[go: up one dir, main page]

TW202319998A - System for using multiple security levels to verify customer identity and transaction services and method thereof - Google Patents

System for using multiple security levels to verify customer identity and transaction services and method thereof Download PDF

Info

Publication number
TW202319998A
TW202319998A TW110142078A TW110142078A TW202319998A TW 202319998 A TW202319998 A TW 202319998A TW 110142078 A TW110142078 A TW 110142078A TW 110142078 A TW110142078 A TW 110142078A TW 202319998 A TW202319998 A TW 202319998A
Authority
TW
Taiwan
Prior art keywords
data
client
transaction
platform
verification
Prior art date
Application number
TW110142078A
Other languages
Chinese (zh)
Other versions
TWI828001B (en
Inventor
翁仲和
Original Assignee
翁仲和
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 翁仲和 filed Critical 翁仲和
Priority to TW110142078A priority Critical patent/TWI828001B/en
Publication of TW202319998A publication Critical patent/TW202319998A/en
Application granted granted Critical
Publication of TWI828001B publication Critical patent/TWI828001B/en

Links

Images

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

A system for using multiple security levels to verify customer identity and transaction services and a method thereof are provided. By using Fast Identity Online framework to login a financial institution with biometrics by a client, choosing a security verification method corresponding risk level of a transaction service to verify customer's identity when the client requests the transaction service from the financial institution, and publishing an evidence data that can verify transaction data of the transaction service and verification data generated during the customer's identity verification to a blockchain by related nodes on the blockchain, the system and the method can establish verification procedures and standards that allow financial institutions to trust each other, and can achieve the effect of increasing complexity and cost of crime, reducing wasted resources of financial institutions, and taking care of security and convenience of transactions.

Description

使用多安全層級驗證客戶身分與交易服務之系統及方法System and method for verifying customer identity and transaction services using multiple security levels

一種身分與交易之驗證系統及其方法,特別係指一種使用多安全層級驗證客戶身分與交易服務之系統及方法。An identity and transaction verification system and method thereof, in particular a system and method for verifying client identity and transaction services using multiple security levels.

資訊技術安全評估共同準則(CC, ISO/IES15408),為成立二十多年的資訊安全產品認證框架,其分為七個安全評估等級,第一級到第四級為評估一般產品或系統的安全等級,第五級以上則為評估設計國家安全或軍事設備產品的標準。在這樣明確、統一、共通的標準下,採用CC標準的國家所產出的IT產品,就可以大規模的取得政府、企業及社會大眾的信任,利用這些產品所設計出來的各種系統便可以量化其安全性,或反過來依照系統所需的安全強度來挑選適合的IT產品。The Common Criteria for Information Technology Security Assessment (CC, ISO/IES15408) is an information security product certification framework established for more than 20 years. It is divided into seven security assessment levels. The first to fourth levels are for evaluating general products or systems. Security level, the fifth level and above are the standards for evaluating the design of national security or military equipment products. Under such a clear, unified and common standard, the IT products produced by countries that adopt the CC standard can gain the trust of the government, enterprises and the general public on a large scale, and various systems designed using these products can be quantified Its security, or conversely, select suitable IT products according to the security strength required by the system.

轉移到國內的金融業場景,全面數位化成為勢之所趨,但數位化的金融風險控制及資訊安全標準卻付之闕如,舉保險業而言,每一家保險公司的核保、理賠、保全等驗證工作流程,雖依照法規辦理,但法規僅為指導架構,並未明確流程與標準,這導致每一家保險公司的流程通常都不一樣,且驗證標準不一。如此,金融機構間並無法互信,也就是無法相信其他金融機構之驗證結果,導致每一間金融機構都需要執行相同的驗證過程,造成資源的浪費。Transferring to the domestic financial industry scene, comprehensive digitization has become the trend, but digital financial risk control and information security standards are lacking. For the insurance industry, each insurance company's underwriting, claims, and preservation Although the verification workflow is handled in accordance with the regulations, the regulations are only a guiding structure and do not specify the procedures and standards. This leads to the fact that the procedures and verification standards of each insurance company are usually different. In this way, financial institutions cannot trust each other, that is, they cannot trust the verification results of other financial institutions, so each financial institution needs to perform the same verification process, resulting in a waste of resources.

綜上所述,可知先前技術中長期以來一直存在國內金融機構間沒有能夠互信之驗證流程與標準的問題,因此有必要提出改進的技術手段,來解決此一問題。To sum up, it can be seen that there has been a long-term problem in the prior art that domestic financial institutions do not have mutual trustworthy verification procedures and standards. Therefore, it is necessary to propose improved technical means to solve this problem.

有鑒於先前技術存在國內金融機構間沒有能夠互信之驗證流程與標準的問題,本發明遂揭露一種使用多安全層級驗證客戶身分與交易服務之系統及方法,其中:In view of the problem in the prior art that domestic financial institutions do not have mutual trustworthy verification procedures and standards, the present invention discloses a system and method for verifying customer identities and transaction services using multiple security levels, in which:

本發明所揭露之使用多安全層級驗證客戶身分與交易服務之系統,至少包含:客戶端,安裝有可信模組,可信模組儲存交易驗證資料;金融機構端,用以提供客戶端使用線上快速認證(Fast IDentity Online, FIDO)架構以生物特徵進行登入,並於客戶端請求交易服務時,判斷交易服務是否符合基本交易層級,當交易服務為基本交易層級時,產生身分驗證請求;平台端,用以接收金融機構端所傳送之身分驗證請求,並要求客戶端進行身分驗證,使客戶端加密交易驗證資料以產生交易加密資料並傳送交易加密資料給平台端,及用以解密交易加密資料以取得身分檢核資料並確認身分檢核資料與交易驗證資料相符後,依據身分驗證請求及交易加密資料產生第一存證資料並發布第一存證資料至區塊鏈,並傳送身分驗證結果至金融機構端,使金融機構端於身分驗證結果表示通過驗證時,產生與被請求之交易服務對應之交易資料;公信單位端,用以接收金融機構端判斷交易服務為實際交易層級時所傳送之交易資料,對交易資料簽章以產生公信簽章,並傳送公信簽章至平台端;鑑證端,用以接收平台端所傳送之公信簽章,並依據公信簽章產生第二存證資料,及發布第二存證資料至區塊鏈。The system disclosed in the present invention that uses multiple security levels to verify customer identity and transaction services includes at least: a client terminal, which is installed with a trusted module, and the trusted module stores transaction verification data; a financial institution terminal, which is used by the client terminal The Fast IDentity Online (FIDO) architecture uses biometrics to log in, and when the client requests transaction services, it judges whether the transaction service meets the basic transaction level. When the transaction service is at the basic transaction level, an identity verification request is generated; the platform The terminal is used to receive the identity verification request sent by the financial institution, and requires the client to perform identity verification, so that the client encrypts the transaction verification data to generate transaction encryption data and transmits the transaction encryption data to the platform, and is used to decrypt the transaction encryption After obtaining the identity verification data and confirming that the identity verification data is consistent with the transaction verification data, generate the first certificate data according to the identity verification request and transaction encryption data and publish the first certificate data to the blockchain, and send the identity verification The result is sent to the financial institution side, so that the financial institution side generates the transaction data corresponding to the requested transaction service when the identity verification result indicates that the verification is passed; For the transaction data sent, sign the transaction data to generate an authentic signature, and send the authentic signature to the platform; the authentication end is used to receive the authentic signature sent by the platform, and generate the second deposit certificate based on the authentic signature data, and release the second deposit certificate data to the block chain.

本發明所揭露之使用多安全層級驗證客戶身分與交易服務之方法,其步驟至少包括:客戶端使用線上快速認證架構以生物特徵登入金融機構端;金融機構端於客戶端請求交易服務時,判斷交易服務為基本交易層級時,傳送身分驗證請求至平台端,使平台端要求客戶端進行身分驗證;客戶端加密交易驗證資料以產生交易加密資料並傳送交易加密資料給平台端;平台端解密交易加密資料以取得身分檢核資料並確認身分檢核資料與交易驗證資料相符後,傳送身分驗證結果至金融機構端;平台端依據身分驗證請求及交易加密資料產生第一存證資料並發布第一存證資料至區塊鏈中;金融機構端於身分驗證結果表示通過驗證時,產生與交易服務對應之交易資料;金融機構端判斷交易服務為實際交易層級時,傳送交易資料至公信單位端;公信單位端對交易資料簽章以產生公信簽章,並傳送公信簽章至平台端;平台端傳送公信簽章給鑑證端,鑑證端依據公信簽章產生第二存證資料並發布第二存證資料至區塊鏈中。The method disclosed in the present invention for verifying client identity and transaction services with multiple security levels includes at least the following steps: the client uses an online quick authentication framework to log in to the financial institution with biometric features; the financial institution determines when the client requests transaction services When the transaction service is at the basic transaction level, the identity verification request is sent to the platform, so that the platform requires the client to perform identity verification; the client encrypts the transaction verification data to generate transaction encryption data and sends the transaction encryption data to the platform; the platform decrypts the transaction Encrypt the data to obtain the identity verification data and confirm that the identity verification data is consistent with the transaction verification data, and then send the identity verification result to the financial institution; the platform generates the first certificate data based on the identity verification request and transaction encryption data and publishes the first Store the certificate data in the blockchain; when the identity verification result indicates that the financial institution has passed the verification, it will generate the transaction data corresponding to the transaction service; when the financial institution judges that the transaction service is the actual transaction level, it will send the transaction data to the trusted unit; The public trust unit signs the transaction data to generate a public trust seal, and transmits the public trust seal to the platform; the platform transmits the public trust seal to the authentication terminal, and the certification terminal generates the second deposit certificate data based on the public trust signature and publishes the second depository. certificate data to the blockchain.

本發明所揭露之系統與方法如上,與先前技術之間的差異在於本發明透過客戶端使用線上快速認證架構以生物特徵登入金融機構端後,金融機構端於客戶端請求交易服務時,依據被請求之交易服務的風險層級選擇相對應的安全驗證方式對客戶身分進行驗證,並將能夠對驗證過程所產生的驗證資料與被請求之交易服務的交易資料進行驗證的存證資料發布到區塊鏈中,藉以解決先前技術所存在的問題,並可以達成提高犯罪複雜度與成本、降低金融機構浪費之資源、並兼顧交易安全性及便利性的技術功效。The system and method disclosed in the present invention are as above, and the difference between the present invention and the prior art is that after the client uses the online quick authentication framework to log in to the financial institution with biometric features, when the financial institution requests a transaction service from the client, it will The risk level of the requested transaction service selects the corresponding security verification method to verify the identity of the customer, and publishes the proof data that can verify the verification data generated during the verification process and the transaction data of the requested transaction service to the block In order to solve the problems existing in the previous technology, it can achieve the technical effect of increasing the complexity and cost of crime, reducing the resources wasted by financial institutions, and taking into account transaction security and convenience.

以下將配合圖式及實施例來詳細說明本發明之特徵與實施方式,內容足以使任何熟習相關技藝者能夠輕易地充分理解本發明解決技術問題所應用的技術手段並據以實施,藉此實現本發明可達成的功效。The features and implementation methods of the present invention will be described in detail below in conjunction with the drawings and embodiments, the content is enough to enable anyone familiar with the relevant art to easily and fully understand the technical means used to solve the technical problems of the present invention and implement them accordingly, thereby realizing The effect that the present invention can achieve.

本發明可以讓金融機構端依據客戶端之交易服務的不同風險層級透過平台端使用不同的安全驗證技術。其中,交易服務包含未涉及金錢的金融服務、涉及小額金錢的金融交易、涉及大額金錢的金融交易等。The present invention allows the financial institution to use different security verification technologies through the platform according to the different risk levels of the transaction services of the client. Among them, transaction services include financial services that do not involve money, financial transactions that involve small amounts of money, financial transactions that involve large amounts of money, and the like.

以下先以「第1圖」本發明所提之使用多安全層級驗證客戶身分與交易服務之系統架構圖來說明本發明的系統運作。如「第1圖」所示,本發明之系統含有客戶端110、金融機構端130、平台端150、公信單位端160、鑑證端170,及可附加的服務端120。其中,客戶端110、服務端120、金融機構端130、平台端150、公信單位端160、鑑證端170可以是計算設備,且客戶端110與金融機構端130/平台端150之間、服務端120與金融機構端130/平台端150之間、金融機構端130與平台端150/公信單位端160之間、平台端150與公信單位端160之間可以透過有線或無線通訊方式連接,藉以相互傳遞資料或訊號。The system operation of the present invention will be described below with "Fig. 1", the system architecture diagram of the present invention using multiple security levels to verify customer identity and transaction services. As shown in "Fig. 1", the system of the present invention includes a client terminal 110, a financial institution terminal 130, a platform terminal 150, a trust unit terminal 160, an authentication terminal 170, and an additional server terminal 120. Among them, the client 110, the server 120, the financial institution 130, the platform 150, the trustworthy unit 160, and the authentication terminal 170 can be computing devices, and the client 110 and the financial institution 130/platform 150, the server 120 and the financial institution terminal 130/platform terminal 150, between the financial institution terminal 130 and the platform terminal 150/trusted unit terminal 160, and between the platform terminal 150 and the public trust unit terminal 160 can be connected through wired or wireless communication, so as to communicate with each other transmit information or signals.

