TWI828001B - System for using multiple security levels to verify customer identity and transaction services and method thereof - Google Patents

Publication number
TWI828001B
Authority
TW
Taiwan
Prior art keywords
client
transaction
platform
data
verification
Prior art date
Application number
TW110142078A
Other languages
Chinese (zh)
Other versions
TW202319998A (en
Inventor
翁仲和
Original Assignee
翁仲和
Application filed by 翁仲和 filed Critical 翁仲和
Priority to TW110142078A priority Critical patent/TWI828001B/en
Publication of TW202319998A publication Critical patent/TW202319998A/en
Application granted granted Critical
Publication of TWI828001B publication Critical patent/TWI828001B/en

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A system for using multiple security levels to verify customer identity and transaction services, and a method thereof, are provided. A client uses the Fast IDentity Online framework to log in to a financial institution with biometrics; when the client requests a transaction service from the financial institution, a security verification method corresponding to the risk level of that transaction service is chosen to verify the customer's identity; and related nodes publish to a blockchain evidence data that can verify both the transaction data of the transaction service and the verification data generated during the customer's identity verification. The system and the method can thereby establish verification procedures and standards that allow financial institutions to trust each other, and can achieve the effect of increasing the complexity and cost of crime, reducing the resources wasted by financial institutions, and balancing the security and convenience of transactions.

Description

System and method for verifying customer identity and transaction services using multiple security levels

An identity and transaction verification system and method thereof, and in particular a system and method that use multiple security levels to verify customer identity and transaction services.

The Common Criteria for Information Technology Security Evaluation (CC, ISO/IEC 15408) is an information security product certification framework that has existed for more than twenty years. It is divided into seven security evaluation levels: levels 1 to 4 evaluate the security of general products or systems, while level 5 and above are the standard for evaluating products designed for national security or military equipment. Under such a clear, unified and common standard, IT products produced by countries that adopt the CC standard can gain the trust of governments, enterprises and the general public on a large scale. The security of the various systems designed with these products can be quantified or, conversely, suitable IT products can be selected according to the security strength a system requires.

Turning to the domestic financial industry, full digitalization has become the prevailing trend, yet standards for digital financial risk control and information security are lacking. Take the insurance industry as an example: every insurance company handles its verification workflows for underwriting, claims settlement and policy servicing in accordance with regulations, but the regulations are only a guiding framework and do not specify processes or standards. As a result, each insurance company's process is usually different and the verification standards vary. Financial institutions therefore cannot trust one another, that is, they cannot rely on the verification results of other financial institutions, so every financial institution has to perform the same verification process, which wastes resources.

In summary, the prior art has long suffered from the problem that domestic financial institutions have no verification process and standard on which they can trust one another. It is therefore necessary to propose improved technical means to solve this problem.

In view of the problem in the prior art that domestic financial institutions have no verification process and standard on which they can trust one another, the present invention discloses a system and method for verifying customer identity and transaction services using multiple security levels, wherein:

The system disclosed by the present invention for verifying customer identity and transaction services using multiple security levels comprises at least: a client, in which a trusted module is installed, the trusted module storing transaction verification data; a financial institution end, which lets the client log in with biometrics using the Fast IDentity Online (FIDO) framework and, when the client requests a transaction service, determines whether the transaction service falls within the basic transaction level and generates an identity verification request when it does; a platform end, which receives the identity verification request sent by the financial institution end and requires the client to perform identity verification, so that the client encrypts the transaction verification data to generate encrypted transaction data and sends the encrypted transaction data to the platform end, and which decrypts the encrypted transaction data to obtain identity check data and, after confirming that the identity check data matches the transaction verification data, generates first evidence data from the identity verification request and the encrypted transaction data, publishes the first evidence data to a blockchain, and sends an identity verification result to the financial institution end, so that the financial institution end generates transaction data corresponding to the requested transaction service when the identity verification result indicates that verification passed; a public trust unit end, which receives the transaction data that the financial institution end sends when it determines that the transaction service is at the actual transaction level, signs the transaction data to generate a public trust signature, and sends the public trust signature to the platform end; and an authentication end, which receives the public trust signature sent by the platform end, generates second evidence data from the public trust signature, and publishes the second evidence data to the blockchain.

The method disclosed by the present invention for verifying customer identity and transaction services using multiple security levels comprises at least the following steps: a client uses the Fast IDentity Online framework to log in to a financial institution end with biometrics; when the client requests a transaction service and the financial institution end determines that the transaction service is at the basic transaction level, the financial institution end sends an identity verification request to a platform end, so that the platform end requires the client to perform identity verification; the client encrypts transaction verification data to generate encrypted transaction data and sends the encrypted transaction data to the platform end; the platform end decrypts the encrypted transaction data to obtain identity check data and, after confirming that the identity check data matches the transaction verification data, sends an identity verification result to the financial institution end; the platform end generates first evidence data from the identity verification request and the encrypted transaction data and publishes the first evidence data to a blockchain; the financial institution end generates transaction data corresponding to the transaction service when the identity verification result indicates that verification passed; the financial institution end sends the transaction data to a public trust unit end when it determines that the transaction service is at the actual transaction level; the public trust unit end signs the transaction data to generate a public trust signature and sends the public trust signature to the platform end; and the platform end sends the public trust signature to an authentication end, which generates second evidence data from the public trust signature and publishes the second evidence data to the blockchain.

The system and method disclosed by the present invention are as described above. They differ from the prior art in that, after the client uses the Fast IDentity Online framework to log in to the financial institution end with biometrics, the financial institution end, when the client requests a transaction service, selects the security verification method corresponding to the risk level of the requested transaction service to verify the customer's identity, and evidence data that can verify both the verification data generated during the verification process and the transaction data of the requested transaction service is published to the blockchain. This solves the problem of the prior art and achieves the technical effects of increasing the complexity and cost of crime, reducing the resources wasted by financial institutions, and balancing transaction security and convenience.

The features and implementations of the present invention are described in detail below with reference to the drawings and embodiments. The description is sufficient for any person skilled in the relevant art to readily and fully understand the technical means the present invention applies to solve the technical problem and to implement them accordingly, thereby realizing the effects the present invention can achieve.

The present invention allows the financial institution end to use different security verification technologies, through the platform end, according to the different risk levels of the transaction services the client requests. The transaction services include financial services that do not involve money, financial transactions involving small amounts of money, financial transactions involving large amounts of money, and so on.

The operation of the system is first explained with reference to "Figure 1", the architecture diagram of the system of the present invention for verifying customer identity and transaction services using multiple security levels. As shown in "Figure 1", the system of the present invention includes a client 110, a financial institution end 130, a platform end 150, a public trust unit end 160, an authentication end 170, and an optional service end 120. The client 110, the service end 120, the financial institution end 130, the platform end 150, the public trust unit end 160 and the authentication end 170 can be computing devices. The client 110 and the financial institution end 130/platform end 150, the service end 120 and the financial institution end 130/platform end 150, the financial institution end 130 and the platform end 150/public trust unit end 160, and the platform end 150 and the public trust unit end 160 can be connected by wired or wireless communication in order to exchange data or signals.

A trusted module is installed in the client 110. The trusted module is a physical component that can store data, such as a SIM card, a sensor chip or an expansion card; the sensor chip can be attached to a SIM card, and the expansion card can hold a SIM card nested inside it. The client 110 can apply to the platform end 150 or the financial institution end 130 for a trusted module and can install the trusted module after it has been activated. In some embodiments, the trusted module can be bound to the device identification data of the client 110. Note that the trusted module only supports writing data or reading data, so as to prevent the data from being tampered with.

The client 110 can register with the platform end 150 using real-name verification, can receive the login verification data and transaction verification data sent by the platform end 150 after registration is complete, and can use the trusted module to store the received login verification data and transaction verification data. Real-name verification includes but is not limited to mobile identification (Mobile ID, MID) or digital identification (eID).

The client 110 can also receive customer authentication data sent by the platform end 150 and store it. Generally, the client 110 can use the trusted module to store the customer authentication data.

The client 110 can also register on the blockchain 190 through a Decentralized Identity (DID) registry service to obtain decentralized identifier data corresponding to the blockchain 190.

The client 110 is also responsible for logging in to the financial institution end 130 with biometrics and for requesting transaction services from the financial institution end 130. For example, the client 110 can use the Fast IDentity Online (FIDO) framework to log in to the financial institution end 130 with biometrics. In more detail, when logging in to the financial institution end 130, the client 110 can verify the user's biometric features; after the user's biometric features pass recognition, it can read the login verification data and the institution login data from the trusted module and send both to the platform end 150, so that the institution login data is forwarded to the financial institution end 130 through the platform end 150. The biometric features referred to in the present invention include fingerprint features, facial features, iris features and so on, but the present invention is not limited to these. The institution login data is data that the user of the client 110 has registered in advance with the financial institution end 130, including but not limited to an account and password.

After performing biometric recognition on the user, the client 110 can also read the login verification data from the trusted module, encrypt it to generate corresponding encrypted login data, and send the encrypted login data to the platform end 150. When the client 110 receives an identity verification requirement from the platform end 150, it is also responsible for reading the transaction verification data from the trusted module, encrypting it to generate encrypted transaction data, and sending the encrypted transaction data to the platform end 150; in some embodiments, the client 110 can also ask the platform end 150 to issue a Verifiable Credential (VC) when it sends the encrypted transaction data. When the client 110 receives a module verification request from the platform end 150, it can also read trusted security data from the trusted module, encrypt it to generate encrypted module data, and send the encrypted module data to the platform end 150. The trusted security data is all of the data, part of the data, or specific data stored in the trusted module.

The client 110 can encrypt the data to be encrypted (such as the login verification data, transaction verification data or trusted security data) with a private key to generate the corresponding encryption result data (such as the encrypted login data, encrypted transaction data or encrypted module data). It can also encrypt the data to be encrypted with a Time-based One-Time Password (TOTP) received from the platform end 150 to generate the encryption result data, or it can first encrypt the data with the private key to produce an intermediate ciphertext and then encrypt the intermediate ciphertext with the time-based one-time password to generate the encryption result data. The ways in which the client 110 generates the encrypted login data/encrypted transaction data/encrypted module data from the login verification data/transaction verification data/trusted security data are not limited to the above. The client 110 can use AES, RSA or other similar symmetric or asymmetric algorithms to encrypt the data to be encrypted.

The service end 120 allows the device identification data of the client 110 to be entered, so that the platform end 150 or the financial institution end 130 activates the trusted module for which the client 110 applied. Generally, the service end 120 can transmit the device identification data over a wired or wireless network to the platform end 150 or the financial institution end 130 to which the client 110 applied for the trusted module. The device identification data of the client 110 is data that can identify the client 110, including but not limited to the product serial number or device body number of the client 110.

When the client 110 completes registration through real-name verification, the financial institution end 130 can generate login verification data and transaction verification data corresponding to the client 110 and send them to the client 110. Generally, the financial institution end 130 can generate the login verification data/transaction verification data randomly, but the present invention is not limited to this; for example, the data can also be produced by applying an operation such as hashing or bit rearrangement to the current time. The login verification data/transaction verification data can consist of a certain number of characters, letters, digits and symbols in any arrangement.

The financial institution end 130 can also authenticate the personal data of the user of the client 110.

The financial institution end 130 is responsible for letting the client 110 log in with biometrics, for example using the FIDO framework. When it requires the client 110 to log in, the financial institution end 130 can generate a login verification request and send it to the platform end 150. It can also receive the institution login data forwarded by the platform end 150 and check it; when the institution login data passes the check, the client 110 is allowed to log in to the financial institution end 130. The financial institution end 130 can check the institution login data registered by the client 110 in a conventional manner, which is therefore not described further.

The financial institution end 130 is also responsible for determining, when it receives a transaction service requested by the client 110, the risk level to which that transaction service belongs. In the present invention, the risk levels can include a basic transaction level and an actual transaction level; in some embodiments, they can also include a regulatory transaction level, but the risk levels of the present invention are not limited to these. The basic transaction level can include all transaction services, that is, both transaction services such as queries or settings that involve no money and all transaction services that involve money; the actual transaction level can include all transaction services that involve money; the regulatory transaction level can cover transaction services that involve large sums of money (an amount greater than a threshold value). The basic, actual and regulatory transaction levels are, however, not limited to these definitions. Note that one transaction service can belong to several risk levels at once. When the financial institution end 130 determines that a transaction service belongs to a risk level of wider scope, it can go on to determine whether the service also belongs to a risk level of narrower scope. For example, when the transaction service belongs to the basic transaction level, the financial institution end 130 can determine whether it also belongs to the actual transaction level, and when it belongs to the actual transaction level, the financial institution end 130 can determine whether it also belongs to the regulatory transaction level.

When the financial institution end 130 determines that the received transaction service is at the basic transaction level, it is also responsible for generating an identity verification request and sending it to the platform end 150, and for receiving the identity verification result generated by the platform end 150. When it determines that the content of the identity verification result indicates that the user of the client 110 passed verification, it generates transaction data corresponding to the requested transaction service to complete the transaction. In some embodiments, the identity verification request can include a request to obtain a verifiable credential, related to the financial institution end 130, issued against the decentralized identifier data of the user of the client 110, and the identity verification result can be the verifiable credential issued by the platform end 150. In that case the financial institution end 130 may not receive an identity verification result from the platform end 150. Instead, it can use the decentralized identifier data of the user of the client 110 to obtain the corresponding verifiable credential from the blockchain 190, and can verify the credential by checking the signature it contains with the public key of the platform end 150 (and confirming its validity and expiry time). Once the verifiable credential passes verification and confirms the identity of the user of the client 110, the financial institution end 130 can determine that the identity verification result indicates that verification passed.

The financial institution end 130 is also responsible for determining whether the received transaction service is at the actual transaction level; if so, it can send the generated transaction data to the public trust unit end 160. The financial institution end 130 can also determine whether the transaction service is at the regulatory transaction level; if so, it can generate a module verification request and send it to the platform end 150. If the transaction service belongs to neither the actual transaction level nor the regulatory transaction level, the financial institution end 130 can provide the transaction service and then end execution.
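The nested risk-level decision described above for the financial institution end 130, as an added Python example that is not part of the patent text. The threshold value, class names and control descriptions are assumptions made for illustration; the page only states that the regulatory level applies to an amount greater than a threshold.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import IntEnum
from typing import Optional


class RiskLevel(IntEnum):
    BASIC = 1        # every transaction service, including queries and settings
    ACTUAL = 2       # transaction services that involve money
    REGULATORY = 3   # transaction services whose amount exceeds the threshold


# Assumed value: the page does not give the threshold.
REGULATORY_THRESHOLD = Decimal("500000")

# What each level adds, following the description of the financial institution end 130.
CONTROLS = {
    RiskLevel.BASIC: "identity verification request -> platform end 150",
    RiskLevel.ACTUAL: "transaction data -> public trust unit end 160 for signing",
    RiskLevel.REGULATORY: "module verification request -> platform end 150",
}


@dataclass(frozen=True)
class TransactionService:
    name: str
    amount: Optional[Decimal] = None   # None means the service involves no money


def risk_levels(service, threshold=REGULATORY_THRESHOLD):
    """Return every risk level the service belongs to, widest scope first."""
    amount = service.amount
    # Reject malformed amounts instead of silently treating them as low risk.
    if amount is not None and (not amount.is_finite() or amount <= 0):
        raise ValueError("amount must be a positive, finite number")
    levels = [RiskLevel.BASIC]             # the basic level covers all services
    if amount is not None:                 # narrower level checked only after the wider one
        levels.append(RiskLevel.ACTUAL)
        if amount > threshold:             # strictly greater than the threshold
            levels.append(RiskLevel.REGULATORY)
    return levels


def required_controls(service, threshold=REGULATORY_THRESHOLD):
    """Controls accumulate: a regulatory-level service also gets the lower-level ones."""
    return [CONTROLS[level] for level in risk_levels(service, threshold)]


if __name__ == "__main__":
    # Constructed sample requests.
    for svc in (TransactionService("balance query"),
                TransactionService("transfer", Decimal("1200")),
                TransactionService("transfer", Decimal("800000"))):
        print(svc.name, svc.amount, required_controls(svc))
```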

The financial institution end 130 can also receive a declaration form sent by the platform end 150, generate first declaration data according to the received declaration form, and send the generated first declaration data to the platform end 150.

The platform end 150 is responsible for receiving the identity verification request sent by the financial institution end 130 and, according to that request, requiring the client 110 to perform identity verification. The platform end 150 can also receive a module verification request sent by the financial institution end 130 and, according to that request, require the client 110 to verify the trusted module. The platform end 150 can also receive a login verification request sent by the financial institution end 130 and, according to that request, require the client 110 to provide the login verification data.

The platform end 150 can also receive the login verification data and institution login data sent by the client 110 and verify the login verification data, that is, compare whether the received login verification data is the same as the stored login verification data. If it is, the login verification data passes verification; if not, it does not. When the login verification data passes verification, the platform end 150 can also forward the received institution login data to the financial institution end 130.

The platform end 150 is also responsible for receiving the encrypted transaction data sent by the client 110 and decrypting it to obtain the identity check data. The platform end 150 can also receive the encrypted module data sent by the client 110 and decrypt it to obtain module check data, and can receive the encrypted login data sent by the client 110 and decrypt it to obtain login check data. The way the platform end 150 decrypts the encryption result data (such as the encrypted login data, encrypted transaction data or encrypted module data) depends on how that data was encrypted. For example, when the encryption result data was produced by the client 110 encrypting with its private key, the platform end 150 can decrypt it with the public key of the client 110 to produce the decrypted data (such as the login check data, identity check data or module check data). When the encryption result data was produced by the client 110 encrypting with the time-based one-time password generated by the platform end 150, the platform end 150 can decrypt it with that one-time password to recover the original data. When the encryption result data was produced by the client 110 encrypting first with the private key and then with the one-time password, the platform end 150 can first decrypt it with the one-time password to obtain the intermediate ciphertext and then decrypt the intermediate ciphertext with the public key of the client 110 to recover the original data. The ways in which the client 110 decrypts the encrypted login data/encrypted transaction data/encrypted module data to obtain the login check data/identity check data/module check data are not limited to the above.

The platform end 150 is also responsible for confirming whether the identity check data obtained by decrypting the transaction encrypted data matches the pre-stored transaction verification data of the client 110, and may generate an identity verification result corresponding to the outcome of that confirmation. When the identity check data does not match the transaction verification data, the platform end 150 may transmit the identity verification result to the client 110 and/or the financial institution end 130. When the identity check data matches the transaction verification data, the platform end 150 is responsible for transmitting the generated identity verification result to the financial institution end 130, for generating first evidence data from the identity verification request and the transaction encrypted data, and for publishing a block containing the generated first evidence data to the blockchain 190. In general, the platform end 150 may first perform a specific operation on the identity verification request and the transaction encrypted data to generate the first evidence data and then generate a block containing the first evidence data, but the present invention is not limited to this; for example, the platform end 150 may also generate first evidence data that contains the identity verification request and the transaction encrypted data themselves. The specific operation includes, but is not limited to, a hash operation.

The platform end 150 may also receive a claim issuance request transmitted by the client 110. When it confirms that the obtained identity check data matches the pre-stored transaction verification data, it may read out the corresponding user data according to the received issuance request, generate a disclosure message from all or part of the user data, sign the disclosure message with the private key of the platform end 150 to produce a verifiable claim, and publish the issued verifiable claim to the blockchain 190. The disclosure message may be all or part of the user data read out by the client 110, but the present invention is not limited to this; the disclosure message may also be user data that has been organized. The verifiable claim corresponds to the decentralized digital identity data of the user of the client 110 and also corresponds to the received claim issuance request.

The platform end 150 may also compare whether the module check data produced by decrypting the module encrypted data matches the pre-stored trusted security data. If it does not match, the platform end 150 may generate a notification message indicating that the transaction is terminated and transmit it to the financial institution end 130. If the module check data matches the trusted security data, the platform end 150 may generate or read a declaration form and transmit it to the financial institution end 130. The platform end 150 may also receive first declaration data transmitted by the financial institution end 130, generate second declaration data containing the first declaration data, and transmit the second declaration data to a regulatory end (not shown in the figures) for retention.

The platform end 150 may also generate third evidence data from the received module verification request, the module encrypted data, and the generated second declaration data, and may publish the generated third evidence data to the blockchain 190. The way the present invention generates the third evidence data is not limited to the above; for example, the platform end 150 may generate third evidence data that contains the module verification request, the module encrypted data, and the second declaration data.

The platform end 150 may also compare whether the login check data produced by decrypting the login encrypted data matches the login verification data that was generated and stored when the client 110 completed registration. If it does not match, the platform end 150 may generate a corresponding notification message and transmit it to the client 110. If the login check data matches the login verification data, the platform end 150 may carry out a data collection operation; for example, the platform end 150 may obtain personal data certified by the financial institution end 130, perform a specific operation on the obtained personal data to generate corresponding customer authentication data, and transmit the generated customer authentication data to the client 110. The specific operation includes, but is not limited to, a hash operation such as MD5 or an encoding operation such as base64.

The platform end 150 is also responsible for receiving the public trust signature transmitted by the public trust unit end 160 and for transmitting the received public trust signature to the authentication end 170.

The public trust unit end 160 is responsible for receiving the transaction data transmitted by the financial institution end 130, signing the received transaction data to produce a public trust signature, and transmitting the produced public trust signature to the platform end 150.

The authentication end 170 is responsible for receiving the public trust signature transmitted by the platform end 150 and may store the received public trust signature. The authentication end 170 is also responsible for generating second evidence data from the public trust signature, or may generate second evidence data that contains the public trust signature, and may publish the generated second evidence data to the blockchain 190.

An embodiment is now used to explain the operation of the system and method of the present invention. Refer to FIG. 2A, a flowchart of the method of the present invention for using multiple security levels to verify customer identity and transaction services. In this embodiment, it is assumed that the client 110 may be a mobile phone or a computer, but the present invention is not limited to this.

After the user operates the client 110 to connect to the financial institution end 130, the user may operate the client 110 to log in to the financial institution end 130 with biometrics (step 210). In this embodiment, it is assumed that the client 110 may log in to the financial institution end 130 using the FIDO framework. Further, as shown in the flow of FIG. 2B, when the client 110 connects to the financial institution end 130, the financial institution end 130 may require the client 110 to log in and may transmit a login verification request to the platform end 150, so that the platform end 150 asks the client 110 to provide login verification data (step 211). After receiving the request from the platform end 150 to provide login verification data, the client 110 may ask the user to perform biometric recognition using a biometric such as a fingerprint, face, or iris. After obtaining the user's biometric and determining that it passes biometric recognition, the client 110 may read the pre-stored login verification data and the institution login data for the financial institution end 130 from the trusted module and transmit them to the platform end 150 (step 215). After the platform end 150 receives the login verification data and the institution login data transmitted by the client 110, it may verify the received login verification data. If the login verification data passes verification by the platform end 150, the platform end 150 may, after determining that the login verification data passes verification, transmit the received institution login data to the financial institution end 130, so that the financial institution end 130 allows the client 110 to log in (step 219).

Returning to FIG. 2A, after the client 110 logs in to the financial institution end 130 with biometrics using the FIDO framework (step 210), the client 110 may request a transaction service from the financial institution end 130, that is, send a transaction service request to the financial institution end 130. On receiving the transaction service request sent by the client 110, the financial institution end 130 may determine the risk level of the requested transaction service. When the risk level of the requested transaction service belongs to the basic transaction level, that is, when the requested transaction service is at the basic transaction level, the financial institution end 130 may generate an identity verification request and transmit it to the platform end 150, so that the platform end 150 requires the client 110 to perform identity verification (step 220). In this embodiment, it is assumed that all transaction services are at the basic transaction level.

When the client 110 receives the identity verification requirement transmitted by the platform end 150, the client 110 may read the transaction verification data from the trusted module, encrypt the read transaction verification data to produce transaction encrypted data, and transmit the produced transaction encrypted data to the platform end 150 (step 231). In this embodiment, it is assumed that the client 110 and the platform end 150 have agreed in advance to encrypt the transaction verification data first with the private key of the client 110 and then with a time-based one-time password generated by the platform end 150 to produce the transaction encrypted data. For example, the client 110 may first encrypt the transaction verification data with the private key using the RSA algorithm to produce an intermediate ciphertext, and then encrypt the intermediate ciphertext with the one-time password obtained by synchronizing with the platform end 150 at a predetermined interval (such as 60 seconds) to produce the transaction encrypted data. At the same time, the client 110 may also generate a claim issuance request and transmit it to the platform end 150 together with the confidential encrypted data.

After the platform end 150 receives the transaction encrypted data transmitted by the client 110, it may decrypt the received transaction encrypted data to obtain identity check data, confirm whether the obtained identity check data matches the transaction verification data previously issued to the client 110 so as to generate an identity verification result, and transmit the generated identity verification result to the financial institution end 130 (step 235). In this embodiment, it is assumed that the platform end 150 may first decrypt the transaction encrypted data with the most recently generated time-based one-time password to produce the intermediate ciphertext, and then decrypt the intermediate ciphertext with the public key of the client 110 to obtain the identity check data. The platform end 150 may then read out the transaction verification data of the client 110 and compare whether the obtained identity check data matches the read transaction verification data. When the two match, the platform end 150 may generate an identity verification result indicating that verification passed; when the two do not match, the platform end 150 may generate an identity verification result indicating that verification failed. In addition, when the identity check data matches the transaction verification data, the platform end 150 may also, according to the received claim issuance request transmitted by the client 110, generate a verifiable claim corresponding to the decentralized digital identity data of the user of the client, and may publish the issued verifiable claim to the blockchain 190.

Likewise, after the platform end 150 receives the transaction encrypted data transmitted by the client 110, it may generate first evidence data from the identity verification request received from the financial institution end 130 and the transaction encrypted data received from the client 110, and may publish the generated first evidence data to the blockchain 190 (step 240), thereby preserving the data as evidence through the blockchain 190. In this embodiment, it is assumed that the platform end 150 may perform a hash operation on the identity verification request and the transaction encrypted data to generate the first evidence data.
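As an added illustration of step 240 (not part of the patent text), the Python below derives first evidence data by hashing the identity verification request together with the transaction encrypted data, publishes it, and lets an auditor re-derive and check it later. SHA-256, the length-prefixed framing, the `DOMAIN_TAG` label, the `Ledger` class standing in for the blockchain 190, and all sample values are assumptions made for this example.

```python
import hashlib
import hmac
import json

DOMAIN_TAG = b"first-evidence-v1"  # hypothetical domain-separation label (assumption)

# Constructed sample inputs, not taken from the patent.
SAMPLE_REQUEST = b'{"type":"identity_verification","session":"constructed-0001"}'
SAMPLE_CIPHERTEXT = bytes.fromhex("a1b2c3d4e5f60718")


def _frame(field: bytes) -> bytes:
    """Prefix a field with its 4-byte length so field boundaries stay unambiguous."""
    return len(field).to_bytes(4, "big") + field


def make_evidence(identity_request: bytes, transaction_ciphertext: bytes) -> str:
    """Hash the request and the ciphertext as two distinct, framed fields."""
    digest = hashlib.sha256()
    for part in (DOMAIN_TAG, identity_request, transaction_ciphertext):
        digest.update(_frame(part))
    return digest.hexdigest()


def naive_evidence(identity_request: bytes, transaction_ciphertext: bytes) -> str:
    """Plain concatenation, kept for contrast: different field splits can collide."""
    return hashlib.sha256(identity_request + transaction_ciphertext).hexdigest()


class Ledger:
    """Minimal hash-chained log standing in for blockchain 190 (no consensus, no network)."""

    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _block_hash(index: int, prev_hash: str, evidence: str) -> str:
        body = json.dumps({"index": index, "prev": prev_hash, "evidence": evidence},
                          sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def publish(self, evidence: str) -> int:
        """Append a block that carries the evidence and links to the previous block."""
        index = len(self.blocks)
        prev_hash = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        self.blocks.append({"index": index, "prev": prev_hash, "evidence": evidence,
                            "hash": self._block_hash(index, prev_hash, evidence)})
        return index

    def chain_is_intact(self) -> bool:
        """Recompute every block hash and link; any edited block breaks the chain."""
        prev_hash = self.GENESIS
        for i, block in enumerate(self.blocks):
            expected = self._block_hash(i, prev_hash, block["evidence"])
            if block["index"] != i or block["prev"] != prev_hash or block["hash"] != expected:
                return False
            prev_hash = block["hash"]
        return True


def audit(ledger: Ledger, index: int, identity_request: bytes,
          transaction_ciphertext: bytes) -> bool:
    """Re-derive the evidence from retained records and compare with the published block."""
    if not ledger.chain_is_intact() or not 0 <= index < len(ledger.blocks):
        return False
    recomputed = make_evidence(identity_request, transaction_ciphertext)
    return hmac.compare_digest(recomputed, ledger.blocks[index]["evidence"])


if __name__ == "__main__":
    ledger = Ledger()
    block_index = ledger.publish(make_evidence(SAMPLE_REQUEST, SAMPLE_CIPHERTEXT))
    print("audit of original records:", audit(ledger, block_index, SAMPLE_REQUEST, SAMPLE_CIPHERTEXT))
    print("audit of altered ciphertext:", audit(ledger, block_index, SAMPLE_REQUEST, SAMPLE_CIPHERTEXT + b"\x00"))
```

Because only the digest is published, the audit works only if the original request and ciphertext are retained off-chain; the framing ensures that moving bytes between the two fields yields a different digest.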

After the financial institution end 130 receives the identity verification result generated by the platform end 150, it may determine whether the received identity verification result indicates that verification passed. If not, the financial institution end 130 may reject the transaction service requested by the client 110; if the identity verification result indicates that verification passed, the financial institution end 130 may generate transaction data corresponding to the transaction service requested by the client 110 (step 250). The financial institution end 130 may determine whether the identity verification result indicates a pass directly from the identity verification result transmitted by the platform end 150. Alternatively, it may obtain the verifiable claim (the identity verification result) from the blockchain 190 according to the decentralized digital identity data of the user of the client 110, verify the signature in the obtained verifiable claim using the public key of the platform end 150, and confirm its validity and expiry time, thereby verifying the obtained verifiable claim. Once the verifiable claim passes verification by the financial institution end 130 and the claim confirms the identity of the user of the client 110, the financial institution end 130 may determine that the identity verification result indicates that verification passed.

Next, the financial institution end 130 may determine whether the transaction service requested by the client 110 is at the actual transaction level, that is, whether the risk level of the transaction service belongs to the actual transaction level. If not, the financial institution end 130 may execute the requested transaction service, such as a data query. If the transaction service requested by the client 110 is at the actual transaction level, that is, its risk level belongs to the actual transaction level, the financial institution end 130 may transmit the generated transaction data to the public trust unit end 160 (step 261). In this embodiment, it is assumed that the actual transaction level covers transaction services involving monetary transactions, and that the transaction data contains data about the goods involved in the monetary transaction.

After the public trust unit end 160 receives the transaction data transmitted by the financial institution end 130, the public trust unit end 160 may sign the transaction data to produce a public trust signature and transmit the produced public trust signature to the platform end 150 (step 263).

After the platform end 150 receives the public trust signature transmitted by the public trust unit end 160, it may transmit the received public trust signature to the client 110 and may also transmit it to the authentication end 170. After receiving the public trust signature transmitted by the platform end 150, the client 110 may store it in the trusted module. After receiving the public trust signature transmitted by the platform end 150, the authentication end 170 may generate second evidence data from the received public trust signature and publish the generated second evidence data to the blockchain 190 (step 265), thereby preserving the data as evidence through the blockchain 190. In this embodiment, it is assumed that the authentication end 170 may perform a hash operation on the public trust signature to generate the second evidence data.

In this way, with the present invention, the financial institution end 130 can select the security verification mechanism to be executed according to the risk level of the transaction service requested by the client 110, so that different security verification techniques are used to complete transaction services of different risk levels. This is like using multiple keys to open different transaction doors: even if one key is lost, an attacker still cannot carry out a fake-transaction attack with a single key. The present invention can therefore raise the cost of crime while balancing transaction security and convenience.

In the above embodiment, the risk levels of transaction services may also include a regulated transaction level. As shown in the flow of FIG. 2C, after the financial institution end 130 transmits the transaction data to the public trust unit end 160 (step 261) (in practice this may also be after the platform end 150 transmits the public trust signature produced by the public trust unit end 160 to the client 110 and/or the authentication end 170), the financial institution end 130 may further determine whether the transaction service requested by the client 110 is at the regulated transaction level, that is, whether the risk level of the transaction service belongs to the regulated transaction level. If not, the financial institution end 130 may execute the requested transaction service, such as a small-amount transaction. If the transaction service is at the regulated transaction level, the financial institution end 130 may generate a module verification request and transmit it to the platform end 150, so that the platform end 150 asks the client 110 to perform trusted module verification (step 271).

When the client 110 receives the requirement to verify the trusted module transmitted by the platform end 150, the client 110 may read the trusted security data from the trusted module, encrypt the read trusted security data to produce module encrypted data, and transmit the produced module encrypted data to the platform end 150 (step 273). In this embodiment, it is assumed that the client 110 and the platform end 150 have agreed in advance to encrypt the trusted security data first with the private key of the client 110 and then with a time-based one-time password generated by the platform end 150 to produce the module encrypted data. That is, similarly to the encryption of the transaction verification data, the client 110 may first read all, part, or specific data from the trusted module as the trusted security data, encrypt the trusted security data with the private key to produce an intermediate ciphertext, and then encrypt the intermediate ciphertext with the one-time password obtained by synchronizing with the platform end 150 at a predetermined interval (such as 30 seconds or less) to produce the module encrypted data.

After the platform end 150 receives the module encrypted data transmitted by the client 110, it may decrypt the received module encrypted data to obtain module check data and compare whether the obtained module check data matches the pre-stored trusted security data (step 275). In this embodiment, it is assumed that the platform end 150 may first decrypt the module encrypted data with the most recently generated time-based one-time password to produce the intermediate ciphertext, and then decrypt the intermediate ciphertext with the public key of the client 110 to obtain the module check data. The platform end 150 may then read out the trusted security data of the client 110 and compare whether the obtained identity check data matches the read transaction verification data.

When the module check data does not match the trusted security data, the financial institution end 130 may refuse to execute the transaction service requested by the client 110. When the module check data matches the trusted security data, the financial institution end 130 may generate first declaration data, transmit the generated first declaration data to the platform end 150 (step 277), and execute the transaction service requested by the client 110. In this embodiment, it is assumed that the platform end 150 may generate a comparison result indicating whether the module check data matches the trusted security data and transmit the generated comparison result to the financial institution end 130. When the module check data matches the trusted security data, the platform end 150 may generate a declaration form and transmit it to the financial institution end 130 together with the comparison result. The financial institution end 130 may choose to refuse service to the client 110 when the comparison result generated by the platform end 150 indicates that the module check data does not match the trusted security data, and may choose, when the comparison result indicates a match, to generate the first declaration data according to the declaration form transmitted by the platform end 150 and complete the large-amount transaction requested by the client 110.

After the platform end 150 receives the first declaration data sent by the financial institution end 130, the platform end 150 may generate second declaration data containing the first declaration data and transmit the generated second declaration data to the regulatory end. It may also generate third evidence data from the module verification request received from the financial institution end 130, the module encrypted data received from the client 110, and the generated second declaration data, and publish the generated third evidence data to the blockchain 190 (step 279), thereby preserving the data as evidence through the blockchain 190. In this embodiment, it is assumed that the platform end 150 may perform a hash operation on the module verification request, the module encrypted data, and the second declaration data to generate the third evidence data.

In addition, in the above embodiment, as shown in the flow of FIG. 3A, before the client 110 logs in to the financial institution end 130 with biometrics using the FIDO framework (step 210), the client 110 may apply to the platform end 150 or the financial institution end 130 for a trusted module (step 311). The platform end 150 or the financial institution end 130 may notify a cooperating telecommunications operator to produce the trusted module, and the trusted module may be delivered to the user of the client 110 by courier, by mail, or by similar means.

Next, service staff of the platform end 150 or the financial institution end 130 to which the client 110 applied for the trusted module may operate the server 120 to enter the device identification data of the client 110 and transmit the device identification data over the network to the platform end 150 or the financial institution end 130, thereby activating the trusted module online (step 313). That is, the platform end 150 or the financial institution end 130 records the correspondence between the trusted module and the identification data of the client 110, so that the platform end 150 or the financial institution end 130 can confirm that the computing device accessing the trusted module is the client 110 that applied for it. After the trusted module has been activated, the user of the client 110 may install the trusted module in the client 110 (step 315). The user of the client 110 may then operate the client 110 to perform biometric recognition, and the client 110 may access the trusted module after the user's biometric passes biometric recognition, thereby confirming whether the trusted module was activated successfully.

Furthermore, also before the client 110 uses the FIDO framework to log in to the financial institution end 130 with biometrics (step 210), as shown in the flow of Figure 3B, the user may operate the client 110 to connect to the platform end 150 and then register with the platform end 150, so that the client 110 completes registration with the platform end 150 through real-name verification (step 351).

After the client 110 completes registration, the platform end 150 may generate login verification data and transaction verification data corresponding to the client 110, may store the generated login verification data, the transaction verification data, and the public key of the client 110, and may transmit the generated login verification data and transaction verification data to the client 110 (step 353), so that the client 110 stores the login verification data, transaction verification data, and private key sent by the platform end 150 in the trusted module.

Thereafter, when the client 110 receives an identity verification request, the client 110 may require the user to perform biometric recognition. After the user's biometrics pass recognition, the client 110 may read the login verification data from the trusted module, encrypt the login verification data it read to generate login encrypted data, and transmit the generated login encrypted data to the platform end 150 (step 361). The process by which the client 110 encrypts the login verification data is the same as the encryption process described above and is not repeated here.

After the platform end 150 receives the login encrypted data transmitted by the client 110, the platform end 150 may decrypt the login encrypted data to obtain login check data, and may compare the login check data with the stored login verification data corresponding to the client 110 (step 365). The process by which the platform end 150 decrypts the login encrypted data to obtain the login check data is the same as the decryption process described above and is not repeated here.

When the platform end 150 determines that the login check data obtained by decryption matches the login verification data it read, the platform end 150 may obtain personal data authenticated by the financial institution end 130. The platform end 150 or the public trust unit end 160 then performs a specific operation on the personal data obtained by the platform end 150 to generate corresponding customer authentication data and transmits the generated customer authentication data to the client 110, so that the client 110 can store the received customer authentication data in the trusted module. Alternatively, the financial institution end 130 may obtain the customer authentication data (the authorization grant) from the client 110 through the OAuth 2.0 mechanism and transmit the customer authentication data to the platform end 150, thereby downloading from the platform end 150 the personal data corresponding to the customer authentication data (step 370).

In summary, the present invention differs from the prior art in the following technical means: after the client logs in to the financial institution end with biometrics using the Fast IDentity Online framework, the financial institution end, when the client requests a transaction service, selects the security verification method corresponding to the risk level of the requested transaction service to verify the customer's identity, and evidence data capable of verifying both the verification data generated during the verification process and the transaction data of the requested transaction service is published to the blockchain. This technical means solves the prior-art problem that domestic financial institutions have no verification procedures and standards they can mutually trust, and thereby achieves the technical effects of raising the complexity and cost of crime, reducing the resources wasted by financial institutions, and balancing transaction security with convenience.

Moreover, the method of the present invention for verifying customer identity and transaction services using multiple security levels may be implemented in hardware, in software, or in a combination of hardware and software, and may be implemented in a centralized manner in one computer system or in a distributed manner in which different elements are spread across several interconnected computer systems.

Although the embodiments of the present invention are disclosed as above, the content described is not intended to directly limit the scope of patent protection of the present invention. Any minor changes or refinements to the form and details of implementation made by a person of ordinary skill in the technical field of the present invention, without departing from the spirit and scope disclosed by the present invention, fall within the scope of patent protection of the present invention. The scope of patent protection of the present invention remains as defined by the appended claims.

110: client
120: server
130: financial institution end
150: platform end
160: public trust unit end
170: attestation end
190: blockchain
Step 210: The client logs in to the financial institution end with biometrics.
Step 211: When requiring the client to log in, the financial institution end transmits a login verification request to the platform end, so that the platform end requests login verification data from the client.
Step 215: After passing biometric recognition, the client reads the institution login data of the financial institution end and the login verification data, and transmits the login verification data and the institution login data to the platform end.
Step 219: After the login verification data passes verification, the platform end transmits the institution login data to the financial institution end, so that the financial institution end allows the client to log in.
Step 220: When the client requests a transaction service and the financial institution end determines that the transaction service is at the basic transaction level, the financial institution end transmits an identity verification request to the platform end, so that the platform end requires the client to perform identity verification.
Step 231: The client encrypts the transaction verification data to generate transaction encrypted data and transmits the transaction encrypted data to the platform end.
Step 235: The platform end decrypts the transaction encrypted data to obtain identity check data and transmits to the financial institution end an identity verification result indicating whether the identity check data matches the transaction verification data.
Step 240: The platform end generates first evidence data according to the identity verification request and the transaction encrypted data and publishes it to the blockchain.
Step 250: When the identity verification result indicates that verification passed, the financial institution end generates transaction data corresponding to the transaction service.
Step 261: When the financial institution end determines that the transaction service is at the actual transaction level, it transmits the transaction data to the public trust unit end.
Step 263: The public trust unit end signs the transaction data to generate a public trust signature and transmits the public trust signature to the platform end.
Step 265: The platform end transmits the public trust signature to the attestation end, and the attestation end generates second evidence data according to the public trust signature and publishes it to the blockchain.
Step 271: When the financial institution end determines that the transaction service is at the regulated transaction level, it transmits a module verification request to the platform end, so that the platform end requests trusted module verification from the client.
Step 273: The client encrypts the trusted security data stored in the trusted module to generate module encrypted data and transmits the module encrypted data to the platform end.
Step 275: The platform end decrypts the module encrypted data to obtain module check data and compares the module check data with the trusted security data.
Step 277: When the module check data matches the trusted security data, the financial institution end generates first declaration data and transmits it to the platform end.
Step 279: The platform end generates second declaration data containing the first declaration data, generates third evidence data according to the module verification request, the module encrypted data, and the second declaration data, and publishes it to the blockchain.
Step 311: The client applies to the platform end or the financial institution end for a physical trusted module.
Step 313: The server enters the device identification data of the client online to activate the trusted module.
Step 315: The client installs the trusted module.
Step 351: The client completes registration with the platform end through real-name verification.
Step 353: The platform end transmits login verification data and transaction verification data to the client.
Step 361: After performing biometric recognition on the user, the client encrypts the login verification data to generate login encrypted data and transmits the login encrypted data to the platform end.
Step 365: The platform end decrypts the login encrypted data to obtain login check data and compares the login check data with the login verification data.
Step 370: When the login check data matches the login verification data, the platform end obtains personal data authenticated by the financial institution end, and the platform end or the public trust unit end performs an operation on the personal data to generate corresponding customer authentication data that is transmitted to the client for storage; or the financial institution end obtains the customer authentication data from the client and transmits it to the platform end to download the personal data from the platform end.
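The tiered flow in steps 220 to 279 leaves one evidence record per verification stage. The sketch below is an added example, not code from the patent: it assumes the three risk levels are cumulative (the reading suggested by claims 1, 2 and 7), that each evidence record is a SHA-256 digest over length-prefixed inputs, and that an in-memory hash chain stands in for the blockchain; `Tier`, `Artifacts`, `Ledger`, `commit`, `evidence_for`, `publish_all` and `audit` are hypothetical names.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    BASIC = 1      # steps 220-250: identity verification
    ACTUAL = 2     # adds steps 261-265: public trust signature
    REGULATED = 3  # adds steps 271-279: trusted-module verification


@dataclass
class Artifacts:
    """Opaque byte strings exchanged in the flow; how they are produced is out of scope."""
    identity_request: bytes          # step 220
    tx_encrypted: bytes              # step 231
    trust_signature: bytes = b""     # step 263
    module_request: bytes = b""      # step 271
    module_encrypted: bytes = b""    # step 273
    second_declaration: bytes = b""  # step 279


def commit(label: str, *fields: bytes) -> str:
    """Assumed evidence format: SHA-256 over length-prefixed fields.

    The length prefix keeps (b"ab", b"c") and (b"a", b"bc") distinct, which
    plain concatenation would not.
    """
    h = hashlib.sha256()
    for part in (label.encode(), *fields):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()


def _need(name: str, value: bytes) -> bytes:
    # A tier cannot be evidenced if one of its inputs was never produced.
    if not value:
        raise ValueError(f"tier requires artifact that is missing: {name}")
    return value


def evidence_for(tier: Tier, a: Artifacts) -> list:
    """Return the (kind, digest) pairs this tier must publish, in step order."""
    out = [("first", commit("first", _need("identity_request", a.identity_request),
                            _need("tx_encrypted", a.tx_encrypted)))]
    if tier >= Tier.ACTUAL:
        out.append(("second", commit("second", _need("trust_signature", a.trust_signature))))
    if tier >= Tier.REGULATED:
        out.append(("third", commit("third",
                                    _need("module_request", a.module_request),
                                    _need("module_encrypted", a.module_encrypted),
                                    _need("second_declaration", a.second_declaration))))
    return out


def _block_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Ledger:
    """In-memory hash chain standing in for the blockchain (assumption)."""
    blocks: list = field(default_factory=list)

    def publish(self, kind: str, digest: str) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"index": len(self.blocks), "kind": kind, "evidence": digest, "prev": prev}
        self.blocks.append({**body, "hash": _block_hash(body)})

    def chain_intact(self) -> bool:
        prev = "0" * 64
        for i, block in enumerate(self.blocks):
            body = {k: v for k, v in block.items() if k != "hash"}
            if block["index"] != i or block["prev"] != prev:
                return False
            if not hmac.compare_digest(_block_hash(body), block["hash"]):
                return False
            prev = block["hash"]
        return True

    def contains(self, kind: str, digest: str) -> bool:
        return any(b["kind"] == kind and hmac.compare_digest(b["evidence"], digest)
                   for b in self.blocks)


def publish_all(ledger: Ledger, tier: Tier, a: Artifacts) -> None:
    for kind, digest in evidence_for(tier, a):
        ledger.publish(kind, digest)


def audit(ledger: Ledger, tier: Tier, disclosed: Artifacts) -> bool:
    """Another institution re-derives the evidence from disclosed artifacts."""
    return ledger.chain_intact() and all(
        ledger.contains(kind, digest) for kind, digest in evidence_for(tier, disclosed))


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    sample = Artifacts(b"idreq-0001", b"\x8a\x01tx-ciphertext", b"trust-sig",
                       b"modreq-0001", b"\x9bmodule-ciphertext", b"declaration-2")
    ledger = Ledger()
    publish_all(ledger, Tier.REGULATED, sample)
    print(len(ledger.blocks), audit(ledger, Tier.REGULATED, sample))
```

`audit` returns `False` both when the disclosed artifacts differ from what was committed and when any block of the chain has been rewritten, which is the property that lets a second institution rely on the first one's verification.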

Figure 1 is a system architecture diagram of the system for verifying customer identity and transaction services using multiple security levels according to the present invention.
Figure 2A is a flow chart of the method for verifying customer identity and transaction services using multiple security levels according to the present invention.
Figure 2B is a flow chart of the method by which the client logs in to the financial institution end according to the present invention.
Figure 2C is a flow chart of the additional method for verifying customer identity and transaction services using multiple security levels according to the present invention.
Figure 3A is a flow chart of the method by which the client installs the trusted module according to the present invention.
Figure 3B is a flow chart of the method by which the client completes registration with the platform end according to the present invention.


Claims (10)

1. A method for verifying customer identity and transaction services using multiple security levels, the method comprising at least the following steps: a client logs in to a financial institution end with biometrics; when the client requests a transaction service and the financial institution end determines that the risk level of the transaction service is the basic transaction level, the financial institution end transmits an identity verification request to a platform end, so that the platform end requires the client to perform identity verification; the client encrypts transaction verification data, generated by the platform end after registration with the platform end, to generate transaction encrypted data, and the client transmits the transaction encrypted data to the platform end; the platform end decrypts the transaction encrypted data to obtain identity check data and, after the platform end confirms that the identity check data matches the transaction verification data generated when the client registered, the platform end transmits an identity verification result to the financial institution end; the platform end generates first evidence data according to the identity verification request and the transaction encrypted data and publishes the first evidence data to a blockchain; when the identity verification result indicates that verification passed, the financial institution end generates transaction data corresponding to the transaction service; when the financial institution end determines that the transaction service is at the actual transaction level, the financial institution end transmits the transaction data to a public trust unit end; the public trust unit end signs the transaction data to generate a public trust signature, and the public trust unit end transmits the public trust signature to the platform end; and the platform end transmits the public trust signature to an attestation end, and the attestation end generates second evidence data according to the public trust signature and publishes the second evidence data to the blockchain.
2. The method for verifying customer identity and transaction services using multiple security levels of claim 1, wherein after the step in which the financial institution end determines that the requested transaction service is at the actual transaction level, the method further comprises the steps of: when the financial institution end determines that the transaction service is at the regulated transaction level, transmitting a module verification request to the platform end; the platform end requesting trusted module verification from the client, so that the client encrypts trusted security data stored in the trusted module installed on the client to generate module encrypted data and transmits the module encrypted data to the platform end; the platform end decrypting the module encrypted data to obtain module check data and comparing the module check data with the trusted security data; when the module check data matches the trusted security data, the financial institution end generating first declaration data and transmitting it to the platform end; the platform end generating second declaration data containing the first declaration data and transmitting it to a supervisory end, generating third evidence data according to the module verification request, the module encrypted data, and the second declaration data, and publishing the third evidence data to the blockchain.
3. The method for verifying customer identity and transaction services using multiple security levels of claim 1, wherein before the step in which the client logs in to the financial institution end with biometrics, the method further comprises the steps of: after the client completes registration with the platform end through real-name verification, the platform end transmitting login verification data and transaction verification data to the client; the client, after performing biometric recognition on the user, encrypting the login verification data to generate login encrypted data and transmitting the login encrypted data to the platform end; the platform end decrypting the login encrypted data to obtain login check data and comparing the login check data with the login verification data; and, when the login check data matches the login verification data, the platform end obtaining personal data authenticated by the financial institution end, and the platform end or the public trust unit end performing an operation on the personal data to generate corresponding customer authentication data that is transmitted to the client for storage, or the financial institution end obtaining the customer authentication data from the client and transmitting the customer authentication data to the platform end to download the personal data from the platform end.
4. The method for verifying customer identity and transaction services using multiple security levels of claim 1, wherein the step in which the client logs in to the financial institution end with biometrics further comprises the steps of: when the financial institution end requires the client to log in using the Fast IDentity Online (FIDO) framework, transmitting a login verification request to the platform end, so that the platform end requests login verification data from the client; the client, after passing biometric recognition, obtaining institution login data of the financial institution end and reading out the login verification data, and then transmitting the login verification data and the institution login data to the platform end; and the platform end, after successfully verifying the login verification data transmitted by the client, transmitting the institution login data to the financial institution end, so that the financial institution end allows the client to log in.
5. The method for verifying customer identity and transaction services using multiple security levels of claim 1, wherein before the step in which the client logs in to the financial institution end with biometrics, the method further comprises the steps of: after the client applies to the platform end or the financial institution end for a physical trusted module, a server entering the device identification data of the client online to activate the trusted module, and the client installing the trusted module.
6. A system for verifying customer identity and transaction services using multiple security levels, the system comprising at least: a client on which a trusted module is installed, the trusted module storing transaction verification data; a financial institution end configured to let the client log in with biometrics, to determine, when the client requests a transaction service, whether the risk level of the transaction service meets the basic transaction level, and to generate an identity verification request when the transaction service is at the basic transaction level; a platform end configured to receive the identity verification request transmitted by the financial institution end and to require the client to perform identity verification, so that the client encrypts the transaction verification data to produce transaction encrypted data generated by the platform end after registration with the platform end and transmits the transaction encrypted data to the platform end, and configured to decrypt the transaction encrypted data to obtain identity check data and, after confirming that the identity check data matches the transaction verification data generated when the client registered, to generate first evidence data according to the identity verification request and the transaction encrypted data, publish the first evidence data to a blockchain, and transmit an identity verification result to the financial institution end, so that the financial institution end generates transaction data corresponding to the requested transaction service when the identity verification result indicates that verification passed; a public trust unit end configured to receive the transaction data transmitted by the financial institution end when it determines that the transaction service is at the actual transaction level, to sign the transaction data to generate a public trust signature, and to transmit the public trust signature to the platform end; and an attestation end configured to receive the public trust signature transmitted by the platform end, to generate second evidence data according to the public trust signature, and to publish the second evidence data to the blockchain.
7. The system for verifying customer identity and transaction services using multiple security levels of claim 6, wherein the financial institution end is further configured to transmit a module verification request to the platform end when the transaction service meets the actual transaction level and is further determined to be at the regulated transaction level, so that the platform end requests trusted module verification from the client; the client is further configured to encrypt trusted security data stored in the trusted module installed on the client to generate module encrypted data and to transmit the module encrypted data to the platform end; the platform end is further configured to decrypt the module encrypted data to obtain module check data and to compare the module check data with the trusted security data; and when the module check data matches the trusted security data, the financial institution end generates first declaration data and transmits it to the platform end, and the platform end generates second declaration data containing the first declaration data and transmits it to a supervisory end, generates third evidence data according to the module verification request, the module encrypted data, and the second declaration data, and publishes the third evidence data to the blockchain.
8. The system for verifying customer identity and transaction services using multiple security levels of claim 6, wherein the platform end is further configured to transmit login verification data and the transaction verification data to the client when the client completes registration through real-name verification; the client is further configured, after performing biometric recognition on the user, to encrypt the login verification data to generate login encrypted data and to transmit the login encrypted data to the platform end, so that the platform end decrypts the login encrypted data to obtain login check data and compares the login check data with the login verification data; and when the login check data matches the login verification data, the platform end obtains personal data authenticated by the financial institution end, and the platform end or the public trust unit end performs an operation on the personal data to generate corresponding customer authentication data that is transmitted to the client for storage, or the financial institution end obtains the customer authentication data from the client and transmits the customer authentication data to the platform end to download the personal data from the platform end.
9. The system for verifying customer identity and transaction services using multiple security levels of claim 6, wherein the financial institution end is further configured to transmit a login verification request to the platform end when requiring the client to log in using the Fast IDentity Online framework, so that the platform end requests login verification data from the client; the client is further configured, after passing biometric recognition, to obtain institution login data of the financial institution end, to read out the login verification data from the trusted module, and then to transmit the login verification data and the institution login data to the platform end; and the platform end is further configured, after successfully verifying the login verification data transmitted by the client, to transmit the institution login data to the financial institution end, so that the financial institution end allows the client to log in.
如請求項9所述之使用多安全層級驗證客戶身分與交易服務之系統,其中該平台端更用以接收該客戶端所傳送之一聲明簽發請求,並於確認該身分檢核資料與該交易驗證資料相符時,簽發與該客戶端之使用者之分散式數位身分識別資料及該聲明簽發請求對應之一可驗證聲明,並發布該可驗證聲明至該區塊鏈,該金融機構端更用以依據該客戶端之使用者之分散式數位身分 識別資料由該區塊鏈取得並驗證該可驗證聲明,並於該可驗證聲明通過驗證時判斷該身分驗證結果表示通過驗證。 A system that uses multiple security levels to verify client identity and transaction services as described in request 9, wherein the platform is further configured to receive a statement issuance request sent by the client, and confirm the identity verification information and the transaction When the verification information matches, a verifiable statement corresponding to the user's distributed digital identification information of the client and the statement issuance request is issued, and the verifiable statement is published to the blockchain, and the financial institution end uses Based on the decentralized digital identity of the user of the client The identification data is obtained from the blockchain and verifies the verifiable statement, and when the verifiable statement is verified, it is determined that the identity verification result indicates that the verification has been passed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110142078A TWI828001B (en) 2021-11-11 2021-11-11 System for using multiple security levels to verify customer identity and transaction services and method thereof

Publications (2)

Publication Number Publication Date
TW202319998A TW202319998A (en) 2023-05-16
TWI828001B true TWI828001B (en) 2024-01-01

Family

ID=87379028

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110142078A TWI828001B (en) 2021-11-11 2021-11-11 System for using multiple security levels to verify customer identity and transaction services and method thereof

Country Status (1)

Country Link
TW (1) TWI828001B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108064440A (en) * 2017-05-25 2018-05-22 深圳前海达闼云端智能科技有限公司 FIDO authentication method, device and system based on block chain
CN109560938A (en) * 2019-01-23 2019-04-02 广州微盾科技股份有限公司 Based on the block catenary system for referring to human body biological characteristics identification technology
CN111602116A (en) * 2018-01-12 2020-08-28 诺克诺克实验公司 System and method for binding verifiable claims
CN112837059A (en) * 2021-01-12 2021-05-25 曹燕 Payment strategy calling method for block chain security protection and digital financial platform
TW202123648A (en) * 2019-12-03 2021-06-16 臺灣銀行股份有限公司 System of identity management and authorization and method thereof
US11080380B2 (en) * 2016-11-08 2021-08-03 Aware, Inc. Decentralized biometric identity authentication
