TWI488479B - Secure distributed dynamic url - Google Patents

Secure distributed dynamic url Download PDF

Info

Publication number
TWI488479B
TWI488479B TW101140767A TW101140767A TWI488479B TW I488479 B TWI488479 B TW I488479B TW 101140767 A TW101140767 A TW 101140767A TW 101140767 A TW101140767 A TW 101140767A TW I488479 B TWI488479 B TW I488479B
Authority
TW
Taiwan
Prior art keywords
server
authentication
terminal
identity
provider server
Prior art date
Application number
TW101140767A
Other languages
Chinese (zh)
Other versions
TW201419821A (en
Inventor
Maw Tsong Lin
Per Skygebjerg
Original Assignee
Keypasco Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Keypasco Ab filed Critical Keypasco Ab
Priority to TW101140767A priority Critical patent/TWI488479B/en
Publication of TW201419821A publication Critical patent/TW201419821A/en
Application granted granted Critical
Publication of TWI488479B publication Critical patent/TWI488479B/en

Links

Landscapes

  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Description

具安全性保護的自動轉址及網路身份驗證方法Security-protected automatic forwarding and network authentication method

本發明是有關於一種網路驗證方法,特別是指一種經由第三方下載中心提供給內容提供者(Internet Content Provider;以下簡稱ICP)及身份驗證提供者(Identity Provider;以下簡稱IDP)使用的安全、有彈性及讓使用者方便的身份認證方式,亦讓ICP可自由選擇所信賴的IDP來確認使用者身份之具安全性保護的自動轉址及網路身份驗證方法。The present invention relates to a network authentication method, and in particular to a security provided by a third party download center to an Internet Content Provider (hereinafter referred to as ICP) and an Identity Provider (IDP). The flexible and user-friendly authentication method allows ICP to freely choose the trusted IDP to confirm the user's identity with secure protection and automatic network authentication.

蓬勃的各種網路服務,尤其是雲踹服務將帶來各種今天仍沒見到的新網路加值服務,但安全的身份驗證而且能被普遍使用是使這些未來的便利的服務能成為事實的先決條件。The thriving variety of Internet services, especially cloud services, will bring a variety of new Internet value-added services that are still not seen today, but secure authentication and universal use make these future convenient services a reality. Prerequisites.

然而,現有的各種硬件身份驗證產品,如:裝有PKI證書的USB裝置、IC電子卡,或動態密碼電子令牌(token)等身份驗證硬體產品,但是整體的成本太高。另外,現有的網路身份驗證,仍然是各網路服務商各自有自己的用戶名和密碼庫及相對的身份驗證產品,對於各網路業者而言,造成了重複投資的問題;而對於使用者而言,使用者得同時記住各種不同用戶名密碼及需要購買各種不同身份驗證硬體產品,降低使用意願。However, existing hardware authentication products, such as USB devices with PKI certificates, IC electronic cards, or dynamic password electronic tokens, are used to authenticate hardware products, but the overall cost is too high. In addition, the existing network authentication is still that each network service provider has its own username and password database and relative authentication products, which causes repeated investment problems for various network operators; In other words, the user has to remember various username and passwords at the same time and need to purchase a variety of different authentication hardware products to reduce the willingness to use.

目前的網路身份驗證因市場已經往專業的獨立第三方 驗證的IDP系統發展,這樣可避免各ICP系統管理使用者身份驗證資料的成本支出,使用者也免去記憶不同ID及密碼的麻煩及購買各種不同身份驗證硬體產品。The current network authentication is due to the market has gone to a professional independent third party The development of the verified IDP system avoids the cost of managing the user authentication data by each ICP system, and the user is relieved of the trouble of remembering different IDs and passwords and purchasing various authentication hardware products.

因此,本發明是在提供一種具有前述優點的具安全性保護的自動轉址及網路身份驗證方法。Accordingly, the present invention is directed to an automatic addressing and network authentication method with security protection having the aforementioned advantages.

本發明具安全性保護的自動轉址及網路身份驗證方法,應用於一內容提供者伺服器、多數身份驗證提供者伺服器、一使用終端及一下載中心,各該身份驗證提供者伺服器具有個別的網頁位址,該方法包括下述步驟:(a)該下載中心提供各該身份驗證提供者伺服器一內含以私鑰簽過名的網頁位址的資料,並提供該使用終端用以識別該內含以私鑰簽過名的網頁位址的資料的公鑰;(b)該內容提供者伺服器向其中一身份驗證提供者伺服器請求驗證該使用終端的身份時,該身份驗證提供者伺服器供該使用終端下傳該內含以私鑰簽過名的網頁位址的資料;及(c)該使用終端以該公鑰識別該私鑰簽過名的網頁位址的資料是否真正來自該下載中心,若結果是真實,該掃描程式便掃描該使用終端且產生一硬體掃描資料,且自動上傳該硬體掃描資料予該身份驗證提供者伺服器以供其查驗該使用者的身份。The invention provides a security protection automatic forwarding and network identity verification method, which is applied to a content provider server, a majority identity authentication provider server, a use terminal and a download center, and each of the identity verification provider servers Having an individual webpage address, the method includes the following steps: (a) the downloading center provides each of the authentication provider servers with a webpage address with a private key sign and provides the using terminal a public key for identifying the material of the webpage address that is tagged with the private key; (b) when the content provider server requests verification of the identity of the user terminal by one of the authentication server servers, The authentication provider server is configured to transmit, by the terminal, the data of the webpage address including the private key sign; and (c) the user terminal identifies the webpage address of the private key sign by the public key Whether the data actually comes from the download center, if the result is true, the scanning program scans the user terminal and generates a hardware scan data, and automatically uploads the hardware scan data to the authentication provider servo. For the identity of the user to the examination.