客戶端110安裝有可信模組,可信模組為SIM卡、感應晶片、擴充卡等可儲存資料的實體元件,其中,感應晶片可以貼附於SIM卡,擴充卡可以嵌套SIM卡。客戶端110可以向平台端150或金融機構端130申請可信模組,並可以在可信模組被啟用後安裝可信模組,在部分的實施例中,可信模組可以與客戶端110的裝置識別資料綁定。要說明的是,可信模組僅提供寫入資料或讀取資料,以避免資料被竄改。The client 110 is equipped with a trusted module. The trusted module is a physical component that can store data such as a SIM card, a sensor chip, and an expansion card. The sensor chip can be attached to the SIM card, and the expansion card can be embedded with a SIM card. The client 110 can apply for a trusted module from the platform terminal 150 or the financial institution terminal 130, and can install the trusted module after the trusted module is enabled. In some embodiments, the trusted module can be connected with the client 110 device identification data binding. It should be noted that the trusted module only provides writing data or reading data to prevent data from being tampered with.

客戶端110可以使用實名制驗證在平台端150註冊,也可以在完成註冊後接收平台端150所傳送的登入驗證資料及交易驗證資料,並可以使用可信模組儲存所接收到的登入驗證資料及交易驗證資料。其中,實名制驗證包含但不限於行動身分識別(Mobile ID, MID)或數位身分識別(eID)。The client 110 can use the real-name verification to register on the platform 150, and can also receive the login verification data and transaction verification data sent by the platform 150 after the registration is completed, and can use the trusted module to store the received login verification data and Transaction verification data. Among them, real-name verification includes but is not limited to mobile identity identification (Mobile ID, MID) or digital identity identification (eID).

客戶端110也可以接收平台端150所傳送的客戶認證資料,並儲存所接收到的客戶認證資料。一般而言,客戶端110可以使用可信模組儲存客戶認證資料。The client 110 can also receive the client authentication information sent by the platform 150, and store the received client authentication information. In general, the client 110 can use a trusted module to store client authentication information.

客戶端110也可以透過分布式數位身分(Decentralized Identity, DID)註冊(Registry)服務在區塊鏈190上註冊以取得對應區塊鏈190的分布式數位身分識別資料。The client 110 can also register on the blockchain 190 through a distributed digital identity (Decentralized Identity, DID) registry service to obtain distributed digital identity identification data corresponding to the blockchain 190 .

客戶端110也負責以生物特徵登入金融機構端130,並負責向金融機構端13請求交易服務。例如,客戶端110可以使用線上快速認證(Fast IDentity Online, FIDO)架構以生物特徵登入金融機構端130,更詳細的,客戶端110在登入金融機構端130時,可以驗證使用者的生物特徵,並可以在使用者的生物特徵通過特徵辨識後,由可信模組中讀取出登入驗證資料與機構登入資料,並可以登入驗證資料與機構登入資料傳送至平台端150,藉以透過平台端150將機構登入資料傳送給金融機構端130。其中,本發明所提之生物特徵包含指紋特徵、人臉特徵、虹膜特徵等,但本發明並不以此為限;機構登入資料為客戶端110之使用者預先在金融機構端130註冊之資料,包含但不限於帳號密碼等。The client terminal 110 is also responsible for logging into the financial institution terminal 130 with biometric features, and is responsible for requesting transaction services from the financial institution terminal 13 . For example, the client 110 can use the Fast IDentity Online (FIDO) framework to log in to the financial institution 130 with biometric features. More specifically, the client 110 can verify the user's biometrics when logging in to the financial institution 130. And after the user's biometric feature has passed the feature identification, the login verification data and organization login data can be read from the trusted module, and the login verification data and organization login data can be sent to the platform terminal 150, so as to pass the platform terminal 150 Send the institution login information to the financial institution terminal 130 . Among them, the biometric features mentioned in the present invention include fingerprint features, face features, iris features, etc., but the present invention is not limited thereto; the institution login information is the information registered by the user of the client terminal 110 in the financial institution terminal 130 in advance , including but not limited to account passwords, etc.

客戶端110也可以在對使用者進行生物特徵辨識後,由可信模組中讀出登入驗證資料,並可以加密所讀出之登入驗證資料以產生相對應的登入加密資料,及可以將所產生之登入加密資料傳送至平台端150;客戶端110也負責在接收到平台端150所傳送的身分驗證要求時,由可信模組中讀出交易驗證資料,並加密所讀出之交易驗證資料以產生交易加密資料,及將所產生之交易加密資料傳送到平台端150,在部分的實施例中,客戶端110也可以在傳送交易加密資料時要求平台端150簽發可驗證聲明(Verifiable Credential, VC);客戶端110也可以在接收到平台端150所傳送的模組驗證請求時,由可信模組中讀出可信安全資料,並加密所讀出之可信安全資料以產生模組加密資料,及將所產生之模組加密資料傳送至平台端150。其中,可信安全資料為可信模組所儲存之全部資料或部分資料或特定資料。The client 110 can also read out the login verification data from the trusted module after performing biometric identification on the user, and can encrypt the read out login verification data to generate corresponding login encryption data, and can store all the login verification data The generated login encryption data is transmitted to the platform terminal 150; the client terminal 110 is also responsible for reading the transaction verification data from the trusted module when receiving the identity verification request sent by the platform terminal 150, and encrypting the read transaction verification data to generate transaction encryption data, and transmit the generated transaction encryption data to the platform terminal 150. In some embodiments, the client terminal 110 may also require the platform terminal 150 to issue a verifiable statement (Verifiable Credential , VC); the client 110 can also read the trusted security information from the trusted module when receiving the module verification request sent by the platform terminal 150, and encrypt the read trusted security information to generate a model Set encrypted data, and send the generated module encrypted data to the platform terminal 150 . Wherein, the trusted security data is all or part of the data or specific data stored by the trusted module.

客戶端110可以使用私鑰加密待加密資料(如登入驗證資料、交易驗證資料、可信安全資料等)以產生對應之加密結果資料(如登入加密資料、交易加密資料、模組加密資料等),也可以使用接收自平台端150之基於時間的一次性密碼(Time-based One-Time Password, TOTP)加密待加密資料以產生加密結果資料,或可以先使用私鑰加密待加密資料以產生中間密文後,再使用基於時間的一次性密碼加密中間密文以產生加密結果資料,但客戶端110由登入驗證資料/交易驗證資料/可信安全資料產生登入加密資料/交易加密資料/模組加密資料之方式並不以上述為限。其中,客戶端110可以使用AES、RSA或其他相似之對稱或非對稱演算法加密待加密資料。The client 110 can use the private key to encrypt the data to be encrypted (such as login verification data, transaction verification data, trusted security data, etc.) to generate corresponding encrypted result data (such as login encryption data, transaction encryption data, module encryption data, etc.) , you can also use the Time-based One-Time Password (TOTP) received from the platform terminal 150 to encrypt the data to be encrypted to generate the encrypted result data, or you can first use the private key to encrypt the data to be encrypted to generate intermediate After the ciphertext, use a time-based one-time password to encrypt the intermediate ciphertext to generate encrypted result data, but the client 110 generates login encrypted data/transaction encrypted data/modules from login verification data/transaction verification data/trusted security data The method of encrypting data is not limited to the above. Wherein, the client 110 can use AES, RSA or other similar symmetric or asymmetric algorithm to encrypt the data to be encrypted.

服務端120可以提供輸入客戶端110之裝置識別資料以使平台端150或金融機構端130啟用客戶端110所申請之可信模組。一般而言,服務端120可以透過有線或無線網路將裝置識別資料傳送給客戶端110申請可信模組之平台端150或金融機構端130。其中,客戶端110之裝置識別資料為能夠識別客戶端110的資料,包含但不限於可以是客戶端110的產品序號或機身號碼等。The server 120 can provide the device identification data input to the client 110 so that the platform 150 or the financial institution 130 can enable the trusted module applied by the client 110 . Generally speaking, the server 120 can transmit the device identification data to the platform 150 or the financial institution 130 where the client 110 applies for a trusted module through a wired or wireless network. Wherein, the device identification data of the client 110 is data capable of identifying the client 110 , including but not limited to the product serial number or machine number of the client 110 .

金融機構端130可以在客戶端110以實名制驗證完成註冊時產生與客戶端110對應的登入驗證資料與交易驗證資料,並將所產生之登入驗證資料與交易驗證資料傳送至客戶端110。一般而言,金融機構端130可以隨機產生登入驗證資料/交易驗證資料,但本發明並不以此為限,例如也可以對當前時間進行雜湊(hash)或位元重新排列等演算以產生登入驗證資料/交易驗證資料。其中,登入驗證資料/交易驗證資料可以是由一定數量之文字、字母、數字、符號以任意排列而成。The financial institution terminal 130 can generate login verification data and transaction verification data corresponding to the client terminal 110 when the client terminal 110 completes registration through real-name verification, and send the generated login verification data and transaction verification data to the client terminal 110 . Generally speaking, the financial institution terminal 130 can randomly generate login verification data/transaction verification data, but the present invention is not limited thereto. For example, calculations such as hash or bit rearrangement can also be performed on the current time to generate login Verification data/transaction verification data. Wherein, the login verification data/transaction verification data may be composed of a certain number of characters, letters, numbers, and symbols arranged in any order.

金融機構端130也可以認證客戶端110之使用者的個人資料。The financial institution terminal 130 can also authenticate the personal information of the user of the client terminal 110 .

金融機構端130負責提供客戶端110以生物特徵進行登入,例如使用FIDO架構等。金融機構端130可以在要求客戶端110登入時產生登入驗證請求,並可以將所產生之登入驗證請求傳送至平台端150,也可以接收平台端150所傳送的機構登入資料,並檢核所接收到的機構登入資料,當機構登入資料通過檢核時,允許客戶端110登入金融機構端130。其中,金融機構端130可以使用習知方式檢核客戶端110所註冊的機構登入資料,故不贅述。The financial institution terminal 130 is responsible for providing the client terminal 110 to log in with biometric features, such as using the FIDO framework. The financial institution terminal 130 can generate a login verification request when requesting the client terminal 110 to log in, and can transmit the generated login verification request to the platform terminal 150, and can also receive the institutional login information transmitted by the platform terminal 150, and check the received information. When the institution login information is obtained, the client terminal 110 is allowed to log in to the financial institution terminal 130 when the institution login information passes the check. Wherein, the financial institution terminal 130 can check the institution login information registered by the client terminal 110 in a conventional manner, so details are not repeated here.

金融機構端130也負責在接收到客戶端110發出之交易服務時判斷所接收到之交易服務所屬的風險層級。在本發明中,風險層級可以包含基本交易層級與實際交易層級,在部分實施例中,風險層級還可以包含監管交易層級,但本發明所提之風險層級並不以上述為限。其中,基本交易層級可以包含所有的交易服務,也就是可以包含未涉及金錢交易之查詢或設定等交易服務,及所有涉及金錢之交易服務;實際交易層級可以包含所有涉及金錢的交易服務;監管交易層級可以是涉及大額金錢(金額大於門檻值)的交易服務,但基本交易層級、實際交易層級、監管交易層級亦不以上述為限。要說明的是,一個交易服務可以同時屬於多個風險層級,金融機構端130可以在判斷交易服務屬於範圍較大的風險層級時,進一步判斷交易服務是否也屬於範圍較小的風險層級,例如,金融機構端130可以在交易服務屬於基本交易層級時判斷交易服務是否也屬於實際交易層級,並可以在交易服務屬於實際交易層級時判斷交易服務是否也屬於監管交易層級。The financial institution terminal 130 is also responsible for determining the risk level of the received transaction service when receiving the transaction service from the client terminal 110 . In the present invention, the risk level may include the basic transaction level and the actual transaction level. In some embodiments, the risk level may also include the supervisory transaction level, but the risk level mentioned in the present invention is not limited to the above. Among them, the basic transaction level can include all transaction services, that is, it can include transaction services such as inquiries or settings that do not involve money transactions, and all transaction services that involve money; the actual transaction level can include all transaction services that involve money; regulatory transactions The level can be transaction services involving large amounts of money (the amount is greater than the threshold), but the basic transaction level, actual transaction level, and regulatory transaction level are not limited to the above. It should be noted that a transaction service may belong to multiple risk levels at the same time, and the financial institution terminal 130 may further determine whether the transaction service also belongs to a smaller risk level when judging that the transaction service belongs to a wider risk level, for example, The financial institution terminal 130 can determine whether the transaction service also belongs to the actual transaction level when the transaction service belongs to the basic transaction level, and can determine whether the transaction service also belongs to the supervisory transaction level when the transaction service belongs to the actual transaction level.

