt the private key corresponding to the target certificate selected through the certificate selection module 110 (step 290), and the signing module 180 can sign using the private key decrypted by the decryption module 170 (step 250). In this embodiment, the signing module 180 uses the decrypted private key to sign the tax filing order data that the user entered in the tax filing web page that called the application 100.

In this way, when the application 100 performs a signing operation, the present invention can require the user to enter the designated password, present a biometric, or enter the screen unlock password, so that the application 100 can confirm that the user permits the signing operation.

In the two embodiments above, after the key access module 120 determines that the private key corresponding to the selected target certificate is not encrypted with the designated password (step 222), it can further determine whether that private key is encrypted with the default password (step 226).

In addition, in the two embodiments above, if the application 100 also includes the unit determination module 160, then, as shown in the flow of "Figure 2B", when the key access module 120 determines that the private key corresponding to the selected target certificate is encrypted with the default password, or determines that it is not encrypted with the designated password, the unit determination module 160 can first determine whether the issuing unit of the target certificate is the same as the signature calling unit (step 260). If the two differ, then, as described above, the identity verification module 150 can verify the user's identity and determine whether it passes verification (step 280), and the decryption module 170 can use the default password to decrypt the private key corresponding to the selected target certificate when the identity verification module 150 determines that the user's identity passes verification (step 290). If the unit determination module 160 determines that the issuing unit of the target certificate is the same as the signature calling unit, the decryption module 170 can directly use the default password to decrypt the private key corresponding to the selected target certificate (step 290). Under this condition the identity verification module 150 need not run; that is, it need not determine whether the user's identity passes verification.
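The decision flow of Figures 2A and 2B can be sketched as follows. This is an added example, not code from the patent: the key wrap (PBKDF2 keystream plus HMAC tag), the HMAC that stands in for the private-key signature, the tag check used to recognize a default-password key, the refusal on a wrong designated password, and all names and sample values are assumptions chosen so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

DEFAULT_PASSWORD = b"constructed-default-password"  # constructed placeholder
ITERATIONS = 20_000


@dataclass
class WrappedKey:
    issuer: str        # issuing unit of the target certificate
    salt: bytes
    ciphertext: bytes
    tag: bytes


def _derive(password: bytes, salt: bytes, length: int) -> Tuple[bytes, bytes]:
    """Derive a one-time keystream and a MAC key from the password."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS,
                              dklen=length + 32)
    return out[:length], out[length:]


def wrap(private_key: bytes, password: bytes, issuer: str) -> WrappedKey:
    """Toy password-based key wrap (assumption; the patent names no cipher)."""
    salt = os.urandom(16)
    stream, mac_key = _derive(password, salt, len(private_key))
    ciphertext = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return WrappedKey(issuer, salt, ciphertext, tag)


def unwrap(entry: WrappedKey, password: bytes) -> Optional[bytes]:
    """Return the private key, or None when the password does not match."""
    stream, mac_key = _derive(password, entry.salt, len(entry.ciphertext))
    expected = hmac.new(mac_key, entry.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, entry.tag):
        return None
    return bytes(a ^ b for a, b in zip(entry.ciphertext, stream))


def is_default_encrypted(entry: WrappedKey) -> bool:
    """Step 226, assumed here to be a tag check with the default password."""
    return unwrap(entry, DEFAULT_PASSWORD) is not None


def sign_with_key(private_key: bytes, data: bytes) -> bytes:
    """Step 250. HMAC-SHA256 stands in for the private-key signature."""
    return hmac.new(private_key, data, hashlib.sha256).digest()


def sign_request(entry: WrappedKey, data: bytes, caller: str,
                 ask_password: Callable[[], bytes],
                 verify_identity: Callable[[], bool],
                 unit_check: bool = True) -> Tuple[str, Optional[bytes]]:
    """Return (decision, signature); signature is None when refused."""
    if not is_default_encrypted(entry):
        # Steps 230/240: the user supplies the designated password.
        key = unwrap(entry, ask_password())
        if key is None:
            return ("refused", None)  # assumed handling of a wrong password
        return ("designated-password", sign_with_key(key, data))
    if unit_check and entry.issuer == caller:
        # Step 260: issuer equals caller, so step 280 is skipped.
        decision = "issuer-match"
    elif verify_identity():
        # Step 280: biometric or screen unlock result from the OS.
        decision = "identity-verified"
    else:
        return ("refused", None)
    # Step 290: the default password is applied only after the gate above.
    # The application itself holds this password, so the gate is what
    # prevents a signature the user did not approve.
    key = unwrap(entry, DEFAULT_PASSWORD)
    return (decision, sign_with_key(key, data))


if __name__ == "__main__":
    sample_key = os.urandom(32)               # constructed private key
    entry = wrap(sample_key, DEFAULT_PASSWORD, "Issuer A")
    for caller, verified in (("Issuer A", False), ("Issuer B", True),
                             ("Issuer B", False)):
        decision, sig = sign_request(entry, b"constructed order data", caller,
                                     lambda: b"", lambda v=verified: v)
        print(caller, verified, decision, sig is not None)
```

Passing `unit_check=False` models an application without the unit determination module 160, in which case every default-password key goes through the identity check.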

Furthermore, in the two embodiments above, when the identity verification module 150 determines whether the user's identity passes verification (step 280) by calling the screen unlock API of the operating system running the application 100 (that is, provided by the operating system running on the computing device 10), then before making that determination the identity verification module 150 can, as shown in the flow of "Figure 2C", first determine whether a screen lock password has been set (step 202); if not, it can prompt the user to set a screen unlock password (step 206). For example, the identity verification module 150 can determine whether a screen lock password has been set (step 202) when the application 100 is executed for the first time after installation, but the present invention is not limited to this.

In summary, the difference between the present invention and the prior art is the technical means of first verifying the user's identity when the private key corresponding to the selected target certificate is determined to be encrypted with the default password, and using the default password to decrypt the private key only when the user's identity passes verification. This technical means solves the prior-art problem that, when the user has not set a certificate password, the private key corresponding to the certificate is used directly for digital signing, and achieves the technical effect that the user only needs to remember the phone unlock password and does not need to remember a separate certificate password.

Furthermore, the method of the present invention for verifying user identity when signing can be implemented in hardware, software, or a combination of hardware and software, and can be implemented in a centralized manner in one computer system or in a distributed manner with different components spread across several interconnected computer systems.

Although the embodiments of the present invention are disclosed as above, the content described is not intended to directly limit the scope of patent protection of the present invention. Minor changes and refinements in the form and details of implementation made by anyone with ordinary knowledge in the technical field to which the present invention belongs, without departing from the spirit and scope disclosed by the present invention, fall within the scope of patent protection of the present invention. The scope of patent protection of the present invention is still defined by the appended claims.

10 computing device
100 application
110 certificate selection module
120 key access module
130 input module
150 identity verification module
160 unit determination module
170 decryption module
180 signing module
Step 202: determine whether a screen lock password has been set
Step 206: require setting a screen unlock password
Step 210: provide selection of a target certificate
Step 222: determine whether the private key corresponding to the target certificate is encrypted with the designated password
Step 226: determine whether the private key corresponding to the target certificate is encrypted with the default password
Step 230: provide input of the designated password
Step 240: decrypt the private key using the designated password
Step 250: sign using the private key
Step 260: determine whether the issuing unit of the target certificate is the same as the signature calling unit
Step 280: determine whether the user's identity passes verification
Step 290: decrypt the private key using the default password

Figure 1 is a system architecture diagram of the present invention for verifying user identity when signing.
Figure 2A is a flowchart of the method of the present invention for verifying user identity when signing.
Figure 2B is a flowchart of the additional method of the present invention for verifying user identity when signing.
Figure 2C is a flowchart of the method of the present invention for requiring a screen unlock password to be set.

Claims (10)

1. A method for verifying user identity when signing, applied to an application, the method comprising at least the following steps: providing selection of a target certificate; determining whether a private key corresponding to the target certificate is encrypted with a designated password or with a default password; when the private key is encrypted with the designated password, providing input of the designated password, decrypting the private key using the designated password, and then signing using the private key; and when the private key is encrypted with the default password, verifying a user identity, and when the user identity passes verification, decrypting the private key using the default password and signing using the private key.

2. The method for verifying user identity when signing as described in claim 1, wherein, after the step of determining that the private key is encrypted with the default password, the method further comprises the step of decrypting the private key using the default password and signing using the private key when the issuing unit of the target certificate is determined to be the same as a signature calling unit.

3. The method for verifying user identity when signing as described in claim 1, wherein the step of verifying the user identity is capturing a biometric so as to verify the user identity using biometric recognition technology.

4. The method for verifying user identity when signing as described in claim 1, wherein the step of verifying the user identity is requiring input of a screen unlock password to verify the user identity.

5. The method for verifying user identity when signing as described in claim 4, wherein, before the step of providing the participating unit with selection of the target certificate, the method further comprises the step of requiring a screen unlock password to be set when it is determined that no screen unlock password has been set.

6. A system for verifying user identity when signing, applied in an application, the system comprising at least: a certificate selection module for providing selection of a target certificate; a key access module for determining whether a private key corresponding to the target certificate is encrypted with a designated password or with a default password; an input module for providing input of the designated password when the private key is encrypted with the designated password; an identity verification module for verifying a user identity when the private key is encrypted with a default password; a decryption module for decrypting the private key using the designated password, and for decrypting the private key using the default password when the user identity passes verification; and a signing module for signing using the private key.

7. The system for verifying user identity when signing as described in claim 6, wherein the system further comprises a unit determination module for determining whether the issuing unit of the target certificate is the same as a signature calling unit, and the decryption module is further used to decrypt the private key using the default password when the issuing unit of the target certificate is the same as the signature calling unit.

8. The system for verifying user identity when signing as described in claim 6, wherein the identity verification module captures a biometric so as to verify the user identity using biometric recognition technology.

9. The system for verifying user identity when signing as described in claim 6, wherein the identity verification module requires input of a screen unlock password to verify the user identity.

10. The system for verifying user identity when signing as described in claim 9, wherein the identity verification module is further used to require a screen unlock password to be set when it determines that no screen unlock password has been set.

TW107140100A 2018-11-12 2018-11-12 System for verifying user identity when processing digital signature and method thereof TWI698823B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107140100A TWI698823B (en) 2018-11-12 2018-11-12 System for verifying user identity when processing digital signature and method thereof

Publications (2)

Publication Number Publication Date
TW202018626A TW202018626A (en) 2020-05-16
TWI698823B true TWI698823B (en) 2020-07-11

Family

ID=71895798

Country Status (1)

Country Link
TW (1) TWI698823B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI769028B (en) * 2021-07-27 2022-06-21 玉山綜合證券股份有限公司 Method of verifying securities orders

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201042964A (en) * 2009-05-18 2010-12-01 Chunghwa Telecom Co Ltd Mobile phone service system for e-commerce dual identity check
TW201828130A (en) * 2017-01-19 2018-08-01 阿里巴巴集團服務有限公司 Identity authentication method and device according to a preset standard interface bound to a dedicated service application and a security authentication of a terminal device itself

KR100717959B1 (en) Electronic device and authentication method thereof