本發明具安全性保護的自動轉址及網路身份驗證方法,應用於一ICP伺服器、多數IDP伺服器、一使用終端及一下載中心,各該身份驗證提供者伺服器具有個別的網頁位址,該方法包括下述步驟:(a)各該IDP伺服器取得該下載中心事先用一非對稱私鑰簽過名的各該IDP伺服器之網頁位址, 且該使用終端已從該下載中心下載對應各該非對稱私鑰的非對稱公鑰及一掃描程式;(b)該使用終端瀏覽該ICP伺服器之網站,該ICP伺服器之網站提供一腳本予使用終端,該腳本內含該等ICP伺服器的業者委託進行身份認證之該IDP伺服器之網頁位址;(c)該腳本受該使用終端觸發後,該使用終端之掃描程式和該IDP伺服器相連並要求IDP伺服器下傳前述經該下載中心的私鑰簽過名的該IDP伺服器之網頁位址,並用該使用終端內存該下載中心之公鑰來辨別其是否真正來自該下載中心,若結果是真實,該掃描程式便掃描該使用終端且產生一硬體掃描資料並上傳予該IDP伺服器儲存以供後續使用者的身份比對。The invention provides a security-protected automatic forwarding and network identity verification method, which is applied to an ICP server, a majority IDP server, a use terminal and a download center, and each of the identity verification provider servers has individual webpage bits. The method includes the following steps: (a) each IDP server obtains a webpage address of each IDP server that the download center has previously signed with an asymmetric private key. And the user terminal has downloaded an asymmetric public key corresponding to each asymmetric private key and a scanning program from the download center; (b) the user terminal browses the website of the ICP server, and the website of the ICP server provides a script to the website. Using a terminal, the script includes a webpage address of the IDP server that is trusted by the operator of the ICP server; (c) the script is triggered by the terminal, the scanning program of the terminal and the IDP servo The device is connected and requires the IDP server to transmit the web address of the IDP server signed by the download center's private key, and use the public key of the download center in the terminal to distinguish whether it is actually from the download center. If the result is true, the scanning program scans the user terminal and generates a hardware scan data and uploads it to the IDP server for storage for subsequent user identity comparison.

較佳的,該使用終端可隨時直接和該下載中心相連,並請求該下載中心辨識取得的簽過名的IDP伺服器的網頁位址是否真實,或下載其他新的公鑰以防止駭客攻擊或非簽約的IDP伺服器非法使用其技術及服務。Preferably, the user terminal can directly connect to the download center at any time, and request the download center to identify whether the obtained web address of the signed IDP server is authentic, or download another new public key to prevent hacking attacks. Or non-contracted IDP servers illegally use their technology and services.

較佳的,該掃描程式是掃描包括該使用終端的一中央處理單元、一基本輸入輸出系統單元、一儲存裝置、一網路介面、一主機板之識別碼及一有線或無線近距離連接的外接裝置的其中至少二硬體元件之識別碼組合。Preferably, the scanning program scans a central processing unit including the user terminal, a basic input/output system unit, a storage device, a network interface, an identification code of a motherboard, and a wired or wireless close-range connection. An identification code of at least two hardware components of the external device.

較佳的,該掃描程式還可取得對於所掃描的該等硬體元件的地理位置進行定位,並於該身份驗證提供伺服器查驗身份時,判斷當時掃描的該等硬體元件是否處於相同的理位置以決定使用者身份。Preferably, the scanning program can also obtain the location of the scanned hardware components, and determine whether the hardware components scanned at the time are the same when the identity verification server provides the identity verification. Position to determine the identity of the user.

較佳的,該內容提供者伺服器可提供數個不同的身份驗 證提供者讓使用者選擇,且提供予該使用終端的腳本內含該使用者所選擇的身份驗證提供者伺服器之網頁位址以進行身份登錄及驗證Preferably, the content provider server can provide several different authentications. The certificate provider allows the user to select, and the script provided to the user terminal contains the web address of the authentication provider server selected by the user for identity login and verification.

本發明具安全性保護的自動轉址及網路身份驗證方法之功效在於:ICP伺服器、IDP伺服器及使用終端可利用同一下載中心及同一掃描程式來做身份認證,免去重覆投資,且ICP伺服器及使用者都可自由選擇IDP伺服器,避免遠端的網路駭客盜用身份資料,以及配合多重身份驗證方式加強確認使用者本人的真實身份,因此,可加強驗證使用者身份安全的保障,並且無需額外的身份識別硬體成本及維護,可增加業者及使用者的意願。The effect of the automatic address and network identity verification method with security protection of the present invention is that the ICP server, the IDP server and the use terminal can use the same download center and the same scanning program to perform identity authentication, thereby avoiding repeated investment. And the ICP server and the user are free to choose the IDP server, to avoid the remote network hackers stealing identity data, and to strengthen the identity of the user by means of multiple authentication methods, thereby enhancing the identity of the user. Security and the need for additional identification hardware costs and maintenance can increase the willingness of the industry and users.

有關本發明之前述及其他技術內容、特點與功效,在以下配合參考圖式之數個較佳實施例的詳細說明中,將可清楚的呈現。在本發明被詳細描述之前,要注意的是,在以下的說明內容中,類似的元件是以相同的編號來表示。The above and other technical features, features, and advantages of the present invention will be apparent from the following detailed description of the preferred embodiments. Before the present invention is described in detail, it is noted that in the following description, similar elements are denoted by the same reference numerals.

參閱圖1,本發明具安全性保護的自動轉址及網路身份驗證方法之較佳實施例,是應用於一下載中心1、一使用終端2、一ICP伺服器群集3及一IDP伺服器群集4,各裝置分別介紹如下。Referring to FIG. 1, a preferred embodiment of the security-protected automatic forwarding and network authentication method of the present invention is applied to a download center 1, a use terminal 2, an ICP server cluster 3, and an IDP server. Cluster 4, each device is described below.

ICP伺服器群集3包括多數個分別屬於不同網站服務業者的ICP伺服器31-3n,例如:網路銀行、拍賣網站、線上遊戲業者等。IDP伺服器群集4包括多數個分別屬於不同ID管理業者的IDP伺服器41-4n,也就是提供第三方網路身份 驗證服務的如Google、Yahoo、Facebook等系統。The ICP server cluster 3 includes a plurality of ICP servers 31-3n belonging to different website service providers, such as online banking, auction websites, online game players, and the like. The IDP server cluster 4 includes a plurality of IDP servers 41-4n belonging to different ID management companies, that is, providing third party network identity. Verification services such as Google, Yahoo, Facebook and other systems.

ICP伺服器31-3n、IDP伺服器41-4n、下載中心1及使用終端2以通訊網路彼此連接及傳遞資料。The ICP server 31-3n, the IDP server 41-4n, the download center 1 and the use terminal 2 are connected to each other and transfer data by means of a communication network.

