TWM576681U - Computing device validating user identity during signing - Google Patents

Computing device validating user identity during signing Download PDF

Info

Publication number
TWM576681U
TWM576681U TW107215363U TW107215363U TWM576681U TW M576681 U TWM576681 U TW M576681U TW 107215363 U TW107215363 U TW 107215363U TW 107215363 U TW107215363 U TW 107215363U TW M576681 U TWM576681 U TW M576681U
Authority
TW
Taiwan
Prior art keywords
user
module
password
identity
computing device
Prior art date
Application number
TW107215363U
Other languages
Chinese (zh)
Inventor
蔡家宏
林志能
連子清
Original Assignee
臺灣網路認證股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 臺灣網路認證股份有限公司 filed Critical 臺灣網路認證股份有限公司
Priority to TW107215363U priority Critical patent/TWM576681U/en
Publication of TWM576681U publication Critical patent/TWM576681U/en

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

一種於簽章時驗證使用者身分之計算設備,其透過在判斷與被選擇之目標憑證對應的私鑰被預設密碼加密時,先驗證使用者身分,並在使用者身分通過驗證時,再使用預設密碼解密私鑰之技術手段,可以在使用者使用與沒有設定憑證密碼之憑證對應的私鑰簽章時確認使用者身分,並達成使用者不需額外記憶憑證密碼的技術功效。A computing device for verifying a user identity at the time of signing, which first verifies the user identity by encrypting the private key corresponding to the selected target voucher, and when the user identity passes the verification, The technical means of decrypting the private key by using the preset password can confirm the user identity when the user uses the private key signature corresponding to the voucher without the voucher password, and achieve the technical effect that the user does not need to additionally memorize the voucher password.

Description

於簽章時驗證使用者身分之計算設備Computing device for verifying user identity at the time of signature

一種簽章裝置,特別係指一種於簽章時驗證使用者身分之計算設備。A signing device, in particular, a computing device that verifies the identity of a user at the time of signing.

數位簽章(Digital Signature)是一種對資料使用金鑰加密的技術,更詳細的,數位簽章是以數學演算法或其他方式使用金鑰對資料進行運算後所產生資料,而非指將簽名掃描成數位圖像,也不是使用觸控板輸入的簽名。一套數位簽章通常定義兩種互補的運算,一個用於簽章,另一個用於驗證。經過數位簽章之資料的完整性是很容易驗證的,而且經過數位簽章的資料具有不可否認性,因此,數位簽章可以辨識及確認電子文件之簽署人的身分以及電子文件的真偽。Digital Signature is a technique for encrypting data using keys. In more detail, digital signatures are generated by mathematical algorithms or other means using data to calculate data, rather than signing Scan into a digital image, not a signature entered using the touchpad. A set of digital signatures usually defines two complementary operations, one for signature and one for verification. The integrity of the digital signature is easy to verify, and the digital signature is non-repudiation. Therefore, the digital signature can identify and confirm the identity of the signatory of the electronic document and the authenticity of the electronic document.

由於數位簽章具有不可否認性,因此常在網路交易中被使用。使用了數位簽章的網路交易在交易過程中具有使用者帳號的驗證以及憑證密碼的確認兩道安全措施。一般而言,儲存數位憑證的裝置也會一併儲存與數位憑證中所包含之公鑰相對應的私鑰,且該裝置會將私鑰經過相對應之數位憑證的憑證密碼加密後儲存。當需要進行數位簽章作業時,使用者需要輸入相對應之數位憑證的憑證密碼,該裝置才能解密私鑰,並使用解密後的私鑰進行數位簽章。Because digital signatures are non-repudiation, they are often used in online transactions. The online transaction using the digital signature has two security measures for the verification of the user account and the confirmation of the voucher password during the transaction. Generally, the device storing the digital certificate also stores the private key corresponding to the public key included in the digital certificate, and the device encrypts the private key after being encrypted by the corresponding password of the digital certificate. When a digital signature job is required, the user needs to input the voucher password of the corresponding digital certificate, and the device can decrypt the private key and use the decrypted private key to perform the digital signature.

但在部份的情況中,使用者並沒有設定數位憑證的憑證密碼,例如使用者認為已經有驗證使用者帳號的程序,所以使用者認為不需要額外設定數位憑證的憑證密碼,以避免忘記憑證密碼。在此情況下,數位憑證通常會被儲存數位憑證的裝置以預設密碼加密,如此,在進行數位簽章時,儲存數位憑證的裝置也會直接以預設密碼解密數位憑證。也就是說,一旦使用者帳號密碼被他人取得,取得使用者帳號密碼的他人即可以冒用使用者的身分完成網路交易。However, in some cases, the user does not set a voucher password for the digital certificate. For example, the user believes that there is already a program for verifying the user account, so the user thinks that there is no need to additionally set the voucher password of the digital certificate to avoid forgetting the voucher. password. In this case, the digital voucher is usually encrypted by the device storing the digital voucher with a preset password. Thus, when the digital signature is performed, the device storing the digital voucher directly decrypts the digital voucher with the preset password. That is to say, once the user account password is obtained by others, the person who obtains the user account password can use the identity of the user to complete the online transaction.

綜上所述,可知先前技術中長期以來一直存在使用者沒有設定憑證之憑證密碼時與憑證對應之私鑰將直接被用來進行數位簽章的問題,因此有必要提出改進的技術手段,來解決此一問題。In summary, it can be known that in the prior art, the private key corresponding to the voucher when the user does not set the voucher password of the voucher has been directly used for the digital signature, so it is necessary to propose an improved technical means. Solve this problem.

有鑒於先前技術存在使用者沒有設定憑證之憑證密碼時與憑證對應之私鑰將直接被用來進行數位簽章的問題,本創作遂揭露一種於簽章時驗證使用者身分之計算設備,其中:In view of the prior art, when the user does not have a voucher password for setting a voucher, the private key corresponding to the voucher will be directly used for the digital signature. The author discloses a computing device for verifying the user identity at the time of signing, wherein :

本創作所揭露之於簽章時驗證使用者身分之計算設備,至少包含:憑證選擇模組,用以提供選擇目標憑證;金鑰存取模組,用以判斷與目標憑證對應之私鑰是否被指定密碼或預設密碼加密;輸入模組,用以於私鑰被指定密碼加密時,提供輸入指定密碼;身份驗證模組,用以於私鑰被預設密碼加密時,驗證使用者身分;解密模組,用以使用指定密碼解密私鑰,及用以於使用者身分通過驗證時,使用預設密碼解密私鑰;簽章模組,用以使用私鑰簽章。The computing device disclosed in the present invention for verifying the identity of the user at the time of signing includes at least: a voucher selection module for providing a selection target voucher; and a key access module for determining whether the private key corresponding to the target voucher is The password is encrypted by the designated password or the preset password; the input module is configured to provide an input designated password when the private key is encrypted by the specified password; and the authentication module is configured to verify the user identity when the private key is encrypted by the preset password. The decryption module is configured to decrypt the private key by using the specified password, and is used to decrypt the private key when the user identity passes the verification, and the signature module is used to use the private key signature.

本創作所揭露之計算設備如上,與先前技術之間的差異在於本創作透過在判斷與被選擇之目標憑證對應的私鑰被預設密碼加密時,驗證使用者身分,並在使用者身分通過驗證時,使用預設密碼解密私鑰,藉以解決先前技術所存在的問題,並可以達成使用者只需記憶手機解鎖密碼不需額外記憶憑證密碼的技術功效。The computing device disclosed in the present application is as above, and the difference from the prior art is that the author authenticates the user identity by encrypting the private key corresponding to the selected target credential, and passes the user identity. In the verification, the private key is decrypted by using the preset password, so as to solve the problems existing in the prior art, and the technical effect that the user only needs to memorize the unlocking password of the mobile phone without additionally remembering the password of the password can be achieved.

