[go: up one dir, main page]

TWI864705B - Verification system and verification method - Google Patents

Verification system and verification method Download PDF

Info

Publication number
TWI864705B
TWI864705B TW112115736A TW112115736A TWI864705B TW I864705 B TWI864705 B TW I864705B TW 112115736 A TW112115736 A TW 112115736A TW 112115736 A TW112115736 A TW 112115736A TW I864705 B TWI864705 B TW I864705B
Authority
TW
Taiwan
Prior art keywords
data
secret data
time password
verification
verification server
Prior art date
Application number
TW112115736A
Other languages
Chinese (zh)
Other versions
TW202444069A (en
Inventor
陳怡君
賴冠廷
楊吉閔
劉湘琳
吳杰義
汪俞
Original Assignee
玉山商業銀行股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 玉山商業銀行股份有限公司 filed Critical 玉山商業銀行股份有限公司
Priority to TW112115736A priority Critical patent/TWI864705B/en
Publication of TW202444069A publication Critical patent/TW202444069A/en
Application granted granted Critical
Publication of TWI864705B publication Critical patent/TWI864705B/en

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention provides a verification system comprising a verification server and a mobile communication device. The mobile communication device transmits transaction information to the verification server. The verification server generates first secret data using a first pre-determined hash algorithm according to the transaction information. The verification server transmits the first secret data and a password length to the mobile communication device. The mobile communication device generates an one-time password using a pre-determined one-time password algorithm according to the first secret data and the password length, and transmits a verification request including the one-time password to the verification server. The verification server generates the one-time password using the pre-determined one-time password algorithm according to the first secret data and the password length. The verification server compares the one-time password and the one-time password included in the verification request to generate a verification result.

Description

驗證系統及驗證方法Verification system and verification method

本發明是有關於一種驗證系統,特別是指一種使用一次性密碼的驗證系統。本發明還有關於一種驗證方法。 The present invention relates to an authentication system, in particular to an authentication system using a one-time password. The present invention also relates to an authentication method.

線上交易中的身分驗證程序常使用一次性密碼進行身分驗證。一般而言,一次性密碼是由伺服器端產生並透過簡訊發送。然而,透過簡訊發送一次性密碼存在被側錄的安全性問題,再者,發送簡訊存在一定的發送費用成本。因此,如何發展出一種新的驗證系統,能提高驗證的安全性,同時降低成本,是本發明進一步要探討的主題。 The identity verification process in online transactions often uses a one-time password for identity verification. Generally speaking, the one-time password is generated by the server and sent via SMS. However, sending a one-time password via SMS has the security issue of being recorded, and furthermore, sending SMS has a certain sending fee cost. Therefore, how to develop a new verification system that can improve the security of verification and reduce costs at the same time is a further topic to be explored in this invention.

因此,本發明的目的,即在提供一種驗證系統。 Therefore, the purpose of the present invention is to provide a verification system.

本發明的另一目的,即在提供一種驗證方法。 Another purpose of the present invention is to provide a verification method.

於是,本發明驗證系統,包含一驗證伺服器及一行動通訊裝置。該行動通訊裝置,經由通訊網路電連接於該驗證伺服器, 並供一使用者操作。 Therefore, the verification system of the present invention includes a verification server and a mobile communication device. The mobile communication device is electrically connected to the verification server via a communication network, and is operated by a user.

該行動通訊裝置傳送一交易資訊給該驗證伺服器。 The mobile communication device sends transaction information to the verification server.

該驗證伺服器使用一第一預定雜湊演算法,雜湊該交易資訊,產生一第一秘密資料,其中,該驗證伺服器雜湊該交易資訊的次數為一第一預定雜湊次數。 The verification server uses a first predetermined hashing algorithm to hash the transaction information to generate a first secret data, wherein the number of times the verification server hashes the transaction information is a first predetermined hashing number.

該驗證伺服器將該第一秘密資料及一密碼長度傳送給該行動通訊裝置。 The verification server transmits the first secret data and a password length to the mobile communication device.

該行動通訊裝置根據該第一秘密資料及該密碼長度,使用一預定一次性密碼演算法,產生一個一次性密碼,並將一包含該一次性密碼的驗證請求傳送給該驗證伺服器,其中,該一次性密碼的長度為該密碼長度。 The mobile communication device generates a one-time password using a predetermined one-time password algorithm according to the first secret data and the password length, and sends a verification request including the one-time password to the verification server, wherein the length of the one-time password is the password length.

該驗證伺服器根據該第一秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該一次性密碼的長度為該密碼長度。 The verification server generates the one-time password using the predetermined one-time password algorithm according to the first secret data and the password length, wherein the length of the one-time password is the password length.

該驗證伺服器比對所產生的該一次性密碼與該驗證請求的該一次性密碼是否相同以產生一驗證結果,並將該驗證結果傳送給該行動通訊裝置。 The verification server compares the generated one-time password with the one-time password of the verification request to see if they are the same to generate a verification result, and transmits the verification result to the mobile communication device.

在一些實施態樣中,該驗證伺服器及該行動通訊裝置儲存有一對應於該行動通訊裝置的裝置識別資料。 In some implementations, the verification server and the mobile communication device store a device identification data corresponding to the mobile communication device.

該行動通訊裝置產生該一次性密碼時,先根據該第一秘 密資料及該裝置識別資料,產生一第二秘密資料,再根據該第二秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼。 When the mobile communication device generates the one-time password, it first generates a second secret data according to the first secret data and the device identification data, and then generates the one-time password using the predetermined one-time password algorithm according to the second secret data and the password length.

該驗證伺服器產生該一次性密碼時,先根據該第一秘密資料及一裝置識別資料,產生該第二秘密資料,再根據該第二秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼。 When the verification server generates the one-time password, it first generates the second secret data according to the first secret data and a device identification data, and then generates the one-time password according to the second secret data and the password length using the predetermined one-time password algorithm.