使用終端2安裝有一瀏覽器軟體21及一掃描程式22,瀏覽器軟體21是供使用者瀏覽ICP伺服器31-3n的網站,掃描程式22是用於掃描使用終端2之多個硬體元件成識別碼記錄成一硬體掃描清單,掃描程式22是由下載中心1下載。The browser 2 is provided with a browser software 21 and a scanning program 22, the browser software 21 is a website for the user to browse the ICP server 31-3n, and the scanning program 22 is for scanning a plurality of hardware components of the terminal 2. The identification code is recorded as a hard scan list, and the scan program 22 is downloaded by the download center 1.

較佳的,掃描程式22是掃描包括使用終端2的一中央處理單元、一基本輸入輸出系統單元、一儲存裝置、一網路介面、一主機板之識別碼及一有線或無線近距離連接的外接裝置的其中至少二硬體元件之識別碼組合;此外,掃描程式21還可取得對於所掃描的該等硬體元件的地理位置進行定位,並於該IDP伺服器41-4n查驗身份時,判斷當時掃描的該等硬體元件是否處於相同的地理位置以決定使用者身份。Preferably, the scanning program 22 scans a central processing unit including the terminal 2, a basic input/output system unit, a storage device, a network interface, an identification code of a motherboard, and a wired or wireless close-range connection. The identification code combination of at least two hardware components of the external device; in addition, the scanning program 21 can also obtain a location for scanning the geographical location of the hardware components, and when the IDP server 41-4n checks the identity, It is determined whether the hardware components scanned at that time are in the same geographical position to determine the identity of the user.

本發明具安全性保護的自動轉址及網路身份驗證方法的原理包括下述步驟:使用終端2經一第一管道瀏覽該ICP伺服器41之網站,ICP伺服器31之網站由此第一管道提供一腳本(如:JAVA Script)內含ICP委託幫其做身份認證之IDP伺服器41之網頁位址(URL)予使用終端2,該腳本受該使用終端2觸發後,使用終端2的掃描程式22便經由一不同於該第一管道的第二管道鏈結至該對應的IDP,要求該IDP下傳上述經下載中心1私鑰簽過名的該IDP伺服器 41之網頁位址,並用其內存下載中心1之公鑰來辨別其是否真正來自下載中心1,若結果是真實,掃描程式22便掃描使用終端2,產生一硬體掃描資料,並經由上述第二管道上傳予該IDP伺服器41儲存以供後續使用者的身份比對。The principle of the automatic transfer and network authentication method with security protection of the present invention includes the following steps: the terminal 2 browses the website of the ICP server 41 via a first pipeline, and the website of the ICP server 31 is thus the first The pipeline provides a script (such as JAVA Script) containing the web address (URL) of the IDP server 41 for which the ICP is authorized to authenticate, to the user terminal 2, and the script is triggered by the user terminal 2, and the terminal 2 is used. The scanning program 22 links to the corresponding IDP via a second pipe different from the first pipe, and requests the IDP to transmit the IDP server that has been named by the download center 1 private key sign. 41 web address, and use its memory download center 1 public key to distinguish whether it is really from the download center 1, if the result is true, the scanner 22 scans the use terminal 2, generates a hardware scan data, and through the above The two pipes are uploaded to the IDP server 41 for storage for subsequent user identity comparison.

本發明具安全性保護的自動轉址及網路身份驗證方法之較佳實施例包括如圖2的網頁位址簽名及公鑰分送程序、如圖3的身份登錄程序及如圖4的身份驗證程序,以下配合圖1的裝置將本發明方法的各程序介紹如下。A preferred embodiment of the security-protected automatic forwarding and network authentication method of the present invention includes the webpage address signature and public key distribution procedure of FIG. 2, the identity login procedure of FIG. 3, and the identity of FIG. Verification procedure, the procedures of the method of the invention are described below in conjunction with the apparatus of Figure 1.

參閱圖2,下載中心1是對應不同的IDP伺服器41、42提供經其非對稱私鑰簽過名的各IDP伺服器41、42之網頁位址,在本實施例中,下載中心1首先產生一非對稱密鑰對,例如:符合非對稱公鑰技術的一公鑰及一私鑰,並對每一簽過約的IDP伺服器41、42提供經下載中心1私鑰簽過名的IDP伺服器41、42之網頁位址予IDP伺服器41(步驟S201)及IDP伺服器42(步驟S202)以及在使用終端2由下載中心1下載掃描程式22時提供該公鑰予該使用終端2(步驟S203及步驟S204)。Referring to FIG. 2, the download center 1 is a webpage address of each IDP server 41, 42 that is named by its different asymmetric ID key corresponding to different IDP servers 41, 42. In this embodiment, the download center 1 first Generating an asymmetric key pair, for example, a public key and a private key conforming to the asymmetric public key technology, and providing each signed IDP server 41, 42 with a name of the download center 1 private key The web page addresses of the IDP servers 41 and 42 are supplied to the IDP server 41 (step S201) and the IDP server 42 (step S202), and when the use terminal 2 downloads the scan program 22 from the download center 1, the public key is supplied to the use terminal. 2 (step S203 and step S204).

