1357752 , · 九、發b月說明·· 【發明所屬之技術領域】 .一本發明係關於一種網路用戶身分驗證系統與方法,更 ★ °羊而D之,係一種支援多種認證來源、多種認證領域與多 種認證方式之通用型網路用戶身分驗㈣統與方法。、 【先前技術】1357752 , · 九,发b月说明·· [Technical field of invention] A invention relates to a network user identity verification system and method, and more is a kind of support for multiple authentication sources, multiple The general network user identification (four) system and method in the field of certification and multiple authentication methods. [Prior Art]
網路使用越來越大眾化,隨著網路的蓬勃發展,網路 的建構及擴展已漸漸地改變人類的行為模式。舉例來說, 由於網路相當的普及,使大部分的使用者透過網 料'劇覽知識、購買商品、工作、討論問題與交朋友:: :社各樣的網站出現於網路上’藉由與各種不同的網 技。仃互動,使得人類的行為更方便、更快速且更科 —般來說,使用者登人網站,必須先 當制者具有多數網站的帳號與密碼= 相同與费碼常對使用者造成困擾。若使用者設定 ㈣版 碼,一但資料外茂(例如遭駭客盜取帳號 二:站竊取個人資料)’非法之用戶即可輕易地以該 在-碼登入網路’假冒使用者身分在網 以’交友或發表言論,使真正使用者造成極大損宝 另-方面’網路服務平台為了防止不合法的:戶入 =可能絲㈣建翻全贿機制 :::rr’再增加一道認證關卡,藉心= 的難度,強化網站登入安全性 】】0896 5 1357752 I ' 然i ’上述習知技術存在以下的問題: (1)便利性不足。使用者於登入特定網站時,需輸入 該特定網站的帳號密碼並通過另一道認證關卡'然而當使 :用者具有多數網站的帳號密碼時,如何找出對應該網:的 帳號與密碼及該網站增設的認證關卡以登人該特定網站 係使用者所面臨的-大難題,因此也造成使用上的 利。 …2)成t增加。網站的業者為了避免骇客入侵而額外 '網路女全s忍證機制’自然造成營運成本的增加。 (3)安全性不足。網站的業者所建構的網路安曰全“ 機制通常僅具有特定的認證方式與認證來源 = =試後仍有可能找出破解的方法,因此會影響二: 綜上所述’如何能提供一種 戶身分驗證系統與方法,遂成為目;上1問桃網路用 【發明内容】 成為目心待解決的課題。 為解決前述習知技術之缺失,本發明提供一 戶身分驗證系統,係應用於網路 用 驗證系統包括:用戶端裝置,⑽用戶身分 資料處理與存取功能;網站,係提供該罔路連,功能及/或 務;以及認證系統,係用以對連網戶'而裝置網路服 之用戶進行身分認證,其中,當_之該用戶端裳置 時,該網站通知該認證系統對該用戶令山=置連結該網站 分認證,該認證系統請求該用 = <用戶進行身 而羞置輪入認證資訊,該 110896 6 1357752 * ’ ιέ證系統比對該認證資訊並將認證結果傳回該網站。 本發明又提供一種網路用戶身分認證方法,係應用於 網路用戶身分驗證系統中,該網路用戶身分認證方法包 括:令用戶端裝置透過該網路系統與網站連結;令該網站 通知認證系統對該用戶端裝置之用戶進行身分認證;令該 認證系統請求該用戶端裝置輸入認證資訊;令該認證系統 比對該認證資訊;以及令該認證系統將認證結果傳回該網 站。 Φ 本發明再提供一種網路用戶身分認證方法,係應用於 具有認證資訊裝置之網路用戶身分驗證系統中,該網路用 戶身分認證方法包括令用戶端裝置透過該網路系統與網 站連結;令該網站通知認證系統對該用戶端裝置之用戶進 行身分認證;令該認證系統確認對應該用戶端裝置之認證 資訊裝置,其中,該認證資訊係由一與該用戶端裝置搭接 之認證資訊裝置所提供;令該認證系統請求該用戶端裝置 輸入認證資訊;令該認證系統比對該認證資訊與該認證資 籲訊裝置是否有對應關係;以及令該認證系統將認證結果傳 回該網站。 相較於習知的技術,本發明之網路用戶身分驗證系統 與方法解決了習知網路用戶身分驗證系統的缺點。本發明 之網路用戶身分驗證系統與方法應用一種網路安全認證 平台,當用戶登入特定網站時,由此認證平台對使用者進 行身分認證。由於此認證平台可支援多種認證方式與認證 來源,其安全性自然比習知技術要高,網路服務業者也無 ]10896 1357752 » » • ^ ^ 需另外建構額外的認證機制。且對於具備認證資訊裝置的 周戶,可將多種網路服務網站的帳號設定為相同的認證方 .”昇使用的便利性。因此解*了習知技術的不;:、 . 南成本以及安全性不足的問題。 【實施方式】 以下係藉由特定的具體實施例說明本發明之實施方 瞭无此技術之人士可由本說明書所揭示之内容輕易地 ’、1明之其他優點與功效。本發明亦可#由1 # π 鲁的具體實施例純施行或制。 了❹其他不同 的竿=閱Λί所圖,其係本發明之網路用戶身分驗證系統 庫IS: 本發明之網路用戶身分驗證系統係 :用於稱系統(以τ稱網路)1(),包 網站12以及認證系統13。 戶Μ置U、 網路10用以作為資料傳輸的媒介,並 如為採用有線式之ADSL、Fm ^連、',。方式可例 或採用I線式之絪败、•… 觸之網路連結及/ •,,、路連、,·口。本發明之網路用戶身分驗执车 、、先所採用之架構為網際網路,但 h 乐 圍,也就是If X姐!r/v * 口而限制本發明之範 乜就疋並不排除適用於如組織内 路系統、區域網路系統、廣域網路系南、、…組織間網 統等網路系統之可能性。 ’、、錢虛擬私人網路系 用戶端裝置11係為可存取資 子設備,例如桌H 進行資料處理之電 /或行動電話。只要:二,型電腦、個人數位助理及 處之用戶端|置^ 14線功能之設借均可作為此 义置11。惟較佳者,用戶端裝置η復可選擇 ]10896 8 1357752 性地k括資料處理與存取功能。 網站12係用以提供用戶各種網路服務,例如電子商 務網站、入口網站、社***友網站、線上娛樂網站、論壇、 政府網站、學術網站、拍賣網站、電信服務網站及/或金 融服務網站。 認證系統13係用以對連結該網站之該用戶端裝置之 用戶進行身分認證。認證系統13通常包含網頁連線裝 置、應用伺服器與資料庫。網頁連線裝置提供網頁讓用戶 鲁連線,應用伺服器可提供用戶資料設定、管理、認證的功 能,而資料庫可儲存用戶或網站的各種屬性資料。 本發明具體實施時,用戶端裝置11透過網路10連結 網站12,此時網站12主動通知認證系統13對該用戶端 裝置之用戶進行身分認證。此時認證系統13與該用戶端 裝置11連線並請求用戶透過用戶端裝置11輸入認證資 訊,認證系統13比對該認證資訊以確認用戶端裝置11 是否為合法用戶,並將認證結果傳回該網站。 • 請參閱第2圖,其係本發明之網路用戶身分驗證系統 一具體實施例。其中用戶端裝置21復包含資料處理裝置 210與認證資訊裝置211,而認證系統23復包含資料庫單 元230、認證資料管理單元231、認證資訊比對單元232 與連線控制單元233。 認證資訊裝置211係用以產生認證資訊,使資料處理 裝置21 0提供認證資訊予該認證系統23作為確認用戶端 裝置21是否為合法用戶。認證資訊裝置211可為生物特 9 110896 1357752 徵!辨k裝置、認證卡片、電話、行動通訊裝置、通用串列 匯流排權杖(USB Token )、動態密碼設備及/或隨機密碼產 生設備。 資料庫單元230係為資料儲存裝置,用以儲存用戶端 裝置21與網站22之各項認證屬性資料。認證資料管理單 元231係用以提供用戶進行註冊及各項認證屬性資料的 設定,包含資料處理裝置210的資料與認證資訊裝置211 的設定以及網站22的帳號與屬性資料設定。認證資訊比 •對單元232係用以將用戶端裝置21輸入之認證資訊與儲 存於資料庫單元230中對應之認證屬性資料進行比對。連 線控制單元233係透過該網路系統20與用戶端裝置21 及網站22進行連結並傳遞資料。 於本實施例,首先,資料處理裝置210透過網路20 連結特定網站22請求登入,此時網站22主動與認證系統 23之連線控制單元233連結並通知認證系統23對用戶端 裝置21進行身分認證。接著,認證系統23透過連線控制 籲單元233與資料處理裝置210連線並請求資料處理裝置 210輸入認證資訊。資料處理裝置210將認證資訊裝置211 產生的認證資訊輸入認證系統23。認證系統23利用認證 資訊比對單元232比對認證資訊以確認用戶端裝置21是 否為合法用戶,並將認證結杲傳回該網站22使該系統決 定是否允許用戶端裝置21的登入。 請再參閱第3圖,係本發明之網路用戶身分驗證系統 另一具體實施例。本實施例中包括複數個用戶端裝置 ]〇 ]10896 1357752The use of the Internet has become more and more popular. With the rapid development of the Internet, the construction and expansion of the Internet has gradually changed the behavior patterns of human beings. For example, due to the popularity of the Internet, most users use the network to 'explore knowledge, purchase goods, work, discuss issues and make friends::: a variety of websites appear on the Internet' With a variety of different web technologies.