在一些實施態樣中,該行動通訊裝置產生該一次性密碼時,還使用一第二預定雜湊演算法,雜湊該第二秘密資料,產生一第三秘密資料,再根據該第三秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該行動通訊裝置雜湊該第二秘密資料的次數為一第二預定雜湊次數。 In some implementations, when the mobile communication device generates the one-time password, it also uses a second predetermined hashing algorithm to hash the second secret data to generate a third secret data, and then uses the predetermined one-time password algorithm based on the third secret data and the password length to generate the one-time password, wherein the number of times the mobile communication device hashes the second secret data is a second predetermined hashing number.

該驗證伺服器產生該一次性密碼時,還使用該第二預定雜湊演算法,雜湊該第二秘密資料,產生該第三秘密資料,再根據該第三秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該驗證伺服器雜湊該第二秘密資料的次數為該第二預定雜湊次數。 When the verification server generates the one-time password, it also uses the second predetermined hashing algorithm to hash the second secret data to generate the third secret data, and then uses the predetermined one-time password algorithm based on the third secret data and the password length to generate the one-time password, wherein the number of times the verification server hashes the second secret data is the second predetermined hashing number.

在一些實施態樣中,該驗證伺服器還儲存有一對應於該使用者的身分資料,該驗證伺服器於產生該第一秘密資料時,除了雜湊該交易資訊之外,還使用該第一預定雜湊演算法,雜湊該身分 資料,產生該第一秘密資料,其中,該驗證伺服器雜湊該身分資料的次數為該第一預定雜湊次數。 In some implementations, the verification server also stores identity data corresponding to the user. When generating the first secret data, the verification server, in addition to hashing the transaction information, also uses the first predetermined hashing algorithm to hash the identity data to generate the first secret data, wherein the number of times the verification server hashes the identity data is the first predetermined hashing number.

在一些實施態樣中,該驗證伺服器於產生該第一秘密資料時,除了雜湊該交易資訊及該身分資料之外,還使用該第一預定雜湊演算法,雜湊指示出當前日期的一日期資料,產生該第一秘密資料,其中,該驗證伺服器雜湊該日期資料的次數為該第一預定雜湊次數。 In some implementations, when generating the first secret data, the verification server, in addition to hashing the transaction information and the identity data, also uses the first predetermined hashing algorithm to hash a date data indicating the current date to generate the first secret data, wherein the number of times the verification server hashes the date data is the first predetermined number of hashing times.

在一些實施態樣中,該行動通訊裝置產生該第二秘密資料時,除了根據該第一秘密資料及該裝置識別資料之外,還根據該日期資料,產生該第二秘密資料。 In some implementations, when the mobile communication device generates the second secret data, in addition to the first secret data and the device identification data, the second secret data is also generated based on the date data.

該驗證伺服器產生該第二秘密資料時,除了根據該第一秘密資料及該裝置識別資料之外,還根據該日期資料,產生該第二秘密資料。 When the verification server generates the second secret data, in addition to the first secret data and the device identification data, it also generates the second secret data based on the date data.

在一些實施態樣中,該驗證伺服器根據該日期資料產生該第一預定雜湊次數,該行動通訊裝置及該驗證伺服器根據該日期資料產生該第二預定雜湊次數。 In some implementations, the verification server generates the first predetermined hashing number based on the date data, and the mobile communication device and the verification server generate the second predetermined hashing number based on the date data.

在一些實施態樣中,該驗證伺服器將該第一秘密資料及該密碼長度傳送給該行動通訊裝置時,還將一用於設定該一次性密碼的時效性的時效性限制資料傳送給該行動通訊裝置,該預定一次性密碼演算法為一基於時間的一次性密碼演算法。 In some implementations, when the verification server transmits the first secret data and the password length to the mobile communication device, it also transmits a time limit data for setting the time limit of the one-time password to the mobile communication device, and the predetermined one-time password algorithm is a time-based one-time password algorithm.

該行動通訊裝置產生該一次性密碼時,除了根據該第三秘密資料及該密碼長度之外,還根據該時效性限制資料,使用該預定一次性密碼演算法,產生該一次性密碼。 When the mobile communication device generates the one-time password, in addition to the third secret data and the password length, it also generates the one-time password based on the time limit data using the predetermined one-time password algorithm.

該驗證伺服器產生該一次性密碼時,除了根據該第三秘密資料及該密碼長度之外,還根據該時效性限制資料,使用該預定一次性密碼演算法,產生該一次性密碼。 When the verification server generates the one-time password, in addition to the third secret data and the password length, it also generates the one-time password based on the time limit data using the predetermined one-time password algorithm.

在一些實施態樣中,該驗證伺服器於產生該第一秘密資料時,還於該交易資訊、該身分資料及該日期資料其中一者或多者加鹽,再使用該第一預定雜湊演算法產生該第一秘密資料。 In some implementations, when generating the first secret data, the verification server also adds salt to one or more of the transaction information, the identity data, and the date data, and then uses the first predetermined hashing algorithm to generate the first secret data.

