WO2006039832A1 - Authentication method for storage and application of data, ic card, fingerprint scanner - Google Patents

Authentication method for storage and application of data, ic card, fingerprint scanner Download PDF

Info

Publication number
WO2006039832A1
WO2006039832A1 PCT/CN2004/001155 CN2004001155W WO2006039832A1 WO 2006039832 A1 WO2006039832 A1 WO 2006039832A1 CN 2004001155 W CN2004001155 W CN 2004001155W WO 2006039832 A1 WO2006039832 A1 WO 2006039832A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
card
server
user
hardware
Prior art date
Application number
PCT/CN2004/001155
Other languages
French (fr)
Chinese (zh)
Other versions
WO2006039832A8 (en
Inventor
Hui Lin
Original Assignee
Hui Lin
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hui Lin filed Critical Hui Lin
Priority to PCT/CN2004/001155 priority Critical patent/WO2006039832A1/en
Publication of WO2006039832A1 publication Critical patent/WO2006039832A1/en
Publication of WO2006039832A8 publication Critical patent/WO2006039832A8/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00Individual registration on entry or exit
    • G07C9/20Individual registration on entry or exit involving the use of a pass
    • G07C9/22Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/25Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
    • G07C9/257Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition electronically
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan

Definitions

  • the present invention relates to a data storage application, an IC card, and a fingerprint scanner authentication method, and more particularly to an authentication using an IC card and a fingerprint scanner.
  • the mechanism is the data storage application authentication process that acts as a legitimate login medium.
  • the software platform emphasizes that the intelligent property rights of the software platform belong to the MP3 software industry due to the arrival of a considerable number of members, and then the monthly fee for software usage is charged. As a result of the explosion of membership, the revenue of the MP3 software platform provider is increasing proportionally. The rights of the record industry with legal property rights and intellectual property rights are seriously lost, resulting in the long record industry. Downturn, thereby affecting the creators of power and confidence.
  • the extension discusses the passwords adopted by the membership system on the current general knowledge website.
  • the password set by the user or the system, but because the information is encrypted on the server side of the website, in order to prevent the leakage of the communication network information, there are programs and logics for designing the cryptographic technology, and it is hoped that the technology can It is relatively resistant to hackers, but it is still impossible to prevent it completely in the current situation.
  • the website audit member's confidential information entry is the member login system.
  • the current website member login mode only logs in the user name and password directly on the web page. If the two match, you can enter the member's member function page.
  • AP Server general application server
  • the operation of cryptographic codec on the web server of the application server (AP Server) alone can not ensure that it can be cracked by hackers, and today's Internet is far and wide, for convenient use and anytime, anywhere.
  • the need to be able to access the Internet makes it easy for users to use different computers or other equipment to access the Internet in many places, and because of the current technology, it is difficult to set the user's authority and grading system, for example, using the library's public computer. Go online, or go online at the internet cafe, because using the same machine If there are many users, if you forget the deletion of the user name and password on the login screen and forget to delete it, it will be easily stolen by the next user or used by the hacker to use some backdoor programs of the easy operating system. Cracking and stealing confidential information, illegal transactions, resulting in user losses.
  • the current network security is full of loopholes, especially in:
  • the hacker can also intercept and tamper with the unencrypted data in the peer-to-peer transmission.
  • the communication protocol is TCP P.
  • the hacker will simultaneously spoof the identity of the host and return a large amount of useless data to the user. Attempts to calculate the computing power of the client computer system (Denial of Service; DoS). In this way, the hacker can not only fake the original user identity, but also access the resources and services on the remote host, and arbitrarily publish, tamper or delete the data, so that the system administrator on the host side cannot detect it. What is more serious is that the hacker tampers with the information in such a way that the source of the information (user identity) cannot be confirmed, making it difficult for the original user to self-clear.
  • DoS Denial of Service
  • the external network is connected through the local area network (LAN) of the public place.
  • LAN local area network
  • Ethernet-based IP networks are taken as an example. All data (packets) flow to all PCs in the local area network in the form of broadcast (Broadcassing). Because each PC has a Network Interface Card, you can filter out packets that are not sent to you. And this hidden problem, another good opportunity for hackers to invade, intercepts the data transmitted on the LAN.
  • All the packets are transmitted to all PCs in the local area network in the form of broadcast (Broadcassing), and exist in the form of plain text. Therefore, any PC connected to the local area network can play the role of a listener (Sniffer), generously peek at other people's data.
  • the invention mainly solves the current network security vulnerability, and performs the action of cipher coding and decoding on the web server of the application website server (AP Server) alone, which is really unable to ensure that it can be cracked by the hacker, and if the user uses in a public place. If the public computer, if it is negligent, left its user name and password on the login screen and forget to delete it, it is easy for the hacker to use some simple operating system backdoor programs to crack and steal the confidential information. Illegal transactions, resulting in the loss of user losses.
  • AP Server application website server
  • the main idea of the present invention comes from the fact that the current network security loopholes are numerous, and the user is less protective against using the private data on the Internet. Therefore, it is painstaking to study and use an IC card and a fingerprint scanner to match an authentication hardware and identify with the CA.
  • the Yongzheng Server (Security Control Mechanism) and the Global Fingerprint Identification System work together to meet the five information security needs of the secure transmission of electronic data networks. To improve the secure transmission of electronic data networks, the following five information security requirements must be met:
  • Ensuring that data information is not sneaked or stolen by third parties to protect the privacy of data transmission data can be accomplished through data encryption.
  • Transmitting and receiving information prevents users from denying subsequent data transmissions, which can be achieved through digital signatures and public key infrastructure.
  • the execution authority of the security module function can be determined according to the identity of the user.
  • the present invention utilizes an IC card and a fingerprint scanner to authenticate the hardware to perform effective authorization control, and performs a special encoding and decoding operation on the stored file to make it more confidential and secure for data access. And maneuverability and uniqueness (only legitimate users can use the files they store) to avoid the P2P (Peer to Peer) method of peer-to-peer transmission on the network, and to chase the chaos of the intellectual property rights law, so that legal property rights The problem of the loss of the owners of intelligent property rights.
  • P2P Peer to Peer
  • the technical feature of the present invention is to use an IC card device in conjunction with a fingerprint scanner device on a flash memory (pen drive) generally compatible with a computer USB interface, as an authentication hardware.
  • the hardware is first placed in an IC card reader (Reader), which first passes a fingerprint scanner to obtain the fingerprint through the global fingerprint identification center, and then an ID card built in an IC card to check the code ICCID and an international
  • the verification code GLN checks the identity authentication
  • the authentication hardware can be installed on a hardware that is generally compatible with a computer USB interface or a PS2 slot or has wireless communication, infrared transmission, and the like.
  • the user can use the authentication hardware to enable the fingerprint scanner to connect the user's fingerprint to the global fingerprint identification center (or other fingerprint identification center) through the network.
  • the fingerprint identification center can check the user through real-time comparison. Identity, after one or more successful comparisons, is one of the Server Resul ts for successful authentication of the hardware. If the fingerprint comparison result is incorrect, the system will also inform the user that the hardware authentication failed and the login is lost. Qualification, which is the first step of the certification process, and then log in to the user name (Username) and password (Pas sword), then the IC card will first pass its login process to the CA identity through the embedded program.
  • the result of generating a random value (Random) and encrypting with KI is stored in the database of the CA identity authentication server, and the encrypted result is the authentication hardware authentication.
  • One of the Server Resul t can be used to record the number of times the user logs in using the authentication hardware, confirm the legality of the authentication hardware and whether the password ICCID has the right to log in to the website, and the granted The maximum number of permissions, after the hardware authentication is passed, the CA identity authentication server will transmit the generated random value (Random) back to the IC card.
  • the IC card receives the random value (Random)
  • the IC card embedded program will first be inserted.
  • the built ICCID code is first decrypted to obtain a KI value (the KI value here does not check whether it is the authentication hardware passed by the authorization, the audit right and the comparison right are in the CA identity authentication server), and then the received random number.
  • the value of (Random) is encrypted to generate an IC card authentication (Cl ient Resul t) for the third party of the general application website server (AP Server).
  • AP Server general application website server
  • the authentication program of the general application website server first receives the ICCID code on the IC card, the IC card authentication (Cl ient Resul t), and the user name entered by the user. (Username) and the typed password (Pas sword). At this time, the general application website server (AP Server) first compares the user name (Username) and password (Pas sword) through its own database, and checks against it. Whether the user's effective use period expires, if the comparison is correct, the ICCID code and the IC card authentication (Cl ient Resul t) are transmitted back to the CA identity authentication server for cross-comparison, and the special process is first decrypted.
  • AP Server general application website server
  • the file downloaded by the user will perform a special editing operation through the IC card embedded program.
  • the file decoding operation must also be performed through the IC card authentication hardware. In order to open the file correctly, it can make the data access confidential, secure and mobile and unique (only legitimate users can use the stored text) Pieces).
  • the random value (Random) generated by the CA identity authentication server during the encryption process can be intercepted, and the random value (Random) It is a variable random number. The value generated by the user each time the authentication is registered is different, so the hacker still cannot use his random value to make a valid login at the next login.
  • the control mechanism and program only automatically guide and perform encryption and decryption actions through the IC card embedded program on the authentication hardware and the internal program of the CA identity server, and the fingerprint identification center only identifies and authenticates the fingerprint data and confirms the user identity.
  • (User) and the application server (AP Server) side do not cause their own problems.
  • the integration is easy and the combination is strong, which will make the application layer wider and deeper.
  • the application server only needs to add a corresponding small program to its login page (Login Page), which can greatly improve the security of the service provided by the server, and increase the security control mechanism for the user.
  • Login Page login page
  • the development is very promising; the user (User) brings a private key of its own. As a legitimate use, its hardware presentation is like the use of a general access control key. Its usage mode is more convenient for the average user. Accept, it will not be used for encryption and decryption technology products, because the use of the program is too complicated, for users who only accept the final result (User), will present the added value of multi-functionality and high value.
  • the IC card matched with the invention is mainly burned in the chip in a firmware manner, and has the advantage of large storage capacity, and is not made by ordinary people to be edited by itself, and is not easy to be counterfeited, and its anti-counterfeiting and prevention are cracked. It is highly functional and can effectively prevent the malicious use of malicious users. It is also compatible with the destination server (AP Server) and the CA authentication server. The result of close-to-cross comparison is more effective for users to navigate in a safe network environment, and to appreciate the convenience that technology brings to humans.
  • AP Server destination server
  • CA authentication server CA authentication server
  • the design of the IC card and the fingerprint scanner matched by the invention can effectively control the flow of the application server (AP Server) and establish a classification system, manage the authority, prevent the malicious invasion and destruction of the hacker, and the future thereof.
  • the development is very broad.
  • the flash memory of the device IC card and an IC card reader does not allow the data to be stored in a fixed hard disk, thereby making the data access confidentiality and security more secure.
  • another added value of the authentication hardware using the IC card and the fingerprint scanner used in the present invention is like a personal private key, which can protect a stand-alone system even when connected to the Internet, if the user uses a public computer.
  • the present invention can also be used to set the reading authority of the personal file, and the unlocking method can be smoothly unlocked only by the present invention, which is convenient. Safe and detailed privacy protection of personal data, and even the use of peripheral hardware can be locked to prohibit unauthorized use.
  • the present invention can ensure the security of the login authentication of the user on the website through the above-mentioned protection and decryption and encoding, and avoid the leakage of the user's private data, and the CA identity authentication server can be appropriately used as the website.