仃 Interaction makes human behavior more convenient, faster and more scientific. Generally speaking, when users log on to the website, they must first have the account and password of most websites = the same and the fee code often causes trouble to the user. If the user sets the (4) version of the code, once the data is external (for example, the hacker steals the account number 2: the station steals the personal data) 'Illegal users can easily use the on-code login network' to impersonate the user. The network uses 'friends or comments, so that the real users cause great damage to the other side--the Internet service platform to prevent illegal: households = possible silk (four) to build a bribery mechanism:::rr' to add another certification Levels, the difficulty of relying on the heart, strengthen the security of website login]] 0896 5 1357752 I ' 然 i 'The above-mentioned conventional technology has the following problems: (1) Insufficient convenience. When logging in to a specific website, the user needs to enter the account password of the specific website and pass another authentication level. However, when the user has the account password of most websites, how to find the account and password corresponding to the network: The addition of a certification level to the website is a big problem for users of this particular website, and therefore also causes a benefit in use. ...2) Increased to t. In order to avoid hacking, the operators of the website have to increase the operating cost of the network. (3) Insufficient security. The network security mechanism built by the website operators usually only has a specific authentication method and certification source == It is still possible to find out the method of cracking after the trial, so it will affect the second: In summary, how can we provide a kind of The household identity verification system and method have become the target; the above 1 question Taotao network [invention content] has become a problem to be solved. To solve the above-mentioned lack of the prior art, the present invention provides an identity verification system, which is an application. The network authentication system includes: a client device, (10) a user identity data processing and access function; a website providing the network connection, functions and/or services; and an authentication system for the networked user' The user of the device network service performs identity authentication, wherein when the user terminal is set up, the website notifies the authentication system to link the user to the website, and the authentication system requests the use = < The user is in a position to be ashamed to enter the authentication information, the 110896 6 1357752 * ' έ έ *** 比 比 对该 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 比 。 The sub-authentication method is applied to a network user identity verification system. The network user identity authentication method includes: causing a user equipment to connect with a website through the network system; and causing the website to notify the authentication system of the user of the user equipment. Performing identity authentication; causing the authentication system to request the client device to input authentication information; causing the authentication system to compare the authentication information; and causing the authentication system to transmit the authentication result back to the website. Φ The present invention further provides a network user identity The authentication method is applied to a network user identity verification system with a certified information device, and the network user identity authentication method includes: causing the client device to connect with the website through the network system; and causing the website to notify the authentication system of the client The user of the device performs identity authentication; the authentication system confirms the authentication information device corresponding to the client device, wherein the authentication information is provided by an authentication information device that is connected to the client device; and the authentication system requests the authentication system The client device inputs the authentication information; the authentication system compares the authentication resource Whether the communication has a corresponding relationship with the certification call device; and causing the authentication system to transmit the authentication result back to the website. Compared with the prior art, the network user identity verification system and method of the present invention solves the conventional network. Disadvantages of the road