參閱圖3,本發明方法的登錄程序中,使用終端2使用瀏覽器軟體21瀏覽ICP伺服器31之網站,且使用終端2是經由一第一管道傳遞一登錄資料(例如,使用者ID及密碼)予ICP伺服器31(步驟S301),ICP伺服器31驗證登錄資料無誤後,即提供腳本內含ICP委託幫其做身份認證之IDP伺服器41之網頁位址予使用終端2(步驟S302)並同時請求該IDP伺服器41進行用戶身份登錄工作(步驟303);該腳 本受該使用終端觸發後,使用終端2掃描程式22便經由一不同於該第一管道的第二管道鏈結至該對應IDP伺服器41(步驟S304),要求該IDP伺服器41下傳前述經下載中心1私鑰簽過名的該IDP伺服器41之網頁位址(步驟S305);並用其內存下載中心1之公鑰來辨別其是否真正來自下載中心1(步驟S306),若結果是真實,掃描程式22便掃描使用終端2產生一硬體掃描資料(步驟S307),再經由上述第二管道傳遞硬體掃描資料予IDP伺服器41儲存以供後續使用者的身份比對(步驟S308),IDP伺服器41並同通知ICP伺服器31登錄已經成功(步驟309)。Referring to FIG. 3, in the login procedure of the method of the present invention, the terminal 2 uses the browser software 21 to browse the website of the ICP server 31, and the terminal 2 transmits a login data (for example, a user ID and a password via a first pipe). After the ICP server 31 verifies that the login data is correct, the ICP server 31 provides the webpage address of the IDP server 41 to which the ICP is authorized to authenticate the authentication to the user terminal 2 (step S302). At the same time, the IDP server 41 is requested to perform a user identity login operation (step 303); After being triggered by the terminal, the terminal 2 scan program 22 is linked to the corresponding IDP server 41 via a second pipe different from the first pipe (step S304), and the IDP server 41 is required to transmit the foregoing. The web address of the IDP server 41 that has been signed by the download center 1 private key (step S305); and the public key of the memory download center 1 is used to discriminate whether it is actually from the download center 1 (step S306), if the result is Really, the scanning program 22 scans the use terminal 2 to generate a hardware scan data (step S307), and then transfers the hardware scan data to the IDP server 41 via the second pipeline for storage by the subsequent users (step S308). The IDP server 41 and the notification ICP server 31 have successfully registered (step 309).

由於IDP伺服器41留存有對應不同使用者的登錄資料相對應的使用終端2的硬體掃描資料,由於使用者利用隨身的使用終端2的硬體掃描資料作為身份驗證之用,讓第三人無法輕易竊取或盜用。此外,使用終端2可隨時直接和下載中心1相連,並請求下載中心1辨識取得的簽過名的IDP伺服器41的網頁位址是否真實,或下載其他新的公鑰以防止駭客攻擊或非簽約的IDP伺服器41非法使用其技術及服務。Since the IDP server 41 retains the hardware scan data of the use terminal 2 corresponding to the login data of different users, the third party is used as the identity verification by the user using the hardware scan data of the portable terminal 2 Can't be easily stolen or stolen. In addition, the terminal 2 can be directly connected to the download center 1 at any time, and requests the download center 1 to identify whether the obtained web address of the signed IDP server 41 is authentic, or download another new public key to prevent hacking attacks or The non-contracted IDP server 41 illegally uses its technology and services.

參閱圖4,當使用終端2完成如圖3的身份登錄程序後,於下一次使用瀏覽器軟體21瀏覽ICP伺服器31之網站時,使用終端2經由第一管道傳遞該登錄資料(例如,使用者ID及密碼)予ICP伺服器31(步驟S401),ICP伺服器31驗證登錄資料無誤後,即提供腳本內含ICP委託幫其做身份認證之IDP伺服器41之網頁位址予使用終端2(步驟S402)並同 時請求該IDP伺服器41做用戶身份認證工作(步驟403);該腳本受該使用終端2觸發後,使用終端2的掃描程式22便經由一不同於該第一管道的第二管道鏈結至該對應IDP伺服器41(步驟S404);要求該IDP伺服器41下傳前述經下載中心1私鑰簽過名的該IDP伺服器41之網頁位址(步驟S405);並用其內存下載中心1之公鑰來辨別其是否真正來自下載中心1(步驟S406),若結果是真實,掃描程式22便掃描使用終端2產生一硬體掃描資料(步驟S407),再經由上述第二管道傳遞硬體掃描資料予IDP伺服器41(步驟S408);IDP伺服器41查驗使用終端2之硬體掃描資料與該使用終端2預存的硬體掃描資料是否相符(步驟S409),藉此,IDP伺服器41將查驗結果回傳給ICP伺服器31(步驟S410)以決定是否允許使用終端2登錄ICP伺服器31。Referring to FIG. 4, when the terminal 2 is used to complete the identity registration process of FIG. 3, the next time the browser software 21 is used to browse the website of the ICP server 31, the terminal 2 transmits the login data via the first pipe (for example, using The ID and password are forwarded to the ICP server 31 (step S401). After the ICP server 31 verifies that the login data is correct, the ICP server 31 provides the web address of the IDP server 41 to which the ICP is authorized to authenticate the identity to the user terminal 2 (Step S402) and the same The IDP server 41 is requested to perform a user identity authentication operation (step 403); after the script is triggered by the user terminal 2, the scanning program 22 of the terminal 2 is linked to the second pipeline different from the first pipeline to Corresponding to the IDP server 41 (step S404); requesting the IDP server 41 to transmit the webpage address of the IDP server 41 that has been renamed by the download center 1 private key (step S405); and using its memory download center 1 The public key is used to discriminate whether it is actually from the download center 1 (step S406). If the result is true, the scanner 22 scans the use terminal 2 to generate a hard scan data (step S407), and then transfers the hardware via the second pipe. The data is scanned to the IDP server 41 (step S408); the IDP server 41 checks whether the hardware scan data of the use terminal 2 matches the hardware scan data prestored by the use terminal 2 (step S409), whereby the IDP server 41 The inspection result is transmitted back to the ICP server 31 (step S410) to determine whether or not the terminal 2 is allowed to log in to the ICP server 31.

參閱圖5,本發明方法的登錄程序還可提供多個IDP伺服器41、42的選項給使用者,其方式為:使用終端2使用瀏覽器軟體21瀏覽ICP伺服器31之網站,且使用終端2是經由一第一管道傳遞一登錄資料(例如,使用者ID及密碼)予ICP伺服器31(步驟S501),ICP伺服器31驗證登錄資料無誤後,即提供IDP伺服器41、42的選項(步驟S502),使用終端2即可發送選取IDP伺服器42之指令給ICP伺服器31(步驟S503);ICP伺服器31並同時請求該IDP伺服器42做用戶身份登錄工作(步驟S504)。Referring to FIG. 5, the login procedure of the method of the present invention may also provide options for a plurality of IDP servers 41, 42 to the user by using the terminal 2 to browse the website of the ICP server 31 using the browser software 21, and using the terminal. 2, a login data (for example, a user ID and a password) is transmitted to the ICP server 31 via a first pipe (step S501), and the ICP server 31 provides the option of the IDP server 41, 42 after verifying that the login data is correct. (Step S502), the terminal 2 can be used to transmit an instruction to select the IDP server 42 to the ICP server 31 (step S503); the ICP server 31 simultaneously requests the IDP server 42 to perform the user identity registration operation (step S504).