  • the company controls the flow, management authority and establish a grading system to provide a more secure network environment. Moreover, for those who are willing to provide services in the network environment, the establishment of the mechanism will make the service more relevant for equivalent feedback. To further provide quality services in the network environment, and to make online transactions more in line with the principle of fair trade order.
  • the data storage application, the IC card, and the fingerprint identification authentication method of the present invention are all connected by the user to the Web Server website by the browser to perform related operations, and then the authentication program sends the request information to the credential servo system and the fingerprint identification center.
  • the user's credential confirmation and related functions can be easily executed, and the Web Server web server authentication program system is simple to install and makes it easy to execute.
  • the present invention utilizes an IC card to store the user's private authentication data and an identity check code ICCID, and also utilizes a fingerprint.
  • the scanner obtains the fingerprint and checks the authentication through the fingerprint identification center, and then the IC card and the fingerprint scanner are installed on the flash memory (pull disk) generally compatible with the USB interface of the computer, as the authentication hardware, and with an authentication program on the general application website.
  • the server (AP Server) and an external authentication program are used on the output software.
  • the user uses the authentication hardware to log in to the user name and password, the user encrypts and encrypts the protection action to ensure the user is on the website.
  • the security of the login authentication and the leakage of the user's private data are avoided, and the website operator can be appropriately controlled to control the traffic, manage the authority and establish a classification system, and provide a more secure network environment.
  • FIG. 1 is a flow chart of steps of the present invention
  • FIG. 2 is a schematic flow chart of an IC card authentication entity according to the present invention.
  • FIG. 3 is a schematic flowchart of a download file entity according to the present invention.
  • FIG. 4 is a flow chart showing the steps of opening a file according to the present invention.
  • FIG. 5 is a schematic diagram of the process of opening a file entity according to the present invention.
  • Figure 1 is a flow chart of the steps of the present invention, which includes five main steps of &, b, c, d, and e:
  • Step a The user device is a combination of an IC card and a fingerprint scanner, and the device is inserted into an IC card reading device (Reader). At this time, the user first scans the fingerprint through the fingerprint scanner. The Internet is sent to the fingerprint identification center, and the identity of the user is authenticated through the fingerprint identification center. After the authentication is passed within the specified number of comparisons, the first layer authentication is passed; Step b: After passing the lower level authentication of fingerprint identification, the user will be required to log in, enter the user name (Useniame) and password (Pas sword) to enter the specified field, and press the login key (Login);
  • Step c The IC card embedded program is used to guide the login process to the CA identity authentication server, and the ICCID code built into the IC card is transmitted to the CA identity authentication server, and the special authentication procedure of the CA identity authentication server is used to determine the authentication hardware. Whether the IC card is legal and auditing authority, if it is correct, the number of logins is recorded on the CA authentication server database, generating a server hardware reliability (Server Resul t), and returning the random value generated during the decoding process ( Random) to the IC card;
  • server Resul t server hardware reliability
  • Step d After the foregoing steps are correct, the IC card uses the IC card embedded program to use the acquired random value (Random) to decode the built-in ICCID code, and generates an IC card authentication (Cl ient Resul t), and The login process is guided to the application website server (AP Server), and the ICCID code, the IC card authentication (Cl ient Resul t), the user input information is transmitted to the application server P server), and the application website is made.
  • the server (AP Server) determines whether the information input by the user is correct according to the database, and queries the use period (ava il date);
  • Step e After the foregoing steps are correct, the application server (AP Server) transmits the accepted ICCID code and the IC card authentication (Cl ient Resul t) to the CA identity authentication server for decryption to confirm the authentication hardware and user information. The correctness.
  • Step a means: the user puts the fingerprint of the finger directly on the scanner portion of the fingerprint scanner for scanning, and then encrypts the scanned fingerprint to send the packet to the fingerprint identification center, and the fingerprint identification center will receive the fingerprint. Further comparison, to see if the user identity is correct, if it is wrong, it will be sent back to the sealed package to notify the user of the error message, the user must re-scan The fingerprint is fingerprinted, and then the encrypted packet is sent to the fingerprint identification center for authentication. The number of authentications can be increased to increase its security. If the identity is confirmed, the next step can be performed. This is the first authentication process.
  • Step b means that the user builds an identity verification code I CC ID and an international verification code GLN through an IC card, and places the IC card into an IC card reading device (Reader), and the device is generally compatible.
  • On the flash memory (USB drive) of the computer USB interface use it as the authentication hardware, and use this authentication hardware to log in to the user name (Username) and password (Pas sword) and press the login key (Login).
  • Step c means: After the user inputs the user name (Username) and password (Pas sword), the IC card embedded program first directs the login process to the CA identity authentication server for encryption and decryption, through special The process first decrypts the value of the ICCID secret code, and compares the CA identity authentication database, corresponding to the ICCID code and authorizes the (Val idated) EKI, decrypts the KI first, and generates a random value (Random) and The result of the KI encryption is stored in the database of the CA identity authentication server.
  • the encrypted result is the server reliability of the authentication hardware authentication (Server Resul t), and can be used to record the number of times the user logs in using the authentication hardware, and confirms the The legality of the authentication hardware and whether the password ICCID has the right to log in to the website, and the permission granted.
  • the CA identity authentication server will transmit the generated random value (Random) value back to the IC card.
  • a KEY used by the general application website server (AP Server) to pass the second authentication process and the CA authentication server For comparison; if the ICCID code in the IC card on the authentication hardware is not authorized in the comparison result (Val idated is not open), the system will inform the user that the hardware authentication fails and the gateway is lost. qualifications. This is the second step of the certification process.
  • Step d means: The authentication process of the second step is successful, and the general application website server (AP Server) first receives the KEY value transmitted by the CA identity authentication server on the IC card. ICCID password, user name (Username) and password (Pas sword) entered by the user, and then the process is directed to the general application website server (AP Server) for comparing the user name (Username) and password (Password). Is it correct, and check whether the effective use period of the user expires.
  • Step e means: Step d If the comparison is correct, the KEY value and the ICCID code are sent back.
  • Route 1 is a user IC card 10 that uses an authentication hardware to log in to the Web Server server 30 webpage Member Login window to log in its member information. After entering the Username and Pas sword, the user presses the login key (Login), and the IC card is inside.
  • the embedded program firstly directs its login process to the CA identity authentication server 20, and implicitly transmits the ICCID code built into the IC card to the CA identity authentication server 20 for encryption and decryption, and then performs authentication of the CA identity authentication server 20.
  • the encrypted result is the Server Result of the authentication hardware authentication, and can be used to record the number of times the user logs in using the authentication hardware, confirm the legality of the authentication hardware, and whether the password ICCID is logged in. The permissions of the website and the permissions granted.
  • the route 2 is touched, and the random value (Random) generated by the CA authentication server is transmitted back to the IC card.
  • the IC card receives the random value.
  • the IC card embedding program first decrypts the built-in ICCID code to obtain a KI value (the KI value here does not check whether it is the authentication hardware passed by the authorization, and the review right and the comparison right are In the CA identity authentication server, and then by encrypting with the received random value (Random) to generate an IC card authentication (CI ient Result), for general use
  • the third server authentication process is performed on the website server (AP Server)
  • the route server 3 (AP Server) is touched, and the ICCID code and the IC card authentication (CI ient Result) on the IC card are first received, and the user inputs The user name (Personal name) and the typed password (Password).
  • the general application web server AP Server
  • AP Server first compares the user name (Username) and password (Password) through its own database, and Check whether the effective use period of the user expires. If the comparison is correct, then the route 4 is touched to perform the authentication process 2, and the ICCID code and the IC card authentication (Client Result) are transmitted back to the CA identity authentication server for cross comparison.
  • the third step is passed, and the route 5 is touched. If the user determines that the registrant is a valid registrant by cross-matching, the user can log in to the portal through the legal use permission, and continue to import the next Web page and the CA identity authentication server.
  • the Server Resul t is encrypted and cleared. This is the last step, routing eight. If the comparison result does not match, the general application website server (AP Server) is notified that the hardware ICCID password is incorrect, the authentication fails, and the login is lost. .
  • AP Server general application website server
  • route 2 is the authentication mechanism (see Figure 2).
  • FIG. 4 is a flow chart of the steps of opening a file according to the present invention. It can be clearly seen from the figure that when the user wants to open the encoded file, the original authentication hardware must first be inserted into the USB connector of the computer or the USB connector of other players.
  • the MP3 player software or application software is enabled, after the fingerprint identification is authenticated, the IC card embedded program first transmits the built-in ICCID code to the external authentication program or the MP3 player software that has the authentication program code itself. Or firstly decode the application software and judge the correctness of the authentication hardware ⁇ 3 61). 1>, then pass the authentication result back to the MP3 player software or application software ⁇ s tep.
  • the file to be opened is decoded by ⁇ s tep. 3>, and the decoded file is opened by the MP3 player software or application software using ⁇ 6. 4>, and if the hardware is authenticated. If the authentication fails, an error message will be generated to inform the user that the authentication hardware ICCID failed to be authenticated.
  • FIG. 5 is a schematic diagram of the process of opening a file entity according to the present invention, which is a schematic icon of FIG. 4, and the flow direction of the open file entity process of the present invention is clearly seen from the figure,
  • the user uses the authentication hardware to insert into the USB connector of the computer or the USB connector of other players.
  • the MP3 player software or application software is turned on, the user can correctly open the file through 5 routes, where route 2 is the external authentication program or The MP3 playback software of the authentication program code itself has been described above.
  • the data storage application authentication process and the IC card authentication hardware provided by the present invention can replace the existing application website server (AP Server) login mode, which utilizes
  • An IC card has an identity verification code ICCID and an international verification code GLN built in, and the IC card is installed on a flash memory (flash drive) generally compatible with a computer USB interface, and is used as an authentication hardware, and the user utilizes the authentication hardware.
  • flash memory flash drive
  • the login operation is performed, the user's legality and effective control flow can be effectively confirmed through a plurality of encryption and decryption and cross-matching systems of the destination end and the authentication end server.
  • the matching IC card used in the present invention is utilized.
  • the website page (such as the record player) providing the property rights document or the intelligent property rights document can be effectively authorized to control, and can avoid the point-to-point transmission of P2P on the current network.
  • P2P point-to-point transmission of P2P on the current network.
  • Peer to Peer method for netizens to upload, download, and share documents with intellectual property rights or documents with intellectual property rights (such as singer's MP3) to move away from the intellectual property rights law, and make legal operators (authors)
  • the serious loss of the rights of property rights and intellectual property owners is a design that is urgently needed today.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Human Computer Interaction (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to an authentication method for storage and application of data, IC card, fingerprint scanner. In the method IC card device as well as fingerprint scanner is connected to a flash memory (taken-with disk) which is compatible to USB interface of computer and acts as the hardware for authentication, then put the authentication hardware into a IC card read device (Reader), wherein confirm user's identity by means of the mechanism of the fingerprint identification center, while the other kind of authentication is processed using identity checking cypher ICCID and international checking code GLN; The advantage of the method is that the practitioners of network station who supply files which have copyright and intellectual property will be controlled effectively by authorization, thus avoid the confusion occurring in which the files which have copyright and intellectual property are supplied to net friend to upload, download, share to or with each other by means of Peer-to-Peer transmission P2P (Peer to Peer), so that the rights of legal practitioners(the owner of copyright, intellectual property) are damaged badly.