user identity verification system. The network user identity verification system and method of the present invention employs a network security authentication platform, and when the user logs in to a specific website, the authentication platform authenticates the user. Because the authentication platform can Support multiple authentication methods and certification sources, the security is naturally higher than the prior art, and the network service providers do not have] 10896 1357752 » » • ^ ^ Additional construction of additional authentication mechanisms is required, and for households with certified information devices The account number of various Internet service websites can be set to the same authenticator. Therefore, the solution of the conventional technology is not;;, . The problem of insufficient cost and safety. [Embodiment] The following is a description of the embodiments of the present invention by way of specific embodiments. Those skilled in the art can readily devise other advantages and advantages as disclosed in the specification. The invention may also be carried out or manufactured purely by the specific embodiment of 1 # π 鲁. The other is the network user identity verification system library IS: The network user identity verification system of the present invention is used for the system (called τ network) 1 ( ), the package website 12 and the authentication system 13. The user terminal U and the network 10 are used as a medium for data transmission, and if wired ADSL, Fm^, ', are used. The method can be used or the I-line type is defeated, •... The network connection and / /,,,,,,,,,,,,, The network user identity verification vehicle of the present invention, the first adopted architecture is the Internet, but h music, that is, If X sister! The limitation of the present invention does not preclude the possibility of applying to network systems such as an organization internal system, a regional network system, a wide area network, an inter-organizational network system, and the like. The virtual private network system is a client device 11 that is an accessible device, such as a desk H for data processing. As long as: 2, the type of computer, personal digital assistant and the user terminal | set the 14 line function can be used as this. Preferably, the client device η can select 10896 8 1357752 to include data processing and access functions. Website 12 is used to provide users with a variety of Internet services, such as e-commerce websites, portals, social networking sites, online entertainment websites, forums, government websites, academic websites, auction websites, telecommunications service websites, and/or financial services websites. The authentication system 13 is used to authenticate the user of the client device that is connected to the website. The authentication system 13 typically includes a web page connection device, an application server, and a database. The webpage connection device provides a webpage for the user to connect, and the application server can provide functions for setting, managing, and authenticating user data, and the database can store various attribute data of the user or the website. In the specific implementation of the present invention, the client device 11 connects to the website 12 via the network 10. At this time, the website 12 actively notifies the authentication system 13 to perform identity authentication for the user of the user device. At this time, the authentication system 13 is connected to the client device 11 and requests the user to input authentication information through the client device 11, and the authentication system 13 compares the authentication information to confirm whether the client device 11 is a legitimate user, and returns the authentication result. The site. • Referring to Figure 2, a specific embodiment of the network user identity verification system of the present invention. The client device 21 includes the data processing device 210 and the authentication information device 211, and the authentication system 23 further includes a database unit 230, an authentication data management unit 231, an authentication information comparison unit 232, and a connection control unit 233. The authentication information device 211 is for generating authentication information, and causes the data processing device 210 to provide authentication information to the authentication system 23 as to confirm whether the