接著,ICP伺服器31提供一腳本內含IDP伺服器42之網頁位址予使用終端2(步驟S505),使用終端2觸發腳本後, 使用終端掃描程式22便經由一不同於該第一管道的第二管道鏈結至該對應IDP(步驟S506);要求該IDP伺服器42下傳前述經下載中心1私鑰簽過名的該IDP伺服器42之網頁位址(步驟S507);並用其內存下載中心1之公鑰來辨別其是否真正來自下載中心1(步驟S508),若結果是真實,掃描程式22便掃描使用終端2產生一硬體掃描資料(步驟S509),再經由上述第二管道傳遞硬體掃描資料予IDP伺服器42儲存以供後續使用者的身份比對(步驟S510),IDP伺服器42並通知ICP伺服器31身份登錄成功(步驟S511)。Next, the ICP server 31 provides a script containing the webpage address of the IDP server 42 to the user terminal 2 (step S505), and after using the terminal 2 to trigger the script, The terminal scanning program 22 is used to link to the corresponding IDP via a second pipe different from the first pipe (step S506); the IDP server 42 is required to transmit the IDP that has been named by the download center 1 private key. The webpage address of the server 42 (step S507); and using the public key of the memory download center 1 to discriminate whether it is actually from the download center 1 (step S508), if the result is true, the scanner 22 scans the use terminal 2 to generate a The hardware scans the data (step S509), and then transmits the hardware scan data to the IDP server 42 via the second pipeline for storage by the subsequent user (step S510), and the IDP server 42 notifies the ICP server 31. The identity registration is successful (step S511).

參閱圖6,當使用終端2完成如圖5的身份登錄程序後,於下一次使用瀏覽器軟體21瀏覽ICP伺服器31之網站時,使用終端2經由第一管道傳遞該登錄資料(例如,使用者ID及密碼)予ICP伺服器31(步驟S601),ICP伺服器31驗證登錄資料無誤後,即提供IDP伺服器41、42的選項(步驟S602),使用終端2即可發送選取IDP伺服器42之指令給ICP伺服器31(步驟S603)。Referring to FIG. 6, when the terminal 2 is used to complete the identity registration process of FIG. 5, the next time the browser software 21 is used to browse the website of the ICP server 31, the terminal 2 transmits the login data via the first pipe (for example, using The ID and password are forwarded to the ICP server 31 (step S601). After the ICP server 31 verifies that the login data is correct, the ICP server 31 provides the options of the IDP servers 41 and 42 (step S602), and the terminal 2 can be used to transmit the selected IDP server. The instruction of 42 is supplied to the ICP server 31 (step S603).

然後,ICP伺服器31即提供一腳本內含IDP伺服器42之網頁位址予使用終端2(步驟S604)予使用終端2並同時請求該IDP做用戶身份認證工作(步驟S605),該腳本受使用終端2觸發後,使用掃描程式22便經由一不同於該第一管道的第二管道鏈結至該對應IDP伺服器42(步驟S606);要求該IDP伺服器42下傳前述經下載中心1私鑰簽過名的該IDP伺服器之網頁位址(步驟S607);並用其內存下載中心1之公鑰來辨別其是否真正來自下載中心1(步驟S608),若 結果是真實,掃描程式22便掃描使用終端2產生一硬體掃描資料(步驟S609),再經由上述第二管道傳遞硬體掃描資料予IDP伺服器42(步驟S610);IDP伺服器42查驗使用終端2之硬體掃描資料與該使用終端2預存的硬體掃描資料是否相符(步驟S611),藉此,IDP伺服器42將查驗結果回傳給ICP伺服器31(步驟S612)以決定是否允許使用終端2登錄ICP伺服器31,如此一來,即提供使用終端2更為多元的IDP伺服器41-4n的不同選擇來進行身份驗證。Then, the ICP server 31 provides a script containing the webpage address of the IDP server 42 to the use terminal 2 (step S604) to the use terminal 2 and simultaneously requests the IDP for user identity authentication (step S605), the script is subjected to After being triggered by the terminal 2, the scan program 22 is used to link to the corresponding IDP server 42 via a second pipe different from the first pipe (step S606); the IDP server 42 is required to transmit the aforementioned download center 1 The private key signing the web address of the IDP server (step S607); and using the public key of the memory download center 1 to distinguish whether it is actually from the download center 1 (step S608), The result is true, the scanning program 22 scans the use terminal 2 to generate a hard scan data (step S609), and then transfers the hardware scan data to the IDP server 42 via the second pipeline (step S610); the IDP server 42 checks and uses Whether the hardware scan data of the terminal 2 matches the hardware scan data pre-stored by the terminal 2 (step S611), whereby the IDP server 42 returns the check result to the ICP server 31 (step S612) to determine whether to allow The terminal 2 is used to log in to the ICP server 31, thus providing different options for using the more diverse IDP server 41-4n of the terminal 2 for identity verification.

從長遠來看,本發明可改變網路身份認證產業生態,提供一個各IDP業者在相同條件下自由競爭,提供各有特色及不同價值的安全認證服務,使用者有選擇權,且隨時可更換IDP業者,ICP業者可以專注於其核心業務,把身份認證交給第三方IDP業者及讓其使用者選擇自己信任的IDP業者,本發明真正用到網際網路這樣一個開放環境且符合其精神可以自由競爭,自由選擇的安全身份認證。In the long run, the present invention can change the ecology of the network identity authentication industry, provide a IDP operator to compete freely under the same conditions, and provide various security certification services with different characteristics and different values. The user has the right to choose and can be replaced at any time. IDP operators, ICP operators can focus on their core business, handing identity authentication to third-party IDP operators and letting their users choose their own trusted IDP operators. The invention truly uses the open environment of the Internet and is in line with its spirit. Free competition, free choice of secure identity authentication.

