
TWI891083B - Cybersecurity proxy authentication system and method - Google Patents

Cybersecurity proxy authentication system and method

Info

Publication number
TWI891083B
Authority
TW
Taiwan
Prior art keywords
decryption key
security
temporary decryption
server host
authentication
Application number
TW112138572A
Other languages
Chinese (zh)
Other versions
TW202516385A (en)
Inventor
陳弘明
葉介山
曾秋蓉
黃武雄
賴怡祁
陳伯彰
Original Assignee
長茂科技股份有限公司
Application filed by 長茂科技股份有限公司
Priority to TW112138572A
Publication of TW202516385A
Application granted
Publication of TWI891083B

Landscapes

  • Multi Processors (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a cybersecurity proxy authentication method. The method comprises: implementing a multi-party multi-factor dynamic strong encryption authentication method among a user equipment, an application server, and a cybersecurity server host; and implementing the same multi-party multi-factor dynamic strong encryption authentication method among the user equipment, an information security-sensitive server host, and the cybersecurity server host by using the application server as a proxy server for the information security-sensitive server host.

Description

Information and Communications Security Proxy Authentication System and Method

The present invention relates to an information and communications security identity authentication system and method for an information-security-sensitive server host, and in particular to a proxy identity authentication system and method in which an application server acts as a proxy for the information-security-sensitive server host.

Multi-Factor Authentication (MFA) is one of many well-known identity authentication mechanisms. It combines several different authentication factors to improve information and communications security while reducing reliance on traditional passwords. The authentication factors commonly used in MFA fall into the following types.

The first type is the identifier factor, the most commonly used authentication factor in MFA: information that only the user knows, such as passwords, PINs, and answers to questions. The second commonly used type is the possession factor, which requires the user to present a physical device or object used for identification, such as a security token, a smart card, or a mobile phone. The third commonly used type is the biometric factor, which captures a unique biometric characteristic of the user, such as a fingerprint, iris, voice, or face, as the basis for authentication.

Therefore, compared with traditional single-factor authentication, which verifies only a single factor from the user, usually just an identifier such as a password or PIN, multi-factor authentication does strengthen information and communications security.

FIDO2 (Fast Identity Online 2) is another widely adopted authentication method. FIDO2 consists of two main components: WebAuthn and CTAP. WebAuthn (Web Authentication) is a web standard that allows websites to use multiple authentication factors, such as biometrics, PINs, and smart cards, to prove a user's identity without a traditional password. CTAP (Client to Authenticator Protocol) is a communication protocol that provides a standard for web pages or applications to communicate and interact with FIDO2 devices in order to carry out WebAuthn operations.

However, both MFA and FIDO2 have shortcomings and room for improvement. For example, deploying FIDO2 requires additional hardware support, such as biometric readers or USB security keys, which tends to increase deployment cost and system complexity, while MFA still relies on traditional passwords for authentication, which is at odds with the current trend in information and communications security towards passwordless authentication.

Therefore, in view of the shortcomings of the existing technology, the inventors, through careful experimentation and research and with unwavering perseverance, have conceived the present "Information and Communications Security Proxy Authentication System and Method," which overcomes the shortcomings of the existing technology described above. A brief description of the invention follows.

The present invention relates to an information and communications security identity authentication system and method for an information-security-sensitive server host, and in particular to a proxy identity authentication system and method in which an application server acts as a proxy for the information-security-sensitive server host.

Accordingly, the present invention proposes an information and communications security proxy authentication method, comprising: implementing a multi-party, multi-factor, dynamic, strong-encryption authentication method among a user device, an application server, and a security server host; and, with the application server acting as a proxy server for an information-security-sensitive server host, implementing the same multi-party, multi-factor, dynamic, strong-encryption authentication method among the user device, the information-security-sensitive server host, and the security server host.

The present invention further proposes an information and communications security proxy authentication system, comprising: a first subsystem, which includes a user device, an application server, and a security server host, and implements a multi-party, multi-factor, dynamic, strong-encryption authentication method; and a second subsystem, which includes the user device, the application server, the security server host, and an information-security-sensitive server host, wherein the application server acts as a proxy server for the information-security-sensitive server host in order to implement the same multi-party, multi-factor, dynamic, strong-encryption authentication method.

The present invention further proposes an information and communications security proxy authentication system, comprising: a first subsystem, which includes a user device, an application server, and a first information-security-sensitive server host, and implements a multi-party, multi-factor, dynamic, strong-encryption authentication method; and a second subsystem, which includes the user device, the application server, the first information-security-sensitive server host, and a second information-security-sensitive server host, wherein the application server acts as a proxy server for either the first or the second information-security-sensitive server host in order to implement the same multi-party, multi-factor, dynamic, strong-encryption authentication method.

The above summary is intended to provide a simplified overview of the present disclosure so that the reader has a basic understanding of it. It is not a complete description of the invention, and it is not intended to identify important or critical elements of the embodiments or to define the scope of the invention.

10: Information and communications security proxy authentication system

11: Network

100: User device

110: First service programming module

200: Application server

210: Second service programming module

300: Security server host

310: Third service programming module

400: Information-security-sensitive server host

410: Fourth service programming module

420: Operating system

S1: First subsystem

S2: Second subsystem

T1: First transmission connection

T2: Second transmission connection

T3: Third transmission connection

T4: Fourth transmission connection

T5: Fifth transmission connection

501-519: Execution steps

601-623: Execution steps

700: Information and communications security proxy authentication method

701-702: Implementation steps

Figure 1 is a schematic diagram of the system architecture of the information and communications security proxy authentication system of the present invention;

Figure 2 is a sequence diagram of the steps of the information and communications security proxy authentication method of the present invention during the initial authentication phase;

Figure 3 is a sequence diagram of the steps of the information and communications security proxy authentication method of the present invention during the proxy authentication phase; and

Figure 4 is a flowchart of the implementation steps of the information and communications security proxy authentication method of the present invention.

The present invention will be fully understood from the following embodiments, which allow those skilled in the art to implement it accordingly; however, the implementation of the present invention is not limited to the forms shown in the following embodiments. The drawings of the present invention impose no limitation on size, dimensions, or scale, and the size, dimensions, and scale of an actual implementation are not limited by the drawings.

The term "preferably" used herein is non-exclusive and should be understood as "preferably, but not limited to." Any step described or recited in the specification or the claims may be performed in any order, not only the order recited in the claims. The scope of the present invention is determined solely by the appended claims and their equivalents, and not by the embodiments given as examples in the detailed description. The term "comprising" and its variants, when used in the specification and the claims, are open-ended, non-restrictive terms that do not exclude other features or steps.

Figure 1 is a schematic diagram of the system architecture of the information and communications security proxy authentication system of the present invention. In one embodiment, the information and communications security proxy authentication system 10 includes at least a user device 100, an application server 200, a security server host 300, and an information-security-sensitive server host 400. The devices establish transmission connections over a network 11 for communication and data transfer, where the network 11 may be an external network (the Internet), an internal network (an intranet), or a combination of the two.

The user device 100 is preferably, for example but not limited to, a desktop computer, a laptop, a tablet, or a smartphone. The security server host 300 is a third-party intermediary security device built and provided by a third-party cybersecurity service provider; it is preferably, for example but not limited to, a security intermediary server or a cloud server.

An information-security-sensitive server host 400 is any server host device that requires a high level of information security protection against unauthorized access or malicious attack. Such servers are typically used to process or store sensitive information, such as trade secrets, manufacturing parameters, personal information, and financial data, or to perform critical tasks, such as issuing or relaying manufacturing instructions. The information security of these servers is paramount: once compromised or misused, they can cause major, irreversible losses.

For example, the information-security-sensitive server host 400 preferably includes, but is not limited to: a factory main control node (factory main), industrial control system security equipment, Internet of Things (IoT) devices, workstations, firewalls and intrusion detection systems, database protection devices, encryption devices, security authentication devices, and information security devices.

The information-security-sensitive server host 400 may also be regarded as a second information-security-sensitive server host, an external information-security-sensitive server host, or an internal information-security-sensitive server host, and the security server host 300 may also be regarded as a first information-security-sensitive server host, an internal information-security-sensitive server host, or an external information-security-sensitive server host.

In one embodiment, a first service programming module 110, a second service programming module 210, a third service programming module 310, and a fourth service programming module 410 are installed on the user device 100, the application server 200, the security server host 300, and the information-security-sensitive server host 400 respectively, and an operating system 420 is also installed on the information-security-sensitive server host 400. The application server 200 may be regarded as the backend of the first service programming module 110, the first service programming module 110 may be regarded as the frontend of the second service programming module 210, and the application server 200 may be regarded as the remote application server of the first service programming module 110.

In one embodiment, the information and communications security proxy authentication system 10 further includes a first transmission connection T1 between the user device 100 and the security server host 300, a second transmission connection T2 between the application server 200 and the security server host 300, a third transmission connection T3 between the user device 100 and the application server 200, a fourth transmission connection T4 between the user device 100 and the information-security-sensitive server host 400, and a fifth transmission connection T5 between the information-security-sensitive server host 400 and the security server host 300.

In one embodiment, the information and communications security proxy authentication system 10 further includes a first subsystem S1 and a second subsystem S2. The first subsystem S1 includes the user device 100, the application server 200, the security server host 300, the first transmission connection T1, the second transmission connection T2, and the third transmission connection T3. The second subsystem S2 includes the user device 100, the information-security-sensitive server host 400, the security server host 300, the first transmission connection T1, the fourth transmission connection T4, and the fifth transmission connection T5. The first subsystem S1 may also be regarded as the underlying system or the security system.

The information and communications security proxy authentication method of the present invention is preferably implemented within the architecture of the information and communications security proxy authentication system 10 through the execution of the first service programming module 110, the second service programming module 210, the third service programming module 310, and the fourth service programming module 410.

Figure 2 is a sequence diagram of the steps of the information and communications security proxy authentication method of the present invention during the initial authentication phase. The method further includes a multi-party, multi-factor, dynamic, strong-encryption authentication method that is carried out on the first subsystem S1 during the initial authentication phase.

Step 501: First, the user performs a login operation on the user device 100, for example by entering an account name and password into the corresponding fields of the login page.

Step 502: In response to the user's login operation, the first service programming module 110 running on the user device 100 generates, either randomly or by applying a first cryptographic algorithm, a first ephemeral decryption key (EDK) of, for example but not limited to, 32 bytes in length, together with an initialization vector (IV).

The first cryptographic algorithm is preferably selected from MD5, MD4, MD2, SHA-1, SHA-2, SHA-3, RIPEMD-160, MDC-2, GOST R 34.11-94, BLAKE2, Whirlpool, SM3, or a combination thereof.

Step 503: Once the first ephemeral decryption key (first EDK) has been generated on the user device 100, the first service programming module 110 continues on the user device 100 by applying a public key infrastructure (PKI) method or a second cryptographic algorithm, based on the first ephemeral decryption key, to encrypt a set of identity information (ID info) and thereby produce an electronic digital signature (eID). The second cryptographic algorithm is preferably used to generate the electronic digital signature, and the identity information is preferably an identity code assigned to the first service programming module 110 by the second service programming module 210.

The second cryptographic algorithm is preferably selected from RSA, DSA, ECDSA, ECC, HMAC, MD5, MD4, MD2, SHA-1, SHA-2, SHA-3, RIPEMD-160, MDC-2, GOST R 34.11-94, BLAKE2, Whirlpool, SM3, or a combination thereof.

Step 504: Once the electronic digital signature has been generated on the user device 100, the first service programming module 110 generates a second ephemeral key (second EDK), either by applying the first cryptographic algorithm again, by generating it randomly, or by applying a scrambling procedure that takes the first ephemeral key as its basis and varies it. The first and second ephemeral decryption keys may take any form, but are preferably symbol strings of 32, 64, 128, or 256 binary bits in length.

Step 505: Once the second ephemeral key has been generated on the user device 100, the first service programming module 110 continues on the user device 100 by applying a third cryptographic algorithm, preferably symmetric encryption, based on the second ephemeral decryption key, to further encrypt the electronic digital signature and thereby produce an authentication token. The third cryptographic algorithm is also referred to as the secure encryption algorithm.

The third cryptographic algorithm is preferably selected from AES, DSA, HMAC, MD5, MD4, MD2, SHA-1, SHA-2, SHA-3, Blowfish, Camellia, ChaCha20, Poly1305, SEED, CAST-128, DES, IDEA, RC2, RC4, RC5, SM4, TDES, GOST 28147-89, or a combination thereof.

Step 506: Next, the first service programming module 110 publishes the generated first and second ephemeral decryption keys from the user device 100 to the security server host 300.

Step 507: After receiving the first and second ephemeral decryption keys, the third service programming module 310 running on the security server host 300 generates a token index from them. The token index is the minimum content, or a strictly smaller portion, that suffices to retrieve the first and second ephemeral decryption keys.

Step 508: Next, the first service programming module 110 running on the user device 100 requests the token index from the third service programming module 310 and retrieves it.

Step 509: Next, the first service programming module 110 combines the electronic digital signature, the authentication token, and the token index into an ephemeral string.

Step 510: The first service programming module 110 then publishes the ephemeral string from the user device 100 to the application server 200.

Step 511: After receiving the ephemeral string, the second service programming module 210 running on the application server 200 parses it to extract the electronic digital signature, the token index, and the authentication token.

Step 512: The second service programming module 210 then transmits the extracted token index, in encrypted or unencrypted mode, to the third service programming module 310 on the security server host 300, in order to obtain from the third service programming module 310 the first and second ephemeral decryption keys that correspond to the token index.

Step 513: The second service programming module 210 retrieves the first and second ephemeral decryption keys from the third service programming module 310.

Step 514: Next, the second service programming module 210 applies the second and third cryptographic algorithms, based on the first and second ephemeral decryption keys, to decrypt the authentication token and the electronic digital signature respectively and obtain the identity information.

Step 515: Next, the second service programming module 210 runs a signature verification procedure based on the retrieved first ephemeral decryption key to check whether the electronic digital signature was correctly encrypted, correctly signed, and not tampered with, thereby verifying the authenticity of the electronic digital signature.

Step 516: When the electronic digital signature is authentic, the second service programming module 210 decrypts it based on the retrieved first ephemeral decryption key to extract the identity information.

Step 517: After extracting the identity information, the second service programming module 210 runs an identity verification procedure to check whether the identity information matches the record, thereby verifying its correctness.

Step 518: The second service programming module 210 reports the authentication result to the first service programming module 110: if the identity information is confirmed correct, it reports an identity match; otherwise it reports an identity mismatch.

Step 519: When the first service programming module 110 receives an identity match as the authentication result, it continues the login procedure.

Generating the first ephemeral decryption key is optional. In one embodiment, the first ephemeral decryption key is not generated and the identity information is not encrypted; in that case the ephemeral string contains the identity information, the authentication token, and the token index.

Figure 3 is a sequence diagram of the steps of the information and communications security proxy authentication method of the present invention during the proxy authentication phase. The method further includes a multi-party, multi-factor, dynamic, strong-encryption proxy authentication method that is carried out on the second subsystem S2 during the proxy authentication phase and that authenticates the user's identity across devices.

Step 601: First, the user performs a login operation in preparation for logging in to the operating system 420 of the information-security-sensitive server host 400; for example, the user enters the account name and password into the account and password fields of the login page provided by the Windows operating system on the information-security-sensitive server host 400.

Step 602: In response to the user's login operation, execution of the fourth service programming module 410 is started.

Step 603: Once started, the fourth service programming module 410 running on the information-security-sensitive server host 400 temporarily locks the operating system 420.

Step 604: Next, the fourth service programming module 410 generates the first and second ephemeral decryption keys and the IV, either randomly or by applying the first cryptographic algorithm.

Step 605: Next, following the optical identifier encoding rule, the fourth service programming module 410 encodes the first and second ephemeral decryption keys, the IV, and the IP address at which the optical identifier is presented into an optical identifier, so that the optical identifier stores the EDKs, the IV, and the IP address. The optical identifier may take the form of, but is not limited to, a two-dimensional graphic code such as a Quick Response code (QR code).

Step 606: Next, the fourth service programming module 410 overlays the generated optical identifier as the topmost layer of the login page of the information-security-sensitive server host 400 so that the user can scan and read it.

Step 607: Next, the user opens and runs the first service programming module 110 installed on the user device 100, selects the identifier scanning interface it provides, and captures an image containing the optical identifier with the camera of the user device 100.

Step 608: After the first service programming module 110 has successfully captured the optical identifier shown by the display-equipped networked device 500, it first checks whether the captured optical identifier conforms to the optical identifier encoding rule, thereby verifying the authenticity of the optical identifier.

Step 609: When the first service programming module 110 confirms that the optical identifier is authentic, it decodes the optical identifier according to the optical identifier encoding rule and obtains the first and second ephemeral decryption keys and the IV stored in it.

Step 610: Next, the first service programming module 110 applies a public key infrastructure (PKI) method or the second cryptographic algorithm, based on the first ephemeral decryption key and the IV, to encrypt the identity information and produce the electronic digital signature.

Step 611: Next, the first service programming module 110 applies the third cryptographic algorithm, based on the second ephemeral decryption key, to further encrypt the electronic digital signature and produce the authentication token.

Step 612: Next, the first service programming module 110 returns the authentication token and the electronic digital signature to the fourth service programming module 410.

Step 613: After receiving the authentication token and the electronic digital signature, the fourth service programming module 410 applies the second and third cryptographic algorithms, based on the first and second ephemeral decryption keys, to decrypt the authentication token and the electronic digital signature respectively and obtain the identity information.

Step 614: The fourth service programming module 410 runs a signature verification procedure based on the first ephemeral decryption key to check whether the electronic digital signature was correctly encrypted, correctly signed, and not tampered with, thereby verifying the authenticity of the electronic digital signature.

Step 615: When the electronic digital signature is authentic, the fourth service programming module 410 further decrypts it based on the second ephemeral decryption key to extract the identity information.

步驟616:第四服務編程模組410將身分識別資訊與認證令牌傳送給在應用伺服器200執行之第二服務編程模組210。 Step 616: The fourth service programming module 410 transmits the identification information and the authentication token to the second service programming module 210 running on the application server 200.

步驟617:第二服務編程模組210在收到將身分識別資訊與認證令牌後,將代理第四服務編程模組410而與第三服務編程模組310進行通訊和資料傳輸以執行代理身分驗證程序,包含執行步驟512到步驟516。 Step 617: After receiving the identity information and authentication token, the second service programming module 210 will act as a proxy for the fourth service programming module 410 to communicate and transmit data with the third service programming module 310 to perform the proxy identity verification process, including executing steps 512 to 516.

步驟618:第二服務編程模組210聯合第三服務編程模組310執行代理身分驗證程序。 Step 618: The second service programming module 210 and the third service programming module 310 jointly execute the proxy identity verification process.

步驟619:第三服務編程模組310聯合第二服務編程模組210執行代理身分驗證程序。 Step 619: The third service programming module 310 collaborates with the second service programming module 210 to execute the proxy identity verification process.

步驟620:第二服務編程模組210執行代理身分驗證程序。 Step 620: The second service programming module 210 executes the proxy identity verification process.

步驟621:第二服務編程模組210向第四服務編程模組410回報身分驗證結果,當確認身分識別資訊為正確時,向第四服務編程模組410回報身分符合,否則回報身分不符。 Step 621: The second service programming module 210 reports the identity verification result to the fourth service programming module 410. If the identity identification information is confirmed to be correct, it reports to the fourth service programming module 410 that the identity is correct; otherwise, it reports that the identity is not correct.

步驟622:第四服務編程模組410向作業系統420回報身分驗證結果。 Step 622: The fourth service programming module 410 reports the identity verification result to the operating system 420.

步驟623:當作業系統420確認身分驗證結果為身分符合後繼續執行登入程序。 Step 623: When the operating system 420 confirms that the identity verification result is correct, it continues the login process.
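The proxy-authentication exchange of steps 605 to 621, as an added Python model; this is not the patent's code. The page does not name the second and third cryptographic algorithms or the optical identifier encoding rule, so the example assumes an HMAC-SHA256 keystream with encrypt-then-MAC for both algorithms, a constructed `CSPA1:` prefix plus checksum as the encoding rule, and a constructed identity registry standing in for the records held by the security server host. The key pairing of steps 610 and 611 (first key for the signature, second key for the token) is used throughout; every function name, the sample IP address and the sample identity are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Toy authenticated encryption standing in for the unnamed "second" and "third"
# cryptographic algorithms (assumption, not the patent's construction).
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream derived from key and IV."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC tag."""
    ct = _keystream_xor(_subkey(key, b"enc"), iv, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    return ct + tag

def open_sealed(key: bytes, iv: bytes, blob: bytes) -> bytes:
    """Check the tag first (as in step 614); decrypt only if it matches (step 615)."""
    ct, tag = blob[:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication tag mismatch: signature/token rejected")
    return _keystream_xor(_subkey(key, b"enc"), iv, ct)

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s)

QR_PREFIX = "CSPA1"  # constructed encoding-rule marker, not from the page

# Security-sensitive host, steps 604-606: fresh keys and IV packed into QR text.
def host_issue_challenge(host_ip: str):
    k1, k2, iv = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(16)
    raw = json.dumps({"k1": _b64(k1), "k2": _b64(k2), "iv": _b64(iv), "ip": host_ip},
                     sort_keys=True).encode()
    check = hashlib.sha256(raw).hexdigest()[:8]  # format conformance only, not proof of origin
    return f"{QR_PREFIX}:{_b64(raw)}:{check}", (k1, k2, iv)

# User device, steps 607-612: validate the QR against the rule, then sign and wrap.
def device_respond(qr_text: str, identity: str):
    prefix, payload, check = qr_text.split(":")
    raw = _unb64(payload)
    if prefix != QR_PREFIX or hashlib.sha256(raw).hexdigest()[:8] != check:
        raise ValueError("optical identifier violates the encoding rule")
    body = json.loads(raw)
    k1, k2, iv = _unb64(body["k1"]), _unb64(body["k2"]), _unb64(body["iv"])
    signature = seal(k1, iv, identity.encode())  # step 610: first key + IV over identity
    token = seal(k2, iv, signature)              # step 611: second key wraps the signature
    return body["ip"], signature, token

# Security-sensitive host, steps 613-615: unwrap token, verify, then recover identity.
def host_verify(keys, signature: bytes, token: bytes) -> str:
    k1, k2, iv = keys
    inner = open_sealed(k2, iv, token)
    if not hmac.compare_digest(inner, signature):
        raise ValueError("token does not wrap the returned signature")
    return open_sealed(k1, iv, signature).decode()

# Application server as relay, steps 616-621: the only party that reaches the
# security server's records; the sensitive host never contacts it directly.
REGISTRY = {"alice@plant": "operator"}  # constructed records, stand-in for the security server

def security_server_check(identity: str) -> bool:
    return identity in REGISTRY

def app_server_proxy(identity: str, token: bytes) -> str:
    return "match" if security_server_check(identity) else "mismatch"

def run_proxy_login(identity: str, host_ip: str = "10.0.0.5") -> str:
    """Whole exchange from QR issuance to the match/mismatch report of step 621."""
    qr, keys = host_issue_challenge(host_ip)
    ip, sig, tok = device_respond(qr, identity)
    assert ip == host_ip  # device returns the token to the host named in the QR
    return app_server_proxy(host_verify(keys, sig, tok), tok)

def rejected(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to show tamper detection."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run_proxy_login("alice@plant"))    # match
    print(run_proxy_login("mallory@plant"))  # mismatch
```

The order inside `open_sealed` is the point worth copying: the tag is compared in constant time before any byte is decrypted, which is the sequence steps 614 and 615 prescribe, and a single flipped bit in the token or a mismatched checksum on the QR text is rejected before the identity information is ever reconstructed.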

During the proxy authentication phase, no direct communication connection or direct data transmission takes place between the security server host 300 and the security-sensitive server host 400; all two-way communication and data transmission between the two hosts is carried out through the application server 200.

In one embodiment, the application server 200 can be regarded as a proxy server for the security-sensitive server host 400, or as a proxy server for the security server host 300, which prevents any direct communication connection or direct data transmission between the security server host 300 and the security-sensitive server host 400, thereby isolating the two hosts from each other.

The application server 200 provides an additional isolation layer between the security server host 300 and the security-sensitive server host 400, strengthening the data protection and security of both. In particular, from the perspective of the application server 200, both the security server host 300 and the security-sensitive server host 400 are secure devices that have passed the initial information security verification, which ensures their correct operation and means that no new information security risk is introduced while the user undergoes cross-device multi-factor identity authentication.

Under the proxy of the application server 200, the security server host 300 and the security-sensitive server host 400 communicate and exchange data only indirectly, so both hosts can carry out the multi-party multi-factor dynamic strong encryption authentication more securely.

In one embodiment, the security-sensitive server host 400 is a production control workstation in a 5G smart factory that must be isolated from other devices as far as possible, while the security server host 300 is an information security device that likewise requires a high level of information security protection and should also be isolated from other devices as far as possible. The application server 200 therefore serves as the proxy server for both the security server host 300 and the security-sensitive server host 400, acting as the relay point for communication and data transmission between the two hosts, so that they communicate and exchange data only indirectly and the information security protection of both is improved.

In one embodiment, the first service programming module 110, the second service programming module 210, the third service programming module 310 and the fourth service programming module 410 are program entities that execute independently of one another. Although the description above has them executing on different devices, the first, second, third and fourth service programming modules 110, 210, 310 and 410 may alternatively be configured to execute on the same device.

For example, in one embodiment the first service programming module 110 is installed and executed on the user's mobile phone, the fourth service programming module 410 is installed and executed on a production control workstation in a 5G smart factory, and the second service programming module 210 and the third service programming module 310 are installed and executed on the same NAS server. Although the second and third service programming modules 210 and 310 are installed on the same device, they remain independently executing program entities, and the NAS server and the production control workstation belong to the same local area network (LAN) or intranet.

In one embodiment, the first service programming module 110 is installed and executed on the user's mobile phone, the fourth service programming module 410 is installed and executed on a production control workstation in a 5G smart factory, and the second service programming module 210 and the third service programming module 310 are installed and executed on the same cloud server, with the cloud server and the production control workstation located on the Internet and on the intranet respectively.

Figure 4 shows a flowchart of the implementation steps of the information security proxy authentication method of the present invention. In summary, the information security proxy authentication method 700 of the present invention preferably includes, but is not limited to, the following steps: in the initial authentication phase, implementing a multi-party multi-factor dynamic strong encryption authentication method among the user device, the application server and the security server host (step 701); and in the proxy authentication phase, using the application server as a proxy server for the security-sensitive server host and implementing the multi-party multi-factor dynamic strong encryption authentication method among the user device, the security-sensitive server host and the security server host (step 702).

The above embodiments of the present invention may be combined with or substituted for one another in any way to derive further implementations, all of which remain within the scope the present invention seeks to protect. Further embodiments of the present invention are provided as follows:

Embodiment 1: An information security proxy authentication method, comprising: implementing a multi-party multi-factor dynamic strong encryption authentication method among a user device, an application server and a security server host; and using the application server as a proxy server for a security-sensitive server host to implement the multi-party multi-factor dynamic strong encryption authentication method among the user device, the security-sensitive server host and the security server host.

Embodiment 2: The information security proxy authentication method of Embodiment 1, wherein the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following: in the initial authentication phase, implementing the multi-party multi-factor dynamic strong encryption authentication method among the user device, the application server and the security server host; and in the proxy authentication phase, implementing the multi-party multi-factor dynamic strong encryption authentication method among the user device, the security-sensitive server host and the security server host.

Embodiment 3: The information security proxy authentication method of Embodiment 2, wherein in the initial authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following, on the user device: selectively implementing a first cryptographic algorithm or randomly generating a first temporary decryption key; selectively implementing a second cryptographic algorithm based on the first temporary decryption key to encrypt identity information and generate an electronic digital signature; forming a second temporary decryption key from a portion of the first temporary decryption key, or generating it randomly; implementing a third cryptographic algorithm based on the second temporary decryption key to generate an authentication token; publishing the first and second temporary decryption keys to the security server and retrieving a token index from the security server; combining one or more of the identity information, the electronic digital signature, the token index and the authentication token into a temporary string; and transmitting the temporary string to the application server.

Embodiment 4: The information security proxy authentication method of Embodiment 3, wherein in the initial authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following, on the application server: parsing the temporary string to obtain one or more of the identity information, the electronic digital signature, the token index and the authentication token; requesting the first and second temporary decryption keys from the security server based on the token index; retrieving the first and second temporary decryption keys; decrypting the authentication token based on the first and second temporary decryption keys to obtain the electronic digital signature and the identity information; executing a signature verification procedure to check whether the electronic digital signature is correctly signed; when the electronic digital signature is correctly signed, selectively decrypting the electronic digital signature based on the first temporary decryption key to extract the identity information; and executing an identity verification procedure to check whether the identity information correctly matches the record.

Embodiment 5: The information security proxy authentication method of Embodiment 4, wherein in the proxy authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following, on the security-sensitive server host: temporarily locking the operating system; selectively implementing the first cryptographic algorithm or randomly generating the first and second temporary decryption keys; generating an optical identifier and storing the first and second temporary decryption keys in it; and displaying the optical identifier on top.

Embodiment 6: The information security proxy authentication method of Embodiment 5, wherein in the proxy authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following, on the user device: capturing an image containing the optical identifier; parsing the optical identifier to obtain the first and second temporary decryption keys; implementing the second cryptographic algorithm based on the first temporary decryption key to encrypt the identity information and generate the electronic digital signature; implementing the third cryptographic algorithm based on the second temporary decryption key to encrypt the electronic digital signature and generate the authentication token; and returning the electronic digital signature and the authentication token to the security-sensitive server host.

Embodiment 7: The information security proxy authentication method of Embodiment 6, wherein in the proxy authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following, on the security-sensitive server host: decrypting the electronic digital signature and the authentication token based on the first and second temporary decryption keys; executing the signature verification procedure based on the first temporary decryption key to check whether the electronic digital signature is correctly signed; when the electronic digital signature is correctly signed, decrypting it based on the second temporary decryption key to extract the identity information; and transmitting the authentication token and the identity information to the application server.

Embodiment 8: The information security proxy authentication method of Embodiment 7, wherein in the proxy authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises, on the application server, executing a proxy identity verification procedure that in turn comprises one of the following: requesting the first and second temporary decryption keys from the security server based on the token index; retrieving the first and second temporary decryption keys; executing the signature verification procedure to check whether the electronic digital signature is correctly signed; and executing the identity verification procedure to check whether the identity information correctly matches the record.

Embodiment 9: An information security proxy authentication system, comprising: a first subsystem comprising a user device, an application server and a security server host, which implements a multi-party multi-factor dynamic strong encryption authentication method; and a second subsystem comprising the user device, the application server, the security server host and a security-sensitive server host, wherein the application server serves as a proxy server for the security-sensitive server host to implement the multi-party multi-factor dynamic strong encryption authentication method.

Embodiment 10: An information security proxy authentication system, comprising: a first subsystem comprising a user device, an application server and a first security-sensitive server host, which implements a multi-party multi-factor dynamic strong encryption authentication method; and a second subsystem comprising the user device, the application server, the first security-sensitive server host and a second security-sensitive server host, wherein the application server serves as a proxy server for the first security-sensitive server host or the second security-sensitive server host to implement the multi-party multi-factor dynamic strong encryption authentication method.

The embodiments of the present invention may be combined with or substituted for one another in any way to derive further implementations, all of which remain within the scope the present invention seeks to protect. The scope of protection of the present invention is defined solely by the appended claims.

700: Information security proxy authentication method

701-702: Implementation steps

Claims (7)

1. An information security proxy authentication method, comprising: implementing a multi-party multi-factor dynamic strong encryption authentication method among a user device, an application server and a security server host, the method comprising an initial authentication phase; and using the application server as a proxy server for a security-sensitive server host to implement the multi-party multi-factor dynamic strong encryption authentication method among the user device, the security-sensitive server host and the security server host, the method comprising a proxy authentication phase, the proxy authentication phase further comprising one of the following: on the security-sensitive server host: temporarily locking an operating system; selectively implementing the first cryptographic algorithm or randomly generating the first temporary decryption key and the second temporary decryption key; generating an optical identifier and storing the first temporary decryption key and the second temporary decryption key in the optical identifier; displaying the optical identifier on top; on the user device: capturing an image containing the optical identifier; parsing the optical identifier to obtain the first temporary decryption key and the second temporary decryption key; implementing the second cryptographic algorithm based on the first temporary decryption key to encrypt the identity information and generate the electronic digital signature; implementing the third cryptographic algorithm based on the second temporary decryption key to encrypt the electronic digital signature and generate the authentication token; and returning the electronic digital signature and the authentication token to the security-sensitive server host.

2. The information security proxy authentication method of claim 1, wherein the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following: in the initial authentication phase, implementing the multi-party multi-factor dynamic strong encryption authentication method among the user device, the application server and the security server host; and in the proxy authentication phase, implementing the multi-party multi-factor dynamic strong encryption authentication method among the user device, the security-sensitive server host and the security server host.

3. The information security proxy authentication method of claim 2, wherein in the initial authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following, on the user device: selectively implementing a first cryptographic algorithm or randomly generating a first temporary decryption key; selectively implementing a second cryptographic algorithm based on the first temporary decryption key to encrypt identity information and generate an electronic digital signature; forming a second temporary decryption key from a portion of the first temporary decryption key, or generating it randomly; implementing a third cryptographic algorithm based on the second temporary decryption key to generate an authentication token; publishing the first temporary decryption key and the second temporary decryption key to the security server host and retrieving a token index from the security server host; combining one or more of the identity information, the electronic digital signature, the token index and the authentication token into a temporary string; and transmitting the temporary string to the application server.

4. The information security proxy authentication method of claim 3, wherein in the initial authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following, on the application server: parsing the temporary string to obtain one or more of the identity information, the electronic digital signature, the token index and the authentication token; requesting the first temporary decryption key and the second temporary decryption key from the security server host based on the token index; retrieving the first temporary decryption key and the second temporary decryption key; decrypting the authentication token based on the first temporary decryption key and the second temporary decryption key to obtain the electronic digital signature and the identity information; executing a signature verification procedure to check whether the electronic digital signature is correctly signed; when the electronic digital signature is correctly signed, selectively decrypting the electronic digital signature based on the first temporary decryption key to extract the identity information; and executing an identity verification procedure to check whether the identity information correctly matches the record.

5. The information security proxy authentication method of claim 1, wherein in the proxy authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises one of the following, on the security-sensitive server host: decrypting the electronic digital signature and the authentication token based on the first temporary decryption key and the second temporary decryption key; executing the signature verification procedure based on the first temporary decryption key to check whether the electronic digital signature is correctly signed; when the electronic digital signature is correctly signed, decrypting the electronic digital signature based on the second temporary decryption key to extract the identity information; and transmitting the authentication token and the identity information to the application server.

6. The information security proxy authentication method of claim 5, wherein in the proxy authentication phase the multi-party multi-factor dynamic strong encryption authentication method further comprises, on the application server, executing a proxy identity verification procedure that in turn comprises one of the following: requesting the first temporary decryption key and the second temporary decryption key from the security server host based on the token index; retrieving the first temporary decryption key and the second temporary decryption key; executing the signature verification procedure to check whether the electronic digital signature is correctly signed; and executing the identity verification procedure to check whether the identity information correctly matches the record.

7. An information security proxy authentication system, comprising: a first subsystem comprising a user device, an application server and a security server host, which implements a multi-party multi-factor dynamic strong encryption authentication method comprising an initial authentication phase; and a second subsystem comprising the user device, the application server, the security server host and a security-sensitive server host, wherein the application server serves as a proxy server for the security-sensitive server host to implement the multi-party multi-factor dynamic strong encryption authentication method comprising a proxy authentication phase, the proxy authentication phase further comprising one of the following: on the security-sensitive server host: temporarily locking an operating system; selectively implementing the first cryptographic algorithm or randomly generating the first temporary decryption key and the second temporary decryption key; generating an optical identifier and storing the first temporary decryption key and the second temporary decryption key in the optical identifier; displaying the optical identifier on top; on the user device: capturing an image containing the optical identifier; parsing the optical identifier to obtain the first temporary decryption key and the second temporary decryption key; implementing the second cryptographic algorithm based on the first temporary decryption key to encrypt the identity information and generate the electronic digital signature; implementing the third cryptographic algorithm based on the second temporary decryption key to encrypt the electronic digital signature and generate the authentication token; and returning the electronic digital signature and the authentication token to the security-sensitive server host.
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW112138572A TWI891083B (en) 2023-10-06 2023-10-06 Cybersecurity proxy authentication system and method

Publications (2)

Publication Number Publication Date
TW202516385A TW202516385A (en) 2025-04-16
TWI891083B true TWI891083B (en) 2025-07-21

Family

ID=96169898

Country Status (1)

Country Link
TW (1) TWI891083B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107592308A (en) * 2017-09-13 2018-01-16 西安电子科技大学 A kind of two server multiple-factor authentication method towards mobile payment scene
TW201913445A (en) * 2017-08-25 2019-04-01 小松鼠軟體有限公司 User data encryption device for blocking man-in-the-middle attacks and method thereof capable of providing a unique identity code and encrypting the public key
US20200169411A1 (en) * 2018-11-26 2020-05-28 T-Mobile Usa, Inc. Cryptograpic font script with integrated signature for verification
TW202127289A (en) * 2020-01-10 2021-07-16 玉山商業銀行股份有限公司 Method for cross-platform authorizing access to resources and authorization system thereof