本發明驗證方法,藉由一驗證系統實施,該驗證系統包含一驗證伺服器及一供一使用者操作的行動通訊裝置,該方法包含:該行動通訊裝置傳送一交易資訊給該驗證伺服器;該驗證伺服器使用一第一預定雜湊演算法,雜湊該交易資訊,產生一第一秘密資料,其中,該驗證伺服器雜湊該交易資訊的次數為一第一預定雜湊次數;該驗證伺服器將該第一秘密資料及一密碼長度傳送給該行動通訊裝置;該行動通訊裝置根據該第一秘密資料及該密碼長度,使用一預定一次性密碼演算法,產生一個一次性密碼,並將一包含該一次性密碼的驗證請求傳送給該驗證伺服器,其中,該一次性密碼的長度為該密碼長度;該驗證伺服器根據該第一秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中, 該一次性密碼的長度為該密碼長度;及該驗證伺服器比對所產生的該一次性密碼與該驗證請求的該一次性密碼是否相同以產生一驗證結果,並將該驗證結果傳送給該行動通訊裝置。 The verification method of the present invention is implemented by a verification system, which includes a verification server and a mobile communication device for a user to operate. The method includes: the mobile communication device transmits a transaction information to the verification server; the verification server uses a first predetermined hashing algorithm to hash the transaction information to generate a first secret data, wherein the number of times the verification server hashes the transaction information is a first predetermined hashing number; the verification server transmits the first secret data and a password length to the mobile communication device; the mobile communication device, based on the first secret data and the password length, A one-time password is generated using a predetermined one-time password algorithm, and a verification request including the one-time password is sent to the verification server, wherein the length of the one-time password is the password length; the verification server generates the one-time password using the predetermined one-time password algorithm according to the first secret data and the password length, wherein the length of the one-time password is the password length; and the verification server compares the generated one-time password with the one-time password of the verification request to determine whether they are the same to generate a verification result, and sends the verification result to the mobile communication device.

本發明的功效在於:藉由該行動通訊裝置產生該一次性密碼並提供給該驗證伺服器比對驗證,能避免先前技術中簡訊包含的密碼遭側錄的情況,同時省去簡訊發送成本,再者,藉由該驗證伺服器根據該交易資訊、該身分資料及該日期資料使用該第一預定雜湊演算法產生該第一秘密資料,且該行動通訊裝置及該驗證伺服器根據該第一秘密資料、該裝置識別資料及該日期資料產生該第二秘密資料,且該行動通訊裝置及該驗證伺服器根據該第二秘密資料使用該第二預定雜湊演算法產生該第三秘密資料,且該行動通訊裝置及該驗證伺服器根據該第三秘密資料、該密碼長度及該時效性限制資料使用該預定一次性密碼演算法產生該一次性密碼,能進一步提高驗證的安全性。 The utility model discloses a method for generating a one-time password by the mobile communication device and providing the one-time password to the verification server for comparison and verification, thereby avoiding the situation in which the password contained in the SMS in the prior art is recorded, and saving the SMS sending cost. Furthermore, the verification server generates the first secret data according to the transaction information, the identity data and the date data using the first predetermined hashing algorithm, and the mobile communication device and the verification server generate the first secret data according to the first secret data. The second secret data is generated by the mobile communication device and the verification server according to the second secret data using the second predetermined hashing algorithm, and the mobile communication device and the verification server generate the one-time password according to the third secret data, the password length and the time limit data using the predetermined one-time password algorithm, which can further improve the security of verification.

100:驗證系統 100: Verification system

1:驗證伺服器 1: Verify server

2:行動通訊裝置 2: Mobile communication devices

S01~S11:步驟 S01~S11: Steps

本發明的其他的特徵及功效,將於參照圖式的實施方式中清楚地呈現,其中:圖1是本發明驗證系統的一個實施例的一硬體連接關係示意圖;及 圖2A及圖2B是該實施例的一流程圖。 Other features and functions of the present invention will be clearly presented in the implementation method with reference to the drawings, wherein: FIG. 1 is a schematic diagram of a hardware connection relationship of an embodiment of the verification system of the present invention; and FIG. 2A and FIG. 2B are a flow chart of the embodiment.

在本發明被詳細描述之前,應當注意在以下的說明內容中,類似的元件是以相同的編號來表示。 Before the present invention is described in detail, it should be noted that similar components are represented by the same numbers in the following description.

參閱圖1,本發明驗證系統100的一實施例,包含一驗證伺服器1及供一使用者操作的一行動通訊裝置2。 Referring to FIG. 1 , an embodiment of the verification system 100 of the present invention includes a verification server 1 and a mobile communication device 2 for a user to operate.

該驗證伺服器1在本實施例中歸屬於一銀行,並儲存有一對應於該使用者的身分資料,及一對應於該行動通訊裝置2的裝置識別資料。 In this embodiment, the verification server 1 belongs to a bank and stores identity data corresponding to the user and device identification data corresponding to the mobile communication device 2.

該行動通訊裝置2經由通訊網路電連接於該驗證伺服器1,並儲存有對應於該行動通訊裝置2的該裝置識別資料。該行動通訊裝置2例如為一智慧型手機或一平板電腦。 The mobile communication device 2 is electrically connected to the verification server 1 via a communication network, and stores the device identification data corresponding to the mobile communication device 2. The mobile communication device 2 is, for example, a smart phone or a tablet computer.

參閱圖1、圖2A及圖2B,以下說明該驗證系統100執行的步驟。首先,如步驟S01所示,該使用者欲進行一交易,而操作該行動通訊裝置2傳送對應於該交易的一交易資訊給該驗證伺服器1。 Referring to FIG. 1 , FIG. 2A and FIG. 2B , the steps performed by the verification system 100 are described below. First, as shown in step S01 , the user wants to conduct a transaction and operates the mobile communication device 2 to transmit transaction information corresponding to the transaction to the verification server 1 .

接著,如步驟S02所示,該驗證伺服器1使用一第一預定雜湊演算法,雜湊該交易資訊、該身分資料及指示出當前日期的一日期資料,產生一第一秘密資料,其中,該驗證伺服器1雜湊該交 易資訊、該身分資料及指示出當前日期的一日期資料的次數為一第一預定雜湊次數。 Next, as shown in step S02, the verification server 1 uses a first predetermined hashing algorithm to hash the transaction information, the identity data, and a date data indicating the current date to generate a first secret data, wherein the number of times the verification server 1 hashes the transaction information, the identity data, and a date data indicating the current date is a first predetermined hashing number.