綜上所述,本發明具安全性保護的自動轉址及網路身份驗證方法之功效在於:In summary, the effectiveness of the automatic address and network identity verification method with security protection of the present invention is as follows:

1.本發明是藉由使用終端2的掃描程式22來掃描使用終端2的硬體資料進行身份認證,不用另外購買收各種不同身份驗證硬體產品。1. The present invention scans the hardware data of the terminal 2 for identity authentication by using the scanning program 22 of the terminal 2, without separately purchasing various different authentication hardware products.

2.本發明連接使用終端2和ICP伺服器31-3n的管道和連接使用終端和IDP伺服器41-4n的管道並不一樣,是一個雙管道的認證架構,駭客不容易攻擊,2. The connection between the terminal 2 and the ICP server 31-3n of the present invention is different from that of the connection terminal and the IDP server 41-4n. It is a dual-pipe authentication architecture, and the hacker is not easy to attack.

3.使用者只需從下載中心1下載一掃描程式22,各個 ICP伺服器31-3n及IDP伺服器41-4n皆可使用同一掃描程式22來做身份認證。3. The user only needs to download a scanning program 22 from the download center 1, each Both the ICP server 31-3n and the IDP server 41-4n can use the same scanner 22 for identity authentication.

4.ICP伺服器31-3n可選擇不同IDP伺服器41-4n的業者幫其做身份認證,亦可隨時更換IDP伺服器41-4n的業者,不用考慮更換IDP伺服器41-4n時所需的各種費用,時間及給使用者帶來的麻煩,4. The ICP server 31-3n can select different IDP server 41-4n to help him authenticate the identity, and can also change the IDP server 41-4n at any time, regardless of the need to replace the IDP server 41-4n. Various expenses, time and trouble for the user,

5.IDP伺服器41-4n的業者可利用同一架構及技術對不同客戶(ICP伺服器31-3n)提供不同附加價值,不同價格及特色的認證服務,5. IDP server 41-4n operators can use different architectures and technologies to provide different added value, different price and characteristic certification services for different customers (ICP server 31-3n).

6.下載中心1是獨立於ICP的業者及IDP的業者以外的第三方,可以事先大量的推出掃瞄程式22給使用者,大量節省客服成本。6. The download center 1 is a third party other than the ICP-independent company and the IDP operator. The scanner program 22 can be introduced to the user in advance, and the customer service cost is greatly saved.

7.同一ICP伺服器31-3n可同時提供不同IDP伺服器41-4n讓使用者選擇,使用者可以在不同ICP伺服器31-3n選用同一IDP伺服器41-4n,這樣好的IDP伺服器41-4n就可勝出,淘汰不好的IDP伺服器41-4n。7. The same ICP server 31-3n can provide different IDP servers 41-4n for the user to select, the user can select the same IDP server 41-4n in different ICP servers 31-3n, such a good IDP server 41-4n will win, and the bad IDP server 41-4n will be eliminated.

8.不同的ICP伺服器31-3n的業者及不同的IDP伺服器41-4n的業者可與下載中心1的業者合作,由第三方的業者提供下載中心1及掃描程式22,如此一來,使用者以使用終端2可自由選擇所信賴的IDP伺服器41-4n來確認使用者身份。8. The operators of different ICP servers 31-3n and the operators of different IDP servers 41-4n can cooperate with the operators of the download center 1, and the download center 1 and the scanning program 22 are provided by the third party, so that The user can freely select the trusted IDP server 41-4n by the use terminal 2 to confirm the identity of the user.

9.當任一ICP系統31-3n導向任一IDP伺服器41-4n時,由於各ICP系統31-3n及各IDP伺服器41-4n之間的傳輸通道已被加密,可避免有心人士攔截及竄改網頁位址的方式盜 用個人資料。9. When any ICP system 31-3n is directed to any IDP server 41-4n, since the transmission channel between each ICP system 31-3n and each IDP server 41-4n has been encrypted, it can be avoided to be intercepted by the person concerned. And hacking the way the web address is stolen Use personal information.

10.除了ICP系統31-3n使用傳統的ID及密碼的登錄資料,再利用多重的硬體掃描資料及地理位置的查驗,可加強確認使用者本人的真實身份,避免被遠端的駭客盜用身份資料,故確實能達到本發明之目的。10. In addition to the ICP system 31-3n using traditional ID and password login data, and then using multiple hardware scan data and geographical location inspection, can strengthen the user's true identity, to avoid being stolen by remote hackers The identity data, indeed, can achieve the purpose of the present invention.

惟以上所述者,僅為本發明之較佳實施例而已,當不能以此限定本發明實施之範圍,即大凡依本發明申請專利範圍及發明說明內容所作之簡單的等效變化與修飾,皆仍屬本發明專利涵蓋之範圍內。The above is only the preferred embodiment of the present invention, and the scope of the invention is not limited thereto, that is, the simple equivalent changes and modifications made by the scope of the invention and the description of the invention are All remain within the scope of the invention patent.