Description

资料储存应用、 IC卡、 指紋扫描器的认证方法 技术领域 本发明是有关于一种资料储存应用、 IC卡、指纹扫描器的认证方法, 尤指一种利用 IC卡及指紋扫描器来做认证机制,即是当作合法登入媒介 的数据储存应用认证流程。 背景技术 在此特举目前网络上游走智能财产权法令边缘的实例来说明。 目前 网络上下载歌手歌曲 MP3的网站 :多 , 且多采 P2P (Peer to Peer点对点 传输, 技术应用模式的一种)的方式, 供网友自动上传、 下载、 分享 MP3 文件, 以筒便的搜寻功能, 让网友可以方便地搜寻和分享彼此的文件; 一般来说, 这类的 MP3业者本与唱片业者有既定的合作模式, 互相寻求 平衡点, 由 MP3业者提供各类音乐的最新信息供会员浏览, 希望借此带 动唱片业者的买气, 但随着 MP3业者的会员愈来愈多, 网友上传的 MP3 文件爆增, 成为一个人上传 MP3文件所有的会员皆可免费下载, MP3业 者提供的软件平台因会员到达相当的数量而强调该软件平台的智能财产 权属于该 MP3软件业者, 进而收取软件使用月费, 因会员人数爆增而致 使提供 MP 3软件平台业者的收益成正比爆增,反观拥有合法著作财产权、 智能财产权的唱片业者权益却严重损失, 造成唱片业界的长期低迷, 进 而影响到了创作人的动力和信心。 TECHNICAL FIELD The present invention relates to a data storage application, an IC card, and a fingerprint scanner authentication method, and more particularly to an authentication using an IC card and a fingerprint scanner. The mechanism is the data storage application authentication process that acts as a legitimate login medium. BACKGROUND OF THE INVENTION Herein is an illustration of an example of the current edge of the network moving away from the Intellectual Property Rights Act. Currently, the website for downloading singer songs MP3 on the Internet: many, and more P2P (Peer to Peer point-to-point transmission, one of the technical application modes), for users to automatically upload, download, share MP3 files, search function In order to allow users to easily search and share each other's documents; in general, such MP3 players have established a cooperative mode with the record industry, and seek balance between each other. MP 3 players provide the latest information on various music for members. Browsing, I hope to drive the buying of the record industry, but with the increasing number of MP3 players, the MP3 files uploaded by netizens have exploded, and all members who upload MP3 files can download for free, provided by MP3 players. The software platform emphasizes that the intelligent property rights of the software platform belong to the MP3 software industry due to the arrival of a considerable number of members, and then the monthly fee for software usage is charged. As a result of the explosion of membership, the revenue of the MP3 software platform provider is increasing proportionally. The rights of the record industry with legal property rights and intellectual property rights are seriously lost, resulting in the long record industry. Downturn, thereby affecting the creators of power and confidence.
再者, 延伸探讨到目前一般习知网站上会员制所采取的密码皆为使 用者自设或是系统给予的密码, 但是由于是在网站服务器端进行信息情 报密码化, 为了防止通讯网际网络情报的外泄, 有研究设计密码化技术 的程序及逻辑, 希望在技术上能与骇客相对抗, 然而在现况上尚无法做 到完全的防止。 Furthermore, the extension discusses the passwords adopted by the membership system on the current general knowledge website. The password set by the user or the system, but because the information is encrypted on the server side of the website, in order to prevent the leakage of the communication network information, there are programs and logics for designing the cryptographic technology, and it is hoped that the technology can It is relatively resistant to hackers, but it is still impossible to prevent it completely in the current situation.
而网站审核会员机密资料的入口, 便是会员登录系统, 而目前的网 站会员登录模式, 都只在网页上直接登录使用者名称及密码, 若二者相 符, 就能进入该网站会员功能网页, 用该登录使用者的资料去进行合法 会员可以执行的动作, 甚至可以查询到使用者的一些相关机密资料, 及 往来纪录; 但以今日一般的应用网站服务器(AP Server)所采用的编码技 术而言, 单独在应用网站服务器(AP Server)端网页程序上做密码编译码 的动作, 实在是无法确保能不被骇客破解,且今日网际网络的无远弗届, 为于便利使用及随时随地都能上网的需求, 使得使用者可以方便的在很 多地方利用不同的计算机或其它装备上网, 且由于目前技术要将使用者 设定权限及分级制度有其困难性, 例如利用图书馆的公用计算机上网, 或于网吧上网, 由于使用同一台机器的使用者众多, 若一时疏忽, 将其 使用者名称及密码遗留在登录画面中而忘记删除的话, 便很容易被下一 个使用者盗用或被骇客利用一些筒易操作系统的后门程序等拿来破解且 盗用其机密资料, 进行非法交易, 以致使用者的损失。  The website audit member's confidential information entry is the member login system. The current website member login mode only logs in the user name and password directly on the web page. If the two match, you can enter the member's member function page. Use the information of the logged-in user to perform actions that the legitimate member can perform, and even query the relevant confidential information of the user and the record of the transaction; but with the coding technology adopted by the general application server (AP Server) today In other words, the operation of cryptographic codec on the web server of the application server (AP Server) alone can not ensure that it can be cracked by hackers, and today's Internet is far and wide, for convenient use and anytime, anywhere. The need to be able to access the Internet makes it easy for users to use different computers or other equipment to access the Internet in many places, and because of the current technology, it is difficult to set the user's authority and grading system, for example, using the library's public computer. Go online, or go online at the internet cafe, because using the same machine If there are many users, if you forget the deletion of the user name and password on the login screen and forget to delete it, it will be easily stolen by the next user or used by the hacker to use some backdoor programs of the easy operating system. Cracking and stealing confidential information, illegal transactions, resulting in user losses.
现行网络安全漏洞百出, 其中尤以:  The current network security is full of loopholes, especially in:
骇客以 Dict ionary At tack方式破解用户密码,假冒用户身份最为普 遍, 一般大家都知道, 以输入使用者 ID及密码的方式签入计算机系统, 是最简单、 但确也是最不安全的方式。  Hackers use the Dict ionary At tack method to crack user passwords. It is most common to impersonate users. Generally, everyone knows that entering the computer system by entering the user ID and password is the simplest, but the most insecure way.
其原因如下: . .  The reasons are as follows: .
1.一般人选择密码的依据, 是以方便记忆为主, 很少人会选择一串 任意排列并夹杂英文字母及数字的密码。 著名的密码学大师 Daniel Kle in 声称, 以一般的字典攻击法(Di et ionary At tack) , 40%计算机上 的密码可轻易被破解。 目前网络上散布着许多由学生、 系统专家及骇客 所设计的密码破解软件, 提供企业内、 外部骇客入侵的工具。 1. The basis for the general person to choose a password is to facilitate the memory, few people will choose a string Randomly arranged and mixed with English letters and numbers. The famous cryptographer Daniel Kle in claims that the password on 40% of computers can be easily cracked by the Di et ionary At tack. At present, there are many password cracking software designed by students, system experts and hackers on the network to provide tools for intrusion inside and outside the enterprise.
2.现今信息系统日趋复杂化, 许多异质系统相互串联的结果, 导致 用户在签入不同计算机系统时, 因各操作系统的要求, 必须再次输入密 码。 据专家统计, 只有少数人能同时记忆三组不同且长度为八个字符串 的密码。 结论是, 绝大多数人会因此而将密码写下来, 放在用户认为安 全方便的地方。 艮显然的, 这又提供了企业内、 外部骇客入侵的管道。  2. Today's information systems are becoming more and more complex, and many heterogeneous systems are connected in series. As a result, users must enter the password again when they log in to different computer systems because of the requirements of each operating system. According to expert statistics, only a few people can simultaneously remember three different sets of passwords with a length of eight strings. The conclusion is that the vast majority of people will write down the password and place it where the user thinks it is safe. Obviously, this provides a conduit for intrusion within and outside the enterprise.
3.即使用户不曾触犯以上两点失误, 但是很显然的, 密码在从使用 者端传输到服务器前, 是以明文的形态存在。 骇客可以经由网际网络或 是局域网络上任何一点, 截取密码, 然后假冒使用者(Rep lay)开始非法 入侵系统。 很多人以为租一条专线, 就可以不被骇客入侵。 这样的观念 是错的。 即使是专线, 也是经过公共交换系统做线路交换, 对于骇客入 侵系统而言, 更为方便。 因为专线一旦建立后, 数据所流动的路线就不 常会变化。 如此, 骇客更能集中资源, 专注于截取固定线路上流动的资 料。  3. Even if the user has not violated the above two mistakes, it is obvious that the password exists in the form of plaintext before being transmitted from the user to the server. Hackers can intercept passwords via the Internet or at any point on the local area network, and then fake users (Rep lay) to start an illegal intrusion into the system. Many people think that renting a special line can not be invaded by hackers. This concept is wrong. Even if it is a dedicated line, it is also a line exchange through the public exchange system, which is more convenient for the hacker intrusion system. Once the line is established, the route through which the data flows will not change very much. In this way, hackers are more able to focus their resources on focusing on intercepting data flowing on fixed lines.
再者:  Again:
骇客亦可截取点对点传输中未经加密过的资料,并加以篡改,在网际 网络上, 走的通讯协议是 TCP P。 在两台计算机能够传输资料前, 必须 先完成三段式交握(Three-way Handing Shaking) , 才能建立联机, 开始 传送资料。 这其中潜藏的问题, 却给予骇客入侵的好机会。  The hacker can also intercept and tamper with the unencrypted data in the peer-to-peer transmission. On the Internet, the communication protocol is TCP P. Before the two computers can transfer data, you must complete the Three-way Handing Shaking to establish the connection and start transmitting data. The hidden problems in this are good opportunities for hackers to invade.
其原因如下:  The reasons are as follows:
1.为双方资料的传输是透过公众的网际网络, 而所传送的资料是以 明文的形态存在。 任何连上网际网络的计算机, 都可以对网上的资料做 监听(Sniff ing)。 如此一来, 个人隐私、 财产, 以及企业商务机密则完 全曝露在网际网络上, 根本毫无隐私、 机密可言。 1. The transmission of data for both parties is through the public internet, and the information transmitted is The form of the plaintext exists. Any computer connected to the Internet can monitor the data on the Internet (Sniff ing). As a result, personal privacy, property, and corporate business secrets are fully exposed on the Internet, with no privacy or confidentiality at all.
2.有时骇客为了完全掌握上述所建立的联机,并假冒原使用者身份, 以存取远程主机上的资源与服务, 会同时假冒主机的身份, 将大量无用 的资料回传给使用者, 企图瘫痪客户端计算机系统的运算能力(Denial of Service; DoS)。 如此一来, 骇客不但可以假冒原使用者身份, 以存 取远程主机上的资源与服务, 任意发布、 篡改或删除资料, 让主机端的 系统管理者无法察觉。 更严重的是, 骇客以这样不着痕迹的方式擅改资 料,在无法确认信息来源(使用者身份)的状况下,使原使用者难以自清。  2. Sometimes, in order to fully grasp the above established connection and impersonate the original user identity to access the resources and services on the remote host, the hacker will simultaneously spoof the identity of the host and return a large amount of useless data to the user. Attempts to calculate the computing power of the client computer system (Denial of Service; DoS). In this way, the hacker can not only fake the original user identity, but also access the resources and services on the remote host, and arbitrarily publish, tamper or delete the data, so that the system administrator on the host side cannot detect it. What is more serious is that the hacker tampers with the information in such a way that the source of the information (user identity) cannot be confirmed, making it difficult for the original user to self-clear.
再者:  Again:
若使用者于公共场所使用公用计算机上网, 都是透过该公共场所内 部的局域网络(LAN)而连接上外部网络(Internet) ,在局域网络(LAN)上, 以 Ethernet- based IP networks 为例, 所有的资料(封包)都是以广播 (Broadcas t ing)的方式流向局域网络内所有的 PC。 因为每一台 PC上都 有一张网络卡(Network Interface Card) , 所以可以过滤掉不是传送给 自己的封包。 而这其中潜藏的问题, 却给予骇客入侵的另一大好机会, 截取在 LAN上传输的资料。  If the user uses a public computer to access the Internet in a public place, the external network (Internet) is connected through the local area network (LAN) of the public place. On the local area network (LAN), the Ethernet-based IP networks are taken as an example. All data (packets) flow to all PCs in the local area network in the form of broadcast (Broadcassing). Because each PC has a Network Interface Card, you can filter out packets that are not sent to you. And this hidden problem, another good opportunity for hackers to invade, intercepts the data transmitted on the LAN.
其原因如下:  The reasons are as follows:
1.为所有的封包都是以广播(Broadcas t ing)的方式流向局域网络内 所有的 PC, 而且是以明文的形态存在。 因此, 任何连上局域网络的 PC 都可以扮演监听者(Sniffer)的角色, 大方的偷看别人的资料。  1. All the packets are transmitted to all PCs in the local area network in the form of broadcast (Broadcassing), and exist in the form of plain text. Therefore, any PC connected to the local area network can play the role of a listener (Sniffer), generously peek at other people's data.
2.更糟糕的是, 一旦某人的密码被截取, 则很有可能被人以非法的 方式签入系统, 做一些非授权的事。 例如, 签核或签退公文、 更改会计 帐、 散布不实消息、 窃取研发资料后卖给竟争对手等等。 2. Worse, once someone's password is intercepted, it is very likely that someone will be checked into the system illegally and do something unauthorized. For example, signing or signing out official documents, changing accounting Accounts, disseminate false news, steal research and development materials, sell to competitors, and so on.
基于上述, 现行的网絡安全漏洞及网絡上提供 MP 3软件平台的业者 游走智能财产权边缘的乱象相对的反映出本发明的重要性与实质的进步 性与迫切的需要性。 发明内容 本发明所欲解决的技术问题是:  Based on the above, the current network security vulnerabilities and the chaos of the operators who provide the MP3 software platform on the network to navigate the edge of intelligent property rights relatively reflect the importance and substantial progress and urgent need of the present invention. SUMMARY OF THE INVENTION The technical problem to be solved by the present invention is:
本发明主要在于解决现行的网絡安全漏洞, 单独在应用网站服务器 (AP Server)端网页程序上做密码编译码的动作, 实在是无法确保能不被 骇客破解, 且使用者若在公共场所使用公用计算机, 若一时疏忽, 将其 使用者名称及密码遗留在登录画面中而忘记删除的话, 便很容易被骇客 利用一些简易操作系统的后门程序等, 拿来破解而盗用其机密资料, 进 行非法交易, 以致使用者的损失的缺失。  The invention mainly solves the current network security vulnerability, and performs the action of cipher coding and decoding on the web server of the application website server (AP Server) alone, which is really unable to ensure that it can be cracked by the hacker, and if the user uses in a public place. If the public computer, if it is negligent, left its user name and password on the login screen and forget to delete it, it is easy for the hacker to use some simple operating system backdoor programs to crack and steal the confidential information. Illegal transactions, resulting in the loss of user losses.
再者, 利用 IC卡及指紋扫描器的认证硬件的方式, 来作有效的授权 掌控, 以避免目前网络上点对点传输 P2P (Peer to Peer)方式, 游走智 能财产权法律边缘的乱象, 使得合法的著作财产权、 智能财产权拥有人 莫大的损失的问题。  In addition, the use of the IC card and the fingerprint scanner's authentication hardware to effectively control, to avoid the current peer-to-peer P2P (Peer to Peer) mode on the network, to chase the chaos of the intellectual property rights law, so that legal The issue of property rights, intellectual property owners have a huge loss of the problem.
本发明解决技术问题的技术手段是:  The technical means for solving the technical problem of the present invention are:
本发明的主要创意来自于现行网络安全漏洞百出, 对于使用者上网 安心使用其私密资料的防护性不足,是故潜心研究利用一 IC卡及指紋扫 描器来搭配一认证硬件,并与 CA身份认 ΐ正服务器(安控机制)及全球指纹 辨识系统配合以达到提升电子数据网络安全传输所欲达到的五大信息安 全需求。 提升电子数据网络安全传输, 需符合下列的五大信息安全需求:The main idea of the present invention comes from the fact that the current network security loopholes are numerous, and the user is less protective against using the private data on the Internet. Therefore, it is painstaking to study and use an IC card and a fingerprint scanner to match an authentication hardware and identify with the CA. The Yongzheng Server (Security Control Mechanism) and the Global Fingerprint Identification System work together to meet the five information security needs of the secure transmission of electronic data networks. To improve the secure transmission of electronic data networks, the following five information security requirements must be met:
(1) 资料的隐密性 ( Confidentiality ): (1) Confidentiality of information:
确保资料信息不遭第三者偷窥或窃取,以保护数据传输资料的隐私, 可透过资料加密来完成。  Ensuring that data information is not sneaked or stolen by third parties to protect the privacy of data transmission data can be accomplished through data encryption.
(2) 资料的完整性 ( Integrity ):  (2) Integrity of the data:
确保数据传输资料信息未遭有心人窜改, 以确保数据传输内容的正 确性, 可透过数字签章或资料加密予以保护。  Ensure that the data transmission data has not been tampered with to ensure the correctness of the data transmission, and can be protected by digital signature or data encryption.
(3) 来源辨识性 ( Authentication ):  (3) Source identification (Authentication):
确认数据传输信息的来源, 以避免数据传输信息遭到假冒, 可透过 数字签章或资料加密等方式加以防范。  Confirm the source of the data transmission information to avoid the data transmission information being counterfeited. It can be prevented by digital signature or data encryption.
(4) 不可否认性 ( Non-repudiation ):  (4) Non-repudiation:
传送及接收信息避免使用者事后否认曾进行数据传输, 可透过数字 签章及公开金钥基础架构来达成。  Transmitting and receiving information prevents users from denying subsequent data transmissions, which can be achieved through digital signatures and public key infrastructure.
(5) 存取控制 ( Access Control ):  (5) Access Control (Access Control):
依使用者的身份, 作存取资料的控管。 此外, 并可依使用者的身份, 决定安控模块功能的执行权限。  Control the access to data according to the identity of the user. In addition, the execution authority of the security module function can be determined according to the identity of the user.
再者, 本发明利用 IC卡及指纹扫描器认证硬件的方式, 来作有效的 授权掌控, 并将储存的文件做一特殊的编译码动作, 使之更具有资料存 取的保密性、安全性及机动性并唯一性(唯有合法使用者才能使用其储存 的文件), 以避免目前网络上点对点传输 P2P (Peer to Peer)方式, 游走 智能财产权法律边缘的乱象, 使得合法的著作财产权、 智能财产权拥有 人莫大的损失的问题。  Furthermore, the present invention utilizes an IC card and a fingerprint scanner to authenticate the hardware to perform effective authorization control, and performs a special encoding and decoding operation on the stored file to make it more confidential and secure for data access. And maneuverability and uniqueness (only legitimate users can use the files they store) to avoid the P2P (Peer to Peer) method of peer-to-peer transmission on the network, and to chase the chaos of the intellectual property rights law, so that legal property rights The problem of the loss of the owners of intelligent property rights.
是故本发明的技术特征是在利用 IC 卡装置配合上指纹扫描器装置 于一般兼容于计算机 USB接口的闪存(随身碟)上, 当作认证硬件, 此认 证硬件先置入一 IC卡读取装置(Reader)内,其先将一指纹扫描器取得指 紋透过全球指紋辨识中心的认证通过,再由一 IC卡内建一身份核对暗码 ICCID及一国际核对码 GLN去核对身份认证, 并其认证硬件可装置于一 般兼容于计算机 USB接口或 PS2插槽亦或是具有无线通讯、 红外线传输 等等的硬件上。 在使用者利用此认证硬件上会让指纹扫描器将使用者指 纹透过网络传输联机至全球网指纹辨识中心(或其它指纹辨识中心), 其 指紋辨识中心可透过实时比对方式核对使用者身份, 经一次或多次比对 成功后即为认证硬件认证成功的凭借(Server Resul t)之一, 若其指纹比 对结果错误, 系统亦会告知使用者端硬件认证失败, 而失去通关登录的 资格, 其上为第一步认证流程, 再由网登录其使用者名称(Username)及 密码(Pas sword)时, 然后 IC卡会透过内嵌程序先将其登录流程导至 CA 身份认证服务器进行加解密动作 , 透过特殊的流程先解密出 ICCID暗码 的值, 并借其比对 CA身份认证数据库, 相对应 ICCID暗码且授权通过 (Val idate=Y)的 EKI后, 先行解密得 KI , 且产生一随.机数值(Random)并 以 KI加密的结果存于 CA身份认证服务器的数据库中, 该加密后的结果 即为认证硬件认证成功的凭借(Server Resul t)之一, 并可用以记录该使 用者使用此认证硬件登入的次数, 确认该认证硬件的合法性及该暗码 ICCID 是否有登录该网站的权限, 及所被授予的权限多大, 在硬件认证 通过后, CA 身份认证服务器会将所产生的随机数值(Random)传送回 IC 卡, 当 IC卡接收到此随机数值(Random)后, IC卡内嵌程序会先将内建 的 ICCID暗码先行解密而得一 KI值 (此处的 KI值并未审核其是否为授 权通过的认证硬件, 审核权和比对权是在 CA身份认证服务器), 再借以 和所接收的随机数值(Random)进行加密而产生一 IC 卡认证的凭借 (Cl ient Resul t) , 用来供一般应用网站服务器(AP Server)端进行第三 步认证流程时和 CA 身份认证服务器交叉比对用; 而若此认证硬件上的 IC卡内设的 ICCID暗码在比对结果中未授权通过(Va l idate=N未开卡) , 则系统会告知使用者端硬件认证失败, 而失去通关登录的资格。 Therefore, the technical feature of the present invention is to use an IC card device in conjunction with a fingerprint scanner device on a flash memory (pen drive) generally compatible with a computer USB interface, as an authentication hardware. The hardware is first placed in an IC card reader (Reader), which first passes a fingerprint scanner to obtain the fingerprint through the global fingerprint identification center, and then an ID card built in an IC card to check the code ICCID and an international The verification code GLN checks the identity authentication, and the authentication hardware can be installed on a hardware that is generally compatible with a computer USB interface or a PS2 slot or has wireless communication, infrared transmission, and the like. The user can use the authentication hardware to enable the fingerprint scanner to connect the user's fingerprint to the global fingerprint identification center (or other fingerprint identification center) through the network. The fingerprint identification center can check the user through real-time comparison. Identity, after one or more successful comparisons, is one of the Server Resul ts for successful authentication of the hardware. If the fingerprint comparison result is incorrect, the system will also inform the user that the hardware authentication failed and the login is lost. Qualification, which is the first step of the certification process, and then log in to the user name (Username) and password (Pas sword), then the IC card will first pass its login process to the CA identity through the embedded program. The server performs the encryption and decryption operation, decrypts the value of the ICCID code through a special process, and compares the ICCID password to the CA identity database, and authorizes the EKI (Val idate=Y) to decrypt the KI first. And the result of generating a random value (Random) and encrypting with KI is stored in the database of the CA identity authentication server, and the encrypted result is the authentication hardware authentication. One of the Server Resul t, and can be used to record the number of times the user logs in using the authentication hardware, confirm the legality of the authentication hardware and whether the password ICCID has the right to log in to the website, and the granted The maximum number of permissions, after the hardware authentication is passed, the CA identity authentication server will transmit the generated random value (Random) back to the IC card. When the IC card receives the random value (Random), the IC card embedded program will first be inserted. The built ICCID code is first decrypted to obtain a KI value (the KI value here does not check whether it is the authentication hardware passed by the authorization, the audit right and the comparison right are in the CA identity authentication server), and then the received random number. The value of (Random) is encrypted to generate an IC card authentication (Cl ient Resul t) for the third party of the general application website server (AP Server). When the step authentication process is used for cross-matching with the CA identity authentication server; if the ICCID code set in the IC card on the authentication hardware is not authorized in the comparison result (Va l idate=N is not open), the system will Inform the user that the hardware authentication failed and the eligibility for the login is lost.
