TWI773025B - Processes and method for safe of use, monitoring and management of device accounts in terminal manner - Google Patents
- Publication number: TWI773025B
- Authority: TW (Taiwan)
- Prior art keywords
- identity
- network
- decentralized
- information
- terminal device
- Prior art date
Landscapes
- Alarm Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention relates to the connection and management of network-connected devices, and in particular to a method and architecture that uses a decentralized network to store and retrieve authentication, management and usage information, so as to protect the authentication information needed when users and devices authenticate to one another and to secure the use of the devices themselves.
In the information age, reports of hacker attacks are commonplace. Although the techniques change daily, the main means of intrusion is still the theft of account credentials. Because access to the important devices inside most enterprises and agencies is carried out remotely through terminal devices, this mode of operation gives attackers an opening. In May 2020, for example, several companies, CPC Corporation, Taiwan among them, were hit by ransomware. According to the Investigation Bureau, the attackers stole account privileges through employees' personal computers and database servers, then tampered with the Group Policy on the domain controller in order to push ransomware onto employees' computers. In such cases, stealing account credentials is the attacker's first step; if the enterprise's internal network protected its authentication information (such as authentication passwords) better, the attack steps that follow could be prevented.
Computers are not the only intrusion target. With the rapid growth of the Internet of Things (IoT) in recent years, an enormous number of smart appliances are online and offer unexpected intrusion paths: routers, in-vehicle computers, even smart coffee machines can become an attacker's way in. The well-known Mirai botnet, for example, specifically targets IoT devices running Linux-based firmware and uses them as a springboard for further attacks on other devices in the network.
Industry generally manages IoT device passwords with in-house proprietary systems or by manual procedures, yet a large number of IoT devices still have passwords that are unprotected or only weakly protected; in practice, even the dedicated systems do not provide satisfactory protection. Whether in the IoT or an enterprise intranet, the storage, retrieval and verification of device passwords and login credentials mostly rely on a centralized architecture or system, and the operation traces of the various devices are usually stored and read through the same centralized system. Identity authentication on such centralized systems is, at present, still performed mainly with account names and passwords. The steady stream of intrusions shows that this mode of operation and architecture is not secure and leaves considerable room for improvement.
The object of the present invention is to provide a method and architecture for connecting to and managing a plurality of devices through a decentralized network, offering higher security, availability and convenience than conventional practice.
To achieve the above object, the present invention provides a method for connecting to and managing a device in a device network by means of a decentralized network, where the device network comprises a plurality of devices including that device. The method comprises the following steps: applying for a decentralized identity (Decentralized ID, DID) on the decentralized network; binding the decentralized identity to a digital identity that is permitted to connect to the device, and storing the resulting binding information on the decentralized network, where the digital identity has an authentication information; authorizing the device that the digital identity may connect to and a specific account it may use, and storing the resulting authorization information on the decentralized network; when a specific condition is met, updating the authentication information associated with the digital identity for that device and account according to a specific random-number rule, and storing the updated authentication information on the decentralized network; and retrieving the updated authentication information from the decentralized network through a terminal device and using it to authenticate when connecting to the device, where the terminal device holds an identity information bound to the decentralized identity, the identity information being generated after the terminal device completes an identity authentication action.
In one embodiment, the method further comprises: after the terminal device completes the identity authentication action and generates the identity information, retrieving the authorization information for connecting to the device from the decentralized network, and then, in accordance with the authorization information, using the authentication information to authenticate when connecting to the device.
In one embodiment, the method further comprises: capturing a history record during the connection to the device made with the authentication information, and storing the history record on the decentralized network.
In one embodiment, the history record includes input information.
In one embodiment, the history record includes output information.
In one embodiment, after the history record has been stored on the decentralized network, the method further comprises: after another digital identity completes identity authentication, reading the history record from the decentralized network to review the connection process of the device.
In one embodiment, the specific condition includes the elapse of a specific time period.
In one embodiment, the specific condition includes the device having been connected to using the specific account.
In one embodiment, the digital identity is managed by an identity management system.
The present invention also provides a network connection and management architecture comprising a device network, a terminal device and a decentralized network. The device network comprises a plurality of devices. The terminal device holds an identity information and runs a management program, where the identity information is generated by the terminal device upon completing an identity authentication action. The decentralized network provides a decentralized identity (Decentralized ID, DID), which is bound to a digital identity permitted to connect to the device, where the digital identity has an authentication information; the decentralized identity is also bound to the identity information of the terminal device. When a specific condition is met, the management program of the terminal device updates, according to a specific random-number rule, the authentication information of the digital identity permitted to connect to the device, and stores the updated authentication information on the decentralized network. When the terminal device is to connect to the device in the device network, the management program retrieves the updated authentication information from the decentralized network and uses it to authenticate when connecting to the device.
In one embodiment, while connecting to the device in the device network, the management program of the terminal device captures a history record of the terminal device and stores the history record on the decentralized network.
In one embodiment, the history record includes input information.
In one embodiment, the history record includes output information.
In one embodiment, the management program of the terminal device can read the history record from the decentralized network so that the connection process between the terminal device and the device in the device network can be reviewed.
In one embodiment, the device network comprises an Internet of Things (IoT).
In one embodiment, the device network comprises an enterprise intranet.
In one embodiment, the architecture further comprises an identity management system that holds and manages the digital identity.
In one embodiment, the authentication information of the digital identity held by the identity management system includes a login credential.
In one embodiment, the authentication information of the digital identity held by the identity management system includes a password.
In one embodiment, the specific condition includes the elapse of a specific time period.
In one embodiment, the specific condition includes the device having been connected to using a specific account.
The effect of the present invention is that storing and reading the authentication information on a decentralized network avoids the weakness of centralized architectures and systems, which are readily breached by attackers; further, the randomized authentication information and the identity information bound to the decentralized identity on the terminal device both greatly raise the difficulty of intrusion. Compared with conventional practice, the present invention therefore provides higher security while also improving availability and convenience.
1: Network usage architecture
10: Decentralized network
20: Device network
30: Terminal device
32: Management program
40: Identity management system
- FIG. 1 is a schematic diagram of a network connection and management architecture according to an embodiment of the present invention.
- FIG. 2 is a flow chart of a method, according to an embodiment of the present invention, for using a decentralized network to connect to and manage one of the devices in a device network.
- FIG. 3 is a schematic diagram of the interaction between the terminal device and the decentralized network in the first step of FIG. 2.
- FIG. 4 is a schematic diagram of the interaction among the terminal device, the identity management system and the device network in the second step of FIG. 2.
- FIG. 5 is a schematic diagram of the interaction among the terminal device, the decentralized network and the device network in the third step of FIG. 2.
- FIG. 6 is a schematic diagram of the interaction among the terminal device, the decentralized network and the device network in the fourth step of FIG. 2.
- FIG. 7 is a schematic diagram of the interaction between the terminal device and the decentralized network in the fifth step of FIG. 2.
- FIG. 8 is a schematic diagram of the interaction among the terminal device, the decentralized network and the device network in the sixth step of FIG. 2.
- FIG. 9 is a schematic diagram of the interaction between the terminal device and the decentralized network in the seventh step of FIG. 2.
To describe the present invention more clearly, preferred embodiments are described in detail below with reference to the drawings. FIG. 1 shows a network usage architecture 1 according to an embodiment of the present invention, which comprises a decentralized network 10, a device network 20, a terminal device 30 and an identity management system 40.
The device network 20 comprises a plurality of devices (not shown). The identity management system 40 manages at least one digital identity that is permitted to use one of the devices in the device network 20. Specifically, each digital identity corresponds to a real user, and a user must pass authentication confirming their identity before obtaining their digital identity and, through it, using the device in the device network 20. To make the authentication trustworthy, each digital identity has an authentication information, and the user must supply correct information that matches it in order to pass and complete authentication. The authentication information may be a login credential or a password, but these examples are not a limitation of the invention; it depends on the design of the devices in the device network 20.
More specifically, any network that internally connects multiple devices and requires users to log in to confirm whether they are permitted to use any of those devices can be regarded as the device network 20 of the present invention. The device network 20 may therefore be an IoT or an enterprise intranet. Where the device network 20 is an IoT, its devices may be network-enabled vending machines, thermostats, lights or various smart appliances (the actual device types are neither specified here nor a limitation of the invention); where the device network 20 is an enterprise intranet, its devices may be employees' personal computers or shared mail servers, and the identity management system 40 may be Microsoft® AD, LDAP, or software that holds identities or the authorization for one of the devices. Likewise, the actual types of devices in the intranet are not a limitation of the invention and are not specified here.
The terminal device 30 runs a management program 32, through which the user holding the terminal device 30 can connect to the device in the device network 20, either directly or through a device connection program installed on the terminal device 30, and manage it. In practice the terminal device 30 may be any type of device running Windows®, Linux®, Android®, iOS® or macOS®; it is not limited to mobile devices or personal computers and may even run an operating system, or be a device, not yet invented. Any network with an essentially decentralized architecture may serve as the decentralized network 10, provided it offers at least the following decentralized functions: issuing a decentralized identity (Decentralized ID, DID) on application, decentralized computation (for example the open-source distributed ledger IOTA) and decentralized storage (for example the InterPlanetary File System, IPFS). In practice the decentralized network 10 may be a part or a combination of decentralized networks such as a blockchain, a directed acyclic graph (DAG), the Raiden Network, the Lightning Network, the aforementioned open-source distributed ledger and IPFS, or even a decentralized network architecture not yet invented. In practical deployments the identity management system 40 may also be integrated with the management program 32, or the management of the digital identities by the identity management system 40 may be regarded as one of the functions of the management program 32.
In the network usage architecture 1 disclosed herein, the management program 32 of the terminal device 30 applies to the decentralized network 10 for a decentralized identity (DID), and the DID is bound to one of the digital identities managed by the management program 32, so that within the management program 32 the DID is treated as equivalent to the bound digital identity. This binding produces a binding information that can be stored on the decentralized network 10 for later use. The management program 32 may perform the binding using the functions of a program such as Windows AD, or through another channel that can confirm the user's identity, such as e-mail. The device that the digital identity may connect to and the specific account it may use are then authorized, producing an authorization information that is likewise stored on the decentralized network 10.
In addition, the DID is bound to an identity information of the terminal device 30. This identity information is generated by the terminal device 30 through an identity authentication action and corresponds to the real identity of the user holding the terminal device 30; in other words, by completing the identity authentication action and producing the identity information, the user's identity is confirmed on the terminal device 30. In practice the identity authentication action may be the user entering an account name and password, or may use other authentication information or biometric methods; if the authentication strength is insufficient, the management program 32 may reinforce it with a one-time password (OTP).
Once the identity information of the terminal device 30 has been bound to the DID, whenever the terminal device 30 later completes the identity authentication action its management program 32 can readily verify the identity, or authenticate to the decentralized network 10, to confirm that the user of the terminal device 30 is who they claim to be.
As noted above, the management program 32 of the terminal device 30 manages at least one digital identity permitted to connect to the device in the device network 20, each with the authentication information needed for authentication. To further raise the security of authentication, when a specific condition is met the management program 32 updates, according to a specific random-number rule, the authentication information held by one or more digital identities for the device in the device network 20, and stores the updated authentication information on the decentralized network 10. In practice the specific condition may be the elapse of a specific time period, or may be regarded as met each time the device is connected to with the specific account. When authentication is later required, the management program 32 retrieves the updated authentication information from the decentralized network 10, connects to the designated device in the device network 20, and can enter the authentication information on the user's behalf, thereby completing authentication and logging in to the device.
For future reference and record keeping, during the above connection to the device in the device network 20 the management program 32 of the terminal device 30 may capture a history record and store it on the decentralized network 10. The history record includes input data of the terminal device 30, including but not limited to keyboard input, clipboard contents and voice input; it may further include output data of the terminal device 30, including but not limited to screenshots, clipboard contents and voice output. In practice the history record may of course contain only one of the input data and the output data. When the history record needs to be consulted, the management program 32 of the terminal device 30 (or the management program 32 of another terminal device 30, under another digital identity that has passed identity authentication) can retrieve the history record from the decentralized network 10 and present it for the user to review or download, so that the user can learn how the device was connected to.
Referring now to FIG. 2, the invention is described as a method with multiple steps. The disclosed method of using the decentralized network 10 to connect to and manage the device in the device network 20 comprises the following steps:
1. Apply for the DID on the decentralized network 10. As shown in FIG. 3, in this step the management program 32 of the terminal device 30 submits an application to the decentralized network 10, which responds by providing the DID.
2. Bind the DID to one of the digital identities managed by the identity management system 40. As shown in FIG. 4, in this step the management program 32 of the terminal device 30 binds the DID to one of the digital identities. The resulting binding information may be stored on the decentralized network 10.
3. Through the management program 32 of the terminal device 30, retrieve the authentication information from the decentralized network 10 and bind the identity information held by the terminal device 30 to the DID; the device that the digital identity may connect to and the specific account it may use are now authorized, and the resulting authorization information is stored on the decentralized network 10. As shown in FIG. 5, in this step the management program 32 of the terminal device 30 retrieves the authentication information from the decentralized network 10, performs the authorization of the device and the specific account on the device network 20, and sends the authorization information to the decentralized network 10 for storage.
4. Retrieve the authorization information from the decentralized network 10 and use the authentication information to authenticate when connecting to the device. As shown in FIG. 6, the management program 32 of the terminal device 30 retrieves the authorization information from the decentralized network 10 and uses the authentication information to authenticate to the device in the device network 20.
5. After the specific time period has elapsed, or each time the device has been connected to with the specific account, the management program 32 of the terminal device 30 generates a new authentication information (such as a password) according to a specific random-number rule, replaces the authentication information the device uses to authenticate the specific account, and stores the updated authentication information on the decentralized network 10. As shown in FIG. 7, after changing the authentication information with the specific random-number rule, the management program 32 of the terminal device 30 stores it on the decentralized network 10.
6. The management program 32 of the terminal device 30 retrieves from the decentralized network 10 the authentication information needed for the authorized connection to the device in the device network 20 and uses it to authenticate when connecting to the device. In this step the management program 32 captures the history record of the terminal device 30 during the connection to the device in the device network 20 and stores the history record on the decentralized network 10. As shown in FIG. 8, in this step the management program 32 of the terminal device 30 captures the history record and then stores it on the decentralized network 10. The final step below then follows.
7. Retrieve the history record of the terminal device 30 from the decentralized network 10 for review or download. In practice this step may also be performed by another digital identity that has passed identity authentication. As shown in FIG. 9, in this step the management program 32 of the terminal device 30 retrieves the previously stored history record from the decentralized network 10 so that the user can review it or even save it elsewhere.
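The seven steps above, together with the random-number rule of step 5, the identity-information check that gates step 4, and the history record of step 6, as one runnable simulation. This is an added example, not the patent's own code or any product of the applicant. Everything in it is an assumption made here: the names DecentralizedStore, DeviceNetwork, random_password, seal, open_sealed, fetch_credential and run_flow, the DID prefix did:example:, the device router-01 and account admin, and the two session lines, which are constructed rather than captured. The decentralized network 10 is modelled as a content-addressed store keyed by each record's SHA-256, and the sealing of the credential is a toy hash-keystream XOR that stands in for real authenticated encryption to the terminal's key.

```python
"""Simulation of the seven-step flow above: added example, not the patent's code.
All names are invented.  The decentralized network is a content-addressed dict
keyed by each record's SHA-256; the device network is a password dict; sealing
is a toy hash-keystream XOR standing in for real authenticated encryption to the
terminal's key; the session lines are constructed, not captured."""
import hashlib
import hmac
import json
import secrets
import string


class DecentralizedStore:
    """Content-addressed, append-only store standing in for ledger/IPFS."""

    def __init__(self):
        self._blobs, self._latest = {}, {}  # id -> bytes; (kind, DID) -> newest id

    def put(self, record):
        data = json.dumps(record, sort_keys=True).encode()
        rid = hashlib.sha256(data).hexdigest()
        self._blobs[rid] = data
        self._latest[(record["kind"], record["subject"])] = rid
        return rid

    def get(self, kind, subject):
        rid = self._latest.get((kind, subject))
        return None if rid is None else json.loads(self._blobs[rid])


class DeviceNetwork:
    """Stand-in device network 20: device -> account -> current password."""

    def __init__(self):
        self.creds = {"router-01": {"admin": "factory-default"}}

    def authenticate(self, device, account, password):
        return hmac.compare_digest(self.creds[device].get(account, ""), password)


def random_password(length=24):
    """The 'specific random-number rule': a CSPRNG, never random.random()."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))


def seal(key, text):
    """A shared store is readable by every participant, so never store the clear credential."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(key + nonce).digest()
    data = text.encode()
    assert len(data) <= len(stream)  # keystream must cover the whole credential
    return nonce.hex() + ":" + bytes(a ^ b for a, b in zip(data, stream)).hex()


def open_sealed(key, blob):
    nonce_hex, ct_hex = blob.split(":")
    stream = hashlib.sha256(key + bytes.fromhex(nonce_hex)).digest()
    return bytes(a ^ b for a, b in zip(bytes.fromhex(ct_hex), stream)).decode()


def fetch_credential(store, did, identity_info, terminal_key):
    """Steps 4 and 6: only a terminal whose identity_info is bound to the DID may read."""
    bound = store.get("identity", did)
    if bound is None or not hmac.compare_digest(bound["identity_info"], identity_info):
        raise PermissionError("terminal identity is not bound to this DID")
    auth, cred = store.get("authorization", did), store.get("credential", did)
    return auth["device"], auth["account"], open_sealed(terminal_key, cred["sealed"])


def run_flow(store, devices, terminal_key, initial_password="factory-default"):
    # Step 1: apply for a DID (modelled as an identifier derived from a fresh secret).
    did = "did:example:" + hashlib.sha256(secrets.token_bytes(32)).hexdigest()[:16]
    # Step 2: bind the DID to the digital identity held by the identity management system.
    store.put({"kind": "binding", "subject": did, "digital_identity": "alice@corp.example"})
    # Step 3: the terminal has authenticated its user; bind the resulting identity_info
    # to the DID, authorize device/account, store the IdM-supplied credential sealed.
    identity_info = hashlib.sha256(terminal_key + b"alice").hexdigest()
    store.put({"kind": "identity", "subject": did, "identity_info": identity_info})
    store.put({"kind": "authorization", "subject": did, "device": "router-01", "account": "admin"})
    store.put({"kind": "credential", "subject": did, "sealed": seal(terminal_key, initial_password)})
    # Step 4: retrieve authorization and credential, authenticate to the device.
    device, account, pw = fetch_credential(store, did, identity_info, terminal_key)
    first_login = devices.authenticate(device, account, pw)
    # Step 5: condition "device connected to with this account" met: rotate and publish.
    new_pw = random_password()
    devices.creds[device][account] = new_pw
    store.put({"kind": "credential", "subject": did, "sealed": seal(terminal_key, new_pw)})
    # Step 6: next connection uses the rotated credential; the session is recorded.
    device, account, pw = fetch_credential(store, did, identity_info, terminal_key)
    second_login = devices.authenticate(device, account, pw)
    store.put({"kind": "history", "subject": did, "device": device, "account": account,
               "input": ["show running-config"], "output": ["hostname router-01"]})
    # Step 7: read the history record back for review.
    return {"did": did, "identity_info": identity_info, "first_login": first_login,
            "second_login": second_login, "history": store.get("history", did),
            "old_password_rejected": not devices.authenticate(device, account, initial_password)}
```

Two points the description leaves open are made explicit here. The "specific random-number rule" is a CSPRNG (Python's secrets module): a predictable generator would let anyone who has seen one rotated password guess the next. And because a decentralized store is by construction readable by every participant, the credential record is sealed to the terminal's key before it is written; in a real deployment the toy XOR keystream must be replaced by authenticated encryption and the records by DID-signed documents. The terminal's identity information is compared in constant time before the credential is released, which is what makes the binding between the DID and the terminal enforceable rather than decorative.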
It should be noted that before the third step the terminal device 30 must already have completed the identity authentication action and generated the identity information, so that the identity information can be bound to the DID in the third step. However, the identity authentication action need not occur immediately after the second step: the terminal device 30 may have completed it several steps earlier (even before the first step), or, conversely, may prompt the user to perform it only at the moment the third step is about to be executed. None of these cases affects the binding of the identity information to the DID.
It will be understood that all the actions performed by the management program 32 of the terminal device 30 may also be shared among more than one system or program; a single program need not be responsible for all of the work. Moreover, besides running on a single device (the terminal device 30) as described, the management program 32 may in other embodiments be distributed across several devices that cooperate to provide the functions described. And although the management program 32 belongs to the terminal device 30 in this description, logically it could be installed outside the terminal device 30, be an independently operating system, or be implemented in hardware or firmware.
Furthermore, the forms of input and output data in the history record kept by the management program 32 are not limited to those exemplified above; operation traces left by input and output devices that already exist (but are not explicitly mentioned here) or that do not yet exist should all be regarded as falling within the scope of the input data or the output data.
From the above description it can be seen that the invention stores and reads the authentication information on the decentralized network 10, avoiding the weakness of centralized architectures, which are readily breached by attackers; in addition, the authentication information needed to connect to the device in the device network 20 is randomized, and the identity information of the terminal device 30 is bound to the DID, further raising the difficulty of intrusion. The invention therefore offers significant improvements in security, availability and convenience.
The above embodiments merely illustrate the technology of the present invention and its effects and are not intended to limit it. Anyone skilled in the art may modify and vary the above embodiments without departing from the technical principles and spirit of the invention; the scope of protection of the invention is therefore as set out in the claims that follow.
Claims (19)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW109144485A TWI773025B (en) | 2020-12-16 | 2020-12-16 | Processes and method for safe of use, monitoring and management of device accounts in terminal manner |
Publications (2)
Publication Number | Publication Date |
---|---|
TW202226011A TW202226011A (en) | 2022-07-01 |
TWI773025B true TWI773025B (en) | 2022-08-01 |
Family
ID=83437055
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW109144485A TWI773025B (en) | 2020-12-16 | 2020-12-16 | Processes and method for safe of use, monitoring and management of device accounts in terminal manner |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI773025B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109005186A (en) * | 2018-08-20 | 2018-12-14 | 杭州复杂美科技有限公司 | A kind of method, system, equipment and the storage medium of user-isolated identity information |
CN111064749A (en) * | 2019-12-30 | 2020-04-24 | 中国联合网络通信集团有限公司 | Network connection method, device and storage medium |
US20200213134A1 (en) * | 2019-06-26 | 2020-07-02 | Alibaba Group Holding Limited | Confidential blockchain transactions |
US20200336481A1 (en) * | 2019-04-19 | 2020-10-22 | Ricoh Company, Ltd. | Device authentication method, service access control method, device, and non-transitory computer-readable recording medium |
CN111884805A (en) * | 2020-06-24 | 2020-11-03 | 易联众信息技术股份有限公司 | Data hosting method and system based on block chain and distributed identity |
CN111914230A (en) * | 2020-07-17 | 2020-11-10 | 中国联合网络通信集团有限公司 | Block chain-based identity authentication method, system, terminal device and storage medium |
Legal events
- 2020-12-16: TW application TW109144485A, patent TWI773025B (status: active)
Also Published As
Publication number | Publication date |
---|---|
TW202226011A (en) | 2022-07-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11223614B2 (en) | Single sign on with multiple authentication factors | |
CN107172054B (en) | Authority authentication method, device and system based on CAS | |
US12074885B2 (en) | Dynamically-tiered authentication | |
US20140281539A1 (en) | Secure Mobile Framework With Operating System Integrity Checking | |
JP2017510013A (en) | Techniques for providing network security with just-in-time provisioned accounts | |
US11757882B2 (en) | Conditionally-deferred authentication steps for tiered authentication | |
US10397214B2 (en) | Collaborative sign-on | |
US11855993B2 (en) | Data shield system with multi-factor authentication | |
US10652244B2 (en) | Cross-site request forgery (CSRF) prevention | |
JP2020109645A (en) | System and method for changing password of account record under threat of illegal access to user data | |
Haber et al. | Indicators of compromise | |
US20230262061A1 (en) | Secure resource access by amalgamated identities and distributed ledger | |
TWI773025B (en) | Processes and method for safe of use, monitoring and management of device accounts in terminal manner | |
US11405379B1 (en) | Multi-factor message-based authentication for network resources | |
KR101545897B1 (en) | A server access control system by periodic authentification of the smart card | |
CN114640490B (en) | Method and system for realizing equipment account use safety, monitoring and management termination | |
US11533306B2 (en) | Processes and method for safe of use, monitoring and management of device accounts in terminal manner | |
US20150058621A1 (en) | Proof of possession for web browser cookie based security tokens | |
US20240259371A1 (en) | Techniques for dynamically adjusting authenticator assurance levels | |
US20240179184A1 (en) | Enhanced authorization layers for native access to secure network resources | |
US20240179143A1 (en) | Native agentless efficient queries | |
US20240179141A1 (en) | Agentless single sign-on for native access to secure network resources | |
US20240179148A1 (en) | Agentless in-memory caching for native network resource connections | |
US20230198767A1 (en) | Distribution of one-time passwords for multi-factor authentication via blockchain |