1‧‧‧下載中心1‧‧‧Download Center

2‧‧‧使用終端2‧‧‧Use terminal

21‧‧‧瀏覽器軟體21‧‧‧Browser software

22‧‧‧掃描程式22‧‧‧ Scanner

3‧‧‧ICP伺服器群集3‧‧‧ICP server cluster

31~3n‧‧‧ICP伺服器31~3n‧‧‧ICP server

4‧‧‧IDP伺服器群集4‧‧‧IDP Server Cluster

41~4n‧‧‧IDP伺服器41~4n‧‧‧IDP server

S201~S204‧‧‧步驟S201~S204‧‧‧Steps

S301~S309‧‧‧步驟S301~S309‧‧‧Steps

S401~S410‧‧‧步驟S401~S410‧‧‧Steps

S501~S511‧‧‧步驟S501~S511‧‧‧Steps

S601~S612‧‧‧步驟S601~S612‧‧‧Steps

圖1是一系統方塊圖,說明本發明具安全性保護的自動轉址及網路身份驗證方法之相關應用裝置;圖2是一流程圖,說明本發明具安全性保護的自動轉址及網路身份驗證方法之較佳實施例中,下載中心1對應不同IDP伺服器提供用其非對稱私鑰簽過名的IDP網頁位址以及提供不同使用終端來下載共用的掃描程式及相對的公鑰;圖3是一流程圖,說明本發明具安全性保護的自動轉址及網路身份驗證方法之較佳實施例中的身份登錄過程;圖4是一流程圖,說明本發明具安全性保護的自動轉址及網路身份驗證方法之較佳實施例中的身份驗證過程;圖5是一流程圖,說明本發明具安全性保護的自動轉址及網路身份驗證方法之較佳實施例中,提供多種不同IDP系統選項供使用終端選擇其中一IDP系統選項進行身份登 錄過程;及圖6是一流程圖,說明本發明具安全性保護的自動轉址及網路身份驗證方法之較佳實施例中,提供多種不同IDP系統選項供使用終端選擇其中一IDP系統選項進行身份驗證過程。1 is a system block diagram illustrating the related application device of the automatic address and network identity verification method with security protection of the present invention; FIG. 2 is a flow chart illustrating the automatic address and network with security protection of the present invention In a preferred embodiment of the way of authenticating the method, the download center 1 provides different IDP servers with IDP web addresses that are signed with their asymmetric private keys, and provides different use terminals to download the shared scanner and the relative public key. FIG. 3 is a flow chart illustrating the identity registration process in the preferred embodiment of the automatic address and network identity verification method with security protection of the present invention; FIG. 4 is a flowchart illustrating the security protection of the present invention. FIG. 5 is a flow chart illustrating a preferred embodiment of the method for automatic addressing and network authentication of the present invention with security protection. FIG. A variety of different IDP system options are available for the terminal to select one of the IDP system options for identity The recording process; and FIG. 6 is a flow chart illustrating a preferred embodiment of the security-protected automatic forwarding and network authentication method of the present invention, providing a plurality of different IDP system options for the terminal to select one of the IDP system options. The authentication process takes place.

1‧‧‧下載中心1‧‧‧Download Center

2‧‧‧使用終端2‧‧‧Use terminal

21‧‧‧瀏覽器軟體21‧‧‧Browser software

22‧‧‧掃描程式22‧‧‧ Scanner

3‧‧‧ICP伺服器群集3‧‧‧ICP server cluster

31~3n‧‧‧ICP伺服器31~3n‧‧‧ICP server

4‧‧‧IDP伺服器群集4‧‧‧IDP Server Cluster

41~4n‧‧‧IDP伺服器41~4n‧‧‧IDP server

Claims (6)

一種具安全性保護的自動轉址及網路身份驗證方法,應用於一內容提供者伺服器、多數身份驗證提供者伺服器、一使用終端及一下載中心,各該身份驗證提供者伺服器具有個別的網頁位址,該方法包括下述步驟:(a)該下載中心提供各該身份驗證提供者伺服器一內含以私鑰簽過名的網頁位址的資料,並提供該使用終端用以識別該內含以私鑰簽過名的網頁位址的資料的公鑰;(b)該內容提供者伺服器向其中一身份驗證提供者伺服器請求驗證該使用終端的身份時,該身份驗證提供者伺服器供該使用終端下傳該內含以私鑰簽過名的網頁位址的資料;及(c)該使用終端以該公鑰識別該私鑰簽過名的網頁位址的資料是否真正來自該下載中心,若結果是真實,該掃描程式便掃描該使用終端且產生一硬體掃描資料,且自動上傳該硬體掃描資料予該身份驗證提供者伺服器以供其查驗該使用者的身份。 A security-protected automatic forwarding and network authentication method is applied to a content provider server, a majority of an authentication provider server, a use terminal, and a download center, each of the authentication provider servers having For the individual webpage address, the method includes the following steps: (a) the download center provides each of the authentication provider servers with a webpage address with a private key sign and provides the terminal for the use terminal. a public key identifying the material of the webpage address that is tagged with the private key; (b) the identity provider server requesting verification of the identity of the user terminal by one of the authentication server servers Verifying that the provider server is for the user terminal to transmit the information of the webpage address containing the private key signature; and (c) the user terminal identifies the webpage address of the private key signature by the public key Whether the data actually comes from the download center, if the result is true, the scanning program scans the user terminal and generates a hardware scan data, and automatically uploads the hardware scan data to the authentication provider server. The identity of the user for their inspection. 一種具安全性保護的自動轉址及網路身份驗證方法,應用於一內容提供者伺服器、多數身份驗證提供者伺服器、一使用終端及一下載中心,各該身份驗證提供者伺服器具有個別的網頁位址,該方法包括下述步驟:(a)各該身份驗證提供者伺服器取得該下載中心事先用一非對稱私鑰簽過名的各該身份驗證提供者伺服器之網頁位址,且該使用終端已從該下載中心下載對應各該非對稱私鑰的非對稱公鑰及一掃描程式; (b)該使用終端瀏覽該內容提供者伺服器之網站,該內容提供者伺服器之網站提供一腳本予使用終端,該腳本內含該等內容提供者伺服器的業者委託進行身份認證之該身份驗證提供者伺服器之網頁位址;及(c)該腳本受該使用終端觸發後,該使用終端之掃描程式和該身份驗證提供者伺服器相連並要求身份驗證提供者伺服器下傳前述經該下載中心的私鑰簽過名的該身份驗證提供者伺服器之網頁位址,並用該使用終端內存該下載中心之公鑰來辨別其是否真正來自該下載中心,若結果是真實,該掃描程式便掃描該使用終端且產生一硬體掃描資料並上傳予該身份驗證提供者伺服器儲存以供後續使用者的身份比對。 A security-protected automatic forwarding and network authentication method is applied to a content provider server, a majority of an authentication provider server, a use terminal, and a download center, each of the authentication provider servers having The individual webpage address, the method comprising the steps of: (a) each of the authentication provider servers obtaining a webpage of each of the authentication provider servers that the downloading center has previously signed with an asymmetric private key Address, and the user terminal has downloaded an asymmetric public key corresponding to each asymmetric private key and a scanning program from the download center; (b) the user terminal browses the website of the content provider server, and the website of the content provider server provides a script to the user terminal, and the script includes the provider of the content provider server to authorize the identity authentication. The web address of the authentication provider server; and (c) after the script is triggered by the terminal, the scanning program of the terminal is connected to the authentication provider server and requires the authentication provider server to transmit the foregoing The web address of the authentication provider server that has been signed by the private key of the download center, and uses the public key of the download center in the user terminal to identify whether it is actually from the download center, and if the result is true, the The scanning program scans the user terminal and generates a hardware scan data and uploads it to the authentication provider server for later identity comparison. 依據申請專利範圍第2項所述之具安全性保護的自動轉址及網路身份驗證方法,其中,該使用終端可隨時直接和該下載中心相連,並請求該下載中心辨識取得的簽過名的身份驗證提供者伺服器的網頁位址是否真實,或下載其他新的公鑰以防止駭客攻擊或非簽約的身份驗證提供者伺服器非法使用其技術及服務。 According to the method of claim 2, the security-protected automatic forwarding and network authentication method, wherein the user terminal can directly connect to the download center at any time, and request the download center to identify the signed name. Whether the authentication provider server's web page address is authentic, or download another new public key to prevent hacker attacks or non-contracted authentication provider servers from illegally using their technology and services. 依據申請專利範圍第3項所述之具安全性保護的自動轉址及網路身份驗證方法,其中,該掃描程式是掃描包括該使用終端的一中央處理單元、一基本輸入輸出系統單元、一儲存裝置、一網路介面、一主機板之識別碼及一有線或無線近距離連接的外接裝置的其中至少二硬體元件之識別碼組合。 According to the automatic protection and network identity verification method according to claim 3, wherein the scanning program scans a central processing unit including the terminal, a basic input/output system unit, and a A storage device, a network interface, an identification code of a motherboard, and an identification code of at least two hardware components of an external device connected in a wired or wireless proximity. 依據申請專利範圍第4項所述之具安全性保護的自動轉址 及網路身份驗證方法,其中,該掃描程式還可取得對於所掃描的該等硬體元件的地理位置進行定位,並於該身份驗證提供伺服器查驗身份時,判斷當時掃描的該等硬體元件是否處於相同的理位置以決定使用者身份。 Automatic redirection according to safety protection as described in item 4 of the patent application scope And a network authentication method, wherein the scanning program can also obtain a location for the geographical location of the scanned hardware components, and determine the hardware that is scanned at the time when the identity verification server provides the identity of the server. Whether the component is in the same position to determine the identity of the user. 依據申請專利範圍第2項所述之具安全性保護的自動轉址及網路身份驗證方法,其中,該內容提供者伺服器可提供數個不同的身份驗證提供者讓使用者選擇,且提供予該使用終端的腳本內含該使用者所選擇的身份驗證提供者伺服器之網頁位址以進行身份登錄及驗證。 According to the security-protected automatic forwarding and network authentication method described in claim 2, the content provider server can provide a plurality of different authentication providers for the user to select and provide The script for the user terminal contains the web address of the authentication provider server selected by the user for identity login and verification.
TW101140767A 2012-11-02 2012-11-02 Secure distributed dynamic url TWI488479B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW101140767A TWI488479B (en) 2012-11-02 2012-11-02 Secure distributed dynamic url

