TWI824239B - System, device and method for checking password incorrect times through server to complete corresponding operation - Google Patents

Info

Publication number
TWI824239B
Authority
TW
Taiwan
Prior art keywords
certificate
password
client
information
service server
Prior art date
Application number
TW110113404A
Other languages
Chinese (zh)
Other versions
TW202240438A (en)
Inventor
周克遠
曹瑋桓
Original Assignee
臺灣網路認證股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 臺灣網路認證股份有限公司 filed Critical 臺灣網路認證股份有限公司
Priority to TW110113404A priority Critical patent/TWI824239B/en
Publication of TW202240438A publication Critical patent/TW202240438A/en
Application granted granted Critical
Publication of TWI824239B publication Critical patent/TWI824239B/en

Landscapes

  • Computer And Data Communications (AREA)
  • Lock And Its Accessories (AREA)

Abstract

A system, a device and a method for checking the number of incorrect password entries through a server to complete a corresponding operation are provided. By having the server determine whether a password transmitted from a client passes validation, generating an error message based on the number of incorrect password entries when the password fails validation, and performing an operation corresponding to the error message, the system and the method can manage password retries effectively and improve the security of using certificates.

Description

System, device and method for checking the number of password errors through a server to complete an operation

The invention relates to a system, device and method for determining the number of password errors, and in particular to a system, device and method that check the number of password errors through a server in order to complete an operation.

An electronic certificate, also known as a digital certificate, is an identification mechanism used in computer systems. An electronic certificate is one computer file or a set of computer files that records the owner's identity information and a public key. The owner of an electronic certificate can authenticate his or her identity to a computer system and thereby access or use a specific computer service.

The public key contained in a digital certificate corresponds to a private key. Generally, the digital certificate and its corresponding private key are recorded in a certificate file in a certain format, and a certificate file containing a digital certificate and a private key usually has to be encrypted before it can be stored in a computer system. In other words, the certificate file must first be decrypted with the certificate password before the digital certificate and/or the private key can be extracted from it according to the file's format.

However, some applications that use digital certificates currently do not limit the number of times a certificate password may be entered. As a result, someone who obtains a certificate file containing another person's digital certificate can keep trying different strings to open the file until the certificate password is guessed. Some applications do limit the number of password entries, but they only record the current error count locally. A person can back up the file that records the error count before starting to try passwords and restore the backup once the error count reaches a certain value. The locally recorded data is thus easily altered, and the application cannot reliably know how many password attempts have been made against the certificate file.

In summary, the prior art has long had the problem that a certificate password can be tried without limit, so an improved technical means is needed to solve this problem.

In view of the prior-art problem that a certificate password can be tried without limit, the present invention discloses a system, device and method for checking the number of password errors through a server in order to continue an operation, wherein:

The system disclosed by the present invention for checking the number of password errors through a server to complete an operation comprises at least: a client, which obtains login data comprising account data and a certificate password; and a service server, which receives the login data and, when it determines that the certificate password fails verification, accumulates an error count, generates an error message corresponding to the error count, and transmits the error message to the client so that the client performs the operation corresponding to the error message, and which, when it determines that the certificate password passes verification, generates and transmits a permission message to the client. After receiving the permission message, the client uses the certificate password to decrypt a certificate file to obtain certificate data and uses the certificate data to perform a target operation.

The device disclosed by the present invention for checking the number of password errors through a server to complete an operation comprises at least: an input module, which obtains login data comprising account data and a certificate password; a communication module, which transmits the login data to a service server and receives the error message or permission message returned by the service server; a certificate module, which, when the communication module receives the permission message, uses the certificate password to decrypt a certificate file to obtain certificate data; and an execution module, which performs the operation corresponding to the error message when the communication module receives the error message, and which uses the certificate data to perform a target operation.

The method disclosed by the present invention for checking the number of password errors through a server to complete an operation comprises at least the following steps: a client obtains login data, comprising account data and a certificate password, and transmits the login data to a service server; when the service server determines that the certificate password fails verification, it accumulates an error count, generates an error message corresponding to the error count, and transmits the error message to the client so that the client performs the operation corresponding to the error message; when the service server determines that the certificate password passes verification, it generates and transmits a permission message to the client, and after receiving the permission message the client uses the certificate password to decrypt a certificate file to obtain certificate data and uses the certificate data to perform a target operation.

The system, device and method disclosed by the present invention are as described above. They differ from the prior art in that the client transmits the certificate password to the service server, and the service server determines whether the certificate password passes verification and can generate an error message corresponding to the number of certificate password errors, so that the client performs the corresponding operation according to the error message. This solves the problem of the prior art and achieves the technical effect of improving the security of using digital certificates.

The features and implementations of the present invention are described in detail below with reference to the drawings and embodiments. The description is sufficient for anyone skilled in the relevant art to readily understand the technical means the invention applies to solve the technical problem and to implement it accordingly, thereby achieving the effects the invention can attain.

In the present invention, after the user enters the certificate password, the service server generates a corresponding permission message or error message depending on whether the certificate password is correct. When the service server returns a permission message, the client can choose to decrypt the certificate file with the certificate password; when the service server returns an error message, the client can prompt the user to enter the certificate password again or refuse to serve the user.

The operation of the system is first described with reference to "Figure 1", the architecture diagram of the system of the present invention for checking the number of password errors through a server to complete an operation. As shown in "Figure 1", the system of the present invention includes a client 110, a service server 120, and an optional certificate server 140. The client 110 and the service server 120 can be connected through a wired or wireless network in order to transmit data or signals to each other.

The client 110 is responsible for transmitting the login data to the service server 120 and for performing the corresponding operation according to the message returned by the service server. In some embodiments, the client 110 further includes an input module 111, a certificate module 112, a communication module 114, an execution module 115, and an optional computing module 113.

The input module 111 can select the digital certificate to be used, and is also responsible for obtaining the login data and transmitting the obtained login data to the service server 120. Generally, the input module 111 displays a user interface through which the login data is entered. The login data obtained by the input module 111 comprises account data and a certificate password. The account data includes, but is not limited to, an identity card number and/or an account registered in advance on the service server 120.

The certificate module 112 can generate a key pair (in the present invention, the two keys of the pair are referred to as the public key and the private key) and can generate a Certificate Signing Request (CSR) containing the public key.

The certificate module 112 can also use a predetermined format to generate a certificate file that contains the digital certificate received by the communication module 114 in response to the certificate signing request, together with the generated private key. Generally, when generating the certificate file, the certificate module 112 encrypts its content with the certificate password from the login data obtained by the input module 111. That is, the client 110 encrypts the data in which the digital certificate and the private key are combined in the predetermined format to produce the certificate file. The predetermined format is a file format for recording a digital certificate and a private key, such as the PFX or PEM file format, but the invention is not limited thereto.

The certificate module 112 is also responsible, when the communication module 114 receives a permission message, for decrypting the corresponding certificate file with the certificate password from the login data obtained by the input module 111, and can obtain the certificate data after decrypting the certificate file. Note that the certificate file can contain a digital certificate and the private key corresponding to the digital certificate (that is, to the public key it contains), and the certificate module 112 can obtain the certificate data from the digital certificate. The certificate data is usually one or more items contained in the digital certificate, such as the certificate owner's identification data (including but not limited to an identity card number or passport number), the certificate serial number, or the certificate validity period, but the invention is not limited thereto. For example, the certificate data can also be all of the data contained in the digital certificate (that is, the certificate data can be the digital certificate itself).

The certificate module 112 can also perform a certificate deletion operation when the error message received by the communication module 114 indicates that the certificate is to be revoked. For example, the certificate module 112 can delete the certificate file selected by the input module 111, or it can obtain deletion information from the error message and delete the certificate file that the deletion information identifies. The deletion information can contain the storage path and file name of the certificate file, or the certificate serial number of the digital certificate contained in the certificate file, or other data sufficient for the execution module 115 to identify the certificate file to be deleted, but the invention is not limited thereto.

In some embodiments, in addition to the certificate deletion operation, the certificate module 112 can also perform a certificate revocation operation. In more detail, the certificate module 112 can generate a certificate revocation request and transmit it through the communication module 114 to the certificate server 140 to complete the certificate revocation operation. The certificate revocation request contains data sufficient for the certificate server 140 to identify the digital certificate to be deleted, such as the certificate serial number of the digital certificate, but the invention is not limited thereto.

The computing module 113 can generate verification data from the certificate password in the login data obtained by the input module 111. In more detail, the computing module 113 can use the complete or partial certificate password as the verification data, or it can perform a specific operation on the certificate password to produce the verification data. The specific operation is one that yields a value in one-to-one correspondence with the certificate password and from which the certificate password cannot be derived, such as a hash operation, or one that rearranges the positions of the bits contained in the certificate password, but the invention is not limited thereto.

The communication module 114 can transmit the certificate signing request generated by the certificate module 112 to the certificate server 140 in order to apply to the certificate server 140 for a digital certificate. For example, the communication module 114 can transmit the certificate signing request directly to the certificate server 140, or it can transmit the request to the service server 120 so that it reaches the certificate server 140 indirectly through the service server 120.

The communication module 114 can also receive the digital certificate generated by the certificate server 140. Generally, the communication module 114 receives the digital certificate by the same route it used to send the certificate signing request to the certificate server 140. For example, it can receive the digital certificate returned by the certificate server 140 directly, or it can receive it through the service server 120, that is, receive the digital certificate forwarded by the service server 120.

The communication module 114 can also transmit to the service server 120 the account data from the login data obtained by the input module 111 and the certificate data that the certificate module 112 obtained from the digital certificate received by the communication module 114. In some embodiments, the communication module 114 can also transmit the verification data generated by the computing module 113 to the service server 120 together with the account data and the certificate data.

The communication module 114 is also responsible for receiving the permission messages and error messages sent by the service server 120. In some embodiments, the communication module 114 can also receive a security password sent by the service server 120.

The communication module 114 can also transmit to the service server 120 the account data obtained by the input module 111, the certificate data obtained by the certificate module 112, and the signature value generated by the execution module 115.

The communication module 114 can also receive associated data sent by the service server 120. The associated data referred to in the present invention is data that can indicate the identity of the owner of the account data entered through the input module 111. It includes, but is not limited to, the identification data of the owner of the account data (including but not limited to an identity card number or passport number) or the certificate serial number of the digital certificate that the owner of the account data uses with the service server 120, but the invention is not limited thereto. Generally, the associated data is provided when the owner of the account data registers the account data on the service server 120.

The execution module 115 is responsible for completing the corresponding target operation using the certificate data that the certificate module 112 extracted from the certificate file. The target operation performed by the execution module 115 usually involves a signature, for example logging in to the service server 120 or making a transaction with the service server 120. In more detail, when the target operation is logging in to the service server 120, the execution module 115 can use the private key that the certificate module 112 obtained by decrypting the certificate file to generate a signature value, so that the communication module 114 can transmit the account data, the certificate data and the signature value to the service server 120 in order to log in. The execution module 115 can use the private key obtained by the certificate module 112 to sign the account data and/or the certificate data to generate the signature value, or it can use the private key to sign specific data contained in the permission message. When the target operation is a transaction with the service server 120, the client 110 can use the private key to sign the transaction data to generate a signature value and can transmit the transaction data, the digital certificate (or certificate data) and the signature value to the service server 120 to complete the transaction.

The execution module 115 can also use the security password received by the communication module 114 to encrypt the certificate file generated by the certificate module 112, producing a certificate file that has been encrypted a second time (also called the "encrypted file" in the present invention), so that the encrypted file replaces the certificate file. When the communication module 114 receives a permission message, the execution module 115 can use the security password to decrypt the encrypted file and restore it to a certificate file that can be decrypted with the certificate password. If the permission message contains a replacement password in addition to the security password, the execution module 115 can, after the certificate module 112 has decrypted the certificate file, take the replacement password as the new security password and use it to encrypt the certificate file again, producing an encrypted file that replaces the certificate file.

The execution module 115 is also responsible for performing the operation corresponding to an error message when the communication module 114 receives one. For example, when the error message indicates a password error, the execution module 115 can perform a prompt operation. In more detail, the execution module 115 can generate a prompt message and display it to prompt the user to enter the login data again, but the invention is not limited thereto. The prompt message can correspond to the error message and/or can contain all or part of the content of the error message. For example, the prompt message can contain the number of password errors recorded in the error message.

The execution module 115 can also determine whether the certificate data obtained by the certificate module 112 after decrypting the certificate file matches the associated data received by the communication module 114. For example, when the associated data contains identification data and/or a certificate serial number, the execution module 115 can determine whether the owner's identity card number and/or the certificate serial number in the certificate data is the same as the identity card number and/or certificate serial number contained in the associated data.

The service server 120 is responsible for determining whether the certificate password obtained by the client 110 passes verification, for accumulating the error count when the certificate password fails verification, and for generating the corresponding result message according to whether the certificate password passes verification and the accumulated error count. The service server 120 can further include a transmission module 121, a processing module 122 and a login module 123.

The transmission module 121 is responsible for receiving the login data obtained by the client 110, and also for receiving the account data, certificate data and/or verification data obtained by the client 110. The transmission module 121 is also responsible for transmitting the error message or permission message generated by the processing module 122 to the client 110.

The transmission module 121 can also receive the certificate signing request generated by the client 110 and forward it to the certificate server 140, and can receive the digital certificate returned by the certificate server 140 and forward it to the client 110. The transmission module 121 can also transmit the certificate revocation request generated by the processing module 122 to the certificate server 140 to complete the certificate revocation operation.

The transmission module 121 can also transmit the security password generated by the processing module 122 to the client 110. Generally, the transmission module 121 sends the security password to the client 110 together with the digital certificate it forwards from the certificate server 140, but the invention is not limited thereto.

The processing module 122 can store the account data, certificate data and verification data received by the transmission module 121 as one record. It can also obtain the certificate data from the digital certificate received by the transmission module 121 and store the account data and verification data received by the transmission module 121, together with the certificate data so obtained, as one record. In some embodiments, if the verification data received by the transmission module 121 was not produced by the client 110 performing the specific operation but is the complete or partial certificate password, the processing module 122 can perform the specific operation on the verification data and use the result as the new verification data.

The processing module 122 is also responsible for determining whether the certificate password received by the transmission module 121 passes verification. Generally, the processing module 122 reads the verification data corresponding to the account data received by the transmission module 121, performs the specific operation on the certificate password to produce the corresponding value, and compares that value with the verification data it read. When the value and the verification data are the same, the processing module 122 determines that the certificate password passes verification; when they differ, the processing module 122 determines that the certificate password fails verification.

The processing module 122 is also responsible, when it determines that the certificate password received by the transmission module 121 fails verification, for accumulating the error count corresponding to the account data received by the transmission module 121 and for generating the error message corresponding to the accumulated error count. In more detail, the processing module 122 can determine whether the accumulated error count has reached a predetermined threshold. If the accumulated error count has not reached the threshold, the processing module 122 can generate an error message indicating a password error; if the error count has reached the threshold, the processing module 122 can generate an error message indicating that the certificate is to be revoked, and can generate a certificate revocation request to carry out the certificate revocation operation. In some embodiments, the error message can contain the error count.

The processing module 122 is also responsible for generating a permission message when it determines that the certificate password received by the transmission module 121 passes verification. The processing module 122 can read the corresponding security password from a pre-stored record according to the account data received by the transmission module 121 and, when generating the permission message, can generate a permission message that includes the security password it read. In some embodiments, when reading the security password, the processing module 122 can further generate a new security password (also called the "substitute password" in the present invention), update the security password that corresponds to the received account data in the pre-stored record to the substitute password, and generate a permission message that includes both the security password it read and the newly generated substitute password.

The processing module 122 can also read the corresponding certificate data from a pre-stored record according to the account data in the login data received by the transmission module 121, use the certificate data it read as associated data, and generate a permission message that includes the associated data. In some embodiments, the processing module 122 can add the associated data to the SESSION of the connection with the client 110, so that the transmission module 121 sends the associated data to the client 110 together with the permission message.

The login module 123 can use the account data and certificate data received by the transmission module 121 to decide whether to allow the client 110 to log in. For example, the login module 123 can allow the client 110 to log in to the service server 120 when it determines that the received account data and certificate data have been registered, that is, when a record containing both the account data and the certificate data exists. The login module 123 can refuse the client 110's login to the service server 120 when it determines that the received account data and certificate data have not been registered, or that no corresponding account data and certificate data exist.

The login module 123 can also decide whether to allow the client 110 to log in to the service server 120 according to the account data, certificate data and signature value received by the transmission module 121. In more detail, when the login module 123 determines that the account data and certificate data have been registered, it can additionally obtain, according to the certificate data, the public key contained in the corresponding digital certificate and use that public key to verify the signature value. Only if the signature value passes verification does the login module 123 allow the client 110 to log in to the service server 120; if the signature value fails verification, the login module 123 does not allow the client 110 to log in to the service server 120.

The certificate server 140 can receive a certificate signing request sent by the client 110 or the service server 120, and can send the digital certificate corresponding to the received certificate signing request to the client 110 or service server 120 that issued the request.

The certificate server 140 can be a certificate authority (CA) server, in which case it can generate the corresponding digital certificate according to the received certificate signing request. The certificate server 140 can also be a registration authority (RA) server, in which case it can forward the received certificate signing request to the CA server and receive the digital certificate that the CA server returns.

The certificate server 140 can also receive a certificate revocation request sent by the client 110 or the service server 120, and can revoke the digital certificate indicated by the certificate revocation request.

Next, an embodiment is used to explain the operation of the system and method of the present invention; please refer to "Figure 2A", the flowchart of the method of the present invention for checking the number of password errors through a server to complete an operation. In this embodiment the service server 120 is assumed to be a financial service server, but the present invention is not limited to this.

First, if the user has no digital certificate, the user can operate the client 110 to apply to the certificate server 140 for the user's digital certificate. In this embodiment, following the flow shown in "Figure 2B", the user can operate the client 110 to connect to the service server 120 and, once connected, operate the client 110 to apply for a digital certificate. The input module 111 of the client 110 can then provide an input interface for the user to enter the account data and the certificate password (the login data); the computing module 113 of the client 110 can generate a hash value of the certificate password entered through the input module 111; the certificate module 112 of the client 110 can generate a key pair comprising a public key and a private key and use the public key to generate a certificate signing request; and the communication module 114 of the client 110 can send the account data entered through the input module 111, the hash value of the certificate password generated by the computing module 113, and the certificate signing request generated by the certificate module 112 to the service server 120, thereby applying to the certificate server 140 for a digital certificate through the service server 120 (step 201).

After the transmission module 121 of the service server 120 receives the account data, the hash value of the certificate password and the certificate signing request sent by the client 110, it can forward the certificate signing request to the certificate server 140 so that the certificate server 140 issues a digital certificate according to the request, and it can receive the digital certificate of the client 110 that the certificate server 140 returns. The processing module 122 of the service server 120 can then extract the certificate data, for example the certificate serial number, from the digital certificate received by the transmission module 121 (step 205).

Next, the processing module 122 of the service server 120 can store the account data and the hash value of the certificate password received by the transmission module 121, together with the extracted certificate serial number, as one record, and the transmission module 121 of the service server 120 can forward the digital certificate received from the certificate server 140 back to the client 110 (step 207).

After the communication module 114 of the client 110 receives the digital certificate sent by the service server 120, the certificate module 112 of the client 110 can encrypt the received digital certificate and the private key of the generated key pair with the certificate password entered through the input module 111 of the client 110, thereby producing a certificate file that contains the digital certificate and the private key, and can store that certificate file.

Returning to "Figure 2A": when the user of the client 110 needs to log in to the service server 120 to use the services it provides, the input module 111 of the client 110 can obtain, through the user interface it provides, the login data entered by the user, which comprises the account data and the certificate password, and the communication module 114 of the client 110 can send the login data obtained by the input module 111 to the service server 120 (step 220).

After the transmission module 121 of the service server 120 receives the login data sent by the client 110, the processing module 122 of the service server 120 can determine whether the certificate password contained in the received login data passes verification (step 230). In this embodiment, it is assumed that the processing module 122 can read, from the record stored while the client 110 applied to the certificate server 140 for a digital certificate through the service server 120, the hash value of the certificate password (the verification data) that corresponds to the account data received by the transmission module 121. It can then hash the received certificate password to produce the corresponding computed value, compare the computed value with the verification data it read, and determine whether the certificate password passes verification according to whether the two are the same.

If the processing module 122 of the service server 120 determines that the certificate password received by the transmission module 121 of the service server 120 fails verification, then, as shown in the flow of "Figure 2C", the processing module 122 can accumulate the error count corresponding to the account data received by the transmission module 121 (step 241) and further determine whether the accumulated error count has reached the threshold (step 243). If not, the processing module 122 can generate an error message indicating a wrong password, and the transmission module 121 can send that error message to the client 110 (step 245); after the communication module 114 of the client 110 receives the error message, the execution module 115 of the client 110 can prompt the user, according to the received error message, to enter the login data again, and the communication module 114 can send the re-entered login data to the service server 120 (step 220). If so, that is, if the error count corresponding to the account data received by the transmission module 121 of the service server 120 has reached the threshold, the processing module 122 of the service server 120 can generate an error message indicating certificate revocation, and the transmission module 121 can send that error message to the client 110 (step 247); after the communication module 114 of the client 110 receives the error message indicating certificate revocation, the certificate module 112 of the client 110 can delete the certificate file containing the corresponding digital certificate according to the related data included in the received error message (step 295). Here, the processing module 122 of the service server 120 can read, from the pre-established record, the certificate serial number (the certificate data) corresponding to the account data received by the transmission module 121 and generate an error message that includes that serial number, so that the certificate module 112 of the client 110 can find the certificate file containing the digital certificate that corresponds to the certificate serial number in the error message and delete it.
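The password error handling of "Figure 2C" (steps 230 to 247 and 295), as an added sketch that is not code from the patent: the error count is kept per account on the service server, so a fresh client instance does not reset it. The threshold of 3, the SHA-256 hash, the message field names, the `revoked` flag and the handling of unknown or already-revoked accounts are assumptions made for the sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass

THRESHOLD = 3  # assumed value; the page only says "predetermined threshold"


def password_hash(cert_password: str) -> str:
    """Hash used as verification data. SHA-256 is an assumption: the page
    names no algorithm, and a deployment would pick a slow, salted KDF."""
    return hashlib.sha256(cert_password.encode("utf-8")).hexdigest()


@dataclass
class Record:
    verification_data: str   # hash stored during the certificate application
    cert_serial: str         # certificate data taken from the issued certificate
    error_count: int = 0
    revoked: bool = False    # hypothetical flag, not named on the page


class ServiceServer:
    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        self.records = {}
        self.revocation_requests = []  # stand-in for requests to the certificate server

    def enroll(self, account: str, pw_hash: str, cert_serial: str) -> None:
        self.records[account] = Record(pw_hash, cert_serial)

    def check_login(self, account: str, cert_password: str) -> dict:
        rec = self.records.get(account)
        if rec is None:
            # Assumption: unknown accounts get the same answer as a wrong password.
            return {"type": "error", "reason": "wrong_password"}
        if rec.revoked:
            # Assumption: once revoked, even the right password is refused.
            return {"type": "error", "reason": "certificate_revoked",
                    "cert_serial": rec.cert_serial}
        computed = password_hash(cert_password)
        if hmac.compare_digest(computed, rec.verification_data):   # step 230
            return {"type": "permit"}                                # step 250
        rec.error_count += 1                                         # step 241
        if rec.error_count < self.threshold:                         # step 243
            return {"type": "error", "reason": "wrong_password",
                    "error_count": rec.error_count}                  # step 245
        rec.revoked = True
        self.revocation_requests.append(rec.cert_serial)
        return {"type": "error", "reason": "certificate_revoked",
                "cert_serial": rec.cert_serial}                      # step 247


class Client:
    def __init__(self, cert_files: dict):
        # serial number -> encrypted certificate file (opaque bytes here)
        self.cert_files = dict(cert_files)

    def handle(self, message: dict) -> str:
        if message["type"] == "permit":
            return "proceed"                       # continue with step 270
        if message["reason"] == "certificate_revoked":
            # Step 295: delete only the file whose serial the server named.
            self.cert_files.pop(message["cert_serial"], None)
            return "certificate_file_deleted"
        return "prompt_again"                      # back to step 220


def run_demo() -> list:
    """Three wrong guesses against a constructed account, each sent from a
    brand-new Client object to show the count lives on the server."""
    server = ServiceServer(threshold=3)
    server.enroll("alice", password_hash("correct horse"), "SERIAL-0001")
    outcomes = []
    for guess in ("wrong-1", "wrong-2", "wrong-3"):   # constructed input
        client = Client({"SERIAL-0001": b"constructed file"})
        outcomes.append(client.handle(server.check_login("alice", guess)))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```
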

Returning again to "Figure 2A": when the processing module 122 of the service server 120 determines whether the certificate password contained in the login data passes verification (step 230), if it determines that the certificate password received by the transmission module 121 of the service server 120 passes verification, the processing module 122 can generate a permission message, and the transmission module 121 can send the permission message generated by the processing module 122 back to the client 110 (step 250).

After the communication module 114 of the client 110 receives the permission message sent by the service server 120, the certificate module 112 of the client 110 can use the certificate password in the obtained login data to obtain the certificate data (step 270). In this embodiment, it is assumed that the certificate module 112 can use the certificate password to decrypt the certificate file, take the digital certificate out of the certificate file, and extract the certificate serial number from the digital certificate as the certificate data.

After the certificate module 112 of the client 110 obtains the certificate data, the communication module 114 of the client 110 can send the certificate data obtained by the certificate module 112 and the account data in the login data obtained by the input module 111 of the client 110 to the service server 120 in order to log in to the service server 120 (step 290). In this embodiment, it is assumed that after the transmission module 121 of the service server 120 receives the account data and the certificate data, the login module 123 of the service server 120 can decide whether to allow the client 110 to log in to the service server 120 according to whether the received account data and certificate data have been registered. For example, when a registration record containing the account data and the certificate data exists, the login module 123 can allow the client 110 to log in to the service server 120; otherwise, the login module 123 can refuse the client 110's login to the service server 120.

In this way, through the present invention, the service server 120 can determine whether the certificate password entered by the user of the client 110 is correct and accumulate an error count when it is wrong, so that whether the user may continue to enter the certificate password can be decided according to the error count accumulated by the service server.

In the above embodiment, as shown in the flow of "Figure 2D", after the transmission module 121 of the service server 120 receives the digital certificate returned by the certificate server 140 (step 205), the processing module 122 of the service server 120 can also generate a security password; for example, the processing module 122 can use the Advanced Encryption Standard (AES) to generate the security password. The transmission module 121 of the service server 120 can send the security password generated by the processing module 122 to the client 110 together with the digital certificate received from the certificate server 140 (step 209).

After the communication module 114 of the client 110 receives the digital certificate and the security password sent by the service server 120, the certificate module 112 of the client 110 can encrypt the digital certificate and the private key of the generated key pair with the certificate password using the Advanced Encryption Standard to produce the certificate file. The execution module 115 of the client 110 can then encrypt the certificate file with the security password received by the communication module 114 to produce an encrypted file (step 210). The execution module 115 of the client 110 can also store the security password.

In this way, after the processing module 122 of the service server 120 determines that the certificate password in the login data received by the transmission module 121 of the service server 120 passes verification (step 230), and when it generates the permission message for the client 110 (step 250), the processing module 122 can also read from the pre-established record the security password that corresponds to the account data in the login data (step 253) and generate a permission message that includes the security password it read, and the transmission module 121 of the service server 120 can send the permission message containing the security password to the client 110 (step 255).

After the communication module 114 of the client 110 receives the permission message sent by the service server 120, the execution module 115 of the client 110 can use the security password in the received permission message to decrypt the previously generated encrypted file and restore the certificate file (step 260). The certificate module 112 of the client 110 can then use the certificate password to decrypt the certificate file restored by the execution module 115 and obtain the certificate data (step 270).

Furthermore, when the processing module 122 of the service server 120 generates the permission message for the client 110 (step 250), it can read from the pre-established record the security password that corresponds to the account data in the login data (step 253) and generate a substitute password, and at the same time replace the security password that corresponds to that account data in the pre-established record with the substitute password, so that the substitute password becomes the new security password. The processing module 122 can then generate a permission message that includes both the original security password and the newly generated substitute password (step 255). After the transmission module 121 of the service server 120 sends the permission message generated by the processing module 122 to the client 110 and the communication module 114 of the client 110 receives it, the execution module 115 of the client 110 can use the original security password in the received permission message to decrypt the previously generated encrypted file and restore the certificate file (step 260), and the certificate module 112 of the client 110 can use the certificate password to decrypt the certificate file restored by the execution module 115 and obtain the certificate data (step 270). After the certificate module 112 obtains the certificate data, the execution module 115 can use the substitute password in the permission message to encrypt the certificate file again and produce a new encrypted file. Because a different security password is used after every access of the client 110 to the certificate file, the possibility of the security password being stolen can be avoided, further improving the security of the certificate file.
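The security-password rotation of "Figure 2D" (steps 209, 210, 253, 255 and 260), as an added sketch that is not code from the patent. The page names AES for the file encryption; to stay within the Python standard library, this sketch swaps in a SHAKE-256 keystream with an HMAC-SHA256 tag as a stand-in, and the message field names and 32-byte random security passwords are likewise assumptions.

```python
import hashlib
import hmac
import secrets


def _subkeys(security_password: bytes):
    # Separate keys for encryption and authentication (assumed construction).
    enc = hmac.new(security_password, b"enc", hashlib.sha256).digest()
    mac = hmac.new(security_password, b"mac", hashlib.sha256).digest()
    return enc, mac


def wrap(cert_file: bytes, security_password: bytes) -> bytes:
    """Outer encryption layer of step 210. Stand-in for AES: keystream XOR
    followed by a MAC, laid out as nonce | body | tag."""
    enc, mac = _subkeys(security_password)
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(enc + nonce).digest(len(cert_file))
    body = bytes(a ^ b for a, b in zip(cert_file, stream))
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap(blob: bytes, security_password: bytes) -> bytes:
    """Step 260. Raises ValueError for a wrong security password."""
    if len(blob) < 48:
        raise ValueError("encrypted file too short")
    enc, mac = _subkeys(security_password)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong security password or modified file")
    stream = hashlib.shake_256(enc + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class ServiceServer:
    def __init__(self):
        self.security_passwords = {}   # account -> current security password

    def issue(self, account: str) -> bytes:
        """Step 209: generate the first security password for an account."""
        pw = secrets.token_bytes(32)
        self.security_passwords[account] = pw
        return pw

    def permit(self, account: str) -> dict:
        """Steps 253 and 255, reached only after step 230 succeeded.
        The record is replaced before the client has re-encrypted; the page
        does not describe recovery if this message never arrives."""
        current = self.security_passwords[account]
        substitute = secrets.token_bytes(32)
        self.security_passwords[account] = substitute
        return {"security_password": current, "substitute_password": substitute}


class Client:
    def __init__(self, cert_file: bytes, security_password: bytes):
        # cert_file is already encrypted with the certificate password.
        self.encrypted_file = wrap(cert_file, security_password)    # step 210

    def use_certificate(self, permit: dict) -> bytes:
        cert_file = unwrap(self.encrypted_file, permit["security_password"])
        # Step 270 (decrypting cert_file with the certificate password) goes here.
        self.encrypted_file = wrap(cert_file, permit["substitute_password"])
        return cert_file


def demo() -> tuple:
    """Two logins; between them the first security password stops working."""
    server = ServiceServer()
    first_pw = server.issue("alice")
    inner = b"constructed certificate file (inner layer)"
    client = Client(inner, first_pw)
    first_ok = client.use_certificate(server.permit("alice")) == inner
    try:
        unwrap(client.encrypted_file, first_pw)
        old_rejected = False
    except ValueError:
        old_rejected = True
    second_ok = client.use_certificate(server.permit("alice")) == inner
    return first_ok, old_rejected, second_ok


if __name__ == "__main__":
    print(demo())
```
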

In addition, in the above embodiment, after the processing module 122 of the service server 120 determines that the certificate password contained in the login data received by the transmission module 121 of the service server 120 passes verification (step 230), and when it generates and sends the permission message to the client 110 (step 250), then, as shown in the flow of "Figure 2E", the processing module 122 can read from the pre-stored record the certificate data that corresponds to the account data in the login data, for example the identity card number of the owner of the account data or the serial number of the certificate used by that owner, and use the certificate data it read as associated data (step 251). The transmission module 121 can send the associated data to the client 110 together with the permission message (step 259). Here, the processing module 122 can add the associated data to the SESSION of the connection with the client 110, so that when the transmission module 121 sends the permission message, the associated data is sent to the client 110 along with it by way of the SESSION.

In this way, after the communication module 114 of the client 110 receives the permission message and the associated data sent by the service server 120, and the certificate module 112 of the client 110 uses the certificate password in the login data obtained by the input module 111 of the client 110 to obtain the certificate data (step 270), the execution module 115 of the client 110 can determine whether the certificate data obtained by the certificate module 112 matches the associated data received by the communication module 114 (step 280), for example by checking whether the owner's identity card number or the certificate serial number in the certificate data is the same as the corresponding item in the associated data. If not, the execution module 115 can generate and display an error message indicating that identity confirmation failed (step 285) to notify the user of the client 110. Only if the execution module 115 determines that the certificate data matches the associated data can the communication module 114 of the client 110 send the certificate data obtained by the certificate module 112 and the account data in the login data obtained by the input module 111 of the client 110 to the service server 120 in order to log in to the service server 120 (step 290).

In summary, the difference between the present invention and the prior art is the following technical means: the client sends the certificate password to the service server, the service server determines whether the certificate password passes verification and can generate a corresponding error message according to the number of certificate password errors, and the client performs the corresponding operation according to the error message. This technical means solves the problem in the prior art that a certificate password can be tried without limit, and thereby achieves the technical effect of improving the security of using digital certificates.

Furthermore, the method of the present invention for checking the number of password errors through a server to complete an operation can be implemented in hardware, in software, or in a combination of hardware and software, and can be implemented in a centralized manner in one computer system or in a distributed manner in which different elements are spread across several interconnected computer systems.

Although the embodiments of the present invention are disclosed as above, the content described is not intended to directly limit the scope of patent protection of the present invention. Any slight change or refinement in the form or details of the implementation of the present invention made by a person of ordinary skill in the technical field to which the present invention belongs, without departing from the spirit and scope disclosed by the present invention, falls within the scope of patent protection of the present invention. The scope of patent protection of the present invention is still to be determined by what the appended claims define.

110: Client
111: Input module
112: Certificate module
113: Computing module
114: Communication module
115: Execution module
120: Service server
121: Transmission module
122: Processing module
123: Login module
140: Certificate server
Step 201: The client applies to the certificate server for a digital certificate
Step 205: The service server receives the digital certificate generated by the certificate server and extracts the certificate data from the digital certificate
Step 207: The service server sends the digital certificate to the client
Step 209: The service server generates a security password and sends the security password to the client
Step 210: The client encrypts the certificate file with the security password to produce an encrypted file
Step 220: The client obtains the account data and certificate password and sends them to the service server
Step 230: The service server determines whether the certificate password passes verification
Step 240: The service server accumulates the error count, generates an error message according to the error count, and sends the error message to the client
Step 241: The service server accumulates the error count
Step 243: The service server determines whether the error count exceeds the threshold
Step 245: The service server generates an error message indicating a wrong password and sends the error message to the client
Step 247: The service server generates an error message indicating certificate revocation and sends it to the client
Step 250: The service server generates a permission message and sends it to the client
Step 251: The service server reads the associated data
Step 253: The service server reads the security password
Step 255: The service server generates a permission message containing the security password and sends the permission message to the client
Step 259: The service server sends the permission message and the associated data to the client
Step 260: The client decrypts the encrypted file with the security password to restore the certificate file
Step 270: The client decrypts the certificate file with the certificate password to obtain the certificate data
Step 280: The client determines whether the certificate data matches the associated data
Step 285: The client generates and displays an error message indicating that identity confirmation failed
Step 290: The client performs the target operation according to the certificate data
Step 295: The client deletes the certificate file containing the corresponding digital certificate according to the error message

Figure 1 is an architecture diagram of the system of the present invention for checking the number of password errors through a server to continue an operation.
Figure 2A is a flow chart of the method of the present invention for checking the number of password errors through a server to complete an operation.
Figure 2B is a flow chart of the method of the present invention by which the service server obtains information related to the digital certificate.
Figure 2C is a flow chart of the password error handling process of the present invention.
Figure 2D is a flow chart of the method of the present invention for encrypting and decrypting the certificate file with a security password.
Figure 2E is a flow chart of the method of the present invention for confirming the user's identity with associated information.

Step 220: The client obtains the account information and the certificate password and sends them to the service server

Step 230: The service server determines whether the certificate password passes verification

Step 240: The service server accumulates the number of errors, generates an error message according to the number of errors, and sends the error message to the client

Step 250: The service server generates a permission message and sends it to the client

Step 270: The client uses the certificate password to decrypt the certificate file to obtain the certificate information

Step 290: The client executes the target operation using the certificate information

Claims (10)

1. A method for checking the number of password errors through a server to complete an operation, the method comprising at least the following steps: a client generates a certificate file containing a digital certificate; a client obtains login information and sends the login information to a service server, the login information including account information and a certificate password; when the service server determines, based on verification data stored during the application process of the digital certificate, that the certificate password fails verification, the service server accumulates a number of errors, generates a corresponding error message according to the number of errors, and sends the error message to the client, so that the client performs an operation corresponding to the error message; and when the service server determines, based on the verification data, that the certificate password passes verification, the service server generates and sends a permission message to the client, and the client, after receiving the permission message, uses the certificate password to decrypt the certificate file to obtain certificate information and uses the certificate information to perform a target operation, wherein the certificate information is the digital certificate or one or more items of data contained in the digital certificate.

2. The method for checking the number of password errors through a server to complete an operation as described in claim 1, wherein the step in which the service server generates the corresponding error message according to the number of errors is that the service server generates the error message indicating certificate revocation when the number of errors reaches a threshold, and generates the error message indicating an incorrect password when the number of errors has not reached the threshold; and the operation that the client performs in correspondence with the error message is that the client deletes the certificate file containing the corresponding digital certificate according to the error message indicating certificate revocation, or displays an error prompt according to the error message indicating an incorrect password.

3. The method for checking the number of password errors through a server to complete an operation as described in claim 1, wherein, before the step in which the client obtains the login information, the method further comprises receiving a security password generated by the service server and using the security password to encrypt the certificate file to generate an encrypted file; and, before the step in which the client uses the certificate password to decode the certificate file to obtain the certificate information, the method further comprises a step in which the client uses the security password included in the permission message to decrypt the encrypted file to restore the certificate file.

4. The method for checking the number of password errors through a server to complete an operation as described in claim 1, wherein the step in which the client generates the certificate file containing the digital certificate further comprises a step in which the client, after connecting to a certificate server to apply for the digital certificate, generates the certificate file containing the digital certificate and sends related information of the digital certificate and the certificate password to the service server; or comprises a step in which the client applies to the certificate server for the digital certificate through the service server, so that the service server obtains the related information of the digital certificate and the certificate password and sends the digital certificate to the client, and the client generates the certificate file containing the digital certificate.

5. The method for checking the number of password errors through a server to complete an operation as described in claim 1, wherein the step in which the service server generates and sends the permission message to the client further comprises a step in which the service server reads associated information according to the account information and sends the associated information to the client; and, before the step in which the client uses the certificate password to decrypt the certificate file to obtain the certificate information, the method further comprises a step in which the client determines whether the certificate information matches the associated information.

6. A system for checking the number of password errors through a server to complete an operation, the system comprising at least: a client, configured to generate a certificate file containing a digital certificate and to obtain login information, the login information including account information and a certificate password; and a service server, configured to receive the login information; to accumulate a number of errors when it determines, based on verification data stored during the application process of the digital certificate, that the certificate password fails verification, generate a corresponding error message according to the number of errors, and send the error message to the client so that the client performs an operation corresponding to the error message; and to generate and send a permission message to the client when it determines, based on the verification data, that the certificate password passes verification, wherein the client, after receiving the permission message, uses the certificate password to decrypt a certificate file to obtain certificate information and uses the certificate information to perform a target operation, wherein the certificate information is the digital certificate or one or more items of data contained in the digital certificate.

7. The system for checking the number of password errors through a server to complete an operation as described in claim 6, wherein the service server generates the error message indicating certificate revocation when the number of errors reaches a threshold, and generates the error message indicating an incorrect password when the number of errors has not reached the threshold; and the client deletes the certificate file containing the corresponding digital certificate according to the error message indicating certificate revocation, or displays an error prompt according to the error message indicating an incorrect password.

8. The system for checking the number of password errors through a server to complete an operation as described in claim 6, wherein the service server is further configured to generate a security password and send the security password to the client, and to generate the permission message including the security password; and the client is further configured to use the security password to encrypt the certificate file to generate the encrypted file, and, upon receiving the permission message, to use the security password to decrypt the encrypted file to generate the certificate file.

9. The system for checking the number of password errors through a server to complete an operation as described in claim 6, wherein the service server is further configured to read associated information according to the account information and to send the permission message and the associated information to the client; and the client is further configured, upon receiving the permission message, to determine whether the certificate information matches the associated information, and, when the certificate information matches the associated information, to send the certificate information and the account information to the service server.

10. A device for checking the number of password errors through a server to complete an operation, the device comprising at least: an input module, configured to obtain login information, the login information including account information and a certificate password; a communication module, configured to send the login information to a service server, and to receive an error message or a permission message returned by the service server after it verifies the certificate password based on verification data stored during the application process of the digital certificate, wherein the error message is generated according to the number of times the certificate password has failed verification; a certificate module, configured to generate a certificate file containing a digital certificate, and, when the communication module receives the permission message, to use the certificate password to decrypt the certificate file to obtain certificate information, wherein the certificate information is the digital certificate or one or more items of data contained in the digital certificate; and an execution module, configured to perform an operation corresponding to the error message when the communication module receives the error message, and to use the certificate information to perform a target operation.
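The server-side counting and threshold behaviour of claims 1 and 2 (steps 230 to 247 and step 295) can be traced in a small simulation; this is an added sketch, not code from the patent or its applicant. The threshold value, the message field names, the PBKDF2 form of the "verification data", and the choice to keep a revoked account revoked are all assumptions, and the certificate file is a constructed placeholder.

```python
import hashlib, hmac, os, tempfile
from dataclasses import dataclass

THRESHOLD = 3  # assumed value; the claims only say "a threshold"

def derive(password: str, salt: bytes) -> bytes:
    # Assumed form of the stored "verification data": a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    verifier: bytes
    errors: int = 0
    revoked: bool = False

class ServiceServer:
    def __init__(self):
        self.accounts = {}
    def enroll(self, account_id, cert_password):
        salt = os.urandom(16)
        self.accounts[account_id] = Account(salt, derive(cert_password, salt))
    def login(self, account_id, cert_password):
        acct = self.accounts.get(account_id)
        if acct is None:  # unknown account: same answer as a wrong password
            return {"type": "error", "reason": "password_error"}
        if acct.revoked:  # assumption: revocation is permanent
            return {"type": "error", "reason": "certificate_revoked"}
        if hmac.compare_digest(derive(cert_password, acct.salt), acct.verifier):
            return {"type": "permission"}  # step 250
        acct.errors += 1  # step 241; the count never leaves the server
        if acct.errors >= THRESHOLD:  # step 243, "reaches" as in claim 2
            acct.revoked = True
            return {"type": "error", "reason": "certificate_revoked"}  # step 247
        return {"type": "error", "reason": "password_error"}  # step 245

class Client:
    def __init__(self, server, account_id, cert_path):
        self.server, self.account_id, self.cert_path = server, account_id, cert_path
    def attempt(self, cert_password):
        msg = self.server.login(self.account_id, cert_password)
        if msg["type"] == "permission":
            return "proceed"  # step 270 would decrypt the certificate file here
        if msg["reason"] == "certificate_revoked":
            if os.path.exists(self.cert_path):
                os.remove(self.cert_path)  # step 295
            return "certificate_deleted"
        return "retry"  # show the error prompt and let the user try again

def run_demo():
    """Constructed scenario: alice fails three times, bob mistypes once."""
    server = ServiceServer()
    server.enroll("alice", "correct-horse")
    server.enroll("bob", "example-passphrase")
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n + ".p12") for n in ("alice", "bob")}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"placeholder for an encrypted certificate file")
        alice = Client(server, "alice", paths["alice"])
        bob = Client(server, "bob", paths["bob"])
        alice_log = [alice.attempt(p) for p in ("a", "b", "c", "correct-horse")]
        bob_log = [bob.attempt(p) for p in ("typo", "example-passphrase")]
        return alice_log, os.path.exists(paths["alice"]), bob_log, os.path.exists(paths["bob"])
```

Step 243 is worded as "exceeds the threshold" while claim 2 says "reaches a threshold"; the sketch follows claim 2, so an implementation has to pick one reading and test the boundary attempt explicitly.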

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110113404A TWI824239B (en) 2021-04-14 2021-04-14 System, device and method for checking password incorrect times through server to complete corresponding operation


Publications (2)

Publication Number Publication Date
TW202240438A TW202240438A (en) 2022-10-16
TWI824239B true TWI824239B (en) 2023-12-01

Family

ID=85460447
