TWI763176B - System and method for identity authentication - Google Patents

System and method for identity authentication

Info

Publication number
TWI763176B
Authority
TW
Taiwan
Prior art keywords
server
user device
session initiation
identity authentication
account
Prior art date
Application number
TW109144061A
Other languages
Chinese (zh)
Other versions
TW202223695A (en)
Inventor
何俊逸
周自強
何佩玲
朱瑞琪
蔡仁及
Original Assignee
中華電信股份有限公司

Landscapes

  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A method and system for identity authentication are provided. The identity authentication system includes a storage device, a first server, and a user equipment. The storage device stores a first session initiation protocol account. The user equipment obtains the first session initiation protocol account from the storage device. The user equipment and the first server establish a transmission layer channel, and the first server obtains the first session initiation protocol account from the user equipment by the transmission layer channel. The user equipment and the first server establish an application layer channel, and the first server obtains a second session initiation protocol account from the user equipment by the application layer channel. The first server determines whether the user equipment passes an identity authentication according to whether the first session initiation protocol account matches with the second session initiation protocol account.

Description

Identity authentication method and identity authentication system

The present disclosure relates to an identity authentication method and an identity authentication system.

In the traditional Voice over Internet Protocol (VoIP) identity authentication and login scheme, the operator issues the user an account and a password in clear text. The user enters the account and password into the user device, which then sends them to the operator's server for verification. Under this scheme the account and password are at risk of being stolen. In addition, if the user has to change the password for security reasons, the user must manually enter the new password, which is inconvenient.

The present disclosure provides an identity authentication method and an identity authentication system that give a user device a secure way of authenticating its identity.

The identity authentication method of the present disclosure is applicable to VoIP and includes: storing a first Session Initiation Protocol (SIP) account in a storage device, and obtaining, by a user device, the first SIP account from the storage device; establishing, by the user device and a first server, a transport-layer channel between the user device and the first server; obtaining, by the first server, the first SIP account from the user device through the transport-layer channel; establishing, by the user device and the first server, an application-layer channel between the user device and the first server; obtaining, by the first server, a second SIP account from the user device through the application-layer channel; and determining, by the first server, whether the user device passes identity authentication according to whether the first SIP account matches the second SIP account.

The identity authentication system of the present disclosure is applicable to VoIP and includes a storage device, a first server and a user device. The storage device stores a first SIP account. The user device is communicatively connected to the storage device and obtains the first SIP account from it. The user device and the first server establish a transport-layer channel between the user device and the first server, and the first server obtains the first SIP account from the user device through the transport-layer channel. The user device and the first server establish an application-layer channel between the user device and the first server, and the first server obtains a second SIP account from the user device through the application-layer channel. The first server determines whether the user device passes identity authentication according to whether the first SIP account matches the second SIP account.

Based on the above, in the identity authentication method and system of the present disclosure the user device obtains the SIP account stored in the storage device, and the server compares this SIP account with the second SIP account to decide whether the user device passes identity authentication, which improves both the security and the convenience of use for the user.

To make the above features and advantages of the present disclosure easier to understand, embodiments are described in detail below with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of an identity authentication system 100 according to an embodiment of the present disclosure. The identity authentication system 100 may include a storage device 110, a user device 120, a first server 130 and a second server 140.

The storage device 110 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid state drive (SSD), a similar component, or a combination of these components. In this embodiment, the storage device 110 may store a first Session Initiation Protocol (SIP) account. The first SIP account may be a VoIP account.

The user device 120 may have the components needed to run the user device 120, such as a processing unit (for example, but not limited to, a processor), a communication unit (for example, but not limited to, various communication chips, mobile communication chips, Bluetooth chips and Wi-Fi chips) and a storage unit (for example, but not limited to, removable random access memory, flash memory and hard disks). The user device 120 may be a device with an IP address or networking capability, such as a desktop computer, a notebook computer, a personal digital assistant (PDA), a smartphone or a thin client. The user device 120 may be communicatively connected to the storage device 110 and the first server 130.

The first server 130 may have the components needed to run the first server 130, such as a processing unit (for example, but not limited to, a processor), a communication unit (for example, but not limited to, various communication chips, mobile communication chips, Bluetooth chips and Wi-Fi chips) and a storage unit (for example, but not limited to, removable random access memory, flash memory and hard disks). The first server 130 may be a device with an IP address or networking capability, such as a mobile station, an advanced mobile station (AMS), a client, a desktop computer, a notebook computer, a personal digital assistant or a workstation. The first server 130 may be communicatively connected to the user device 120 and the second server 140.

The second server 140 may have the components needed to run the second server 140, such as a processing unit (for example, but not limited to, a processor), a communication unit (for example, but not limited to, various communication chips, mobile communication chips, Bluetooth chips and Wi-Fi chips) and a storage unit (for example, but not limited to, removable random access memory, flash memory and hard disks). The second server 140 may be a device with an IP address or networking capability, such as a mobile station, an advanced mobile station, a client, a desktop computer, a notebook computer, a personal digital assistant or a workstation. The second server 140 may be communicatively connected to the first server 130.

FIG. 2 is a signaling diagram of a process for deciding whether a user device passes identity authentication according to an embodiment of the present disclosure. In step S201, the user device 120 may obtain the first SIP account from the storage device 110.

In step S202, the user device 120 and the first server 130 may establish a transport-layer channel between the user device 120 and the first server 130. Specifically, the user device 120 may send a message to the first server 130 requesting that a Secure Sockets Layer (SSL) connection be established, where the SSL connection may include the transport-layer channel.

In step S203, the first server 130 may send a server certificate to the user device 120 in response to the establishment of the SSL connection.

In step S204, the user device 120 may verify the server certificate. For example, the user device 120 may pre-store a reference server certificate, and may determine that the first server 130 passes verification in response to the server certificate matching the pre-stored reference server certificate.

In step S205, after sending the server certificate to the user device 120, the first server 130 may send a message to the user device 120 requesting that the user device 120 send a user certificate containing the first SIP account to the first server 130.

In step S206, in response to receiving the request from the first server 130, the user device 120 may send the user certificate containing the first SIP account to the first server 130 through the transport-layer channel of the SSL connection.

In step S207, the first server 130 may verify the first SIP account. For example, the first server 130 may pre-store a reference SIP account. The user device 120 may determine that the user device 120 passes verification in response to the first SIP account in the user certificate matching the pre-stored reference SIP account.

In step S208, the user device 120 may send a SIP REGISTER to the first server 130 to establish an application-layer channel between the user device 120 and the first server 130, where the SIP REGISTER may include a second SIP account. In other words, the first server 130 may obtain the second SIP account from the user device 120 through the application-layer channel.

In step S209, the first server 130 may determine whether the user device 120 passes identity authentication according to whether the first SIP account matches the second SIP account. If the first SIP account does not match the second SIP account, the first server 130 may determine that the user device 120 fails identity authentication, and accordingly may interrupt the application-layer channel between the user device 120 and the first server 130. If the first SIP account matches the second SIP account, the first server 130 may proceed with the subsequent steps to determine whether the user device 120 passes identity authentication.

In one embodiment, the second server 140 may store a certificate status for the second SIP account. For example, the certificate status may be "certificate not expired" or "certificate expired". In step S210, the first server 130 may query the second server 140 for the certificate status of the second SIP account.

In step S211, the second server 140 may send the certificate status of the second SIP account to the first server 130.

In step S212, the first server 130 may determine whether the user device 120 passes identity authentication according to whether the certificate status is valid. For example, if the certificate status is "certificate expired", the first server 130 may determine that the user device 120 fails identity authentication and may disconnect the connection between the first server 130 and the user device 120. If the first server 130 determines that the user device 120 fails identity authentication, the first server 130 may interrupt the transport-layer and application-layer channels between the first server 130 and the user device 120. If the certificate status is "certificate not expired", the first server 130 may proceed with the subsequent steps to determine whether the user device 120 passes identity authentication.

In one embodiment, the first server 130 may pre-store a third SIP account. In step S213, the first server 130 may determine whether the user device 120 passes identity authentication according to whether the second SIP account matches the third SIP account. If the second SIP account does not match the third SIP account, the first server 130 may determine that the user device 120 fails identity authentication, and accordingly may interrupt the transport-layer and application-layer channels between the first server 130 and the user device 120. If the second SIP account matches the third SIP account, the first server 130 may proceed with the subsequent steps to determine whether the user device 120 passes identity authentication.

In step S214, the first server 130 may generate a random number (nonce) in response to receiving the SIP REGISTER.

In step S215, the first server 130 may send a SIP code 401 (SIP Code 401) to the user device 120, where the SIP code 401 may include the nonce.

In step S216, the user device 120 may generate a digital signature according to the nonce.

In step S217, the user device 120 may send the digital signature to the first server 130.

In step S218, the first server 130 may determine whether the digital signature is correct according to the nonce and the second SIP account, and thereby determine whether the user device 120 passes identity authentication. If the digital signature is incorrect, the first server 130 may determine that the user device 120 fails identity authentication, and accordingly may interrupt the transport-layer and application-layer channels between the first server 130 and the user device 120. If the digital signature is correct, the first server 130 may determine that the user device 120 passes identity authentication on the basis that the first SIP account matches the second SIP account, the certificate status of the second SIP account is "certificate not expired", the second SIP account matches the third SIP account, and the digital signature is correct.

In step S219, the first server 130 may send a SIP code 200 (SIP code 200) to the user device 120 to notify the user device 120 that it has passed identity authentication.

It should be noted that step S209, steps S210 to S212, step S213 and steps S214 to S218 may be performed concurrently, or their order may be adjusted as required; the present disclosure is not limited in this respect.
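The server-side checks of FIG. 2 (S206 to S219), which the FIG. 3 steps generalize, modelled as an added Python example that is not code from the patent or from its assignee: FirstServer, SecondServer, Session, the account names and the keys are all constructed here, and because the standard library has no asymmetric signatures, an HMAC keyed per account stands in for the digital signature the user device computes over the nonce. Every failed check closes both channels, and the nonce is single-use.

```python
"""Multi-layer SIP-account binding check (FIG. 2, S206-S219), simulated.

Added example, not code from the patent or its assignee. FirstServer, SecondServer,
Session, accounts and keys are constructed. The patent's digital signature over the
nonce is stood in for by HMAC-SHA256 with a per-account key; a real deployment would
use an asymmetric signature whose key is bound to the client certificate.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class SecondServer:
    """Holds the certificate status of each SIP account (S210/S211)."""

    def __init__(self, status):
        self._status = dict(status)  # account -> "valid" | "expired"

    def query_status(self, account):
        return self._status.get(account, "unknown")  # unknown accounts are not valid


@dataclass
class Session:
    tls_account: Optional[str] = None       # first SIP account, from the client certificate (S206)
    register_account: Optional[str] = None  # second SIP account, from SIP REGISTER (S208)
    nonce: Optional[str] = None             # challenge carried in SIP 401 (S214/S215)
    state: str = "open"                     # open -> challenged -> authenticated, or closed


class FirstServer:
    def __init__(self, reference_accounts, third_accounts, second_server, account_keys):
        self.reference_accounts = set(reference_accounts)  # pre-stored reference accounts (S207)
        self.third_accounts = set(third_accounts)          # pre-stored third SIP accounts (S213)
        self.second_server = second_server
        self.account_keys = dict(account_keys)             # account -> key for the signature check

    def _close(self, session):
        # Fail closed: tear down both the transport-layer and the application-layer channel.
        session.state = "closed"
        session.nonce = None
        return "closed"

    def on_client_certificate(self, session, cert_account):
        """S206/S207: the first SIP account arrives in the client certificate over TLS."""
        if session.state != "open" or cert_account not in self.reference_accounts:
            return self._close(session)
        session.tls_account = cert_account
        return "tls_ok"

    def on_register(self, session, register_account):
        """S208-S215: SIP REGISTER carries the second SIP account; answer 401 plus a nonce."""
        if session.state != "open" or session.tls_account is None:
            return self._close(session), None
        session.register_account = register_account
        # S209: the account seen at the transport layer must equal the one in SIP REGISTER.
        if not hmac.compare_digest(session.tls_account, register_account):
            return self._close(session), None
        # S210-S212: the certificate status held by the second server must be valid.
        if self.second_server.query_status(register_account) != "valid":
            return self._close(session), None
        # S213: the REGISTER account must also match a pre-stored third SIP account.
        if register_account not in self.third_accounts:
            return self._close(session), None
        # S214/S215: fresh, unpredictable nonce returned in the SIP 401.
        session.nonce = secrets.token_hex(16)
        session.state = "challenged"
        return "401", session.nonce

    def on_signature(self, session, signature):
        """S218/S219: check the signature over the nonce for the second SIP account."""
        if session.state != "challenged":
            return self._close(session)
        key = self.account_keys.get(session.register_account)
        if key is None:
            return self._close(session)
        expected = client_sign(key, session.nonce, session.register_account)
        session.nonce = None  # single use: the same signature cannot be replayed
        if not hmac.compare_digest(expected, signature):
            return self._close(session)
        session.state = "authenticated"
        return "200"


def client_sign(key, nonce, account):
    """S216: client-side signature stand-in, binding nonce and account under the account key."""
    return hmac.new(key, (nonce + "|" + account).encode(), hashlib.sha256).hexdigest()


def run_flow(server, cert_account, register_account, key):
    """Drive one registration end to end and return the server's final answer."""
    session = Session()
    if server.on_client_certificate(session, cert_account) != "tls_ok":
        return "closed"
    answer, nonce = server.on_register(session, register_account)
    if answer != "401":
        return answer
    return server.on_signature(session, client_sign(key, nonce, register_account))
```

With constructed accounts, run_flow returns "200" only when the certificate account, the REGISTER account, the status at the second server, the third account and the signature all agree; any single mismatch yields "closed".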

FIG. 3 is a flowchart of an identity authentication method according to an embodiment of the present disclosure, where the identity authentication method may be implemented by the identity authentication system 100 shown in FIG. 1.

In step S301, a storage device stores a first SIP account, and a user device obtains the first SIP account from the storage device.

In step S302, the user device and a first server establish a transport-layer channel between the user device and the first server.

In step S303, the first server obtains the first SIP account from the user device through the transport-layer channel.

In step S304, the user device and the first server establish an application-layer channel between the user device and the first server.

In step S305, the first server obtains a second SIP account from the user device through the application-layer channel.

In step S306, the first server determines whether the user device passes identity authentication according to whether the first SIP account matches the second SIP account.

In summary, in the identity authentication method and system of the present disclosure the user device obtains the SIP account stored in the storage device and sends a SIP account to the server through the transport-layer channel and through the application-layer channel respectively. The server compares the two SIP accounts received through the transport-layer channel and the application-layer channel and decides, according to whether they match, whether the user device passes identity authentication. In addition, the server can confirm the certificate status of the SIP account with the second server, which further improves the security of the identity authentication.

Although the present disclosure has been described above by way of embodiments, they are not intended to limit the present disclosure. Anyone with ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of the present disclosure, so the scope of protection of the present disclosure is defined by the appended claims.

100: identity authentication system; 110: storage device; 120: user device; 130: first server; 140: second server; S201 to S219 and S301 to S306: steps

FIG. 1 is a schematic diagram of an identity authentication system according to an embodiment of the present disclosure. FIG. 2 is a signaling diagram of a process for deciding whether a user device passes identity authentication according to an embodiment of the present disclosure. FIG. 3 is a flowchart of an identity authentication method according to an embodiment of the present disclosure.


Claims (14)

一種身分認證方法,適用於互聯網語音協議(Voice over Internet Protocol,VoIP),所述身分認證方法包括:由儲存裝置儲存第一會話啟動協定帳號,並且由用戶裝置自所述儲存裝置取得所述第一會話啟動協定帳號;由所述用戶裝置和所述第一伺服器建立所述用戶裝置和所述第一伺服器之間的傳輸層通道;由所述第一伺服器通過所述傳輸層通道以自所述用戶裝置取得所述第一會話啟動協定帳號;由所述用戶裝置和所述第一伺服器建立所述用戶裝置和所述第一伺服器之間的應用層通道;由所述第一伺服器通過所述應用層通道以自所述用戶裝置取得第二會話啟動協定帳號;以及由所述第一伺服器根據所述第一會話啟動協定帳號與所述第二會話啟動協定帳號是否匹配以決定所述用戶裝置是否通過身分認證。 An identity authentication method suitable for Voice over Internet Protocol (VoIP), the identity authentication method comprising: storing a first session initiation agreement account in a storage device, and obtaining the first session activation agreement account by a user device from the storage device A session activation agreement account; establishing a transport layer channel between the user device and the first server by the user device and the first server; passing the transport layer channel by the first server obtaining the first session activation agreement account from the user device; establishing an application layer channel between the user device and the first server by the user device and the first server; The first server obtains a second session activation agreement account from the user device through the application layer channel; and the first server obtains a second session activation agreement account according to the first session activation agreement account and the second session activation agreement account Match to determine whether the user device is authenticated. 如請求項1所述的身分認證方法,更包括:由第二伺服器儲存所述第二會話啟動協定帳號的憑證狀態;由所述第一伺服器向所述第二伺服器查詢所述第二會話啟動協定帳號的所述憑證狀態;以及由所述第一伺服器根據所述憑證狀態是否為有效的以決定所述用戶裝置是否通過所述身分認證。 The identity authentication method according to claim 1, further comprising: storing, by a second server, the certificate status of the second session activation agreement account; inquiring, by the first server, to the second server for the first 2. 
The certificate status of the session activation agreement account; and the first server determines whether the user device has passed the identity authentication according to whether the certificate status is valid. 如請求項1所述的身分認證方法,其中由所述第一伺服器通過所述傳輸層通道以自所述用戶裝置取得所述第一會話啟動協定帳號的步驟包括:由所述用戶裝置向所述第一伺服器請求建立安全資料傳輸層連線,並且通過所述安全資料傳輸層連線的所述傳輸層通道傳送所述第一會話啟動協定帳號至所述第一伺服器。 The identity authentication method according to claim 1, wherein the step of obtaining the first session initiation agreement account from the user device by the first server through the transport layer channel comprises: sending the user device to the user device. The first server requests the establishment of a secure data transport layer connection, and transmits the first session initiation protocol account to the first server through the transport layer channel of the secure data transport layer connection. 如請求項1所述的身分認證方法,其中由所述第一伺服器通過所述應用層通道以自所述用戶裝置取得所述第二會話啟動協定帳號的步驟包括:由所述用戶裝置傳送會話啟動協定註冊給所述第一伺服器以建立所述應用層通道,其中所述會話啟動協定註冊包括所述第二會話啟動協定帳號。 The identity authentication method of claim 1, wherein the step of obtaining the second session initiation agreement account from the user device by the first server through the application layer channel comprises: transmitting by the user device A session initiation agreement is registered with the first server to establish the application layer channel, wherein the session initiation agreement registration includes the second session initiation agreement account. 
如請求項4所述的身分認證方法,更包括:響應於接收到所述會話啟動協定註冊,由所述第一伺服器傳送會話啟動協定碼給所述用戶裝置,其中所述會話啟動協定碼包括隨機數;由所述用戶裝置根據所述隨機數產生數位簽章,並且將所述數位簽章傳送給所述第一伺服器;以及由所述第一伺服器根據所述隨機數和所述第二會話啟動協定帳號判斷所述數位簽章是否正確,從而決定所述用戶裝置是否通過所述身分認證。 The identity authentication method of claim 4, further comprising: in response to receiving the session initiation protocol registration, transmitting, by the first server, a session initiation protocol code to the user device, wherein the session initiation protocol code including a random number; generating a digital signature by the user device according to the random number, and transmitting the digital signature to the first server; and by the first server according to the random number and the The second session initiation agreement account determines whether the digital signature is correct, so as to determine whether the user device passes the identity authentication. 如請求項1所述的身分認證方法,更包括: 由所述第一伺服器預存第三會話啟動協定帳號;以及由所述第一伺服器根據所述第二會話啟動協定帳號與所述第三會話啟動協定帳號是否匹配以決定所述用戶裝置是否通過所述身分認證。 The identity authentication method according to claim 1, further comprising: A third session initiation agreement account number is pre-stored by the first server; and the first server determines whether the user device is not based on whether the second session initiation agreement account number matches the third session initiation agreement account number Authenticated by said identity. 如請求項1所述的身分認證方法,更包括:由所述第一伺服器響應於所述用戶裝置未通過所述身分認證而中斷所述傳輸層及所述應用層通道。 The identity authentication method of claim 1, further comprising: interrupting, by the first server, the transport layer and the application layer channel in response to the user device failing the identity authentication. 
8. An identity authentication system suitable for voice over Internet protocol (VoIP), the identity authentication system comprising: a storage device that stores a first session initiation protocol (SIP) account; a first server; and a user device communicatively connected to the storage device, the user device obtaining the first SIP account from the storage device, wherein the user device and the first server establish a transport layer channel between the user device and the first server, wherein the first server obtains the first SIP account from the user device through the transport layer channel, wherein the user device and the first server establish an application layer channel between the user device and the first server, wherein the first server obtains a second SIP account from the user device through the application layer channel, and wherein the first server determines whether the user device passes identity authentication according to whether the first SIP account matches the second SIP account.

9. The identity authentication system according to claim 8, further comprising: a second server communicatively connected to the first server, the second server storing a certificate status of the second SIP account, wherein the first server queries the second server for the certificate status of the second SIP account, and wherein the first server determines whether the user device passes identity authentication according to whether the certificate status is valid.

10. The identity authentication system according to claim 8, wherein the user device requests the first server to establish a Transport Layer Security (TLS) connection, and transmits the first SIP account to the first server through the transport layer channel of the TLS connection.

11. The identity authentication system according to claim 8, wherein the user device transmits a SIP registration (REGISTER) to the first server to establish the application layer channel, wherein the SIP registration includes the second SIP account.

12. The identity authentication system according to claim 11, wherein, in response to receiving the SIP registration, the first server transmits a SIP code to the user device, wherein the SIP code includes a random number, wherein the user device generates a digital signature according to the random number and transmits the digital signature to the first server, and wherein the first server determines whether the digital signature is correct according to the random number and the second SIP account, thereby determining whether the user device passes the identity authentication.

13. The identity authentication system according to claim 8, wherein the first server pre-stores a third SIP account, and wherein the first server determines whether the user device passes the identity authentication according to whether the second SIP account matches the third SIP account.

14. The identity authentication system according to claim 8, wherein the first server terminates the transport layer channel and the application layer channel in response to the user device failing the identity authentication.
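The decision logic that claims 8, 9, 12, 13 and 14 describe for the first server, written out as an added Go example; this is not code from the patent or from its assignee. It assumes Ed25519 as the signature scheme (the claims say only "digital signature"), assumes the first server has already learned the account carried on the transport-layer channel (the claims do not say how, for instance whether it is read from a TLS client certificate), and every type, function and account name (FirstServer, StatusServer, Authenticate, RunScenarios, the sip:alice@example.com and sip:bob@example.com accounts, the revoked status of Bob's certificate) is constructed for illustration. It goes one step past the claims by also showing that a signature over an earlier random number fails against a fresh one, which is what makes the random number in claim 12 worth sending.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Constructed illustration of the claimed check sequence as seen by the first
// server. Every type, function and account name here is an assumption made for
// this example; the claims name only the roles (first server, second server,
// user device, storage device).

// StatusServer stands in for the "second server" of claim 9: it answers the
// first server's query about whether an account's certificate is valid.
type StatusServer struct {
	valid map[string]bool
}

func (s *StatusServer) CertValid(account string) bool { return s.valid[account] }

// FirstServer keeps, per subscriber, the pre-stored SIP account (the "third
// account" of claim 13) with the public key that verifies the device's signature
// over the nonce (claim 12). Ed25519 is this example's choice of scheme.
type FirstServer struct {
	keys   map[string]ed25519.PublicKey
	status *StatusServer
}

// NewNonce is the random number the first server puts in its SIP response
// after receiving the REGISTER (claim 12).
func NewNonce() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Authenticate applies the checks of claims 8, 13, 9 and 12 in that order and
// returns the first failure. tlsAccount was learned on the transport-layer
// channel, regAccount came inside the SIP REGISTER on the application-layer
// channel. On any error the caller tears both channels down (claim 14).
func (s *FirstServer) Authenticate(tlsAccount, regAccount string, nonce, sig []byte) error {
	if tlsAccount != regAccount {
		return errors.New("transport-layer account does not match REGISTER account")
	}
	pub, ok := s.keys[regAccount]
	if !ok {
		return errors.New("account is not pre-stored on the first server")
	}
	if !s.status.CertValid(regAccount) {
		return errors.New("second server reports the certificate as not valid")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature over the nonce does not verify")
	}
	return nil
}

// RunScenarios drives the flow with constructed subscribers and reports, per
// scenario, whether the device was authenticated.
func RunScenarios() (map[string]bool, error) {
	var pubs [3]ed25519.PublicKey
	var privs [3]ed25519.PrivateKey
	for i := range pubs { // alice, bob, and a key that is enrolled nowhere
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		pubs[i], privs[i] = pub, priv
	}
	const alice, bob = "sip:alice@example.com", "sip:bob@example.com"
	srv := &FirstServer{
		keys:   map[string]ed25519.PublicKey{alice: pubs[0], bob: pubs[1]},
		status: &StatusServer{valid: map[string]bool{alice: true, bob: false}}, // Bob's certificate is revoked
	}
	nonce, err := NewNonce()
	if err != nil {
		return nil, err
	}
	fresh, err := NewNonce() // a later challenge, to show a replayed signature fails
	if err != nil {
		return nil, err
	}
	passed := func(e error) bool { return e == nil }
	return map[string]bool{
		// Same account on both channels, valid certificate, enrolled key.
		"honest": passed(srv.Authenticate(alice, alice, nonce, ed25519.Sign(privs[0], nonce))),
		// REGISTER names a different account than the transport-layer channel carried.
		"account_mismatch": passed(srv.Authenticate(alice, bob, nonce, ed25519.Sign(privs[0], nonce))),
		// Consistent account whose certificate the second server reports as not valid.
		"revoked": passed(srv.Authenticate(bob, bob, nonce, ed25519.Sign(privs[1], nonce))),
		// Consistent account, but the signature was made with a key the server never enrolled.
		"wrong_key": passed(srv.Authenticate(alice, alice, nonce, ed25519.Sign(privs[2], nonce))),
		// Valid signature over an earlier nonce, presented against a fresh challenge.
		"stale_nonce": passed(srv.Authenticate(alice, alice, fresh, ed25519.Sign(privs[0], nonce))),
	}, nil
}
```

Only the "honest" scenario authenticates. The order of checks is deliberate: the string comparisons of claims 8 and 13 and the status query of claim 9 are cheap and reject most bad registrations before the server spends a signature verification, and because the server itself chose the nonce, a signature captured from an earlier registration cannot satisfy a later challenge. Whatever check fails, claim 14 has the server drop both the TLS connection and the SIP dialog rather than leaving a half-authenticated device connected.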

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109144061A TWI763176B (en) 2020-12-14 2020-12-14 System and method for identity authentication

Publications (2)

Publication Number Publication Date
TWI763176B true TWI763176B (en) 2022-05-01
TW202223695A TW202223695A (en) 2022-06-16

Family

ID=82593966

Country Status (1)

Country Link
TW (1) TWI763176B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102197398A (en) * 2008-06-25 2011-09-21 斯坦卡特·恩佐 Multifunction apparatus for telecommunications
US20150371215A1 (en) * 2002-10-01 2015-12-24 Andrew H B Zhou Systems and methods for mobile application, wearable application, transactional messaging, calling, digital multimedia capture and payment transactions
CN105516070A (en) * 2014-09-30 2016-04-20 华为技术有限公司 Authentication credential replacing method and authentication credential replacing device
CN106899969A (en) * 2017-01-18 2017-06-27 东南大学常州研究院 Specific secrecy terminal system implementation method based on iOS system

Similar Documents

Publication Publication Date Title
US11510054B2 (en) Methods, apparatuses, and computer program products for performing identification and authentication by linking mobile device biometric confirmation with third-party mobile device account association
US9413758B2 (en) Communication session transfer between devices
CN102201915B (en) Terminal authentication method and device based on single sign-on
US9130935B2 (en) System and method for providing access credentials
EP2713546B1 (en) Method and apparatuses for establishing a data transmission via sip
US10594695B2 (en) Authentication arrangement
US8893244B2 (en) Application-based credential management for multifactor authentication
US20100197293A1 (en) Remote computer access authentication using a mobile device
WO2017025006A1 (en) Wireless network logon method and apparatus
WO2017016252A1 (en) Token generation and authentication method, and authentication server
US20080010673A1 (en) System, apparatus, and method for user authentication
WO2016078419A1 (en) Open authorization method, device and open platform
WO2015196908A1 (en) Service processing method, terminal, server and system
KR102645768B1 (en) System for managing multiple identity and method thereof
WO2009089764A1 (en) A system and method of secure network authentication
WO2016054990A1 (en) Security check method, device, terminal and server
US20180343309A1 (en) Migrating sessions using a private cloud - cloud technology
US11575667B1 (en) System and method for secure communications
US20180331886A1 (en) Systems and methods for maintaining communication links
US11689923B2 (en) Method and system for generating a secure one-time passcode using strong authentication
US10320920B2 (en) Automatic migration of communication sessions using a private cloud-cloud technology
TWI763176B (en) System and method for identity authentication
CN114500074B (en) Single-point system security access method and device and related equipment
US11943349B2 (en) Authentication through secure sharing of digital secrets previously established between devices
WO2019184206A1 (en) Identity authentication method and apparatus