若第二步的认证流程成功的话,一般应用网站服务器(AP Server) 的 认证程序会先接收 IC 卡上的 ICCID 暗码、 IC 卡认证的凭借(Cl ient Resul t), 使用 者输入的使用者名称 (Username) 和键入的密码 (Pas sword) , 此时一般应用网站服务器(AP Server)会先透过其本身数据 库进行比对使用者名称 (Username)和密码 (Pas sword)是否正确, 并核对 该使用者的有效使用期限是否过期 , 若经比对无误, 则将 ICCID暗码及 IC 卡认证的凭借(Cl ient Resul t)传回 CA 身份认证服务器进行交叉比 对,透过特殊的流程先解密出 ICCID暗码的值, 并借其比对 CA身份认证 数据库, 找出相对应 ICCID暗码且授权通过(Val idate=Y)的认证硬件认 证成功的凭借 (Server Resul t)后, 比对认证硬件认证成功的凭借 (Server Resul t)是否和 IC卡认证的凭借(CI ient Resul t)相符,若相符, 则第三步认证通过, 若使用者经交叉比对确定是合法的注册者, 则才能 以合法使用权限通过会员登录入口, 继续导入下一步的 Web Page 并将 CA身份认证服务器上加解密出的 Server Resul t清空, 以使得使用者下 次登录时可以产生新的 Server Resul t并供暂存, 若比对结果不相符, 则告知一般应用网站服务器(AP Server)认证硬件 ICCID暗码错误, 认证 失败, 失去通关登录的资格。  If the authentication process in the second step is successful, the authentication program of the general application website server (AP Server) first receives the ICCID code on the IC card, the IC card authentication (Cl ient Resul t), and the user name entered by the user. (Username) and the typed password (Pas sword). At this time, the general application website server (AP Server) first compares the user name (Username) and password (Pas sword) through its own database, and checks against it. Whether the user's effective use period expires, if the comparison is correct, the ICCID code and the IC card authentication (Cl ient Resul t) are transmitted back to the CA identity authentication server for cross-comparison, and the special process is first decrypted. The value of the ICCID code, and by comparing the CA identity database, to find the corresponding ICCID code and authorize the authentication (Val idate=Y) authentication hardware authentication (Server Resul t), the authentication hardware authentication is successful. Whether (Server Resul t) matches IC card authentication (CI ient Resul t), if it matches, the third step is passed, if the user passes If the comparison is determined to be a legal registrant, the user can log in to the portal with the legal use permission, continue to import the next Web Page, and clear the Server Resul t encrypted and decrypted on the CA authentication server, so that the user logs in next time. A new Server Resul t can be generated for temporary storage. If the comparison result does not match, the general application website server (AP Server) is notified that the hardware ICCID code error is incorrect, the authentication fails, and the qualification for the login is lost.
而使用者下载下来的文件则会透过 IC 卡内嵌程序做一特殊的编动 作,在使用者欲开启下载下来的文件时 ,也必须透过该 IC卡认证硬件做 文件译码的动作, 才能正确的开启文件, 如此可使的更具有资料存取的 保密性、安全性及机动性并唯一性 (唯有合法使用者才能使用其储存的文 件)。 The file downloaded by the user will perform a special editing operation through the IC card embedded program. When the user wants to open the downloaded file, the file decoding operation must also be performed through the IC card authentication hardware. In order to open the file correctly, it can make the data access confidential, secure and mobile and unique (only legitimate users can use the stored text) Pieces).
而若使用者的登录流程资料在传输过程中被骇客所拦截, 其所能截 取到的仅有 CA身份认证服务器在加密过程中所产生的随机数值(Random) 而已, 而且此随机数值(Random)乃为一变动的随机数, 使用者每次登录 认证时所产生的值都不一样, 所以骇客仍无法利用其随机数值在下次登 录时做有效的登录。  If the user's login process data is intercepted by the hacker during the transmission process, only the random value (Random) generated by the CA identity authentication server during the encryption process can be intercepted, and the random value (Random) It is a variable random number. The value generated by the user each time the authentication is registered is different, so the hacker still cannot use his random value to make a valid login at the next login.
本发明资料储存应用认证流程、 IC卡及指纹扫描器认证硬件, 和使 用者(User)、应用网站服务器(AP Server)、 CA身份认证服务器(安控端) 形成一环状架构,其认证安控机制及程序只透过认证硬件上 IC卡内嵌程 序及 CA身份服务器内部程序自动导引及进行加解密动作,而其指纹辨识 中心只将指紋资料辨识认证且确认使用者身份, 对于使用者(User)和应 用网站服务器(AP Server)端而言, 并不会造成其本身的困扰, 其整合容 易, 相结合性强, 将致使其应用层面更广、 更深。 应用网站服务器(AP Server)只需在其登录网页(Login Page)加入相呼应的小段程序, 便可大 大提高该服务器所提供的服务安全性, 为使用者增加了安控机制, 对其 本身的发展性大有前景;而使用者(User)则如带了一把属于自己的私钥, 当成合法使用的凭借, 其硬件呈现方式如同一般门禁钥匙的运用, 其使 用模式较能让一般使用者接受, 不会像一般用于加解密科技产品, 因使 用程序过于繁复, 对于只接受最后结果的使用者(User)而言, 将呈现多 功能与高利用价值的附加价值。  The data storage application authentication process, the IC card and the fingerprint scanner authentication hardware, and the user (User), the application website server (AP Server), and the CA identity authentication server (the security control terminal) form a ring structure, and the authentication device is authenticated. The control mechanism and program only automatically guide and perform encryption and decryption actions through the IC card embedded program on the authentication hardware and the internal program of the CA identity server, and the fingerprint identification center only identifies and authenticates the fingerprint data and confirms the user identity. (User) and the application server (AP Server) side do not cause their own problems. The integration is easy and the combination is strong, which will make the application layer wider and deeper. The application server (AP Server) only needs to add a corresponding small program to its login page (Login Page), which can greatly improve the security of the service provided by the server, and increase the security control mechanism for the user. The development is very promising; the user (User) brings a private key of its own. As a legitimate use, its hardware presentation is like the use of a general access control key. Its usage mode is more convenient for the average user. Accept, it will not be used for encryption and decryption technology products, because the use of the program is too complicated, for users who only accept the final result (User), will present the added value of multi-functionality and high value.
且本发明所搭配的 I C卡主要是以韧体的方式烧录于芯片中,且有储 存量大的优点, 且非一般人能自行制作编辑, 不易被仿冒盗制, 其防伪 及防止被破解的功能性强, 可有效的防止被人恶意盗用的困扰, 并搭配 目的端应用网站服务器(AP Server)及 CA身份认证服务器端的相互加解 密并交叉比对的结果, 更能有效的让使用者悠游于安全的网络环境中, 且能体会科技带给人类方便的美意。 Moreover, the IC card matched with the invention is mainly burned in the chip in a firmware manner, and has the advantage of large storage capacity, and is not made by ordinary people to be edited by itself, and is not easy to be counterfeited, and its anti-counterfeiting and prevention are cracked. It is highly functional and can effectively prevent the malicious use of malicious users. It is also compatible with the destination server (AP Server) and the CA authentication server. The result of close-to-cross comparison is more effective for users to navigate in a safe network environment, and to appreciate the convenience that technology brings to humans.
且本发明所搭配的 IC卡及指紋扫描器设计,更能为应用网站服务器 (AP Server)业者有效的控管流壹及建立起分级制度, 管理权限, 防止骇 客恶意入侵及破坏, 其未来的发展性甚广。  Moreover, the design of the IC card and the fingerprint scanner matched by the invention can effectively control the flow of the application server (AP Server) and establish a classification system, manage the authority, prevent the malicious invasion and destruction of the hacker, and the future thereof. The development is very broad.
另外,搭配装置一 IC卡及一 IC卡读取装置(Reader)于其内的闪存, 不会使得资料只能存放于固定的硬盘中,使之更具有资料存取的保密性、 安全性及机动性并唯一性, 当成合法使用的凭借, 其硬件呈现方式如同 一般门禁钥匙的运用, 其使用模式较能让一般使用者接受, 不会像一般 用于加解密科技产品, 因使用程序过于繁复, 对于一般人因使用不便, 而放弃相关加解密功能的使用, 而抹煞科技带给人类方便的美意。  In addition, the flash memory of the device IC card and an IC card reader (Reader) does not allow the data to be stored in a fixed hard disk, thereby making the data access confidentiality and security more secure. Mobility and uniqueness, as a legitimate use, its hardware presentation is like the use of a general access control key, its usage mode is more acceptable to the average user, it is not used for encryption and decryption technology products, because the use of the program is too complicated For the average person to use the relevant encryption and decryption function due to inconvenient use, and wipe the technology to bring convenience to human beings.
再者,利用本发明所采用的搭配 IC卡及指紋扫描器的认证硬件的另 一附加价值是如同个人的私钥,其不连上网际网络时亦可保护单机系统, 若使用者使用公用计算机, 如办公室的计算机或学校计算机教室等多人 共享的计算机时, 亦可利用本发明来设定个人文件的读取权限, 且其解 锁方式唯有透过本发明才能顺利解除锁定, 如此可方便安全且周详的做 到个人资料私密保护, 甚至也可将外围硬件的使用权限锁住而禁止没有 使用权限的人使用。  Furthermore, another added value of the authentication hardware using the IC card and the fingerprint scanner used in the present invention is like a personal private key, which can protect a stand-alone system even when connected to the Internet, if the user uses a public computer. When a computer shared by a plurality of people such as an office computer or a school computer classroom is used, the present invention can also be used to set the reading authority of the personal file, and the unlocking method can be smoothly unlocked only by the present invention, which is convenient. Safe and detailed privacy protection of personal data, and even the use of peripheral hardware can be locked to prohibit unauthorized use.
依据前述, 本发明经由上述数道加解密并编码的防护动作, 可以确 保使用者于网站上登录认证的安全性, 并避免使用者私密资料的泄露, 且 CA身份认证服务器更可适当的为网站业者控管流量、管理权限并建立 分级制度, 提供更安全的网络环境, 更甚者, 对于愿在网络环境上提供 服务者, 也因此机制的建立, 让其服务更有依据作等值的回馈, 进一步 提供网络环境优质服务, 而让网络交易更符合公平交易秩序的原则。 且利用 IC卡及指纹扫描器认证硬件的方式, 来作有效的授权掌控, 并将储存的文件做一特殊的编译码动作 ,使之更具有资料存取的保密性、 安全性及机动性并唯一性(唯有合法使用者才能使用其储存的文件), 以 避免目前网络上点对点传输 P2P (Peer to Peer)方式, 游走智能财产权 法律边缘的乱象, 使得合法的著作财产权、 智能财产权拥有人不致莫大 的损失的问题。 According to the foregoing, the present invention can ensure the security of the login authentication of the user on the website through the above-mentioned protection and decryption and encoding, and avoid the leakage of the user's private data, and the CA identity authentication server can be appropriately used as the website. The company controls the flow, management authority and establish a grading system to provide a more secure network environment. Moreover, for those who are willing to provide services in the network environment, the establishment of the mechanism will make the service more relevant for equivalent feedback. To further provide quality services in the network environment, and to make online transactions more in line with the principle of fair trade order. And use the IC card and fingerprint scanner to authenticate the hardware, to effectively control the control, and to make the stored file a special encoding and decoding action, so that it has more confidentiality, security and mobility of data access. Uniqueness (only legitimate users can use the files they store) to avoid the P2P (Peer to Peer) method of peer-to-peer transmission on the network, and to chase the chaos of the intellectual property rights law, so that legal property rights and intellectual property rights are owned. The problem of people not losing a lot.
本发明对于先前技术的技术效果是:  The technical effect of the present invention on the prior art is:
本发明的资料储存应用、 IC卡、 指纹辨识的认证方法, 皆由用户以 浏览器上网连到 Web Server网站执行相关作业, 再由认证程序送出各请 求信息到凭证伺服系统及指紋辨识中心来。 用户的凭证确认及相关功能 可非常容易的执行,且 Web Server网络服务器端认证程序系统安装简单, 更使其应用上容易执行。  The data storage application, the IC card, and the fingerprint identification authentication method of the present invention are all connected by the user to the Web Server website by the browser to perform related operations, and then the authentication program sends the request information to the credential servo system and the fingerprint identification center. The user's credential confirmation and related functions can be easily executed, and the Web Server web server authentication program system is simple to install and makes it easy to execute.
. 和现有应用于一般应用网站服务器(AP Server)使用者登录系统的 方法比较,本发明利用了一 IC卡储存使用者的私密认证资料并一身份核 对暗码 ICCID, 且同时亦利用了一指纹扫描器取得指纹并通过指纹辨识 中心核对认证, 再将此 IC卡及指紋扫描器装置于一般兼容于计算机 USB 接口的闪存(随身碟)上, 当做认证硬件, 并搭配一认证程序于一般应用 网站服务器(AP Server)端及一外挂认证程序于输出软件上, 在使用者利 用此认证硬件上网登录其使用者名称及密码时, 经由数道加解密并编码 的防护动作, 以确保使用者于网站上登录认证的安全性, 并避免使用者 私密资料的泄露, 且可适当的为网站业者控管流量、 管.理权限并建立分 级制度, 并提供更安全的网络环境。  Compared with the existing method for applying to the general application website server (AP Server) user login system, the present invention utilizes an IC card to store the user's private authentication data and an identity check code ICCID, and also utilizes a fingerprint. The scanner obtains the fingerprint and checks the authentication through the fingerprint identification center, and then the IC card and the fingerprint scanner are installed on the flash memory (pull disk) generally compatible with the USB interface of the computer, as the authentication hardware, and with an authentication program on the general application website. The server (AP Server) and an external authentication program are used on the output software. When the user uses the authentication hardware to log in to the user name and password, the user encrypts and encrypts the protection action to ensure the user is on the website. The security of the login authentication and the leakage of the user's private data are avoided, and the website operator can be appropriately controlled to control the traffic, manage the authority and establish a classification system, and provide a more secure network environment.
另搭配上 IC 卡读取装置(Reader)的认证硬件亦可用来当做储存媒 介, 而不会使得资料只能存放于单一台计算机固定式的硬盘中, 并可将 储存的文件做一特殊的编译码动作, 使之更具有资料存取的保密性、 安 全性及机动性并唯一性(唯有合法使用者才能使用其储存的文件)。 附图说明 图 1为本发明的步驟流程图; The authentication hardware with the IC card reader (Reader) can also be used as a storage medium, so that the data can only be stored in a single computer fixed hard disk, and The stored file is subjected to a special encoding and decoding action to make it more confidential, secure and mobile and unique to the data access (only legitimate users can use the stored file). BRIEF DESCRIPTION OF DRAWINGS FIG. 1 is a flow chart of steps of the present invention;
图 2是为本发明的 IC卡认证实体流程示意图;  2 is a schematic flow chart of an IC card authentication entity according to the present invention;
图 3是为本发明的下载文件实体流程示意图;  3 is a schematic flowchart of a download file entity according to the present invention;
图 4是为本发明的开启文件步骤流程图;  4 is a flow chart showing the steps of opening a file according to the present invention;
图 5是为本发明的开启文件实体流程示意图。  FIG. 5 is a schematic diagram of the process of opening a file entity according to the present invention.
符号说明:  Symbol Description:
10 ~认证硬件  10 ~ certified hardware
20 ~ CA '身份认证服务器  20 ~ CA 'Authentication Server
30 ~应用网站服务器 具体实施方式 以下配合图标对本发明的实施方式做进一步的说明后当更能明了。 图 1为本发明的步骤流程图, 图中包含&、 b、 c、 d、 e五个主要步 骤:  30 ~ Application Website Server BEST MODE FOR CARRYING OUT THE INVENTION The following description of the embodiments of the present invention will be further clarified. Figure 1 is a flow chart of the steps of the present invention, which includes five main steps of &, b, c, d, and e:
步骤 a: 使用者使用装置是一 IC卡与指紋扫描器的结合, 并将此装 置插入一 IC卡读取装置(Reader) ,于此时使用者先将指紋透过指纹扫描 器扫描资料透过网际网络送至指纹辨识中心中, 透过指紋辨识中心认证 使用者身份, 经过指定比对次数内认证通过后即通过第一层认证; 步骤 b: 当通过指纹辨识的低一层认证后会要求登入会员, 输入使 用者名称(Useniame)及密码(Pas sword)进入指定字段, 并按登录键 (Login); Step a: The user device is a combination of an IC card and a fingerprint scanner, and the device is inserted into an IC card reading device (Reader). At this time, the user first scans the fingerprint through the fingerprint scanner. The Internet is sent to the fingerprint identification center, and the identity of the user is authenticated through the fingerprint identification center. After the authentication is passed within the specified number of comparisons, the first layer authentication is passed; Step b: After passing the lower level authentication of fingerprint identification, the user will be required to log in, enter the user name (Useniame) and password (Pas sword) to enter the specified field, and press the login key (Login);
步骤 c: 利用 IC卡内嵌程序将其登录流程导至 CA身份认证服务器, 并将 IC卡内建的 ICCID暗码传至 CA身份认证服务器,透过 CA身份认证 服务器特殊的程序来判定认证硬件上的 IC卡是否合法及审核权限,正确 则在 CA身份认证服务器数据库上记录其登入次数,产生一认证硬件认证 成功的凭借(Server Resul t) , 并回传译码过程中所产生的随机数值 (Random)至 IC卡;  Step c: The IC card embedded program is used to guide the login process to the CA identity authentication server, and the ICCID code built into the IC card is transmitted to the CA identity authentication server, and the special authentication procedure of the CA identity authentication server is used to determine the authentication hardware. Whether the IC card is legal and auditing authority, if it is correct, the number of logins is recorded on the CA authentication server database, generating a server hardware reliability (Server Resul t), and returning the random value generated during the decoding process ( Random) to the IC card;
步骤 d: 前述步骤正确后, IC卡利用 IC卡内嵌程序将取得的随机数 值(Random)用来译码内建的 ICCID 暗码, 并产生一 IC 卡认证的凭借 (Cl ient Resul t) , 并将其登录流程导至应用网站服务器(AP Server) , 并将 ICCID暗码、 IC卡认证的凭借(Cl ient Resul t), 使用者输入信息 一并传至应用网站 务器 P Server) , 让应用网站 H良务器(AP Server) 依其数据库判定使用者输入的信息是否正确, 并查询使用期限(ava i l date);  Step d: After the foregoing steps are correct, the IC card uses the IC card embedded program to use the acquired random value (Random) to decode the built-in ICCID code, and generates an IC card authentication (Cl ient Resul t), and The login process is guided to the application website server (AP Server), and the ICCID code, the IC card authentication (Cl ient Resul t), the user input information is transmitted to the application server P server), and the application website is made. The server (AP Server) determines whether the information input by the user is correct according to the database, and queries the use period (ava il date);
步驟 e: 前述步骤正确后, 应用网站服务器(AP Server)将所接受的 ICCID暗码及 IC卡认证的凭借(Cl ient Resul t)传至 CA身份认证服务器 以供再次解密确认认证硬件及使用者信息的正确性。  Step e: After the foregoing steps are correct, the application server (AP Server) transmits the accepted ICCID code and the IC card authentication (Cl ient Resul t) to the CA identity authentication server for decryption to confirm the authentication hardware and user information. The correctness.
兹将以上步 K故一详细说明如下: ·  I will explain the above steps in detail as follows:
步骤 a是指: 使用者将手指指紋正对着指紋扫描器上的扫描器部位 置放以便扫描, 再将扫描后的指紋加密送出封包至指纹辨识中心, 其指 纹辨识中心会将收到的指纹进一步做比对, 看使用者身份是否正确, 若 是错误会送回加密封包通知错误信息让使用者得知, 使用者必须重新扫 描指纹, 再送加密后的封包至指紋辨识中心认证, 其认证的次数可经由 限制以增加其安全性, 若是确认身份无误即可进入下一个步骤, 此为第 一个认证流程。 Step a means: the user puts the fingerprint of the finger directly on the scanner portion of the fingerprint scanner for scanning, and then encrypts the scanned fingerprint to send the packet to the fingerprint identification center, and the fingerprint identification center will receive the fingerprint. Further comparison, to see if the user identity is correct, if it is wrong, it will be sent back to the sealed package to notify the user of the error message, the user must re-scan The fingerprint is fingerprinted, and then the encrypted packet is sent to the fingerprint identification center for authentication. The number of authentications can be increased to increase its security. If the identity is confirmed, the next step can be performed. This is the first authentication process.
步骤 b是指:使用者透过一 I C卡内建一身份核对暗码 I CC I D及一国 际核对码 GLN, 将此 IC卡置入一 IC卡读取装置(Reader)内, 并装置于 一般兼容于计算机 USB接口的闪存(随身碟)上, 当作认证硬件, 并利用 此认证硬件上网登录其使用者名称(Username)及密码(Pas sword)后按登 录键(Login) 。  Step b means that the user builds an identity verification code I CC ID and an international verification code GLN through an IC card, and places the IC card into an IC card reading device (Reader), and the device is generally compatible. On the flash memory (USB drive) of the computer USB interface, use it as the authentication hardware, and use this authentication hardware to log in to the user name (Username) and password (Pas sword) and press the login key (Login).
步骤 c 是指: 在使用者输入其使用者名称(Username)及密码 (Pas sword)后, 透过 IC卡内嵌程序先将其登录流程导至 CA身份认证服 务器进行加解密动作, 透过特殊的流程先解密出 ICCID暗码的值, 并借 其比对 CA身份认证数据库,相对应 ICCID暗码且授权通过(Val idated) 的 EKI后, 先行解密得 KI , 且产生一随机数值(Random)并以 KI加密的 结果存于 CA身份认证服务器的数据库中 ,该加密后的结果即为认证硬件 认证成功的凭借(Server Resul t) , 并可用以记录该使用者使用此认证硬 件登入的次数, 确认该认证硬件的合法性及该暗码 ICCID是否有登录该 网站的权限, 及所被授予的权限多大, 在硬件认证通过后, CA身份认证 服务器会将所产生的随机数值(Random)值传送回 IC卡, 当作 KEY, 用来 供一般应用网站服务器(AP Server)端通过第二步认证流程后和 CA身份 认证服务器交叉比对用;而若此认证硬件上的 IC卡内设的 ICCID暗码在 比对结果中未授权通过(Val idated未开卡), 则系统会告知使用者端硬 件认证失败, 而失去通关登录的资格。 此为第二步的认证流程。  Step c means: After the user inputs the user name (Username) and password (Pas sword), the IC card embedded program first directs the login process to the CA identity authentication server for encryption and decryption, through special The process first decrypts the value of the ICCID secret code, and compares the CA identity authentication database, corresponding to the ICCID code and authorizes the (Val idated) EKI, decrypts the KI first, and generates a random value (Random) and The result of the KI encryption is stored in the database of the CA identity authentication server. The encrypted result is the server reliability of the authentication hardware authentication (Server Resul t), and can be used to record the number of times the user logs in using the authentication hardware, and confirms the The legality of the authentication hardware and whether the password ICCID has the right to log in to the website, and the permission granted. After the hardware authentication is passed, the CA identity authentication server will transmit the generated random value (Random) value back to the IC card. , as a KEY, used by the general application website server (AP Server) to pass the second authentication process and the CA authentication server For comparison; if the ICCID code in the IC card on the authentication hardware is not authorized in the comparison result (Val idated is not open), the system will inform the user that the hardware authentication fails and the gateway is lost. qualifications. This is the second step of the certification process.
步驟 d 是指: 第二步的认证流程成功, 一般应用网站服务器(AP Server)会先接收 IC卡上由 CA身份认证服务器所传送过来的 KEY值, ICCID 暗码, 使用者输入的使用者名称(Username)和键入的密码 (Pas sword) , 再将其流程导至一般应用网站服务器(AP Server)进行比对 使用者姓名(Username)和密码(Password)是否正确, 并核对该使用者的 有效使用期限是否过期。 Step d means: The authentication process of the second step is successful, and the general application website server (AP Server) first receives the KEY value transmitted by the CA identity authentication server on the IC card. ICCID password, user name (Username) and password (Pas sword) entered by the user, and then the process is directed to the general application website server (AP Server) for comparing the user name (Username) and password (Password). Is it correct, and check whether the effective use period of the user expires.
步驟 e是指: 步骤 d若经比对无误, 则将 KEY值及 ICCID暗码传回 Step e means: Step d If the comparison is correct, the KEY value and the ICCID code are sent back.
CA身份认证服务器进行加解密, 透过特殊的流程先解密出 ICCID暗码的 值, 并借其比对 CA 身份认证数据库, 相对应 ICCID 暗码且授权通过 (Val idate=Y)的 EKI后 ,并用 KEY值去对 EKI值解密,比对是否和 Server Resul t相符, 若相符, 则第三步认证通过, 若使用者经交叉比对确定是 合法的注册者, 则才能以合法使用权限通过会员登录入口, 继续导入下 一步的 Web Page并将 CA身份认证服务器上加解密出的 Server Resul t 清空, 以使得使用者下次登录时可以产生新的 Server Resul t并供暂存, 若比对结果不相符, 则告知一般应用网站服务器(AP Server)认证硬件 ICCID 暗码错误, 认证失败, 失去通关登录的资格, 此为笫三步认证流 程。 The CA authentication server performs encryption and decryption, decrypts the value of the ICCID secret code through a special process, and compares the CA identity authentication database with the ICCID password and authorizes the EKI (Val idate=Y) and uses KEY. The value is to decrypt the EKI value, and the comparison is consistent with Server Resul t. If it matches, the third step is passed. If the user determines that the registrant is a valid registrant through cross-matching, then the member can log in through the member with legal use rights. Continue to import the next Web Page and clear the Server Resul t encrypted and decrypted on the CA authentication server, so that the user can generate a new Server Resul t for temporary storage when the user logs in next time, if the comparison result does not match. , the general application website server (AP Server) is certified to the hardware ICCID password error, the authentication fails, and the qualification for the login is lost. This is the three-step authentication process.
