
TWI894679B - System and method for cross enterprise identity verification - Google Patents

System and method for cross enterprise identity verification

Info

Publication number
TWI894679B
Authority
TW
Taiwan
Prior art keywords
invitee
enterprise server
inviting
identity
invited
Prior art date
Application number
TW112143729A
Other languages
Chinese (zh)
Other versions
TW202520097A (en)
Inventor
吳治東
梁俊安
蘇嚮權
詹謹維
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW112143729A
Publication of TW202520097A
Application granted
Publication of TWI894679B

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A system and a method for cross enterprise identity verification are provided. The method includes following steps: after an inviting-enterprise-server generates an invitation-letter corresponding to an inviter-device, transmitting, by the inviter-device, the invitation-letter to an invitee-device; generating, by an invitee-enterprise-server, an invitee-identity-endorsement, wherein the invitee-identity-endorsement corresponds to the invitee-device and the invitation-letter; and after the invitee-device generates an invitee-identity-proof corresponding to the invitation-letter, verifying, by the inviting-enterprise-server, the invitee-identity-endorsement and the invitee-identity-proof.

Description

Cross-enterprise identity verification system and method

The present invention relates to a cross-enterprise identity verification system and method.

To ensure security, identity verification must be performed before cross-enterprise instant messaging. However, current approaches may create information-security risks by concentrating authentication information at a third party, or may increase the coupling between enterprises by using a server-to-server approach. Those skilled in the art still lack a better cross-enterprise identity verification scheme.

The cross-enterprise identity verification system of the present invention includes an inviting enterprise server, an inviter device, an invited enterprise server and an invitee device. The inviter device is communicatively connected to the inviting enterprise server. The invitee device is communicatively connected to the invited enterprise server and to the inviting enterprise server. After the inviting enterprise server generates an invitation letter corresponding to the inviter device, the inviter device transmits the invitation letter to the invitee device; the invited enterprise server generates an invitee identity endorsement, where the invitee identity endorsement corresponds to the invitee device and to the invitation letter; and after the invitee device generates an invitee identity proof corresponding to the invitation letter, the inviting enterprise server verifies the invitee identity endorsement and the invitee identity proof.

The cross-enterprise identity verification method of the present invention includes the following steps: after the inviting enterprise server generates an invitation letter corresponding to the inviter device, the inviter device transmits the invitation letter to the invitee device; the invited enterprise server generates an invitee identity endorsement, where the invitee identity endorsement corresponds to the invitee device and to the invitation letter; and after the invitee device generates an invitee identity proof corresponding to the invitation letter, the inviting enterprise server verifies the invitee identity endorsement and the invitee identity proof.

1: cross-enterprise identity verification system

10: inviting enterprise server

20: inviter device

30: invited enterprise server

40: invitee device

S100, S101, S102, S103, S104, S200, S201, S202, S203, S204, S300, S301, S302, S303, S304, S400, S401, S402, S403, S404, S31, S33, S35: steps

Figure 1 is a schematic diagram of a cross-enterprise identity verification system according to an embodiment of the present invention.

Figure 2 is a schematic diagram of the operation of the cross-enterprise identity verification system shown in Figure 1.

Figure 3 is a flow chart of a cross-enterprise identity verification method according to an embodiment of the present invention.

Figure 1 is a schematic diagram of a cross-enterprise identity verification system 1 according to an embodiment of the present invention. Referring to Figure 1, the cross-enterprise identity verification system 1 may include an inviting enterprise server 10, an inviter device 20, an invited enterprise server 30 and an invitee device 40. In this embodiment, the inviter device 20 may be communicatively connected to the inviting enterprise server 10, and the invitee device 40 may be communicatively connected to the invited enterprise server 30 and to the inviting enterprise server 10. In this embodiment, the inviting enterprise server 10, the inviter device 20, the invited enterprise server 30 and the invitee device 40 may each include the necessary components, such as a communication chip (not shown), a storage device (not shown) and a processing module (not shown).

Figure 2 is a schematic diagram of the operation of the cross-enterprise identity verification system 1 shown in Figure 1. Please refer to Figures 1 and 2 together. It should first be noted that step S100 shown in Figure 2 may include steps S101, S102, S103 and S104; step S200 may include steps S201, S202, S203 and S204; step S300 may include steps S301, S302, S303 and S304; and step S400 may include steps S401, S402, S403 and S404.

In step S100, the inviting enterprise server 10, the inviter device 20, the invited enterprise server 30 and the invitee device 40 may perform preliminary operations.

Specifically, in step S101, the inviting enterprise server 10 may use asymmetric cryptography to generate an inviting enterprise server public key () and an inviting enterprise server private key (). For example, the inviting enterprise server 10 may use RSA (Rivest-Shamir-Adleman) to generate the inviting enterprise server public key () and the inviting enterprise server private key (). On the other hand, the invited enterprise server 30 may use asymmetric cryptography to generate an invited enterprise server public key () and an invited enterprise server private key (). For example, the invited enterprise server 30 may use elliptic curve cryptography to generate the invited enterprise server public key () and the invited enterprise server private key (). Then, the inviting enterprise server 10 may transmit the inviting enterprise server public key () to the invited enterprise server 30, and the invited enterprise server 30 may transmit the invited enterprise server public key () to the inviting enterprise server 10. For example, the inviting enterprise server 10 and the invited enterprise server 30 may agree in advance on an S/MIME (Secure Multipurpose Internet Mail Extensions) method. Then, the inviting enterprise server 10 may use the S/MIME method to transmit the inviting enterprise server public key () to the invited enterprise server 30, and the invited enterprise server 30 may use the S/MIME method to transmit the invited enterprise server public key () to the inviting enterprise server 10.

In step S102, the inviting enterprise server 10 may transmit the inviting enterprise server public key () to the inviter device 20. For example, the inviting enterprise server 10 may transmit the inviting enterprise server public key () to the inviter device 20 through an instant-messaging long-polling synchronization mechanism.

In step S103, the invited enterprise server 30 may transmit the invited enterprise server public key () to the invitee device 40. For example, the invited enterprise server 30 may transmit the invited enterprise server public key () to the invitee device 40 through an instant-messaging WebSocket synchronization mechanism.

In step S104, the inviter device 20 may transmit an inviter email address (Address 20) corresponding to the inviter device 20 to the invitee device 40. On the other hand, the invitee device 40 may transmit an invitee email address (Address 40) corresponding to the invitee device 40 to the inviter device 20. For example, the inviter (using the inviter device 20) and the invitee (using the invitee device 40) may have learned each other's email addresses in advance by exchanging business cards. More specifically, the inviter email address (Address 20) may include an inviter user ID and an inviter enterprise ID of the inviter (using the inviter device 20), and the inviter user ID and the inviter enterprise ID can be used to identify the inviter and the inviter enterprise to which the inviter belongs. On the other hand, the invitee email address (Address 40) may include an invitee user ID and an invitee enterprise ID of the invitee (using the invitee device 40), and the invitee user ID and the invitee enterprise ID can be used to identify the invitee and the invitee enterprise to which the invitee belongs. More specifically, the inviter enterprise and the invitee enterprise are different enterprises. It should be noted that although this embodiment is described using the inviter email address (Address 20) and the invitee email address (Address 40), the present invention is not limited to this. In other embodiments, the present invention may use, instead of email addresses, any text or format that can distinguish the user ID and the enterprise ID, according to actual needs.

Please continue to refer to Figure 2. In step S200, after the inviting enterprise server 10 generates an invitation letter (INV 10()) corresponding to the inviter device 20, the inviter device 20 may transmit the invitation letter (INV 10()) to the invitee device 40.

Specifically, in step S201, the inviter device 20 may transmit an invitation letter generation request corresponding to the invitation letter to the inviting enterprise server 10, where the invitation letter generation request may include the invitee email address (Address 40).

In step S202, the inviting enterprise server 10 may generate the invitation letter (INV 10()), where the invitation letter (INV 10()) may include the inviter email address (Address 20) and the invitee email address (Address 40). Specifically, after the inviting enterprise server 10 receives the invitation letter generation request from the inviter device 20, the inviting enterprise server 10 may first confirm whether the requester is the inviter device 20. For example, the inviting enterprise server 10 may use the token of the invitation letter generation request to confirm the requester's identity. Then, after the inviting enterprise server 10 confirms that the requester is the inviter device 20, the inviting enterprise server 10 may fill the "inviter user ID and inviter enterprise ID" fields of the invitation letter with the inviter email address (Address 20) of the inviter (using the inviter device 20), and may fill the "invitee user ID and invitee enterprise ID" fields of the invitation letter with the invitee email address (Address 40) from the invitation letter generation request. Furthermore, the invitation letter (INV 10()) may also include an invitation ID, invitation connection information, a validity timestamp and a signature of the inviting enterprise server 10. Specifically, the inviting enterprise server 10 may use the inviting enterprise server private key () to sign the invitation ID, the invitation connection information, the inviter email address (Address 20), the invitee email address (Address 40) and the validity timestamp.

In step S203, the inviting enterprise server 10 may transmit the invitation letter (INV 10()) to the inviter device 20.

In step S204, when the inviter device 20 successfully verifies the invitation letter (INV 10()) using the inviting enterprise server public key (), the inviter device 20 may transmit the invitation letter (INV 10()) to the invitee device 40. Specifically, when the inviter device 20 uses the inviting enterprise server public key () to verify that the invitation letter (INV 10()) matches the invitation letter generation request, the inviter device 20 may encode the invitation letter (INV 10()) as a two-dimensional barcode and transmit this two-dimensional barcode to the invitee device 40. In other embodiments, the inviter device 20 may use the invitee email address (Address 40) to transmit the invitation letter (INV 10()) to the invitee device 40. The present invention does not limit the way in which the inviter device 20 transmits the invitation letter (INV 10()).

Please continue to refer to Figure 2. In step S300, the invited enterprise server 30 may generate an invitee identity endorsement (ENDT 30()), where the invitee identity endorsement (ENDT 30()) may correspond to the invitee device 40 and to the invitation letter (INV 10()).

Specifically, in step S301, the invitee device 40 may use asymmetric cryptography to generate an invitee temporary public key () and an invitee temporary private key (). Following the above embodiment, the invitee device 40 may decode the two-dimensional barcode to obtain the invitation letter (INV 10()). The asymmetric cryptography is, for example, elliptic curve cryptography.

In step S302, the invitee device 40 may transmit an invitee identity endorsement generation request corresponding to the invitation letter to the invited enterprise server 30, where the invitee identity endorsement generation request may include the invitation letter (INV 10()) and the invitee temporary public key ().

In step S303, when the invited enterprise server 30 successfully verifies the invitee identity endorsement generation request using the inviting enterprise server public key (), the invited enterprise server 30 may generate the invitee identity endorsement (ENDT 30()), where the invitee identity endorsement may include the invitee email address (Address 40). Specifically, after the invited enterprise server 30 receives the invitee identity endorsement generation request from the invitee device 40, the invited enterprise server 30 may first perform data confirmation, which includes but is not limited to: (1) confirming that the requester is the invitee using the invitee device 40; (2) verifying the validity of the signature of the invitation letter (INV 10()) using the inviting enterprise server public key (); (3) confirming that the validity timestamp of the invitation letter (INV 10()) has not expired; and (4) confirming that the invitee in the invitation letter (INV 10()) matches the requester that transmitted the invitee identity endorsement generation request. If all of (1) to (4) are confirmed to be correct and the invitation ID has not appeared before, the invited enterprise server 30 may generate the invitee identity endorsement (ENDT 30()). Furthermore, the invitee identity endorsement (ENDT 30()) may also include the invitation ID, a hash value of the invitation letter (INV 10()), the invitee temporary public key (), a validity timestamp and a signature of the invited enterprise server 30. Specifically, the invited enterprise server 30 may use the invited enterprise server private key () to sign the invitation ID, the invitee email address (Address 40), the hash value of the invitation letter (INV 10()), the invitee temporary public key () and the validity timestamp. It should be noted that at most one invitee identity endorsement (ENDT 30()) can be generated for the same invitation ID. If the invited enterprise server 30 has already generated an invitee identity endorsement (ENDT 30()) for a particular invitation ID and again receives an invitee identity endorsement generation request for that invitation ID, the invited enterprise server 30 may reply with an error message to the invitee device 40.

In step S304, the invitee device 40 may receive the invitee identity endorsement (ENDT 30()) from the invited enterprise server 30, and the invitee device 40 may verify the invitee identity endorsement (ENDT 30()) using the invited enterprise server public key (). Specifically, the invitee device 40 may use the invited enterprise server public key () to verify whether the content of the invitee identity endorsement matches the invitee identity endorsement generation request.

Please continue to refer to Figure 2. In step S400, after the invitee device 40 generates an invitee identity proof (Proof 40()) corresponding to the invitation letter (INV 10()), the inviting enterprise server 10 may verify the invitee identity endorsement (ENDT 30()) and the invitee identity proof (Proof 40()).

Specifically, in step S401, the invitee device 40 may use the invitee temporary private key () to generate the invitee identity proof (Proof 40()) corresponding to the invitation letter (INV 10()). Furthermore, the invitee identity proof (Proof 40()) may include the invitation ID, the hash value of the invitation letter (INV 10()), a validity timestamp and a signature of the invitee device 40. Specifically, the invitee device 40 may use the invitee temporary private key () to sign the invitation ID, the hash value of the invitation letter (INV 10()) and the validity timestamp.

In step S402, the invitee device 40 may transmit an invitee identity verification request corresponding to the invitation letter (INV 10()) to the inviting enterprise server 10, where the invitee identity verification request may include the invitee identity endorsement (ENDT 30()) and the invitee identity proof (Proof 40()). Specifically, the invitee device 40 may use the invitation connection information in the invitation letter (INV 10()) to obtain the method/address for connecting to the inviting enterprise server 10.

In step S403, the inviting enterprise server 10 may verify the invitee identity endorsement (ENDT 30()) using the invited enterprise server public key (), verify the invitee identity proof (Proof 40()) using the invitee temporary public key (), and obtain an identity verification result. Specifically, after the inviting enterprise server 10 receives the invitee identity verification request from the invitee device 40, the inviting enterprise server 10 may perform identity verification, which includes but is not limited to: (1) checking the signature of the invitee identity endorsement (ENDT 30()) using the invited enterprise server public key (); (2) obtaining the invitee temporary public key () from the invitee identity endorsement (ENDT 30()) and verifying the signature of the invitee identity proof (Proof 40()) using the invitee temporary public key (); (3) confirming that the validity timestamp of the invitee identity endorsement (ENDT 30()) has not expired and that the validity timestamp of the invitee identity proof (Proof 40()) has not expired; (4) confirming that the invitation ID of the invitee identity endorsement (ENDT 30()) matches the invitation ID of the invitee identity proof (Proof 40()); (5) confirming whether an invitation letter (INV 10()) corresponding to the invitation ID and whose validity timestamp has not expired exists in the inviting enterprise server 10; and (6) checking whether the invitee email address (Address 40) in the invitation letter (INV 10()) generated by the inviting enterprise server 10 matches the invitee email address (Address 40) in the invitee identity endorsement (ENDT 30()). If all of (1) to (6) are confirmed to be correct, the inviting enterprise server 10 may determine that the identity of the requester of this invitee identity verification request is the invitee device 40.

In step S404, the inviting enterprise server 10 may transmit the identity verification result to the invitee device 40.
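The S202, S303, S401 and S403 steps above as a runnable model, added here as an example and not code from the patent or from 中華電信股份有限公司. It assumes Ed25519 for all three signers (the page has server 10 on RSA and server 30 on ECC), JSON bodies with assumed field names, constructed addresses and a fixed invite ID; the S/MIME key exchange of S101 and the local authentication behind check (1) of S303 are outside the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Signed is a JSON body plus an Ed25519 signature over it; open refuses a wrong-length key instead of panicking.
type Signed struct{ Body, Sig []byte }

func seal(priv ed25519.PrivateKey, v any) Signed { b, _ := json.Marshal(v); return Signed{Body: b, Sig: ed25519.Sign(priv, b)} }
func open(pub []byte, s Signed, v any) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, s.Body, s.Sig) && json.Unmarshal(s.Body, v) == nil
}
func hashOf(s Signed) []byte { h := sha256.Sum256(append(append([]byte{}, s.Body...), s.Sig...)); return h[:] }

// Bodies of INV 10 (S202), ENDT 30 (S303) and Proof 40 (S401); field names are assumed, the page gives no wire format.
type Invitation struct {
	InviteID, ConnInfo, Inviter, Invitee string // Inviter/Invitee carry Address 20/40; ConnInfo: how to reach server 10
	Expires                               int64 // validity timestamp, Unix seconds
}
type Endorsement struct {
	InviteID, Invitee string
	InvHash, TempPub  []byte // hash of the signed letter; invitee temporary public key
	Expires           int64
}
type Proof struct {
	InviteID string
	InvHash  []byte
	Expires  int64
}

var ErrRejected = errors.New("verification failed")
func fail(why string) error { return fmt.Errorf("%w: %s", ErrRejected, why) }

// Endorse is S303 on server 30. requester is the invitee address that server 30 authenticated locally (check 1).
func Endorse(priv30 ed25519.PrivateKey, pub10 ed25519.PublicKey, endorsed map[string]bool,
	requester string, letter Signed, tempPub []byte, now time.Time) (Signed, error) {
	var inv Invitation
	switch {
	case !open(pub10, letter, &inv): // (2) letter carries a valid server 10 signature
		return Signed{}, fail("invitation signature")
	case now.Unix() > inv.Expires: // (3) letter's validity timestamp has not passed
		return Signed{}, fail("invitation expired")
	case inv.Invitee != requester: // (4) letter names the requester as the invitee
		return Signed{}, fail("invitation not addressed to requester")
	case endorsed[inv.InviteID]: // at most one ENDT 30 per invite ID
		return Signed{}, fail("invite ID already endorsed")
	}
	endorsed[inv.InviteID] = true
	return seal(priv30, Endorsement{InviteID: inv.InviteID, Invitee: requester, InvHash: hashOf(letter),
		TempPub: tempPub, Expires: now.Add(5 * time.Minute).Unix()}), nil
}

// Verify is S403 on server 10: the page's six checks in its order. issued holds the letters server 10 generated.
func Verify(pub30 ed25519.PublicKey, issued map[string]Signed, endt, proof Signed, now time.Time) error {
	var e, p, inv = Endorsement{}, Proof{}, Invitation{}
	endtOK := open(pub30, endt, &e)     // (1) ENDT 30 carries a valid server 30 signature
	letter, known := issued[e.InviteID] // zero value when no letter was issued under that ID
	json.Unmarshal(letter.Body, &inv)
	switch {
	case !endtOK:
		return fail("endorsement signature")
	case !open(e.TempPub, proof, &p): // (2) Proof 40 signed by the temporary key carried in ENDT 30
		return fail("proof signature")
	case now.Unix() > e.Expires || now.Unix() > p.Expires: // (3)
		return fail("endorsement or proof expired")
	case e.InviteID != p.InviteID: // (4)
		return fail("invite ID mismatch")
	case !known || now.Unix() > inv.Expires: // (5) an unexpired letter with this ID exists on server 10
		return fail("unknown or expired invitation")
	case inv.Invitee != e.Invitee: // (6) Address 40 in the letter equals Address 40 in ENDT 30
		return fail("invitee address mismatch")
	}
	return nil
}

// RunFlow is one complete exchange (constructed addresses, fixed invite ID); it also replays the S302 request once.
func RunFlow() (verdict, replay error) {
	pub10, priv10, _ := ed25519.GenerateKey(rand.Reader)     // S101, server 10 (page: RSA)
	pub30, priv30, _ := ed25519.GenerateKey(rand.Reader)     // S101, server 30 (page: ECC)
	tempPub, tempPriv, _ := ed25519.GenerateKey(rand.Reader) // S301, device 40 temporary key pair
	now, endorsed := time.Now(), map[string]bool{}
	letter := seal(priv10, Invitation{InviteID: "inv-0001", ConnInfo: "wss://im.inviter.example", // S202
		Inviter: "alice@inviter.example", Invitee: "bob@invitee.example", Expires: now.Add(10 * time.Minute).Unix()})
	issued := map[string]Signed{"inv-0001": letter}
	endt, err := Endorse(priv30, pub10, endorsed, "bob@invitee.example", letter, tempPub, now) // S302, S303
	if err != nil {
		return err, nil
	}
	_, replay = Endorse(priv30, pub10, endorsed, "bob@invitee.example", letter, tempPub, now) // same ID again
	proof := seal(tempPriv, Proof{InviteID: "inv-0001", InvHash: hashOf(letter), Expires: now.Add(5 * time.Minute).Unix()}) // S401
	return Verify(pub30, issued, endt, proof, now), replay // S402, S403
}
```

RunFlow returns a nil verdict for the honest exchange and an ErrRejected-wrapped error for the replayed endorsement request, which is the "one endorsement per invitation ID" rule of S303.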

Figure 3 is a flow chart of a cross-enterprise identity verification method according to an embodiment of the present invention, where the method may be implemented by the cross-enterprise identity verification system 1 shown in Figure 1. In step S31, after the inviting enterprise server generates an invitation letter corresponding to the inviter device, the inviter device transmits the invitation letter to the invitee device. In step S33, the invited enterprise server generates an invitee identity endorsement, where the invitee identity endorsement corresponds to the invitee device and to the invitation letter. In step S35, after the invitee device generates an invitee identity proof corresponding to the invitation letter, the inviting enterprise server verifies the invitee identity endorsement and the invitee identity proof. The method has been described in the foregoing embodiments and is not repeated here.

In summary, in the cross-enterprise identity verification system and method of the present invention, the inviting enterprise server generates an invitation letter for the inviter device. Then, after the invited enterprise server generates an invitee identity endorsement and the invitee device generates an invitee identity proof, the inviting enterprise server verifies the invitee identity endorsement and the invitee identity proof. Accordingly, no additional server-to-server connection between the enterprises is required; cross-enterprise identity verification only needs the public keys to be exchanged in advance over a secure channel, which lowers the cost and barrier of adoption. In addition, user authentication information can be kept inside each enterprise without being provided to a third party, which avoids the risk of enterprise information leakage.


Claims (6)

1. A cross-enterprise identity verification system, comprising: an inviting enterprise server; an inviter device; an invited enterprise server; and an invitee device, wherein the inviter device is communicatively connected to the inviting enterprise server, and the invitee device is communicatively connected to the invited enterprise server and to the inviting enterprise server, wherein: after the inviting enterprise server generates an invitation letter corresponding to the inviter device, the inviter device transmits the invitation letter to the invitee device; the invited enterprise server generates an invitee identity endorsement, wherein the invitee identity endorsement corresponds to the invitee device and to the invitation letter; and after the invitee device generates an invitee identity proof corresponding to the invitation letter, the inviting enterprise server verifies the invitee identity endorsement and the invitee identity proof.

2. The cross-enterprise identity verification system of claim 1, wherein: the inviting enterprise server uses asymmetric cryptography to generate an inviting enterprise server public key and an inviting enterprise server private key; the invited enterprise server uses the asymmetric cryptography to generate an invited enterprise server public key and an invited enterprise server private key; the inviting enterprise server transmits the inviting enterprise server public key to the invited enterprise server; the invited enterprise server transmits the invited enterprise server public key to the inviting enterprise server; the inviting enterprise server transmits the inviting enterprise server public key to the inviter device; the invited enterprise server transmits the invited enterprise server public key to the invitee device; the inviter device transmits an inviter email address corresponding to the inviter device to the invitee device; and the invitee device transmits an invitee email address corresponding to the invitee device to the inviter device.

3. The cross-enterprise identity verification system of claim 1, wherein: the inviter device transmits an invitation letter generation request corresponding to the invitation letter to the inviting enterprise server, wherein the invitation letter generation request includes an invitee email address; the inviting enterprise server generates the invitation letter, wherein the invitation letter includes an inviter email address and the invitee email address; the inviting enterprise server transmits the invitation letter to the inviter device; and when the inviter device successfully verifies the invitation letter using an inviting enterprise server public key, the inviter device transmits the invitation letter to the invitee device.

4. The cross-enterprise identity verification system of claim 1, wherein: the invitee device uses asymmetric cryptography to generate an invitee temporary public key and an invitee temporary private key; the invitee device transmits an invitee identity endorsement generation request corresponding to the invitation letter to the invited enterprise server, wherein the invitee identity endorsement generation request includes the invitation letter and the invitee temporary public key; when the invited enterprise server successfully verifies the invitee identity endorsement generation request using an inviting enterprise server public key, the invited enterprise server generates the invitee identity endorsement, wherein the invitee identity endorsement includes an invitee email address; and the invitee device receives the invitee identity endorsement from the invited enterprise server and verifies the invitee identity endorsement using an invited enterprise server public key.

5. The cross-enterprise identity verification system of claim 1, wherein: the invitee device uses an invitee temporary private key to generate the invitee identity proof corresponding to the invitation letter; the invitee device transmits an invitee identity verification request corresponding to the invitation letter to the inviting enterprise server, wherein the invitee identity verification request includes the invitee identity endorsement and the invitee identity proof; the inviting enterprise server verifies the invitee identity endorsement using an invited enterprise server public key, verifies the invitee identity proof using an invitee temporary public key, and obtains an identity verification result; and the inviting enterprise server transmits the identity verification result to the invitee device.

6. A cross-enterprise identity verification method, suitable for a system comprising an inviting enterprise server, an inviter device, an invited enterprise server and an invitee device, the method comprising the following steps: after the inviting enterprise server generates an invitation letter corresponding to the inviter device, transmitting, by the inviter device, the invitation letter to the invitee device; generating, by the invited enterprise server, an invitee identity endorsement, wherein the invitee identity endorsement corresponds to the invitee device and to the invitation letter; and after the invitee device generates an invitee identity proof corresponding to the invitation letter, verifying, by the inviting enterprise server, the invitee identity endorsement and the invitee identity proof.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW112143729A TWI894679B (en) 2023-11-13 2023-11-13 System and method for cross enterprise identity verification

Publications (2)

Publication Number Publication Date
TW202520097A TW202520097A (en) 2025-05-16
TWI894679B true TWI894679B (en) 2025-08-21

Family

ID=96548016

Country Status (1)

Country Link
TW (1) TWI894679B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104093146A (en) * 2014-06-20 2014-10-08 裴兆欣 Intelligent identity authentication method and device for mobile devices
CN113765897A (en) * 2021-08-20 2021-12-07 北京万千维度网络科技有限公司 Sharing use method and system of electronic equipment
CN111177686B (en) * 2019-12-31 2022-07-29 华为云计算技术有限公司 Identity authentication method, device and related equipment
CN115757894A (en) * 2022-11-15 2023-03-07 河北航天信息技术有限公司 Method, device, server and storage medium for rapidly verifying enterprise identity
CN115604039B (en) * 2022-12-15 2023-03-10 江苏金智教育信息股份有限公司 Third-party assisted identity verification login method and system
TWI796675B (en) * 2020-07-03 2023-03-21 大陸商支付寶(杭州)信息技術有限公司 Blockchain-based identity verification method and related hardware