金融機構端130也負責在判斷所接收到之交易服務為基本交易層級時,產生身分驗證請求,並將所產生之身分驗證請求傳送給平台端150,及負責接收平台端150所產生之身分驗證結果,並在判斷身分驗證結果所記載的內容表示客戶端110之使用者通過驗證時,產生與被請求之交易服務對應的交易資料以完成交易。在部分的實施例中,身分驗證請求可以包含取得以客戶端110之使用者的分散式數位身分識別資料簽發之與金融機構端130相關的可驗證聲明之請求,且身分驗證結果可以是平台端150所發出的可驗證聲明,此時,金融機構端130可能不會接收到平台端150所傳送的身分驗證結果,而可以使用客戶端110之使用者之分散式數位身分識別資料由區塊鏈190取得相對應的可驗證聲明,並可以使用平台端150的公鑰驗證所取得之可驗證聲明中的簽章(並確認有效性與到期時間)以驗證所取得的可驗證聲明,當可驗證聲明通過驗證且可驗證聲明中確認客戶端110之使用者的身分後,金融機構端130可以判斷身分驗證結果表示通過驗證。The financial institution terminal 130 is also responsible for generating an identity verification request when judging that the received transaction service is a basic transaction level, and sending the generated identity verification request to the platform end 150, and responsible for receiving the identity verification generated by the platform end 150 As a result, when it is judged that the content recorded in the identity verification result indicates that the user of the client terminal 110 has passed the verification, the transaction data corresponding to the requested transaction service is generated to complete the transaction. In some embodiments, the identity verification request may include a request to obtain a verifiable statement related to the financial institution end 130 issued with the distributed digital identification information of the user of the client end 110, and the identity verification result may be the platform end 150 issued a verifiable statement, at this time, the financial institution 130 may not receive the identity verification result sent by the platform 150, but can use the distributed digital identification data of the user of the client 110 to be transmitted by the blockchain 190 obtains the corresponding verifiable statement, and can use the public key of platform 150 to verify the signature in the obtained verifiable statement (and confirm the validity and expiration time) to verify the obtained verifiable statement. After the verification statement is verified and the identity of the user of the client terminal 110 is confirmed in the verifiable statement, the financial institution terminal 130 can determine that the identity verification result indicates that the verification is passed.

金融機構端130也負責判斷所接收到之交易服務是否為實際交易層級,若是,則可以將所產生的交易資料傳送至公信單位端160;金融機構端130也可以判斷交易服務是否為監管交易層級,若是,則金融機構端130可以產生模組驗證請求,並可以將所產生的模組驗證請求傳送至平台端150;而若交易服務不屬於實際交易層級或監管交易層級,則金融機構端130可以提供交易服務後結束執行。The financial institution terminal 130 is also responsible for judging whether the received transaction service is at the actual transaction level, and if so, the generated transaction data can be sent to the trust unit terminal 160; the financial institution terminal 130 can also determine whether the transaction service is at the supervisory transaction level , if so, then the financial institution terminal 130 can generate a module verification request, and can transmit the generated module verification request to the platform terminal 150; Execution can be concluded after transaction services are provided.

金融機構端130也可以接收平台端150所傳送之申報表單,並可以依據所接收到的申報表單產生第一申報資料,及可以將所產生之第一申報資料傳送給平台端150。The financial institution terminal 130 can also receive the declaration form sent by the platform terminal 150 , and can generate the first declaration data according to the received declaration form, and can transmit the generated first declaration data to the platform terminal 150 .

平台端150負責接收金融機構端130所傳送之身分驗證請求,並依據所接收到之身分驗證請求要求客戶端110進行身分驗證;平台端150也可以接收金融機構端130所傳送的模組驗證請求,並依據所接收到的模組驗證請求要求客戶端110進行可信模組的驗證;平台端150也可以接收金融機構端130所傳送的登入驗證請求,並依據所接收到的登入驗證請求要求客戶端110提供登入驗證資料。The platform end 150 is responsible for receiving the identity verification request sent by the financial institution end 130, and requires the client terminal 110 to perform identity verification according to the received identity verification request; the platform end 150 can also receive the module verification request sent by the financial institution end 130 , and require the client 110 to verify the trusted module according to the received module verification request; the platform side 150 can also receive the login verification request sent by the financial institution side 130, and according to the received login verification request request The client 110 provides login verification information.

平台端150也可以接收客戶端110所傳送的登入驗證資料與機構登入資料,並驗證登入驗證資料,也就是比對所接收到的登入驗證資料與所儲存之登入驗證資料是否相同,若是,則表示登入驗證資料通過驗證,若否,則表示登入驗證資料沒有通過驗證。平台端150也可以在登入驗證資料通過驗證時,將所接收到的機構登入資料傳送到金融機構端130。The platform terminal 150 can also receive the login verification data and the organization login data sent by the client 110, and verify the login verification data, that is, compare whether the received login verification data is the same as the stored login verification data, and if so, then Indicates that the login verification information has been verified; if not, it indicates that the login verification information has not been verified. The platform terminal 150 may also transmit the received institution login information to the financial institution terminal 130 when the login verification information is verified.

平台端150也負責接收客戶端110所傳送的交易加密資料,並解密所接收到的交易加密資料以取得身分檢核資料;平台端150也可以接收客戶端110所傳送的模組加密資料,並解密所接收到的模組加密資料以取得模組檢核資料;平台端150也可以接收客戶端110所傳送的登入加密資料,並解密登入加密資料以取得登入檢核資料。其中,平台端150解密加密結果資料(如登入加密資料、交易加密資料、模組加密資料等)的方式隨著加密結果資料被加密的方式不同而有不同,例如,當加密結果資料是被客戶端110以私鑰加密產生時,平台端150可以使用客戶端110的公鑰解密加密結果資料以產生解密資料(如登入檢核資料、身分檢核資料、模組檢核資料等);當加密結果資料是被客戶端110以平台端150所產生之基於時間的一次性密碼加密產生時,平台端150可以使用所產生之一次性密碼解密解密加密結果資料以產生原始資料;而當加密結果資料是被客戶端110先後以私鑰與一次性密碼加密產生時,平台端150可以先使用一次性密碼解密加密結果資料以產生中間密文,在使用客戶端110之公鑰解密中間密文以產生原始資料,但客戶端110解密登入加密資料/交易加密資料/模組加密資料以取得登入檢核資料/身分檢核資料/模組檢核資料之方式並不以上述為限。The platform end 150 is also responsible for receiving the transaction encryption data sent by the client 110, and decrypting the received transaction encryption data to obtain the identity verification data; the platform end 150 can also receive the module encryption data sent by the client 110, and Decrypt the received module encrypted data to obtain the module verification data; the platform 150 can also receive the login encrypted data sent by the client 110, and decrypt the login encrypted data to obtain the login verification data. Among them, the method for the platform 150 to decrypt the encrypted result data (such as login encrypted data, transaction encrypted data, module encrypted data, etc.) varies with the way the encrypted result data is encrypted. For example, when the encrypted result data is When the terminal 110 encrypts the generated data with the private key, the platform terminal 150 can use the public key of the client 110 to decrypt the encrypted result data to generate decrypted data (such as login verification data, identity verification data, module verification data, etc.); When the resulting data is encrypted by the client 110 with a time-based one-time password generated by the platform 150, the platform 150 can use the generated one-time password to decrypt and decrypt the encrypted result data to generate the original data; and when the encrypted result data When the client 110 encrypts the data with the private key and the one-time password successively, the platform 150 can first use the one-time password to decrypt the encrypted result data to generate an intermediate ciphertext, and then use the public key of the client 110 to decrypt the intermediate ciphertext to generate Original data, but the method for the client 110 to decrypt login encrypted data/transaction encrypted data/module encrypted data to obtain login verification data/identity verification data/module verification data is not limited to the above.

平台端150也負責確認解密交易加密資料所取得之身分檢核資料是否與預先儲存之客戶端110的交易驗證資料相符,並可以產生與確認結果對應的身分驗證結果。平台端150可以在身分檢核資料與交易驗證資料不相符時,傳送身分驗證結果至客戶端110及/或金融機構端130;平台端150也負責在身分檢核資料與交易驗證資料相符時,將所產生的身分驗證結果傳送至金融機構端130,並負責依據身分驗證請求與交易加密資料產生第一存證資料,及將包含所產生之第一存證資料的區塊發布到區塊鏈190中。一般而言,平台端150可以先對身分驗證請求與交易加密資料進行特定運算以產生第一存證資料,再產生包含第一存證資料的區塊,但本發明並不以此為限,例如,平台端150也可以產生包含身分驗證請求與交易加密資料的第一存證資料。其中,上述之特定運算包含但不限於雜湊(hash)運算。The platform 150 is also responsible for confirming whether the identity verification data obtained by decrypting the encrypted transaction data is consistent with the pre-stored transaction verification data of the client 110, and can generate an identity verification result corresponding to the confirmation result. The platform side 150 can transmit the identity verification result to the client terminal 110 and/or the financial institution side 130 when the identity verification data does not match the transaction verification data; the platform side 150 is also responsible for Send the generated identity verification result to the financial institution terminal 130, and be responsible for generating the first deposit data according to the identity verification request and transaction encryption data, and publish the block containing the generated first deposit data to the block chain 190 in. Generally speaking, the platform 150 can first perform a specific operation on the identity verification request and the transaction encryption data to generate the first certificate data, and then generate a block containing the first certificate data, but the present invention is not limited thereto. For example, the platform end 150 may also generate the first evidence deposit information including the identity verification request and transaction encryption information. Wherein, the above specific operations include but not limited to hash operations.

平台端150也可以接收客戶端110所傳送之聲明簽發請求,並可以在確認所取得之身分檢核資料與預存之交易驗證資料相符時,依據所接收到之簽發請求讀出相對應的使用者資料,並依據全部或部分之使用者資料產生披露訊息,及使用平台端150的私鑰對披露訊息簽章以產生可驗證聲明,並可以將所簽發產生的可驗證聲明發布到區塊鏈190。其中,披露訊息可以是客戶端110所讀出之全部或部分的使用者資料,但本發明並不以此為限,披露訊息也可以是經過整理的使用者資料;可驗證聲明與客戶端110之使用者的分散式數位身分識別資料對應且亦與所接收到之聲明簽發請求對應。The platform 150 can also receive the statement issuance request sent by the client terminal 110, and can read out the corresponding user name according to the received issuance request when confirming that the obtained identity verification data is consistent with the pre-stored transaction verification data. information, and generate disclosure information based on all or part of the user information, and use the private key of the platform 150 to sign the disclosure information to generate a verifiable statement, and the issued verifiable statement can be issued to the blockchain 190 . Wherein, the disclosed information may be all or part of the user data read by the client 110, but the present invention is not limited thereto, and the disclosed information may also be sorted user data; the verifiable statement and the client 110 The distributed digital identification information of the user corresponds to and also corresponds to the statement issuance request received.

平台端150也可以比對解密模組加密資料所產生的模組檢核資料與預先儲存的可信安全資料是否相符,若否,則平台端150可以產生表示終止交易的通知訊息,並可以將所產生之通知訊息傳送給金融機構端130;而當模組檢核資料與可信安全資料相符時,平台端150可以產生或讀取申報表單,並將申報表單傳送至金融機構端130,平台端150還可以接收金融機構端130所傳送的第一申報資料,並產生包含第一申報資料的第二申報資料,及將第二申報資料傳送給監管端(圖中未示)存留。The platform terminal 150 can also compare whether the module verification data generated by decrypting the encrypted data of the module is consistent with the pre-stored trusted security data. If not, the platform terminal 150 can generate a notification message indicating that the transaction is terminated, and can send the The generated notification message is transmitted to the financial institution terminal 130; and when the module verification data matches the credible security information, the platform terminal 150 can generate or read the declaration form, and transmit the declaration form to the financial institution terminal 130, the platform The terminal 150 can also receive the first declaration data sent by the financial institution terminal 130, generate the second declaration data including the first declaration data, and send the second declaration data to the supervision terminal (not shown in the figure) for storage.