图 2是为本发明的 IC卡认证实体流程示意图,图中显示本发明实际 认证运作时的流程导向, 使用者除了指纹认证方式外从登录到正式认证 成功共经过 5个路由, 请参考图标, 路由 1为使用者利用一认证硬件的 装置 IC卡 10登入 Web Server服务器 30网页 Member Login窗口登录其 会员资料, 使用者在输入 Username 和 Pas sword 之后, 按登录键 (Login) ,此时 IC卡内嵌程序便会先将其登录流程导至 CA身份认证服务 器 20, 并将 IC卡内建的 ICCID码暗传至 CA身份认证服务器 20进行加 解密动作, 此.时进行 CA身份认证服务器 20的认证流程 l (Winsock), 在 认证流程 (Winsock)里透过特殊的流程先解密出 ICCID暗码的值,并借其 比对 CA身份认证数据库, 相对应 ICCID暗码且授权通过(Validate=Y) 的 E I后, 先行解密得 KI, 且产生一随机数值(Random)并以 KI加密的 结果存于 CA身份认证服务器的数据库中,该加密后的结果即为认证硬件 认证成功的凭借 (Server Result) , 并可用以记录该使用者使用此认证硬 件登入的次数, 确认该认证硬件的合法性及该暗码 ICCID是否有登录该 网站的权限, 及所被授予的权限多大, 在硬件认证完成后, 紧接着触动 路由 2, 将 CA身份认证服务器所产生的随机数值(Random)传送回 IC卡, 当 IC 卡接收到此随机数值(Random)后, IC 卡内嵌程序会先将内建的 ICCID暗码先行解密而得一 KI值 (此处的 KI值并未审核其是否为授权 通过的认证硬件, 审核权和比对权是在 CA身份认证服务器), 再借以和 所接收的随机数值(Random)进行加密而产生一 IC卡认证的凭借(CI ient Result) , 用来供一般应用网站服务器(AP Server)端进行第三步认证流 程时和 CA身份认证服务器交叉比对用; 而若此认证硬件上的 IC卡内设 的 ICCID暗码在比对结果中未授权通过(Validate=N未开卡), 则系统会 告知使用者端硬件认证失败, 而失去通关登录的资格。 2 is a schematic flow chart of an IC card authentication entity according to the present invention. The figure shows the flow direction of the actual authentication operation of the present invention. In addition to the fingerprint authentication mode, the user has 5 routes through login to formal authentication. Please refer to the icon. Route 1 is a user IC card 10 that uses an authentication hardware to log in to the Web Server server 30 webpage Member Login window to log in its member information. After entering the Username and Pas sword, the user presses the login key (Login), and the IC card is inside. The embedded program firstly directs its login process to the CA identity authentication server 20, and implicitly transmits the ICCID code built into the IC card to the CA identity authentication server 20 for encryption and decryption, and then performs authentication of the CA identity authentication server 20. Process l (Winsock), in the authentication process (Winsock), first decrypt the value of the ICCID code through a special process, and borrow Compare the CA authentication database, corresponding to the ICCID code and authorize the EI (Validate=Y), decrypt the KI first, and generate a random value (Random) and encrypt the result with KI in the database of the CA authentication server. The encrypted result is the Server Result of the authentication hardware authentication, and can be used to record the number of times the user logs in using the authentication hardware, confirm the legality of the authentication hardware, and whether the password ICCID is logged in. The permissions of the website and the permissions granted. After the hardware authentication is completed, the route 2 is touched, and the random value (Random) generated by the CA authentication server is transmitted back to the IC card. When the IC card receives the random value. After (Random), the IC card embedding program first decrypts the built-in ICCID code to obtain a KI value (the KI value here does not check whether it is the authentication hardware passed by the authorization, and the review right and the comparison right are In the CA identity authentication server, and then by encrypting with the received random value (Random) to generate an IC card authentication (CI ient Result), for general use When the third server authentication process is performed on the website server (AP Server), the CA authentication server cross-matches with the CA authentication server; if the ICCID password in the IC card on the authentication hardware is not authorized in the comparison result (Validate=N) If the card is not opened, the system will inform the user that the hardware authentication failed and the eligibility for the login is lost.
而若第二步的认证流程成功的话, 则触动路由 3—般应用网站服务 器(AP Server) ,会先接收 IC卡上的 ICCID暗码、 IC卡认证的凭借(CI ient Result) , 使用者输入的使用者名称 (User name) 和键入的密码 (Password) , 此时一般应用网站服务器(AP Server)会先透过其本身数据 库进行比对使用者名称(Username)和密码(Password)是否正确, 并核对 该使用者的有效使用期限是否过期, 若经比对无误, 再触动路由 4进行 认证流程 2, 将 ICCID暗码及 IC卡认证的凭借(Client Result)传回 CA 身份认证服务器进行交叉比对, 透过特殊的流程先解密出 ICCID暗码的 值, 并借其比对 CA身份认证数据库,找出相对应 ICCID暗码且授权通过 (Val idate=Y)的认证硬件认证成功的凭借(Server Resul t)后, 比对认证 硬件认证成功的凭借(Server Resul t)是否和 IC 卡认证的凭借(CI ient Resul t)相符, 若相符, 则第三步认证通过, 触动路由 5 , 若使用者经交 叉比对确定是合法的注册者,则才能以合法使用权限通过会员登录入口, 继续导入下一步的 Web Page 并将 CA 身份认证服务器上加解密出的 Server Resul t 清空, 此为最后步骤, 路由八; 而若比对结果不相符, 则告知一般应用网站服务器(AP Server)认证硬件 ICCID暗码错误, 认证 失败, 失去通关登录的资格。 If the authentication process of the second step is successful, then the route server 3 (AP Server) is touched, and the ICCID code and the IC card authentication (CI ient Result) on the IC card are first received, and the user inputs The user name (Personal name) and the typed password (Password). At this time, the general application web server (AP Server) first compares the user name (Username) and password (Password) through its own database, and Check whether the effective use period of the user expires. If the comparison is correct, then the route 4 is touched to perform the authentication process 2, and the ICCID code and the IC card authentication (Client Result) are transmitted back to the CA identity authentication server for cross comparison. Through the special process, the value of the ICCID code is decrypted first, and the CA identity database is compared to find the corresponding ICCID code and the authorization is passed. (Val idate=Y) After the successful authentication of the hardware authentication (Server Resul t), whether the server reliability of the authentication hardware authentication (Server Resul t) matches the CI ient Resul t, if it matches Then, the third step is passed, and the route 5 is touched. If the user determines that the registrant is a valid registrant by cross-matching, the user can log in to the portal through the legal use permission, and continue to import the next Web page and the CA identity authentication server. The Server Resul t is encrypted and cleared. This is the last step, routing eight. If the comparison result does not match, the general application website server (AP Server) is notified that the hardware ICCID password is incorrect, the authentication fails, and the login is lost. .
图 3是为本发明的下载文件实体流程示意图,其为图 2的概略图标, 由图中可清楚看出本发明的下载文件实体流程运作时的流程导向, 从使 用者登录到正式登录完成共经过 4个路由,其中路由 2即为认证机制(请 参图 2)。  3 is a schematic diagram of the flow of the download file entity of the present invention, which is a schematic icon of FIG. 2, which clearly shows the flow direction of the download file entity process of the present invention, from the user login to the official login completion. After 4 routes, route 2 is the authentication mechanism (see Figure 2).
图 4是为本发明的开启文件步骤流程图, 由图中可清楚看出使用者 欲开启编码过的文件时, 必须先将原认证硬件插入至计算机 USB接头或 其它播放器的 USB接头之中, 在开启 MP3播放软件或应用软件时, 通过 指紋辨识的认证后, IC卡内嵌程序会先将内建的 ICCID暗码传至外挂的 认证程序或在本身已有认证程序代码的 MP 3播放软件或应用软件上先行 译码并判断认证硬件的正确性< 3 61). 1〉, 再将认证结果传回 MP3播放软 件或应用软件 <s tep. 2>, 若认证通过认证硬件合法, 则透过 IC卡内嵌程 序将欲开启的文件 #丈译码 <s tep. 3>, 并透过 MP3播放软件或应用软件开 启该译码后的文件使用<^6 . 4>, 而若认证硬件认证失败的话, 则会产 生错误信息, 告知使用者认证硬件 ICCID错误认证失败。 4 is a flow chart of the steps of opening a file according to the present invention. It can be clearly seen from the figure that when the user wants to open the encoded file, the original authentication hardware must first be inserted into the USB connector of the computer or the USB connector of other players. When the MP3 player software or application software is enabled, after the fingerprint identification is authenticated, the IC card embedded program first transmits the built-in ICCID code to the external authentication program or the MP3 player software that has the authentication program code itself. Or firstly decode the application software and judge the correctness of the authentication hardware < 3 61). 1>, then pass the authentication result back to the MP3 player software or application software <s tep. 2>, if the authentication is legal through the authentication hardware, After the IC card embedded program, the file to be opened is decoded by <s tep. 3>, and the decoded file is opened by the MP3 player software or application software using <^ 6. 4>, and if the hardware is authenticated. If the authentication fails, an error message will be generated to inform the user that the authentication hardware ICCID failed to be authenticated.
图 5是为本发明的开启文件实体流程示意图,其为图 4的概略图标, 由图中可清楚看出本发明的开启文件实体流程运作时的流程导向, 从使 用者利用认证硬件插入至计算机 USB接头或其它播放器的 USB接头之中, 开启 MP3播放软件或应用软件时到正确的开启文件共经过 5个路由, 其 中路由 2即为外挂的认证程序或在本身已有认证程序代码的 MP3播放软 综上所述,本发明所提供的数据储存应用认证流程及 IC卡认证硬件, 能取代现有的应用网站服务器(AP Server)登录模式, 其是利用了一 IC 卡内建一身份核对暗码 ICCID及一国际核对暗码 GLN,并将此 IC卡装置于 一般兼容于计算机 USB接口的闪存(随身碟)上, 当作认证硬件,在使用者 利用此认证硬件做登录动作时, 经由数道加解密并目的端及认证端服务 器的交叉比对系统, 可有效确认使用者的合法性及有效的控管流量; 再 者, 利用本发明所采用的搭配 IC卡的认证硬件的另一附加价值是如同个 人的私钥, 具有高防护性及高安全性的优越功能, 具应用层面广泛及高 安全性特点, 且为前所未有的设计, 另外本发明更可使提供著作财产权 文件或智能财产权文件的网站页者(如唱片业者)作有效的授权掌控, 而 可避免目前网络上点对点传输 P2P (Peer to Peer)方式,供网友互相上传、 下载、分享有著作财产权或是有智能财产权的文件(如歌手的 MP3)的游走 智能财产权法律边缘乱象的发生, 而使得合法的业者(著作财产权、智能 财产权拥有人)的权益严重损失, 正为当今迫切需要的设计。 FIG. 5 is a schematic diagram of the process of opening a file entity according to the present invention, which is a schematic icon of FIG. 4, and the flow direction of the open file entity process of the present invention is clearly seen from the figure, The user uses the authentication hardware to insert into the USB connector of the computer or the USB connector of other players. When the MP3 player software or application software is turned on, the user can correctly open the file through 5 routes, where route 2 is the external authentication program or The MP3 playback software of the authentication program code itself has been described above. The data storage application authentication process and the IC card authentication hardware provided by the present invention can replace the existing application website server (AP Server) login mode, which utilizes An IC card has an identity verification code ICCID and an international verification code GLN built in, and the IC card is installed on a flash memory (flash drive) generally compatible with a computer USB interface, and is used as an authentication hardware, and the user utilizes the authentication hardware. When the login operation is performed, the user's legality and effective control flow can be effectively confirmed through a plurality of encryption and decryption and cross-matching systems of the destination end and the authentication end server. Furthermore, the matching IC card used in the present invention is utilized. Another added value of the certified hardware is the private key of the individual, the superior function of high protection and high security, and the application level is wide. And high security features, and unprecedented design, in addition to the invention, the website page (such as the record player) providing the property rights document or the intelligent property rights document can be effectively authorized to control, and can avoid the point-to-point transmission of P2P on the current network. (Peer to Peer) method for netizens to upload, download, and share documents with intellectual property rights or documents with intellectual property rights (such as singer's MP3) to move away from the intellectual property rights law, and make legal operators (authors) The serious loss of the rights of property rights and intellectual property owners is a design that is urgently needed today.