以下將配合圖式及實施例來詳細說明本創作之特徵與實施方式,內容足以使任何熟習相關技藝者能夠輕易地充分理解本創作解決技術問題所應用的技術手段並據以實施,藉此實現本創作可達成的功效。The features and implementations of the present invention will be described in detail below in conjunction with the drawings and the embodiments, which are sufficient to enable any skilled person to fully understand the technical means to which the present invention solves the technical problems and implement them accordingly. The achievable effect of this creation.

本創作可以在計算設備所執行之應用程式使用與被選擇之目標憑證相對應的私鑰進行簽章時,強制使用者進行輸入行為以確認使用者允許進行簽章作業。The author can force the user to perform an input behavior to confirm that the user is allowed to perform the signature job when the application executed by the computing device uses the private key corresponding to the selected target voucher to sign.

本創作所提之計算設備包含但不限於一個或多個處理器、一個或多個記憶體模組、以及連接不同元件(包括記憶體模組和處理器)的匯流排等元件,例如,計算設備可以是手機、平板、導航裝置、多媒體播放機、電子書閱讀機、電子辭典、掌上型電動玩具等。透過所包含之多個元件,計算設備可以載入並執行作業系統,使作業系統在計算設備上運行。The computing device proposed by the present invention includes, but is not limited to, one or more processors, one or more memory modules, and components such as bus bars connecting different components (including memory modules and processors), for example, calculations The device can be a mobile phone, a tablet, a navigation device, a multimedia player, an e-book reader, an electronic dictionary, a palm-type electric toy, and the like. Through the various components included, the computing device can load and execute the operating system to cause the operating system to run on the computing device.

本創作所提之計算設備的匯流排可以包含一種或多個類型,例如包含資料匯流排(data bus)、位址匯流排(address bus)、控制匯流排(control bus)、擴充功能匯流排(expansion bus)、及/或局域匯流排(local bus)等類型的匯流排。計算設備的匯流排包括但不限於並列的工業標準架構(ISA)匯流排、周邊元件互連(PCI)匯流排、視頻電子標準協會(VESA)局域匯流排、以及串列的通用序列匯流排(USB)、快速周邊元件互連(PCI-E)匯流排等。The bus of the computing device proposed by the present application may include one or more types, for example, including a data bus, an address bus, a control bus, and an expansion bus ( Expansion bus), and / or local bus and other types of bus. Busbars for computing devices include, but are not limited to, side-by-side industry standard architecture (ISA) busses, peripheral component interconnect (PCI) busses, video electronic standards associations (VESA) local busses, and tandem universal sequence busses (USB), Fast Peripheral Component Interconnect (PCI-E) bus, etc.

本創作所提之計算設備的處理器與匯流排耦接。處理器包含暫存器(Register)組或暫存器空間,暫存器組或暫存器空間可以完全的被設置在做為處理器的處理晶片上,或全部或部分被設置在處理晶片外並經由專用電氣連接及/或經由匯流排耦接至處理器。處理器可為處理單元、微處理器或任何合適的處理元件。若計算設備為多處理器設備,也就是計算設備包含多個處理器,則計算設備所包含的處理器都相同或類似,且透過匯流排耦接與通訊。The processor of the computing device proposed by the present invention is coupled to the bus bar. The processor includes a register group or a scratchpad space, and the scratchpad group or the scratchpad space can be completely disposed on the processing chip as a processor, or all or part of the processing chip is disposed outside the processing chip. And coupled to the processor via a dedicated electrical connection and/or via a bus bar. The processor can be a processing unit, a microprocessor, or any suitable processing element. If the computing device is a multi-processor device, that is, the computing device includes multiple processors, the computing device includes the same or similar processors and is coupled and communicated through the bus.

計算設備的處理器可以與晶片組耦接或透過匯流排與晶片組電性連接。晶片組是由一個或多個積體電路(IC)組成,包含記憶體控制器以及周邊輸出入(I/O)控制器,也就是說,記憶體控制器以及周邊輸出入控制器可以包含在一個積體電路內,也可以使用兩個或更多的積體電路實現。晶片組通常提供了輸出入和記憶體管理功能、以及提供多個通用及/或專用暫存器、計時器等,其中,上述之通用及/或專用暫存器與計時器可以讓耦接或電性連接至晶片組的一個或多個處理器存取或使用。The processor of the computing device can be coupled to the chip set or electrically connected to the chip set through the bus bar. The chipset is composed of one or more integrated circuits (ICs), including a memory controller and a peripheral input/output (I/O) controller, that is, the memory controller and the peripheral output controller can be included in In an integrated circuit, two or more integrated circuits can also be used. The chipset typically provides input and memory management functions, as well as providing a plurality of general purpose and/or dedicated registers, timers, etc., wherein the general purpose and/or dedicated registers and timers are coupled or One or more processors electrically coupled to the chip set are accessed or used.

計算設備的處理器也可以透過記憶體控制器存取安裝於計算設備上的記憶體模組和大容量儲存區中的資料。上述之記憶體模組包含任何類型的揮發性記憶體(volatile memory)及/或非揮發性(non-volatile memory, NVRAM)記憶體,例如靜態隨機存取記憶體(SRAM)、動態隨機存取記憶體(DRAM)、快閃記憶體(Flash)、唯讀記憶體(ROM)等。上述之大容量儲存區可以包含任何類型的儲存裝置或儲存媒體,例如,硬碟機、光碟、磁帶機、隨身碟(快閃記憶體)、固態硬碟(Solid State Disk, SSD)、或任何其他儲存裝置等。也就是說,記憶體控制器可以存取靜態隨機存取記憶體、動態隨機存取記憶體、快閃記憶體、硬碟機、固態硬碟中的資料。The processor of the computing device can also access the data stored in the memory module and the large-capacity storage area of the computing device through the memory controller. The above memory module includes any type of volatile memory and/or non-volatile memory (NVRAM) memory, such as static random access memory (SRAM), dynamic random access. Memory (DRAM), flash memory (Flash), read-only memory (ROM), etc. The mass storage area described above may include any type of storage device or storage medium, such as a hard disk drive, a compact disc, a tape drive, a flash drive (flash memory), a solid state disk (SSD), or any Other storage devices, etc. That is to say, the memory controller can access data in the static random access memory, the dynamic random access memory, the flash memory, the hard disk drive, and the solid state hard disk.

計算設備的處理器也可以透過周邊輸出入控制器經由周邊輸出入匯流排與周邊輸出裝置、周邊輸入裝置、通訊介面、以及GPS接收器等周邊裝置或介面通訊。周邊輸入裝置可以是任何類型的輸入裝置,例如鍵盤、滑鼠、軌跡球、觸控板、搖桿等,周邊輸出裝置可以是任何類型的輸出裝置,例如顯示器、印表機等,周邊輸入裝置與周邊輸出裝置也可以是同一裝置,例如觸控螢幕等。通訊介面可以包含無線通訊介面及/或有線通訊介面,無線通訊介面可以包含支援Wi-Fi、Zigbee等無線區域網路、藍牙、紅外線、近場通訊(NFC)、3G/4G/5G等行動通訊網路或其他無線資料傳輸協定的介面,有線通訊介面可為乙太網路設備、非同步傳輸模式(ATM)設備、DSL數據機、纜線(Cable)數據機等。處理器可以週期性地輪詢(polling)各種周邊裝置與介面,使得計算設備能夠進行資料的輸入與輸出,也能夠與具有上述描述之元件的另一個計算設備進行通訊。The processor of the computing device can also communicate with the peripheral device or interface such as the peripheral output device, the peripheral input device, the communication interface, and the GPS receiver through the peripheral output/input bus through the peripheral output/input controller. The peripheral input device can be any type of input device, such as a keyboard, a mouse, a trackball, a trackpad, a rocker, etc., and the peripheral output device can be any type of output device, such as a display, a printer, etc., peripheral input device It can also be the same device as the peripheral output device, such as a touch screen. The communication interface can include a wireless communication interface and/or a wired communication interface, and the wireless communication interface can include a wireless communication network such as Wi-Fi, Zigbee, Bluetooth, infrared, near field communication (NFC), 3G/4G/5G, etc. The interface of the road or other wireless data transmission protocol, the wired communication interface can be an Ethernet device, an asynchronous transfer mode (ATM) device, a DSL data machine, a cable (data) data machine, and the like. The processor can periodically poll various peripheral devices and interfaces to enable the computing device to perform input and output of data, as well as to communicate with another computing device having the elements described above.

以下先以「第1圖」本創作所提之於簽章時驗證使用者身分之計算設備之元件示意圖來說明本創作的運作方式。如「第1圖」所示,本創作之計算設備10含有憑證選擇模組110、金鑰存取模組120、輸入模組130、身份驗證模組150、解密模組170、簽章模組180,以及可以附加的單位判斷模組160。在部分的實施例中,上述各模組可以在計算設備10執行應用程式100後產生,但本發明並不以此為限。The following is a description of the operation of the creation of the computing device by verifying the identity of the user at the time of signature in the "Picture 1". As shown in FIG. 1, the computing device 10 of the present invention includes a voucher selection module 110, a key access module 120, an input module 130, an identity verification module 150, a decryption module 170, and a signature module. 180, and a unit judgment module 160 that can be attached. In some embodiments, the above modules may be generated after the computing device 10 executes the application 100, but the invention is not limited thereto.

憑證選擇模組110負責提供選擇目標憑證。一般而言,應用程式100包含資料庫(圖中未示),資料庫中儲存一個或多個憑證以及與各個憑證對應的私鑰,憑證選擇模組110可以透過周邊輸出裝置列出資料庫所儲存之憑證並透過輸入模組130提供選擇被列出之憑證,被選擇的憑證即為目標憑證,但憑證選擇模組110提供選擇目標憑證的方式並不以上述為限。The voucher selection module 110 is responsible for providing the selection target voucher. Generally, the application 100 includes a database (not shown), the database stores one or more credentials and a private key corresponding to each credential, and the credential selection module 110 can list the database through the peripheral output device. The stored voucher is provided through the input module 130 to select the listed voucher, and the selected voucher is the target voucher, but the manner in which the voucher selection module 110 provides the selected target voucher is not limited to the above.

金鑰存取模組120負責判斷與被憑證選擇模組110所選擇之目標憑證相對應的私鑰是否被指定密碼或預設密碼加密。舉例來說,金鑰存取模組120可以依據資料庫中所記錄之與被選擇之目標憑證對應的資料判斷與被選擇之目標憑證對應之私鑰的加密方式,但本創作並不以此為限。The key access module 120 is responsible for determining whether the private key corresponding to the target credential selected by the credential selection module 110 is encrypted by a designated password or a preset password. For example, the key access module 120 can determine the encryption method of the private key corresponding to the selected target voucher according to the data recorded in the database corresponding to the selected target voucher, but the creation does not use this Limited.

其中,指定密碼是使用者所設定的密碼,通常是在申請憑證時所設定的密碼,或是使用者自行對所申請到之憑證進行變更的密碼,但本創作並不以此為限;預設密碼則是應用程式100用來加密與沒有被指定密碼加密之憑證對應的私鑰的密碼,通常為執行應用程式100之裝置的裝置識別碼等裝置識別資料,但預設密碼亦不以上述為限。The designated password is a password set by the user, usually a password set when the application for the voucher, or a password for the user to change the voucher applied for, but the creation is not limited thereto; The password is the password used by the application 100 to encrypt the private key corresponding to the certificate encrypted without the specified password, and is usually the device identification data such as the device identification code of the device executing the application 100, but the default password is not the above. Limited.

輸入模組130負責在金鑰存取模組120判斷與被憑證選擇模組110所選擇之目標憑證相對應的私鑰被指定密碼加密時,提供輸入指定密碼。輸入模組130可以呼叫執行應用程式100之作業系統所提供的輸入應用程式介面(API)以提供輸入指定密碼,也可以透過周邊輸出裝置顯示特定的按鍵並透過周邊輸入裝置提供輸入指定密碼,本創作並沒有特別的限制。The input module 130 is responsible for providing an input designated password when the key access module 120 determines that the private key corresponding to the target credential selected by the credential selection module 110 is encrypted by the designated password. The input module 130 can call the input application interface (API) provided by the operating system of the execution application 100 to provide an input designated password, or can display a specific button through the peripheral output device and provide a designated password through the peripheral input device. There are no special restrictions on creation.

輸入模組130也可以透過周邊輸入裝置提供輸入生物特徵,例如輸入指紋或擷取包含人臉的影像等,但本創作所提之生物特徵並不以上述為限;輸入模組130也可以透過周邊輸入裝置提供輸入計算設備10的螢幕解鎖密碼。The input module 130 can also provide input biometrics through the peripheral input device, such as inputting a fingerprint or capturing an image including a human face, but the biometrics proposed in the present application are not limited to the above; the input module 130 can also pass through The peripheral input device provides a screen unlock password for input to computing device 10.

身份驗證模組150負責在金鑰存取模組120判斷與被憑證選擇模組110所選擇之目標憑證相對應的私鑰被預設密碼加密時,驗證使用者身分。在部分的實施例中,身份驗證模組150可以透過輸入模組130提供輸入的生物特徵驗證使用者身分,例如,身份驗證模組150可以呼叫執行應用程式100之作業系統所提供之擷取生物特徵的應用程式介面擷取生物特徵,並使用生物特徵辨識技術對所擷取的生物特徵進行辨識以驗證使用者身分。The authentication module 150 is responsible for verifying the identity of the user when the key access module 120 determines that the private key corresponding to the target credential selected by the credential selection module 110 is encrypted by the default password. In some embodiments, the authentication module 150 can provide an input biometric verification user identity through the input module 130. For example, the authentication module 150 can call the execution entity provided by the execution system of the application 100. The feature's application interface captures biometrics and uses biometrics to identify captured biometrics to verify user identity.

在另一部份的實施例中,身份驗證模組150也可以透過螢幕解鎖密碼驗證使用者身分。例如,身份驗證模組150可以要求透過輸入模組130輸入螢幕解鎖密碼,並透過執行應用程式100之作業系統確認被輸入的螢幕解鎖密碼是否正確以驗證使用者身分;身份驗證模組150也可以呼叫螢幕解鎖應用程式介面以提供輸入螢幕解鎖密碼,並透過螢幕解鎖應用程式介面判斷被輸入的螢幕解鎖密碼是否正確以驗證使用者身分;身份驗證模組150也可以關閉螢幕等待使用者開啟螢幕並完成螢幕解鎖回到應用程式100以確認使用者身分等。但身份驗證模組150驗證使用者身分的方式並不以上述為限。In another embodiment, the authentication module 150 can also verify the user identity through the screen unlock password. For example, the authentication module 150 may require that the screen unlock password be input through the input module 130, and confirm that the input screen unlock password is correct by the execution system of the application 100 to verify the user identity; the identity verification module 150 may also The screen unlock application interface is provided to provide an input screen unlock password, and the screen unlock application interface is used to determine whether the entered screen unlock password is correct to verify the user identity; the authentication module 150 can also close the screen and wait for the user to turn on the screen. The screen is unlocked and returned to the application 100 to confirm the user's identity and the like. However, the manner in which the identity verification module 150 verifies the identity of the user is not limited to the above.

另外,身份驗證模組150也可以在設定使用螢幕解鎖密碼驗證使用者身分時,判斷螢幕解鎖密碼是否已被設定,若螢幕解鎖密碼尚未被設定,則身份驗證模組150可以顯示提示以要求先設定螢幕解鎖密碼。也就是說,若身份驗證模組150將使用螢幕解鎖密碼驗證使用者身分,則身份驗證模組150將會先確認螢幕解鎖密碼已被設定。In addition, the identity verification module 150 can also determine whether the screen unlock password has been set when the screen unlock password is used to verify the user identity. If the screen unlock password has not been set, the identity verification module 150 can display a prompt to request Set the screen unlock password. That is, if the authentication module 150 will verify the user identity using the screen unlock password, the authentication module 150 will first confirm that the screen unlock password has been set.

單位判斷模組160可以判斷被憑證選擇模組110所選擇之目標憑證的發放單位與簽章呼叫單位是否相同。舉例來說,單位判斷模組160可以由被選擇的目標憑證中讀取出目標憑證之發放單位的發放單位訊息,並比對所讀出之發放單位訊息以及簽章呼叫單位的呼叫單位訊息,藉以判斷被選擇之目標憑證的發放單位與簽章呼叫單位是否相同。其中,上述之發放單位訊息可以是發放單位的識別碼或名稱等,相似的,上述之呼叫單位訊息可以是簽章呼叫單位的識別碼或名稱。但單位判斷模組160判斷被選擇之目標憑證的發放單位與簽章呼叫單位是否相同之方式並不以上述為限。The unit judging module 160 can determine whether the issuing unit of the target credential selected by the credential selection module 110 is the same as the signature calling unit. For example, the unit judgment module 160 may read out the issue unit information of the issue unit of the target voucher from the selected target voucher, and compare the read release unit message and the call unit message of the signature call unit. It is judged whether the issuing unit of the selected target certificate is the same as the signature calling unit. The above-mentioned issuing unit message may be an identification code or a name of the issuing unit, and similarly, the above-mentioned calling unit message may be an identification code or a name of the signature calling unit. However, the unit judgment module 160 determines whether the issuing unit of the selected target document is the same as the signature calling unit, and is not limited to the above.

另外,簽章呼叫單位為欲進行簽章之程式或網頁等對象的提供者,例如,欲進行簽章之對象為與應用程式100執行於相同裝置上之其他應用程式,則簽章呼叫單位即為提供該其他應用程式之人、公司、團體、或組織;相似的,若欲進行簽章之對象為應用程式100之內嵌瀏覽器所開啟之網頁,則簽章呼叫單位即為包含應用程式100所開啟之網頁之網站的擁有者、公司、團體、或組織。In addition, the signature calling unit is a provider of an object such as a program or a web page to be signed, for example, if the object to be signed is another application executed on the same device as the application 100, the signature calling unit is For the person, company, group, or organization that provides the other application; similarly, if the object to be signed is the web page opened by the embedded browser of the application 100, the signature calling unit is the application containing the application. The owner, company, group, or organization of the website of the 100-opened web page.

解密模組170負責在金鑰存取模組120判斷與被憑證選擇模組110所選擇之目標憑證相對應的私鑰被指定密碼加密時,使用輸入模組130提供輸入的指定密碼解密與被選擇之目標憑證對應的私鑰;解密模組170也負責在金鑰存取模組120判斷與被憑證選擇模組110所選擇之目標憑證相對應的私鑰被預設密碼加密,且使用者身分通過身份驗證模組150的驗證時,使用預設密碼解密與被選擇之目標憑證對應的私鑰。The decryption module 170 is responsible for decrypting and decrypting the specified password provided by the input module 130 when the key access module 120 determines that the private key corresponding to the target credential selected by the credential selection module 110 is encrypted by the designated password. The private key corresponding to the selected target credential; the decryption module 170 is also responsible for determining, at the key access module 120, that the private key corresponding to the target credential selected by the credential selection module 110 is encrypted by the preset password, and the user When the identity is verified by the authentication module 150, the private key corresponding to the selected target credential is decrypted using the preset password.

解密模組170也可以在單位判斷模組160判斷被憑證選擇模組110所選擇之目標憑證的發放單位與簽章呼叫單位相同時,直接使用預設密碼解密被選擇之私鑰。也就是說,在部分的實施例中,當金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰被預設密碼加密,且單位判斷模組160判斷被選擇之目標憑證的發放單位與簽章呼叫單位相同時,解密模組170可以使用預設密碼解密與被選擇之目標憑證對應的私鑰;而當金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰被預設密碼加密,同時單位判斷模組160判斷被選擇之目標憑證的發放單位與簽章呼叫單位不同,且使用者身分通過身份驗證模組150的驗證時,解密模組170同樣可以使用預設密碼解密與被選擇之目標憑證對應的私鑰。The decryption module 170 can also directly decrypt the selected private key by using the preset password when the unit judgment module 160 determines that the issuing unit of the target credential selected by the credential selection module 110 is the same as the signature calling unit. That is, in some embodiments, when the key access module 120 determines that the private key corresponding to the selected target credential is encrypted by the preset password, and the unit judging module 160 judges the selected target credential. When the issuing unit is the same as the signature calling unit, the decryption module 170 may decrypt the private key corresponding to the selected target document by using the preset password; and when the key access module 120 determines the corresponding corresponding to the selected target document, The private key is encrypted by the preset password, and the unit determining module 160 determines that the issuing unit of the selected target credential is different from the signature calling unit, and the decryption module 170 can also be used when the user identity is verified by the authentication module 150. The private key corresponding to the selected target credential is decrypted using the preset password.

簽章模組180負責使用解密模組170解密後的私鑰對簽章呼叫單位所提供的資料進行簽章。The signature module 180 is responsible for signing the information provided by the signature calling unit using the decrypted private key decrypted by the decryption module 170.

接著以第一實施例來解說本創作的運作過程,並請參照「第2A圖」本創作所提之於簽章時驗證使用者身分之方法流程圖。Next, the operation of the present creation will be explained in the first embodiment, and please refer to the flowchart of the method for verifying the identity of the user at the time of signature in the "Phase 2A".

在本實施例中,假設使用者在計算設備10上執行證券公司所提供之證券下單應用程式,並在證券下單應用程式中下單時,若證券下單應用程式需要進行簽章作業,則證券下單應用程式可以呼叫應用程式100,此時,簽章呼叫單位為提供證券下單應用程式的證券公司。但本實施例並不以此為限,例如,使用者也可以使用應用程式100之內嵌瀏覽器開啟證券公司所提供之下單網頁進行下單。In this embodiment, it is assumed that when the user executes the securities order application provided by the securities company on the computing device 10 and places an order in the securities order application, if the securities order application needs to perform the signing operation, The securities order application can call the application 100. At this time, the signature call unit is a securities company that provides a securities order application. However, the embodiment is not limited thereto. For example, the user can use the embedded browser of the application 100 to open a single webpage provided by the securities company to place an order.

在使用者操作證券下單應用程式,使得證券下單應用程式呼叫應用程式100後,憑證選擇模組110可以提供選擇目標憑證(步驟210)。在本實施例中,假設憑證選擇模組110可以顯示應用程式100之資料庫中所記錄之所有憑證的清單,藉以提供使用者由清單中選擇目標憑證。After the user operates the securities order application so that the securities order application calls the application 100, the voucher selection module 110 can provide the selection target voucher (step 210). In this embodiment, it is assumed that the credential selection module 110 can display a list of all the vouchers recorded in the database of the application 100, thereby providing the user with the target vouchers selected from the list.

在憑證選擇模組110提供選擇目標憑證(步驟210)後,金鑰存取模組120可以判斷與憑證選擇模組110提供選擇之目標憑證相對應的私鑰是否被指定密碼加密(步驟222)。After the credential selection module 110 provides the selection target credential (step 210), the key access module 120 can determine whether the private key corresponding to the selected target credential provided by the credential selection module 110 is encrypted by the specified password (step 222). .

若金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰被指定密碼加密,則輸入模組130可以提供輸入指定密碼(步驟230)。在本實施例中,假設輸入模組130可以顯示指定密碼的輸入介面,藉以提供使用者輸入指定密碼。If the key access module 120 determines that the private key corresponding to the selected target credential is encrypted by the specified password, the input module 130 may provide an input designation password (step 230). In this embodiment, it is assumed that the input module 130 can display an input interface for specifying a password, thereby providing a user to input a designated password.

在使用者透過輸入模組130輸入指定密碼後,解密模組170可以使用被使用者輸入的指定密碼解密與應用程式100之憑證選擇模組110提供選擇的目標憑證對應的私鑰(步驟240),簽章模組180可以使用解密模組170解密後的私鑰進行簽章(步驟250)。在本實施例中,簽章模組180是使用解密後的私鑰對呼叫應用程式100之證券下單應用程式提供使用者輸入之下單資料簽章。After the user inputs the designated password through the input module 130, the decryption module 170 can decrypt the private key corresponding to the selected target document provided by the credential selection module 110 of the application 100 using the specified password input by the user (step 240). The signature module 180 can use the private key decrypted by the decryption module 170 to sign (step 250). In this embodiment, the signature module 180 provides the user-entered single-item signature to the securities placing application of the calling application 100 using the decrypted private key.

而若金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰不是被指定密碼加密,通常表示與被選擇之目標憑證相對應的私鑰被預設密碼加密,則身份驗證模組150可以透過執行應用程式100之作業系統驗證使用者身分,並判斷使用者身分是否通過驗證(步驟280)。在本實施例中,假設身份驗證模組150可以在應用程式100被安裝後,第一次被執行時,偵測執行應用程式100之作業系統(也就是於計算設備10中運行的作業系統)的系統訊息,藉以判斷執行應用程式100之作業系統是否為可以使用生物特徵辨識使用者身分的版本,若是,則提供使用者選擇使用生物特徵或螢幕鎖定密碼驗證使用者身分。如果使用者選擇使用生物特徵驗證使用者身分,則身份驗證模組150在需要驗證使用者身分時,可以呼叫執行應用程式100之作業系統所提供之生物特徵識別的應用程式介面,使得生物特徵識別的應用程式介面提供使用者輸入指紋或人臉等生物特徵,並辨識被使用者輸入的生物特徵,如此,身份驗證模組150可以依據生物特徵識別的應用程式介面的辨識結果判斷使用者身分是否通過驗證;而若使用者選擇不使用生物特徵驗證使用者身分,或是身份驗證模組150判斷執行應用程式100之作業系統不為可以使用生物特徵辨識使用者身分的版本,則身份驗證模組150在需要驗證使用者身分時,可以呼叫執行應用程式100之作業系統所提供之螢幕解鎖應用程式介面,使得螢幕解鎖應用程式介面提供使用者輸入螢幕解鎖密碼,並判斷被輸入的螢幕解鎖密碼是否正確,如此,身份驗證模組150可以依據螢幕解鎖應用程式介面所判斷的螢幕解鎖密碼正確與否判斷使用者身分是否通過驗證。If the key access module 120 determines that the private key corresponding to the selected target credential is not encrypted by the specified password, and generally indicates that the private key corresponding to the selected target credential is encrypted by the preset password, the identity verification module The group 150 can verify the identity of the user by executing the operating system of the application 100 and determine whether the user identity has passed verification (step 280). In this embodiment, it is assumed that the identity verification module 150 can detect the operating system of the execution application 100 (that is, the operating system running in the computing device 10) when the application 100 is installed for the first time. The system message is used to determine whether the operating system executing the application 100 is a version that can use the biometric identification user identity, and if so, the user is selected to use the biometric or screen lock password to verify the user identity. If the user chooses to use the biometric to verify the user identity, the authentication module 150 can call the biometric application interface provided by the operating system of the application 100 to enable biometric identification when the user identity needs to be verified. The application interface provides the user with input biometrics such as a fingerprint or a human face, and recognizes the biometric input by the user. Thus, the authentication module 150 can determine whether the user identity is based on the identification result of the biometric identification application interface. If the user chooses not to use the biometrics to verify the user identity, or the authentication module 150 determines that the operating system of the execution application 100 is not a version that can use the biometric identification user identity, the authentication module 150, when the user identity needs to be verified, the screen unlocking application interface provided by the operating system of the execution application 100 can be called, so that the screen unlocking application interface provides the user input screen unlocking password and determines whether the screen unlocking password is input. Right, so, Part verification module 150 can unlock the API judged the screen unlock password is correct or not by judging whether the user identity verification based on the screen.

若身份驗證模組150判斷使用者身分沒有通過驗證(步驟280),則身份驗證模組150可以結束應用程式100,使得應用程式100拒絕呼叫應用程式100之證券下單應用程式的簽章作業;而若身份驗證模組150判斷使用者身分通過驗證(步驟280),則解密模組170可以使用預設密碼解密與憑證選擇模組110提供選擇的目標憑證對應的私鑰(步驟290),簽章模組180可以使用解密模組170解密後的私鑰進行簽章(步驟250)。在本實施例中,簽章模組180是使用解密後的私鑰對呼叫應用程式100之證券下單應用程式提供使用者輸入之下單資料簽章。If the identity verification module 150 determines that the user identity has not passed the verification (step 280), the identity verification module 150 can end the application 100, so that the application 100 rejects the signature operation of the securities order application of the calling application 100; If the identity verification module 150 determines that the user identity has passed the verification (step 280), the decryption module 170 can decrypt the private key corresponding to the selected target voucher provided by the voucher selection module 110 by using the preset password (step 290). The chapter module 180 can sign using the decrypted private key decrypted by the decryption module 170 (step 250). In this embodiment, the signature module 180 provides the user-entered single-item signature to the securities placing application of the calling application 100 using the decrypted private key.

繼續以第二實施例來解說本創作的運作過程,同樣請參照「第2A圖」。在本實施例中,假設使用者使用計算設備10所執行之應用程式100的內嵌瀏覽器開啟報稅網頁並進行報稅作業。在報稅作業的過程中,若需要進行簽章作業時,報稅網頁中的Java Script可以呼叫應用程式100,此時,簽章呼叫單位為提供報稅網頁的國稅局。但本實施例並不以此為限,例如,使用者也可以使用報稅軟體進行報稅作業。Continuing with the second embodiment to illustrate the operation of this creation, please also refer to "2A". In this embodiment, it is assumed that the user uses the embedded browser of the application 100 executed by the computing device 10 to open the tax return webpage and perform a tax return operation. In the process of filing a tax return, if a signature job is required, the Java Script in the tax return page can call the application 100. At this time, the signature calling unit is the IRS that provides the tax return page. However, the embodiment is not limited thereto. For example, the user can also use the tax filing software to perform the tax return operation.

在使用者操作報稅網頁,使得報稅網頁中的Java Script呼叫應用程式100後,憑證選擇模組110可以提供選擇目標憑證(步驟210)。在本實施例中,假設憑證選擇模組110可以顯示應用程式100之資料庫中所記錄之所有憑證的清單,藉以提供使用者由清單中選擇目標憑證。After the user operates the tax return page to cause the Java Script in the tax return webpage to call the application 100, the credential selection module 110 can provide a selection target credential (step 210). In this embodiment, it is assumed that the credential selection module 110 can display a list of all the vouchers recorded in the database of the application 100, thereby providing the user with the target vouchers selected from the list.

在憑證選擇模組110提供選擇目標憑證(步驟210)後,金鑰存取模組120可以判斷與憑證選擇模組110提供選擇之目標憑證相對應的私鑰是否被指定密碼加密(步驟222)。After the credential selection module 110 provides the selection target credential (step 210), the key access module 120 can determine whether the private key corresponding to the selected target credential provided by the credential selection module 110 is encrypted by the specified password (step 222). .

若金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰被指定密碼加密,則輸入模組130可以提供輸入指定密碼(步驟230)。在本實施例中,假設輸入模組130可以顯示指定密碼的輸入介面,藉以提供使用者輸入指定密碼。If the key access module 120 determines that the private key corresponding to the selected target credential is encrypted by the specified password, the input module 130 may provide an input designation password (step 230). In this embodiment, it is assumed that the input module 130 can display an input interface for specifying a password, thereby providing a user to input a designated password.

在使用者透過輸入模組130輸入指定密碼後,解密模組170可以使用被使用者輸入的指定密碼解密與應用程式100之憑證選擇模組110提供選擇的目標憑證對應的私鑰(步驟240),簽章模組180可以使用解密模組170解密後的私鑰進行簽章(步驟250)。在本實施例中,簽章模組180是使用解密後的私鑰對被使用者輸入到呼叫應用程式100之報稅網頁中的報稅下單資料簽章。After the user inputs the designated password through the input module 130, the decryption module 170 can decrypt the private key corresponding to the selected target document provided by the credential selection module 110 of the application 100 using the specified password input by the user (step 240). The signature module 180 can use the private key decrypted by the decryption module 170 to sign (step 250). In this embodiment, the signature module 180 is a tax return order data signature that is entered into the tax return webpage of the call application 100 by the user using the decrypted private key.

而若金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰不是被指定密碼加密,通常表示與被選擇之目標憑證相對應的私鑰被預設密碼加密,則身份驗證模組150可以驗證使用者身分,並判斷使用者身分是否通過驗證(步驟280)。在本實施例中,假設身份驗證模組150可以偵測執行應用程式100之作業系統(也就是於計算設備10中運行的作業系統)的系統訊息,藉以判斷執行應用程式100之作業系統是否為可以呼叫螢幕解鎖應用程式介面的版本,若是,則身份驗證模組150可以呼叫執行應用程式100之作業系統所提供之螢幕解鎖應用程式介面,使得螢幕解鎖應用程式介面提供使用者輸入螢幕解鎖密碼,並判斷被輸入的螢幕解鎖密碼是否正確,身份驗證模組150可以依據螢幕解鎖應用程式介面的判斷結果判斷使用者身分是否通過驗證;若執行應用程式100之作業系統為無法呼叫螢幕解鎖應用程式介面的版本,則身份驗證模組150可以提示使用者允許應用程式100擁有管理者權限,如果使用者不同意給予應用程式100管理者權限,則身份驗證模組150可以結束應用程式100,使得應用程式100拒絕呼叫應用程式100之報稅網頁的簽章作業,但如果使用者同意給予應用程式100管理者權限,則身份驗證模組150可以關閉螢幕,並判斷使用者是否於預定時間內開啟螢幕且完成螢幕解鎖後回到應用程式100以判斷使用者身分是否通過驗證。If the key access module 120 determines that the private key corresponding to the selected target credential is not encrypted by the specified password, and generally indicates that the private key corresponding to the selected target credential is encrypted by the preset password, the identity verification module Group 150 can verify the identity of the user and determine if the user's identity has passed verification (step 280). In this embodiment, it is assumed that the identity verification module 150 can detect the system information of the operating system of the application 100 (that is, the operating system running in the computing device 10), thereby determining whether the operating system of the executing application 100 is The screen unlocking application version can be called, and if so, the authentication module 150 can call the screen unlocking application interface provided by the operating system of the application 100 to enable the screen unlocking application interface to provide the user with a screen unlocking password. And determining whether the input screen unlocking password is correct, the identity verification module 150 can determine whether the user identity is verified according to the judgment result of the screen unlocking application interface; if the operating system of the executing application 100 is unable to call the screen unlocking application interface The authentication module 150 can prompt the user to allow the application 100 to have administrator rights. If the user does not agree to give the application 100 administrator authority, the authentication module 150 can end the application 100 and make the application 100 rejects the call should The signature operation of the tax return page of the program 100, but if the user agrees to give the application 100 administrator authority, the authentication module 150 can close the screen and determine whether the user opens the screen within a predetermined time and completes the screen unlocking. Go to the application 100 to determine if the user's identity has passed verification.

若身份驗證模組150判斷使用者身分沒有通過驗證,也就是螢幕解鎖應用程式介面判斷使用者所輸入的螢幕解鎖密碼錯誤達到預定次數,或是使用者沒有在預定時間內開啟螢幕並完成螢幕解鎖以回到應用程式100,則身份驗證模組150可以結束應用程式100,使得應用程式100拒絕呼叫應用程式100之證券下單應用程式的簽章作業;而若身份驗證模組150判斷使用者身分通過驗證,也就是螢幕解鎖應用程式介面判斷使用者所輸入的螢幕解鎖密碼正確,或是使用者在預定時間內開啟螢幕並完成螢幕解鎖且回到應用程式100,則解密模組170可以使用預設密碼解密與憑證選擇模組110提供選擇的目標憑證對應的私鑰(步驟290),簽章模組180可以使用解密模組170解密後的私鑰進行簽章(步驟250)。在本實施例中,簽章模組180是使用解密後的私鑰對被使用者輸入到呼叫應用程式100之報稅網頁中的報稅下單資料簽章。If the identity verification module 150 determines that the user identity has not passed the verification, that is, the screen unlocking application interface determines that the screen unlock password input by the user is incorrect for a predetermined number of times, or the user does not open the screen and complete the screen unlocking within the predetermined time. To return to the application 100, the authentication module 150 can end the application 100, so that the application 100 rejects the signature operation of the securities order application of the calling application 100; and if the identity verification module 150 determines the user identity By verifying, that is, the screen unlocking application interface determines that the screen unlocking password input by the user is correct, or the user opens the screen within a predetermined time and completes the screen unlocking and returns to the application 100, the decrypting module 170 can use the pre-reading The password decryption and credential selection module 110 provides the private key corresponding to the selected target credential (step 290), and the signature module 180 can use the private key decrypted by the decryption module 170 to sign (step 250). In this embodiment, the signature module 180 is a tax return order data signature that is entered into the tax return webpage of the call application 100 by the user using the decrypted private key.

如此,在應用程式100執行簽章作業時,本創作可以要求使用要輸入指定密碼、輸入生物特徵、或輸入螢幕解鎖密碼,使得應用程式100可以確認使用者允許進行簽章作業。Thus, when the application 100 executes the signature job, the author can request to use the specified password, enter the biometric, or enter the screen unlock password, so that the application 100 can confirm that the user is allowed to perform the signature job.

上述兩實施例中,金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰不是被指定密碼加密(步驟222)後,金鑰存取模組120可以進一步判斷與被選擇之目標憑證相對應的私鑰是否被預設密碼加密(步驟226)。In the above two embodiments, the key access module 120 determines that the private key corresponding to the selected target credential is not encrypted by the specified password (step 222), and the key access module 120 can further determine and select the selected key. Whether the private key corresponding to the target credential is encrypted by the default password (step 226).

另外,在上述兩實施例中,若應用程式100還包含單位判斷模組160,則如「第2B圖」之流程所示,在金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰被預設密碼加密,或是在金鑰存取模組120判斷與被選擇之目標憑證相對應的私鑰不是被指定密碼加密時,單位判斷模組160可以先判斷目標憑證的發放單位與簽章呼叫單位是否相同(步驟260)。若兩者不同,則如上所述,身份驗證模組150可以驗證使用者身分,並判斷使用者身分是否通過驗證(步驟280),解密模組170可以在身份驗證模組150判斷使用者身分通過驗證時,使用預設密碼解密與被選擇的目標憑證對應的私鑰(步驟290);而若單位判斷模組160判斷目標憑證的發放單位與簽章呼叫單位相同,則解密模組170可以直接使用預設密碼解密與被選擇的目標憑證對應的私鑰(步驟290),在此條件下,身份驗證模組150可以不執行,也就是身份驗證模組150可以不判斷使用者身分是否通過驗證。In addition, in the above two embodiments, if the application 100 further includes the unit determination module 160, as shown in the flow of "2B", the key access module 120 determines that it corresponds to the selected target certificate. The private key is encrypted by the default password, or when the key access module 120 determines that the private key corresponding to the selected target credential is not encrypted by the specified password, the unit judging module 160 may first determine the issuance of the target credential. Whether the unit is the same as the signature call unit (step 260). If the two are different, as described above, the identity verification module 150 can verify the user identity and determine whether the user identity passes the verification (step 280). The decryption module 170 can determine the user identity through the identity verification module 150. At the time of verification, the private key corresponding to the selected target document is decrypted using the preset password (step 290); and if the unit judgment module 160 determines that the issuing unit of the target certificate is the same as the signature calling unit, the decryption module 170 may directly The private key corresponding to the selected target certificate is decrypted using the preset password (step 290). Under this condition, the identity verification module 150 may not execute, that is, the identity verification module 150 may not determine whether the user identity passes the verification. .

此外,上述兩實施例中,在身份驗證模組150判斷使用者身分是否通過驗證(步驟280)時,若身份驗證模組150透過呼叫執行應用程式100之作業系統(也就是於計算設備10中運行之作業系統所提供的)螢幕解鎖應用程式介面判斷使用者身分是否通過驗證,則在身份驗證模組150在判斷使用者身分是否通過驗證前,身份驗證模組150可以如「第2C圖」之流程所示,先判斷螢幕鎖定密碼是否被設定(步驟202),若否,則身份驗證模組150可以提示使用者設定螢幕解鎖密碼(步驟206)。例如,身份驗證模組150可以在應用程式100被安裝後,第一次被執行時判斷螢幕鎖定密碼是否被設定(步驟202),但本創作並不以此為限。In addition, in the foregoing two embodiments, when the identity verification module 150 determines whether the user identity passes the verification (step 280), if the identity verification module 150 executes the operation system of the application 100 through the call (that is, in the computing device 10) The screen unlocking application interface provided by the operating system determines whether the user identity has passed the verification. Before the identity verification module 150 determines whether the user identity passes the verification, the identity verification module 150 can be as shown in FIG. 2C. As shown in the flow, it is first determined whether the screen lock password is set (step 202). If not, the identity verification module 150 can prompt the user to set a screen unlock password (step 206). For example, the authentication module 150 can determine whether the screen lock password is set when the application 100 is installed for the first time (step 202), but the creation is not limited thereto.

綜上所述,可知本創作與先前技術之間的差異在於具有在判斷與被選擇之目標憑證對應的私鑰被預設密碼加密時,先驗證使用者身分,並在使用者身分通過驗證時,再使用預設密碼解密私鑰之技術手段,藉由此一技術手段可以解決先前技術所存在使用者沒有設定憑證之憑證密碼時與憑證對應之私鑰將直接被用來進行數位簽章的問題,進而達成使用者只需記憶手機解鎖密碼不需額外記憶憑證密碼的技術功效。In summary, it can be seen that the difference between the present creation and the prior art is that when the private key corresponding to the selected target voucher is determined to be encrypted by the preset password, the user identity is first verified, and when the user identity passes the verification. And the technical means for decrypting the private key by using the preset password, by using a technical means, the private key corresponding to the voucher when the user has not set the voucher password of the prior art will be directly used for the digital signature. The problem, in turn, achieves the technical effect that the user only needs to memorize the mobile phone unlocking password without additionally remembering the credential password.

再者,本創作之於簽章時驗證使用者身分之方法,可實現於硬體、軟體或硬體與軟體之組合中,亦可在電腦系統中以集中方式實現或以不同元件散佈於若干互連之電腦系統的分散方式實現。Furthermore, the method of verifying the identity of the user at the time of signing can be implemented in hardware, software or a combination of hardware and software, or can be implemented in a centralized manner in a computer system or distributed in different components. The decentralized implementation of interconnected computer systems.

雖然本創作所揭露之實施方式如上,惟所述之內容並非用以直接限定本創作之專利保護範圍。任何本創作所屬技術領域中具有通常知識者,在不脫離本創作所揭露之精神和範圍的前提下,對本創作之實施的形式上及細節上作些許之更動潤飾,均屬於本創作之專利保護範圍。本創作之專利保護範圍,仍須以所附之申請專利範圍所界定者為準。Although the embodiments disclosed in the present disclosure are as above, the contents are not intended to directly limit the scope of the patent protection of the present invention. Anyone who has the usual knowledge in the technical field of this creation, without any departure from the spirit and scope disclosed in this creation, makes some modifications to the form and details of the implementation of this creation, which are the patent protection of this creation. range. The scope of patent protection of this creation must be determined by the scope of the attached patent application.

10‧‧‧計算設備10‧‧‧ Computing equipment

100‧‧‧應用程式 100‧‧‧Application

110‧‧‧憑證選擇模組 110‧‧‧Voucher selection module

120‧‧‧金鑰存取模組 120‧‧‧Key Access Module

130‧‧‧輸入模組 130‧‧‧Input module

150‧‧‧身份驗證模組 150‧‧‧Authentication module

160‧‧‧單位判斷模組 160‧‧‧Unit Judgment Module

170‧‧‧解密模組 170‧‧‧ decryption module

180‧‧‧簽章模組 180‧‧‧Signature Module

步驟202‧‧‧判斷是否已設定螢幕鎖定密碼 Step 202‧‧‧Check if the screen lock password has been set

步驟206‧‧‧要求設定螢幕解鎖密碼 Step 206‧‧‧Request to set the screen unlock password

步驟210‧‧‧提供選擇目標憑證 Step 210‧‧‧ Provide selection target credentials

步驟222‧‧‧判斷與目標憑證對應之私鑰是否被指定密碼加密 Step 222‧‧‧ Determine whether the private key corresponding to the target certificate is encrypted by the specified password

步驟226‧‧‧判斷與目標憑證對應之私鑰是否被預設密碼加密 Step 226‧‧‧ Determine whether the private key corresponding to the target voucher is encrypted by the default password

步驟230‧‧‧提供輸入指定密碼 Step 230‧‧‧ Provide input password

步驟240‧‧‧使用指定密碼解密私鑰 Step 240‧‧‧ Decrypt the private key with the specified password

步驟250‧‧‧使用私鑰簽章 Step 250‧‧‧Use private key signature

步驟260‧‧‧判斷目標憑證之發放單位與簽章呼叫單位是否相同 Step 260‧‧‧ Determine whether the issuing unit of the target document is the same as the signature calling unit

步驟280‧‧‧判斷使用者身分是否通過驗證 Step 280‧‧‧Determine whether the user's identity has passed verification

步驟290‧‧‧使用預設密碼解密私鑰 Step 290‧‧‧Use the default password to decrypt the private key

第1圖為本創作所提之於簽章時驗證使用者身分之計算設備之元件示意圖。 第2A圖為本創作所提之於簽章時驗證使用者身分之方法流程圖。 第2B圖為本創作所提之於簽章時驗證使用者身分之附加方法流程圖。 第2C圖為本創作所提之要求設定螢幕解鎖密碼之方法流程圖。Figure 1 is a schematic diagram of the components of the computing device that validates the user's identity at the time of signing. Figure 2A is a flow chart of the method for verifying the identity of the user at the time of signature. Figure 2B is a flow chart of an additional method for verifying the identity of a user at the time of signature. Figure 2C is a flow chart of the method for setting the screen unlock password for the author.