client device 21 is a legitimate user. The authentication information device 211 can be a biometric device, an authentication card, a telephone, a mobile communication device, a universal serial bus (USB Token), a dynamic cryptographic device, and/or a random password generating device. The database unit 230 is a data storage device for storing the authentication attribute data of the client device 21 and the website 22. The authentication data management unit 231 is for providing user registration and setting of various authentication attribute data, including the data processing device 210 setting of the data processing device 210 and the account number and attribute data setting of the website 22. The authentication information comparison unit 232 is configured to compare the authentication information input by the client device 21 with the corresponding authentication attribute data stored in the database unit 230. The connection control unit 233 connects to the client device 21 and the website 22 via the network system 20 and transmits the data. In this embodiment, first, the data processing device 210 connects to the specific website 22 via the network 20 to request login. At this time, the website 22 actively connects with the connection control unit 233 of the authentication system 23 and notifies the authentication system 23 to identify the user device 21. Certification. Next, the authentication system 23 is connected to the data processing device 210 via the connection control call unit 233 and requests the data processing device 210 to input the authentication information. The data processing device 210 inputs the authentication information generated by the authentication information device 211 into the authentication system 23. The authentication system 23 compares the authentication information with the authentication information matching unit 232 to confirm whether the client device 21 is a legitimate user, and transmits the authentication certificate back to the website 22 to cause the system to determine whether to permit the login of the client device 21. Please refer to FIG. 3 again, which is another specific embodiment of the network user identity verification system of the present invention. In this embodiment, a plurality of user equipments are included] 〇 ] 10896 1357752
I ^ t » 31、複數個網站32以及i秀供r M w aI ^ t » 31, a number of websites 32 and i show for r M w a
Qln 及透過乙太網路30分別與複數個用 戶电知310以及複數個網 n同站32連結之認證平台33。盆 中’複數個用戶端裝置31可Λ兀π十4门 八 1了為不同或相同的用戶所有, . 而铍數個網站32亦可眉於扣门斗、 』屬方:相同或不同的業者所有。於不 问的貫施例中,用戶端萝罢w Ώ 』 衣置31及/或網站32可為單數個。 用戶端裝置31包含用玲雨0 7 ^ A 3用戶电知3】〇及動態密碼鎖Qln and the authentication platform 33 connected to the plurality of subscribers 310 and the plurality of subscribers 32 via the Ethernet 30, respectively. In the basin, a plurality of client devices 31 can be owned by different or the same users, and a plurality of websites 32 can also be attached to the door, and the genus: the same or different The owner is all. In the case of the application, the user-side w 』 ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” ” The client device 31 includes the user of the Lingyu 0 7 ^ A 3 and the dynamic password lock
311。動怨密碼鎖311可凑4 , liL 只了產生一次性密碼(〇ne_time 阳卿㈣),使用戶電腦仙可提供此密竭給認證平A % 料身分認證之用。認證平台33包含資料庫咖、資料 S理主機331、身分認證主機332與連線主機咖,用以 提供用戶端電腦31進行連線、註冊、資料設定 證及資料儲存。 河刀。心 、/於認證平台33進行認證之前.,用戶電腦3ι〇之用戶 1須先登入該認證平台33進行註冊與資料設定。用戶電 腦310兀成„主冊後,須言史定欲使用之認證資訊裝置。而本 實施例中用戶電腦31〇利用資料管理主機犯卜選擇以動 恶抢碼鎖310所提供之一次性密碼來進行認證。接著,用 戶電腦310設定對應該認證方式之網站⑽的帳號及/或該 網站32的屬性。此時資料管理主機331將用戶電腦 輸入之資料儲存於資料庫330並將該網站32的屬性資料 (如交易系統描述、可接受設備安全等級與連線方式貝等) 建播’俾用戶電腦310可隨時進行修改與調整。 認證平台33設定完成後,即可開始運作。於用戶電 腦310請求登入時,網站32會通知認證平台33對該用戶 110896 1] 1357752 . · 電腦310進行身分認證。此時,認證平台33根據先前設 定的資料’透過連線主機333與用戶電腦3〗〇連線並請求 •該用戶電腦輸入動態密碼鎖3U所產生之密碼。輪入 完成後,認證平台33利用身分認證主機332比對該密碼 以確δ忍用戶步而裳置31是否為合法用戶,並將認證結果傳 回該拍賣網站32使該網站決定是否允許用戶電腦310的 具體實施時,當用戶透過用戶電腦310請求登入時網 站32時,網站32可通知認證平台33,而認證平台33可 透過如彈出式視窗方式請求該用戶電腦3ι〇輸入動能穷 碼鎖311所產生之密瑪,俾進行身分認證。 … 參閱第4圖,係本發明之網路用戶身分認證方法的流 程圖。如圖所示’此網路用戶身分認證方法係應用於上述 之網路用戶身分驗證系統丨中, 上玟 丁凡J甲,其包括以下的步驟。 於步驟S40中,用卢唑壯班、去 姓^ ^ 用戶碥裝置透蟑網路系統與網站連 求登入網站。