
HK1220297B - Method for verifying security data, system, and a computer-readable storage device

Publication number: HK1220297B
Authority: HK (Hong Kong)
Prior art keywords: verification, data, terminal, server, service
Application number: HK16108239.6A
Other languages: Chinese (zh)
Other versions: HK1220297A1 (en)
Inventor: 向可喜
Original Assignee: 盖特资讯系统股份有限公司
Priority claimed from: TW103127319A (patent TWI548249B)
Application filed by: 盖特资讯系统股份有限公司
Publication of HK1220297A1
Publication of HK1220297B

Description

Security data verification method, system and computer-readable storage medium

Technical Field

The present invention relates to a security data verification method, system and computer-readable storage medium, and in particular to a method, a system and a storage medium holding the related program set, in which a verification server adds a further layer of security verification steps on top of the original service.

Background Art

When a specific service such as shopping or a transaction is accessed over a network, the server typically provides an identity authentication service, such as an account and password generated through member login. As simple authentication methods no longer meet strict security requirements, stricter verification methods have emerged. One example is dynamic password technology: the user holds a device called a token, which yields a unique dynamic password each time the service is accessed, and that password is valid only for that moment of service.

In addition, as mobile devices become more widespread, known techniques use the mobile device as the token device described above. The service provider cooperates with a telecom operator: when a user logs in to a specific service, the relevant server first obtains the login data and, together with the telecom operator (or an authentication provider), sends a text-message password to the user, who enters it to complete the login. This type of service is common in online game servers and online banking.

Summary of the Invention

The present invention proposes a security data verification method, system and computer-readable storage medium. Its main feature is that when a user operates a device to obtain a specific network service, a verification server first verifies the user's terminal device and generates the transaction data that completes access to the service, so that the terminal device can securely complete the whole process of obtaining the service.

According to the embodiments described in the specification, the steps of the security data verification method are as follows. An application server receives a service request signal sent by a terminal, for example a computer host accessing the content of a specific website. The application server then notifies a verification server to perform identity verification, that is, to send a signal that initiates verification to the terminal, for example one received by the user's mobile device as a push notification. A piece of software is then started on the terminal, which carries out a verification procedure with the verification server, for example by passing the key that was set when registering with the system's service. The verification server verifies the mobile device in order to confirm that the connected device or server is secure.

After verification is complete, the verification server sends the transaction data for accessing the service to the terminal, for example as an encrypted package. After decryption at the terminal, the data is applied to a specific form. In one embodiment, this data is then turned into verification data that is submitted to the verification server, and once it has been verified the service can be accessed.

According to another embodiment, the security data verification system includes an application server that provides a service, accepts service requests generated by a terminal and receives the data the terminal submits. It also includes a verification server that provides identity verification: on receiving the application server's request to perform a security check, it sends a signal that initiates verification to the terminal and carries out a verification procedure with the terminal. After verification is complete, it sends the transaction data that completes the service to the terminal, and once that data has been confirmed the service can be accessed. In a further embodiment, this transaction data can also be used to verify the security of the terminal or its software once more.

The program set that executes the above data verification method is stored on a computer-readable storage medium, and includes a program set that executes the security data verification method on a mobile device. On the mobile device, the program set includes instructions for receiving a signal that initiates verification from a verification server, instructions for starting a piece of software in response to that signal, instructions for carrying out a verification procedure with the verification server, instructions for receiving, after verification is complete, the transaction data that completes the service from the verification server, and instructions for building, from all or part of the transaction data, a form in which the transaction data is confirmed.

For a further understanding of the techniques, methods and effects by which the present invention achieves its objectives, refer to the following detailed description and drawings, from which the objectives, features and characteristics of the invention can be understood in depth and in detail. The attached drawings and appendices are provided for reference and illustration only and are not intended to limit the present invention.

Brief Description of the Drawings

FIG. 1 is a schematic diagram of one embodiment of the network architecture of the security data verification system of the present invention;

FIG. 2 is a flow chart of an embodiment of the security data verification method of the present invention executed on the client;

FIGS. 3A, 3B, 3C and 3D are schematic diagrams of a mobile device executing the security data verification method of the present invention;

FIG. 4 is a flow chart of an embodiment of the security data verification method of the present invention operating on the server side;

FIG. 5 is a flow chart of one embodiment of the system operation of the security data verification method of the present invention;

FIG. 6 is a flow chart of another embodiment of the system operation of the security data verification method of the present invention.

[Description of Reference Numerals]

Network 10
Application server 101
Verification server 103
First terminal device 105
Second terminal device 107

Mobile device 31
Activation information 301
Identity authentication graphic 303
Software 305
Verification procedure 307
Application form 309

Terminal device 51
Application server 53
Verification server 55
Request service 501
Notify verification 503
Push message 505
Verification procedure 507
Transmit transaction data 509
Transmit verification data 511
Notify verification completion 513
Allow access to service 515

First terminal device 61
Second terminal device 62
Application server 63
Verification server 65
Request service 601
Notify verification 603
Push message 605
Exchange verification data 607
Transmit transaction data 609
Transmit verification data 611
Notify verification completion 613
Allow access to service 615

Steps S201 to S219: client-side flow of the security data verification method

Steps S401 to S415: server-side flow of the security data verification method

Detailed Description

FIG. 1 is a schematic diagram of one embodiment of the network architecture of the security data verification system of the present invention. It shows multiple devices connected through a network 10, including an application server 101 that provides a service. The application server 101 accepts a service request generated by a terminal (the second terminal device 107 in this example) and receives the data the terminal submits, such as the data required to complete a transaction: user account, password, membership data, credit data, transaction list and so on.

For example, the application server 101 is a network server with security requirements, such as a shopping platform, a game host or an online bank. A user connects to the network service provided by the application server 101 through a computer device, represented by the second terminal device 107. When the application server 101 receives the service request, it notifies a separate verification server 103, which provides identity verification. The terminal that accesses the application server 101 may also be a mobile device, represented by the first terminal device 105.

When the verification server 103 receives the notification from the application server 101 to verify a specific service connection, it also receives information about the service, such as the user data, account data and/or hardware information of the party requesting the service. It can therefore perform a security check, which includes sending a signal that initiates verification to a specific terminal device, for example to the first terminal device 105, such as a mobile device. According to an embodiment, the signal can be delivered in this step as a network push notification. On receiving it, the corresponding first terminal device 105 starts a piece of software, such as a mobile application (APP) installed on the mobile device, in response to the signal. The user then uses this software to submit the data, such as a form, for the service to be accessed on the application server 101.

At this point, in one embodiment, the software requires the user operating it to authenticate, using a password, an identity authentication graphic, or biometrics such as fingerprint or face recognition, or by also verifying the hardware information of the device running the software. The software starts successfully only after this security check is complete.

Once the software has started, its instructions cause the first terminal device 105 to connect to the verification server 103 and carry out a verification procedure with it. The purpose of the verification procedure is to ensure that both ends of the connection, the server side and the software on the terminal, are the ones registered and agreed on in advance, so as to avoid security problems such as improper use or an implanted Trojan. The verification methods include the two sides exchanging verification data, such as confirmation codes or keys generated from hardware information. Alternatively, the first terminal device passes the key that was set when registering with the system's service, and the verification server verifies the mobile device, which ensures that both the server and the terminal device are secure. After this verification step, the verification server 103 sends the transaction data that completes the service to the first terminal device 105. After the user confirms the transaction content, the verification server 103 notifies the application server 101 to allow the user to access the service.

On the terminal side, the drawing shows a first terminal device 105 (e.g., a mobile device) and a second terminal device 107 (e.g., a general computer system). In one embodiment, the user first connects to the application server 101 with the second terminal device 107 to request a specific service, and then uses the first terminal device 105 as the identity verification device. The first terminal device 105 carries out the verification procedure with the verification server 103. After successful verification it obtains the transaction data that completes the service from the verification server 103, and the software on the first terminal device 105 builds the form or data for obtaining the service. After the user confirms the content, the second terminal device 107 can access the service.

It is worth mentioning that when the first terminal device 105 confirms the transaction data through the software, the same software or another piece of software can read an identification device that uses a short-range wireless communication protocol. Only after identity verification is completed in this way is the transaction data confirmed and the verification server 103 notified. The identification device is, for example, an identity verification card or another form of identification device. It carries identity verification data that has been registered in advance with the software in the terminal device, and it includes a circuit and an antenna that comply with a specific short-range wireless communication protocol, so it can exchange data with a terminal device that has circuitry for the same protocol. This prevents someone from using the first terminal device 105 illegitimately.

The short-range wireless communication protocol is, for example, Near Field Communication (NFC). When confirming the transaction data, the user takes out the identification device and performs a contactless data exchange with the first terminal device 105. After the software has confirmed the identification data, the message confirming the transaction data can be sent to the verification server 103.

In another embodiment, the roles of the first terminal device 105 and the second terminal device 107 can be performed on a single device rather than on separate devices. That device must still follow the steps described above: start the software in response to the signal from the verification server 103, receive the data that completes the service after verification is complete, then confirm the transaction content submitted to the application server 101 to access the service, and finally access the specific service.

FIG. 2 is a flow chart of an embodiment of the security data verification method of the present invention executed on the client.

At the start, as in step S201, the user operates a terminal device to connect to the application server and enters a service website, such as a shopping website, an online bank, a game host or another website with payment and commerce needs. To perform a specific transaction, the user (for example a member of the specific service) follows a link within the website and fills in transaction data, such as user account, password, membership data, credit data, order and purchased items. The application server then notifies the verification server to verify the user's identity.

When the verification server receives the notification to verify identity, it generates a push message based on the user information (including terminal device information) provided by the application server, and the terminal device receives the push message, as in step S203. In the embodiments, the device accessing the service and the device performing identity verification may be the same device or different devices.

In step S203 above, the verification server generates the signal that starts the software and sends it (for example as a push notification) to the terminal device. The terminal device automatically begins starting the relevant software in response to the signal, but first verifies the user's identity, as in step S205, and starts the software after that verification is complete, as in step S207.

According to one embodiment, before the system is in operation, the user installs on the terminal device the software that executes the security verification method of the present invention, such as a mobile application (APP) on a mobile device. The first time the software is executed, the user is required to register with the server of the relevant service, the verification server in this example. A confirmation code is generated at that point, and it can be bound to hardware information, such as the International Mobile Equipment Identity (IMEI) number, which is unique to each mobile device. The registered software therefore needs the confirmation code in order to start, and because the code is bound to hardware information, an attempt to start the software on another terminal device will not start it correctly. This ensures that the software is the one registered in advance and has not been tampered with.

After the software has started, as in step S209, it automatically connects to the verification server, and the verification procedure described above checks both the software and the verification server, ensuring the legitimacy of both sides and the security of the connection, as in step S211. Completion of the verification procedure means the terminal device can receive the transaction data sent by the verification server over a secure connection. The terminal device then generates a reply message to the verification server, and the verification server goes on to send the transaction data, that is, the data that completes the above service, as in step S213.

At step S213, the verification server generates an encrypted packet in a manner agreed on in advance, which protects the information. The terminal device then obtains the packet data with the corresponding decryption method, as in step S215, and applies the data to a service template, forming the multi-field form or table used to obtain the specific service on the application server. Then, as in step S217, this form data matches the transaction data originally entered to obtain the specific service, so the user can confirm whether the transaction content is correct.

In this step, according to a specific embodiment, when the user operates the terminal device to confirm the transaction data through the software, the same software or another piece of software can read an identification device (such as a card or any type of transceiver) that uses a short-range wireless communication protocol. Identity verification is completed against the identification information registered in advance, and only then can the transaction data be confirmed and the message sent to the verification server. Adding this security verification step strengthens the security of the process of the present invention. The short-range wireless communication protocol is, for example, near-field communication (NFC).

In another specific embodiment, the system can perform a further verification step after this one. For example, the forms or tables, or part of the data taken from the decrypted data, are run through a specific algorithm to produce verification data, which is sent to the verification server for a final confirmation. The verification server runs the corresponding algorithm over the same all or part of the transaction data and compares the result with the verification data sent by the terminal device (which may be sent as an encrypted string). Once this is confirmed, it notifies the application server and the selected service is accessed successfully, for example a transaction is concluded, as in step S219.

For example, the verification procedure between the verification server and the terminal can be based on the data used at the earlier registration, and in particular the identification information of the hardware used by the terminal can serve as security verification information. The terminal sends, for example, the mobile device's IMEI and the user information, or verification information produced by applying a specific computation to this basic data. This ensures that the device the terminal uses for verification is the device registered in advance.

Similarly, depending on the security considerations, the terminal device in this example can be implemented by the same device or by different devices at different stages. For example, a computer host connects to the application server, and a separate mobile device performs identity verification and completes the form for obtaining the specific service.

For the screens of the software running on the terminal device, see FIGS. 3A, 3B, 3C and 3D, which are schematic diagrams of a mobile device executing the security data verification method of the present invention.

As shown in FIG. 3A, when the user logs in to a specific application server through the mobile device 31 or another computer device to obtain a specific service, the mobile device 31 then receives activation information 301 sent from a verification server.

Receiving the activation information 301 starts the specific application software in the mobile device 31. In one embodiment, the software then requires the user operating it to authenticate, using a password, an identity authentication graphic, or biometrics such as fingerprint or face recognition, without excluding other methods. The software starts successfully only after authentication is complete.

As shown in FIG. 3B, the mobile device 31 begins an identity authentication procedure in which the confirmation code can take the form of the identity authentication graphic 303 shown in the figure. The user draws a track on the identity authentication graphic 303 according to the unlocking pattern set in advance, which produces the authentication information, and the software starts once the user is authenticated.

As shown in FIG. 3C, the mobile device 31 has started the software 305, which automatically connects to the verification server and carries out the verification procedure 307 to exchange verification data with it. For example, keys are exchanged and then combined in a computation with the key stored in the device, as the basis for verifying that both sides are legitimate devices.

After verification is complete, as shown in FIG. 3D, the mobile device 31 receives the transaction data sent by the verification server, such as the data that completes the service. After decryption in the software 305, the data is automatically applied to a specific template to form an application form 309 for completing the service, and the user can check the transaction information it contains. After the user confirms through the interface, the verification server receives the confirmation and notifies the application server to allow the user to log in to the specific application server and obtain the specific service.

FIG. 4 shows a flow chart of an embodiment of the security data verification method of the present invention running on the server side.

The server side implements its services on the same or different service hosts, including the services of the application server and the verification server described above. At the start, as in step S401, the application server receives a service request from the terminal. Based on the membership data or data registered in advance, the application server obtains the user data of the terminal accessing the service, together with the submitted transaction data. It then asks the verification server to perform a security check on that basis, as in step S403. The main purpose is to verify the user's identity, and in particular to confirm the legitimacy of the device the user holds and of the software in it.

At this point, as in step S405, the verification server sends an activation signal to the designated terminal device based on the information provided by the application server, for example using network push technology. The terminal device starts the software in response to the activation signal and begins the verification procedure, as shown in step S407.

In the verification procedure, the software that the verification server's signal started on the terminal sends verification data to the verification server, such as a verification code computed from the user information and/or the terminal hardware information. This is compared with the data registered in advance on the verification server, or with data obtained by the same computation. When the verification server has completed the verification, it has also checked the legitimacy of the software (step S409), and it then sends the transaction data for obtaining the service. In one embodiment, this transaction data may be the transaction data that the terminal entered in the initial step S401 to obtain the specific service.

The terminal device decrypts the received transaction data and forms the form to be submitted to the server side, so that the user can confirm the transaction data. After the user confirms through the software, the terminal runs a computation over all or part of the transaction data to form verification data and sends it to the verification server for a second confirmation. On the verification server, as in step S413, the verification data sent by the terminal is received and the corresponding algorithm is used to compute the data to compare it against, which allows the second verification.

After this second confirmation, the verification server contacts the application server to indicate that verification is complete, and the application server allows the service the user wants to access, as in step S415.

FIG. 5 shows an embodiment of the operation of a system applying the secure data verification method of the present invention. In this example the system is broadly divided into three parties: a terminal device 51 at the terminal side (which may be implemented as one computer device or as different computer devices), an application server 53 that provides the service, and a verification server 55 used for security verification. Note that a server as described here is a service: the application server 53 and the verification server 55 may be two services provided by one host or service system, or they may be different services provided by different service providers on different systems.

According to this implementation of the secure data verification method, the terminal device 51 first sends a service request signal (501) to the application server 53. After the application server 53 receives the service request signal, it notifies the verification server 55 to verify the relevant terminal (503), in particular to verify the legitimacy of the terminal device 51.

Next, the verification server 55 pushes a signal to start verification (505) directly to the terminal device 51. Once the terminal device 51 recognizes this signal, it can start the corresponding software according to the signal (505). According to one embodiment, after the terminal device 51 receives the signal to start verification (505), the terminal device 51 performs identity verification for starting the software, for example in the manner of FIG. 3B or in another manner, to confirm that starting the software is authorized.

Next, the terminal device 51 and the verification server 55 carry out a verification procedure (507). Its main purpose is for the verification server 55 to confirm the security of the connection source; by exchanging verification data (for example, exchanging keys), the terminal can also verify that its connection with the verification server 55 is secure. After verification is completed, the verification server 55 transmits the transaction data (509) to the terminal device 55, for example as an encrypted package. After the terminal decrypts it, the user of the terminal device 55 can use the software to confirm the form built from this transaction data. In one embodiment, the service obtained from the application server 53 is completed at this point. Note that the transaction data transmitted by the verification server 55 may be the data that the application server 53 obtained when it received the service request signal from the terminal device 51 and then handed over to the verification server 55.

In yet another embodiment, after the terminal device 51 receives the transaction data (509) transmitted by the verification server 55 and the user confirms the transaction content, the terminal can use an algorithm (for example, one embedded in the software) to compute verification data from all or part of the data decrypted from the transaction data. The terminal device 51 then transmits the verification data (511) to the verification server 55, which recomputes the verification data (511) with the corresponding method and verifies it again. In this embodiment, therefore, the verification server 55 notifies the application server 53 that verification is complete (513) only after this re-verification, and the application server 53 then allows the terminal device 51 to access the requested service (515).

FIG. 6 shows the flow of an embodiment in which the user accesses the service from a general computer device and then performs verification on a mobile device.

In this figure, the flow begins when the second terminal device 62 sends a service request to the application server 63 (601); the user submits the transaction data through the second terminal device 62. The application server 63 then notifies the verification server 65 to perform security verification on the terminal (603).

The verification server 65 then pushes a message (605) to the first terminal device 61. The first terminal device 61 starts a piece of software and exchanges verification data (607) with the verification server 65. The verification server 65 verifies whether the first terminal device 61 is a legitimately verified device, and the first terminal device 61 can also use the software to verify the security of its connection with the verification server 65. In this example, the first terminal device 61 is a different device from the second terminal device 62. The present invention can therefore, when one terminal device accesses a service, run the verification procedure on a different device arranged in advance, and thereby check the service request made by the terminal device.

When the verification procedure is complete, the verification server 65 transmits the transaction data (609) to the first terminal device 61. This transaction data is, for example, the data originally filled in when the second terminal device 62 accessed the application server 63, such as user data, credit data, service items and orders. After the first terminal device 61 receives and decrypts the transaction data, it applies a specific template (this is optional) to form a transaction form displayed on the first terminal device 61, so that the user can confirm the transaction details. Once the transaction data is confirmed, access to the service can be authorized.

However, in one embodiment the system can provide a re-verification mechanism: the first terminal device 61 computes verification data from the transaction data and transmits it to the verification server 65 (611), and the verification server 65 verifies this verification data again with the corresponding algorithm, thereby confirming the security of the connection with the first terminal device 61.

Afterwards, the verification server 65 notifies the application server 63 that verification is complete (613), and the second terminal device 62 can be allowed to access the requested service (615).
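The re-verification step described for FIG. 5 (511, 513) and FIG. 6 (611, 613) can be sketched as follows. This is an added example, not code from the patent: the patent leaves the algorithm open, so HMAC-SHA256, the per-device key registered in advance, the per-session nonce, the expiry and all field names are assumptions made here.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed choice of the "all or part" of the transaction data that is covered.
SIGNED_FIELDS = ("order_id", "payee", "amount", "currency")


def canonical(tx: dict) -> bytes:
    """Serialize the covered fields deterministically so both sides hash the same bytes."""
    subset = {k: tx[k] for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def verification_data(device_key: bytes, nonce: bytes, tx: dict) -> str:
    """Terminal side (511/611): bind the confirmed transaction to this device and session."""
    return hmac.new(device_key, nonce + canonical(tx), hashlib.sha256).hexdigest()


class VerificationServer:
    def __init__(self, ttl_seconds: int = 120):
        self.device_keys = {}  # device_id -> key registered in advance (assumption)
        self.pending = {}      # session_id -> (device_id, nonce, tx, expiry)
        self.ttl = ttl_seconds

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def start(self, device_id: str, tx: dict):
        """503/603 then 509/609: keep the application server's copy, issue a fresh nonce."""
        session_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.pending[session_id] = (device_id, nonce, dict(tx), time.time() + self.ttl)
        return session_id, nonce

    def reverify(self, session_id: str, received: str) -> bool:
        """Recompute over the server's own copy; each session can be used once."""
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False
        device_id, nonce, tx, expiry = entry
        if time.time() > expiry:
            return False
        expected = verification_data(self.device_keys[device_id], nonce, tx)
        return hmac.compare_digest(expected.encode(), received.encode())


def demo() -> dict:
    server = VerificationServer()
    key = server.enroll("phone-01")                      # constructed device id
    tx = {"order_id": "A1001", "payee": "Example Shop",  # constructed transaction
          "amount": "150.00", "currency": "TWD", "note": "gift wrap"}

    sid, nonce = server.start("phone-01", tx)
    good = verification_data(key, nonce, tx)
    accepted = server.reverify(sid, good)
    replayed = server.reverify(sid, good)                # same value sent a second time

    sid2, nonce2 = server.start("phone-01", tx)
    shown = dict(tx, amount="1.50")                      # terminal confirmed another amount
    tampered = server.reverify(sid2, verification_data(key, nonce2, shown))
    return {"accepted": accepted, "replayed": replayed, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Because the server recomputes over the copy it received from the application server, a transaction altered between the two devices fails re-verification, and consuming the session on first use rejects a replayed value.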

The invention described in this disclosure further relates to a computer-readable storage medium that stores a program set for executing the secure data verification method on a mobile device. A processor of the mobile device executes the program set to carry out the steps of the flows described in the embodiments above. The program instructions include an instruction for receiving a signal to start verification from the verification server, an instruction for starting a piece of software according to that signal, an instruction for carrying out the verification procedure with the verification server, an instruction for receiving transaction data of a completed service from the verification server after verification is completed, and an instruction for forming, from all or part of the basic data of the completed service, a form for confirming the transaction data.

In summary, the present invention discloses a secure data verification method and system. Besides providing a highly secure verification procedure for accessing a specific network service, it achieves a verification procedure carried out without a password through the interaction between the verification server and the terminal device, and access to a specific transaction service can be authorized once the terminal device completes verification.

The above describes only preferred feasible embodiments of the present invention and does not limit the scope of patent protection of the present invention. All equivalent structural changes made using the description and drawings of the present invention are likewise included within the scope of protection of the present invention.

Claims (15)

1. A secure data verification method, characterized in that the method comprises:
an application server obtains a service request signal transmitted by a terminal, wherein the application server obtains, according to member data or previously registered data in the service request signal, the user data of the terminal accessing the service and the submitted transaction data;
the application server notifies a verification server to verify the terminal;
the verification server transmits a signal to start verification to the terminal, the verification server obtaining from the application server the transaction data acquired when the service request signal transmitted by the terminal was received, in order to perform a security check;
the terminal, on receiving the signal to start verification, starts a piece of software and carries out a verification procedure with the verification server; and
after verification is completed, the verification server transmits transaction data of the completed service to the terminal, the terminal computes verification data from all or part of the data in the transaction data and transmits the verification data to the verification server for re-verification, and the terminal completes the service obtained from the application server.

2. The secure data verification method of claim 1, characterized in that, after receiving the signal to start verification, the terminal performs identity verification for starting the software, to confirm that starting the software is authorized.

3. The secure data verification method of claim 2, characterized in that the verification server pushes the signal to start verification to the terminal via a network.

4. The secure data verification method of claim 3, characterized in that the terminal is a computer system that issues the service request to the application server, executes the software and completes the verification.

5. The secure data verification method of claim 3, characterized in that the terminal comprises a first terminal device that receives the signal to start verification and executes the software, and a second terminal device that transmits the service request.

6. The secure data verification method of claim 4 or 5, characterized in that the verification server transmits the transaction data of the completed service as an encrypted package, which the terminal decrypts to form a form for confirming the transaction data.

7. The secure data verification method of claim 1, characterized in that, after the terminal receives the transaction data, a template is applied to form a form with multiple fields.

8. The secure data verification method of claim 1, characterized in that it further comprises: on re-verification, the verification server computes the verification data with a corresponding algorithm and, after verification is completed, notifies the application server to allow the terminal to access the service.

9. The secure data verification method of claim 1, characterized in that the step in which the terminal confirms the transaction data through the software further comprises using the software to read an identification device that uses a short-range wireless communication protocol, the transaction data being confirmed only after identity is verified in this way.

10. A secure data verification system, characterized in that the system comprises:
an application server that provides a service and accepts a service request and submitted data generated by a terminal, wherein the application server obtains, according to member data or previously registered data in the service request signal, the user data of the terminal accessing the service and the submitted transaction data; and
a verification server that provides identity verification and receives the application server's request to perform a security check, the verification server obtaining from the application server the transaction data acquired when the service request signal transmitted by the terminal was received, transmitting a signal to start verification to the terminal and carrying out a verification procedure with the terminal, and, after verification is completed, transmitting transaction data of the completed service to the terminal;
wherein the terminal accesses a service on the application server via a network and generates the service request, starts a piece of software after receiving the signal to start verification transmitted by the verification server, and verifies with the verification server; after verification is completed, the terminal receives the transaction data of the completed service from the verification server, confirms the transaction data through the software, computes verification data from all or part of the data in the transaction data, and transmits the verification data to the verification server for re-verification.

11. The secure data verification system of claim 10, characterized in that the terminal comprises a first terminal device that receives the signal to start verification and executes the software, and a second terminal device that transmits the service request.

12. The secure data verification system of claim 10, characterized in that the verification server pushes the signal to start verification to the terminal via a network.

13. The secure data verification system of claim 10, characterized in that the verification server transmits the transaction data of the completed service as an encrypted package, which the terminal decrypts to form a form for confirming the transaction data.

14. The secure data verification system of claim 10, characterized in that, when the terminal confirms the transaction data through the software, the terminal further uses the software to read an identification device that uses a short-range wireless communication protocol, the transaction data being confirmed only after identity is verified in this way.

15. A computer-readable storage medium storing a program set, characterized in that a processor of a mobile device executes the program set to perform a secure data verification method, the resulting steps comprising:
receiving a signal to start verification from a verification server;
starting a piece of software according to the signal to start verification;
carrying out a verification procedure with the verification server;
after verification is completed, receiving transaction data of a completed service from the verification server, wherein the transaction data transmitted by the verification server was obtained by an application server when it received the service request signal transmitted by the terminal and was handed over to the verification server, and wherein the application server obtains, according to member data or previously registered data in the service request signal, the user data of the terminal accessing the service and the submitted transaction data;
forming, from all or part of the basic data of the completed service, a form for confirming the transaction data; and
computing verification data from all or part of the data in the transaction data, and transmitting the verification data to the verification server for re-verification.
HK16108239.6A 2014-08-08 2016-07-13 Method for verifying secruity data, system, and a computer-readable storage device HK1220297B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TW103127319A TWI548249B (en) 2014-08-08 2014-08-08 Method for verifying secruity data, system, and a computer-readable storage device
TW103127319 2014-08-08

Publications (2)

Publication Number Publication Date
HK1220297A1 HK1220297A1 (en) 2017-04-28
HK1220297B HK1220297B (en) 2019-12-06