平台端150也可以依據所接收到之模組驗證請求與模組加密資料及所產生之第二申報資料產生第三存證資料,並可以將所產生之第三存證資料發布至區塊鏈190中,但本發明產生第三存證資料之方式並不以上述為限,例如平台端150可以產生包含模組驗證請求、模組加密資料及第二申報資料之第三存證資料。The platform terminal 150 can also generate the third certificate storage data according to the received module verification request, module encryption data and the generated second declaration data, and can publish the generated third certificate storage data to the block chain 190, but the method of generating the third certificate data in the present invention is not limited to the above, for example, the platform 150 can generate the third certificate data including the module verification request, the module encryption data and the second declaration data.

平台端150也可以比對解密登入加密資料所產生的登入檢核資料與在客戶端110註冊完成時所產生並儲存的登入驗證資料是否相符,若否,則平台端150可以產生對應之通知訊息並將所產生之通知訊息傳送給客戶端110;而當登入檢核資料與登入驗證資料相符時,平台端150可以進行資料收集作業,例如,平台端150可以取得經金融機構端130認證之個人資料,並對所取得之個人資料進行特定運算以產生對應之客戶認證資料,及將所產生之客戶認證資料傳送給客戶端110。其中,上述之特定運算包含但不限於MD5等雜湊運算或base64等編碼(encoding)運算等。The platform terminal 150 can also compare whether the login verification data generated by decrypting the login encrypted data is consistent with the login verification data generated and stored when the client 110 is registered. If not, the platform terminal 150 can generate a corresponding notification message And the generated notification message is sent to the client terminal 110; and when the login verification data is consistent with the login verification data, the platform terminal 150 can carry out data collection operations, for example, the platform terminal 150 can obtain individuals certified by the financial institution terminal 130 data, and perform specific operations on the obtained personal data to generate corresponding customer authentication data, and send the generated customer authentication data to the client 110. Wherein, the above specific operations include but are not limited to hash operations such as MD5 or encoding operations such as base64.

平台端150也負責接收公信單位端160所傳送的公信簽章,並負責將所接收到的公信簽章傳送給鑑證端170。The platform terminal 150 is also responsible for receiving the public trust signature sent by the public trust unit terminal 160 , and responsible for transmitting the received public trust signature to the authentication terminal 170 .

公信單位端160負責接收金融機構端130所傳送的交易資料,並對所接收到的交易資料簽章以產生公信簽章,及負責將所產生的公信簽章傳送至平台端150。The trust unit terminal 160 is responsible for receiving the transaction data sent by the financial institution terminal 130 , and signing the received transaction data to generate a trust signature, and responsible for sending the generated trust signature to the platform terminal 150 .

鑑證端170負責接收平台端150所傳送的公信簽章,並可以儲存所接收到的公信簽章。鑑證端170也負責依據公信簽章產生第二存證資料或可以產生包含公信簽章之第二存證資料,並可以將所產生之第二存證資料發布至區塊鏈190中。The authentication terminal 170 is responsible for receiving the public trust signature sent by the platform terminal 150, and can store the received public trust signature. The verification terminal 170 is also responsible for generating the second certificate data according to the public trust signature or can generate the second certificate data containing the public trust signature, and can publish the generated second certificate data to the block chain 190 .

接著以一個實施例來解說本發明的運作系統與方法,並請參照「第2A圖」本發明所提之使用多安全層級驗證客戶身分與交易服務之方法流程圖。在本實施例中,假設客戶端110可以是手機或電腦,但本發明並不以此為限。Next, an embodiment is used to explain the operating system and method of the present invention, and please refer to "Fig. 2A" for the flow chart of the method of using multiple security levels to verify customer identity and transaction services proposed by the present invention. In this embodiment, it is assumed that the client 110 may be a mobile phone or a computer, but the present invention is not limited thereto.

當使用者操作客戶端110連線到金融機構端130後,可以操作客戶端110以生物特徵登入金融機構端130(步驟210)。在本實施例中,假設客戶端110可以使用FIDO架構登入金融機構端130,進一步的,本實施例可以如「第2B圖」之流程所示,在客戶端110連線到金融機構端130時,金融機構端130可以要求客戶端110登入,並可以傳送登入驗證請求到平台端150,使平台端150向客戶端110要求提供登入驗證資料(步驟211)。客戶端110在接收到平台端150所傳送之提供登入驗證資料的要求後,可以要求使用者使用如指紋、臉部、虹膜等生物特徵進行生物特徵辨識,並可以在取得使用者之生物特徵並判斷所取得之生物特徵通過生物特徵辨識後,由可信模組中讀取預先儲存之登入驗證資料與金融機構端130的機構登入資料,及可以將所讀出之登入驗證資料與機構登入資料傳送到平台端150(步驟215)。在平台端150接收到客戶端110所傳送的登入驗證資料與機構登入資料後,可以驗證所接收到的登入驗證資料。若登入驗證資料通過平台端150的驗證,則平台端150可以在判斷登入驗證資料通過驗證後,傳送所接收到的機構登入資料給金融機構端130,使得金融機構端130允許客戶端110登入(步驟219)。After the user operates the client terminal 110 to connect to the financial institution terminal 130 , he can operate the client terminal 110 to log in to the financial institution terminal 130 with biometric features (step 210 ). In this embodiment, it is assumed that the client terminal 110 can use the FIDO architecture to log in to the financial institution terminal 130. Further, in this embodiment, as shown in the process of "Figure 2B", when the client terminal 110 connects to the financial institution terminal 130 , the financial institution terminal 130 may require the client terminal 110 to log in, and may transmit a login verification request to the platform terminal 150, so that the platform terminal 150 requests the client terminal 110 to provide login verification information (step 211). After receiving the request from the platform 150 to provide login verification information, the client 110 can ask the user to perform biometric identification using biometric features such as fingerprints, faces, irises, etc., and can obtain the user's biometrics and After judging that the obtained biometrics pass the biometrics identification, the pre-stored login verification data and the institutional login data of the financial institution terminal 130 are read from the trusted module, and the read login verification data and institutional login data can be read Transmit to platform side 150 (step 215). After the platform terminal 150 receives the login verification data and the organization login data sent by the client 110, it can verify the received login verification data. If the login verification information passes the verification of the platform terminal 150, the platform terminal 150 may transmit the received institution login information to the financial institution terminal 130 after judging that the login verification information has passed the verification, so that the financial institution terminal 130 allows the client terminal 110 to log in ( step 219).

回到「第2A圖」,在客戶端110使用FIDO架構以生物特徵登入金融機構端130(步驟210)後,客戶端110可以向金融機構端130請求交易服務,也就是向金融機構端130發出交易服務的請求。金融機構端130可以在接收到客戶端110所發出之交易服務的請求時,判斷被請求之交易服務的風險層級。當被請求之交易服務的風險層級屬於基本交易層級時,也就是被請求之交易服務為基本交易層級時,金融機構端130可以產生身分驗證請求,並可以將所產生之身分驗證請求傳送到平台端150,使得平台端150要求客戶端110進行身分驗證(步驟220)。在本實施例中,假設所有的交易服務均為基本交易層級。Going back to "Figure 2A", after the client 110 uses the FIDO architecture to log in to the financial institution terminal 130 with biometric features (step 210), the client 110 can request transaction services from the financial institution terminal 130, that is, send a transaction service to the financial institution terminal 130. Transaction service requests. The financial institution terminal 130 can determine the risk level of the requested transaction service when receiving the transaction service request from the client terminal 110 . When the risk level of the requested transaction service belongs to the basic transaction level, that is, when the requested transaction service is the basic transaction level, the financial institution terminal 130 can generate an identity verification request, and can send the generated identity verification request to the platform The terminal 150 makes the platform terminal 150 require the client 110 to perform identity verification (step 220 ). In this embodiment, it is assumed that all transaction services are at the basic transaction level.

在客戶端110接收到平台端150所傳送之身分驗證的要求時,客戶端110可以由可信模組中讀出交易驗證資料,並加密所讀出之交易驗證資料以產生交易加密資料,並可以將所產生之交易加密資料傳送到平台端150(步驟231)。在本實施例中,假設客戶端110與平台端150事先約定先後以客戶端110之私鑰與平台端150產生之基於時間的一次性密碼加密交易驗證資料以產生交易加密資料,例如,客戶端110可以先使用私鑰以RSA演算法對交易驗證資料加密而產生中間密文,再使用每隔預定時間(如60秒)與平台端150同步而取得的一次性密碼對中間密文加密以產生交易加密資料,同時,客戶端110也可以產生聲明簽發請求並與機要加密資料一同傳送給平台端150。When the client 110 receives the identity verification request sent by the platform 150, the client 110 can read the transaction verification data from the trusted module, and encrypt the read transaction verification data to generate transaction encryption data, and The generated transaction encryption data can be sent to the platform 150 (step 231). In this embodiment, it is assumed that the client 110 and the platform 150 agree in advance to use the private key of the client 110 and the time-based one-time password generated by the platform 150 to encrypt the transaction verification data to generate transaction encryption data, for example, the client 110 can first use the private key to encrypt the transaction verification data with the RSA algorithm to generate intermediate ciphertext, and then use the one-time password obtained by synchronizing with the platform terminal 150 every predetermined time (such as 60 seconds) to encrypt the intermediate ciphertext to generate At the same time, the client terminal 110 can also generate a statement issuance request and send it to the platform terminal 150 together with the confidential encrypted information.

在平台端150接收到客戶端110所傳送的交易加密資料後,可以解密所接收到的交易加密資料以取得身分檢核資料,並可以確認所取得之身分檢核資料與預先發給客戶端110之交易驗證資料是否相符以產生身分驗證結果,及可以傳送所產生之身分驗證結果到金融機構端130(步驟235)。在本實施例中,假設平台端150可以先使用最後產生之基於時間的一次性密碼解密交易加密資料而產生中間密文,再使用客戶端110的公鑰解密中間密文而取得身分檢核資料,接著,平台端150可以讀出客戶端110的交易驗證資料,並可以比對所取得之身分檢核資料與所讀出之交易驗證資料是否相符,當兩者相符時,平台端150可以產生表示通過驗證的身分驗證結果,而當兩者不符時,平台端150可以產生表示未通過驗證的身分驗證結果。另外,平台端150也可以在身分檢核資料與交易驗證資料相符時,依據所接收到之客戶端110所傳送的聲明簽發請求產生與客戶端之使用者之分散式數位身分識別資料對應的可驗證聲明,並可以將所簽發的可驗證聲明發布到區塊鏈190。After the platform 150 receives the transaction encryption data sent by the client 110, it can decrypt the received transaction encryption data to obtain the identity verification data, and can confirm the obtained identity verification data and send them to the client 110 in advance. Check whether the transaction verification information matches to generate an identity verification result, and send the generated identity verification result to the financial institution terminal 130 (step 235). In this embodiment, it is assumed that the platform 150 can use the last generated time-based one-time password to decrypt the transaction encrypted data to generate intermediate ciphertext, and then use the public key of the client 110 to decrypt the intermediate ciphertext to obtain identity verification data , then, the platform terminal 150 can read the transaction verification data of the client terminal 110, and can compare whether the obtained identity verification data is consistent with the transaction verification data read out, and when the two match, the platform terminal 150 can generate indicates that the identity verification result passed the verification, and when the two do not match, the platform 150 may generate an identity verification result indicating that the verification has not passed. In addition, the platform 150 can also generate a certificate corresponding to the distributed digital identification data of the user of the client according to the statement issuance request received from the client 110 when the identity verification data matches the transaction verification data. The statement is verified, and the issued verifiable statement can be published to the blockchain 190.

同樣在平台端150接收到客戶端110所傳送的交易加密資料後,可以依據接收自金融機構端130的身分驗證請求與接收自客戶端110的交易加密資料產生第一存證資料,並可以將所產生的第一存證資料發布到區塊鏈190中(步驟240),藉以透過區塊鏈190進行資料的存證。在本實施例中,假設平台端150可以對身分驗證請求與交易加密資料進行雜湊運算以產生第一存證資料。Similarly, after the platform terminal 150 receives the transaction encryption data sent by the client terminal 110, it can generate the first deposit certificate data according to the identity verification request received from the financial institution terminal 130 and the transaction encryption data received from the client terminal 110, and can store The generated first certificate data is released to the blockchain 190 (step 240 ), so as to deposit the data through the blockchain 190 . In this embodiment, it is assumed that the platform 150 can perform a hash operation on the identity verification request and the encrypted transaction data to generate the first evidence deposit data.