其中’用戶端聚置可為桌上型電腦、 為網際網路、組織内網路“克丨:動…網路系統可 也^诗 路糸統、組織間網路系統、區域網311. The blame password lock 311 can be used to make 4, liL only generates a one-time password (〇ne_time Yang Qing (4)), so that the user computer can provide this exhaustion to the certification level A% identity authentication. The authentication platform 33 includes a database coffee, a data management host 331, an identity authentication host 332, and a connection host coffee for providing the client computer 31 for connection, registration, data setting, and data storage. River knife. Before the authentication platform 33 performs authentication, the user 1 user 1 must first log in to the authentication platform 33 to register and set the data. After the user computer 310 becomes the main book, it is necessary to use the authentication information device that the user wants to use. In the embodiment, the user computer 31 uses the data management host to select the one-time password provided by the spoof code lock 310. Then, the user computer 310 sets the account number of the website (10) corresponding to the authentication method and/or the attribute of the website 32. At this time, the data management host 331 stores the data input by the user computer in the database 330 and the website 32. The attribute data (such as the description of the trading system, the acceptable device security level and the connection mode, etc.). The user's computer 310 can be modified and adjusted at any time. After the authentication platform 33 is set, it can be started. When the website 310 requests to log in, the website 32 notifies the authentication platform 33 to authenticate the user 110896 1] 1357752. The computer 310 performs identity authentication. At this time, the authentication platform 33 passes the connection host 333 and the user computer 3 according to the previously set data. Connect and request • The user computer enters the password generated by the dynamic password lock 3U. After the rounding is completed, the authentication platform 33 utilizes the identity authentication host 332. Whether the password is valid or not, and the authentication result is transmitted back to the auction website 32 to cause the website to decide whether to allow the specific implementation of the user computer 310, when the user requests login through the user computer 310. At the time of the website 32, the website 32 can notify the authentication platform 33, and the authentication platform 33 can request the user computer 3ι to input the MM generated by the kinetic energy code lock 311, such as pop-up window, to perform identity authentication. 4 is a flow chart of the method for authenticating a network user identity according to the present invention. As shown in the figure, 'this network user identity authentication method is applied to the above-mentioned network user identity verification system, and the above-mentioned Ding Fan J A, The method includes the following steps: In step S40, the website is connected to the website through the network system and the website by using the rumor and the surname ^ ^ user device. The user terminal can be a desktop computer, Internet, intra-organizational network "Keit: dynamic... network system can also be poetry system, inter-organizational network system, regional network
次虛挺私人網路系統。網站可 為电子商務網站、入口網 J .社群父友網站、線上娛雔網 站、响壇、政府網站、學術網站 、市罔 站及/或金融服務纟_。 貝,、電信服務網 接著進至步驟S41。 於步驟S41中,網站通知切说 i设糸統對用戶端裝置之用 110896 12 1357752 « ·The second is a private network system. The website can be an e-commerce website, an entrance network J. Community parent website, online entertainment website, ringing, government website, academic website, city station and/or financial service. Bei, the telecommunication service network then proceeds to step S41. In step S41, the website informs that the system is used for the user equipment. 110896 12 1357752 «
1 *- · I 戶進行身分認證。此時網站僅確認用戶端裝置輸入的帳號 密碼是否正確,而進一步的身分認證則係透過認證系統來 - 執行。接著進至步驟S42。 . 於步驟S42中,認證系統收到網站的通知後,主動與 用戶端裝置連線並請求用戶端裝置輸入認證資訊。其中, 認證資訊可為特定密碼或其他辨識資訊。接著進至步驟 S43。 於步驟S43中,認證系統比對用戶端裝置輸入之認證 _資訊是否正確’並產生一認證結果。接著進至步驟S44。 於步驟S44中,認證系統將認證結果傳回網站,使網 站能依據認證結果來決定是否允許用戶端裝置的登入。接 著進至步驟S45。 參閱第5圖,係本發明之網路用戶身分認證方法一具 體實施例。相較於第4圖,本實施例包含步驟S50-S55 ’ 其中步驟 S50、S51、S53、S55 與步驟 S40、S41、S42、 S44相同,不再贅述,以下僅針對不同的步驟予以說明。 籲 於本實施例中,用戶端裝置更包含一組認證資訊裝置 (如第2圖所示),用以提供認證資訊予認證系統。因此於 步驟S52中,當網站通知認證系統對該用戶端裝置之用戶 進行身分認證時,需使認證系統確認對應用戶端裝置之用 戶的認證資訊裝置,以便於後續的比對與認證。認證資訊 裝置可為生物特徵辨識裝置、認證卡>1、電話、行動通訊 裝置、通用串列匯流排權杖(USB Token)、動態密碼設備 及/或隨機密碼產生設備。認證系統確認對應用戶端裝置 110896 13 1357752 之認證資訊裝置之方式可例如為同步對時。 於步驟S54,當用戶端裝置輸入由認證資訊裝置產生 *之認證資訊後,令認證系統比對認證資訊與認證資訊裝置 .是否有對應關係。若認證資訊與步驟S52所確認之認證資 訊裝置有對應關係’顯示用戶端裝置持有正確的認證資訊 裝置,較單純透過帳號密碼更能進一步地確認其為合法用 戶。若認證資訊與步驟S52所確認之認證資訊裝置無對應 關係’則用戶端裝置有相當可能為駭客或非法用戶,因此 籲於S55中通知網站拒絕此用戶端裝置的登入。 參閱第6圖,係本發明之網路用戶身分認證方法中設 定網路用戶身分驗證系統的流程圖。於本發明之網路用戶 身分認證方法實行以前,必須使用戶端裝置進行各項資料 的設定,其步驟說明如下。 於步驟S60,令該用戶端裝置登入該認證系統。由於 本發明之網路用戶身分認證方法係透過認證系統來進行 各種認證程序,因此相關之認證資料必須由用戶端裝置預 鲁先設定於認證系統中。