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW101140767A TWI488479B (en) 2012-11-02 2012-11-02 Secure distributed dynamic url

Publications (2)

Publication Number Publication Date
TW201419821A TW201419821A (en) 2014-05-16
TWI488479B true TWI488479B (en) 2015-06-11

Family

ID=51294545

Family Applications (1)

Application Number Title Priority Date Filing Date
TW101140767A TWI488479B (en) 2012-11-02 2012-11-02 Secure distributed dynamic url

Country Status (1)

Country Link
TW (1) TWI488479B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050165698A1 (en) * 2002-05-25 2005-07-28 Cho Ku G. User authentication method and system using user's e-mail address and hardware information
US20090144812A1 (en) * 2007-11-29 2009-06-04 Naoki Sasamura Entry auxiliary apparatus, entry auxiliary system, entry auxiliary method and entry auxiliary program
US7861077B1 (en) * 2005-10-07 2010-12-28 Multiple Shift Key, Inc. Secure authentication and transaction system and method
TW201225697A (en) * 2010-09-20 2012-06-16 Interdigital Patent Holdings Identity management on a wireless device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050165698A1 (en) * 2002-05-25 2005-07-28 Cho Ku G. User authentication method and system using user's e-mail address and hardware information
US7861077B1 (en) * 2005-10-07 2010-12-28 Multiple Shift Key, Inc. Secure authentication and transaction system and method
US20090144812A1 (en) * 2007-11-29 2009-06-04 Naoki Sasamura Entry auxiliary apparatus, entry auxiliary system, entry auxiliary method and entry auxiliary program
TW201225697A (en) * 2010-09-20 2012-06-16 Interdigital Patent Holdings Identity management on a wireless device

Also Published As

Publication number Publication date
TW201419821A (en) 2014-05-16

Similar Documents

Publication Publication Date Title
US9838205B2 (en) Network authentication method for secure electronic transactions
US9231925B1 (en) Network authentication method for secure electronic transactions
US8532620B2 (en) Trusted mobile device based security
CN101427510B (en) Digipass for the web-functional description
JP6012125B2 (en) Enhanced 2CHK authentication security through inquiry-type transactions
US9124571B1 (en) Network authentication method for secure user identity verification
US9667618B2 (en) Method for domain control validation
CN105577612B (en) Identity authentication method, third-party server, merchant server and user terminal
US20170078276A1 (en) System for domain control validation
US20140359741A1 (en) Mutually Authenticated Communication
CN102597981A (en) Modular device authentication framework
TW201424316A (en) Method for authenticatiing online transactions using a browser
JP5431040B2 (en) Authentication request conversion apparatus, authentication request conversion method, and authentication request conversion program
CN105657474A (en) Anti-stealing link method and system using identity-based signature in video application
US20170230416A1 (en) System and methods for preventing phishing attack using dynamic identifier
US20110289316A1 (en) User authentication
JP6240102B2 (en) Authentication system, authentication key management device, authentication key management method, and authentication key management program
KR100750214B1 (en) Log-in Method Using Certificate
JP2015231177A (en) Device authentication method, device authentication system, and device authentication program
EP2916509B1 (en) Network authentication method for secure user identity verification
JP5793593B2 (en) Network authentication method for securely verifying user identification information
TWI488479B (en) Secure distributed dynamic url
JP6080282B1 (en) Authentication processing system, authentication auxiliary server, and web display program
CN103856438B (en) Have security protection from turn location and network identity validation method
CN108234136B (en) A kind of safety access method, terminal device and system

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees