TWI745026B - Authentication system and method - Google Patents

Publication number
TWI745026B
Authority
TW
Taiwan
Prior art keywords
data
server
authentication
identity
user device
Application number
TW109127607A
Other languages
Chinese (zh)
Other versions
TW202207666A (en)
Inventor
吳淑琴
周培桓
余如崧
賴琮盛
Original Assignee
台灣大哥大股份有限公司
Application filed by 台灣大哥大股份有限公司
Priority to TW109127607A
Application granted
Publication of TWI745026B
Publication of TW202207666A

Landscapes

  • Telephonic Communication Services (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

An authentication system includes: a database storing first telecommunication data; and a first server that accesses the database. The first server receives device address data from a user device and, according to the device address data, looks up the associated first telecommunication data in the database. The first server encodes the first telecommunication data together with timestamp data to generate verification data, stores the verification data in the database, and sends the verification data to the user device. The first server is communicatively connected to the database.

Description

Authentication system and method

The present invention relates to an authentication system and method, and more particularly to an authentication system and method that can authenticate a user device or a user identity.

At present, most authentication systems used on user devices (such as mobile phones) require the user to enter an account and/or password to verify the device or identity. However, this approach requires the user to remember the account and password at all times, which is extremely inconvenient. In addition, the widely used one-time password (OTP) is known as a way to check the device user, but such a mechanism still lacks real-name authentication, that is, identification of the device user's true identity. There is therefore a need for an authentication system and method that can perform real-name authentication of a user device or user identity without entering an account or password.

To solve the above problems, one idea of the present invention is to provide an authentication system and method that can authenticate a user device or user identity without entering an account or password.

Based on the aforementioned concept, the present invention provides an authentication system including: a database storing first telecommunication data; and a first server that accesses the database. The first server receives device address data from a user device and, according to the device address data, looks up the associated first telecommunication data in the database. The first server encodes the first telecommunication data together with timestamp data to generate verification data, stores the verification data in the database, and sends the verification data to the user device. The first server is communicatively connected to the database.

In a preferred embodiment of the present invention, the timestamp data indicates the time at which the first server receives the device address data from the user device.

In a preferred embodiment of the present invention, the first telecommunication data includes phone number data.

In a preferred embodiment of the present invention, the database stores identity data, and the authentication system further includes a second server that accesses the database. The second server receives the verification data, telecom phone number data and first identity verification data from the user device, and decides whether to generate authentication success data according to the verification data, the telecom phone number data, the identity data and the first identity verification data. The second server is communicatively connected to the database.

In a preferred embodiment of the present invention, the second server generates verification failure data when, within a predetermined time after the first server generates the verification data, it has not received the verification data and/or the first identity verification data from the user device.

In a preferred embodiment of the present invention, the first identity verification data is encoded data. The second server encodes the identity data stored in the database to generate second identity verification data, and generates the authentication success data when the first identity verification data matches the second identity verification data and the verification data received from the user device matches the verification data stored in the database. The second server does not decode the first identity verification data.

In a preferred embodiment of the present invention, the second server, based on the authentication success data, sends second telecommunication data stored in the database to the user device or to a third server.

In a preferred embodiment of the present invention, the second telecommunication data includes at least one of telecom service application data, payment record data, and agreed-terms data.

According to the object of the present invention, an authentication method is further provided, including: receiving, by a first server of an authentication system, device address data from a user device; looking up, by the first server, first telecommunication data associated with the device address data in a database of the authentication system; encoding, by the first server, the first telecommunication data together with the timestamp data to generate verification data; storing, by the first server, the verification data in the database; and sending, by the first server, the verification data to the user device; wherein the first server is communicatively connected to the database and accesses the database.

In a preferred embodiment of the present invention, the timestamp data indicates the time at which the first server receives the device address data from the user device.

In a preferred embodiment of the present invention, the first telecommunication data includes phone number data.

In a preferred embodiment of the present invention, the authentication method further includes: receiving, by a second server of the authentication system, the verification data, telecom phone number data and first identity verification data from the user device; and deciding, by the second server, whether to generate authentication success data according to the verification data, the telecom phone number data, the first identity verification data and identity data stored in the database; wherein the second server is communicatively connected to the database and accesses the database.

In a preferred embodiment of the present invention, the authentication method further includes: generating, by the second server, verification failure data when, within a predetermined time after the first server generates the verification data, it has not received the verification data and/or the first identity verification data from the user device.

In a preferred embodiment of the present invention, the authentication method further includes: encoding, by the second server, the identity data stored in the database to generate second identity verification data; and generating, by the second server, the authentication success data when the first identity verification data matches the second identity verification data and the verification data received from the user device matches the verification data stored in the database; wherein the first identity verification data is encoded data, and the second server does not decode the first identity verification data.

In a preferred embodiment of the present invention, the authentication method further includes: sending, by the second server and based on the authentication success data, second telecommunication data stored in the database to the user device or to a third server.

In a preferred embodiment of the present invention, the second telecommunication data includes at least one of telecom service application data, payment record data, and agreed-terms data.

The foregoing and other aspects of the present invention will become clearer from the following detailed description of non-limiting specific embodiments and from the accompanying drawings.

Please refer to the first figure, which shows the system architecture of one embodiment of the authentication system according to the present invention. In the embodiment shown in the first figure, the authentication system 100 includes a database 110 and a first server 120. The first server 120 is communicatively connected to the database 110 and can access it. The database 110 stores a plurality of address data (including the device address data of the user device 900) and a plurality of telecommunication data (including the first telecommunication data associated with the device address data); each address data is associated with one of the plurality of telecommunication data. Thus, when the first server 120 receives the device address data from the user device 900, it can look up the associated first telecommunication data in the database 110 according to the device address data. The first server 120 then encodes the first telecommunication data together with timestamp data to generate verification data. The first server 120 then sends the verification data to the user device 900, completing the device authentication procedure (also called the address reverse-lookup procedure), and also stores the verification data it generated in the database 110. (For convenience in the description below, the verification data sent to the user device 900 is also called the first verification data, and the verification data stored in the database 110 is also called the second verification data.) The verification data (or first verification data) can be regarded as device authentication success data. Preferably, the first server 120 irreversibly encodes the first telecommunication data and the timestamp data with the Message-Digest Algorithm (MD5) to generate the verification data. Because MD5 is an irreversible encryption method, even if the verification data is intercepted or sent to another device, there is no risk of the first telecommunication data leaking.

In different embodiments, the user device 900 may be a mobile communication device (for example, a mobile phone), and the user device 900 may be communicatively connected (for example, over a network) to the first server 120. The timestamp data may indicate the time at which the first server 120 receives the device address data from the user device 900, or the time at which the user device 900 sends the device address data to the first server 120, but is not limited to these. The first telecommunication data may include at least one of phone number data, card number data, tariff data, and Internet access permission data. The phone number data indicates the phone number of the user device 900; the tariff data indicates the tariff used by the user device 900 (for example, data tariff or call tariff); and the Internet access permission data indicates the Internet access permissions of the user device 900 (for example, whether the user device 900 may use Internet access and how much network usage is available to it). In one embodiment, the authentication system 100 may include one or more processors, and the database 110 and the first server 120 are implemented by hardware and software operating together.

Please refer to the second figure, which shows the system architecture of one embodiment of the authentication system according to the present invention. In the illustrated embodiment, the authentication system 200 includes a database 210, a first server 220 and a second server 230. The first server 220 is communicatively connected to the database 210 and can access it. The second server 230 is communicatively connected to the database 210 and can access it. The database 210 stores a plurality of address data (including the device address data of the user device 900), a plurality of telecommunication data (including the first telecommunication data associated with the device address data), and a plurality of user identity data (including the identity data). Each address data is associated with one of the plurality of telecommunication data, and each user identity data is associated with one of the plurality of telecommunication data. Thus, when the first server 220 receives the device address data from the user device 900, it can look up the associated first telecommunication data in the database 210 according to the device address data. The first server 220 then encodes the first telecommunication data together with timestamp data to generate verification data. The first server 220 then sends the verification data to the user device 900, completing the device authentication procedure, and also stores the verification data it generated in the database 210. (For convenience in the description below, the verification data sent to the user device 900 is also called the first verification data, and the verification data stored in the database 210 is also called the second verification data.) For the various implementations of the first server 220, refer to the first server 120 in the first figure.

After the first server 220 completes the device authentication procedure, the second server 230 can receive from the user device 900 the verification data (the first verification data), the telecom phone number data and the first identity verification data. (Preferably, the user enters user identity data into the user device 900 during the authentication process, and the user device 900 encodes that user identity data to generate the first identity verification data.) The second server 230 then decides whether to generate authentication success data according to the verification data (which may be the first verification data and/or the second verification data), the telecom phone number data, the first identity verification data, and the identity data stored in the database 210. Preferably, the verification data generated by the first server 220 is time-limited: if, within a predetermined time after the first server 220 generates the verification data (the length of the predetermined time can be preset as required), the second server 230 has not received the verification data (the first verification data) and/or the first identity verification data from the user device 900, it generates verification failure data to indicate that this authentication has failed. This prevents a third party other than the user from repeatedly entering different identity data within the predetermined time in an attempt to pass authentication.

Preferably, the second server 230 does not need to decode the first verification data in order to verify it. Instead, the second server 230 compares the second verification data stored in the database 210 with the first verification data received from the user device 900. When the first verification data matches the second verification data, the first verification data has passed verification. Preferably, the second server 230 likewise does not need to decode the first identity verification data in order to verify it. Instead, the second server 230 encodes the identity data stored in the database 210 to generate second identity verification data. The encoding method used by the second server 230 to generate the second identity verification data is exactly the same as the encoding method used by the first server 220 to generate the first identity verification data; for example, both use the same Advanced Encryption Standard 256 (AES 256) encoding. The second identity verification data generated by the second server 230 will therefore be identical to the first identity verification data generated by the first server 220. The second server 230 thus only needs to determine whether the first identity verification data matches the second identity verification data in order to verify it, without decoding the first identity verification data. In addition, the second server 230 generates the authentication success data, completing the identity authentication procedure, when the first identity verification data matches the second identity verification data and the verification data received from the user device 900 (the first verification data) matches the verification data stored in the database 210 (the second verification data). If the first identity verification data does not match the second identity verification data, or the first verification data received from the user device 900 does not match the second verification data stored in the database 210, authentication has failed. In that case, the second server 230 generates authentication failure data because the first verification data does not match the second verification data or the first identity verification data does not match the second identity verification data. It should be understood that, because generating the second identity verification data on the second server 230 requires no decoding of the first identity verification data, this approach avoids the information security risk of the user identity data obtained by decoding the first identity verification data being leaked.

After the identity authentication procedure is completed, the second server 230 can, based on the authentication success data, send the second telecommunication data stored in the database 210 to the user device 900. In different embodiments, since the authentication system or method of the present invention is applied to an application on the user device 900, the second server 230 can, based on the authentication success data, send the second telecommunication data stored in the database 210 to the user device 900, or to a third server (not shown) managed by the operator of the application. The third server may be communicatively connected (for example, over a network) to the second server 230, and the user device 900 may be communicatively connected (for example, over a network) to the first server 220 and/or the second server 230. The second telecommunication data may include at least one of telecom service application data, payment record data, and agreed-terms data, but is not limited to these. The telecom service application data may, for example, record whether the user applied for the phone number in person or through a proxy, or the store that handled the application (which may be a directly operated store, a franchise store, a dealer store or an online store), but is not limited to these. The payment record data may, for example, record how long the user has used and paid for this phone number, whether payments have been made normally, and whether there is any record of late payment, but is not limited to these. The agreed-terms data may, for example, record the terms of use the user agreed to, the version number of those terms of use, or the time at which the user tapped to agree to the terms, but is not limited to these. In one embodiment, the authentication system 200 may include one or more processors, and the database 210, the first server 220 and the second server 230 are implemented by hardware and software operating together.

Please refer to the third figure, which is a flowchart of one embodiment of the authentication method according to the present invention. In the embodiment shown in the third figure, the authentication method 300 starts at step 310, in which the first server of the authentication system receives device address data from the user device. Next, in step 320, the first server looks up the first telecommunication data associated with the device address data in the database of the authentication system. The first server is communicatively connected to the database and can access it. Preferably, the database stores a plurality of address data (including the device address data of the user device 900) and a plurality of telecommunication data (including the first telecommunication data associated with the device address data), and each address data is associated with one of the plurality of telecommunication data. Thus, when the first server receives the device address data from the user device, it can look up the associated first telecommunication data in the database according to the device address data.

Next, in step 330, the first server encodes the first telecommunication data together with the timestamp data to generate verification data. Preferably, the first server 120 encodes the first telecommunication data and the timestamp data with the message-digest algorithm (MD5) to generate the verification data. Because MD5 is an irreversible encryption method, even if the verification data is intercepted or sent to another device, there is no risk of the first telecommunication data leaking. Next, in step 340, the first server stores the verification data in the database. Next, in step 350, the first server sends the verification data to the user device, completing the device authentication procedure. The verification data can be regarded as device authentication success data. In different embodiments, the user device may be a mobile communication device (for example a mobile phone, but not limited to this), and the timestamp data may indicate the time at which the first server receives the device address data from the user device, or the time at which the user device sends the device address data to the first server, but is not limited to these. The first telecommunication data may include at least one of phone number data, card number data, tariff data, and Internet access permission data.

請參閱第四圖,其例示說明了根據本發明認證方法一具體實施例的流程圖,如第四圖所示實施例,認證方法400包含了第三圖中的步驟310至步驟350,並於步驟350後接著執行步驟410,由認證系統的第二伺服器自使用者裝置接收驗證資料、電信門號資料與第一身分驗證資料。其中第二伺服器通訊連接資料庫,且第二伺服器可存取資料庫。較佳地,第一身分驗證資料是由使用者自行於認證過程中輸入一使用者身分資料至使用者裝置,並由使用者裝置將該使用者身分資料進行編碼以產生第一身分驗證資料。Please refer to the fourth figure, which illustrates a flowchart of a specific embodiment of the authentication method according to the present invention. As shown in the embodiment shown in the fourth figure, the authentication method 400 includes step 310 to step 350 in the third figure, and Step 350 is followed by step 410, where the second server of the authentication system receives the verification data, the telecommunication number data, and the first identity verification data from the user device. The second server is in communication with the database, and the second server can access the database. Preferably, the first identity verification data is that the user inputs a user identity data to the user device during the authentication process, and the user device encodes the user identity data to generate the first identity verification data.

在執行完步驟410後,接著執行步驟420,由第二伺服器根據驗證資料、電信門號資料、第一身分驗證資料與儲存於資料庫的身分資料決定是否產生認證成功資料。在一具體實施例中,驗證資料可具有時效性,認證方法400可進一步包含由第二伺服器基於其在第一伺服器產生第一驗證資料後的一預定時間(例如為十分鐘)內,未從使用者裝置接收到該驗證資料及/或該第一身分驗證資料,而產生一驗證失敗資料,藉以指示出本次認證失敗。After step 410 is executed, step 420 is then executed, and the second server determines whether to generate authentication success data based on the verification data, the telecommunication number data, the first identity verification data, and the identity data stored in the database. In a specific embodiment, the verification data may be time-sensitive, and the verification method 400 may further include the second server based on it within a predetermined time (for example, ten minutes) after the first server generates the first verification data, The verification data and/or the first identity verification data are not received from the user device, and a verification failure data is generated to indicate the failure of this authentication.

In a specific embodiment, the authentication method 400 may further include a step in which the second server encodes the identity data stored in the database to generate second identity verification data, and a step in which the second server generates the authentication success data when the first identity verification data matches the second identity verification data and the verification data received from the user device matches the verification data stored in the database. The first identity verification data is encoded data, and the second server does not decode it. Preferably, the encoding method the second server uses to generate the second identity verification data is exactly the same as the encoding method the first server uses to generate the first identity verification data (for example, both encode with the same Advanced Encryption Standard, AES 256). The second identity verification data generated by the second server will therefore be exactly the same as the first identity verification data generated by the first server. In this way, the second server only needs to determine whether the first identity verification data matches the second identity verification data in order to verify the first identity verification data, without decoding it. In a specific embodiment, the authentication method 400 may further include the second server transmitting second telecommunication data stored in the database to the user device based on the authentication success data it generated. The second telecommunication data includes at least one of telecommunication application data, payment record data, and agreed-terms data.
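The check described above (issue time-limited verification data, then match re-encoded identity data without decoding anything) can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 is swapped in for the AES 256 encoding so that it runs on the Python standard library, and the function names, the shared key, the dictionary standing in for the database, and the sample records are all assumptions.

```python
import hashlib
import hmac

VALIDITY_SECONDS = 600             # the page's example "predetermined time": ten minutes
ENCODING_KEY = b"constructed-key"  # assumption: encoding key shared by device and servers


def encode(*fields):
    """Deterministic keyed encoding; HMAC-SHA256 is swapped in for the page's AES 256."""
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(ENCODING_KEY, msg, hashlib.sha256).hexdigest()


def same(a, b):
    """Constant-time comparison of two encoded values."""
    return hmac.compare_digest(a.encode(), b.encode())


def first_server_issue(db, address_map, device_address, now):
    """Map the device address to a number and encode it with the receipt timestamp."""
    number = address_map.get(device_address)
    if number is None or number not in db:
        return None
    token = encode(number, str(now))
    db[number]["verification"] = (token, now)  # stored for the second server
    return token


def second_server_verify(db, token, number, first_identity_verification, now):
    """True stands for authentication success data, False for verification failure data."""
    record = db.get(number)
    if record is None or "verification" not in record:
        return False
    stored_token, issued_at = record["verification"]
    if now - issued_at > VALIDITY_SECONDS:     # verification data has expired
        return False
    second_identity_verification = encode(record["identity"])  # re-encode, never decode
    token_ok = same(token, stored_token)
    identity_ok = same(first_identity_verification, second_identity_verification)
    return token_ok and identity_ok


def demo():
    db = {"0912345678": {"identity": "A123456789"}}  # constructed sample record
    token = first_server_issue(db, {"10.0.0.7": "0912345678"}, "10.0.0.7", now=1000)
    from_device = encode("A123456789")               # what the user device would send
    return (second_server_verify(db, token, "0912345678", from_device, now=1300),
            second_server_verify(db, token, "0912345678", from_device, now=1601))
```

Because the match relies on a deterministic encoding, equal identity data always yields equal encoded values, so the encoded value has to be protected in transit and at rest like the identity data itself.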

The user authentication system and method of the present invention have now been described by the above description and drawings. It should be understood, however, that the specific embodiments of the present invention are for illustrative purposes only; various changes can be made without departing from the scope and spirit of the claims of the present invention, and all such changes fall within the patent scope of the present invention. Therefore, the specific embodiments described in this specification are not intended to limit the present invention, and the true scope and spirit of the present invention are disclosed in the following claims.

100: authentication system
110: database
120: first server
200: authentication system
210: database
220: first server
230: second server
300: authentication method
310~350: steps
400: authentication method
410~420: steps
900: user device

FIG. 1 is a system architecture diagram of a specific embodiment of the authentication system of the present invention.

FIG. 2 is a system architecture diagram of a specific embodiment of the authentication system of the present invention.

FIG. 3 is a flowchart of a specific embodiment of the authentication method of the present invention.

FIG. 4 is a flowchart of a specific embodiment of the authentication method of the present invention.

200: authentication system

210: database

220: first server

230: second server

900: user device

Claims (10)

1. An authentication system, comprising: a database storing first telecommunication data and identity data of a user; a first server accessing the database, the first server receiving device address data from a user device and associating the first telecommunication data from the database according to the device address data, wherein the first server encodes the first telecommunication data and time stamp data to generate first verification data, the first server transmits the first verification data to the user device, and the time stamp data indicates a time at which the first server received the device address data from the user device; and a second server receiving from the user device the first verification data, the telecommunication data, and first identity verification data entered by the user on the user device, the second server encrypting, based on the first verification data, the corresponding identity data in the database to generate second identity verification data, and the second server determining whether to generate authentication success data based on at least the first verification data, the telecommunication data, the first identity verification data, and the second identity verification data, wherein the first identity verification data is not decrypted by the second server, and the second identity verification data is produced by the second server encrypting the identity data of the database.

2. The authentication system according to claim 1, wherein the first telecommunication data includes telephone number data.

3. The authentication system according to claim 1, wherein the second server generates verification failure data when it has not received the verification data and/or the first identity verification data from the user device within a predetermined time after the first server generated the verification data.

4. The authentication system according to claim 1, wherein the second server transmits second telecommunication data stored in the database to the user device or to a third server based on the authentication success data.

5. The authentication system according to claim 4, wherein the second telecommunication data includes at least one of telecommunication application data, payment record data, and agreed-terms data.

6. An authentication method, comprising: receiving, by a first server of an authentication system, device address data from a user device; associating, by the first server according to the device address data, first telecommunication data and identity data of a user from a database of the authentication system; encoding, by the first server, the first telecommunication data and time stamp data to generate first verification data, wherein the time stamp data indicates a time at which the first server received the device address data from the user device; transmitting, by the first server, the first verification data to the user device; receiving, by a second server from the user device, the first verification data, the telecommunication data, and first identity verification data entered by the user on the user device, the second server encrypting, based on the first verification data, the corresponding identity data in the database to generate second identity verification data, the first identity verification data being data encrypted by the user device; and determining, by the second server, whether to generate authentication success data based on at least the first verification data, the telecommunication data, the first identity verification data, and the second identity verification data, wherein the first identity verification data is not decoded by the second server, and the second identity verification data is produced by the second server encrypting the identity data of the database.

7. The authentication method according to claim 6, wherein the first telecommunication data includes telephone number data.

8. The authentication method according to claim 6, further comprising: generating, by the second server, verification failure data when it has not received the verification data and/or the first identity verification data from the user device within a predetermined time after the first server generated the verification data.

9. The authentication method according to claim 6, further comprising: transmitting, by the second server, second telecommunication data stored in the database to the user device or to a third server based on the authentication success data.

10. The authentication method according to claim 6, wherein the second telecommunication data includes at least one of telecommunication application data, payment record data, and agreed-terms data.
TW109127607A 2020-08-13 2020-08-13 Authentication system and method TWI745026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109127607A TWI745026B (en) 2020-08-13 2020-08-13 Authentication system and method

Publications (2)

Publication Number Publication Date
TWI745026B true TWI745026B (en) 2021-11-01
TW202207666A TW202207666A (en) 2022-02-16

Family

ID=79907335

Country Status (1)

Country Link
TW (1) TWI745026B (en)