在金融機構端130接收到平台端150所產生之身分驗證結果後,可以判斷所接收到的身分驗證結果是否表示通過驗證,若否,則金融機構端130可以拒絕客戶端110所請求的交易服務,而若身分驗證結果表示通過驗證,則金融機構端130可以產生與客戶端110所請求之交易服務對應的交易資料(步驟250)。其中,金融機構端130可以直接依據平台端150所傳送的身分驗證結果判斷身分驗證結果是否表示通過驗證,也可以依據客戶端110之使用者的分散式數位身分識別資料由區塊鏈190中取得可驗證聲明(身分驗證結果),並可以使用平台端150的公鑰驗證所取得之可驗證聲明中的簽章,並確認有效性與到期時間,藉以驗證所取得的可驗證聲明,當可驗證聲明通過金融機構端130的驗證且可驗證聲明中確認客戶端110之使用者的身分後,金融機構端130可以判斷身分驗證結果表示通過驗證。After the financial institution terminal 130 receives the identity verification result generated by the platform terminal 150, it can judge whether the received identity verification result indicates that the verification is passed, and if not, the financial institution end 130 can reject the transaction service requested by the client terminal 110 , and if the identity verification result indicates that the verification is passed, the financial institution terminal 130 may generate transaction data corresponding to the transaction service requested by the client terminal 110 (step 250 ). Among them, the financial institution terminal 130 can directly judge whether the identity verification result indicates passing the verification according to the identity verification result sent by the platform end 150, or can obtain it from the blockchain 190 according to the distributed digital identification information of the user of the client terminal 110. verifiable statement (identity verification result), and can use the public key of platform 150 to verify the signature in the obtained verifiable statement, and confirm the validity and expiration time, so as to verify the obtained verifiable statement. After the verification statement is verified by the financial institution terminal 130 and the identity of the user of the client terminal 110 is confirmed in the verifiable statement, the financial institution terminal 130 can determine that the identity verification result indicates that the verification is passed.

接著,金融機構端130可以判斷客戶端110所請求之交易服務是否為實際交易層級,也就是判斷交易服務的風險層級是否屬於實際交易層級,若否,則金融機構端130可以執行被請求的交易服務,例如資料查詢等;而若客戶端110所請求之交易服務為實際交易層級,也就是交易服務的風險層級屬於實際交易層級,則金融機構端130可以將所產生的交易資料傳送到公信單位端160(步驟261)。在本實施例中,假設實際交易層級為涉及金錢交易的交易服務,交易資料包含金錢交易之商品的相關資料。Next, the financial institution terminal 130 can determine whether the transaction service requested by the client terminal 110 is the actual transaction level, that is, determine whether the risk level of the transaction service belongs to the actual transaction level, and if not, the financial institution terminal 130 can execute the requested transaction Services, such as data query, etc.; and if the transaction service requested by the client terminal 110 is the actual transaction level, that is, the risk level of the transaction service belongs to the actual transaction level, then the financial institution terminal 130 can transmit the generated transaction data to the public trust unit terminal 160 (step 261). In this embodiment, it is assumed that the actual transaction level is a transaction service involving money transactions, and the transaction data includes relevant data of commodities in money transactions.

在公信單位端160接收到金融機構端130所傳送的交易資料後,公信單位端160可以對交易資料簽章以產生公信簽章,並可以將所產生的公信簽章傳送到平台端150(步驟263)。After the public trust unit terminal 160 receives the transaction data sent by the financial institution terminal 130, the public trust unit terminal 160 can sign the transaction data to generate a public trust seal, and can transmit the produced public trust seal to the platform terminal 150 (step 263).

在平台端150接收到公信單位端160所傳送的公信簽章後,可以將所接收到的公信簽章傳送給客戶端110,也可以傳送給鑑證端170。客戶端110在接收到平台端150所傳送的公信簽章後,可以將所接收到的公信簽章儲存在可信模組中;鑑證端170在接收到平台端150所傳送的公信簽章後,可以依據所接收到的公信簽章產生第二存證資料,並可以將所產生的第二存證資料發布到區塊鏈190中(步驟265),藉以透過區塊鏈190進行資料的存證。在本實施例中,假設鑑證端170可以對公信簽章進行雜湊運算以產生第二存證資料。After the platform terminal 150 receives the public trust signature sent by the public trust unit terminal 160 , it may transmit the received public trust signature to the client terminal 110 or to the authentication terminal 170 . After the client 110 receives the public trust signature transmitted by the platform terminal 150, it can store the received public trust signature in the trusted module; after the authentication terminal 170 receives the public trust signature transmitted by the platform terminal 150 , can generate the second certificate data according to the received public trust signature, and can release the generated second certificate data to the blockchain 190 (step 265), so as to store the data through the blockchain 190 certificate. In this embodiment, it is assumed that the authenticator 170 can perform a hash operation on the trusted signature to generate the second certificate storage material.

如此,透過本發明,金融機構端130可以依據客戶端110所請求之交易服務的風險層級選擇需要執行的安全驗證機制,藉以利用不同的安全驗證技術完成不同風險層級的交易服務,如同利用複數鑰匙開啟不同交易大門,就算掉了其中一把鑰匙,攻擊者依然無法利用單一鑰匙進行假交易攻擊,因此,本發明可以提高犯罪成本,並兼顧交易安全性及便利性。In this way, through the present invention, the financial institution terminal 130 can select the security verification mechanism to be executed according to the risk level of the transaction service requested by the client 110, so as to use different security verification technologies to complete transaction services with different risk levels, just like using multiple keys Opening different transaction doors, even if one of the keys is lost, the attacker still cannot use a single key to carry out a fake transaction attack. Therefore, the present invention can increase the cost of crime while taking into account transaction security and convenience.

上述的實施例中,交易服務的風險層級還可以包含監管交易層級,如「第2C圖」之流程所示,在金融機構端130將交易資料傳送到公信單位端160(步驟261)後(實務上也可以在平台端150將公信單位端160所產生的公信簽章傳送給客戶端110及/或鑑證端170後),金融機構端130可以進一步判斷客戶端110所請求的交易服務是否為監管交易層級,也就是判斷交易服務之風險層級是否屬於監管交易層級,若否,則金融機構端130可以執行被請求的交易服務,例如小額交易等;而若交易服務為監管交易層級,金融機構端130可以產生模組驗證請求,並可以將所產生之模組驗證請求傳送到平台端150,使得平台端150向客戶端110要求進行可信模組驗證(步驟271)。In the above-mentioned embodiment, the risk level of the transaction service may also include the supervision transaction level, as shown in the process of "Fig. 2C", after the financial institution terminal 130 transmits the transaction data to the public trust unit terminal 160 (step 261) (practical (or after the platform 150 transmits the public trust signature generated by the public trust unit terminal 160 to the client terminal 110 and/or the verification terminal 170), the financial institution terminal 130 can further determine whether the transaction service requested by the client terminal 110 is supervision Transaction level, that is, to determine whether the risk level of the transaction service belongs to the regulatory transaction level, if not, the financial institution terminal 130 can execute the requested transaction service, such as small transactions; and if the transaction service is a regulatory transaction level, the financial institution terminal 130 130 may generate a module verification request, and may transmit the generated module verification request to the platform 150 , so that the platform 150 requires the client 110 to perform trusted module verification (step 271 ).

在客戶端110接收到平台端150所傳送之驗證可信模組的要求時,客戶端110可以由可信模組中讀出可信安全資料,並加密所讀出之可信安全資料以產生模組加密資料,並可以將所產生之模組加密資料傳送到平台端150(步驟273)。在此實施例中,假設客戶端110與平台端150事先約定先後以客戶端110之私鑰與平台端150產生之基於時間的一次性密碼加密可信安全資料以產生模組加密資料,也就是說,與加密交易驗證資料相似的,客戶端110可以先由可信模組中讀取出全部、部分、或特定的資料作為可信安全資料,並可以使用私鑰對可信安全資料加密而產生中間密文,再使用每隔預定時間(如30秒或更短時間)與平台端150同步而取得的一次性密碼對中間密文加密以產生模組加密資料。When the client 110 receives the request for authenticating the trusted module sent by the platform 150, the client 110 can read the trusted security information from the trusted module, and encrypt the read trusted security information to generate Module encryption data, and the generated module encryption data can be sent to the platform 150 (step 273). In this embodiment, it is assumed that the client 110 and the platform 150 agree in advance to use the private key of the client 110 and the time-based one-time password generated by the platform 150 to encrypt the trusted security data to generate module encrypted data, that is, In other words, similar to the encrypted transaction verification data, the client 110 can first read all, part, or specific data from the trusted module as trusted security data, and can use the private key to encrypt the trusted security data. Generate the intermediate ciphertext, and then encrypt the intermediate ciphertext with the one-time password obtained by synchronizing with the platform terminal 150 every predetermined time (such as 30 seconds or less) to generate module encrypted data.

在平台端150接收到客戶端110所傳送的模組加密資料後,可以解密所接收到的模組加密資料以取得模組檢核資料,並可以比對所取得之模組檢核資料與預先儲存之可信安全資料是否相符(步驟275)。在此實施例中,假設平台端150可以先使用最後產生之基於時間的一次性密碼解密模組加密資料而產生中間密文,再使用客戶端110的公鑰解密中間密文而取得模組檢核資料,接著,平台端150可以讀出客戶端110的可信安全資料,並可以比對所取得之身分檢核資料與所讀出之交易驗證資料是否相符。After the platform terminal 150 receives the module encryption data sent by the client 110, it can decrypt the received module encryption data to obtain the module verification data, and can compare the obtained module verification data with the Whether the stored credible security information matches (step 275). In this embodiment, it is assumed that the platform 150 can use the last generated time-based one-time password to decrypt the encrypted data of the module to generate an intermediate ciphertext, and then use the public key of the client 110 to decrypt the intermediate ciphertext to obtain the module ID. Then, the platform terminal 150 can read the credible security information of the client 110, and can compare whether the acquired identity verification information is consistent with the read transaction verification information.

當模組檢核資料與可信安全資料不相符時,金融機構端130可以拒絕執行客戶端110所請求的交易服務;而當模組檢核資料與可信安全資料相符時,金融機構端130可以產生第一申報資料並可以將所產生的第一申報資料傳送給平台端150(步驟277),並可以執行客戶端110所請求的交易服務。在此實施例中,假設平台端150可以產生表示模組檢核資料與可信安全資料是否相符的比對結果,並可以將所產生之比對結果傳送到金融機構端130,其中,當模組檢核資料與可信安全資料相符時,平台端150可以產生申報表單,並可以將申報表單與比對結果一同傳送給金融機構端130;金融機構端130可以在平台端150所產生的比對結果表示模組檢核資料與可信安全資料不相符時選擇拒絕服務客戶端110,也可以在比對結果表示模組檢核資料與可信安全資料相符時選擇依據平台端150所傳送之申報表單產生第一申報資料,並完成客戶端110所請求的大額交易。When the module verification information does not match the trusted security information, the financial institution terminal 130 can refuse to execute the transaction service requested by the client 110; and when the module verification information matches the trusted security information, the financial institution terminal 130 The first declaration data can be generated and transmitted to the platform 150 (step 277 ), and the transaction service requested by the client 110 can be executed. In this embodiment, it is assumed that the platform terminal 150 can generate a comparison result indicating whether the module verification data is consistent with the trusted security data, and can transmit the generated comparison result to the financial institution terminal 130, wherein, when the module When the group verification information matches the credible security information, the platform terminal 150 can generate a declaration form, and can transmit the declaration form and the comparison result to the financial institution terminal 130; When the result indicates that the module verification information does not match the trusted security information, choose to refuse service to the client 110, and when the comparison result indicates that the module verification information is consistent with the trusted security information, choose to rely on the information sent by the platform terminal 150. The declaration form generates the first declaration data, and completes the large-value transaction requested by the client 110 .

在平台端150接收到金融機構端130所所送的第一申報資料後,平台端150可以產生包含第一申報資料的第二申報資料,並可以將所產生的第二申報資料傳送給監管端,及可以依據接收自金融機構端130之模組驗證請求、接收自客戶端110之模組加密資料、及所產生的第二申報資料產生第三存證資料,並將所產生的第三存證資料發布到區塊鏈190中(步驟279),藉以透過區塊鏈190進行資料的存證。在此實施例中,假設平台端150可以對模組驗證請求、模組加密資料、第二申報資料進行雜湊運算以產生第三存證資料。After the platform terminal 150 receives the first declaration material sent by the financial institution terminal 130, the platform terminal 150 can generate the second declaration material containing the first declaration material, and can transmit the generated second declaration material to the supervisory terminal , and can generate the third deposit certificate data according to the module verification request received from the financial institution terminal 130, the module encryption data received from the client terminal 110, and the generated second declaration data, and the generated third deposit certificate data The certificate data is published to the block chain 190 (step 279), so as to store the data through the block chain 190. In this embodiment, it is assumed that the platform 150 can perform a hash operation on the module verification request, the module encryption data, and the second declaration data to generate the third certificate storage data.

