TWM576680U - Authentication system using certificate through inter-domain portal server - Google Patents


Info

Publication number
TWM576680U
Authority
TW (Taiwan)
Prior art keywords
server, management center, data, portal server, application
Application number
TW108200167U
Other languages
Chinese (zh)
Inventors
周克遠, 王國河
Original Assignee
臺灣網路認證股份有限公司
Application filed by 臺灣網路認證股份有限公司; priority to TW108200167U; published as TWM576680U.

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A system for cross-domain authentication with a certificate through a portal server. After the management center connects to the portal server, if the connection data passes the portal server's verification, the portal server returns the digital certificate used by the external business server to the management center, and the management center uses that digital certificate to determine the identity-authentication result. This technical means allows the digital certificate to be stored on a server for convenient management and achieves the technical effect of sharing one digital certificate across servers.

Description

System for cross-domain certificate authentication through a portal server

A system that performs identity authentication using a certificate, and in particular a system that authenticates with a certificate across domains through a portal server.

An electronic certificate, also called a digital certificate, is an identity mechanism used in computer systems. It is one or a set of computer files recording the holder's identity information together with a public key. The holder of an electronic certificate can authenticate their identity to a computer system in order to access or use a particular computer service.

In the early days, when network security received less attention than it does today, most computer services that had to be accessed or used with an electronic certificate were delivered as web pages with an attached security plug-in component; that is, users performed certificate operations such as application, renewal and lookup against the remote server through the browser.

Today, with growing attention to network security, browsers impose ever stricter security requirements and checks on the web pages and plug-in components running on them; restrictions have increased sharply and support has declined, so certificate operations that once ran smoothly in the browser now fail at a much higher rate, which troubles users. To solve this problem, solutions already exist that move certificate operations to an external server: the client connects to the business server for the transaction itself, and connects to a different server for certificate operations.

In addition, as government regulations have loosened, many services that previously required visiting a counter in person have gradually opened up: identity authentication performed online with a certificate can replace the traditional in-person identity check, so the business can be handled entirely online. This is a great benefit for people who find it inconvenient to visit a counter.

However, as described above, some current certificate solutions run certificate operations and transaction operations on separate servers. To avoid security concerns and for ease of management, most certificate holders choose to keep the certificate on the server rather than export it to the device they are using. As a result, the user's certificate cannot be used on other servers.

In summary, the prior art has long suffered from the problem that a certificate stored on a server for ease of management cannot be used on other servers, so an improved technical means is needed to solve this problem.

In view of the prior-art problem that storing a certificate on a server prevents it from being used on other servers, the present invention discloses a system for cross-domain certificate authentication through a portal server, in which:

The system disclosed by the present invention for cross-domain certificate authentication through a portal server comprises at least: a management center, for generating connection data; an application, connected to a service host, for requesting identity authentication from the management center; and a portal server, corresponding to a business server, for receiving and verifying the connection data and, when the connection data passes verification, determining whether a digital certificate corresponding to the business server is stored, applying for the digital certificate if it is not stored, and transmitting the digital certificate to the management center. The management center is further configured, when the digital certificate is stored, to use it to determine the authentication result and to transmit the authentication result to the service host.

The system disclosed by the present invention for cross-domain certificate authentication through a portal server comprises at least: a client, connected to a service host, for executing an application and a management center, the application requesting identity authentication from the management center; and a portal server, corresponding to a business server, for receiving and verifying the connection data and, when the connection data passes verification, determining whether a digital certificate corresponding to the business server is stored, applying for the digital certificate if it is not stored, and transmitting the digital certificate to the management center. The management center is further configured, when the digital certificate is stored, to use it to determine the authentication result and to transmit the authentication result to the service host.

The system disclosed by the present invention differs from the prior art in that, after the management center connects to the portal server, if the connection data passes the portal server's verification, the portal server returns the digital certificate used by the external business server to the management center, and the management center uses that digital certificate to determine the identity-authentication result. This solves the problem of the prior art and achieves the technical effect of using the same certificate across servers.

The features and embodiments of the present invention are described in detail below with reference to the drawings and embodiments, in sufficient detail that anyone skilled in the relevant art can readily understand the technical means applied to solve the technical problem and implement them, thereby realizing the effects achievable by the present invention.

The present invention allows the service host to which an application is connected to obtain, through the management center, an identity-authentication result based on the digital certificate held by the portal server.

The application may be a program running on a client such as a computer, mobile phone or tablet, for example a browser running under any of the clients' operating systems, or a program with an embedded browser, though the present invention is not limited to these. The management center may be an identity server connected over the network to the client running the application and to the portal server, or it may be a certificate management program installed on the client running the application.

The operation of the system is first explained with reference to Fig. 1A and Fig. 1B, the two system architecture diagrams of the cross-domain certificate authentication system through a portal server proposed by the present invention. As shown in Fig. 1A and Fig. 1B, the system comprises a service host 110, an application 121, a management center 130 and a portal server 150. In Fig. 1A the application 121 runs on the client 120 and the management center 130 is an identity server, whereas in Fig. 1B both the application 121 and the management center 130 are programs that can run on the client 120.

The service host 110, client 120, identity server and portal server 150 are all computing devices. A computing device as referred to in the present invention includes, but is not limited to, one or more processors, one or more memory modules, and a bus connecting the various components (including the memory modules and processors). Through these components the computing device can load and execute an operating system so that the operating system runs on it.

The bus of the computing device may be of one or more types, for example a data bus, address bus, control bus, expansion bus and/or local bus. Buses of the computing device include, but are not limited to, parallel buses such as the Industry Standard Architecture (ISA) bus, the Peripheral Component Interconnect (PCI) bus and the Video Electronics Standards Association (VESA) local bus, and serial buses such as the Universal Serial Bus (USB) and PCI Express (PCI-E).

The processor of the computing device is coupled to the bus. The processor contains a register set or register space, which may reside entirely on the processor chip, or may be located wholly or partly off the chip and coupled to the processor through dedicated electrical connections and/or through the bus. The processor may be a processing unit, a microprocessor or any suitable processing element. If the computing device is a multiprocessor device, that is, it contains several processors, the processors are identical or similar and are coupled and communicate through the bus.

The processor may be coupled to a chipset, or electrically connected to it through the bus. The chipset consists of one or more integrated circuits (ICs) and includes a memory controller and a peripheral input/output (I/O) controller; the memory controller and peripheral I/O controller may be contained in a single integrated circuit or implemented with two or more. The chipset typically provides I/O and memory management functions, together with a number of general-purpose and/or special-purpose registers, timers and the like, which can be accessed or used by the one or more processors coupled or electrically connected to the chipset.

The processor may also, through the memory controller, access data in the memory modules and mass storage installed on the computing device. The memory modules include any type of volatile memory and/or non-volatile memory (NVRAM), such as static random access memory (SRAM), dynamic random access memory (DRAM), flash memory and read-only memory (ROM). The mass storage may include any type of storage device or storage medium, such as a hard disk drive, optical disc, tape drive, flash drive, solid state disk (SSD) or any other storage device. In other words, the memory controller can access data in SRAM, DRAM, flash memory, hard disk drives and solid state disks.

The processor may also, through the peripheral I/O controller and peripheral I/O bus, communicate with peripheral devices and interfaces such as peripheral output devices, peripheral input devices, communication interfaces and GPS receivers. A peripheral input device may be any type of input device, such as a keyboard, mouse, trackball, touchpad or joystick; a peripheral output device may be any type of output device, such as a display or printer; and the input and output device may be the same device, such as a touch screen. The communication interface may include a wireless and/or a wired communication interface. The wireless interface may support wireless LANs such as Wi-Fi and Zigbee, Bluetooth, infrared, near-field communication (NFC), mobile networks such as 3G/4G/5G, or other wireless data transfer protocols; the wired interface may be an Ethernet device, an asynchronous transfer mode (ATM) device, a DSL modem, a cable modem or the like. The processor can periodically poll the peripheral devices and interfaces so that the computing device can input and output data and communicate with another computing device having the components described above.

Through its communication interface the service host 110 can accept a connection from the application 121, receive the data or signals sent by the application 121, and send data or signals to the application 121. The service host 110 may accept the connection over a wired medium such as Ethernet or a wireless medium such as WiFi, Bluetooth or 3G/4G/5G.

The service host 110 can provide the application 121 with various services, including services that require identity authentication, such as online tax filing or online lookup of securities trading records, though the present invention is not limited to these. When the service host 110 requires identity verification from the application 121, if the management center 130 is an identity server the service host 110 can redirect the application 121 to the identity server, and if the management center 130 is a certificate management program the service host 110 can send a command that makes the application 121 invoke the certificate management program.

The application 121 can connect to the service host 110 and/or the portal server 150 through the communication interface of the client 120, receive the data they send, and send data to them. If the management center 130 is an identity server, the application 121 connects to it through the communication interface of the client 120 and can receive data from and send data to it; if the management center 130 is a program running on the client 120, the application 121 can pass data to it and obtain data from it by function calls, shared memory or similar means.

The application 121 is responsible for requesting identity authentication from the management center 130. Generally, the application 121 requests identity authentication from the management center 130 when authentication becomes necessary while using a service provided by the service host 110.

In some embodiments the application 121 can also receive, via the management center 130, a request message sent by the portal server 150 and prompt for login data according to it. For example, the request message may contain a signal or a screen; the application 121 can display the received screen directly, or display a screen generated from the received signal, in order to prompt for the login data. The application 121 can also return the entered login data to the portal server 150. The login data includes, but is not limited to, an account name and password, fingerprint or facial information registered in advance with the business server 160.

The management center 130 is responsible for generating the connection data. For example, the management center 130 can generate verification parameters containing a registration code, compute check data by applying a specific hash function to the generated verification parameters, and then generate connection data containing the verification parameters and the computed check data. The way the management center 130 generates connection data is not limited to this.

The registration code in the verification parameters generated by the management center 130 is data obtained by registering in advance with the portal server 150, and consists of a key and its corresponding value. In some embodiments the verification parameters generated by the management center 130 may contain, in addition to the registration code, metadata that needs to be sent to the portal server 150.

The management center 130 is also responsible for sending the connection data to the portal server 150. If the management center 130 is an identity server, then when the service host 110 redirects the application 121 to the identity server, the identity server can let the user of the application 121 choose, through the application 121, the portal server 150 to connect to, and then connect to the chosen portal server 150. If the management center 130 is a certificate management program, then when the service host 110 makes the application 121 invoke the certificate management program, the program can let the user choose the portal server 150 within the certificate management program and establish a connection to the chosen portal server 150.

The management center 130 is also responsible for determining the identity-authentication result using the stored digital certificate, and for sending the resulting authentication result to the application 121.

Notably, when the application 121 requests identity authentication, the management center 130 can first check whether it already holds the digital certificate of the portal server 150 that the application 121 wants to connect to. If it does, the management center 130 can determine the authentication result directly with the stored digital certificate, without connecting to the portal server 150 to obtain it. Only if the management center 130 does not hold the digital certificate for that portal server 150 does it need to connect to the portal server 150 to obtain the certificate; after receiving the digital certificate sent by the portal server 150 it uses the received certificate to determine the authentication result.

The management center 130 can also receive a request message for login data sent by the portal server 150 that the application 121 requesting authentication wants to connect to, and on receiving such a request it can direct the application 121 to connect to the portal server 150.

Through its communication interface the portal server 150 can connect to the application 121, the management center 130, the business server 160 and the certificate server 140, receive the data or signals they send, and send data or signals to them. The portal server 150 may connect to the client 120, management center 130, business server 160 and/or certificate server 140 over a wired medium such as Ethernet or a wireless medium such as WiFi, Bluetooth or 3G/4G/5G.

The portal server 150 corresponds to the business server 160. In general one portal server may correspond to one or more business servers, and all business servers corresponding to the same portal server can use the same digital certificate for identity authentication or online transactions.

The portal server 150 is responsible for receiving and verifying the connection data sent by the management center 130. For example, the portal server 150 can read the corresponding registered value using the key of the registration code contained in the received connection data, build data to be verified consisting of the metadata from the connection data, the key of the registration code and the registered value it read, and compute hash data from the data to be verified with the same hash function used by the management center 130 that sent the connection data. It then decides whether the connection data passes verification by comparing the check data in the received connection data with the computed hash data: if they are the same, the connection data passes; if they differ, it fails. Likewise, if the portal server 150 finds that the received connection data contains no registration-code key, or no registered value can be read for that key, the connection data fails verification. The way the portal server 150 verifies connection data is not limited to this.
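The connection-data generation (management center side) and verification (portal server side) just described, as an added example that is not code from the patent or its assignee. It assumes SHA-256 as the "specific hash function", canonical JSON as the serialization of the verification parameters, and a nonce inside the metadata; the registration value is treated as a shared secret that is never placed in the connection data.

```python
import hashlib
import hmac
import json

# Constructed sample registration code. The key travels in the connection data;
# the value is only ever held by the management center and the portal server.
REGISTRATION_CODES = {"mc-0001": "constructed-registration-value-0001"}


def canonical(data: dict) -> bytes:
    """Deterministic serialization so both sides hash identical bytes (assumption)."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_check(key: str, value: str, metadata: dict) -> str:
    """Hash over the verification parameters: registration code (key + value) and metadata.
    SHA-256 is assumed here; the patent only says 'a specific hash function'."""
    return hashlib.sha256(canonical({"key": key, "value": value, "metadata": metadata})).hexdigest()


def build_connection_data(key: str, value: str, metadata: dict) -> dict:
    """Management center 130: verification parameters plus the check data.
    The registered value is deliberately absent from the output."""
    return {"key": key, "metadata": metadata, "check": compute_check(key, value, metadata)}


def verify_connection_data(conn: dict, registry: dict) -> tuple:
    """Portal server 150: look up the registered value by key, recompute the hash
    and compare. Returns (passed, reason); each failure branch from the text is explicit."""
    key = conn.get("key")
    if not isinstance(key, str):
        return False, "missing registration-code key"
    value = registry.get(key)
    if value is None:
        return False, "no registered value for key"
    metadata = conn.get("metadata")
    if not isinstance(metadata, dict):
        return False, "malformed metadata"
    expected = compute_check(key, value, metadata)
    check = conn.get("check")
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if not isinstance(check, str) or not hmac.compare_digest(expected, check):
        return False, "check data mismatch"
    return True, "ok"


if __name__ == "__main__":
    conn = build_connection_data("mc-0001", REGISTRATION_CODES["mc-0001"], {"nonce": "n-1"})
    print(conn)
    print(verify_connection_data(conn, REGISTRATION_CODES))
```

Because the registered value is mixed into the hash but never sent, a third party who only observes the connection data cannot forge check data for altered metadata; a keyed construction such as HMAC over the same fields is the standard way to build this.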

The portal server 150 is also responsible, when the received connection data passes verification, for determining whether it holds the digital certificate corresponding to its business server 160. If it does not, the portal server 150 can connect to a certificate server 140 such as an RA to apply for the digital certificate corresponding to the business server 160; once the application is complete, it stores the certificate it obtained and sends it to the management center 130. The portal server 150 can also send the obtained digital certificate to a browser (not shown) that has previously connected to the business server 160, so that the browser stores the received digital certificate in the local storage associated with the business server 160.

The portal server 150 is also responsible, when the received connection data fails verification, for sending a request message for login data to the management center 130, so that it can connect to the application 121 directed to it by the management center 130 and ask the application 121 to enter login data.

The portal server 150 can also receive the login data sent by the application 121 and determine, through the business server 160, whether the login data passes verification.

The operation of the system is now explained with a first embodiment, with reference to Fig. 2A, the flowchart of the method for cross-domain certificate authentication through a portal server proposed by the present invention. In this embodiment the application 121 is assumed to be a browser running on the client 120 and the management center 130 an identity server, though the present invention is not limited to this.

When the user operates the application 121 on the client 120 to use a service provided by the service host 110, and the service host 110 asks the application 121 for identity verification, the application 121 can request identity authentication from the management center 130 (step 201). In this embodiment the service host 110 is assumed to provide a tax-filing service and, when it asks the application 121 for identity verification, to redirect the application 121 to the management center 130.

After the application 121 connects to the management center 130, the management center 130 may offer the application 121 a choice of portal server 150 (step 211). In this embodiment it is assumed that the management center 130 may send the application 121 a web page for selecting a business unit, each selectable business unit being provided with a portal server 150, thereby prompting the user of the application 121 to operate the application 121 and select the portal server 150 provided by one business unit. The business units include, but are not limited to, individual brokerages, and the portal server 150 may be the trading server provided by each brokerage.

After the application 121 selects the portal server 150, the management center 130 may determine whether it has stored the digital certificate corresponding to the portal server 150 selected by the application 121 (step 215). If so, the management center 130 may directly use the stored digital certificate to determine the authentication result of the identity authentication and return the resulting authentication result to the service host 110 (step 290).

If the management center 130 determines that it has not stored the digital certificate corresponding to the portal server 150 selected by the application 121, the management center 130 may generate connection data and transmit the generated connection data to the portal server 150 (step 220). In this embodiment it is assumed that the connection data generated by the management center 130 may be a link that redirects to the portal server 150, so that the application 121 is redirected to the portal server 150 according to the link and thereby delivers the connection data to the portal server 150.

After the portal server 150 receives the connection data, the portal server 150 may determine whether the received connection data passes verification (step 230). In this embodiment it is assumed that the portal server 150 may first determine whether the connection data contains a registration code and check data; if not, the connection data fails verification. If the connection data does contain a registration code and check data, the portal server 150 may further extract the metadata and the registration code from the connection data, read out the corresponding registration value according to the key value in the registration code, and generate data-to-verify consisting of the metadata, the key value and the registration value; it then applies a hash function to the data-to-verify to compute the hash data. When the check data in the received connection data is identical to the hash data computed from the data-to-verify, the connection data passes verification; when the check data in the received connection data differs from that computed hash data, the connection data fails verification.

If the portal server 150 determines that the connection data passes verification, the portal server 150 may determine whether it has stored the digital certificate corresponding to the business server 160 (step 260).

If the portal server 150 determines that the connection data fails verification, the portal server 150 may transmit a login-data request message to the management center 130; upon receiving the login-data request message, the management center 130 redirects the application 121 to connect with the portal server 150, and after connecting with the application 121 the portal server 150 may ask the application 121 to enter login data (step 240). In this embodiment it is assumed that the portal server 150 may send the application 121 a web page 300 for entering login data, thereby prompting the user of the application 121 to enter the account and password registered with the previously selected business unit, as shown in Fig. 3.

After the user finishes entering the login data in the application 121, the application 121 may transmit the entered login data to the portal server 150, and the portal server 150 may verify the login data transmitted by the application 121 through the business server 160 of the business unit previously selected by the user, thereby determining whether the login data received from the application 121 passes verification (step 250). If the login data fails verification, the portal server 150 may ask the application 121 to enter login data again (step 240), or notify the management center 130 so that the management center 130 rejects the identity verification request of the application 121.

If the portal server 150 determines that the login data transmitted by the application 121 passes verification by the business server 160, then, as shown in the flow of Fig. 2B, the portal server 150 may determine whether it has stored the digital certificate corresponding to the business server 160 (step 260).

When the portal server 150 determines that it has stored the digital certificate corresponding to the business server 160, the portal server 150 may transmit that digital certificate to the management center 130 (step 280). If the portal server 150 determines that it has not stored the digital certificate corresponding to the business server 160, the portal server 150 may connect to the certificate server 140 to apply for the digital certificate corresponding to the business server 160 (step 270) and, once the application is complete, may store the obtained digital certificate and transmit it to the management center 130 (step 280).

After receiving the digital certificate transmitted by the portal server 150, the management center 130 may store the received digital certificate, use it to determine the authentication result of the identity authentication, and transmit the resulting authentication result to the service host 110 (step 290).
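The following is an added example, not code from the patent or its applicant, that simulates in Python the check-data construction of step 220, the verification of step 230, the login fallback of steps 240 and 250, and the certificate decision of steps 260 to 280 of the first embodiment. The registration-code table, the choice of SHA-256 as the hash function, the JSON encoding of the data-to-verify, the business-server callback and the certificate stand-in are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample registration codes (claim 4: a set of registration codes the
# management center obtained from the portal server in advance). Each entry maps
# the key value carried in the link to the registration value kept by both sides.
REGISTRATION_CODES = {
    "reg-0001": "1f7a2c9e5b3d4e6f8a0b1c2d3e4f5a6b",
    "reg-0002": "9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f",
}


def compute_hash(metadata, key, reg_value):
    """Build the data-to-verify (metadata + key value + registration value) and hash it.

    Canonical JSON is an assumption; both sides must serialise identically or the
    check data will never match.
    """
    to_verify = json.dumps(
        {"meta": metadata, "key": key, "value": reg_value},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(to_verify).hexdigest()


class ManagementCenter:
    """Step 220: builds the connection data carried in the link to the portal server."""

    def __init__(self, registration_codes):
        self.registration_codes = dict(registration_codes)

    def build_connection_data(self, metadata):
        key = secrets.choice(sorted(self.registration_codes))
        check = compute_hash(metadata, key, self.registration_codes[key])
        # Only the key value travels in the link; the registration value never does,
        # so a party without the table cannot forge valid check data.
        return {"meta": metadata, "reg_key": key, "check": check}


class PortalServer:
    """Steps 230 and 240 to 280, expressed as a decision on what to do next."""

    def __init__(self, registration_codes, stored_certificates, business_server):
        self.registration_codes = dict(registration_codes)
        self.certificates = dict(stored_certificates)  # business server id -> cert
        self.business_server = business_server          # callable(account, password) -> bool

    def verify_connection_data(self, conn):
        # Step 230: a link without registration code or check data fails outright.
        if "reg_key" not in conn or "check" not in conn:
            return False
        reg_value = self.registration_codes.get(conn["reg_key"])
        if reg_value is None:
            return False                                # unknown key value
        expected = compute_hash(conn.get("meta"), conn["reg_key"], reg_value)
        # Constant-time comparison of the check data against the recomputed hash.
        return hmac.compare_digest(expected.encode(), str(conn["check"]).encode())

    def apply_for_certificate(self, business_server_id):
        # Step 270: stand-in for the RA / certificate server 140 (constructed value).
        cert = "CERT-FOR-" + business_server_id
        self.certificates[business_server_id] = cert    # store after applying
        return cert

    def _certificate_step(self, business_server_id):
        # Step 260: use the stored certificate, otherwise apply for it first.
        cert = self.certificates.get(business_server_id)
        if cert is None:
            cert = self.apply_for_certificate(business_server_id)
        return {"next_step": "send_certificate", "certificate": cert}  # step 280

    def handle_connection(self, conn, business_server_id):
        if not self.verify_connection_data(conn):
            return {"next_step": "request_login"}       # step 240
        return self._certificate_step(business_server_id)

    def handle_login(self, account, password, business_server_id):
        # Step 250: the business server, not the portal, verifies the login data.
        if not self.business_server(account, password):
            return {"next_step": "request_login"}       # step 240 again
        return self._certificate_step(business_server_id)
```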

The operation of the system of the present creation is further explained with a second embodiment; again refer to Fig. 2A. In this embodiment it is assumed that the application 121 is a specific program installed on a mobile device (the client 120) and that the management center 130 is a certificate management program installed on the same mobile device, but the present creation is not limited thereto.

When the user operates the application 121 to use a service provided by the service host 110, if the service host 110 asks the application 121 to perform identity verification, the application 121 may request identity authentication from the management center (step 201). In this embodiment it is assumed that the service host 110 provides a securities-transaction inquiry service and that, when it asks the application 121 to perform identity verification, the service host 110 may invoke the management center 130 through the application 121.

After the management center 130 starts running, the management center 130 may offer a choice of portal server 150 (step 211). In this embodiment it is assumed that the management center 130 may display a user interface listing multiple business units, each with a corresponding portal server 150, thereby prompting the user of the application 121 to select a portal server 150.

After the management center 130 offers the choice of portal server 150, the management center 130 may determine whether it has stored the digital certificate corresponding to the portal server 150 selected by the application 121 (step 215). If so, the management center 130 may directly use the stored digital certificate to determine the authentication result of the identity authentication and return the resulting authentication result to the application 121 (step 290).

If the management center 130 determines that it has not stored the digital certificate corresponding to the portal server 150 selected by the application 121, the management center 130 may generate connection data and transmit the generated connection data to the portal server 150 (step 220). In this embodiment it is assumed that the management center 130 may open a link containing the connection data through an embedded browser, thereby delivering the connection data to the portal server 150 as it connects to the portal server 150.

After the management center 130 connects to the portal server 150, the portal server 150 may determine whether the connection data received when the connection with the management center 130 was established passes verification (step 230). In this embodiment, if the connection data generated by the management center 130 does not contain a registration code and/or check data, the portal server 150 may determine that the connection data fails verification and may transmit a login-data request message to the management center 130, causing the management center 130 to redirect the application 121 to connect with the portal server 150 so as to ask the application 121 to enter login data (step 240).

After the user finishes entering the login data in the application 121, the application 121 may transmit the entered login data to the portal server 150, and the portal server 150 may verify the login data transmitted by the application 121 through the business server 160 of the business unit previously selected by the user, thereby determining whether the login data received from the application 121 passes verification (step 250).

If the portal server 150 determines that the login data transmitted by the application 121 passes verification by the business server 160, then, as shown in the flow of Fig. 2B, the portal server 150 may determine whether it has stored the digital certificate corresponding to the business server 160 (step 260). In this embodiment, if the portal server 150 determines that it has stored the digital certificate corresponding to the business server 160, the portal server 150 may transmit that digital certificate to the management center 130 (step 280).

If the portal server 150 determines that it has not stored the digital certificate corresponding to the business server 160, the portal server 150 may connect to the certificate server 140 to apply for the digital certificate corresponding to the business server 160 (step 270) and, once the application is complete, may store the obtained digital certificate and transmit it to the management center 130 (step 280).

After receiving the digital certificate transmitted by the portal server 150, the management center 130 may store the received digital certificate, use it to determine the authentication result of the identity authentication, and transmit the resulting authentication result to the service host 110 (step 290).

As the two embodiments above show, through the present creation the application 121 can perform identity authentication through the management center 130 using the digital certificate that is used in the external business server 160.

In summary, the difference between the present creation and the prior art lies in the technical means whereby, after the management center connects to the portal server, if the connection data passes the portal server's verification, the portal server returns the digital certificate used by the external business server to the management center, so that the management center uses that digital certificate to determine the identity authentication result. This technical means solves the problem in the prior art that storing certificates on a server for ease of management leaves them unusable on other servers, thereby achieving the technical effect of using the same certificate across servers.

Furthermore, the system of the present creation for authenticating across domains with a certificate through a portal server may be implemented in a centralized manner in a single computer system, or in a distributed manner with different components spread over several interconnected computer systems.

Although embodiments of the present creation are disclosed as above, the foregoing is not intended to directly limit the scope of patent protection of the present creation. Any minor modifications in form and detail to the implementation of the present creation, made by a person of ordinary skill in the art to which the present creation belongs without departing from the spirit and scope disclosed herein, fall within the scope of patent protection of the present creation. The scope of patent protection of the present creation shall be determined by the appended claims.

110‧‧‧Service host

120‧‧‧Client

121‧‧‧Application

130‧‧‧Management center

140‧‧‧Certificate server

150‧‧‧Portal server

160‧‧‧Business server

300‧‧‧Web page

Step 201‧‧‧The application requests identity authentication from the management center

Step 211‧‧‧The management center offers a choice of portal server

Step 215‧‧‧The management center determines whether it has stored the digital certificate corresponding to the business server

Step 220‧‧‧The management center generates connection data and transmits the connection data to the portal server

Step 230‧‧‧The portal server determines whether the connection data passes verification

Step 240‧‧‧The portal server asks the application to enter login data

Step 250‧‧‧The portal server determines through the business server whether the login data passes verification

Step 260‧‧‧The portal server determines whether it has stored the digital certificate corresponding to the business server

Step 270‧‧‧The portal server applies for the digital certificate

Step 280‧‧‧The portal server transmits the digital certificate to the management center

Step 290‧‧‧The management center uses the digital certificate to determine the authentication result and transmits the authentication result to the service host

Fig. 1A is a system architecture diagram of the system of the present creation for authenticating across domains with a certificate through a portal server.
Fig. 1B is a system architecture diagram of another system of the present creation for authenticating across domains with a certificate through a portal server.
Fig. 2A is a flowchart of the method of the present creation for authenticating across domains with a certificate through a portal server.
Fig. 2B is a flowchart of the method of the present creation by which the portal server applies for a certificate.
Fig. 3 is a schematic diagram of a web page according to an embodiment of the present creation.

Claims (10)

1. A system for authenticating across domains with a certificate through a portal server, the system comprising at least: a management center for generating connection data; a client, connected to a service host, for executing an application, the application being for requesting identity authentication from the management center; and a portal server, corresponding to a business server, for receiving and verifying the connection data and, when the connection data passes verification, determining whether a digital certificate corresponding to the business server is stored, applying for the digital certificate if it is not stored, and transmitting the digital certificate to the management center, so that the management center uses the digital certificate to determine an authentication result and transmits the authentication result to the service host.

2. The system for authenticating across domains with a certificate through a portal server of claim 1, wherein the management center is further for, when the application requests identity authentication, first determining whether the digital certificate is stored and, when the digital certificate is already stored, using the digital certificate to determine the authentication result and transmitting the authentication result to the service host.

3. The system for authenticating across domains with a certificate through a portal server of claim 1, wherein the portal server is further for, when the connection data fails verification, requiring the application to enter login data and determining through a business server whether the login data passes verification.

4. The system for authenticating across domains with a certificate through a portal server of claim 1, wherein the management center generates an authentication parameter containing a set of registration codes obtained in advance from the portal server, computes the authentication parameter with a hash function to produce check data, and generates the connection data containing the authentication parameter and the check data, and the portal server computes hash data using the authentication parameter and the hash function and determines whether the connection data passes verification according to whether the check data is identical to the hash data.

5. The system for authenticating across domains with a certificate through a portal server of claim 1, wherein the management center is an identity server, and the service host redirects the application requesting identity authentication to the identity server.

6. A system for authenticating across domains with a certificate through a portal server, the system comprising at least: a client, connected to a service host, for executing an application and a management center, the application being for requesting identity authentication from the management center; and a portal server, corresponding to a business server, for receiving and verifying the connection data and, when the connection data passes verification, determining whether a digital certificate corresponding to the business server is stored, applying for the digital certificate if it is not stored, and transmitting the digital certificate to the management center, so that the management center uses the digital certificate to determine an authentication result and transmits the authentication result to the service host.

7. The system for authenticating across domains with a certificate through a portal server of claim 6, wherein the management center is further for, when the application requests identity authentication, first determining whether the digital certificate is stored and, when the digital certificate is already stored, using the digital certificate to determine the authentication result and transmitting the authentication result to the service host.

8. The system for authenticating across domains with a certificate through a portal server of claim 6, wherein the portal server is further for, when the connection data fails verification, requiring the application to enter login data and determining through a business server whether the login data passes verification.

9. The system for authenticating across domains with a certificate through a portal server of claim 6, wherein the application contains an authentication parameter containing a set of registration codes obtained in advance from the portal server, computes the authentication parameter with a hash function to produce check data, and generates the connection data containing the authentication parameter and the check data, and the portal server computes hash data using the authentication parameter and the hash function and determines whether the connection data passes verification according to whether the check data is identical to the hash data.

10. The system for authenticating across domains with a certificate through a portal server of claim 6, wherein the management center is a certificate management program, and the service host controls the application requesting identity authentication to invoke the certificate management program.
TW108200167U 2019-01-04 2019-01-04 Authentication system using certificate through inter-domain portal server TWM576680U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108200167U TWM576680U (en) 2019-01-04 2019-01-04 Authentication system using certificate through inter-domain portal server


Publications (1)

Publication Number Publication Date
TWM576680U true TWM576680U (en) 2019-04-11

Family

ID=66997092

Country Status (1)

Country Link
TW (1) TWM576680U (en)

Legal Events

Date Code Title Description
MM4K Annulment or lapse of a utility model due to non-payment of fees