TWM583978U - System of using physical carrier to store digital certificate for performing online transaction - Google Patents

System of using physical carrier to store digital certificate for performing online transaction

Info

Publication number
TWM583978U
Authority
TW
Taiwan
Prior art keywords
client
voucher
digital
transaction
management server
Application number
TW108203296U
Other languages
Chinese (zh)
Inventor
陳嘉惠
Original Assignee
彰化商業銀行股份有限公司
Application filed by 彰化商業銀行股份有限公司
Priority to TW108203296U
Publication of TWM583978U

Landscapes

  • Storage Device Security (AREA)

Abstract

A system that uses a physical carrier to store a digital certificate for online transactions. After the client downloads the digital certificate from a certificate management server, a security control component stores the digital certificate in the physical carrier. When a certificate operation is required during a transaction operation with a transaction server, the security control component reads the digital certificate from the physical carrier, and the digital certificate is used to carry out the transaction operation. By this technical means, a digital certificate applied for through a browser can be stored in and used from a physical carrier, achieving the technical effect of reducing the complexity of certificate management.

Description

System using a physical carrier to store a digital certificate for online transactions

A system for conducting online transactions using a digital certificate, and in particular a system that uses a physical carrier to store a digital certificate for online transactions.

A digital certificate, also called an electronic certificate, is an identity recognition mechanism used by computer systems. A digital certificate is one computer file or a set of computer files that records the owner's identity data and a public key. The owner of a digital certificate can authenticate their identity to a computer system in order to access or use a particular computer service.

In the early days, because network security was not valued as much as it is today, most computer services that had to be accessed or used with a digital certificate were provided as web pages with an attached security control plug-in component. That is, when accessing or using these services, users went through the browser to perform certificate application, renewal, query and related services with a remote server.

However, a certificate applied for through a browser can only be used in that browser and cannot be used by the user elsewhere.

In summary, the prior art has long had the problem that a digital certificate can only be used in the browser through which it was applied for, so an improved technical means is needed to solve this problem.

In view of the prior-art problem that a digital certificate can only be used in the browser through which it was applied for, the present creation discloses a system that uses a physical carrier to store a digital certificate for online transactions, wherein:

The system disclosed in the present creation, which uses a physical carrier to store a digital certificate for online transactions, comprises at least: a client, on which a security control component is installed; a physical carrier, connected to the client; a certificate management server, from which the client downloads, through the security control component, the digital certificate corresponding to the client, so that the security control component stores the digital certificate in the physical carrier; a hardware encryption/decryption host, used to verify the certificate information of the digital certificate; and a transaction server, to which the client connects and which, according to the transaction requested by the client, requires the client to perform the corresponding certificate operation, so that the client reads the digital certificate from the physical carrier through the security control component and transmits the certificate information of the digital certificate to the hardware encryption/decryption host. When the certificate information passes the verification of the hardware encryption/decryption host, the digital certificate is used to carry out the transaction operation with the transaction server.

The system disclosed in the present creation is as described above. It differs from the prior art in that, after the client downloads the digital certificate from the certificate management server, the security control component stores the digital certificate in the physical carrier; and when a certificate operation is required during a transaction operation with the transaction server, the security control component reads the digital certificate from the physical carrier and the digital certificate is used to carry out the transaction operation. This solves the problem of the prior art and achieves the technical effect of reducing the complexity of certificate management.

The features and implementation of the present creation are described in detail below with reference to the drawings and embodiments. The content is sufficient for any person skilled in the relevant art to readily and fully understand the technical means the present creation applies to solve the technical problem and to implement it accordingly, thereby achieving the effects the present creation can attain.

The present creation can store a digital certificate in a physical carrier and, when the digital certificate needs to be used, access it from the physical carrier. In this way, a user can use the physical carrier holding the digital certificate to use that certificate on different clients.

The system of the present creation is first explained with "Fig. 1", the architecture diagram of the system that uses a physical carrier to store a digital certificate for online transactions. As shown in "Fig. 1", the system of the present creation includes a service server 110, a certificate management server 120, a transaction server 130, a hardware encryption/decryption host 140, a physical carrier 150, a client 160, and an optional communication device 190. The service server 110, the certificate management server 120, the transaction server 130, the hardware encryption/decryption host 140, the client 160 and the communication device 190 may each be a computing device with data processing and network communication functions.

A computing device as referred to in the present creation includes, but is not limited to, one or more processors, one or more memory modules, and a bus connecting the different components (including the memory modules and the processors). With these components, the computing device can load and execute an operating system so that the operating system runs on the computing device.

The bus of the computing device referred to in the present creation may be of one or more types, for example a data bus, an address bus, a control bus, an expansion bus and/or a local bus. The bus of the computing device includes, but is not limited to, the parallel Industry Standard Architecture (ISA) bus, the Peripheral Component Interconnect (PCI) bus and the Video Electronics Standards Association (VESA) local bus, and the serial Universal Serial Bus (USB) and PCI Express (PCI-E) bus.

The processor of the computing device referred to in the present creation is coupled to the bus. The processor includes a register set or register space, which may be located entirely on the processing chip, or wholly or partly outside the processing chip and coupled to the processor through a dedicated electrical connection and/or through the bus. The processor may be a processing unit, a microprocessor or any suitable processing element. If the computing device is a multi-processor device, that is, it contains multiple processors, the processors it contains are all the same or similar and are coupled and communicate through the bus. The processor can interpret a sequence of instructions so that the computing device performs particular operations, for example mathematical operations and data comparison.

The processor of the computing device may be coupled to a chipset or electrically connected to the chipset through the bus. The chipset consists of one or more integrated circuits (ICs) and includes a memory controller and a peripheral input/output (I/O) controller; that is, the memory controller and the peripheral I/O controller may be contained in a single integrated circuit or implemented with two or more integrated circuits. The chipset usually provides I/O and memory management functions as well as a number of general-purpose and/or special-purpose registers, timers and the like, which can be accessed or used by the one or more processors coupled or electrically connected to the chipset.

The processor of the computing device can also access, through the memory controller, data in the memory modules and mass storage installed on the computing device. The memory modules include any type of volatile memory and/or non-volatile memory (NVRAM), for example static random access memory (SRAM), dynamic random access memory (DRAM), flash memory and read-only memory (ROM). The mass storage may include any type of storage device or storage medium, for example a hard disk drive, an optical disc, a flash drive (flash memory), a memory card, a solid state disk (SSD) or any other storage device. That is, the memory controller can access data in static random access memory, dynamic random access memory, flash memory, hard disk drives and solid state disks.

The processor of the computing device can also communicate, through the peripheral I/O controller and the peripheral I/O bus, with peripheral devices or interfaces such as peripheral output devices, peripheral input devices, communication interfaces and a GPS receiver. A peripheral input device may be any type of input device, for example a keyboard, mouse, trackball, touchpad or joystick; a peripheral output device may be any type of output device, for example a display or printer; and the peripheral input device and peripheral output device may be the same device, for example a touch screen. The communication interface may include a wireless communication interface and/or a wired communication interface. The wireless communication interface may include interfaces supporting wireless local area networks such as Wi-Fi and Zigbee, Bluetooth, infrared, near-field communication (NFC), mobile networks such as 3G/4G/5G, or other wireless data transmission protocols; the wired communication interface may be an Ethernet device, an Asynchronous Transfer Mode (ATM) device, a DSL modem, a cable modem and so on. The processor may periodically poll the various peripheral devices and interfaces so that the computing device can input and output data and can communicate with another computing device having the components described above.

The service server 110 can use its communication interface to let the client 160 connect over a wired or wireless network. It is also responsible for storing the security control component in its mass storage and for letting the client 160 download the security control component through the communication interface. The security control component may be an add-on or plug-in of a web browser running on the client 160, or it may be included in an application that the client 160 can execute.

In some embodiments, the service server 110 may also store account data in its mass storage and may use the communication interface to let the client 160 download the stored account data through the security control component. The account data need not be stored in plaintext; for example, the service server 110 may store the account data in the form of a two-dimensional barcode or the like.

The account data referred to in the present creation may be the bank account number and/or personal data of the user of the client 160, but the present creation is not limited thereto. The personal data includes, but is not limited to, name, national ID number, gender, mailing address, telephone number and e-mail address.

The certificate management server 120 can use its communication interface to let the client 160 connect over a wired or wireless network, and can use its mass storage to store the digital certificate applied for on behalf of the client 160.

The certificate management server 120 can also use its mass storage to record the device identification data of the client 160 and the storage information of the digital certificate corresponding to the client 160. The device identification data may be data with a unique value, such as the device name, device serial number, processor serial number, network address or MAC address of the client 160, but the device identification data referred to in the present creation is not limited to these. The storage information includes the storage path and file name of the digital certificate, but the present creation is not limited thereto; any data that allows the digital certificate to be read correctly can serve as storage information.

The certificate management server 120 is responsible for receiving, through its communication interface, the device identification data sent by the client 160, and for looking up the storage information of the digital certificate corresponding to the client 160 according to the received device identification data. When the certificate management server 120 finds the storage information of the digital certificate corresponding to the client 160, it can read that digital certificate from mass storage according to the storage information found and send it to the client 160 through the communication interface. When the certificate management server 120 does not find the storage information of the digital certificate corresponding to the client 160, it can use the communication interface to send the client 160 a notification message indicating that no digital certificate corresponding to the client 160 exists. When it does not find the storage information of the digital certificate corresponding to the client 160, or when its communication interface receives a certificate application message sent by the client 160, the certificate management server 120 can also use the communication interface to connect over a wired or wireless network to the certificate management center 400, apply for the corresponding digital certificate on behalf of the client 160, and return the digital certificate so obtained to the client 160.

In some embodiments, the certificate management server 120 can also use its communication interface to receive the device identification data of the client 160 and the certificate information sent by the client 160, and can determine whether the received device identification data and certificate information correspond, that is, whether mass storage holds a record containing both the received device identification data and the received certificate information. If such a record exists, the certificate management server 120 can generate a notification message indicating that the client has been confirmed and send it to the client 160. If no such record exists, the certificate management server 120 can read the corresponding contact data according to the applicant data in the certificate information, use the communication interface to send a confirmation message, according to that contact data, to the communication device 190 corresponding to the certificate information (that is, a communication device that the applicant of the digital certificate indicated by the certificate information can use), receive the response message returned by the communication device 190, generate from the received response message a notification message indicating whether the client 160 has been confirmed, and send the notification message to the client 160 through the communication interface. The response message sent by the communication device 190 indicates whether the applicant of the digital certificate allows or refuses the client 160 access to the digital certificate. If the applicant refuses the client 160 access to the digital certificate, the certificate management server 120 can generate a notification message that the client 160 has not been confirmed; if the applicant allows the client 160 to access the digital certificate, the certificate management server 120 can generate a notification message that the client 160 has been confirmed.
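The device check described in the paragraph above, modelled as an added example that is not part of the patent text. All class, function and message names and the sample device and certificate values are constructed for illustration; treating missing contact data or an unanswered prompt as "not confirmed" is an assumption, since the text only covers the allow and deny replies.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Notification values returned to the client (wording is an assumption).
CONFIRMED = "client confirmed"
NOT_CONFIRMED = "client not confirmed"

# A confirmation channel delivers the prompt to the applicant's communication
# device and returns True (allow), False (refuse) or None (no reply).
ConfirmChannel = Callable[[str, str, str], Optional[bool]]


@dataclass
class CertificateManagementServer:
    # (device identification data, certificate serial) pairs already on record
    records: Set[Tuple[str, str]] = field(default_factory=set)
    # applicant -> contact data for that applicant's communication device
    contacts: Dict[str, str] = field(default_factory=dict)
    # (device id, serial, reason) for every decision, for later review
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def check_client(self, device_id: str, cert_info: Dict[str, str],
                     channel: ConfirmChannel) -> str:
        serial = cert_info["serial"]
        # Case 1: a record holding both values exists, so no prompt is sent.
        if (device_id, serial) in self.records:
            return self.decide(device_id, serial, "record match", CONFIRMED)
        # Case 2: unknown pairing, so ask the applicant out of band.
        contact = self.contacts.get(cert_info["applicant"])
        if contact is None:
            # Assumption: nobody to ask means the client is not confirmed.
            return self.decide(device_id, serial, "no contact data",
                               NOT_CONFIRMED)
        answer = channel(contact, device_id, serial)
        if answer is True:
            return self.decide(device_id, serial, "applicant allowed",
                               CONFIRMED)
        # Assumption: an unanswered prompt is handled like a refusal.
        reason = "applicant denied" if answer is False else "no reply"
        return self.decide(device_id, serial, reason, NOT_CONFIRMED)

    def decide(self, device_id: str, serial: str, reason: str,
               result: str) -> str:
        self.audit.append((device_id, serial, reason))
        return result


def run_demo():
    """Run five constructed requests against one server instance."""
    server = CertificateManagementServer(
        records={("PC-0001", "SER-100")},
        contacts={"applicant-a": "phone-a"},
    )
    cert = {"serial": "SER-100", "applicant": "applicant-a"}
    prompts: List[Tuple[str, str, str]] = []

    def make_channel(reply: Optional[bool]) -> ConfirmChannel:
        def channel(contact: str, device_id: str, serial: str):
            prompts.append((contact, device_id, serial))
            return reply
        return channel

    results = {
        "known": server.check_client("PC-0001", cert, make_channel(False)),
        "allowed": server.check_client("PC-0002", cert, make_channel(True)),
        "denied": server.check_client("PC-0003", cert, make_channel(False)),
        "silent": server.check_client("PC-0004", cert, make_channel(None)),
        "orphan": server.check_client(
            "PC-0005", {"serial": "SER-200", "applicant": "nobody"},
            make_channel(True)),
    }
    return results, prompts, server


if __name__ == "__main__":
    demo_results, demo_prompts, demo_server = run_demo()
    for name, outcome in demo_results.items():
        print(f"{name:8s} -> {outcome}")
    print("prompts sent:", len(demo_prompts))
```

The model does not add a record after the applicant allows access, because the text does not say the server does so; each request from an unrecorded device therefore triggers a new prompt.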

The transaction server 130 uses its communication interface to let the client 160 connect over a wired or wireless network and is responsible for carrying out transaction operations with the client 160. The transaction operations carried out between the transaction server 130 and the client 160 include operations that require a digital certificate, for example online transfers/orders, certificate management and online financing/drawdown, but the transaction operations referred to in the present creation are not limited to these.

The transaction server 130 can use its communication interface to receive the account data sent by the client 160 and can complete the transaction operation according to the received account data.

In some embodiments, the transaction server 130 and the service server 110 may be the same entity or different entities within the same server; that is, one server can provide the services of both the transaction server 130 and the service server 110.

The hardware encryption/decryption host 140 can use its communication interface to let the client 160 connect over a wired or wireless network. The hardware encryption/decryption host 140 is also responsible for storing issuance identification data in its mass storage and can use the communication interface to let the client 160 read the stored issuance identification data through the security control component.

The hardware encryption/decryption host 140 is also responsible for receiving, through its communication interface, the certificate information sent by the client 160, and can read specific data from the received certificate information.

The hardware encryption/decryption host 140 can also determine whether the specific data it has read matches the issuance identification data. When the specific data matches the issuance identification data, the certificate information passes verification; when the specific data does not match the issuance identification data, the certificate information fails verification. The hardware encryption/decryption host 140 can also use the communication interface to return the determination result to the client 160. The determination result indicates whether the certificate information passed the verification of the hardware encryption/decryption host 140.

The physical carrier 150 can be connected directly to the client 160 through the peripheral I/O bus, for example through USB, IEEE 1394 or an audio input/output jack. The physical carrier 150 can also be connected to the client 160 through a specific component or module attached to the peripheral I/O bus, for example through a card reader built into or externally attached to the client 160.

The physical carrier 150 is responsible for storing the digital certificate and making it accessible to the connected client 160. The physical carrier 150 is a device, module or component containing a storage medium capable of storing data, for example an external hard disk, a USB flash drive, a memory card or a chip card, but the present creation is not limited thereto.

Generally, the digital certificate stored in the physical carrier 150 is encrypted, and the client 160 must go through the security control component to access it. That is, the security control component must first decrypt the digital certificate stored in the physical carrier 150 before the client 160 can access that digital certificate through the security control component.

The client 160 is, for example, a computer, mobile phone, tablet, television, navigation device, multimedia player, e-book reader, electronic dictionary or game console, but the present creation is not limited thereto.

The client 160 can use its peripheral I/O bus to let the physical carrier 150 connect, and can use its communication interface to connect over a wired or wireless network to the service server 110, the certificate management server 120, the transaction server 130 and the hardware encryption/decryption host 140.

The client 160 is also responsible for installing the downloaded security control component. In some embodiments, the client 160 can use its communication interface to download the security control component from the connected service server 110 or transaction server 130 and install it. In other embodiments, after being connected to the physical carrier 150, the client 160 can detect whether the physical carrier 150 stores an application that contains the security control component and needs to be installed automatically; if so, it installs the application in order to install the security control component. The client 160 can determine whether an application needs to be installed automatically according to the application's name, data recorded in a specific file and the like, but the present creation is not limited thereto.

The client 160 is also responsible for connecting, through the security control component and the communication interface, to the certificate management server 120 to download the digital certificate corresponding to the client 160. In some embodiments, the security control component downloads the digital certificate from the certificate management server 120 only when the client 160 is already connected to the physical carrier 150; that is, if the security control component determines that the client 160 is not yet connected to the physical carrier 150, it can display a corresponding prompt message and does not download the digital certificate.

Generally, the client 160 can send its device identification data to the certificate management server 120 through the security control component and receive the digital certificate returned by the certificate management server 120. After sending its device identification data to the certificate management server 120 through the security control component and the communication interface, the client 160 can also, upon receiving the notification message returned by the certificate management server 120, send a certificate application message to the certificate management server 120 through the security control component and the communication interface, so that the certificate management server 120 applies for the digital certificate corresponding to the client 160 according to the certificate application message, and the client 160 then uses the communication interface to receive the digital certificate that the certificate management server 120 obtained.

The client 160 is also responsible for storing the digital certificate received from the certificate management server 120 in the physical carrier 150 and for accessing the digital certificate in the physical carrier 150. In more detail, the client 160 can use the security control component to call the access library corresponding to the physical carrier 150, so that the corresponding digital certificate is stored in the physical carrier 150, or read from it, through the security control component and the called access library.

The client 160 is also responsible for connecting to the transaction server 130 through the communication interface and requesting a particular transaction from the transaction server 130.

The client 160 is also responsible, when the transaction server 130 requires a certificate operation during a transaction with the transaction server 130, for reading the digital certificate from the physical carrier 150 through the security control component and sending the certificate information to the hardware encryption/decryption host 140 through the communication interface so that the certificate information can be verified.

The client 160 is also responsible for carrying out the transaction operation with the transaction server 130, through the security control component and using the digital certificate that was read, once the certificate information of that digital certificate has passed verification by the hardware encryption/decryption host 140. The client 160 can also receive, through the security control component over the communication interface, the determination result returned by the hardware encryption/decryption host 140. When the determination result indicates that the certificate information passed verification, the client 160 can use the digital certificate to complete the transaction operation with the transaction server 130; when the determination result indicates that the certificate information did not pass verification, it can end or abort the transaction operation with the transaction server 130.

The client 160 can also read account data from the physical carrier 150 and send the account data it read to the transaction server 130 over the communication interface.

Next, an embodiment is used to explain the operation of the present creation; please refer to "FIG. 2A", the flowchart of using a physical carrier to store a digital certificate for performing online transactions proposed by the present creation. In this embodiment, the business server 110 is assumed to be a server that provides banking services and the physical carrier 150 is assumed to be a USB flash drive, but the present creation is not limited to this.

First, the user can connect the client 160 and the physical carrier 150 (step 210). In this embodiment, the client 160 and the physical carrier 150 are assumed to be connected through a USB interface.

If no security control component is stored on the physical carrier 150, the user can also operate the client 160 to install the security control component (step 220). In this embodiment, it is assumed that the user can operate the client 160 to connect to the business server 110 and download the security control component. The security control component may be an add-on or plug-in of the web browser running on the client 160; after downloading the security control component, the client 160 can install it into the web browser. The security control component may also be contained in an application, in which case the client 160 connects to the business server 110 to download and install the application that contains the security control component.

In practice, unless the client 160 installs the security control component from the physical carrier 150, connecting the client 160 and the physical carrier 150 (step 210) and installing the security control component on the client 160 (step 220) do not have to happen in any particular order.

After the security control component is installed on the client 160, the client 160 can execute it, so that the client 160 can connect to the certificate management server 120 through the security control component (step 230). In this embodiment, if the security control component is an add-on or plug-in of the web browser, the client 160 can run the web browser so that the security control component is executed; if the security control component is contained in an application, the client 160 can run that application in order to execute the security control component. Once executed, the security control component can connect to the certificate management server 120 and can send the device identification data of the client 160 to the certificate management server 120. The security control component can first determine whether the client 160 is connected to the physical carrier 150. If the client 160 is not yet connected to the physical carrier 150, the security control component can display a prompt asking the user to connect the client 160 and the physical carrier 150; if the client 160 is already connected to the physical carrier 150, the security control component can send the device identification data of the client 160 to the certificate management server 120.

After receiving the device identification data of the client 160, the certificate management server 120 can determine from that data whether a digital certificate for the client 160 exists (step 240). When the certificate management server 120 determines that no digital certificate exists for the client 160, it can connect to the certificate management center to apply for a digital certificate for the client 160 (step 250), can send the certificate it obtained to the client 160, and can also store the certificate it obtained. When a digital certificate for the client 160 does exist, the certificate management server 120 can read the digital certificate and send it to the client 160.

After the client 160 downloads the digital certificate from the certificate management server 120 through the security control component, it writes the downloaded digital certificate to the physical carrier 150 (step 260). In this embodiment, it is assumed that the security control component can call the access library of the physical carrier 150 in order to write the digital certificate to the physical carrier 150.

After the client 160 has written the digital certificate to the physical carrier 150, the user can operate the client 160 to connect to the transaction server 130 (step 270). In this embodiment, if the security control component is an add-on or plug-in of the web browser running on the client 160, the client 160 has to connect to the transaction server 130 through the web browser; if the security control component is contained in an application on the client 160, the client 160 has to connect to the transaction server 130 through the application that contains the security control component. Assuming the user wants to make an online transfer, place an order, or carry out an online financing transaction, the user can operate the client 160 to connect to the corresponding transaction server 130.

It should be noted that the client 160 the user uses to connect to the transaction server 130 is not necessarily the client 160 that wrote the digital certificate to the physical carrier 150. It can also be another client to which the physical carrier 150 storing the digital certificate is reconnected after the user has removed or unplugged the physical carrier 150 from the client 160 that wrote the digital certificate, thereby breaking the connection between the two. In other words, the user can move the physical carrier 150 storing the digital certificate from the client 160 that wrote the certificate to a new client and use the new client to connect to the transaction server 130. If the security control component is an add-on or plug-in of the web browser running on the client, then after the new client is connected to the physical carrier 150, and if the web browser on the new client does not have the security control component installed, the user can first operate the client 160 to download and install the security control component and then connect to the transaction server 130 through the web browser by way of the security control component. If the security control component is contained in an application of the client 160, then after the new client is connected to the physical carrier 150, the new client can automatically run the application on the physical carrier 150 and so connect to the transaction server 130 through the security control component.

After the client 160 has connected to the transaction server 130 (step 270), when the transaction server 130 requires the client 160 to perform a certificate operation during the transaction operation between the two, the client 160 can read the digital certificate, through the security control component, from the physical carrier 150 connected to the client 160 and send the certificate information of that digital certificate to the hardware encryption/decryption host 140 (step 280).

Afterwards, once the certificate information sent to the hardware encryption/decryption host 140 has passed verification by the hardware encryption/decryption host 140, the client 160 can carry out the transaction operation with the transaction server 130 through the security control component, using the digital certificate that was read (step 290). In this embodiment, it is assumed that, as shown in the flow of "FIG. 2B", the hardware encryption/decryption host 140 can read specific data from the certificate information received from the client 160, can determine whether that specific data matches the pre-stored issuer identification data (step 293), and can generate a determination result and send it to the client 160. After the security control component of the client 160 receives the determination result sent by the hardware encryption/decryption host 140, if the result indicates that the specific data matches the issuer identification data, the security control component can use the digital certificate to complete the transaction operation (step 297); if the result indicates that the specific data does not match the issuer identification data, the security control component can end the transaction operation (step 295).

In this way, with the present creation, the user can store the digital certificate on a physical carrier and, after connecting the physical carrier 150 to any client, use the digital certificate on the physical carrier 150 from that client to transact with the transaction server 130.

In the embodiment above, before the client 160 sends the certificate information of the digital certificate read from the physical carrier 150 to the hardware encryption/decryption host 140 through the security control component (step 280), the client 160 can additionally, as shown in the flow of "FIG. 2C", first send its device identification data and the certificate information of the digital certificate it read to the certificate management server 120 through the security control component (step 285).

After receiving the device identification data and certificate information sent by the client 160, the certificate management server 120 can determine whether the received device identification data and certificate information correspond to each other (step 286). In this embodiment, the certificate management server 120 can look up the certificate information that corresponds to the device identification data and determine whether the certificate information it found is the same as the certificate information it received. If they are the same, the certificate management server 120 can send the client 160 a notification message indicating that the client has been confirmed (step 288).

If the certificate management server 120 does not find certificate information identical to the certificate information it received, it can use the applicant information in the received certificate information to look up the contact data of the applicant of the digital certificate that the certificate information represents, use that contact data to send a confirmation message to the communication device 190 corresponding to the certificate information, and receive the response message sent by the communication device 190 (step 287).

After the certificate management server 120 receives the response message returned by the communication device 190, it can generate, according to the response message it received, a notification message indicating whether the client has been confirmed, and can send that notification message to the client 160 (step 288).

After the client 160 receives the notification message sent by the certificate management server 120, the security control component running on the client 160 can determine whether the notification message indicates that the client has been confirmed. If not, the security control component can end the transaction operation; if so, the security control component can send the certificate information of the digital certificate to the hardware encryption/decryption host 140 (step 289) so that the hardware encryption/decryption host 140 verifies the certificate information.
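The decision flow of FIG. 2B and FIG. 2C (steps 285 to 297) can be modeled as below. This is an added example, not code from the patent or its applicant; the class and function names, the fields of `CertInfo`, the callback standing in for communication device 190, and the fail-closed branches marked as assumptions are all hypothetical.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class CertInfo:
    """Certificate information read from the physical carrier (constructed fields)."""
    serial: str
    applicant: str
    issuer_id: str  # stands in for the "specific data" compared in step 293


@dataclass
class CertManagementServer:
    bindings: Dict[str, CertInfo]               # device identification data -> certificate info
    contacts: Dict[str, Callable[[str], bool]]  # applicant -> communication device (callback)
    log: List[str] = field(default_factory=list)

    def confirm_client(self, device_id: str, info: CertInfo) -> bool:
        """Steps 286-288: True means the notification says the client is confirmed."""
        if self.bindings.get(device_id) == info:
            self.log.append("286:match")
            return True
        self.log.append("286:mismatch")
        ask = self.contacts.get(info.applicant)  # step 287: look up the applicant's contact
        if ask is None:
            # Assumption: with no contact data on file the server refuses (fail closed).
            self.log.append("287:no-contact")
            return False
        approved = bool(ask(f"Device {device_id} requests use of certificate {info.serial}"))
        self.log.append("287:approved" if approved else "287:rejected")
        return approved


@dataclass
class HardwareCryptoHost:
    issuer_id: str   # pre-stored issuer identification data
    checks: int = 0  # how many times certificate information reached this host

    def verify(self, info: CertInfo) -> bool:
        """Step 293: compare the specific data with the stored issuer identification data."""
        self.checks += 1
        return hmac.compare_digest(info.issuer_id.encode(), self.issuer_id.encode())


def certificate_operation(device_id: str, carrier: Optional[CertInfo],
                          cms: CertManagementServer, hsm: HardwareCryptoHost) -> str:
    """What the security control component does when the transaction server asks for
    a certificate operation; returns the step at which the flow stopped."""
    if carrier is None:
        # Assumption: nothing readable on the carrier ends the operation.
        return "ended:no-certificate-on-carrier"
    if not cms.confirm_client(device_id, carrier):   # steps 285-288
        return "ended:client-not-confirmed"
    if not hsm.verify(carrier):                      # steps 289 and 293
        return "295:transaction-ended"
    return "297:transaction-completed"


def demo() -> List[str]:
    """Constructed scenario: the carrier moves from the writing client to a new one."""
    cert = CertInfo("SAMPLE-0001", "applicant-a", "ISSUER-A")
    cms = CertManagementServer({"client-1": cert}, {"applicant-a": lambda msg: True})
    hsm = HardwareCryptoHost("ISSUER-A")
    return [
        certificate_operation("client-1", cert, cms, hsm),  # device that wrote the cert
        certificate_operation("client-2", cert, cms, hsm),  # new device, applicant approves
        certificate_operation("client-2", None, cms, hsm),  # carrier without a certificate
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

In this model a rejected or unanswerable confirmation stops the flow before any certificate information reaches the hardware encryption/decryption host, which is the ordering that steps 285 to 289 describe.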

In summary, the difference between the present creation and the prior art is the technical means by which, after the client downloads the digital certificate from the certificate management server, the digital certificate is stored on the physical carrier through the security control component, and, when a certificate operation is required during a transaction operation with the transaction server, the digital certificate is read from the physical carrier through the security control component and used for the transaction operation. This technical means solves the prior-art problem that a digital certificate can only be used in the browser in which it was applied for, and thereby achieves the technical effect of reducing the complexity of certificate management.

In the embodiments above, when the client 160 carries out a transaction operation with the transaction server 130 through the security control component using the digital certificate read from the physical carrier 150, the client 160 can also read account data from the physical carrier 150 through the security control component and send the account data to the transaction server 130, so that the transaction server 130 completes the transaction operation according to the account data.

Furthermore, the system of the present creation for using a physical carrier to store a digital certificate for performing online transactions can be implemented in a centralized manner, or in a distributed manner in which different components are spread across several interconnected computer systems.

Although the embodiments of the present creation are disclosed as above, the content described is not intended to directly limit the scope of patent protection of the present creation. Any minor changes and refinements to the form and details of implementing the present creation, made by a person of ordinary skill in the technical field to which the present creation belongs without departing from the spirit and scope disclosed herein, fall within the scope of patent protection of the present creation. The scope of patent protection of the present creation is still defined by the appended claims.

110‧‧‧Business server

120‧‧‧Certificate management server

130‧‧‧Transaction server

140‧‧‧Hardware encryption/decryption host

150‧‧‧Physical carrier

160‧‧‧Client

190‧‧‧Communication device

400‧‧‧Certificate management center

Step 210‧‧‧Connect the client and the physical carrier

Step 220‧‧‧The client installs the security control component

Step 230‧‧‧The client connects to the certificate management server through the security control component

Step 240‧‧‧The certificate management server determines whether the digital certificate exists

Step 250‧‧‧The certificate management server applies for the digital certificate

Step 260‧‧‧The client downloads the digital certificate and stores it on the physical carrier

Step 270‧‧‧The client connects to the transaction server

Step 280‧‧‧When the transaction server requires the client to perform a certificate operation, the client reads the digital certificate on the physical carrier through the security control component and sends the certificate information of the digital certificate to the hardware encryption/decryption host

Step 285‧‧‧The client sends the device identification data and the certificate information to the certificate management server through the security control component

Step 286‧‧‧The certificate management server determines whether the device identification data corresponds to the certificate information

Step 287‧‧‧The certificate management server sends a confirmation message to the communication device corresponding to the certificate information and receives the response message returned by the communication device

Step 288‧‧‧The certificate management server sends a notification message to the security control component

Step 289‧‧‧When the notification message indicates that the client has been confirmed, the security control component sends the certificate information of the digital certificate to the hardware encryption/decryption host

Step 290‧‧‧When the certificate information passes verification by the hardware encryption/decryption host, the client carries out the transaction operation with the transaction server through the security control component using the digital certificate

Step 293‧‧‧The hardware encryption/decryption host determines whether the specific data matches the issuer identification data

Step 295‧‧‧The security control component ends the transaction operation

Step 297‧‧‧The security control component uses the digital certificate to complete the transaction operation

FIG. 1 is the system architecture diagram of the system proposed by the present creation for using a physical carrier to store a digital certificate for performing online transactions.
FIG. 2A is the flowchart proposed by the present creation of using a physical carrier to store a digital certificate for performing online transactions.
FIG. 2B is the flowchart proposed by the present creation of performing a transaction operation according to the digital certificate stored on the physical carrier.
FIG. 2C is the flowchart proposed by the present creation of confirming the client through the certificate management server.

Claims (10)

1. A system for using a physical carrier to store a digital certificate for performing online transactions, the system comprising at least: a client, which is a computing device, for installing a security control component; a physical carrier, comprising a storage medium, for connecting to the client; a certificate management server, which allows the client to download, through the security control component, a digital certificate corresponding to the client, so that the security control component stores the digital certificate on the physical carrier; a hardware encryption/decryption host for verifying certificate information of the digital certificate; and a transaction server, which accepts a connection from the client and, according to the transaction requested by the client, requires the client to perform a corresponding certificate operation, so that the client reads the digital certificate on the physical carrier through the security control component and sends the certificate information of the digital certificate to the hardware encryption/decryption host, and, when the certificate information passes verification by the hardware encryption/decryption host, uses the digital certificate to carry out the transaction operation with the transaction server.

2. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the certificate management server is further used to connect to a certificate management center to apply for the digital certificate for the client.

3. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the hardware encryption/decryption host determines whether specific data in the certificate information matches pre-stored issuer identification data and sends a determination result to the security control component; when the determination result indicates that the specific data matches the issuer identification data, the security control component uses the digital certificate to complete the transaction operation, and when the determination result indicates that the specific data does not match the issuer identification data, it ends the transaction operation.

4. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the system further comprises a communication device, corresponding to the certificate information, for receiving a confirmation message that the certificate management server sends when it determines that device identification data of the client, sent by the client through the security control component, does not correspond to the certificate information, and for sending a response message to the certificate management server; the certificate management server is further used to send a notification message to the security control component according to the response message, so that the security control component decides, according to the notification message, whether to send the certificate information of the digital certificate to the hardware encryption/decryption host.

5. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the client is further used to read account data from the physical carrier through the security control component and send the account data to the transaction server to complete the transaction operation.

6. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the security control component is an add-on or plug-in of a web browser executable by the client, or is contained in an application executable by the client.

7. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the security control component is downloaded by the client connecting to the transaction server or a business server, or is pre-stored on the physical carrier.

8. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the client is further used to send device identification data to the certificate management server, and the certificate management server is further used to search for the digital certificate according to the device identification data.

9. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the physical carrier is an external hard drive, a flash drive, a memory card, or a chip card.

10. The system for using a physical carrier to store a digital certificate for performing online transactions as described in claim 1, wherein the client is further used to encrypt the digital certificate through the security control component and store the encrypted digital certificate on the physical carrier, and to decrypt, through the security control component, the digital certificate stored on the physical carrier.

TW108203296U 2019-03-19 2019-03-19 System of using physical carrier to store digital certificate for performing online transaction TWM583978U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108203296U TWM583978U (en) 2019-03-19 2019-03-19 System of using physical carrier to store digital certificate for performing online transaction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW108203296U TWM583978U (en) 2019-03-19 2019-03-19 System of using physical carrier to store digital certificate for performing online transaction

Publications (1)

Publication Number Publication Date
TWM583978U true TWM583978U (en) 2019-09-21

Family

ID=68620694

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108203296U TWM583978U (en) 2019-03-19 2019-03-19 System of using physical carrier to store digital certificate for performing online transaction

Country Status (1)

Country Link
TW (1) TWM583978U (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI720694B (en) * 2019-11-18 2021-03-01 中華電信股份有限公司 Device and method of burning authentication with time sequence algorithm

Similar Documents

Publication Publication Date Title
US9569602B2 (en) Mechanism for enforcing user-specific and device-specific security constraints in an isolated execution environment on a device
TWM539667U (en) System of online credentials application for network transaction via carrier
CN112738021A (en) Single sign-on method, terminal, application server, authentication server and medium
TWI644276B (en) System for opening account and applying mobile banking account online and method thereof
CN115408707A (en) Data transmission method, device and system, electronic equipment and storage medium
TWM594186U (en) Device and system combining online rapid authentication and public key infrastructure to identify identity
US11822669B2 (en) Systems and methods for importing security credentials for use by an information handling system
TWM618092U (en) Certificate management system for automated domain verification
TWM539668U (en) System for opening account online and applying for mobile banking
TWM583978U (en) System of using physical carrier to store digital certificate for performing online transaction
TWM592629U (en) System to obtain appended data and execute corresponding operation when identity is confirmed
TWM575144U (en) Computing equipment using password of operating system to encrypt and decrypt
TWI720738B (en) System for combining architectures of fido and pki to identity user and method thereof
TWI767113B (en) System for using certificate stored in carrier to conduct online transactions and method thereof
TWM620550U (en) System for verifying identity on different devices by verifying valid certificates
TWI690820B (en) System for using embedded browser module to manage certificate and method thereof
TWM609003U (en) System for transferring to client end to continue operation after confirming the identity on the public equipment
TWM586390U (en) A system for performing identity verification according to the service instruction to execute the corresponding service
TWM588313U (en) System for confirming user identity through financial account information
TWM580295U (en) System for managing certificate with embedded browser module and computing equipment
TWI803907B (en) System for confirming identity on different devices by verifying valid certification and method thereof
TWM576681U (en) Computing device validating user identity during signing
TWM578053U (en) System for generating signing documents sequentially providing the signature for the signing party
TWM641468U (en) Electronic certificate and digital certificate verification system through third-party platform
TWI729535B (en) System for using financial account to confirm identity and method thereof