另外,上述實施例中,還可以如「第3A圖」之流程所示,在客戶端110使用FIDO架構以生物特徵登入金融機構端130(步驟210)前,客戶端110可以向平台端150或金融機構端130申請可信模組(步驟311)。平台端150或金融機構端130可以通知合作之電信商製作可信模組,並可以透過專人運送或郵寄等方式將可信模組遞交給客戶端110的使用者。In addition, in the above-mentioned embodiment, as shown in the process of "Figure 3A", before the client 110 uses the FIDO framework to log in to the financial institution terminal 130 with biometric features (step 210), the client 110 can send a request to the platform terminal 150 or The financial institution terminal 130 applies for a trusted module (step 311 ). The platform side 150 or the financial institution side 130 can notify the cooperating telecommunications provider to make a trusted module, and deliver the trusted module to the user of the client terminal 110 by delivery or post.

接著,客戶端110申請可信模組的平台端150或金融機構端130的服務人員可以操作服務端120輸入客戶端110的裝置識別資料,並可以將裝置識別資料透過網路傳送給平台端150或金融機構端130,藉以線上啟用可信模組(步驟313),也就是由平台端150或金融機構端130記錄可信模組與客戶端110的識別資料的對應關係,使得平台端150或金融機構端130可以確認存取可信模組的計算設備為申請可信模組的客戶端110。如此,在可信模組被啟用後,客戶端110的使用者可以將可信模組安裝於客戶端110中(步驟315),之後,客戶端110的使用者可以操作客戶端110進行生物特徵辨識,客戶端110可以在使用者的生物特徵通過生物特徵辨識後存取可信模組,藉以確認可信模組是否成功啟用。Then, the service personnel of the platform 150 or the financial institution 130 that the client 110 applies for a trusted module can operate the server 120 to input the device identification data of the client 110, and can transmit the device identification data to the platform 150 through the network Or the financial institution terminal 130, so as to enable the trusted module online (step 313), that is, the platform terminal 150 or the financial institution terminal 130 records the corresponding relationship between the trusted module and the identification data of the client terminal 110, so that the platform terminal 150 or The financial institution terminal 130 can confirm that the computing device that accesses the trusted module is the client 110 that applies for the trusted module. In this way, after the trusted module is enabled, the user of the client 110 can install the trusted module in the client 110 (step 315), and then the user of the client 110 can operate the client 110 to perform biometric For identification, the client 110 can access the trusted module after the user's biometrics are authenticated, so as to confirm whether the trusted module is successfully activated.

此外,同樣在客戶端110使用FIDO架構以生物特徵登入金融機構端130(步驟210)前,也可以如「第3B圖」之流程所示,在使用者可以操作客戶端110連線到平台端150後,操作客戶端110在平台端150註冊,使得客戶端110以實名制驗證完成在平台端150的註冊(步驟351)。In addition, before the client 110 uses the FIDO framework to log in to the financial institution 130 with biometric features (step 210), as shown in the process of "Figure 3B", the user can operate the client 110 to connect to the platform After 150, operate the client 110 to register on the platform 150, so that the client 110 completes the registration on the platform 150 through real-name verification (step 351).

平台端150可以在客戶端110完成註冊後,產生與客戶端110對應之登入驗證資料與交易驗證資料,並可以儲存所產生的登入驗證資料、交易驗證資料、與客戶端110的公鑰,及可以將所產生之登入驗證資料與交易驗證資料傳送到客戶端110(步驟353),使得客戶端110將平台端150所傳送的登入驗證資料、交易驗證資料、及私鑰儲存在可信模組中。The platform 150 can generate login verification data and transaction verification data corresponding to the client 110 after the client 110 completes the registration, and can store the generated login verification data, transaction verification data, and the public key of the client 110, and The generated login verification data and transaction verification data can be sent to the client 110 (step 353), so that the client 110 stores the login verification data, transaction verification data, and private key sent by the platform 150 in the trusted module middle.

之後,當客戶端110接收到身分驗證的要求時,客戶端110可以要求使用者進行生物特徵辨識,在使用者的生物特徵通過生物特徵辨識後,客戶端110可以由可信模組中讀出登入驗證資料,並加密所讀出之登入驗證資料以產生登入加密資料,及可以將所產生之登入加密資料傳送到平台端150(步驟361)。其中,客戶端110加密登入驗證資料的過程與上述之加密過程相同,不再贅述。Afterwards, when the client 110 receives a request for identity verification, the client 110 can require the user to perform biometric identification, and after the user's biometric has passed the biometric identification, the client 110 can read out from the trusted module Login verification data, and encrypt the read login verification data to generate login encryption data, and send the generated login encryption data to the platform 150 (step 361). Wherein, the process of encrypting the login verification data by the client 110 is the same as the encryption process described above, and will not be repeated here.

在平台端150接收到客戶端110所傳送之登入加密資料後,平台端150可以解密登入加密資料以取得登入檢核資料,並可以比對登入檢核資料與所儲存之與客戶端110對應的登入驗證資料(步驟365)。其中,平台端150解密登入加密資料以取得登入檢核資料的過程與上述之解密過程相同,不再贅述。After the platform terminal 150 receives the login encrypted data sent by the client terminal 110, the platform terminal 150 can decrypt the login encrypted data to obtain the login verification data, and can compare the login verification data with the stored login data corresponding to the client terminal 110. Login verification data (step 365). Wherein, the process for the platform 150 to decrypt the login encrypted data to obtain the login verification data is the same as the decryption process described above, and will not be repeated here.

當平台端150判斷解密取得之登入檢核資料與所讀出之登入驗證資料相符時,平台端150可以取得經金融機構端130認證之個人資料,並由平台端150或公信單位端160對平台端150所取得之個人資料進行特定運算以產生相對應之客戶認證資料並將所產生之客戶認證資料傳送到客戶端110,使得客戶端110可以將所接收到的客戶認證資料儲存在可信模組中,或金融機構端130可以透過oAuth 2.0的機制由客戶端110取得客戶認證資料(授權許可)並傳送客戶認證資料至平台端150,藉以從平台端150下載與客戶認證資料對應的個人資料(步驟370)。When the platform terminal 150 judges that the login verification information obtained by decryption is consistent with the read login verification information, the platform terminal 150 can obtain the personal information certified by the financial institution terminal 130, and the platform terminal 150 or the trust unit terminal 160 can verify the platform The personal data obtained by the terminal 150 is used for specific operations to generate corresponding customer authentication data and the generated customer certification data is sent to the client 110, so that the client 110 can store the received customer certification data in a trusted module. In the group, or the financial institution terminal 130 can obtain customer authentication information (authorization permission) from the client terminal 110 through the mechanism of oAuth 2.0 and send the customer authentication information to the platform terminal 150, so as to download the personal information corresponding to the customer authentication information from the platform terminal 150 (step 370).

綜上所述,可知本發明與先前技術之間的差異在於具有透過客戶端使用線上快速認證架構以生物特徵登入金融機構端後,金融機構端於客戶端請求交易服務時,依據被請求之交易服務的風險層級選擇相對應的安全驗證方式對客戶身分進行驗證,並將能夠對驗證過程所產生的驗證資料與被請求之交易服務的交易資料進行驗證的存證資料發布到區塊鏈中之技術手段,藉由此一技術手段可以來解決先前技術所存在國內金融機構間沒有能夠互信之驗證流程與標準的問題,進而達成提高犯罪複雜度與成本、降低金融機構浪費之資源、並兼顧交易安全性及便利性的技術功效。To sum up, it can be seen that the difference between the present invention and the prior art lies in that after the client uses the online quick authentication framework to log in to the financial institution with biometric features, when the financial institution requests a transaction service from the client, it will The risk level of the service selects the corresponding security verification method to verify the identity of the customer, and publishes the proof data that can verify the verification data generated during the verification process and the transaction data of the requested transaction service to the blockchain. Technical means, through this technical means, can solve the problem of lack of mutual trust verification process and standards among domestic financial institutions in the previous technology, and then achieve the goal of increasing the complexity and cost of crimes, reducing the resources wasted by financial institutions, and taking into account transactions Technical efficacy for safety and convenience.

再者,本發明之使用多安全層級驗證客戶身分與交易服務之方法,可實現於硬體、軟體或硬體與軟體之組合中,亦可在電腦系統中以集中方式實現或以不同元件散佈於若干互連之電腦系統的分散方式實現。Furthermore, the method of using multiple security levels to verify customer identity and transaction services of the present invention can be implemented in hardware, software, or a combination of hardware and software, and can also be implemented in a centralized manner in a computer system or distributed with different components Implemented in a decentralized manner over several interconnected computer systems.

雖然本發明所揭露之實施方式如上,惟所述之內容並非用以直接限定本發明之專利保護範圍。任何本發明所屬技術領域中具有通常知識者,在不脫離本發明所揭露之精神和範圍的前提下,對本發明之實施的形式上及細節上作些許之更動潤飾,均屬於本發明之專利保護範圍。本發明之專利保護範圍,仍須以所附之申請專利範圍所界定者為準。Although the embodiments disclosed in the present invention are as above, the content described is not intended to directly limit the scope of protection of the present invention. Anyone with ordinary knowledge in the technical field of the present invention, without departing from the spirit and scope disclosed in the present invention, makes some changes and modifications to the form and details of the implementation of the present invention, all of which belong to the patent protection of the present invention scope. The scope of patent protection of the present invention shall still be defined by the scope of the attached patent application.

110:客戶端 120:服務端 130:金融機構端 150:平台端 160:公信單位端 170:鑑證端 190:區塊鏈 步驟210:客戶端以生物特徵登入金融機構端 步驟211:金融機構端於要求客戶端登入時傳送登入驗證請求至平台端,使平台端向客戶端要求登入驗證資料 步驟215:客戶端通過生物特徵辨識後,讀取金融機構端之機構登入資料與登入驗證資料,並傳送登入驗證資料及機構登入資料至平台端 步驟219:平台端在登入驗證資料通過驗證後,傳送機構登入資料至金融機構端,使金融機構端允許客戶端登入 步驟220:金融機構端於客戶端請求交易服務且判斷交易服務為基本交易層級時,傳送身分驗證請求至平台端,使平台端要求客戶端進行身分驗證 步驟231:客戶端加密交易驗證資料以產生交易加密資料並傳送交易加密資料給平台端 步驟235:平台端解密交易加密資料以取得身分檢核資料並傳送表示身分檢核資料與交易驗證資料是否相符之身分驗證結果至金融機構端 步驟240:平台端依據身分驗證請求及交易加密資料產生第一存證資料並發布至區塊鏈 步驟250:金融機構端於身分驗證結果表示通過驗證時,產生與交易服務對應之交易資料 步驟261:金融機構端判斷交易服務為實際交易層級時,傳送交易資料至公信單位端 步驟263:公信單位端對交易資料簽章以產生公信簽章,並傳送公信簽章至平台端 步驟265:平台端傳送公信簽章給鑑證端,鑑證端依據公信簽章產生第二存證資料並發布至區塊鏈 步驟271:金融機構端判斷交易服務為監管交易層級時,傳送模組驗證請求至平台端,使平台端向客戶端要求進行可信模組驗證 步驟273:客戶端加密可信模組所儲存之可信安全資料以產生模組加密資料,並傳送模組加密資料至平台端 步驟275:平台端解密模組加密資料以取得模組檢核資料並比對模組檢核資料與可信安全資料 步驟277:當模組檢核資料與可信安全資料相符時,金融機構端產生第一申報資料並傳送該平台端 步驟279:平台端產生包含第一申報資料之第二申報資料,並依據模組驗證請求、模組加密資料及第二申報資料產生第三存證資料並發布至區塊鏈 步驟311:客戶端向平台端或金融機構端申請實體之可信模組 步驟313:服務端線上輸入客戶端之裝置識別資料以啟用可信模組 步驟315:客戶端安裝可信模組 步驟351:客戶端在平台端以實名制驗證完成註冊 步驟353:平台端傳送登入驗證資料及交易驗證資料至客戶端 步驟361:客戶端對使用者進行生物辨識後,加密登入驗證資料以產生登入加密資料並傳送登入加密資料至平台端 步驟365:平台端解密登入加密資料以取得登入檢核資料並比對登入檢核資料與登入驗證資料 步驟370:當登入檢核資料與登入驗證資料相符時,平台端取得經金融機構端認證之個人資料,並由平台端或公信單位端對個人資料進行運算以產生對應之客戶認證資料並傳送給客戶端儲存,或金融機構端由客戶端取得客戶認證資料,並傳送客戶認證資料至平台端以從平台端下載個人資料 110: client 120: server 130: Financial institution side 150: Platform end 160: Public trust unit end 170: authentication terminal 190: Blockchain Step 210: the client logs in to the financial institution with biometric features Step 211: The financial institution sends a login verification request to the platform when requesting the client to log in, so that the platform requests the client for login verification information Step 215: After the client passes the biometric identification, read the institution login information and login verification information of the financial institution, and send the login verification information and institution login information to the platform Step 219: After the login verification information is verified on the platform side, send the organization login information to the financial institution side, so that the financial institution side allows the client to log in Step 220: When the financial institution requests the transaction service from the client terminal and determines that the transaction service is at the basic transaction level, it sends an identity verification request to the platform side, so that the platform side requires the client side to perform identity verification Step 231: The client encrypts the transaction verification data to generate the transaction encryption data and sends the transaction encryption data to the platform Step 235: The platform side decrypts the transaction encryption data to obtain the identity verification data and sends the identity verification result indicating whether the identity verification data matches the transaction verification data to the financial institution side Step 240: The platform side generates the first evidence deposit data according to the identity verification request and transaction encryption data and publishes it to the blockchain Step 250: The financial institution generates transaction data corresponding to the transaction service when the identity verification result indicates that the verification is passed Step 261: When the financial institution judges that the transaction service is at the actual transaction level, send the transaction data to the trusted entity Step 263: The trusted unit signs the transaction data to generate a trusted signature, and sends the trusted signature to the platform Step 265: The platform side transmits the public trust signature to the authentication side, and the verification side generates the second certificate storage data according to the public trust signature and publishes it to the blockchain Step 271: When the financial institution side judges that the transaction service is a regulatory transaction level, it sends a module verification request to the platform side, so that the platform side asks the client side for trusted module verification Step 273: The client encrypts the trusted security data stored in the trusted module to generate module encrypted data, and sends the module encrypted data to the platform Step 275: The platform side decrypts the encrypted data of the module to obtain the module verification data and compares the module verification data with the trusted security data Step 277: When the module verification information matches the credible security information, the financial institution side generates the first declaration information and transmits it to the platform side Step 279: The platform side generates the second declaration data including the first declaration data, and generates the third certificate storage data according to the module verification request, the module encryption data and the second declaration data and publishes it to the blockchain Step 311: The client applies to the platform or the financial institution for the trusted module of the entity Step 313: The server enters the device identification information of the client online to activate the trusted module Step 315: the client installs a trusted module Step 351: The client completes the registration with the real-name verification on the platform side Step 353: The platform sends the login verification data and transaction verification data to the client terminal Step 361: After the client performs biometric identification on the user, encrypt the login verification data to generate login encrypted data and send the login encrypted data to the platform Step 365: The platform side decrypts the login encrypted data to obtain the login verification data and compares the login verification data with the login verification data Step 370: When the login verification information matches the login verification information, the platform side obtains the personal data certified by the financial institution side, and the platform side or the public trust unit side calculates the personal data to generate corresponding customer authentication data and sends it to Stored by the client, or the financial institution obtains the customer authentication information from the client, and sends the customer authentication information to the platform to download personal information from the platform