在本實施例中,該第一預定雜湊演算法為安全雜湊演算法(Secure Hash Algorithm,SHA),例如Sha512。 In this embodiment, the first predetermined hashing algorithm is a secure hashing algorithm (Secure Hash Algorithm, SHA), such as Sha512.

在本實施例中,該驗證伺服器1根據該日期資料產生該第一預定雜湊次數。舉例來說,該第一預定雜湊次數為(日期資料mod 4)+1,但不以此為限。 In this embodiment, the verification server 1 generates the first predetermined hashing number according to the date data. For example, the first predetermined hashing number is (date data mod 4) + 1, but is not limited thereto.

在本實施例中,該驗證伺服器1於產生該第一秘密資料時,還於該交易資訊、該身分資料及該日期資料其中一者或多者加鹽(插入特定的字串),再使用該第一預定雜湊演算法產生該第一秘密資料。 In this embodiment, when generating the first secret data, the verification server 1 also adds salt (inserts a specific string) to one or more of the transaction information, the identity data and the date data, and then uses the first predetermined hashing algorithm to generate the first secret data.

接著,如步驟S03所示,該驗證伺服器1將該第一秘密資料及一密碼長度傳送給該行動通訊裝置2。在本實施例中,該驗證伺服器1將該第一秘密資料及該密碼長度傳送給該行動通訊裝置2時,還將一用於設定該一次性密碼的時效性的時效性限制資料(例如指示出有效時限為30秒)傳送給該行動通訊裝置2。在本實施例中,該驗證伺服器1將該第一秘密資料、一密碼長度及一時效性限制資料加密後(例如RSA)傳送。 Next, as shown in step S03, the verification server 1 transmits the first secret data and a password length to the mobile communication device 2. In this embodiment, when the verification server 1 transmits the first secret data and the password length to the mobile communication device 2, it also transmits a time limit data (for example, indicating that the validity period is 30 seconds) for setting the time limit of the one-time password to the mobile communication device 2. In this embodiment, the verification server 1 encrypts the first secret data, a password length and a time limit data (for example, RSA) and transmits them.

接著,如步驟S04所示,該行動通訊裝置2根據該第一秘密資料、該裝置識別資料及該日期資料,產生一第二秘密資料。 Then, as shown in step S04, the mobile communication device 2 generates a second secret data according to the first secret data, the device identification data and the date data.

接著,如步驟S05所示,該行動通訊裝置2使用一第二預定雜湊演算法,雜湊該第二秘密資料,產生一第三秘密資料,其中,該行動通訊裝置2雜湊該第二秘密資料的次數為一第二預定雜湊次數。 Next, as shown in step S05, the mobile communication device 2 uses a second predetermined hashing algorithm to hash the second secret data to generate a third secret data, wherein the number of times the mobile communication device 2 hashes the second secret data is a second predetermined hashing number.

在本實施例中,該第二預定雜湊演算法為安全雜湊演算法(Secure Hash Algorithm,SHA),例如Sha512。 In this embodiment, the second predetermined hash algorithm is a secure hash algorithm (Secure Hash Algorithm, SHA), such as Sha512.

在本實施例中,該行動通訊裝置2根據該日期資料產生該第二預定雜湊次數。舉例來說,該第二預定雜湊次數為(日期資料mod 4)+1,但不以此為限。 In this embodiment, the mobile communication device 2 generates the second predetermined hashing number according to the date data. For example, the second predetermined hashing number is (date data mod 4) + 1, but is not limited thereto.

接著,如步驟S06所示,該行動通訊裝置2根據該第三秘密資料及該密碼長度,使用一預定一次性密碼演算法,產生一個一次性密碼,其中,該一次性密碼的長度為該密碼長度。 Then, as shown in step S06, the mobile communication device 2 generates a one-time password using a predetermined one-time password algorithm according to the third secret data and the password length, wherein the length of the one-time password is the password length.

在本實施例中,該預定一次性密碼演算法為一基於時間的一次性密碼演算法(Time-based One-Time Password,TOTP)。該驗證伺服器1產生該一次性密碼時,除了根據該第三秘密資料及該密碼長度之外,還根據該時效性限制資料,使用該預定一次性密碼演算法,產生該一次性密碼。 In this embodiment, the predetermined one-time password algorithm is a time-based one-time password algorithm (TOTP). When the verification server 1 generates the one-time password, in addition to the third secret data and the password length, it also uses the predetermined one-time password algorithm according to the time limit data to generate the one-time password.

接著,如步驟S07所示,該行動通訊裝置2將一包含該一次性密碼的驗證請求傳送給該驗證伺服器1。 Then, as shown in step S07, the mobile communication device 2 sends a verification request including the one-time password to the verification server 1.

接著,如步驟S08所示,該驗證伺服器1根據該第一秘密 資料、該裝置識別資料及該日期資料,產生該第二秘密資料。 Next, as shown in step S08, the verification server 1 generates the second secret data based on the first secret data, the device identification data and the date data.

接著,如步驟S09所示,該驗證伺服器1使用該第二預定雜湊演算法,雜湊該第二秘密資料,產生該第三秘密資料,其中,該驗證伺服器1雜湊該第二秘密資料的次數為該第二預定雜湊次數。 Next, as shown in step S09, the verification server 1 uses the second predetermined hashing algorithm to hash the second secret data to generate the third secret data, wherein the number of times the verification server 1 hashes the second secret data is the second predetermined hashing number.

在本實施例中,該驗證伺服器1根據該日期資料產生該第二預定雜湊次數。 In this embodiment, the verification server 1 generates the second predetermined hashing number based on the date data.

接著,如步驟S10所示,該驗證伺服器1根據該第三秘密資料、該密碼長度及該時效性限制資料,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該一次性密碼的長度為該密碼長度。 Then, as shown in step S10, the verification server 1 generates the one-time password using the predetermined one-time password algorithm according to the third secret data, the password length and the time limit data, wherein the length of the one-time password is the password length.

