TWI715500B - Authentication system and authentication method - Google Patents
- Publication number: TWI715500B (TW109116734A)
- Authority: TW (Taiwan)
- Prior art keywords: controller, key, file, authentication, electronic device
Classifications
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
Description
The present invention relates to an authentication system and an authentication method, and in particular to an authentication system and an authentication method developed on the basis of the Universal 2nd Factor (U2F) protocol defined by the FIDO (Fast Identity Online) Alliance.
With the rapid development of network technology, the transmission of much important information, as well as commercial and financial transactions, relies on the network to provide services. To improve the security of network use, many websites have begun to support authentication using the Universal 2nd Factor (U2F) protocol. However, a user must additionally purchase a physical key device designed and manufactured specifically for the U2F protocol before being able to use, through a computer, the U2F authentication service supported by a server website. This increases the user's cost and thereby reduces the user's willingness to use the service.
In view of this, the present invention provides an authentication system and an authentication method that not only let a user use the U2F authentication service supported by a website, but also reduce the user's cost, thereby increasing the user's willingness to use it.
The authentication system of the present invention includes an electronic device. The electronic device includes a controller, a processor and a button module. The controller has a digest table. The processor is coupled to the controller and executes an application. The button module is coupled to the controller and is controlled by the controller. In the binding phase, the application generates a digest file according to key factor information and stores the digest file in the digest table of the electronic device. In the verification phase, the application determines, according to the digest file and the key factor information, whether the controller corresponds to a bound device. If the controller corresponds to the bound device, then in the authentication phase the controller, in response to a press of the button module, performs the authentication operation of the U2F service with a server device according to the digest file corresponding to the bound device.
The authentication method of the present invention includes the following steps. In the binding phase, an application executed by the processor of an electronic device generates a digest file according to key factor information and a selection policy, and stores the digest file in the digest table of the controller of the electronic device. In the verification phase, the application of the electronic device determines, according to the digest file and the key factor information, whether the controller corresponds to a bound device. If the controller corresponds to the bound device, then in the authentication phase the controller, in response to a press of the button module of the electronic device, performs the authentication operation of the U2F service with a server device according to the digest file corresponding to the bound device.
Based on the above, the authentication system and authentication method proposed by the present invention let a user use the U2F authentication supported by a server device, which improves the security of using the server device's services. In addition, the mobile storage device or mobile communication device in the proposed authentication system may be any existing type of portable storage device or portable communication device, and the authentication method can be executed by the electronic device, so the user does not need to purchase an additional physical key device designed and manufactured specifically for the U2F protocol. This effectively reduces the cost of using U2F authentication and thereby increases the user's willingness to use it.
To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.
To make the content of the present invention easier to understand, the following embodiments are given as examples by which the invention can actually be implemented. In addition, wherever possible, elements and components with the same reference numerals in the drawings and embodiments denote the same or similar parts.
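FIG. 1 is a block diagram and application schematic of an authentication system according to an embodiment of the invention. Referring to FIG. 1, the authentication system 100 includes at least an electronic device 140; in other embodiments, the authentication system 100 may further include one of a mobile storage device 120 and a mobile communication device 130.
The mobile storage device 120 stores a key identification file KDF so as to serve as a physical key device. The electronic device 140 can be plugged into the mobile storage device 120. The electronic device 140 may perform the U2F-related operations according to the key identification file KDF stored in the mobile storage device 120 and may, in response to a press of the button module of the electronic device 140, enable the U2F authentication service supported by the server device 900, so that the user of the electronic device 140 can use that service.
The mobile communication device 130 transmits a biometric confirmation result BIR, for example a face recognition result or a fingerprint recognition result, although embodiments of the invention are not limited thereto. The electronic device 140 connects to the mobile communication device 130 in a wired or wireless manner. The electronic device 140 may perform the U2F-related operations according to the biometric confirmation result BIR provided by the mobile communication device 130 and may, in response to a press of the button module of the electronic device 140, enable the U2F authentication service supported by the server device 900, so that the user of the electronic device 140 can use that service.
Moreover, when the electronic device 140 is not connected to an external electronic device (such as the mobile storage device 120 or the mobile communication device 130), the electronic device 140 may perform the U2F-related operations according to its own information and may, in response to a press of the button module of the electronic device 140, enable the U2F authentication service supported by the server device 900, so that the user of the electronic device 140 can use that service.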
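Therefore, even if the user's login account and password for the server device 900 are obtained by another person, as long as the bound interface physical device (for example the electronic device 140) has not been obtained by that person, or the corresponding authentication physical device (for example the mobile storage device 120 or the mobile communication device 130) has not been obtained by that person, the login account and password entered by that person cannot pass the U2F authentication of the server device 900, and that person therefore cannot log in to the user's account.
In an embodiment of the invention, the mobile storage device 120 may be, for example, a Universal Serial Bus (USB) flash drive or a combination of a USB card reader and a memory card, and the mobile communication device 130 may be, for example, a mobile phone or a tablet computer, but the invention is not limited thereto. In fact, the mobile storage device 120 may be any existing type of portable storage device and the mobile communication device 130 may be any existing type of portable communication device, which reduces the user's cost.
In an embodiment of the invention, the electronic device 140 may be, for example, a notebook computer, but the invention is not limited thereto.
In an embodiment of the invention, the electronic device 140 may communicate with the server device 900 by wired or wireless communication.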
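In an embodiment of the invention, the authentication flow of the authentication system 100 may include, but is not limited to, a binding phase, a verification phase and an authentication phase. In the binding phase, the electronic device 140 used to perform the U2F authentication can be bound, and one of the mobile storage device 120 and the mobile communication device 130 can additionally be bound to the electronic device 140. When the electronic device 140 is plugged into the mobile storage device 120, in the binding phase the electronic device 140 may generate the key identification file KDF according to the key factor information KFI0 of the electronic device 140 and transmit the key identification file KDF to the mobile storage device 120. In addition, in the binding phase the electronic device 140 may generate a digest file DGF according to the file state of the key identification file KDF and the key factor information KFI0 of the mobile storage device 120, and store the digest file DGF in the controller (described later) of the electronic device 140, where the controller stores a digest table. In this way, the mobile storage device 120 and the electronic device 140 are bound to each other by the key identification file KDF and the digest file DGF.
When the electronic device 140 is connected to the mobile communication device 130, in the binding phase the mobile communication device 130 provides a first public key UK1 and key factor information KFI2 to the electronic device 140. The key factor information KFI2 is, for example, the account currently logged in on the mobile communication device 130 (for example an e-mail address), the International Mobile Equipment Identity (IMEI) code of the mobile communication device 130, the telephone number of the current subscriber identity module (SIM) card, and a message code randomly generated at the time of binding by the application on the mobile communication device 130. In addition, in the binding phase the electronic device 140 may generate the digest file DGF according to the key factor information KFI2 of the mobile communication device 130 and the key factor information KFI0 of the mobile storage device 120, and store the digest file DGF in the digest table of the electronic device 140. In this way, the mobile communication device 130 and the electronic device 140 are bound to each other by the first public key UK1 and the digest file DGF.
When the electronic device 140 is not connected to an external electronic device, in the binding phase the electronic device 140 may generate the digest file DGF according to its key factor information KFI0 and store the digest file DGF in the digest table of the electronic device 140, so as to pretend to be bound to a virtual device.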
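In addition, when the electronic device 140 is plugged into the mobile storage device 120, in the verification phase the electronic device 140 can verify whether the mobile storage device 120 and the electronic device 140 are bound to each other. Specifically, the electronic device 140 may read the key identification file KDF from the mobile storage device 120 and verify, according to the digest file DGF and the key factor information KFI0 of the electronic device 140, whether the key identification file KDF in the mobile storage device 120 is valid. If the electronic device 140 finds the key identification file KDF valid, the mobile storage device 120 and the electronic device 140 are bound to each other, that is, the electronic device 140 is determined to correspond to the bound device (the mobile storage device 120), and in the authentication phase the electronic device 140 may perform the authentication operation of the U2F service with the server device 900 according to the digest file DGF corresponding to the key identification file KDF.
When the electronic device 140 is connected to the mobile communication device 130, in the verification phase the electronic device 140 can verify whether the mobile communication device 130 and the electronic device 140 are bound to each other. Specifically, the mobile communication device 130 may receive a first authentication challenge CHS1 from the electronic device 140 and return a first signature SIG1 to the electronic device 140 according to the first authentication challenge CHS1; the electronic device 140 confirms whether the first signature SIG1 corresponds to the first public key UK1 and thereby confirms whether the mobile communication device 130 is the bound device. If the mobile communication device 130 is the bound device, the electronic device 140 may perform the authentication operation of the U2F service with the server device 900 according to the digest file DGF corresponding to the mobile communication device 130.
When the electronic device 140 is not connected to an external electronic device, in the verification phase the electronic device 140 may confirm, according to the key factor information KFI0, whether the electronic device 140 corresponds to the bound device (here, the virtual device). In general, the electronic device 140 will be confirmed as corresponding to the bound device, and the electronic device 140 may then perform the authentication operation of the U2F service with the server device 900 according to the digest file DGF.
In an embodiment of the invention, the authentication flow of the authentication system 100 may further include a registration phase. Specifically, if the electronic device 140 is confirmed as corresponding to the bound device, then in the registration phase the electronic device 140 may register for the U2F service with the server device 900 according to the corresponding digest file DGF. Once the electronic device 140 has completed registration for the U2F service with the server device 900 according to the digest file DGF, authentication of the U2F service performed by the electronic device 140 with the server device 900 according to the corresponding digest file DGF in the authentication phase will pass.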
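FIG. 2 is a flowchart of the steps of an authentication method according to an embodiment of the invention. Referring to FIG. 1 and FIG. 2 together, the authentication method of this exemplary embodiment includes the following steps. First, regardless of whether the mobile storage device 120 is plugged into the electronic device 140 or the mobile communication device 130 is connected to the electronic device 140, the user can decide whether to bind the electronic device 140 with an external device (such as the mobile storage device 120 or the mobile communication device 130) or with a virtual device, as shown in step S200. If the decision in step S200 is yes, step S210 is executed; otherwise step S220 is executed. In the binding phase shown in step S210, the application of the electronic device 140 generates the digest file DGF according to the key factor information KFI0 (or additionally one of the key factor information KFI1 and KFI2) and a selection policy SEP, and stores the digest file DGF and the selection policy SEP in the digest table in the controller of the electronic device 140.
In addition, in the verification phase shown in step S220, the application of the electronic device 140 determines, according to the digest file DGF and one of the key factor information KFI0, KFI1 and KFI2, whether the controller of the electronic device 140 corresponds to the bound device. If the controller of the electronic device 140 corresponds to the bound device, it is decided whether to register for the U2F service with the server device 900, as shown in step S230. If the decision in step S230 is yes, then in the registration phase shown in step S240 the electronic device 140 registers for the U2F service with the server device 900 according to the digest file DGF. If the decision in step S230 is no, then in the authentication phase shown in step S250 the controller of the electronic device 140, in response to a press of the button module of the electronic device 140, performs the authentication operation of the U2F service with the server device 900 according to the digest file DGF of the bound device.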
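FIG. 3 is a block diagram of an electronic device according to an embodiment of the invention. Referring to FIG. 3, the electronic device 140 may include a controller 141, a processor 142 and a button module 144, but the invention is not limited thereto. The controller 141 may include a storage 143 and has an identification code SN. The button module 144 is coupled to the controller 141 and is controlled by the controller 141. The processor 142 is coupled to the controller 141. The processor 142 may execute an application AP and perform steps S210 and S220 of FIG. 2 through the application AP, and the controller 141 may perform steps S240 and S250 of FIG. 2 through its firmware.
In an embodiment of the invention, the processor 142 may be, for example, a central processing unit (CPU), but the invention is not limited thereto.
In an embodiment of the invention, the controller 141 may be, for example, a microcontroller, but the invention is not limited thereto.
In an embodiment of the invention, the storage 143 may be, for example, a Serial Peripheral Interface (SPI) flash memory, but the invention is not limited thereto.
In an embodiment of the invention, the electronic device 140 may further include a communication module. The communication module is coupled to the controller 141. The controller 141 may communicate with the server device 900 through the communication module.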
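FIG. 4 is a flowchart of the detailed steps of step S210 (the binding phase) of FIG. 2 according to an embodiment of the invention. Referring to FIG. 1, FIG. 3 and FIG. 4 together, the key factor information KFI0 of the electronic device 140 may include the identification code SN of the controller 141, the identification code SAP of the application AP and the login account LID of the electronic device 140, but the invention is not limited thereto. As shown in FIG. 4, step S210 may include detailed steps S2100, S2102, S2104, S2106 and S2108. First, in step S2100, the application AP of the processor 142 may perform a hashing operation on the identification code SN of the controller 141, the identification code SAP of the application AP and the login account LID of the electronic device 140 to generate the key identification file KDF. Then, in step S2102, the application AP of the processor 142 may transmit the key identification file KDF to the mobile storage device 120.
In an embodiment of the invention, the identification code SN of the controller 141 may be, for example, the manufacturing number of the controller 141, which is read-only and unique and identifies the controller 141, but the invention is not limited thereto. In an embodiment of the invention, the identification code SAP of the application AP may be, for example, a Globally Unique Identifier (GUID), but the invention is not limited thereto. In an embodiment of the invention, the login account LID of the electronic device 140 may be, for example, the login account of the operating system of the electronic device 140, but the invention is not limited thereto.
Because the key identification file KDF in the mobile storage device 120 depends on the identification code SN of the controller 141, the identification code SAP of the application AP and the login account LID of the electronic device 140, the key identification file KDF in the mobile storage device 120 cannot be used on another electronic device even if the mobile storage device 120 is stolen. This is because the controller identification code and application identification code of another electronic device differ from the controller identification code SN and the application identification code SAP of the original electronic device 140, and the login account of another electronic device may also differ from the login account LID of the original electronic device 140, so the key identification file KDF in the mobile storage device 120 is judged invalid on another electronic device. This improves the security of the authentication system 100.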
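In addition, in step S2104, the application AP of the processor 142 may randomly generate a selection policy SEP. Then, in step S2106, the application AP of the processor 142 may, according to the selection policy SEP, select at least one of the file state of the key identification file KDF and the key factor information KFI1 of the mobile storage device 120 and perform a hashing operation on it to generate the digest file DGF. After that, in step S2108, the processor 142 may store the digest file DGF and the corresponding selection policy SEP in the digest table in the encrypted storage area 1432 of the storage 143.
More specifically, the file state of the key identification file KDF may include at least one of the creation date, the modification date, the access date, the starting position of the file cluster and the number of file clusters of the key identification file KDF. In addition, the key factor information KFI1 of the mobile storage device 120 may include at least one of the vendor identification code of the mobile storage device 120, the product identification code of the mobile storage device 120 and the size of the remaining storage space of the mobile storage device 120.
For example, if the selection policy SEP randomly generated by the application AP of the processor 142 is the creation date of the key identification file KDF, the size of the remaining storage space of the mobile storage device 120 and the number of file clusters of the key identification file KDF, the application AP of the processor 142 selects the creation date of the key identification file KDF, the size of the remaining storage space of the mobile storage device 120 and the number of file clusters of the key identification file KDF, performs a hashing operation on them to generate the digest file DGF, and stores the digest file DGF and the corresponding selection policy SEP in the encrypted storage area 1432 of the storage 143.
It can be understood that, because the selection policy SEP used to generate the digest file DGF is randomly generated by the application AP of the processor 142, and the digest file DGF generated by the processor 142 and its selection policy SEP are stored in the encrypted storage area 1432, another person can know neither the content of the digest file DGF corresponding to the key identification file KDF nor how the digest file DGF was generated (since the selection policy SEP of the digest file DGF cannot be known), which prevents the digest file DGF from being copied by others. In addition, even if the key identification file KDF is stolen and copied to another mobile storage device, the copied key identification file differs from the original key identification file in creation date, modification date, access date and starting position of the file cluster, and the other mobile storage device cannot have exactly the same vendor identification code, product identification code and remaining storage space as the original mobile storage device. Therefore, in the verification phase, the application AP of the processor 142 can determine from the digest file DGF and the selection policy SEP that the copied key identification file is invalid. This improves the security of the authentication system 100.
Incidentally, the mobile storage device 120 can be bound to multiple different electronic devices, so one or more key identification files may be stored in the mobile storage device 120, these key identification files corresponding respectively to different electronic devices, or different login accounts, or different electronic devices and different login accounts. Similarly, the electronic device 140 can be bound to multiple different mobile storage devices, so the number of combinations of digest file and selection policy stored in the encrypted storage area 1432 may be one or more, these digest files corresponding respectively to different key identification files.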
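FIG. 5 is a flowchart of the detailed steps of step S220 (the verification phase) of FIG. 2 according to an embodiment of the invention. Refer to FIG. 1, FIG. 3 and FIG. 5 together. As shown in FIG. 5, when the electronic device 140 is plugged into the mobile storage device 120, step S220 includes detailed steps S2201 to S2205. First, in step S2201, the application AP of the processor 142 checks whether the mobile storage device 120 holds a key identification file KDF. In an embodiment of the invention, the application AP of the processor 142 may determine from the file name or file extension of a file stored in the mobile storage device 120 whether it is a key identification file KDF, but the invention is not limited thereto. If the result of the check in step S2201 is no, the mobile storage device 120 holds no key identification file KDF, and the application AP of the processor 142 determines that verification has failed, as shown in step S2205, and ends the verification. If the result of the check in step S2201 is yes, the mobile storage device 120 holds a key identification file KDF, and step S2202 is executed.
In step S2202, the application AP of the processor 142 may check, according to the selection policy SEP of the digest file DGF in the encrypted storage area 1432, whether the key identification file KDF corresponds to the digest file DGF. If the result of the check in step S2202 is no, the key identification file KDF in the mobile storage device 120 does not correspond to the digest file DGF in the encrypted storage area 1432, and the processor 142 determines that verification has failed, that is, the controller 141 does not correspond to the bound device, as shown in step S2205, and ends the verification. If the result of the check in step S2202 is yes, the key identification file KDF in the mobile storage device 120 corresponds to the digest file DGF in the encrypted storage area 1432, that is, the controller 141 corresponds to the bound device, and step S2203 is executed.
For example, assume that the mobile storage device 120 holds a key identification file KDF, and that the encrypted storage area 1432 holds a first digest file with its first selection policy and a second digest file with its second selection policy. First, the application AP of the processor 142 may, according to the first selection policy in the encrypted storage area 1432, select at least one of the file state of the key identification file KDF and the key factor information KFI1 of the mobile storage device 120 and perform a hashing operation on it to generate a first comparison file, and determine whether the first comparison file is identical to the first digest file. If the first comparison file is identical to the first digest file, the key identification file KDF in the mobile storage device 120 corresponds to the first digest file in the encrypted storage area 1432, and step S2203 is executed.
If the first comparison file differs from the first digest file, the key identification file KDF in the mobile storage device 120 does not correspond to the first digest file in the encrypted storage area 1432, and the processor 142 may then, according to the second selection policy in the encrypted storage area 1432, select at least one of the file state of the key identification file KDF and the key factor information KFI1 of the mobile storage device 120 and perform a hashing operation on it to generate a second comparison file, and determine whether the second comparison file is identical to the second digest file.
If the second comparison file is identical to the second digest file, the key identification file KDF in the mobile storage device 120 corresponds to the second digest file in the encrypted storage area 1432, and step S2203 is executed. If the second comparison file differs from the second digest file, the key identification file KDF in the mobile storage device 120 corresponds to neither the first digest file nor the second digest file in the encrypted storage area 1432, and the application AP of the processor 142 determines that verification has failed (that is, the key identification file KDF is invalid), as shown in step S2205, and ends the verification.
In step S2203, the application AP of the processor 142 may perform a hashing operation on the identification code SN of the controller 141, the identification code SAP of the application AP and the login account LID of the electronic device 140 to check whether the key identification file KDF is correct. If the result of the check in step S2203 is no, the application AP of the processor 142 determines that verification has failed (that is, the key identification file KDF is invalid), as shown in step S2205, and ends the verification. If the result of the check in step S2203 is yes, the processor 142 determines that the key identification file KDF is valid, as shown in step S2204, and proceeds to step S230.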
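The binding steps S2100 to S2108 and the verification steps S2201 to S2205 for a mobile storage device can be followed end to end in the sketch below. It is an added example, not code from the patent; SHA-256, the attribute names, the `Drive` model and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Attribute names are this example's labels for the file-state and device
# items the description lists; every value used below is constructed.
FILE_STATE = ("created", "modified", "accessed", "first_cluster", "cluster_count")
DEVICE_INFO = ("vendor_id", "product_id", "free_bytes")


def hash_fields(pairs):
    """SHA-256 over length-prefixed name/value pairs (no field-boundary ambiguity)."""
    h = hashlib.sha256()
    for name, value in pairs:
        for part in (name, str(value)):
            data = part.encode("utf-8")
            h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def make_kdf(sn, sap, lid):
    """S2100: key identification file from controller SN, app ID SAP, login LID."""
    return hash_fields([("SN", sn), ("SAP", sap), ("LID", lid)])


def random_policy():
    """S2104: a random non-empty subset of attributes, kept in a fixed order."""
    names = FILE_STATE + DEVICE_INFO
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(names, rng.randint(1, len(names)))))


def make_dgf(policy, attrs):
    """S2106: digest file over only the attributes the policy selects."""
    return hash_fields([(name, attrs[name]) for name in policy])


@dataclass
class Drive:
    """Constructed model of a USB drive: device info, KDF bytes, KDF file state."""
    info: dict
    file_state: dict = field(default_factory=dict)
    kdf: bytes = b""

    def attrs(self):
        return {**self.file_state, **self.info}


def bind(sn, sap, lid, drive, file_state, table, policy=None):
    """Binding phase; `table` stands in for the digest table in the encrypted area."""
    drive.kdf = make_kdf(sn, sap, lid)            # S2100, S2102
    drive.file_state = dict(file_state)           # state assigned when the file is written
    policy = policy or random_policy()            # S2104
    table.append((policy, make_dgf(policy, drive.attrs())))  # S2106, S2108


def verify(sn, sap, lid, drive, table):
    """Verification phase; returns (ok, reason)."""
    if not drive.kdf:                             # S2201
        return False, "no KDF on drive"
    attrs = drive.attrs()
    if not any(hmac.compare_digest(make_dgf(p, attrs), d) for p, d in table):
        return False, "no digest entry matches"   # S2202 failed for every entry
    if not hmac.compare_digest(drive.kdf, make_kdf(sn, sap, lid)):
        return False, "KDF not for this device/account"  # S2203
    return True, "valid"                          # S2204


def demo():
    """Bind one drive, then verify it, a copy, another login and a changed drive."""
    host = ("SN-0001", "app-guid-0001", "alice")  # constructed SN, SAP, LID
    state = {"created": "2020-05-20T10:00:00", "modified": "2020-05-20T10:00:00",
             "accessed": "2020-05-20T10:00:00", "first_cluster": 4096, "cluster_count": 1}
    usb = Drive(info={"vendor_id": "0x1111", "product_id": "0x2222", "free_bytes": 7_000_000})
    table = []
    # Policy from the description's example: creation date, free space, cluster count.
    bind(*host, usb, state, table, policy=("cluster_count", "created", "free_bytes"))
    out = {"original": verify(*host, usb, table)}

    # Same KDF bytes copied to another drive: new creation date, other device info.
    copy = Drive(info={"vendor_id": "0x3333", "product_id": "0x4444", "free_bytes": 900_000},
                 file_state={**state, "created": "2020-06-01T09:30:00", "first_cluster": 512},
                 kdf=usb.kdf)
    out["copied"] = verify(*host, copy, table)

    # Bound drive presented under a different login account: S2203 rejects it.
    out["other_login"] = verify("SN-0001", "app-guid-0001", "bob", usb, table)

    # Ordinary use changes free space, so a policy that selected it stops matching.
    usb.info["free_bytes"] -= 4096
    out["after_write"] = verify(*host, usb, table)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last case is worth noting when evaluating such a design: any selected attribute that changes during normal use of the drive, such as remaining space or access date, makes the bound drive fail verification until it is bound again.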
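FIG. 6 is a flowchart of the detailed steps of step S210 of FIG. 2 according to another embodiment of the invention. Refer to FIG. 1, FIG. 3 and FIG. 6 together. As shown in FIG. 6, when the electronic device is connected to the mobile communication device 130, step S210 includes detailed steps S2100a and S2102a; in this case the electronic device 140 and the mobile communication device 130 perform asymmetric authentication and asymmetric encrypted transmission. First, in step S2100a, in the binding phase, the application AP of the processor 142 waits for a first biometric confirmation result BIR1 from the mobile communication device 130. In step S2102a, when the first biometric confirmation result BIR1 is a pass, the application AP of the processor 142, after receiving the key factor information KFI2 from the mobile communication device 130, transmits the key factor information KFI2 to the controller 141 to generate the digest file DGF.
FIG. 7 is a flowchart of the detailed steps of step S220 of FIG. 2 according to another embodiment of the invention. Refer to FIG. 1, FIG. 3 and FIG. 7 together. As shown in FIG. 7, when the electronic device 140 is connected to the mobile communication device 130, step S220 includes detailed steps S2200a and S2202a; in this case the electronic device 140 and the mobile communication device 130 perform asymmetric authentication and symmetric encrypted transmission. First, in step S2200a, in the verification phase, the application AP of the processor 142 waits for a second biometric confirmation result BIR2 from the mobile communication device 130. In step S2202a, when the second biometric confirmation result BIR2 is a pass, the application AP of the processor 142, after receiving the key factor information KFI2 from the mobile communication device 130, transmits the key factor information KFI2 to the controller 141 to confirm whether the controller 141 corresponds to the bound device.
In an embodiment of the invention, while the application AP of the processor 142 waits for the first biometric confirmation result BIR1 or the second biometric confirmation result BIR2 from the mobile communication device 130, the mobile communication device 130 generates a first public key UK1 and a first private key IK1, and the application AP of the processor 142 requests the first public key UK1, a biometric status BIS and the key factor information KFI2 from the mobile communication device 130; the application stores the first public key UK1. Before the application AP of the processor 142 transmits the key factor information KFI2 to the controller 141, the application of the processor 142 generates a second public key UK2 and a second private key IK2, and the second public key UK2 is sent to the controller 141 so that the controller 141 stores the second public key UK2.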
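FIG. 8 is a flowchart of the detailed steps by which the application authenticates the mobile communication device according to an embodiment of the invention. Refer to FIG. 1, FIG. 3 and FIG. 8 together. As shown in FIG. 8, when the application AP of the processor 142 authenticates the mobile communication device 130, the mobile communication device 130 obtains a first authentication challenge CHS1 from the application AP of the processor 142, generates a first signature SIG1 with the first private key IK1 in response to the first authentication challenge CHS1, and returns the first signature SIG1 to the application AP of the processor 142. The application AP of the processor 142 uses the first public key UK1 transmitted by the mobile communication device 130 to check whether the first signature SIG1 is correct, and thereby authenticates the mobile communication device 130.
FIG. 9 is a flowchart of the detailed steps by which the controller authenticates the application according to an embodiment of the invention. Refer to FIG. 1, FIG. 3 and FIG. 9 together. As shown in FIG. 9, when the controller 141 authenticates the application AP of the processor 142, the application AP of the processor 142 obtains a second authentication challenge CHS2 from the controller 141, generates a second signature SIG2 with the second private key IK2 in response to the second authentication challenge CHS2, and returns the second signature SIG2 to the controller 141. The controller 141 uses the second public key UK2 transmitted by the application AP of the processor 142 to check whether the second signature SIG2 is correct, and thereby authenticates the application AP of the processor 142.
In an embodiment of the invention, the electronic device 140 can enable U2F authentication without being connected to an external electronic device. When the electronic device 140 is not connected to an external electronic device, in the binding phase, that is, in step S210, the application AP of the processor 142 generates the digest file DGF according to the key factor information KFI0 of the electronic device 140 and the selection policy SEP. In the verification phase, that is, in step S220, the application AP of the processor 142 determines, according to the digest file DGF and the key factor information KFI0 of the electronic device 140, whether the controller 141 corresponds to the bound device.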
FIG. 10 is a flowchart of the detailed steps of step S240 (the registration phase) of FIG. 2 according to an embodiment of the invention. Refer to FIG. 1, FIG. 3 and FIG. 10 together. As shown in FIG. 10, step S240 includes detailed steps S2400, S2402, S2404 and S2406. First, in step S2400, the controller 141 may transmit the account and password entered by the user for logging in to the server device 900 to the server device 900. Then, in step S2402, the controller 141 may obtain the corresponding server identification code SVID from the server device 900, and the controller 141 may obtain from the processor 142 the digest file DGF corresponding to the key identification file KDF. Next, in step S2404, the controller 141 performs a hashing operation on a random number RNB, the server identification code SVID and the digest file DGF to generate a message identification code MAC and a public key UK.
Specifically, step S2404 may include detailed steps S642 and S644. First, in step S642, the controller 141 may perform a hashing operation on the random number RNB, the server identification code SVID and the digest file DGF to generate a private key IK and the public key UK. Next, in step S644, the controller 141 may perform a hashing operation on the private key IK, the server identification code SVID and the digest file DGF to generate the message identification code MAC.
After that, in step S2406, the controller 141 may transmit the random number RNB, the message identification code MAC and the public key UK to the server device 900 to register for the U2F service with the server device 900. The server device 900 can then associate the account and password used for logging in to the server device 900 with the public key UK and complete the registration.
In an embodiment of the invention, the hashing operations mentioned above may use an existing hash algorithm, such as the Secure Hash Algorithm (SHA), but the invention is not limited thereto; the choice depends on the actual application or design requirements.
圖11是依照本發明一實施例所繪示的圖2的步驟S250(即認證階段)的細節步驟流程圖。請合併參照圖1、圖3及圖11。如圖11所示,步驟S250包括細節步驟S2500、S2502、S2504、S2506。首先,於步驟S2500,控制器141可將使用者所輸入的用於登入伺服器裝置900的帳號及密碼傳送至伺服器裝置900,致使伺服器裝置900可根據上述帳號及密碼查找對應的公鑰UK及送出認證詢問CHS。然後,於步驟S2502,控制器141可取得來自伺服器裝置900的認證詢問CHS。接著,於步驟S2504,控制器141可反應於認證詢問CHS而依據私鑰IK產生簽章SIG。FIG. 11 is a detailed flowchart of step S250 (ie, the authentication phase) of FIG. 2 according to an embodiment of the present invention. Please refer to Figure 1, Figure 3 and Figure 11 together. As shown in FIG. 11, step S250 includes detailed steps S2500, S2502, S2504, and S2506. First, in step S2500, the
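In an embodiment of the present invention, step S2504 may include detailed steps S752, S754 and S756. First, in step S752, the controller 141 may determine whether a specific key of the key module 144 of the electronic device 140 has been pressed. If the result of step S752 is no, which indicates that the user may not be near the electronic device 140 or is not using the electronic device 140, then in step S756 the controller 141 does not generate the signature SIG. If the result of step S752 is yes, which indicates that the user is indeed near the electronic device 140 and is using it, then the controller 141 generates the signature SIG according to the private key IK in response to the authentication challenge CHS, as shown in step S754. In an embodiment of the present invention, if the controller 141 does not return the signature SIG to the server device 900 within a specific time interval, the account and password used for logging in to the server device 900 cannot pass the universal second-factor protocol authentication of the server device 900, and the server device 900 sends a universal second-factor authentication failure message to the electronic device 140.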
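After that, in step S2506, the controller 141 returns the signature SIG to the server device 900, so that the server device 900 performs the authentication of the universal second-factor service according to the signature SIG and the public key UK (i.e., the public key corresponding to the account and password used for logging in to the server device 900). In detail, the server device 900 may use the public key UK to check whether the signature SIG is valid. If the server device 900 finds the signature SIG valid, the account and password used for logging in to the server device 900 pass the universal second-factor protocol authentication of the server device 900, and the user can start using the online services provided by the server device 900.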
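The registration steps S642/S644 and the authentication steps S752 to S756 and S2506 described above, as an added Python sketch that is not part of the patent text. Assumptions not taken from the page: ECDSA over NIST P-256, UK computed as IK times the base point, SHA-256 over length-prefixed fields with the labels `b"IK"`, `b"MAC"` and `b"K"`, a simplified deterministic nonce, and the hypothetical function names `register`, `sign` and `verify`.

```python
import hashlib

# NIST P-256 domain parameters. Assumption: the page names no curve or signature scheme.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p, q):
    """Affine point addition on y^2 = x^3 - 3x + b; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        s = (3 * p[0] * p[0] - 3) * pow(2 * p[1], -1, P) % P
    else:
        s = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (s * s - p[0] - q[0]) % P
    return x, (s * (p[0] - x) - p[1]) % P

def mul(k, p):  # double-and-add; not constant time, illustration only
    r = None
    while k:
        r, p, k = (add(r, p) if k & 1 else r), add(p, p), k >> 1
    return r

def h(*fields):  # SHA-256 over length-prefixed fields, returned as an integer
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def register(rnb, svid, dgf):
    ik = h(b"IK", rnb, svid, dgf) % (N - 1) + 1          # S642: private key IK
    mac = h(b"MAC", ik.to_bytes(32, "big"), svid, dgf)   # S644: MAC from IK, SVID, DGF
    return ik, mul(ik, G), mac                           # UK = IK*G; S2406 sends RNB, MAC, UK

def sign(ik, chs, button_pressed):
    if not button_pressed:                               # S752 -> S756: no SIG is produced
        return None
    k = h(b"K", ik.to_bytes(32, "big"), chs) % (N - 1) + 1  # simplified nonce, not RFC 6979
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h(chs) + r * ik) % N      # S754: SIG = (r, s)

def verify(uk, chs, sig):  # server side of S2506, using the UK stored at registration
    if sig is None or not all(0 < v < N for v in sig):
        return False
    w = pow(sig[1], -1, N)
    pt = add(mul(h(chs) * w % N, G), mul(sig[0] * w % N, uk))
    return pt is not None and pt[0] % N == sig[0]
```

Because IK is a pure function of RNB, SVID and DGF, a different server identification code yields an unrelated key pair, and anyone who learns all three inputs can recompute IK. Firmware would use a vetted, constant-time cryptographic library rather than the arithmetic shown here.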
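According to the above, when the electronic device 140 is plugged into the mobile storage device 120, the controller 141 confirms the application AP of the processor 142. After the application AP passes confirmation, the controller 141 then confirms the mobile storage device 120. Only after the mobile storage device 120 passes confirmation does the controller 141 enable the authentication operation of the universal second-factor service. When the electronic device 140 is connected to the mobile communication device 130, the application AP of the processor 142 confirms the mobile communication device 130. After the mobile communication device 130 passes confirmation, the controller 141 then confirms the application AP of the processor 142. After the application AP passes confirmation, the controller 141 in turn confirms the mobile communication device 130. Only after the mobile communication device 130 passes confirmation does the controller 141 enable the authentication operation of the universal second-factor service.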
In summary, the authentication system and authentication method proposed in the embodiments of the present invention allow the user to use the universal second-factor protocol verification supported by the server device, which improves the security of using the services of the server device. In addition, the mobile storage device or mobile communication device in the proposed authentication system can be any existing type of portable storage device or portable communication device, and the authentication method can be executed by the processor and the controller in the electronic device through the application and the firmware respectively, so the user does not need to purchase an additional physical key device designed and manufactured specifically for the universal second-factor protocol. In this way, the cost of using universal second-factor protocol verification can be effectively reduced, thereby increasing the user's willingness to use it.
Although the present invention has been disclosed above by way of embodiments, they are not intended to limit the present invention. Anyone with ordinary knowledge in the technical field may make some changes and modifications without departing from the spirit and scope of the present invention, so the scope of protection of the present invention shall be as defined by the appended claims.
100: authentication system
120: mobile storage device
130: mobile communication device
140: electronic device
141: controller
142: processor
143: storage
1432: encrypted storage area
144: key module
900: server device
AP: application
BIR: biometric confirmation result
BIR1: first biometric confirmation result
BIR2: second biometric confirmation result
BIS: biometric status
CHS: authentication challenge
CHS1: first authentication challenge
CHS2: second authentication challenge
DGF: digest file
IK: private key
IK1: first private key
IK2: second private key
KDF: key identification file
KFI0, KFI1, KFI2: key factor information of the electronic device
LID: login account of the electronic device
MAC: information identification code
RNB: random number
S200, S210, S220, S230, S240, S250, S2100, S2102, S2104, S2106, S2108, S2100a, S2102a, S2201, S2202, S2203, S2204, S2205, S2200a, S2202a, S2400, S2402, S2404, S2406, S642, S644, S2500, S2502, S2504, S2506, S752, S754, S756: steps
SAP: identification code of the application
SEP: selection policy
SIFO: information of the mobile storage device
SIG: signature
SIG1: first signature
SIG2: second signature
SN: identification code of the controller
SVID: server identification code
UK: public key
UK1: first public key
UK2: second public key
The accompanying drawings below are a part of the specification of the present invention and illustrate exemplary embodiments of the present invention. Together with the description in the specification, the drawings explain the principles of the present invention.
FIG. 1 is a block diagram and application diagram of an authentication system according to an embodiment of the present invention.
FIG. 2 is a flowchart of the steps of an authentication method according to an embodiment of the present invention.
FIG. 3 is a block diagram of an electronic device according to an embodiment of the present invention.
FIG. 4 is a flowchart of the detailed steps of step S210 of FIG. 2 according to an embodiment of the present invention.
FIG. 5 is a flowchart of the detailed steps of step S220 of FIG. 2 according to an embodiment of the present invention.
FIG. 6 is a flowchart of the detailed steps of step S210 of FIG. 2 according to another embodiment of the present invention.
FIG. 7 is a flowchart of the detailed steps of step S220 of FIG. 2 according to another embodiment of the present invention.
FIG. 8 is a flowchart of the detailed steps by which the application authenticates the mobile communication device according to an embodiment of the present invention.
FIG. 9 is a flowchart of the detailed steps by which the controller authenticates the application according to an embodiment of the present invention.
FIG. 10 is a flowchart of the detailed steps of step S240 of FIG. 2 according to an embodiment of the present invention.
FIG. 11 is a flowchart of the detailed steps of step S250 of FIG. 2 according to an embodiment of the present invention.
100: authentication system; 120: mobile storage device; 130: mobile communication device; 140: electronic device; 900: server device; BIR: biometric confirmation result; CHS1: first authentication challenge; DGF: digest file; KDF: key identification file; KFI0, KFI1, KFI2: key factor information; SEP: selection policy; SIG1: first signature; UK1: first public key
Claims (33)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010488875.6A CN112069493B (en) | 2019-06-10 | 2020-06-02 | Authentication system and authentication method |
| US16/894,889 US11509655B2 (en) | 2019-06-10 | 2020-06-08 | Authentication system and authentication method |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW108119975 | 2019-06-10 | ||
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW202046675A (en) | 2020-12-16 |
| TWI715500B (en) | 2021-01-01 |
Family
ID=73658589
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW109116734A TWI715500B (en) | 2019-06-10 | 2020-05-20 | Authentication system and authentication method |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN112073178B (en) |
| TW (1) | TWI715500B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9432373B2 (en) * | 2010-04-23 | 2016-08-30 | Apple Inc. | One step security system in a network storage system |
| CN115189716B (en) * | 2021-04-06 | 2025-01-21 | 瑞昱半导体股份有限公司 | Identification and pairing method of signal processing system and signal transmission device |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105554013A (en) * | 2015-12-30 | 2016-05-04 | 深圳数字电视国家工程实验室股份有限公司 | Separate identity authentication apparatus based on USB device, system and method |
| US20170232300A1 (en) * | 2016-02-02 | 2017-08-17 | Bao Tran | Smart device |
| WO2017155703A1 (en) * | 2016-03-08 | 2017-09-14 | Qualcomm Incorporated | System, apparatus and method for generating dynamic ipv6 addresses for secure authentication |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105577606B (en) * | 2014-10-09 | 2019-03-01 | 华为技术有限公司 | A method and device for realizing authenticator registration |
| WO2017128756A1 (en) * | 2016-01-25 | 2017-08-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for network access |
| US10154037B2 (en) * | 2017-03-22 | 2018-12-11 | Oracle International Corporation | Techniques for implementing a data storage device as a security device for managing access to resources |
| CN107994998A (en) * | 2018-01-24 | 2018-05-04 | 国民认证科技(北京)有限公司 | A kind of authentication information encryption method and system |
- 2019: 2019-10-10 CN CN201910979780.1A patent/CN112073178B/en active Active
- 2020: 2020-05-20 TW TW109116734A patent/TWI715500B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN112073178A (en) | 2020-12-11 |
| TW202046675A (en) | 2020-12-16 |
| CN112073178B (en) | 2024-04-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112069493B (en) | Authentication system and authentication method | |
| JP6574168B2 (en) | Terminal identification method, and method, system, and apparatus for registering machine identification code | |
| US10225089B2 (en) | Per-device authentication | |
| TWI759322B (en) | Method and device for programming and verification of Internet of Things equipment, and method and device for identity authentication | |
| US9667626B2 (en) | Network authentication method and device for implementing the same | |
| KR101941227B1 (en) | A FIDO authentication device capable of identity confirmation or non-repudiation and the method thereof | |
| CN111353903A (en) | Network identity protection method and device, electronic equipment and storage medium | |
| TW202134913A (en) | Query system, method and non-transitory machine-readable medium to determine authentication capabilities | |
| CN106656455B (en) | Website access method and device | |
| CN101027676A (en) | Personal Tokens and Methods for Controlled Authentication | |
| CN114579951B (en) | Service access method, electronic device and storage medium | |
| TWM595792U (en) | Authorization system for cross-platform authorizing access to resources | |
| TWI715500B (en) | Authentication system and authentication method | |
| JP6567939B2 (en) | Information processing system, peripheral device, wireless communication chip, application program, and information processing method | |
| TWI770411B (en) | Firmware access based on temporary passwords | |
| WO2009140911A1 (en) | Method for interactive authentication | |
| JP2001216270A (en) | Authentication station, authentication system and authentication method | |
| CN110061988B (en) | Authentication method of embedded equipment, service server and storage medium | |
| KR102515721B1 (en) | Non-fungible password authentication supproting method using one time password for authentication based on blockchain and apparatus therefor | |
| CN114615309B (en) | Client access control method, device, system, electronic equipment and storage medium | |
| WO2007016867A1 (en) | A method of physical authentication and a digital device | |
| JP7668314B2 (en) | PROGRAM, INFORMATION PROCESSING APPARATUS AND INFORMATION PROCESSING METHOD | |
| KR101936941B1 (en) | Electronic approval system, method, and program using biometric authentication | |
| TWI813905B (en) | System for using authentication mechanism of fast identity online to enable certificate and method thereof | |
| JP7768515B2 (en) | PROGRAM, INFORMATION PROCESSING APPARATUS AND INFORMATION PROCESSING METHOD |