第1圖為本發明所提之使用多安全層級驗證客戶身分與交易服務之系統架構圖。 第2A圖為本發明所提之使用多安全層級驗證客戶身分與交易服務之方法流程圖。 第2B圖為本發明所提之客戶端登入金融機構端之方法流程圖。 第2C圖為本發明所提之使用多安全層級驗證客戶身分與交易服務之附加方法流程圖。 第3A圖為本發明所提之客戶端安裝可信模組之方法流程圖。 第3B圖為本發明所提之客戶端於平台端完成註冊之方法流程圖。 Figure 1 is a system architecture diagram of the present invention using multiple security levels to verify customer identity and transaction services. FIG. 2A is a flow chart of the method for verifying customer identity and transaction services using multiple security levels proposed by the present invention. FIG. 2B is a flow chart of the method for the client to log in to the financial institution according to the present invention. FIG. 2C is a flowchart of an additional method for verifying customer identity and transaction services using multiple security levels proposed by the present invention. FIG. 3A is a flowchart of a method for installing a trusted module on a client terminal according to the present invention. FIG. 3B is a flow chart of the method for completing the registration of the client on the platform according to the present invention.

步驟210:客戶端以生物特徵登入金融機構端 Step 210: the client logs in to the financial institution with biometric features

步驟220:金融機構端於客戶端請求交易服務且判斷交易服務為基本交易層級時,傳送身分驗證請求至平台端,使平台端要求客戶端進行身分驗證 Step 220: When the financial institution requests the transaction service from the client terminal and determines that the transaction service is at the basic transaction level, it sends an identity verification request to the platform side, so that the platform side requires the client side to perform identity verification

步驟231:客戶端加密交易驗證資料以產生交易加密資料並傳送交易加密資料給平台端 Step 231: The client encrypts the transaction verification data to generate the transaction encryption data and sends the transaction encryption data to the platform

步驟235:平台端解密交易加密資料以取得身分檢核資料並傳送表示身分檢核資料與交易驗證資料是否相符之身分驗證結果至金融機構端 Step 235: The platform side decrypts the transaction encryption data to obtain the identity verification data and sends the identity verification result indicating whether the identity verification data matches the transaction verification data to the financial institution side

步驟240:平台端依據身分驗證請求及交易加密資料產生第一存證資料並發布至區塊鏈 Step 240: The platform side generates the first evidence deposit data according to the identity verification request and transaction encryption data and publishes it to the blockchain

步驟250:金融機構端於身分驗證結果表示通過驗證時,產生與交易服務對應之交易資料 Step 250: The financial institution generates transaction data corresponding to the transaction service when the identity verification result indicates that the verification is passed

步驟261:金融機構端判斷交易服務為實際交易層級時,傳送交易資料至公信單位端 Step 261: When the financial institution judges that the transaction service is at the actual transaction level, send the transaction data to the trusted entity

步驟263:公信單位端對交易資料簽章以產生公信簽章,並傳送公信簽章至平台端 Step 263: The trusted unit signs the transaction data to generate a trusted signature, and sends the trusted signature to the platform

步驟265:平台端傳送公信簽章給鑑證端,鑑證端依據公信簽章產生第二存證資料並發布至區塊鏈 Step 265: The platform side transmits the public trust signature to the authentication side, and the verification side generates the second certificate storage data according to the public trust signature and publishes it to the blockchain

Claims (10)