惟於本發明之其他實施例中,相關 之認證資料亦可選擇性地或併行地透過用戶端裝置與認 證系統以外的其他具有網路通訊及/或資料處理功能之裝 置進行認證系統中註冊及認證資料之設定。接著進至步驟 S61。 於步驟S61,認證系統中必須先建立特定網站之資料 以及登入網站之認證方式,因此令用戶端裝置設定認證資 訊裝置的種類、該網站之帳號及/或網站的屬性。接著進 110896 14 1357752 至步驟S62。 於步驟S62,令認證系統向網站確認用戶端裝置之用 . 戶的身分。若網站中確實有此用戶端裝置的帳號與資料, 即可完成設定步驟。 請參閱第7圖,係本發明之網路用戶身分認證方法中 設定網路用戶身分驗證系統的一具體實施例。 步驟S70中,令用戶端裝置登入認證平台並提供用戶 各項資料以進行註冊程序。接著進至步驟S71。 φ 步驟S71中,認證平台將用戶之註冊資料儲存於資料 庫中並建立一組用戶的認證專用區域。接著進至步驟 S72 ° 步驟S72中,用戶進入認證專用區域,並設定欲使用 之認證設備種類及認證方式。接著進至步驟S73。 步驟S73中,用戶設定對應該認證方式之特定網站的 帳號及/或該網站的屬性。該網站的屬性可為網站的描 述、該認證資訊裝置的安全等級、連線方式及/或認證運 •算資料。認證系統可將上述建立於用戶的認證專用區域, 俾有利用戶隨時進行修改。接著進至步驟S74。 步驟S74中,向特定網站確認用戶是否為合法用戶。 若用戶為合法用戶,則完成設定。若用戶為非合法用戶, 則返回步驟S73請求用戶重新設定。 參閱第8圖,係本發明之網路用戶身分認證方法另一 具體實施例。如圖所示,該網路用戶身分認證方法包含以 下步驟。 15 110896 1357752 步驟S80中,令用戶連結特定網站並輸入帳號密碼, 由特定網站對用戶身分作第一次確認。接著進至步驟 、S8卜 步驟S81中,特定網站主動與認證平台連線並請求認 證平台對用戶進行第二次身分認證。接著進至步驟S82。 步驟S82中,由認證平台於資料庫中搜尋用戶所輸入 之該組帳號所對應之特定認證設備,而特定認證設備的資 料係經由上述第6圖的方法所提供。接著進至步驟S83。 φ 步驟S83中,認證平台取得該特定認證設備的資料 後,主動與該用戶進行連線並請求用戶輸入認證資訊。接 著進至步驟S84。 步驟S84中,認證平台比對用戶輸入的認證資訊是否 由該特定認證設備所提供。若認證資訊確由特定認證設備 所提供,則進至步驟S85。若認證資訊非由特定認證設備 所提供,則進至步驟S86。 步驟S85中,通知特定網站允許用戶登入。 ® 步驟S86中,通知特定網站拒絕用戶登入。 因此,透故上述實施例的說明可知本發明之網路用戶 身分認證方法能適用於不同的網站,並提供多種認證來 源、認證領域及認證方法,確保使用者連結網站時的安全 性、方便性並降低網路服務業者建構安全認證機制的成 本。 透過前述本發明之網路用戶身分驗證系統與方法,可 實現以下功效。 】6 110896 1357752 > » , η · f (1) 解決帳號密碼外洩所產生的資訊安全風險。 (2) 減少使用者進行身分認證時的不便利。 - (3)降低網路服務業者建構安全認證機制的成本。 综上所述,本發明之網路用戶身分驗證系統與方法, 提供-種能適用於不同網站系統、不同認證方式血不同切 證來源之通用型網路安全認證平台,能減少—般網路服於 戶須使用多種不同認證機制的不便利性,解決網㈣ 號在、碼夕卜茂之資訊安全風險以及降低網站個別 遇證機制的成本。 王 上述實施例僅為例示性說明本發明之原理及 用於限制本發明。任何熟習此項技術之人均;在 本發明之精神及㈣下,對上述實施例進行修飾與 【圖式簡單說明】 月之網路用戶身分驗證系統之架構圖; 弟2圖為本务明之網路用 施例; 尸身刀驗。且糸統一具體實 第3圖為本發明之網路用 實施例; 尸身刀驗〇丘糸統另一具體 弟4圖為本發明之堆& & 第5 纟分賴^·程圖; 弟5圖為本發明之網路用 π说 施例; 尸身刀自心迅方法—具體實 弟6圖為本發明之網路 敗田θ A 戶身分認證方法中·定_ 路用戶身分驗證系統的流程圖; 疋、,周 η 0896 17 1357752 ι * ' 1 第7圖為本發明之網路用戶身分認證方法中設定網 路用戶身分驗證系統的一具體實施例;以及 __ 第8圖為本發明之網路用戶身分認證方法另一具體 實施例。 【主要元件符號說明】 I 網路用戶身分驗證系統 10 網路 II 用戶端裝置 φ 12 網站 13 認證系統 20 網路系統 21 用戶端裝置 210 資料處理裝置 211 認證資訊裝置 22 網站 23 認證糸統 • 230 資料庫單元 231 認證資料管理單元 232 認證資訊比對單元 233 連線控制單元 30 乙太網路 31 用戶端裝置 310 用戶電腦 311 動態密碼鎖 18 110896 13577521 *- · I have an identity certification. At this point, the website only confirms that the account password entered by the client device is correct, and further identity authentication is performed through the authentication system. Then it proceeds to step S42. In step S42, after receiving the notification from the website, the authentication system actively connects with the client device and requests the user device to input the authentication information. The authentication information may be a specific password or other identification information. Then it proceeds to step S43. In step S43, the authentication system compares the authentication_information input by the client device to the correctness and generates an authentication result. Then it proceeds to step S44. In step S44, the authentication system transmits the authentication result back to the website, so that the website can decide whether to allow the login of the client device according to the authentication result. Then, the process proceeds to step S45. Referring to Figure 5, there is shown a specific embodiment of the method for authenticating a network user identity of the present invention. Compared with FIG. 4, the embodiment includes steps S50-S55'. Steps S50, S51, S53, and S55 are the same as steps S40, S41, S42, and S44, and are not described again. Hereinafter, only different steps will be described. In this embodiment, the client device further includes a set of authentication information devices (as shown in FIG. 2) for providing authentication information to the authentication system. Therefore, in step S52, when the website notifies the authentication system to perform identity authentication on the user of the client device, the authentication system needs to confirm the authentication information device of the user corresponding to the user device to facilitate subsequent comparison and authentication. The authentication information device may be a biometric device, an authentication card>, a telephone, a mobile communication device, a universal serial tow card (USB Token), a dynamic cryptographic device, and/or a random password generating device. The manner in which the authentication system confirms the authentication information device corresponding to the client device 110896 13 1357752 may be, for example, a synchronization time. In step S54, after the client device inputs the