接著,如步驟S11所示,該驗證伺服器1比對所產生的該一次性密碼與該驗證請求的該一次性密碼是否相同以產生一驗證結果,並將該驗證結果傳送給該行動通訊裝置2。 Next, as shown in step S11, the verification server 1 compares the generated one-time password with the one-time password of the verification request to generate a verification result, and transmits the verification result to the mobile communication device 2.

綜上所述,本發明驗證系統100藉由該行動通訊裝置2產生該一次性密碼並提供給該驗證伺服器1比對驗證,能避免先前技術中簡訊包含的密碼遭側錄的情況,同時省去簡訊發送成本,再者,藉由該驗證伺服器1根據該交易資訊、該身分資料及該日期資料使用該第一預定雜湊演算法產生該第一秘密資料,且該行動通訊裝置2及該驗證伺服器1根據該第一秘密資料、該裝置識別資料及該 日期資料產生該第二秘密資料,且該行動通訊裝置2及該驗證伺服器1根據該第二秘密資料使用該第二預定雜湊演算法產生該第三秘密資料,且該行動通訊裝置2及該驗證伺服器1根據該第三秘密資料、該密碼長度及該時效性限制資料使用該預定一次性密碼演算法產生該一次性密碼,能進一步提高驗證的安全性,故確實能達成本發明的目的。 In summary, the verification system 100 of the present invention generates the one-time password by the mobile communication device 2 and provides it to the verification server 1 for comparison and verification, which can avoid the situation in the prior art that the password contained in the SMS is side-tracked, and save the SMS sending cost. Furthermore, the verification server 1 generates the first secret data according to the transaction information, the identity data and the date data using the first predetermined hashing algorithm, and the mobile communication device 2 and the verification server 1 generate the first secret data according to the first secret data, The device identification data and the date data generate the second secret data, and the mobile communication device 2 and the verification server 1 generate the third secret data using the second predetermined hashing algorithm according to the second secret data, and the mobile communication device 2 and the verification server 1 generate the one-time password using the predetermined one-time password algorithm according to the third secret data, the password length and the time limit data, which can further improve the security of the verification, so the purpose of the present invention can be achieved.

惟以上所述者,僅為本發明的實施例而已,當不能以此限定本發明實施的範圍,凡是依本發明申請專利範圍及專利說明書內容所作的簡單的等效變化與修飾,皆仍屬本發明專利涵蓋的範圍內。 However, the above is only an example of the implementation of the present invention, and it cannot be used to limit the scope of the implementation of the present invention. All simple equivalent changes and modifications made according to the scope of the patent application of the present invention and the content of the patent specification are still within the scope of the patent of the present invention.

100:驗證系統 1:驗證伺服器 2:行動通訊裝置 100: Verification system 1: Verification server 2: Mobile communication device

Claims (18)

