TWI707572B - Intelligent network mobile terminal certification management system - Google Patents



Publication number
TWI707572B
Authority
TW
Taiwan
Prior art keywords
mobile terminal
module
user
information security
service
Application number
TW108140231A
Other languages
Chinese (zh)
Other versions
TW202119788A (en)
Inventor
王士康
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW108140231A
Application granted
Publication of TWI707572B
Publication of TW202119788A


Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention provides an intelligent network mobile terminal certification management system. The system includes a mobile terminal certification management device and a mobile terminal. The mobile terminal certification management device may perform legality certification for the user and for the mobile terminal. For domains that have different security specifications, the mobile terminal certification management device may perform management through groups and provide the manager with a convenient management mechanism to improve network information security.

Description

Intelligent network mobile terminal authentication control system

The present invention relates to an intelligent network mobile terminal authentication control system, used to verify the identity of mobile terminals in a network, manage them in groups, and control their access rights, so as to ensure the information security of the network as a whole.

With the development and spread of mobile network technologies, more and more users connect to the network through mobile terminals to look up data or browse audio-visual services. If the content being browsed is public data that is neither sensitive nor confidential, users can be allowed to access it freely, without identity authentication or access control. But if the usage scenario is a company's internal network, or an IoT network that collects sensitive data, then confirming the user's identity and isolating access rights become very important.

Identity authentication and control can generally be achieved with RADIUS combined with LDAP, but if higher security requirements are desired for mobile devices, existing authentication technologies have difficulty meeting them.

To achieve the above objective, the present invention provides an intelligent network mobile terminal authentication control system.

The intelligent network mobile terminal authentication control system of the present invention includes a mobile terminal authentication control device and a mobile terminal. The mobile terminal authentication control device is communicatively connected to the mobile terminal and provides a service to it. The mobile terminal authentication control device includes: a user data storage module, a device data storage module, an identity authentication module, a first device authentication module, a smart group module, an information security policy control module, a service authority control module, a user group module, and a message push module. The user data storage module stores user-related data of at least one user who may use the service. The device data storage module stores device-related data of at least one device that may use the service. The identity authentication module performs identity confirmation when the user of the mobile terminal logs in to the mobile terminal authentication control device. The first device authentication module performs legality confirmation when the mobile terminal registers. The smart group module places the mobile terminal into a group according to the category of the mobile terminal or the type of service. The information security policy control module is in charge of information security policies of different attributes; it applies at least one information security policy to the group and performs an information security policy compliance check on the mobile terminal. The service authority control module grants or revokes the mobile terminal's authority to use the service, and determines whether the mobile terminal has that authority according to the legality confirmation and the information security policy compliance check. The user group module assigns the mobile terminal to a user group according to the user's department or job attribute. The message push module provides an input interface for the administrator to enter push messages.

In an embodiment of the present invention, the user-related data includes the user account, e-mail address, mobile phone number, application date, period of use, and type of service applied for.

In an embodiment of the present invention, the device-related data includes the device type, device serial number, operating system name, registration time, and time of the most recent login.

In an embodiment of the present invention, the identity authentication module determines that the user is a legitimate user when the result of the identity confirmation matches the user-related data in the user data storage module.

In an embodiment of the present invention, the mobile terminal includes a second device authentication module, which sends a registration message to the mobile terminal authentication control device when the mobile terminal registers; the first device authentication module determines that the mobile terminal is a legitimate mobile terminal when the result of the legality confirmation matches the device-related data in the device data storage module.

In an embodiment of the present invention, the smart group module places the mobile terminal into the group on the basis that the mobile terminal has authority to use the service, and removes the mobile terminal from the group on the basis that its authority has been cancelled.

In an embodiment of the present invention, the second device authentication module receives at least one information security policy from the information security policy control module and, when the mobile terminal meets the field security specification required by that policy, sends a report message to the information security policy control module, which determines from the report message that the mobile terminal has passed the information security policy compliance check.

In an embodiment of the present invention, the service authority control module grants the mobile terminal authority to use the service on the basis that the mobile terminal meets the field security specification.

In an embodiment of the present invention, the message push module pushes the push message to the devices in the user group.

In an embodiment of the present invention, the mobile terminal includes a message browsing module, which receives the push message from the message push module and displays it for the user of the mobile terminal to read.

The purpose of the present invention is to provide, for scenarios with high security requirements, a mobile terminal authentication and control system that keeps the mobile terminals in the scenario's network environment secure, reduces the chance of a mobile terminal becoming a pivot or zombie device or even infecting other devices in the network and causing a mass infection, and at the same time ensures that the identity of the mobile terminal user is secure, preventing malicious parties from stealing or eavesdropping on data in the network.

1: Intelligent network mobile terminal authentication control system

10: Mobile terminal authentication control device

100: User data storage module

101: Device data storage module

102: Identity authentication module

103: First device authentication module

104: Smart group module

105: Information security policy control module

106: Service authority control module

107: User group module

108: Message push module

11: Mobile terminal

110: Message browsing module

113: Second device authentication module

S101, S102, S103, S104, S105, S106, S107, S108, S109: steps

The technical content, objectives and effects of the present invention can be further understood from the detailed description and the accompanying drawings, which are: Figure 1, a schematic diagram of an intelligent network mobile terminal authentication control system according to an embodiment of the present invention.

Figure 2 is a flowchart of an intelligent network mobile terminal authentication control method according to an embodiment of the present invention.

Figure 1 is a schematic diagram of the intelligent network mobile terminal authentication control system 1 according to an embodiment of the present invention. The system 1 mainly uses the mobile terminal authentication control device 10 to authenticate and manage the mobile terminal 11. The mobile terminal authentication control device 10 may also provide one or more services to the mobile terminal 11.

The mobile terminal authentication control device 10 has the components necessary to operate it, such as a processing unit (for example a processor, but not limited to this), a communication unit coupled to the processing unit (for example a transceiver supporting communication protocols such as mobile network, Bluetooth or WiFi), and a storage unit coupled to the processing unit (for example removable random access memory, flash memory or a hard disk, but not limited to these). The device 10 may connect to the mobile terminal 11 through the communication unit. Its storage unit may store a number of modules, including the user data storage module 100, device data storage module 101, identity authentication module 102, first device authentication module 103, smart group module 104, information security policy control module 105, service authority control module 106, user group module 107 and message push module 108, and its processing unit may access and execute these modules. The functions of each module are described below.

The mobile terminal 11 is, for example, a notebook computer, a personal digital assistant (PDA), a tablet computer or a telephone device. It has the components necessary to operate it, such as a processing unit (for example a processor, but not limited to this), a communication unit coupled to the processing unit (for example a transceiver supporting communication protocols such as mobile network, Bluetooth or WiFi), and a storage unit coupled to the processing unit (for example removable random access memory, flash memory or a hard disk, but not limited to these). The storage unit of the mobile terminal 11 may store a number of modules, including the second device authentication module 113 and the message browsing module 110, and its processing unit may access and execute these modules. The functions of each module are described below.

The user data storage module 100 stores the user-related data of users who have been approved by the administrator to use the services provided by the mobile terminal authentication control device 10 (or by an external server managed by the device 10). The user-related data may include, but is not limited to, the user account, e-mail address, mobile phone number, service application date, service period of use and/or type of service applied for. The device data storage module 101 stores the device-related data of devices (for example the mobile terminal 11) that have been approved by the administrator to use the services provided by the device 10 (or by an external server managed by the device 10). The device-related data may include, but is not limited to, the device type, device serial number, operating system name, registration time and/or time of the most recent login.

After the second device authentication module 113 has been installed on the user's mobile terminal 11, it sends a registration message to the first device authentication module 103 through the communication unit of the mobile terminal 11 in order to register and check in. During the check-in process, the identity authentication module 102 verifies the user's identity. Specifically, after the user of the mobile terminal 11 logs in to the mobile terminal authentication control device 10 through the mobile terminal 11, the identity authentication module 102 reads the user-related data stored in the user data storage module 100 and checks whether the logged-in user matches that data (for example, whether the user's identity is recorded on the list of legitimate users in the user-related data). A match means the user is a legitimate user.

Next, the first device authentication module 103 may perform legality confirmation on the mobile terminal 11 that is registering. Specifically, it reads the device-related data stored in the device data storage module 101 and checks whether the registering mobile terminal 11 matches that data (for example, whether the device ID of the mobile terminal 11 is recorded on the list of legitimate mobile terminals in the device-related data). A match means the mobile terminal 11 is a legitimate mobile terminal.

The information security policy control module 105 is in charge of information security policies of different types or attributes. After the user and the mobile terminal 11 have been confirmed as legitimate, the module 105 performs an information security policy compliance check on the mobile terminal 11 through the second device authentication module 113, to confirm whether the terminal meets the security specification required by the field. Specifically, the second device authentication module 113 may receive the information security policy from the module 105 and check whether the mobile terminal 11 meets the field security specification that the policy requires. If it does, the module 113 may send a report message to the module 105, which may determine from the report message that the mobile terminal 11 has passed the compliance check. In addition, the second device authentication module 113 re-checks the mobile terminal 11 against the information security policy periodically, so that the terminal remains in a compliant state at all times.

The service authority control module 106 grants or revokes the mobile terminal 11's authority to use the service. It may determine whether the mobile terminal 11 has that authority according to the results of the legality confirmation and/or the information security policy compliance check described above. Specifically, if the mobile terminal 11 meets the field security specification, the module 106 grants it the authority to use the service; conversely, if the mobile terminal 11 does not meet the field security specification, the module 106 disables its authority to use the service.

Once the service authority control module 106 has granted the mobile terminal 11 authority to use the service, the smart group module 104 places the mobile terminal 11 into the smart group it belongs to, according to the category of the terminal or the type of service used. After joining its smart group, the mobile terminal 11 can receive delivery of the several apps that belong to that group. Conversely, if the module 106 disables or cancels the mobile terminal 11's service authority, the smart group module 104 removes the terminal from its smart group, and the apps on the terminal that belong to that group are automatically deleted.

The information security policy control module 105 may apply different information security policies to different smart groups. For example, it may apply a particular information security policy to the smart group to which the mobile terminal 11 belongs, in which case every device in that smart group must comply with that policy.

In addition, the message push module 108 may provide an input interface (for example a keyboard) for the administrator to enter a push message, which is then pushed to each device in a particular user group. After the service authority control module 106 has granted the mobile terminal 11 service authority, the user group module 107 places the terminal into the user group it belongs to, according to (but not limited to) the department or job attribute of the terminal's user. Once the mobile terminal 11 is in its user group, it can read, through the message browsing module 110, the push messages that the message push module 108 pushes to that group; for example, the module 110 may display the push message on the terminal's screen for the user to read. Push messages are sent separately to each user group, and users outside a user group cannot view the messages pushed to it, which improves the security of delivering confidential messages. Conversely, if the module 106 revokes the mobile terminal 11's service authority, the user group module 107 removes the terminal from its user group, after which the terminal can no longer read, through the message browsing module 110, the push messages sent to that group by the message push module 108.

Figure 2 is a flowchart of an intelligent network mobile terminal authentication control method according to an embodiment of the present invention. The method may be implemented by the intelligent network mobile terminal authentication control system 1 shown in Figure 1.

Step S101: after the second device authentication module 113 has been installed on the mobile terminal 11, the terminal is required to register and check in with the first device authentication module 103.

Step S102: the identity authentication module 102 authenticates the identity of the user of the mobile terminal 11 by reading the user-related data stored in the user data storage module 100 and comparing it with the user's identity.

Step S103: the first device authentication module 103 authenticates the mobile terminal 11 by reading the device-related data stored in the device data storage module 101 and comparing it with the mobile terminal 11.

Step S104: the information security policy control module 105 performs an information security policy compliance check on the mobile terminal 11 through the second device authentication module 113, to confirm whether the terminal meets the security specification required by the field.

Step S105: after the mobile terminal 11 has been determined to meet the field security specification, the service authority control module 106 grants usage authority according to the services the terminal may use. Conversely, if the terminal does not meet the field security specification, the module 106 disables or revokes its authority to use the service.

Step S106: after the mobile terminal 11's service authority has been granted, the smart group module 104 places the terminal into its smart group according to the terminal's category or the type of service used. Conversely, if the authority is revoked, the module 104 removes the terminal from its smart group.

Step S107: when the mobile terminal 11 joins its smart group, it receives delivery of the several apps that belong to that group and correspond to the requested service. Conversely, if the terminal is removed from its smart group, the apps on the terminal that belong to that group are automatically deleted.

Step S108: after the mobile terminal 11's service authority has been granted, the user group module 107 places the terminal into the user group to which its user belongs. Conversely, if the authority is revoked, the module 107 removes the terminal from its user group.

Step S109: after the mobile terminal 11 joins its user group, it can view the push messages generated by the message push module 108 through the message browsing module 110. Conversely, if the terminal is removed from its user group, it can no longer view those push messages through the message browsing module 110.
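The description above and steps S101 to S109 together define one admission pipeline: user check, device check, policy compliance check, then entitlement, group membership, app delivery and group-scoped push messages, with the periodic re-check able to unwind all of it. The following Python model is an added illustration of that pipeline and is not code from the patent or from 中華電信股份有限公司; the user and device records, the per-group policy attributes (minimum OS version, screen lock, storage encryption), the group naming scheme and the sample push messages are all constructed here for the example.

```python
"""Model of the registration-to-entitlement flow (steps S101-S109).

Added illustration, not the patent's code. Every record and policy below is
constructed for the example; the patent does not specify policy attributes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the user data store (module 100) and the
# device data store (module 101): only administrator-approved entries exist.
USER_RECORDS: Dict[str, dict] = {
    "alice": {"department": "finance", "service": "erp"},
}
DEVICE_RECORDS: Dict[str, dict] = {
    "SN-0001": {"type": "tablet", "os": "Android"},
}

# Constructed field security policies (module 105), keyed by smart group,
# and the apps delivered to each smart group (step S107).
GROUP_POLICIES: Dict[str, dict] = {
    "tablet/erp": {"min_os_version": 12, "screen_lock": True, "encrypted": True},
}
GROUP_APPS: Dict[str, List[str]] = {
    "tablet/erp": ["erp-client", "expense-reporter"],
}


@dataclass
class Terminal:
    """State of one mobile terminal (11) as seen by the control device (10)."""
    serial: str
    user: str
    dev_type: str
    os_version: int
    screen_lock: bool
    encrypted: bool
    authorized: bool = False
    smart_group: Optional[str] = None
    user_group: Optional[str] = None
    apps: List[str] = field(default_factory=list)


def authenticate_user(user: str) -> bool:
    """S102: the login must match an approved user record."""
    return user in USER_RECORDS


def authenticate_device(serial: str) -> bool:
    """S103: the registering device must match an approved device record."""
    return serial in DEVICE_RECORDS


def compliant(t: Terminal, policy: dict) -> bool:
    """S104: the agent-side check (module 113) that reports pass/fail."""
    return (t.os_version >= policy["min_os_version"]
            and t.screen_lock == policy["screen_lock"]
            and t.encrypted == policy["encrypted"])


def revoke(t: Terminal) -> None:
    """S105/S106/S107/S108 on failure: drop entitlement, groups and apps."""
    t.authorized = False
    t.smart_group = None
    t.apps = []
    t.user_group = None


def register(t: Terminal) -> bool:
    """S101-S108: full admission; returns True only if the terminal is entitled."""
    if not (authenticate_user(t.user) and authenticate_device(t.serial)):
        revoke(t)
        return False
    group = f"{t.dev_type}/{USER_RECORDS[t.user]['service']}"   # constructed naming
    policy = GROUP_POLICIES.get(group)
    if policy is None or not compliant(t, policy):
        revoke(t)
        return False
    t.authorized = True                                      # S105
    t.smart_group = group                                    # S106
    t.apps = list(GROUP_APPS[group])                         # S107
    t.user_group = USER_RECORDS[t.user]["department"]        # S108
    return True


def recheck(t: Terminal) -> bool:
    """Periodic re-check by module 113; a failure unwinds the entitlement."""
    if t.authorized and not compliant(t, GROUP_POLICIES[t.smart_group]):
        revoke(t)
    return t.authorized


def visible_messages(t: Terminal, outbox: List[Tuple[str, str]]) -> List[str]:
    """S109: a terminal sees only messages pushed to its own user group."""
    return [text for group, text in outbox if t.user_group == group]


if __name__ == "__main__":
    tab = Terminal("SN-0001", "alice", "tablet", 13, True, True)
    outbox = [("finance", "Q3 close on Friday"), ("hr", "Benefits enrolment")]  # constructed
    print("admitted:", register(tab), tab.smart_group, tab.apps)
    print("visible:", visible_messages(tab, outbox))
    tab.screen_lock = False          # terminal drifts out of compliance
    print("still authorized:", recheck(tab), "apps left:", tab.apps)
```

The two paths worth noting are the ones the patent stresses: an unknown device never reaches the policy check at all, and a terminal that later drifts out of compliance loses its apps and its view of group messages in the same step that removes its service authority, so nothing delivered under the entitlement outlives it.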

The intelligent network mobile terminal authentication control of the present invention can be used to perform identity and device authentication for mobile terminals in a network, ensuring the legitimacy of logged-in users and registered devices, and at the same time to run information security policy compliance checks on the devices at any time according to the field's security requirements, so that the devices stay in a secure state and the information security of the whole network is protected.

The detailed description above sets out one feasible embodiment of the present invention; that embodiment does not limit the patent scope of the invention, and any equivalent implementation or modification that does not depart from the technical spirit of the invention falls within the patent scope of this application.

[Features and Effects]

The present invention is characterized by ensuring the legitimacy of users and mobile terminals from several angles through identity authentication, device authentication and information security policy control, and, with the introduction of smart group technology, by managing the mobile terminals of multiple fields on a single platform, applying different information security policies and delivering different app services according to the field, which improves the controllability of mobile devices and the information security of the whole network. Combined with user group isolation, it ensures that data is not leaked when sensitive messages are pushed, and allows system messages to be announced immediately to particular user groups.


Claims (8)

1. An intelligent network mobile terminal authentication management system, comprising a mobile terminal authentication management device and a mobile terminal, wherein the mobile terminal authentication management device is communicatively connected to the mobile terminal and provides a service to the mobile terminal, and wherein the mobile terminal authentication management device comprises: a user data storage module, storing user-related data of at least one user permitted to use the service; a device data storage module, storing device-related data of at least one device permitted to use the service; an identity authentication module, performing identity verification when a user of the mobile terminal logs in to the mobile terminal authentication management device; a first device authentication module, performing legality verification when the mobile terminal registers; a smart group module, placing the mobile terminal into a group according to the category of the mobile terminal or the type of the service, wherein the smart group module adds the mobile terminal to the group on the basis that the mobile terminal holds the permission to use the service, and removes the mobile terminal from the group on the basis that that permission has been revoked; an information security policy management module, administering information security policies of different attributes, wherein the information security policy management module applies at least one information security policy to the group and performs an information security policy compliance check on the mobile terminal; a service permission management module, granting or revoking the permission of the mobile terminal to use the service, wherein the service permission management module determines whether the mobile terminal holds the permission to use the service according to the legality verification and the information security policy compliance check; a user group module, assigning the mobile terminal to a user group according to the department or job attribute of the user; and a message push module, providing an input interface through which an administrator enters a push message; wherein the mobile terminal comprises a second device authentication module, the second device authentication module sends a registration message to the mobile terminal authentication management device when the mobile terminal registers, and the first device authentication module determines that the mobile terminal is a legitimate mobile terminal when the result of the legality verification matches the device-related data in the device data storage module.

2. The intelligent network mobile terminal authentication management system of claim 1, wherein the user-related data comprise a user account, an e-mail address, a mobile phone number, an application date, a validity period and the type of service applied for.

3. The intelligent network mobile terminal authentication management system of claim 1, wherein the device-related data comprise a device type, a device serial number, an operating system name, a registration time and the time of the most recent login.

4. The intelligent network mobile terminal authentication management system of claim 1, wherein the identity authentication module determines that the user is a legitimate user when the result of the identity verification matches the user-related data in the user data storage module.

5. The intelligent network mobile terminal authentication management system of claim 1, wherein the second device authentication module receives the at least one information security policy from the information security policy management module and, when the mobile terminal complies with the field information security specification required by the at least one information security policy, sends a report message to the information security policy management module, and the information security policy management module determines from the report message that the mobile terminal has passed the information security policy compliance check.

6. The intelligent network mobile terminal authentication management system of claim 5, wherein the service permission management module grants the mobile terminal the permission to use the service on the basis that the mobile terminal complies with the field information security specification.

7. The intelligent network mobile terminal authentication management system of claim 1, wherein the message push module pushes the push message to the devices in the user group.

8. The intelligent network mobile terminal authentication management system of claim 1, wherein the mobile terminal comprises a message browsing module, and the message browsing module receives the push message from the message push module and displays the push message for the user of the mobile terminal to read.
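The admission flow that claim 1 lays out, with the record fields of claims 2 and 3, the report-driven compliance check of claims 5 and 6 and the group-scoped push of claim 7, as an added Python model that is not part of the patent text and not the applicant's code. Every name in it (the class names, the policy vocabulary, the 'ops-center' field, the sample accounts, serials and dates in demo()) is an assumption made for illustration; the patent specifies the modules and the data they hold, not this code.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Set

# Added example, not the patent's code: a model of the admission flow of claim 1 of
# TWI707572B. Class names, policy vocabulary and the records in demo() are assumptions.

@dataclass
class UserRecord:  # user data storage module (claim 2)
    account: str
    email: str
    phone: str
    applied: date  # application date
    expires: date  # end of the validity period
    services: Set[str]  # service types applied for

@dataclass
class DeviceRecord:  # device data storage module (claim 3)
    kind: str
    serial: str
    os_name: str
    registered: Optional[date] = None
    last_login: Optional[date] = None

# A policy maps a key of the terminal's report to a predicate on the reported value.
Policy = Dict[str, Callable[[object], bool]]

class AdmissionController:
    def __init__(self, users: List[UserRecord], devices: List[DeviceRecord],
                 field_policies: Dict[str, List[Policy]]):
        self.users = {u.account: u for u in users}
        self.devices = {d.serial: d for d in devices}
        self.field_policies = field_policies  # field (site) -> policies applied to it
        self.service_groups: Dict[str, Set[str]] = {}  # smart group: service -> serials
        self.user_groups: Dict[str, Set[str]] = {}  # department -> accounts

    def authenticate_user(self, account: str, today: date) -> bool:
        # identity authentication module (claim 4): known account, inside its validity period
        u = self.users.get(account)
        return u is not None and u.applied <= today <= u.expires

    def register_device(self, serial: str, kind: str, os_name: str, today: date) -> bool:
        # first device authentication module: the registration message must match a stored record
        d = self.devices.get(serial)
        if d is None or (d.kind, d.os_name) != (kind, os_name):
            return False
        d.registered = d.registered or today
        d.last_login = today
        return True

    def compliance_check(self, field_name: str, report: Dict[str, object]) -> bool:
        # policy management module: every policy applied to the field must hold for the reported state (claim 5)
        return all(pred(report.get(key))
                   for policy in self.field_policies.get(field_name, [])
                   for key, pred in policy.items())

    def evaluate(self, account: str, serial: str, kind: str, os_name: str,
                 field_name: str, service: str, report: Dict[str, object], today: date) -> bool:
        # service permission module: grant only when user, device and report all pass;
        # any failure revokes and removes the serial from the smart group (claim 1)
        ok = (self.authenticate_user(account, today)
              and service in self.users[account].services
              and self.register_device(serial, kind, os_name, today)
              and self.compliance_check(field_name, report))
        group = self.service_groups.setdefault(service, set())
        if ok:
            group.add(serial)
        else:
            group.discard(serial)
        return ok

    def has_permission(self, serial: str, service: str) -> bool:
        return serial in self.service_groups.get(service, set())

    def assign_user_group(self, account: str, department: str) -> None:
        self.user_groups.setdefault(department, set()).add(account)

    def push(self, department: str, message: str) -> Dict[str, str]:
        # message push module (claim 7): recipients are exactly the named user group, nobody else
        return {a: message for a in sorted(self.user_groups.get(department, ()))}

def demo() -> dict:
    # constructed sample records; the 'ops-center' field requires a screen lock and OS >= 10
    users = [UserRecord("alice", "alice@example.com", "0912000000",
                        date(2019, 11, 6), date(2020, 12, 31), {"ops-app"}),
             UserRecord("bob", "bob@example.com", "0912000001",
                        date(2019, 1, 1), date(2019, 6, 30), {"ops-app"})]  # validity expired
    devices = [DeviceRecord("phone", "SN-0001", "Android"), DeviceRecord("tablet", "SN-0002", "iOS")]
    policies = {"ops-center": [{"screen_lock": lambda v: v is True,
                                "os_version": lambda v: isinstance(v, int) and v >= 10}]}
    ctl = AdmissionController(users, devices, policies)
    ctl.assign_user_group("alice", "operations")
    ctl.assign_user_group("bob", "maintenance")
    today, good = date(2020, 3, 1), {"screen_lock": True, "os_version": 11}

    def attempt(acct, sn, kind, os_, rep):
        return ctl.evaluate(acct, sn, kind, os_, "ops-center", "ops-app", rep, today)

    out = {"first_login": attempt("alice", "SN-0001", "phone", "Android", good),
           "expired_user": attempt("bob", "SN-0002", "tablet", "iOS", good),
           "unknown_device": attempt("alice", "SN-9999", "phone", "Android", good)}
    # later re-check: the same device now reports its screen lock switched off
    out["recheck"] = attempt("alice", "SN-0001", "phone", "Android", {"screen_lock": False, "os_version": 11})
    out["granted_after_recheck"] = ctl.has_permission("SN-0001", "ops-app")
    out["push"] = ctl.push("operations", "maintenance window 22:00")
    return out
```

The last two results are the point of the claim's coupling between permission and group membership: a device admitted on first login loses the service, and its smart-group membership, the moment a later compliance re-check fails, and the push for the operations group never reaches the maintenance account. Note that, as in claim 5, the compliance report originates from the terminal's own second device authentication module; the server-side grant is therefore only as trustworthy as that report, which this model, like the claim, takes as given.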
TW108140231A 2019-11-06 2019-11-06 Intelligent network mobile terminal certification management system TWI707572B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108140231A TWI707572B (en) 2019-11-06 2019-11-06 Intelligent network mobile terminal certification management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW108140231A TWI707572B (en) 2019-11-06 2019-11-06 Intelligent network mobile terminal certification management system

Publications (2)

Publication Number Publication Date
TWI707572B true TWI707572B (en) 2020-10-11
TW202119788A TW202119788A (en) 2021-05-16

Family

ID=74091768

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108140231A TWI707572B (en) 2019-11-06 2019-11-06 Intelligent network mobile terminal certification management system

Country Status (1)

Country Link
TW (1) TWI707572B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401905A (en) * 2013-07-19 2013-11-20 中国南方电网有限责任公司 Mobile application platform system for power grid scheduling based on mobile intelligent terminal
CN104065485A (en) * 2014-07-04 2014-09-24 中国南方电网有限责任公司 Power grid dispatching mobile platform safety guaranteeing and controlling method
TW201612809A (en) * 2014-09-23 2016-04-01 Chunghwa Telecom Co Ltd Form flow system and method having group management and message feedback mechanism
TWI626555B (en) * 2016-11-16 2018-06-11 Chunghwa Telecom Co Ltd Service self-administration control system and method thereof

Also Published As

Publication number Publication date
TW202119788A (en) 2021-05-16

Similar Documents

Publication Publication Date Title
EP3706022B1 (en) Permissions policy manager to configure permissions on computing devices
US10990696B2 (en) Methods and systems for detecting attempts to access personal information on mobile communications devices
JP6599341B2 (en) Method, device and system for dynamic network access management
CN109460660B (en) Mobile device safety management system
CN100568212C (en) Shielding system and partition method
WO2015096695A1 (en) Installation control method, system and device for application program
US9298936B2 (en) Issuing security commands to a client device
EP2941729A1 (en) Protection and confidentiality of trusted service manager data
CN104982021A (en) Authenticating a wireless dockee to a wireless docking service
WO2018213142A1 (en) Secure password sharing for wireless networks
CN112673600A (en) Multi-security authentication system and method between mobile phone terminal and IoT (Internet of things) equipment based on block chain
US20160105417A1 (en) Computer network security management system and method
US20110154436A1 (en) Provider Management Methods and Systems for a Portable Device Running Android Platform
WO2014061897A1 (en) Method for implementing login confirmation and authorization service using mobile user terminal
US8595848B2 (en) Method for moving rights object and method for managing rights of issuing rights object and system thereof
TWI707572B (en) Intelligent network mobile terminal certification management system
CN109076126A (en) Permission update method and terminal device
KR20050096114A (en) System and method for distributed authorization for access to communications device
US10725898B2 (en) Testing network framework and information management method applied thereto
US9106766B2 (en) Phone call management
JP5730735B2 (en) Security management system, method and program
CN111291366A (en) Secure middleware system
JP2010541437A (en) Content delivery by verifying unique user-oriented authentication
CN104054088B (en) Manage across circumference access
WO2022252912A1 (en) User data management method and related device