Claims (10)

一種於簽章時驗證使用者身分之計算設備,該計算設備至少包含:一憑證選擇模組,用以提供選擇一目標憑證;一金鑰存取模組,用以判斷與該目標憑證對應之一私鑰是否被一指定密碼或一預設密碼加密;一輸入模組,用以於該私鑰被該指定密碼加密時,提供輸入該指定密碼;一身份驗證模組,用以於該私鑰被一預設密碼加密時,驗證一使用者身分;一解密模組,用以使用該指定密碼解密該私鑰,及用以於該使用者身分通過驗證時,使用該預設密碼解密該私鑰;及一簽章模組,用以使用該私鑰簽章。 A computing device for verifying a user identity at the time of signing, the computing device at least comprising: a voucher selection module for providing a selection of a target voucher; and a key access module for determining a correspondence with the target voucher Whether a private key is encrypted by a specified password or a predetermined password; an input module for providing the specified password when the private key is encrypted by the specified password; an identity verification module for the private When the key is encrypted by a predetermined password, the user identity is verified; a decryption module is configured to decrypt the private key by using the specified password, and when the user identity is verified, the preset password is used to decrypt the key. a private key; and a signature module for signing with the private key. 如申請專利範圍第1項所述之於簽章時驗證使用者身分之計算設備,其中該計算設備更包含一單位判斷模組,用以判斷該目標憑證之一發放單位與一簽章呼叫單位是否相同,該解密模組更用以於該發放單位與該簽章呼叫單位相同時,使用該預設密碼解密該私鑰。 The computing device for verifying the user identity at the time of signing, as described in claim 1, wherein the computing device further comprises a unit determining module for determining one of the target voucher issuing units and a signing calling unit. If the same, the decryption module is used to decrypt the private key by using the preset password when the issuing unit is the same as the signature calling unit. 如申請專利範圍第2項所述之於簽章時驗證使用者身分之計算設備,其中該單位判斷模組是依據該發放單位之發放單位訊息與該簽章呼叫單位之呼叫單位訊息判斷該發放單位與該簽章呼叫單位是否相同。 The computing device for verifying the identity of the user at the time of signing as claimed in claim 2, wherein the unit determining module determines the issuance according to the issuing unit message of the issuing unit and the calling unit message of the signing call unit Whether the unit is the same as the signature call unit. 如申請專利範圍第1項所述之於簽章時驗證使用者身分之計算設備,其中該身份驗證模組是擷取一生物特徵以使用生物特徵辨識技術驗證該使用者身分。 The computing device for verifying the identity of a user at the time of signing as described in claim 1, wherein the authentication module captures a biometric to verify the identity of the user using a biometric identification technique. 如申請專利範圍第4項所述之於簽章時驗證使用者身分之計算設備,其中該身份驗證模組更用以偵測於該計算設備中運行之一作業系統之一系統訊息,並依據該系統訊息判斷是否為可以使用生物特徵驗證該使用者身分。 The computing device for verifying the identity of the user at the time of signing, as described in claim 4, wherein the authentication module is further configured to detect a system message of one of the operating systems running in the computing device, and The system message determines if the user identity can be verified using the biometric. 如申請專利範圍第4項所述之於簽章時驗證使用者身分之計算設備,其中該生物特徵為指紋或人臉。 A computing device for verifying a user's identity at the time of signing as described in claim 4 of the patent application, wherein the biometric is a fingerprint or a human face. 如申請專利範圍第1項所述之於簽章時驗證使用者身分之計算設備,其中該身份驗證模組是要求輸入一螢幕解鎖密碼以驗證該使用者身分。 The computing device for verifying the identity of the user at the time of signing as claimed in claim 1, wherein the authentication module is required to input a screen unlocking password to verify the identity of the user. 如申請專利範圍第7項所述之於簽章時驗證使用者身分之計算設備,其中該身份驗證模組是偵測於該計算設備中運行之一作業系統之一系統訊息,並依據該系統訊息選擇呼叫螢幕解鎖應用程式介面以要求輸入該螢幕解鎖密碼,或選擇關閉該計算設備之一螢幕,藉以於該螢幕被開啟時要求輸入該螢幕解鎖密碼。 The computing device for verifying the identity of the user at the time of signing, as described in claim 7, wherein the authentication module detects system information of one of the operating systems running in the computing device, and according to the system The message selects the call screen to unlock the application interface to request the screen unlock password, or select to turn off one of the computing devices, so that the screen unlock password is required when the screen is turned on. 如申請專利範圍第7項所述之於簽章時驗證使用者身分之計算設備,其中該身份驗證模組更用以判斷該螢幕解鎖密碼未設定時,要求設定該螢幕解鎖密碼。 The computing device for verifying the identity of the user at the time of signing, as described in claim 7, wherein the authentication module is further configured to determine that the screen unlocking password is not set, and the screen unlocking password is required to be set. 如申請專利範圍第1項所述之於簽章時驗證使用者身分之計算設備,其中該輸入模組是呼叫於該計算設備中運行之作業系統所提供之輸入應用程式介面(API)以提供輸入該指定密碼。 A computing device for verifying a user identity at the time of signing as described in claim 1, wherein the input module is an input application interface (API) provided by an operating system running in the computing device to provide Enter the specified password.
TW107215363U 2018-11-12 2018-11-12 Computing device validating user identity during signing TWM576681U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107215363U TWM576681U (en) 2018-11-12 2018-11-12 Computing device validating user identity during signing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW107215363U TWM576681U (en) 2018-11-12 2018-11-12 Computing device validating user identity during signing

Publications (1)

Publication Number Publication Date
TWM576681U true TWM576681U (en) 2019-04-11

Family

ID=66997078

Family Applications (1)

Application Number Title Priority Date Filing Date
TW107215363U TWM576681U (en) 2018-11-12 2018-11-12 Computing device validating user identity during signing

Country Status (1)

Country Link
TW (1) TWM576681U (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI813905B (en) * 2020-09-26 2023-09-01 臺灣網路認證股份有限公司 System for using authentication mechanism of fast identity online to enable certificate and method thereof

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI813905B (en) * 2020-09-26 2023-09-01 臺灣網路認證股份有限公司 System for using authentication mechanism of fast identity online to enable certificate and method thereof

Similar Documents

Publication Publication Date Title
US20230334476A1 (en) Using a contactless card to securely share personal data stored in a blockchain
JP6239788B2 (en) Fingerprint authentication method, apparatus, intelligent terminal, and computer storage medium
US20050228993A1 (en) Method and apparatus for authenticating a user of an electronic system
US20170357967A1 (en) Authentication using a secure circuit
US11675893B2 (en) Verification application, method, electronic device and computer program
US10037418B2 (en) Pre-boot authentication credential sharing system
JP2000516373A (en) Method and apparatus for secure processing of encryption keys
IL176378A (en) Method for activation of an access to a computer system or to a program
TWI720738B (en) System for combining architectures of fido and pki to identity user and method thereof
TW202040385A (en) System for using device identification to identify via telecommunication server and method thereof
TWM594186U (en) Device and system combining online rapid authentication and public key infrastructure to identify identity
TWI698823B (en) System for verifying user identity when processing digital signature and method thereof
TWM576681U (en) Computing device validating user identity during signing
TWM580206U (en) System for identifying identity through telecommunication server by identification data device
TWM575144U (en) Computing equipment using password of operating system to encrypt and decrypt
TWM641468U (en) Electronic certificate and digital certificate verification system through third-party platform
JP7521540B2 (en) Access control device, control method, and program
CN115885280A (en) Authentication device and authentication method
TWM583978U (en) System of using physical carrier to store digital certificate for performing online transaction
TWI754812B (en) System for using a device identification to log in via telecommunication server and method thereof
TWI746920B (en) System for using certificate to verify identity from different domain through portal and method thereof
TWI777105B (en) System for obtaining additional data when identifying to execute operation and method thereof
US20240340281A1 (en) Technologies for quasi-centralized, secure biometric data management
EP3637717B1 (en) System and method for establishing trust of a network device
TWM656006U (en) Digital Seal APP Binding and Blockchain Storage System