Claims

权 利 要 求 Rights request
1. 一种资料储存应用、 ic卡、 指紋辨识的认证方法, 主要的特征 是利用一指纹扫描器取得指纹透过全球指纹辨识中心的认证通过, 再配 合一 IC卡内建一身份核对暗码 ICCID及一国际核对码 GLN, 将此 IC卡置入 一 IC卡读取装置内, 并将两者装置于一般兼容于计算机的硬件上, 当作 认证硬件, 主要包含下列步骤: 步骤 a: 使用者使用装置是一 IC卡与指紋扫描器的结合, 并将此装置 插入一 IC卡读取装置, 于此时使用者先将指纹透过指紋扫描器扫描资料 透过网际网络送至指纹辨识中心中,透过指纹辨识中心认证使用者身份, 经过指定比对次数内认证通过后即通过第一层认证; 1. A data storage application, an ic card, and a fingerprint identification authentication method. The main feature is that a fingerprint scanner is used to obtain fingerprints through the global fingerprint identification center, and an IC card is built into an identity verification code ICCID. And an international verification code GLN, the IC card is placed in an IC card reading device, and the two are installed on the hardware generally compatible with the computer, as the authentication hardware, mainly comprising the following steps: Step a: User The device is a combination of an IC card and a fingerprint scanner, and the device is inserted into an IC card reading device. At this time, the user first sends the fingerprint through the fingerprint scanner to the fingerprint identification center through the Internet. The identity of the user is authenticated through the fingerprint identification center, and the first layer of authentication is passed after the authentication is passed within the specified number of comparisons;
步骤 b : 当通过指纹辨识的低一层认证后会要求登入会员, 输入使用 者名称及密码进入指定字段, 并按登录键;  Step b: After passing the lower level authentication of fingerprint identification, the user will be required to log in, enter the user name and password to enter the specified field, and press the login button;
步骤 c: 利用 IC卡内嵌程序将其登录流程导至 CA身份认证服务器, 并 将 IC卡内建的 ICCID暗码传至 CA身份认证服务器,透过 CA身份认证服务器 特殊的程序来判定认证硬件上的 IC卡是否合法及审核权限, 此为笫二层 认证, 正确则在 CA身份认证服务器数据库上记录其登入次数, 产生一认 证硬件认证成功的凭借, 并回传译码过程中所产生的随机数值至 IC卡; 步骤 d: 前述步骤正确后, IC卡利用 IC卡内嵌程序将取得的随机数值 用来译码内建的 ICCID暗码, 并产生一 IC卡认证的凭借, 并将其登录流程 导至应用网站服务器, 并将 ICCID暗码、 IC卡认证的凭借, 使用者输入信 息一并传至应用网站服务器, 让应用网站服务器依其数据库判定使用者 输入的信息是否正确, 并查询使用期限; 步驟 e: 前述步骤正确后, 应用网站服务器将所接受的 ICCID暗码及 IC卡认证的凭借传至 CA身份认证服务器。 Step c: The IC card embedded program is used to guide the login process to the CA identity authentication server, and the ICCID code built into the IC card is transmitted to the CA identity authentication server, and the special authentication procedure of the CA identity authentication server is used to determine the authentication hardware. Whether the IC card is legal and auditing authority, this is the second layer authentication. Correctly, the number of logins is recorded on the CA authentication server database, which generates a successful authentication hardware authentication, and returns the random generated during the decoding process. The value is to the IC card; Step d: After the foregoing steps are correct, the IC card uses the IC card embedded program to use the obtained random value to decode the built-in ICCID code, and generates an IC card authentication, and logs in the process. Leading to the application website server, and passing the ICCID code and IC card authentication, the user input information is transmitted to the application website server, and the application website server determines whether the information input by the user is correct according to the database, and queries the use period; Step e: After the foregoing steps are correct, the application website server transmits the accepted ICCID code and the IC card authentication to the CA identity authentication server.
2. 根据权利要求 1所述的资料储存应用、 IC卡、 指紋辨识的认证 方法, 其中该装置 IC卡及指紋扫描器的认证硬件,可为一 USB接口的硬 件。  2. The data storage application, the IC card, and the fingerprint identification authentication method according to claim 1, wherein the authentication hardware of the IC card and the fingerprint scanner of the device is a hardware of a USB interface.
3. 根据权利要求 1所述的资料储存应用、 IC卡、 指纹辨识的认证 方法, 其中该装置 IC卡及指纹扫描器的认证硬件, 可为一无线 USB接口 的硬件。  3. The data storage application, IC card, and fingerprint identification authentication method according to claim 1, wherein the authentication hardware of the device IC card and the fingerprint scanner is a hardware of a wireless USB interface.
4. 根据权利要求 1所述的资料储存应用、 IC卡、 指紋辨识的认证 方法, 其中该装置 IC卡的认证硬件, 可为一闪存。  4. The data storage application, IC card, and fingerprint identification authentication method according to claim 1, wherein the authentication hardware of the IC card of the device is a flash memory.
5. 根据权利要求 1所述的资料储存应用、 IC卡、 指纹辨识的认证 方法, 其中指纹扫描器为一 CCD指纹扫描器。  5. The data storage application, IC card, and fingerprint identification authentication method according to claim 1, wherein the fingerprint scanner is a CCD fingerprint scanner.
6. 根据权利要求 1所述的资料储存应用、 IC卡、 指紋辨识的认证 方法, 其中指紋扫描器为一 C0MS指紋扫描器。  6. The data storage application, IC card, and fingerprint identification authentication method according to claim 1, wherein the fingerprint scanner is a C0MS fingerprint scanner.
7. 根据权利要求 1所述的资料储存应用、 IC卡、 指纹辨识的认证 方法, 其中指紋扫描器为一 C0MS电容式指紋扫描器。  7. The data storage application, IC card, and fingerprint identification authentication method according to claim 1, wherein the fingerprint scanner is a C0MS capacitive fingerprint scanner.
8. 根据权利要求 1所述的资料储存应用、 IC卡、 指纹辨识的认证 方法, 其中指纹扫描器为一 C0MS电阻式指纹扫描器。  8. The data storage application, IC card, and fingerprint identification authentication method according to claim 1, wherein the fingerprint scanner is a C0MS resistive fingerprint scanner.
PCT/CN2004/001155 2004-10-12 2004-10-12 Authentication method for storage and application of data, ic card, fingerprint scanner WO2006039832A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2004/001155 WO2006039832A1 (en) 2004-10-12 2004-10-12 Authentication method for storage and application of data, ic card, fingerprint scanner

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2004/001155 WO2006039832A1 (en) 2004-10-12 2004-10-12 Authentication method for storage and application of data, ic card, fingerprint scanner

Publications (2)

Publication Number Publication Date
WO2006039832A1 true WO2006039832A1 (en) 2006-04-20
WO2006039832A8 WO2006039832A8 (en) 2006-08-10

Family

ID=36148028

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2004/001155 WO2006039832A1 (en) 2004-10-12 2004-10-12 Authentication method for storage and application of data, ic card, fingerprint scanner

Country Status (1)

Country Link
WO (1) WO2006039832A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106682712A (en) * 2016-12-30 2017-05-17 镇江市民卡有限公司 Integrated citizen card system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1405686A (en) * 2001-09-14 2003-03-26 东维成科技股份有限公司 System and method for ensuring computer host safety
CN1514573A (en) * 2003-04-24 2004-07-21 徐文祥 Identity authentication method and its identity authentication system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1405686A (en) * 2001-09-14 2003-03-26 东维成科技股份有限公司 System and method for ensuring computer host safety
CN1514573A (en) * 2003-04-24 2004-07-21 徐文祥 Identity authentication method and its identity authentication system

Also Published As

Publication number Publication date
WO2006039832A8 (en) 2006-08-10

Similar Documents

Publication Publication Date Title
JP6606156B2 (en) Data security service
EP1498800B1 (en) Security link management in dynamic networks
US7100048B1 (en) Encrypted internet and intranet communication device
US20080240447A1 (en) System and method for user authentication with exposed and hidden keys
CN101192926A (en) Account protection method and system
Prakash et al. Eliminating vulnerable attacks using one time password and passtext analytical study of blended schema
US20050066199A1 (en) Identification process of application of data storage and identification hardware with IC card
TWI328956B (en)
US20150121504A1 (en) Identification process of application of data storage and identification hardware with ic card
US20100058453A1 (en) Identification process of application of data storage and identification hardware with ic card
WO2005041482A1 (en) An authentication method for information storing application and a ic card authentication hardware
WO2006039832A1 (en) Authentication method for storage and application of data, ic card, fingerprint scanner
WO2005041481A1 (en) A method of internet clearance security certification and ic card certification hardware
CN1612148A (en) Data storage and application authentication method and IC card authentication hardware
TW200539045A (en) Data storage application, IC card, fingerprint scanner authentication hardware and process flow method
JP2014081887A (en) Secure single sign-on system and program
JP2006074487A (en) Authentication managing method and authentication management system
US11218472B2 (en) Methods and systems to facilitate establishing a connection between an access-seeking device and an access granting device
CN109284615B (en) Mobile equipment digital resource safety management method
Tysowski OAuth standard for user authorization of cloud services
Nagar et al. A secure authenticate framework for cloud computing environment
CN1612117A (en) Internet link secure authentication method and IC card authentication hardware
WO2005041480A1 (en) A method of mail server landing security certification and ic card certification hardware
Kumar et al. SDN based pollution attack detection and prevention in cloud computing
Kashyap et al. A survey on various authentication attacks and database secure authentication techniques

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 04762283

Country of ref document: EP

Kind code of ref document: A1