一種驗證系統,包含:一驗證伺服器;及一行動通訊裝置,經由通訊網路電連接於該驗證伺服器,並供一使用者操作;該行動通訊裝置傳送一交易資訊給該驗證伺服器;該驗證伺服器使用一第一預定雜湊演算法,雜湊該交易資訊,產生一第一秘密資料,其中,該驗證伺服器雜湊該交易資訊的次數為一第一預定雜湊次數;該驗證伺服器將該第一秘密資料及一密碼長度傳送給該行動通訊裝置;該行動通訊裝置根據該第一秘密資料及該密碼長度,使用一預定一次性密碼演算法,產生一個一次性密碼,並將一包含該一次性密碼的驗證請求傳送給該驗證伺服器,其中,該一次性密碼的長度為該密碼長度;該驗證伺服器根據該第一秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該一次性密碼的長度為該密碼長度;該驗證伺服器比對所產生的該一次性密碼與該驗證請求的該一次性密碼是否相同以產生一驗證結果,並將該驗證結果傳送給該行動通訊裝置。 A verification system includes: a verification server; and a mobile communication device electrically connected to the verification server via a communication network and operated by a user; the mobile communication device transmits a transaction information to the verification server; the verification server hashes the transaction information using a first predetermined hashing algorithm to generate a first secret data, wherein the number of times the verification server hashes the transaction information is a first predetermined hashing number; the verification server transmits the first secret data and a password length to the mobile communication device; the mobile communication device generates a first secret data according to the first secret data and the password length. A one-time password is generated using a predetermined one-time password algorithm, and a verification request including the one-time password is sent to the verification server, wherein the length of the one-time password is the password length; the verification server generates the one-time password using the predetermined one-time password algorithm according to the first secret data and the password length, wherein the length of the one-time password is the password length; the verification server compares the generated one-time password with the one-time password of the verification request to determine whether they are the same to generate a verification result, and sends the verification result to the mobile communication device. 如請求項1所述的驗證系統,其中,該驗證伺服器及該行動通訊裝置儲存有一對應於該行動通訊裝置的裝置識別資料; 該行動通訊裝置產生該一次性密碼時,先根據該第一秘密資料及該裝置識別資料,產生一第二秘密資料,再根據該第二秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼;該驗證伺服器產生該一次性密碼時,先根據該第一秘密資料及一裝置識別資料,產生該第二秘密資料,再根據該第二秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼。 The verification system as described in claim 1, wherein the verification server and the mobile communication device store a device identification data corresponding to the mobile communication device; When the mobile communication device generates the one-time password, it first generates a second secret data according to the first secret data and the device identification data, and then uses the predetermined one-time password algorithm according to the second secret data and the password length to generate the one-time password; When the verification server generates the one-time password, it first generates the second secret data according to the first secret data and a device identification data, and then uses the predetermined one-time password algorithm according to the second secret data and the password length to generate the one-time password. 如請求項2所述的驗證系統,其中,該行動通訊裝置產生該一次性密碼時,還使用一第二預定雜湊演算法,雜湊該第二秘密資料,產生一第三秘密資料,再根據該第三秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該行動通訊裝置雜湊該第二秘密資料的次數為一第二預定雜湊次數;該驗證伺服器產生該一次性密碼時,還使用該第二預定雜湊演算法,雜湊該第二秘密資料,產生該第三秘密資料,再根據該第三秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該驗證伺服器雜湊該第二秘密資料的次數為該第二預定雜湊次數。 The verification system as claimed in claim 2, wherein when the mobile communication device generates the one-time password, it also uses a second predetermined hashing algorithm to hash the second secret data to generate a third secret data, and then uses the predetermined one-time password algorithm to generate the one-time password based on the third secret data and the password length, wherein the number of times the mobile communication device hashes the second secret data is one The second predetermined hashing number; when the verification server generates the one-time password, it also uses the second predetermined hashing algorithm to hash the second secret data to generate the third secret data, and then uses the predetermined one-time password algorithm according to the third secret data and the password length to generate the one-time password, wherein the number of times the verification server hashes the second secret data is the second predetermined hashing number. 如請求項3所述的驗證系統,其中,該驗證伺服器還儲存有一對應於該使用者的身分資料,該驗證伺服器於產生該第一秘密資料時,除了雜湊該交易資訊之外,還使用該第一預定雜湊演算法,雜湊該身分資料,產生該第一秘密資料,其中,該驗證伺服器雜湊該身分資料的次數為該第一 預定雜湊次數。 The verification system as described in claim 3, wherein the verification server also stores identity data corresponding to the user, and when generating the first secret data, the verification server, in addition to hashing the transaction information, also uses the first predetermined hashing algorithm to hash the identity data to generate the first secret data, wherein the number of times the verification server hashes the identity data is the first predetermined hashing number. 如請求項4所述的驗證系統,其中,該驗證伺服器於產生該第一秘密資料時,除了雜湊該交易資訊及該身分資料之外,還使用該第一預定雜湊演算法,雜湊指示出當前日期的一日期資料,產生該第一秘密資料,其中,該驗證伺服器雜湊該日期資料的次數為該第一預定雜湊次數。 The verification system as claimed in claim 4, wherein when generating the first secret data, the verification server, in addition to hashing the transaction information and the identity data, also uses the first predetermined hashing algorithm to hash a date data indicating the current date to generate the first secret data, wherein the number of times the verification server hashes the date data is the first predetermined number of hashing times. 如請求項5所述的驗證系統,其中,該行動通訊裝置產生該第二秘密資料時,除了根據該第一秘密資料及該裝置識別資料之外,還根據該日期資料,產生該第二秘密資料;該驗證伺服器產生該第二秘密資料時,除了根據該第一秘密資料及該裝置識別資料之外,還根據該日期資料,產生該第二秘密資料。 The verification system as described in claim 5, wherein when the mobile communication device generates the second secret data, in addition to the first secret data and the device identification data, the second secret data is generated according to the date data; when the verification server generates the second secret data, in addition to the first secret data and the device identification data, the second secret data is generated according to the date data. 如請求項6所述的驗證系統,其中,該驗證伺服器根據該日期資料產生該第一預定雜湊次數,該行動通訊裝置及該驗證伺服器根據該日期資料產生該第二預定雜湊次數。 The verification system as described in claim 6, wherein the verification server generates the first predetermined hashing number according to the date data, and the mobile communication device and the verification server generate the second predetermined hashing number according to the date data. 如請求項7所述的驗證系統,其中,該驗證伺服器將該第一秘密資料及該密碼長度傳送給該行動通訊裝置時,還將一用於設定該一次性密碼的時效性的時效性限制資料傳送給該行動通訊裝置,該預定一次性密碼演算法為一基於時間的一次性密碼演算法;該行動通訊裝置產生該一次性密碼時,除了根據該第三秘密資料及該密碼長度之外,還根據該時效性限制資料,使用該預定一次性密碼演算法,產生該一次性密碼;該驗證伺服器產生該一次性密碼時,除了根據該第三 秘密資料及該密碼長度之外,還根據該時效性限制資料,使用該預定一次性密碼演算法,產生該一次性密碼。 The verification system as claimed in claim 7, wherein when the verification server transmits the first secret data and the password length to the mobile communication device, it also transmits a time limit data for setting the time limit of the one-time password to the mobile communication device, and the predetermined one-time password algorithm is a one-time password algorithm based on time; when the mobile communication device generates the one-time password, in addition to the third secret data and the password length, it also uses the time limit data to generate the one-time password; when the verification server generates the one-time password, in addition to the third secret data and the password length, it also uses the time limit data to generate the one-time password. 如請求項8所述的驗證系統,其中,該驗證伺服器於產生該第一秘密資料時,還於該交易資訊、該身分資料及該日期資料其中一者或多者加鹽,再使用該第一預定雜湊演算法產生該第一秘密資料。 The verification system as described in claim 8, wherein the verification server, when generating the first secret data, also adds salt to one or more of the transaction information, the identity data and the date data, and then uses the first predetermined hashing algorithm to generate the first secret data. 一種驗證方法,藉由一驗證系統實施,該驗證系統包含一驗證伺服器及一供一使用者操作的行動通訊裝置,該方法包含:該行動通訊裝置傳送一交易資訊給該驗證伺服器;該驗證伺服器使用一第一預定雜湊演算法,雜湊該交易資訊,產生一第一秘密資料,其中,該驗證伺服器雜湊該交易資訊的次數為一第一預定雜湊次數;該驗證伺服器將該第一秘密資料及一密碼長度傳送給該行動通訊裝置;該行動通訊裝置根據該第一秘密資料及該密碼長度,使用一預定一次性密碼演算法,產生一個一次性密碼,並將一包含該一次性密碼的驗證請求傳送給該驗證伺服器,其中,該一次性密碼的長度為該密碼長度;該驗證伺服器根據該第一秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該一次性密碼的長度為該密碼長度;及該驗證伺服器比對所產生的該一次性密碼與該驗證請求的該一次性密碼是否相同以產生一驗證結果,並將該 驗證結果傳送給該行動通訊裝置。 