authentication information generated by the authentication information device, the authentication system compares the authentication information with the authentication information device. If the authentication information has a corresponding relationship with the authentication information device confirmed in step S52, it is displayed that the client device holds the correct authentication information device, and it is further confirmed that it is a legitimate user by simply using the account password. If the authentication information has no correspondence with the authentication information device confirmed in step S52, the client device is likely to be a hacker or an illegal user, and therefore the website is notified in S55 to reject the login of the client device. Referring to Fig. 6, a flow chart of setting a network user identity verification system in the network user identity authentication method of the present invention. Before the implementation of the network user identity authentication method of the present invention, the user equipment must be configured to perform various data, and the steps are as follows. In step S60, the client device is caused to log in to the authentication system. Since the network user identity authentication method of the present invention performs various authentication procedures through the authentication system, the related authentication data must be pre-arranged by the client device in the authentication system. In other embodiments of the present invention, the related authentication data may be selectively or in parallel registered in the authentication system through the user equipment and other devices having network communication and/or data processing functions other than the authentication system. The setting of the certification data. Then it proceeds to step S61. In step S61, the authentication system must first establish the information of the specific website and the authentication method of the login website, so that the client device sets the type of the authentication information device, the account number of the website, and/or the attributes of the website. Then proceeds to 110896 14 1357752 to step S62. In step S62, the authentication system is caused to confirm to the website the identity of the user equipment. If the website does have the account and data of the client device, the setup steps can be completed. Referring to FIG. 7, a specific embodiment of a network user identity verification system in the network user identity authentication method of the present invention is shown. In step S70, the client device is caused to log in to the authentication platform and provide various data of the user to perform the registration process. Then it proceeds to step S71. φ In step S71, the authentication platform stores the user's registration data in the database and establishes a group of user authentication areas. Next, proceeding to step S72 ° to step S72, the user enters the authentication-dedicated area, and sets the type of authentication device to be used and the authentication method. Then it proceeds to step S73. In step S73, the user sets the account number of the specific website corresponding to the authentication method and/or the attribute of the website. The properties of the website may be the description of the website, the security level of the authentication information device, the connection method and/or the authentication data. The authentication system can establish the above-mentioned authentication-dedicated area of the user, and the user can modify it at any time. Then it proceeds to step S74. In step S74, it is confirmed to the specific website whether the user is a legitimate user. If the user is a legitimate user, the settings are completed. If the user is a non-legitimate user, the process returns to step S73 to request the user to reset. Referring to Fig. 8, there is shown another embodiment of the network user identity authentication method of the present invention. As shown in the figure, the network user identity authentication method includes the following steps. 