一種使用多安全層級驗證客戶身分與交易服務之方法,該方法至少包含下列步驟: 一客戶端以生物特徵登入一金融機構端; 該金融機構端於該客戶端請求一交易服務時,判斷該交易服務為基本交易層級時,傳送一身分驗證請求至一平台端,使該平台端要求該客戶端進行身分驗證; 該客戶端加密一交易驗證資料以產生一交易加密資料並傳送該交易加密資料給平台端; 該平台端解密該交易加密資料以取得一身分檢核資料並確認該身分檢核資料與該交易驗證資料相符後,傳送一身分驗證結果至該金融機構端; 該平台端依據該身分驗證請求及該交易加密資料產生一第一存證資料並發布該第一存證資料至一區塊鏈中; 該金融機構端於該身分驗證結果表示通過驗證時,產生與該交易服務對應之一交易資料; 該金融機構端判斷該交易服務為實際交易層級時,傳送該交易資料至一公信單位端; 該公信單位端對該交易資料簽章以產生一公信簽章,並傳送該公信簽章至該平台端;及 該平台端傳送該公信簽章給一鑑證端,該鑑證端依據該公信簽章產生一第二存證資料並發布該第二存證資料至該區塊鏈中。 A method for verifying customer identity and transaction services using multiple security levels, the method at least includes the following steps: A client logs in to a financial institution with biometric features; When the client terminal requests a transaction service, the financial institution determines that the transaction service is at the basic transaction level, and sends an identity verification request to a platform, so that the platform requires the client to perform identity verification; The client encrypts a transaction verification data to generate a transaction encryption data and transmits the transaction encryption data to the platform; The platform side decrypts the transaction encryption data to obtain an identity verification data, and after confirming that the identity verification data matches the transaction verification data, sends an identity verification result to the financial institution side; The platform side generates a first deposit data according to the identity verification request and the transaction encrypted data, and releases the first deposit data to a block chain; The financial institution generates a transaction data corresponding to the transaction service when the identity verification result indicates that the verification is passed; When the financial institution determines that the transaction service is at the actual transaction level, it transmits the transaction data to a trusted entity; The credible unit signs the transaction data to generate a credible signature, and transmits the credible signature to the platform; and The platform transmits the public trust signature to an authentication terminal, and the certification terminal generates a second certificate storage data based on the public trust signature and releases the second certificate storage data to the block chain. 如請求項1所述之使用多安全層級驗證客戶身分與交易服務之方法,其中該方法於該金融機構端判斷被請求之該交易服務為實際交易層級之步驟後,更包含該金融機構端判斷該交易服務為監管交易層級時,傳送一模組驗證請求至該平台端,該平台端向該客戶端要求進行可信模組驗證,使該客戶端加密安裝於該客戶端上之可信模組所儲存之一可信安全資料以產生一模組加密資料並傳送該模組加密資料至該平台端,該平台端解密該模組加密資料以取得一模組檢核資料並比對該模組檢核資料與該可信安全資料,當該模組檢核資料與該可信安全資料相符時,該金融機構端產生一第一申報資料並傳送給該平台端,該平台端產生包含該第一申報資料之一第二申報資料並傳送給一監管端,並依據該模組驗證請求、該模組加密資料及該第二申報資料產生一第三存證資料,及發布該第三存證資料至該區塊鏈之步驟。The method for verifying customer identity and transaction service using multiple security levels as described in Claim 1, wherein the method further includes the determination of the financial institution side after the step of judging that the requested transaction service is an actual transaction level at the financial institution side When the transaction service is at the supervisory transaction level, a module verification request is sent to the platform, and the platform requests the client to verify the trusted module, so that the client encrypts the trusted module installed on the client. Generating a module encrypted data and sending the module encrypted data to the platform side, the platform side decrypts the module encrypted data to obtain a module verification data and compares the module Group verification data and the credible safety data, when the module verification data is consistent with the credible safety data, the financial institution side generates a first declaration data and sends it to the platform side, and the platform side generates a first declaration data containing the The second declaration data of the first declaration data is sent to a supervisory terminal, and a third certificate deposit data is generated according to the module verification request, the module encryption data and the second declaration data, and the third deposit certificate is released Steps to verify data to the blockchain. 如請求項1所述之使用多安全層級驗證客戶身分與交易服務之方法,其中該方法於該客戶端以生物特徵登入該金融機構端之步驟前,更包含該客戶端在該平台端以實名制驗證完成註冊後,該平台端傳送一登入驗證資料及一交易驗證資料至該客戶端,該客戶端對使用者進行生物辨識後,加密該登入驗證資料以產生一登入加密資料並傳送該登入加密資料至該平台端,該平台端解密該登入加密資料以取得一登入檢核資料並比對該登入檢核資料與該登入驗證資料,當該登入檢核資料與該登入驗證資料相符時,該平台端取得經該金融機構端認證之一個人資料,並由該平台端或該公信單位端對該個人資料進行運算以產生對應之一客戶認證資料並傳送給客戶端儲存,或該金融機構端由該客戶端取得該客戶認證資料,並傳送該客戶認證資料至該平台端以從該平台端下載該個人資料之步驟。The method for verifying client identity and transaction services using multiple security levels as described in claim 1, wherein the method further includes the client registering the client with a real name on the platform before the client logs in to the financial institution using biometric features After the registration is completed, the platform sends a login verification data and a transaction verification data to the client, and the client encrypts the login verification data to generate a login encryption data and transmits the login encryption data after biometric identification of the user. data to the platform side, the platform side decrypts the login encrypted data to obtain a login verification data and compares the login verification data with the login verification data, and when the login verification data matches the login verification data, the The platform side obtains the personal data certified by the financial institution side, and the platform side or the trusted unit side performs calculations on the personal data to generate a corresponding customer authentication data and sends it to the client side for storage, or the financial institution side is The client terminal obtains the client authentication information, and transmits the client authentication information to the platform to download the personal information from the platform. 如請求項1所述之使用多安全層級驗證客戶身分與交易服務之方法,其中該客戶端以生物特徵登入金融機構端之步驟更包含該金融機構端要求該客戶端使用線上快速認證(Fast IDentity Online, FIDO)架構登入時傳送一登入驗證請求至該平台端,使該平台端向該客戶端要求一登入驗證資料,該客戶端通過生物特徵辨識後取得該金融機構端之一機構登入資料並讀出該登入驗證資料後,傳送該登入驗證資料及該機構登入資料至該平台端,該平台端成功驗證該客戶端所傳送之該登入驗證資料後,傳送該機構登入資料至該金融機構端,使該金融機構端允許該客戶端登入之步驟。The method for verifying client identity and transaction services using multiple security levels as described in claim 1, wherein the step of the client logging in to the financial institution with biometric features further includes the financial institution requiring the client to use online fast authentication (Fast IDentity Online, FIDO) framework to send a login verification request to the platform side, so that the platform side requests a login verification data from the client side, and the client side obtains the institutional login data of the financial institution side after passing biometric identification and After reading out the login verification information, send the login verification information and the institution’s login information to the platform, and the platform will send the institution’s login information to the financial institution after successfully verifying the login verification information sent by the client , the step of enabling the financial institution to allow the client to log in. 如請求項1所述之使用多安全層級驗證客戶身分與交易服務之方法,其中該方法於該客戶端以生物特徵登入該金融機構端之步驟前,更包含該客戶端向該平台端或該金融機構端申請實體之一可信模組後,一服務端線上輸入該客戶端之裝置識別資料以啟用該可信模組,及該客戶端安裝該可信模組之步驟。The method for verifying client identity and transaction services using multiple security levels as described in claim 1, wherein the method further includes sending the client to the platform or the financial institution before the client uses biometrics to log in to the financial institution. After the financial institution side applies for a trusted module of the entity, a server side inputs the device identification data of the client terminal online to activate the trusted module, and the client installs the trusted module. 一種使用多安全層級驗證客戶身分與交易服務之系統,該系統至少包含: 一客戶端,安裝有一可信模組,該可信模組儲存一交易驗證資料; 一金融機構端,用以提供該客戶端以生物特徵進行登入,並於該客戶端請求一交易服務時,判斷該交易服務是否符合基本交易層級,當該交易服務為基本交易層級時,產生一身分驗證請求; 一平台端,用以接收該金融機構端所傳送之該身分驗證請求,並要求該客戶端進行身分驗證,使該客戶端加密該交易驗證資料以產生一交易加密資料並傳送該交易加密資料給平台端,及用以解密該交易加密資料以取得一身分檢核資料並確認該身分檢核資料與該交易驗證資料相符後,依據該身分驗證請求及該交易加密資料產生一第一存證資料並發布該第一存證資料至一區塊鏈,並傳送一身分驗證結果至該金融機構端,使該金融機構端於該身分驗證結果表示通過驗證時,產生與被請求之該交易服務對應之一交易資料; 一公信單位端,用以接收該金融機構端判斷該交易服務為實際交易層級時所傳送之該交易資料,對該交易資料簽章以產生一公信簽章,並傳送該公信簽章至該平台端;及 一鑑證端,用以接收該平台端所傳送之該公信簽章,並依據該公信簽章產生一第二存證資料,及發布該第二存證資料至該區塊鏈。 A system for verifying customer identity and transaction services using multiple security levels, the system at least includes: A client, installed with a trusted module, the trusted module stores a transaction verification data; A financial institution terminal is used to provide the client terminal to log in with biometric features, and when the client terminal requests a transaction service, judge whether the transaction service meets the basic transaction level, and when the transaction service is the basic transaction level, generate a identity verification request; A platform end, used to receive the identity verification request sent by the financial institution end, and request the client end to perform identity verification, make the client end encrypt the transaction verification data to generate a transaction encryption data, and send the transaction encryption data to On the platform side, it is used to decrypt the transaction encryption data to obtain an identity verification data and after confirming that the identity verification data matches the transaction verification data, generate a first deposit certificate data according to the identity verification request and the transaction encryption data And release the first deposit certificate information to a block chain, and send an identity verification result to the financial institution, so that the financial institution will generate a transaction corresponding to the requested transaction service when the identity verification result indicates that the verification is passed. one transaction data; A credible unit end, used to receive the transaction data sent by the financial institution when it judges that the transaction service is an actual transaction level, sign the transaction data to generate a credible signature, and send the credible signature to the platform end; and An authentication terminal is used to receive the public trust signature sent by the platform terminal, generate a second certificate storage data according to the public trust signature, and release the second certificate storage data to the block chain. 如請求項6所述之使用多安全層級驗證客戶身分與交易服務之系統,其中該金融機構端更用以於該交易服務符合實際交易層級時,進一步判斷該交易服務為監管交易層級時,傳送一模組驗證請求至該平台端,使該平台端向該客戶端要求進行可信模組驗證,該客戶端更用以加密安裝於該客戶端上之可信模組所儲存之一可信安全資料以產生一模組加密資料並傳送該模組加密資料至該平台端,該平台端更用以解密該模組加密資料以取得一模組檢核資料並比對該模組檢核資料與該可信安全資料,當該模組檢核資料與該可信安全資料相符時,該金融機構端產生一第一申報資料並傳送給該平台端,該平台端產生包含該第一申報資料之一第二申報資料並傳送給一監管端,並依據該模組驗證請求、該模組加密資料及該第二申報資料產生一第三存證資料,及發布該第三存證資料至該區塊鏈。As described in Claim 6, the system using multiple security levels to verify customer identity and transaction services, wherein the financial institution is further used to send A module verification request is sent to the platform, so that the platform requests the client to verify the trusted module, and the client is further used to encrypt a trusted module stored in the trusted module installed on the client. Secure data to generate a module encrypted data and send the module encrypted data to the platform side, and the platform side is used to decrypt the module encrypted data to obtain a module verification data and compare the module verification data With the credible security data, when the module verification data matches the credible security data, the financial institution generates a first declaration data and transmits it to the platform, and the platform generates the first declaration data including the first declaration data One of the second declaration data is sent to a supervisory terminal, and a third certificate storage data is generated according to the module verification request, the module encryption data and the second declaration data, and the third certificate storage data is released to the blockchain. 如請求項6所述之使用多安全層級驗證客戶身分與交易服務之系統,其中該平台端更用以於該客戶端以實名制驗證完成註冊時傳送一登入驗證資料及該交易驗證資料至該客戶端,該客戶端更用以對使用者進行生物辨識後,加密該登入驗證資料以產生一登入加密資料並傳送該登入加密資料至該平台端,使該平台端解密該登入加密資料以取得一登入檢核資料並比對該登入檢核資料與該登入驗證資料,當該登入檢核資料與該登入驗證資料相符時,該平台端取得經該金融機構端認證之一個人資料,並由該平台端或該公信單位端對該個人資料進行運算以產生對應之一客戶認證資料並傳送給客戶端儲存,或該金融機構端由該客戶端取得該客戶認證資料,並傳送該客戶認證資料至該平台端以從該平台端下載該個人資料。The system using multiple security levels to verify customer identity and transaction services as described in claim item 6, wherein the platform is further used to send a login verification data and the transaction verification data to the client when the client completes registration with real-name verification terminal, the client is further used to encrypt the login verification data to generate a login encrypted data after biometric identification of the user, and send the login encrypted data to the platform, so that the platform can decrypt the login encrypted data to obtain a The login verification information is compared with the login verification information. When the login verification information matches the login verification information, the platform side obtains a personal data certified by the financial institution side, and the platform The terminal or the trustworthy unit terminal performs calculations on the personal data to generate a corresponding customer authentication information and transmits it to the client for storage, or the financial institution obtains the customer authentication information from the client and sends the customer authentication information to the client platform to download the personal data from the platform. 如請求項6所述之使用多安全層級驗證客戶身分與交易服務之系統,其中該金融機構端更用以於要求該客戶端使用線上快速認證架構登入時傳送一登入驗證請求至該平台端,使該平台端向該客戶端要求一登入驗證資料,該客戶端更用以通過生物特徵辨識後取得該金融機構端之一機構登入資料並由該可信模組讀出該登入驗證資料後,傳送該登入驗證資料及該機構登入資料至該平台端,該平台端更用以於成功驗證該客戶端所傳送之該登入驗證資料後,傳送該機構登入資料至該金融機構端,使該金融機構端允許該客戶端登入。The system using multiple security levels to verify customer identity and transaction services as described in claim 6, wherein the financial institution is further used to send a login verification request to the platform when requiring the client to log in using an online fast authentication framework, Make the platform side request a login verification data from the client terminal, and the client terminal is further used to obtain the institutional login data of the financial institution side through biometric identification and read out the login verification data by the trusted module, Send the login verification information and the institution's login information to the platform, and the platform is further used to send the institution's login information to the financial institution after successfully verifying the login verification information sent by the client, so that the financial institution The institution allows the client to log in. 如請求項9所述之使用多安全層級驗證客戶身分與交易服務之系統,其中該平台端更用以接收該客戶端所傳送之一聲明簽發請求,並於確認該身分檢核資料與該交易驗證資料相符時,簽發與該客戶端之使用者之分散式數位身分識別資料及該聲明簽發請求對應之一可驗證聲明,並發布該可驗證聲明至該區塊鏈,該金融機構端更用以依據該客戶端之使用者之分散式數位身分識別資料由該區塊鏈取得並驗證該可驗證聲明,並於該可驗證聲明通過驗證時判斷該身分驗證結果表示通過驗證。The system using multiple security levels to verify customer identity and transaction services as described in claim item 9, wherein the platform is further used to receive a statement issuance request sent by the client, and confirm the identity verification information and the transaction When the verification information matches, issue a verifiable statement corresponding to the distributed digital identification information of the user of the client and the request for issuing the statement, and publish the verifiable statement to the block chain, and the financial institution terminal will use Obtaining and verifying the verifiable statement from the block chain based on the distributed digital identity information of the user of the client, and judging that the identity verification result indicates that the verification is passed when the verifiable statement is verified.
TW110142078A 2021-11-11 2021-11-11 System for using multiple security levels to verify customer identity and transaction services and method thereof TWI828001B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110142078A TWI828001B (en) 2021-11-11 2021-11-11 System for using multiple security levels to verify customer identity and transaction services and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW110142078A TWI828001B (en) 2021-11-11 2021-11-11 System for using multiple security levels to verify customer identity and transaction services and method thereof

Publications (2)

Publication Number Publication Date
TW202319998A true TW202319998A (en) 2023-05-16
TWI828001B TWI828001B (en) 2024-01-01

Family

ID=87379028

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110142078A TWI828001B (en) 2021-11-11 2021-11-11 System for using multiple security levels to verify customer identity and transaction services and method thereof

Country Status (1)

Country Link
TW (1) TWI828001B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11080380B2 (en) * 2016-11-08 2021-08-03 Aware, Inc. Decentralized biometric identity authentication
CN108064440B (en) * 2017-05-25 2021-04-09 达闼机器人有限公司 Blockchain-based FIDO authentication method, device and system
US11831409B2 (en) * 2018-01-12 2023-11-28 Nok Nok Labs, Inc. System and method for binding verifiable claims
CN109560938A (en) * 2019-01-23 2019-04-02 广州微盾科技股份有限公司 Based on the block catenary system for referring to human body biological characteristics identification technology
TWI724667B (en) * 2019-12-03 2021-04-11 臺灣銀行股份有限公司 System of identity management and authorization and method thereof
CN112837059A (en) * 2021-01-12 2021-05-25 曹燕 Payment strategy calling method for block chain security protection and digital financial platform

Also Published As

Publication number Publication date
TWI828001B (en) 2024-01-01

Similar Documents

Publication Publication Date Title
US12015716B2 (en) System and method for securely processing an electronic identity
TWM623435U (en) System for verifying client identity and transaction services using multiple security levels
US8615663B2 (en) System and method for secure remote biometric authentication
US9083533B2 (en) System and methods for online authentication
US7689832B2 (en) Biometric-based system and method for enabling authentication of electronic messages sent over a network
US9160732B2 (en) System and methods for online authentication
KR101863953B1 (en) System and method for providing electronic signature service
JP5695120B2 (en) Single sign-on between systems
US20090293111A1 (en) Third party system for biometric authentication
WO2007094165A1 (en) Id system and program, and id method
US20110289318A1 (en) System and Method for Online Digital Signature and Verification
JPH10336169A (en) Authenticating method, authenticating device, storage medium, authenticating server and authenticating terminal
WO2003007121A2 (en) Method and system for determining confidence in a digital transaction
CN106936588A (en) A kind of trustship method, the apparatus and system of hardware controls lock
US20190007218A1 (en) Second dynamic authentication of an electronic signature using a secure hardware module
CA2335532A1 (en) Apparatus and method for end-to-end authentication using biometric data
TWI772908B (en) System and method for using a device of fast identity online to certified and signed
KR101868564B1 (en) Apparatus for authenticating user in association with user-identification-registration and local-authentication and method for using the same
CN118250061A (en) A domestic encrypted digital authentication protection method for charging and swapping systems
CN101521571B (en) Method for authenticating safety unit and server side of mobile hardware
US20240129139A1 (en) User authentication using two independent security elements
TWI828001B (en) System for using multiple security levels to verify customer identity and transaction services and method thereof
CN102739398A (en) Online bank identity authentication method and apparatus thereof
JP2007258789A (en) Agent authentication system, agent authentication method, and agent authentication program
KR100649858B1 (en) Public telephone smart card issuance / authentication system and method