A verification method is implemented by a verification system, the verification system comprising a verification server and a mobile communication device for a user to operate, the method comprising: the mobile communication device transmits a transaction information to the verification server; the verification server uses a first predetermined hashing algorithm to hash the transaction information to generate a first secret data, wherein the number of times the verification server hashes the transaction information is a first predetermined hashing number; the verification server transmits the first secret data and a password length to the mobile communication device; the mobile communication device uses the first secret data and the password length to generate a first secret data; A one-time password is generated using a predetermined one-time password algorithm, and a verification request including the one-time password is sent to the verification server, wherein the length of the one-time password is the password length; the verification server generates the one-time password using the predetermined one-time password algorithm according to the first secret data and the password length, wherein the length of the one-time password is the password length; and the verification server compares the generated one-time password with the one-time password of the verification request to determine whether they are the same to generate a verification result, and sends the verification result to the mobile communication device. 如請求項10所述的驗證方法,其中,該驗證伺服器及該行動通訊裝置儲存有一對應於該行動通訊裝置的裝置識別資料;該行動通訊裝置產生該一次性密碼時,先根據該第一秘密資料及該裝置識別資料,產生一第二秘密資料,再根據該第二秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼;該驗證伺服器產生該一次性密碼時,先根據該第一秘密資料及一裝置識別資料,產生該第二秘密資料,再根據該第二秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼。 The verification method as claimed in claim 10, wherein the verification server and the mobile communication device store a device identification data corresponding to the mobile communication device; when the mobile communication device generates the one-time password, it first generates a second secret data according to the first secret data and the device identification data, and then uses the predetermined one-time password algorithm according to the second secret data and the password length to generate the one-time password; when the verification server generates the one-time password, it first generates the second secret data according to the first secret data and a device identification data, and then uses the predetermined one-time password algorithm according to the second secret data and the password length to generate the one-time password. 如請求項11所述的驗證方法,其中,該行動通訊裝置產生該一次性密碼時,還使用一第二預定雜湊演算法,雜湊該第二秘密資料,產生一第三秘密資料,再根據該第三秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該行動通訊裝置雜湊該第二秘密資料的次數為一第二預定雜湊次數;該驗證伺服器產生該一次性密碼時,還使用該第二預定雜湊演算法,雜湊該第二秘密資料,產生該第三秘密資料,再根據該第三秘密資料及該密碼長度,使用該預定一次性密碼演算法,產生該一次性密碼,其中,該驗證伺服器雜湊該第二秘密資料的次數為該第二預定雜湊次數。 The verification method as claimed in claim 11, wherein when the mobile communication device generates the one-time password, it also uses a second predetermined hashing algorithm to hash the second secret data to generate a third secret data, and then uses the predetermined one-time password algorithm to generate the one-time password based on the third secret data and the password length, wherein the number of times the mobile communication device hashes the second secret data is one The second predetermined hashing number; when the verification server generates the one-time password, it also uses the second predetermined hashing algorithm to hash the second secret data to generate the third secret data, and then uses the predetermined one-time password algorithm according to the third secret data and the password length to generate the one-time password, wherein the number of times the verification server hashes the second secret data is the second predetermined hashing number. 如請求項12所述的驗證方法,其中,該驗證伺服器還儲 存有一對應於該使用者的身分資料,該驗證伺服器於產生該第一秘密資料時,除了雜湊該交易資訊之外,還使用該第一預定雜湊演算法,雜湊該身分資料,產生該第一秘密資料,其中,該驗證伺服器雜湊該身分資料的次數為該第一預定雜湊次數。 The verification method as described in claim 12, wherein the verification server also stores identity data corresponding to the user, and when generating the first secret data, the verification server, in addition to hashing the transaction information, also uses the first predetermined hashing algorithm to hash the identity data to generate the first secret data, wherein the number of times the verification server hashes the identity data is the first predetermined hashing number. 如請求項13所述的驗證方法,其中,該驗證伺服器於產生該第一秘密資料時,除了雜湊該交易資訊及該身分資料之外,還使用該第一預定雜湊演算法,雜湊指示出當前日期的一日期資料,產生該第一秘密資料,其中,該驗證伺服器雜湊該日期資料的次數為該第一預定雜湊次數。 The verification method as claimed in claim 13, wherein, when generating the first secret data, the verification server, in addition to hashing the transaction information and the identity data, also uses the first predetermined hashing algorithm to hash a date data indicating the current date to generate the first secret data, wherein the number of times the verification server hashes the date data is the first predetermined number of hashing times. 如請求項14所述的驗證方法,其中,該行動通訊裝置產生該第二秘密資料時,除了根據該第一秘密資料及該裝置識別資料之外,還根據該日期資料,產生該第二秘密資料;該驗證伺服器產生該第二秘密資料時,除了根據該第一秘密資料及該裝置識別資料之外,還根據該日期資料,產生該第二秘密資料。 As in claim 14, the verification method, wherein when the mobile communication device generates the second secret data, in addition to the first secret data and the device identification data, the second secret data is also generated according to the date data; when the verification server generates the second secret data, in addition to the first secret data and the device identification data, the second secret data is also generated according to the date data. 如請求項15所述的驗證方法,其中,該驗證伺服器根據該日期資料產生該第一預定雜湊次數,該行動通訊裝置及該驗證伺服器根據該日期資料產生該第二預定雜湊次數。 The verification method as described in claim 15, wherein the verification server generates the first predetermined hashing number according to the date data, and the mobile communication device and the verification server generate the second predetermined hashing number according to the date data. 如請求項16所述的驗證方法,其中,該驗證伺服器將該第一秘密資料及該密碼長度傳送給該行動通訊裝置時,還將一用於設定該一次性密碼的時效性的時效性限制資料傳送給該行動通訊裝置,該預定一次性密碼演算法為一基於時間的一次性密碼演算法; 該行動通訊裝置產生該一次性密碼時,除了根據該第三秘密資料及該密碼長度之外,還根據該時效性限制資料,使用該預定一次性密碼演算法,產生該一次性密碼;該驗證伺服器產生該一次性密碼時,除了根據該第三秘密資料及該密碼長度之外,還根據該時效性限制資料,使用該預定一次性密碼演算法,產生該一次性密碼。 The verification method as claimed in claim 16, wherein when the verification server transmits the first secret data and the password length to the mobile communication device, it also transmits a time limit data for setting the time limit of the one-time password to the mobile communication device, and the predetermined one-time password algorithm is a one-time password algorithm based on time; When the mobile communication device generates the one-time password, in addition to the third secret data and the password length, it also uses the predetermined one-time password algorithm to generate the one-time password according to the time limit data; when the verification server generates the one-time password, in addition to the third secret data and the password length, it also uses the predetermined one-time password algorithm to generate the one-time password according to the time limit data. 如請求項17所述的驗證方法,其中,該驗證伺服器於產生該第一秘密資料時,還於該交易資訊、該身分資料及該日期資料其中一者或多者加鹽,再使用該第一預定雜湊演算法產生該第一秘密資料。 The verification method as described in claim 17, wherein the verification server, when generating the first secret data, also adds salt to one or more of the transaction information, the identity data and the date data, and then uses the first predetermined hashing algorithm to generate the first secret data.
TW112115736A 2023-04-27 2023-04-27 Verification system and verification method TWI864705B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW112115736A TWI864705B (en) 2023-04-27 2023-04-27 Verification system and verification method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW112115736A TWI864705B (en) 2023-04-27 2023-04-27 Verification system and verification method