15 110896 1357752 In step S80, the user is connected to a specific website and enters an account password, and the user identity is first confirmed by the specific website. Then, the process proceeds to step S8. In step S81, the specific website actively connects with the authentication platform and requests the authentication platform to perform the second identity authentication for the user. Then it proceeds to step S82. In step S82, the authentication platform searches the database for the specific authentication device corresponding to the group of accounts input by the user, and the information of the specific authentication device is provided by the method of FIG. 6 above. Then it proceeds to step S83. φ In step S83, after obtaining the data of the specific authentication device, the authentication platform actively connects with the user and requests the user to input the authentication information. Then, the process proceeds to step S84. In step S84, the authentication platform compares whether the authentication information input by the user is provided by the specific authentication device. If the authentication information is indeed provided by the specific authentication device, it proceeds to step S85. If the authentication information is not provided by the specific authentication device, it proceeds to step S86. In step S85, the specific website is notified to allow the user to log in. ® In step S86, the specific website is notified to deny the user login. Therefore, the description of the above embodiments can be used to understand that the network user identity authentication method of the present invention can be applied to different websites, and provides various authentication sources, authentication fields, and authentication methods to ensure the security and convenience of users when connecting websites. And reduce the cost of network service providers to build a secure authentication mechanism. Through the foregoing network user identity verification system and method of the present invention, the following effects can be achieved. 】 6 110896 1357752 > » , η · f (1) to solve the information security risks caused by account password leakage. (2) Reduce the inconvenience of users when performing identity authentication. - (3) Reduce the cost of building a secure authentication mechanism for network service providers. In summary, the network user identity verification system and method of the present invention provide a universal network security authentication platform that can be applied to different website systems and different authentication methods, and can reduce the general network. It is necessary for the household to use the inconvenience of a variety of different authentication mechanisms to solve the information security risks of the network (4), the code and the reduction of the cost of the website. The above embodiments are merely illustrative of the principles of the invention and are used to limit the invention. Any person familiar with the technology; under the spirit of the present invention and (4), the above embodiment is modified and [simplified description of the schema] monthly network user identity verification system architecture diagram; brother 2 diagram is the network of the law Road use case; corpse knife test.糸 糸 具体 具体 第 第 第 第 第 第 第 糸 糸 糸 糸 糸 糸 糸 糸 糸 糸 糸 糸 ; ; 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一 另一弟5图 is the π-speaking example of the network of the present invention; the corpse knife self-centering method-specific concrete brother 6 diagram is the network of the invention θ A household identity authentication method zhong ding _ road user identity verification system Flowchart; 疋,, 周η 0896 17 1357752 ι * ' 1 Figure 7 is a specific embodiment of setting a network user identity verification system in the network user identity authentication method of the present invention; and __ Figure 8 Another specific embodiment of the inventive network user identity authentication method. [Description of main component symbols] I Network user identity verification system 10 Network II Client device φ 12 Website 13 Authentication system 20 Network system 21 Client device 210 Data processing device 211 Authentication information device 22 Website 23 Authentication system • 230 Database unit 231 Authentication data management unit 232 Authentication information comparison unit 233 Connection control unit 30 Ethernet 31 Client device 310 User computer 311 Dynamic password lock 18 110896 1357752
32 網站 33 認證平台 330 資料庫 331 資料管理主機 332 身分認證主機 333 連線主機 S40〜S44 步驟 S50-S55 步驟 S60-S62 步驟 S70〜S74 步驟 S80-S86 步驟32 Website 33 Authentication Platform 330 Database 331 Data Management Host 332 Identity Authentication Host 333 Connection Host S40~S44 Step S50-S55 Step S60-S62 Step S70~S74 Step S80-S86 Step