Publications (2)

Publication Number Publication Date
TW202444069A TW202444069A (en) 2024-11-01
TWI864705B true TWI864705B (en) 2024-12-01

Family

ID=94377892

Family Applications (1)

Application Number Title Priority Date Filing Date
TW112115736A TWI864705B (en) 2023-04-27 2023-04-27 Verification system and verification method

Country Status (1)

Country Link
TW (1) TWI864705B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010056409A1 (en) * 2000-05-15 2001-12-27 Bellovin Steven Michael Offline one time credit card numbers for secure e-commerce
US20070226784A1 (en) * 2006-03-27 2007-09-27 Yukiya Ueda System and method for user authentication
US20120096535A1 (en) * 2004-10-15 2012-04-19 Symantec Corporation One Time Password
US20130010958A1 (en) * 2010-03-29 2013-01-10 Zongming Yao Methods and apparatuses for administrator-driven profile update
US10263978B1 (en) * 2010-11-29 2019-04-16 Amazon Technologies, Inc. Multifactor authentication for programmatic interfaces
CN114826700A (en) * 2022-04-11 2022-07-29 西安慧博习兆信息技术有限公司 Zero-key information verification session method of one-time cryptographic algorithm

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010056409A1 (en) * 2000-05-15 2001-12-27 Bellovin Steven Michael Offline one time credit card numbers for secure e-commerce
US20120096535A1 (en) * 2004-10-15 2012-04-19 Symantec Corporation One Time Password
US20070226784A1 (en) * 2006-03-27 2007-09-27 Yukiya Ueda System and method for user authentication
US20130010958A1 (en) * 2010-03-29 2013-01-10 Zongming Yao Methods and apparatuses for administrator-driven profile update
US10263978B1 (en) * 2010-11-29 2019-04-16 Amazon Technologies, Inc. Multifactor authentication for programmatic interfaces
CN114826700A (en) * 2022-04-11 2022-07-29 西安慧博习兆信息技术有限公司 Zero-key information verification session method of one-time cryptographic algorithm

Also Published As

Publication number Publication date
TW202444069A (en) 2024-11-01

Similar Documents

Publication Publication Date Title
CN109951489B (en) Digital identity authentication method, equipment, device, system and storage medium
CN102647461B (en) Communication means based on HTTP, server, terminal
WO2018112940A1 (en) Service execution method and device for blockchain node, and node device
WO2016155497A1 (en) User authentication method and device, and wearable device registration method and device
WO2017000829A1 (en) Method for checking security based on biological features, client and server
WO2019011179A1 (en) Certificate management method, system, network device and computer readable storage medium
CN110073387A (en) Confirm being associated between communication equipment and user
CN101465735A (en) Network user identification verification method, server and client terminal
WO2019019936A1 (en) File transmission method, apparatus, device and storage medium
EP3206329B1 (en) Security check method, device, terminal and server
CN113221128B (en) Account and password storage method and registration management system
US10439809B2 (en) Method and apparatus for managing application identifier
CN113472716B (en) System access method, gateway device, server, electronic device and storage medium
TW201608499A (en) Transaction device, transaction system using the same and transaction method using the same
TWM595792U (en) Authorization system for cross-platform authorizing access to resources
US11068570B1 (en) Authentication using third-party data
WO2024011863A1 (en) Communication method and apparatus, sim card, electronic device, and terminal device
CN113836506A (en) Identity authentication method, device, system, electronic equipment and storage medium
WO2023236720A1 (en) Device certification method and apparatus, device verification method and apparatus, and device and storage medium
CN112862484A (en) Secure payment method and device based on multi-terminal interaction
CN106779672A (en) The method and device that mobile terminal safety pays
CN111444482B (en) Safe electronic seal management method based on electronic notarization
TWI864705B (en) Verification system and verification method
CN110365492A (en) An authentication method, system, device and medium
CN111935122B (en) Data security processing method and device