
TWI578253B - System and method for applying financial certificate using a mobile telecommunication device - Google Patents

  • ️Tue Apr 11 2017
System and method for applying financial certificate using a mobile telecommunication device

Publication number
TWI578253B
Authority
TW
Taiwan
Prior art keywords
financial
voucher
mobile communication
communication device
user
Prior art date
2012-01-05
Application number
TW101100424A
Other languages
Chinese (zh)
Other versions
TW201303780A (en)
Inventor
劉根田
翁維仁
盧郁中
李季壕
蔡靜芬
Original Assignee
中華信股份有限公司
Priority date
2012-01-05
Filing date
2012-01-05
Publication date
2017-04-11
2012-01-05 Application filed by 中華信股份有限公司
2012-01-05 Priority to TW101100424A
2012-12-24 Priority to CN201210575295.6A (CN103077461B)
2013-01-16 Publication of TW201303780A
2017-04-11 Application granted
2017-04-11 Publication of TWI578253B

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Description

System and method for applying for a financial certificate using a mobile communication device

The present invention is a system and method for applying for a financial certificate using a mobile communication device. In particular, it lets a mobile user enter, over a mobile communication network, their financial account number, national ID number, and the other data required for the certificate application, after which a mobile phone financial certificate management system handles identity authentication and a financial certificate registration center processes the certificate application.

A digital certificate is issued by a trusted third-party certification authority after it has verified the user's identity; its content attests to the identity and capabilities of the holder. Digital certificates are increasingly common in network applications. Like a user's online ID card and digital seal, they are currently the mechanism most commonly used to establish identity on the Internet. Digital certificates apply Public Key Infrastructure (PKI) technology and therefore provide identity confirmation, data integrity, data confidentiality, and non-repudiation of transactions.

Financial certificates are electronic certificates for use in the financial sector (such as online banking and securities order placement), issued under the regulations of the competent authority of the Ministry of Finance by a certificate authority approved by the Ministry of Economic Affairs. Because a financial certificate represents the user's identity, the applicant is always required to apply in person at a counter. In addition to filling in the application documents, the applicant must provide supporting documents (such as a photo ID card or driver's license) and a seal.

The most common financial certificates are already widely used in the securities industry. When a user wants to apply to a securities firm for a financial certificate, the user must go in person to the firm's counter, fill in the application form, and present an identity document. The securities firm also requires the user to go in person to a partner bank and open a new account authorized for securities debits. This procedure is complicated and inconvenient.

Patent I340579 is a system in which a computer applies to a server for an electronic certificate and requests a secret key on behalf of an electronic mobile device. A computer with better electronic certificate management and network connectivity applies to the server for the electronic certificate and requests the secret key; the server then sends an identity verification request signal to the electronic mobile device to request confirmation and, after confirmation, transmits an electronic certificate to the electronic mobile device. In patent I307235, the user enters SMS content such as a telephone number and sends it to a short message service communication system, which verifies whether the telephone that sent the message matches the telephone number in the message content; passing this check completes the certificate application. That patent, however, relies only on the authentication data supplied when the user subscribed for the mobile device, so anyone who obtains the mobile phone can easily impersonate its owner and apply for a certificate. It clearly cannot meet the higher security requirements of financial certificate applications.

One object of this patent is to provide an application system that lets users apply for a financial certificate online through a mobile communication device. Unlike earlier application methods, the user does not need to bring identity documents to an issuing office; the certificate can be applied for easily through a mobile communication device and then used for application services such as transactions, financial payments, or bill payment.

Another object of this patent is to provide a mobile communication device that can apply for a financial certificate online. To reduce the risk that data on the mobile communication device (including certificate data) is leaked or misused, this patent combines the user's personal identification number (Personal Identity Number, PIN), the mobile device's International Mobile Equipment Identity (IMEI), and the International Mobile Subscriber Identity (IMSI) of the Subscriber Identity Module (SIM card) to encrypt and protect user data (including the certificate file, financial data, and basic user data). In other words, without knowing the user's PIN, obtaining the mobile communication device, or obtaining the SIM card applied for, the certificate stored on the mobile communication device cannot be used.

A further object of this patent is to adopt a separated design that complies with current principles for issuing financial certificates, providing a mobile phone certificate management system that is dedicated to accepting mobile phone financial certificate applications and managing the financial certificate application functions of mobile phones, and that is responsible for verifying the identity of the mobile communication device user and of the financial account.

A further object of this patent is to adopt a separated design that complies with current principles for issuing financial certificates, providing a separate financial certificate registration management system that, on the basis of the authentication performed by the aforementioned mobile phone certificate management system, accepts a certificate application from a mobile phone and transmits the certificate file for that application to the mobile phone.

To achieve the above objects, this patent adopts a separated architecture and proposes an application system, compliant with current principles for issuing financial certificates, that lets a mobile communication device apply for a financial certificate online. The system consists of a mobile communication device, a mobile phone financial certificate management system, a mobile communication network provider, a telecommunication system, at least one financial system, a financial certificate registration center, and a financial certificate management center.

The mobile communication device of this application system lets the user enter and temporarily store on the device the user's national ID number, financial account number, and the user data required for the financial certificate application, and then uses the device's mobile network connectivity to transmit this data to a mobile phone financial certificate management system. During this transmission, the management system can obtain from a mobile communication network provider the communication subscriber identifier (such as the IMSI or the mobile phone number) of the device that is transmitting. The management system then sends the national ID number and the communication subscriber identifier to a telecommunication system, to verify whether the registered holder of that subscriber identifier matches the national ID number, and sends the national ID number and the financial account number to a financial system, to verify whether the account holder matches the national ID number.

The mobile phone financial certificate management system then evaluates the authentication results returned by the telecommunication system and the financial system. If both results are successful, the management system generates a unique certificate application number that serves as the serial number identifying this application, and records the certificate application number, the communication subscriber identifier, the national ID number, the financial account number, and the user data required for the financial certificate application together in its database.

The mobile phone financial certificate management system then sends the certificate application number and the authentication result to the originating mobile communication device and, at the same time, sends the certificate application number and the communication subscriber identifier to a financial certificate registration center to be recorded. This notifies the registration center that a mobile communication device holding that certificate application number has passed the management system's verification of telecommunication data and financial data, and the registration center then takes over the certificate application procedure for this mobile subscriber.

After the mobile communication device receives the certificate application number and the authentication result returned by the mobile phone financial certificate management system, it randomly generates a PKI key pair and combines the public key of that pair with the previously stored national ID number, financial account number, and user data required for the financial certificate application into a certificate application file. Using the certificate application number or the device's communication subscriber identifier as the key, it applies a one-way hash function to the certificate application file to produce a message authentication code. It then transmits the financial certificate registration data (comprising the certificate application number or the device's communication subscriber identifier, the certificate application file, and the message authentication code) to a financial certificate registration center to carry out the financial certificate registration procedure.

When the financial certificate registration center receives the financial certificate registration data sent by the mobile communication device and verifies the correctness of the message authentication code, it either (1) uses the transmitted certificate application number to look up, among the records registered in the mobile phone financial certificate management system database, the communication subscriber identifier corresponding to that application number, and uses that identifier as the key; or (2) uses the transmitted communication subscriber identifier to look up the corresponding certificate application number, and uses that number as the key.

Once the registration center has looked up the key, it applies the same one-way hash function as the mobile communication device to the certificate application file to produce another message authentication code, and compares it with the message authentication code sent by the mobile communication device. If the two codes match, the certificate application file received by the registration center has not been tampered with or forged by a third party. The registration center then sends the financial account number and national ID number from the financial certificate registration data to a financial system for verification and authorization. Only after it receives the verification and authorization result returned by the financial system does the registration center forward the certificate application file to a financial certificate management center for certificate issuance, and it then forwards the certificate file issued by the management center to the mobile communication device.

Please refer to the following detailed description and drawings of the invention for a further understanding of the techniques the invention employs to achieve its intended objects and of their effects. The drawings attached to this specification are provided for reference and explanation only and are not intended to limit the invention.

Referring to Figures 1, 2, and 5, which are the system architecture diagram, the module diagram, and an operation flowchart of the system of the invention for applying for a financial certificate using a mobile communication device, the mobile communication device 1 comprises at least a mobile communication module 11, a subscriber identity module 12, and a certificate management module 13. The mobile communication module 11 is a mobile device with mobile network connectivity that serves as the carrier for receiving user input, performing computation, and transmitting data, and it has an interface for holding a subscriber identity module 12. The subscriber identity module 12 (Subscriber Identity Module, i.e. the SIM card) stores at least one unique International Mobile Subscriber Identity (IMSI). The telecommunication company uses this identifier to identify a device accessing its communication network and provides communication service to the accessing device once identification succeeds; the company can also use the IMSI to determine the subscriber who applied for the accessing device (including the subscriber identity module) and to bill that subscriber for communication charges.

The certificate management module 13 operates as shown in the flow of Figure 5. In step S501 it obtains, through the mobile communication module 11, the externally entered (user-entered) financial certificate application data, which comprises at least identity data (such as the national ID number), a set of financial data (such as a financial account number or e-wallet account number), and basic user data (such as name, contact telephone number, and place of household registration). In step S502 it uses the mobile network connectivity of the mobile communication module 11 to transmit the application data to a mobile phone financial certificate management system for data authentication. In step S503 it receives the identity authentication result returned by the mobile phone financial certificate management system and the unique certificate application number for this application. In step S504 the certificate management module 13 generates a random PKI key pair. In step S505 the certificate management module 13 can, according to the security level required for financial transactions, provide several levels of encryption for protecting the stored PKI key pair: for example, using a PIN separately entered by the user as the encryption key, so that the certificate can be used only by a specific user; or using the combination of the separately entered PIN and the IMSI as the encryption key, so that the certificate can be used only by a specific user on a mobile communication device fitted with the designated SIM card; or using the combination of the separately entered PIN and the International Mobile Equipment Identity of the mobile communication device as the encryption key, so that the certificate can be used only by a specific user on a specific mobile communication device; or using some combination of the separately entered PIN, the certificate application number obtained in the earlier response, the IMSI, the SIM card number, or the IMEI as the encryption key.

In step S506 the certificate management module 13 produces a set comprising a certificate application file and its message authentication code (Message Authentication Code, MAC). The certificate application file consists of the financial data and identity data that were previously authenticated and the public key of the PKI key pair generated above. The message authentication code is computed over the certificate application file with an algorithm and an encryption key, where the algorithm may be sha1, md5, DES, 3DES, or a similar algorithm, and the encryption key may be the certificate application number, the IMSI, or the like. If the certificate application number is used as the encryption key, step S507 uses the mobile network connectivity of the mobile communication module 11 to transmit the IMSI, the previously produced certificate application file, and its message authentication code to a financial certificate registration center for financial certificate registration. If the IMSI is used as the encryption key, step S507 uses the mobile network connectivity of the mobile communication module 11 to transmit the certificate application number, the previously produced certificate application file, and its message authentication code to a financial certificate registration center for financial certificate registration. Finally, step S508 receives the certificate file provided by the registration center and installs it. In addition, the PIN described in step S505 may instead be obtained from user input at step S501, and step S504 may be performed earlier, during steps S501 to S503.
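The binding levels of step S505 can be sketched as a key derivation, given here as an added example that is not code from the patent. PBKDF2-HMAC-SHA256, the binding names, the key-check value, and all sample identifiers are assumptions of the example; the patent only says which values are combined into the encryption key.

```python
import hashlib
import hmac
import os

# Which device/SIM identifiers are mixed into the key for each S505 level.
# The binding names are this example's own labels.
BINDINGS = {
    "pin": (),                                   # specific user only
    "pin+imsi": ("imsi",),                       # specific user + designated SIM
    "pin+imei": ("imei",),                       # specific user + specific handset
    "pin+application_no+imsi+imei": ("application_no", "imsi", "imei"),
}


def derive_kek(pin, binding, factors, salt, iterations=200_000):
    """Derive a 32-byte key-encryption key from the PIN and the bound factors.

    The PIN is the only secret input; IMSI and IMEI are identifiers that tie
    the key to a SIM or handset. A slow KDF is used because a PIN is short.
    """
    parts = [binding.encode(), pin.encode()]
    parts += [factors[name].encode() for name in BINDINGS[binding]]
    # Length-prefix every part so that ("12", "345") and ("123", "45") differ.
    material = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def seal(pin, binding, factors):
    """Create the stored record: binding level, salt, and a key-check value.

    In a real client the derived key would also encrypt the private key with
    an authenticated cipher from a vetted library; that step is left out here.
    """
    salt = os.urandom(16)
    kek = derive_kek(pin, binding, factors, salt)
    check = hmac.new(kek, b"key-check", hashlib.sha256).digest()
    return {"binding": binding, "salt": salt, "check": check}


def unlock(pin, factors, sealed):
    """Re-derive the key from the current PIN, SIM and handset values.

    Returns the key if it matches the stored key-check value, else None.
    """
    kek = derive_kek(pin, sealed["binding"], factors, sealed["salt"])
    expected = hmac.new(kek, b"key-check", hashlib.sha256).digest()
    return kek if hmac.compare_digest(expected, sealed["check"]) else None


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    phone = {"imsi": "466920000000001", "imei": "490154203237518",
             "application_no": "APP-0001"}
    record = seal("2468", "pin+imsi", phone)
    other_sim = dict(phone, imsi="466920000000002")
    print("same SIM, right PIN :", unlock("2468", phone, record) is not None)
    print("same SIM, wrong PIN :", unlock("1357", phone, record) is not None)
    print("other SIM, right PIN:", unlock("2468", other_sim, record) is not None)
```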

Referring to Figure 6, which shows another embodiment of the certificate management module 13 of the mobile communication device of the invention: in step S601 the module obtains, through the mobile communication module 11, the externally entered (user-entered) financial certificate application data, which comprises at least identity data (such as the national ID number), a set of financial data (such as a financial account number), and basic user data (such as name, contact telephone number, and place of household registration). In step S602 it uses the mobile network connectivity of the mobile communication module 11 to transmit the application data to a mobile phone financial certificate management system for data authentication. In step S603 it receives the identity authentication result returned by the mobile phone financial certificate management system and the unique certificate application number for this application. In step S604 it receives a one-time password (One Time Password, OTP) sent by SMS from a financial certificate registration center. In step S605 the certificate management module 13 generates a random PKI key pair. In step S606 the certificate management module 13 can, according to the security level required for financial transactions, provide several levels of encryption for protecting the stored PKI key pair: for example, using a PIN separately entered by the user as the encryption key, so that the certificate can be used only by a specific user; or using the combination of the separately entered PIN and the IMSI as the encryption key, so that the certificate can be used only by a specific user on a mobile communication device fitted with the designated SIM card; or using the combination of the separately entered PIN and the International Mobile Equipment Identity of the mobile communication device as the encryption key, so that the certificate can be used only by a specific user on a specific mobile communication device; or using some combination of the separately entered PIN, the certificate application number obtained in the earlier response, the IMSI, the SIM card number, or the IMEI as the encryption key.

In step S607 the certificate management module 13 produces a set comprising a certificate application file and its message authentication code. The certificate application file consists of the financial data and identity data that were previously authenticated and the public key of the PKI key pair generated above. The message authentication code is computed over the certificate application file with an algorithm, using the one-time password obtained in the earlier step as the encryption key, where the algorithm may be sha1, md5, DES, 3DES, or a similar algorithm. Step S608 uses the mobile network connectivity of the mobile communication module 11 to transmit the certificate application number, the previously produced certificate application file, and its message authentication code to the financial certificate registration center for financial certificate registration. Finally, step S609 receives the certificate file provided by the registration center and installs it. In addition, the PIN described in step S606 may instead be obtained from user input at step S601, and step S605 may be performed earlier, during steps S601 to S603.
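The message authentication code exchange of steps S506 to S507 and S607 to S608, together with the registration center's check described in the summary, is sketched below as an added example that is not code from the patent. HMAC-SHA-256 stands in for the sha1/md5/DES/3DES options the text names; the message fields `key_type` and `sent_id`, the JSON encoding, and all sample values are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets


def build_application_file(national_id, account, public_key):
    """Canonical bytes of the certificate application file (S506 / S607)."""
    record = {"national_id": national_id, "account": account,
              "public_key": public_key}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(key, application_file):
    """Keyed hash over the application file (HMAC-SHA-256 in this example)."""
    return hmac.new(key.encode(), application_file, hashlib.sha256).hexdigest()


def device_registration(application_file, key_type, application_no, imsi,
                        otp=None):
    """Device side: key the MAC with one value and transmit the other.

    key_type "application_no" sends the IMSI, "imsi" sends the application
    number (S507); "otp" keys with the SMS one-time password and sends the
    application number (S608).
    """
    if key_type == "application_no":
        key, sent_id = application_no, ("imsi", imsi)
    elif key_type == "imsi":
        key, sent_id = imsi, ("application_no", application_no)
    elif key_type == "otp" and otp is not None:
        key, sent_id = otp, ("application_no", application_no)
    else:
        raise ValueError("unsupported key_type")
    return {"key_type": key_type, "sent_id": sent_id,
            "file": application_file,
            "mac": compute_mac(key, application_file)}


class RegistrationCenter:
    """Registration center side: look up the key, recompute, compare."""

    def __init__(self):
        self.imsi_by_app_no = {}
        self.app_no_by_imsi = {}
        self.otp_by_app_no = {}

    def note(self, application_no, imsi):
        """Record synchronized from the certificate management system."""
        self.imsi_by_app_no[application_no] = imsi
        self.app_no_by_imsi[imsi] = application_no

    def issue_otp(self, application_no):
        """Generate the one-time password that would be sent by SMS (S604)."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otp_by_app_no[application_no] = otp
        return otp

    def _lookup_key(self, msg):
        key_type, (id_type, ident) = msg["key_type"], msg["sent_id"]
        if key_type == "application_no" and id_type == "imsi":
            return self.app_no_by_imsi.get(ident)
        if key_type == "imsi" and id_type == "application_no":
            return self.imsi_by_app_no.get(ident)
        if key_type == "otp" and id_type == "application_no":
            # Single use: the password is discarded on the first attempt.
            return self.otp_by_app_no.pop(ident, None)
        return None

    def verify(self, msg):
        """True only if the recomputed MAC matches the one received."""
        key = self._lookup_key(msg)
        if key is None:
            return False
        expected = compute_mac(key, msg["file"])
        return hmac.compare_digest(expected, msg["mac"])


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    app_no, imsi = "APP-0001", "466920000000001"
    center = RegistrationCenter()
    center.note(app_no, imsi)
    csr = build_application_file("A123456789", "0123456789", "PUBKEY-PLACEHOLDER")
    msg = device_registration(csr, "application_no", app_no, imsi)
    print("untouched file accepted:", center.verify(msg))
    forged = dict(msg, file=build_application_file(
        "A123456789", "0123456789", "OTHER-PUBKEY"))
    print("swapped public key accepted:", center.verify(forged))
```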

Referring to Figure 3, which is the architecture diagram of the mobile phone financial certificate management module of the system of the invention for applying for a financial certificate using a mobile communication device: it is a financial certificate management system comprising at least a financial certificate application module 21, an identity authentication module 22, and a certificate registration center gateway module 23.

The financial certificate application module 21 receives the financial certificate application data sent by the mobile communication device 1 over a mobile communication network: identity data (such as the national ID number), financial data (such as a financial account number or e-wallet account number), and basic user data (such as name, contact telephone number, and place of household registration). From the mobile communication network provider to which the source network of the mobile communication device 1 belongs, it obtains the communication subscriber identifier of the mobile communication device 1, which may be the IMSI, the mobile phone number, an IMSI substitute code obtained by transforming the IMSI with a formula, or a phone number substitute code obtained by transforming the mobile phone number with a formula. The financial certificate application module 21 then sends the financial certificate application data and the communication subscriber identifier to the identity authentication module 22. After receiving the authentication result returned by module 22, it evaluates the result: if authentication failed, the result is returned directly to the originating mobile communication device 1; if authentication succeeded, a unique certificate application number is assigned to the financial certificate application data, and the certificate application number and the authentication result are returned to the mobile communication device 1 that was the source of the data. At the same time, the financial certificate application module 21 provides the certificate application number and the communication subscriber identifier to the certificate registration center gateway module 23 for data synchronization. Finally, after receiving the certificate application number and the certificate registration result returned by the certificate registration center gateway module 23, it enables, according to the registration result, the user certificate service functions corresponding to that certificate application number, completing this certificate application procedure.

The identity authentication module 22 receives the financial certificate application data and the communication subscriber identifier sent by the financial certificate application module 21. It then sends the identity data and financial data from the application data to the financial system 5 for authentication, and sends the identity data from the application data and the communication subscriber identifier to the telecommunication system 4 for authentication. It receives and evaluates the authentication result of the telecommunication system and the authentication result of the financial system: if both results are successful, it returns a successful authentication result to the financial certificate application module 21; otherwise it returns a failed authentication result to the financial certificate application module 21.

The certificate registration center gateway module 23 sends the certificate application number and the communication subscriber identifier to the financial certificate registration center 6 to be recorded, receives the certificate application number and certificate registration result returned by the registration center 6, and passes them back to the financial certificate application module 21. In addition, the communication subscriber identifier that module 23 sends to the financial certificate registration center 6 may be replaced by an identification substitute code produced by transforming the communication subscriber identifier with an algorithm, or by an identification substitute code with a limited validity period produced by applying an algorithm to the communication subscriber identifier and this system's system time.

Please refer to FIG. 7, the system flowchart of the present invention for applying for a financial certificate using a mobile communication device. In step S701, the system receives the financial certificate application data transmitted by a mobile communication device on a mobile communication network: identity identification data (such as an ID card number), financial data (such as a financial account or e-wallet account), and basic user data (such as name, ID card number, contact telephone number and place of household registration). In step S702, the system obtains, from the mobile communication network provider of that mobile communication network, the communication user identification code of the mobile communication device from which the application data originated. In step S703, the system transmits the identity identification data and the communication user identification code to a telecommunication system for authentication, and transmits the user identity identification data and the financial data to a financial system for authentication. In step S704, the system receives the authentication results of the telecommunication system and of the financial system. In step S705, the authentication results are evaluated: if either the telecommunication system or the financial system reports a failed authentication, this financial certificate application is terminated; if both report success, step S706 records the identity identification data, communication identity identification code, financial data and basic user data of this financial certificate application and generates a unique certificate application number. Step S707 then returns the certificate application number and the authentication result to the originating mobile communication device. At the same time, in step S708, the system synchronizes data with a financial certificate registration center to provide it with the certificate application number and the communication identity identification code, and in step S709 it receives the certificate application number and the certificate registration result returned by the financial certificate registration center. In step S710, if the returned certificate registration result is successful, the certificate service or function corresponding to the certificate application number is enabled. Finally, step S711 completes the financial certificate application procedure.

Please refer to FIG. 4, the module architecture diagram of the financial certificate registration center in the system of the present invention for applying for a financial certificate using a mobile communication device. One embodiment of the registration center is as follows. A financial certificate registration center 6 (the registration center referred to above) receives the certificate application number and the communication user identification code provided by a mobile phone financial certificate management system 2 and uses them to identify this financial certificate application. The communication user identification code may be an IMSI, or an IMSI substitute code obtained by converting the IMSI with a formula. When the registration center 6 receives the result of a successful certificate issuance returned by a financial certificate management center 7, it transmits the certificate application number and the certificate registration result back to the originating mobile phone financial certificate management system 3.

When the registration center 6 receives from a mobile communication device 1 a certificate application number, a certificate application file (containing financial data, basic user data, and the public key of a PKI key pair) and a message authentication code, it looks up, in the data provided by the mobile phone financial certificate management system 3, the communication user identification code that corresponds to the certificate application number sent by the mobile communication device, and uses that communication user identification code as the encryption key. Alternatively, when the registration center 6 receives from a mobile communication device 1 an IMSI (or IMSI substitute code), a certificate application file (containing financial data, basic user data, and the public key of a PKI key pair) and a message authentication code, it looks up, in the data provided by the mobile phone financial certificate management system 3, the certificate application number that corresponds to the IMSI (or IMSI substitute code) sent by the mobile communication device, and uses that certificate application number as the encryption key. Having obtained the encryption key, it computes a second message authentication code over the certificate application file with an algorithm and checks whether it is identical to the message authentication code sent by the originating mobile communication device 1. The algorithm may be sha1, md5, DES, 3DES or a similar algorithm. In addition, when the registration center 6 receives the result of a successful certificate issuance returned by a financial certificate management center 7, it transmits a certificate application number and the certificate registration result back to the originating mobile communication device 1.

The registration center 6 also interfaces with a financial system 5. Once the registration center 6 has successfully matched the message authentication code of the mobile communication device 1, it transmits the financial data and basic user data from the certificate application file to the financial system 5 to confirm whether the financial data and the basic user data belong to the same user account, and receives the verification result from the financial system 5. The registration center 6 also interfaces with a financial certificate management center 6. Once the registration center 6 receives from a financial system 5 the result that the financial data was verified successfully, the registration center 6 transmits the certificate application file it received from the mobile communication device 1 to a financial certificate management center 7 for certificate registration, and receives the certificate file returned by the management center 7.

To improve the security of the financial certificate application, another embodiment of the financial certificate registration center of the above invention is provided. In this embodiment the interfaces between the financial certificate registration center 6 and the mobile phone financial certificate management system 3, the financial system 5 and the financial certificate management center 7 are the same as in the previous embodiment. The difference lies in the interface between the registration center 6 and the mobile communication device 1. First, after the registration center 6 receives the certificate application number and the communication user identification code provided by the mobile phone financial certificate management system 3 (in this embodiment the communication user identification code can only be a mobile phone number), it sends a one-time password directly to the mobile communication device 1 by SMS, and the mobile communication device 1 uses that one-time password as the encryption key for the message authentication code. Next, the certificate application number, the certificate application file (containing financial data, basic user data, and the public key of a PKI key pair) and the message authentication code computed with the previously obtained one-time password as the key are transmitted together from the mobile communication device 1 to the registration center 6. On receipt, the registration center 6 uses the certificate application number to look up the one-time password it originally sent by SMS, uses it as the encryption key, computes a second message authentication code over the certificate application file with an algorithm, and compares it with the message authentication code sent by the originating mobile communication device 1. The algorithm may be sha1, md5, DES, 3DES or a similar algorithm.

Please refer to FIG. 1. The certificate application system includes a mobile communication device 1, a mobile phone financial certificate management system 3, a mobile communication network provider 3, a telecommunication system 4, a financial system 5, a financial certificate registration center 6, and a financial certificate registration center 7. The interfaces between the systems are described below. The mobile communication device 1 is a mobile communication device that has a subscriber identity module (that is, a SIM card) and a certificate management function. Its interfaces with the other systems and centers are as follows: (1) it receives the financial certificate application data entered by the user: identity identification data, financial data, basic user data and so on; (2) it transmits the application data over the mobile communication network 8 and the Internet 9 to a mobile phone financial certificate management system 2, and receives the certificate application number and the authentication result returned by the certificate management system 2; (3) after generating a PKI key pair, it generates a certificate application file containing the financial data, the basic user data and the public key of the PKI key pair, and uses an encryption key to produce the unique message authentication code of that certificate application file; (4) it transmits the certificate application number, the certificate application file and its message authentication code to a financial certificate registration center 6 for certificate registration, and receives the certificate registration result and the certificate file from the registration center 6.

The interfaces between the mobile phone financial certificate management system 2 and the other systems, centers and devices are as follows: (1) it accepts the financial certificate application data that a mobile communication device 1 transmits over the mobile communication network 8 and the Internet 9, and returns the certificate application number and the authentication result for that certificate application; (2) it obtains the communication user identification code for that application request from the mobile communication network provider 3 of the mobile communication network 8; (3) it transmits the financial certificate application data (financial data and basic user data) to a financial system 5 for authentication, and receives the authentication result of the financial system 5; (4) it transmits the communication user identification code to a telecommunication system 4 for authentication, and receives the authentication result of the telecommunication system 4; (5) it provides a financial certificate registration center 6 with the certificate application number and the communication user identification code of that certificate application request, and receives the certificate application number and the certificate registration result transmitted by the registration center 6.

The mobile communication network provider 3 is the telecommunications operator that issued the SIM card of the mobile communication device 1. Its role is to give the mobile phone financial certificate management system 3 the communication user identification code of the mobile communication device 1 that sent the financial certificate application request over its mobile communication network 8.

The telecommunication system 4 accepts data authentication requests from a mobile phone financial certificate management system 2, consisting of financial certificate application data (identity identification data) and a communication user identification code, checks them against the identity of the telecommunication subscriber, and returns the authentication result.

The interfaces between the financial system 5 and the mobile phone financial certificate management system 2 and the financial certificate registration center 6 are as follows: (1) it receives data authentication requests from a mobile phone financial certificate management system 2, consisting of financial certificate application data (identity identification data and financial data), checks them against the identity of the financial user, and returns the authentication result; (2) it receives data verification requests for a certificate application file from a financial certificate registration center 6, verifies the financial data, and returns the verification result.

The interfaces between the financial certificate registration center 6 and the other systems, centers and devices are as follows: (1) it receives the certificate application number and the communication user identification code from a mobile phone financial certificate management system 2, and replies to the mobile phone financial certificate management system 2 with the certificate application number and the certificate registration result, which notifies the management system 2 to activate the certificate service; (2) it accepts the certificate application number, certificate application file and message authentication code transmitted by a mobile communication device 1, verifies that the message authentication code is correct in order to complete the certificate registration acceptance procedure, and transmits a certificate file and the certificate registration result to the mobile communication device 1; (3) it transmits the certificate application file to a financial system 5 for financial data verification and receives the verification result; (4) it transmits the certificate application file to a financial certificate management center 7, requesting that the management center 7 issue a certificate file and return it.

The financial certificate management center 7 accepts the certificate application file from the financial certificate registration center 6, issues a certificate file for that certificate application file, and returns the certificate file.

Another embodiment, embodiment B, of the above system for applying for a financial certificate on a mobile communication device differs from the embodiment above as follows. After the registration center 6 receives the certificate application number and the communication user identification code provided by the mobile phone financial certificate management system 2 (here the communication user identification code can only be a mobile phone number), the registration center 6 itself sends a one-time password to the mobile communication device 1 by SMS. The mobile communication device 1 then uses the one-time password as the encryption key to generate the message authentication code, and only then transmits the certificate application number, the certificate application file and its message authentication code to a financial certificate registration center 6 for certificate registration. In this embodiment the registration center 6 delivers the encryption key to the mobile communication device 1 on its own, which avoids the risk that the certificate application number or other data provided by the mobile phone financial certificate management system 2 is leaked and the certificate application file is misused by an unauthorized party.

Another invention of this specification is a method for applying for a financial certificate using a mobile communication device. Its steps are described as follows:

Step 1: A mobile communication device accepts the financial certificate application data entered by the user and records it. The application data includes at least identity identification data (such as an ID card number), financial data (such as a financial account number), and basic user data (such as the applicant's name, contact telephone number and address).

Step 2: The mobile communication device transmits the financial certificate application data over a mobile communication network to a mobile phone financial certificate management system. After receiving the financial certificate application data from the mobile communication device, the mobile phone financial certificate management system can obtain, from the network provider of that mobile communication network, the communication user identification code of the connected mobile communication device (this identification code may be an IMSI or a mobile phone number).

Step 3: The mobile phone financial certificate management system transmits the communication user identification code and the identity identification data from the financial certificate application data to a telecommunication system and requests that the telecommunication system check its subscriber records to confirm whether the subscriber to whom the communication user identification code belongs matches the identity identification data. At the same time, the mobile phone financial certificate management system transmits the identity identification data and the financial data from the financial certificate application data to a financial system and requests that the financial system check its account holder records to confirm whether the holder of the financial account matches the identity identification data. After the telecommunication system and the financial system return their authentication results, the mobile phone financial certificate management system evaluates the two results: if both are successful, it generates a unique certificate application number and stores the certificate application number, the financial certificate application data and the communication user identification code in a database.

Step 4: The mobile phone financial certificate management system returns the certificate application number and the authentication result to the originating mobile communication device. At the same time, it either transmits the certificate application number and the communication user identification code to the financial certificate registration center, or accepts queries from a financial certificate registration center for the certificate application number and communication user identification code data.

Step 5: After receiving the certificate application number and the authentication result returned by the mobile phone financial certificate management system, the mobile communication device randomly generates a PKI key pair. Using the IMSI of the mobile communication device as the key of the message authentication code, it computes a message authentication code with a one-way hash algorithm over a certificate application file that contains the financial account number, the basic user data and the public key of the PKI key pair.

Step 6: The mobile communication device transmits the certificate application number, the certificate application file and the message authentication code to a financial certificate registration center to apply for the certificate. After receiving this data, the financial certificate registration center uses the certificate application number as the query condition and looks up the corresponding communication user identification code, either in the certificate application number and communication user identification code data previously obtained from the mobile phone financial certificate management system, or by querying the originating mobile phone financial certificate management system directly. With the communication user identification code as the key, it computes a message authentication code over the certificate application file with the same one-way hash algorithm and compares it with the message authentication code sent by the mobile communication device. If the two message authentication codes are identical, the certificate application file is complete and has not been tampered with, and the center proceeds to verify the certificate content.

Step 7: Based on the financial account number in the certificate application file, the financial certificate registration center transmits the financial account number and the basic user data to a financial system for data verification. The financial system that receives the data verifies whether the account holder name of the financial account is the same person as in the basic user data. If so, the financial system records that the user has applied to use this financial account as the certificate transaction account, and returns the data verification result to the financial certificate registration center.

Step 8: After receiving the successful authentication result returned by the financial system, the financial certificate registration center forwards the certificate application file to a financial certificate management center and asks the management center to issue a financial certificate.

Step 9: After receiving the certificate application file, the financial certificate management center records the application file, issues a certificate file, and returns the certificate file to the financial certificate registration center, which provides it to the mobile communication device.

The communication user identification code described in steps 4 and 6 above may be an International Mobile Subscriber Identity (IMSI) or a mobile phone number. It may instead be replaced by an identification substitute code obtained by converting the communication user identification code with an algorithm, or by an identification substitute code with a validity period generated by an algorithm from the communication user identification code and the system time of the certificate application module 21.

In the method embodiment above for applying for a financial certificate using a mobile communication device, to protect the PKI keys and the financial certificate application data, the method may let the user choose a protection mechanism at step 1 or step 5 to set the access rights to the data. That is, the mobile communication device stores the data encrypted with a PIN entered by the user; or encrypted with the user-entered PIN combined with the IMSI of the mobile communication device (restricting the certificate to that SIM card); or encrypted with the user-entered PIN combined with the IMEI of the mobile communication device (restricting the certificate to that handset); or encrypted with the user-entered PIN combined with both the IMSI and the IMEI of the mobile communication device (restricting the certificate to that SIM card and handset). This effectively reduces the risk of the certificate being stolen and misused.

Another embodiment of the above method for applying for a financial certificate using a mobile communication device differs in that the financial certificate registration center authenticates the mobile communication device independently. In step 4 above, after the financial certificate registration center receives the certificate application number and the communication user identification code provided by the mobile phone financial certificate management system (in this embodiment the communication user identification code can only be a mobile phone number), it randomly assigns a one-time password to that certificate application number and communication user identification code and sends the one-time password by SMS to the mobile communication device to which the communication user identification code (that is, the mobile phone number) belongs. In step 5, the mobile communication device asks the user to enter the one-time password, which is used as the key of the message authentication code. Finally, in step 6, the financial certificate registration center uses the certificate application number sent by the mobile communication device to look up the assigned one-time password and uses that one-time password to verify whether the message authentication code is correct.
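The message authentication code exchange of steps 5 and 6, together with the one-time password embodiment above, as an added Python example that is not part of the patent text. It uses HMAC-SHA-256 as the keyed one-way hash, a substitution for the sha1, md5, DES and 3DES options the text lists; the JSON file layout, the class and function names, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def build_request_file(account: str, user_info: dict, public_key_pem: str) -> bytes:
    """Certificate application file: financial data, user data and the public key.

    The canonical JSON layout is an assumption; the page does not define a format.
    """
    doc = {"financial_account": account, "user_info": user_info,
           "public_key": public_key_pem}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_mac(key: str, request_file: bytes) -> str:
    """Keyed one-way hash over the whole file (HMAC-SHA-256 substituted here)."""
    return hmac.new(key.encode("utf-8"), request_file, hashlib.sha256).hexdigest()


class RegistrationCenter:
    """Hypothetical model of the registration center's MAC check (step 6)."""

    def __init__(self) -> None:
        self._subscriber_ids = {}  # application number -> communication user identifier
        self._otps = {}            # application number -> pending one-time password

    def sync(self, application_no: str, subscriber_id: str) -> None:
        """Step 4: record the pair supplied by the management system."""
        self._subscriber_ids[application_no] = subscriber_id

    def issue_otp(self, application_no: str) -> str:
        """Other embodiment: random one-time password for a synchronised application.

        The return value stands in for the SMS sent to the phone number.
        """
        if application_no not in self._subscriber_ids:
            raise KeyError("unknown application number")
        otp = f"{secrets.randbelow(10**8):08d}"
        self._otps[application_no] = otp
        return otp

    def verify(self, application_no: str, request_file: bytes, mac: str,
               use_otp: bool = False) -> bool:
        """Look up the key by application number, recompute the MAC and compare."""
        if use_otp:
            # Assumption: the password is consumed on first use, pass or fail.
            key = self._otps.pop(application_no, None)
        else:
            key = self._subscriber_ids.get(application_no)
        if key is None:
            return False
        expected = compute_mac(key, request_file)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode("ascii"),
                                   mac.encode("utf-8", "replace"))


def run_demo() -> dict:
    """Exercise both embodiments with constructed sample data."""
    imsi = "466920000000001"          # constructed sample IMSI
    app_no = "APP-0001"               # constructed application number
    pub = "-----BEGIN PUBLIC KEY-----\n(placeholder)\n-----END PUBLIC KEY-----"
    user = {"name": "Sample User", "phone": "0900000000"}

    rc = RegistrationCenter()
    rc.sync(app_no, imsi)

    request = build_request_file("ACCT-12345", user, pub)
    mac = compute_mac(imsi, request)
    results = {"valid": rc.verify(app_no, request, mac)}

    # Same MAC, but the public key in the file was swapped in transit.
    forged = build_request_file("ACCT-12345", user,
                                pub.replace("placeholder", "other key"))
    results["tampered_file"] = rc.verify(app_no, forged, mac)

    # MAC computed with a different subscriber's identifier.
    results["wrong_key"] = rc.verify(app_no, request,
                                     compute_mac("466920000000002", request))
    results["unknown_application"] = rc.verify("APP-9999", request, mac)

    # One-time-password embodiment: the SMS code replaces the identifier as key.
    otp = rc.issue_otp(app_no)
    otp_mac = compute_mac(otp, request)
    results["otp_first_use"] = rc.verify(app_no, request, otp_mac, use_otp=True)
    results["otp_replay"] = rc.verify(app_no, request, otp_mac, use_otp=True)
    return results


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

In the first embodiment the key is an identifier that the operator and the management system also hold, so the check binds the file to the application only against parties who do not know that identifier. The one-time password embodiment moves the key to a channel the registration center controls itself.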

The detailed description above is a specific description of one feasible embodiment of the present invention. This embodiment is not intended to limit the patent scope of the present invention; any equivalent implementation or modification that does not depart from the technical spirit of the present invention shall be included in the patent scope of this case.

In summary, this case is not only genuinely innovative in its technical concept but also provides the several effects described above that conventional methods cannot achieve. It fully satisfies the statutory requirements of novelty and inventive step for an invention patent, and the application is filed in accordance with the law. We respectfully request that your office approve this invention patent application, to encourage invention.

1‧‧‧Mobile communication device

11‧‧‧Mobile communication module

12‧‧‧Subscriber identity module

13‧‧‧Certificate management module

2‧‧‧Mobile phone financial certificate management system

21‧‧‧Financial certificate application module

22‧‧‧Identity authentication module

23‧‧‧Certificate registration center gateway module

3‧‧‧Mobile communication network provider

4‧‧‧Telecommunication system

5‧‧‧Financial system

6‧‧‧Financial certificate registration center

7‧‧‧Financial certificate management center

8‧‧‧Mobile communication network

9‧‧‧Internet

S501~S508‧‧‧Mobile communication device operation flow steps

S601~S609‧‧‧Mobile communication device operation flow steps

S701~S711‧‧‧Mobile phone financial certificate system flow steps

Please refer to the detailed description of the present invention and its accompanying drawings for a further understanding of the technical content of the invention and its purposes and effects. The drawings are:

FIG. 1 is a system architecture diagram of the system of the present invention for applying for a financial certificate using a mobile communication device.

FIG. 2 is a system module diagram of the system of the present invention for applying for a financial certificate using a mobile communication device.

FIG. 3 is an architecture diagram of the mobile financial certificate management module of the system of the present invention for applying for a financial certificate using a mobile communication device.

FIG. 4 is a module architecture diagram of the financial certificate registration center of the system of the present invention for applying for a financial certificate using a mobile communication device.

FIG. 5 is the first operation flowchart of the system of the present invention for applying for a financial certificate using a mobile communication device.

FIG. 6 is the second operation flowchart of the system of the present invention for applying for a financial certificate using a mobile communication device.

FIG. 7 is a system flowchart of the present invention for applying for a financial certificate using a mobile communication device.


Claims (46)

A system for applying for a financial certificate using a mobile communication device, wherein the mobile device comprises: a mobile communication module, which is a mobile device with mobile communication network connectivity; a user identity module, which is the user identity module through which a telecommunications company provides communication service, the user identity module storing at least one communication user identification code and being placed in a slot of the mobile communication module; and a certificate management module installed in the operating system of the mobile communication module, which takes the financial certificate application data that the mobile communication module receives from outside, the data comprising identity identification data, financial data, and basic user data, and transmits it through the mobile communication networking function of the mobile communication module to a mobile financial certificate management system for data verification; then receives the verification result message returned by the mobile financial certificate management system, which carries a unique certificate application number; then uses a user personal identification number, received from outside by the mobile communication module, as the certificate usage password to encrypt a randomly generated digital certificate application key pair, so as to generate a certificate application file, and computes a message authentication code of that certificate application file; the module transmits the certificate application file and its message authentication code to the financial certificate registration center for verification, and receives and installs the certificate file from that center.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein the communication user identification code of the user identity module is an international mobile subscriber identity or a mobile phone number.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein the identity identification data that the mobile communication module receives from outside is a personal identity card number.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein the financial data that the mobile communication module receives from outside is a personal financial account number or an electronic wallet account number.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein the basic user data that the mobile communication module receives from outside must meet the basic data requirements of a financial certificate application.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein the certificate application file transmitted by the certificate management module comprises at least financial data, basic user data, and the public key of a digital certificate application key pair.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein, according to financial transaction security requirements, the certificate management module uses as the certificate usage password: the user personal identification number and the certificate application number; the user personal identification number and the communication user identification code of the user identity module; the user personal identification number and the card number of the user identity module; the user personal identification number and the international mobile equipment identity of the mobile communication module; or a permutation or combination of the user personal identification number, the certificate application number, the international mobile subscriber identity of the user identity module, the card number of the user identity module, and the international mobile equipment identity of the mobile communication module, so as to improve the security of certificate use.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein the mobile communication module is a mobile communication module having a near-field communication chip module, and the certificate management module uses the combination of the user personal identification number and the unique identification code in the near-field communication chip module as the certificate usage password, so as to improve the security of certificate use.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein the key with which the certificate management module generates the message authentication code is the certificate application number returned by the mobile financial certificate management system.

The system for applying for a financial certificate using a mobile communication device according to claim 9, wherein the verification data that the certificate management module transmits to the financial certificate registration center comprises the certificate application file, the message authentication code, and the communication user identification code of the user identity module.

The system for applying for a financial certificate using a mobile communication device according to claim 1, wherein, for the key with which the certificate management module generates the message authentication code, the financial certificate registration center obtains the certificate application number and the communication data of the mobile communication module from the mobile financial certificate management system, and the registration center sends a one-time password to the mobile communication module to serve as the key of the message authentication code.

The system for applying for a financial certificate using a mobile communication device according to claim 10, wherein the communication user identification code of the user identity module is converted by an algorithm into a substitute identification code.

The system for applying for a financial certificate using a mobile communication device according to claim 10, wherein an algorithm computes over the communication user identification code of the user identity module and the system time of the mobile communication module to produce a substitute identification code with a limited verification validity period.

The system for applying for a financial certificate using a mobile communication device according to claim 11, wherein the verification data that the certificate management module transmits to the financial certificate registration center comprises at least a certificate application file, a message authentication code, and the unique certificate application number.

A system for applying for a financial certificate using a mobile communication device, wherein the mobile financial certificate management system comprises: a financial certificate application module, which receives, from a mobile communication device on the mobile communication network, financial certificate application data comprising identity identification data, financial data, and basic user data; obtains, from the mobile communication network provider that serves the mobile communication device, the communication user identification code of the originating mobile communication device; transmits the financial certificate application data and the communication user identification code to the identity verification module for identity verification and, after receiving the verification result, transmits a unique certificate application number and the data verification result to the mobile communication device and transmits the certificate application number and the communication user identification code to the certificate registration center gateway module; and receives the certificate application number and its certificate registration result from the certificate registration center gateway module and, according to that registration result, enables the user certificate service function corresponding to the certificate application number; an identity verification module, which, after receiving from the financial certificate application module the financial certificate application data (comprising identity identification data, financial data, and basic user data) and the communication user identification code, transmits the financial certificate application data and the communication user identification code to the telecommunication system and the financial system for authentication, makes a determination based on the authentication results returned by the telecommunication system and the financial system, and returns the authentication result to the financial certificate application module; and a certificate registration center gateway module, which transmits the certificate application number and the communication user identification code to the financial certificate registration center for recording and, after receiving the certificate application number and its certificate registration result returned by the registration center, returns them to the financial certificate application module.

The system for applying for a financial certificate using a mobile communication device according to claim 15, wherein the identity identification data in the financial certificate application data that the financial certificate application module receives from the mobile communication device on the mobile communication network is an identity card number.

The system for applying for a financial certificate using a mobile communication device according to claim 15, wherein the financial data in the financial certificate application data that the financial certificate application module receives from the mobile communication device on the mobile communication network may be a personal financial account number or an electronic wallet account number.

The system for applying for a financial certificate using a mobile communication device according to claim 15, wherein the communication user identification code that the financial certificate application module receives from the mobile communication network provider may be an international mobile subscriber identity or a mobile phone number.

The system for applying for a financial certificate using a mobile communication device according to claim 15, wherein the authentication data that the identity verification module transmits to the telecommunication system is the identity identification data of the financial certificate application data and the communication user identification code.

The system for applying for a financial certificate using a mobile communication device according to claim 15, wherein the authentication data that the identity verification module transmits to the financial system is the identity identification data and the financial data of the financial certificate application data.

A system for applying for a financial certificate using a mobile communication device, the system comprising:

a mobile communication device having the functions of a user identity module and a certificate management module, which (1) uses its mobile communication network connectivity to transmit financial certificate application data comprising at least identity identification data, financial data, and basic user data to a mobile financial certificate management system, and receives the certificate application number and data verification result returned by the mobile financial certificate management system, and (2) uses a user personal identification number as the certificate usage password to encrypt a randomly generated digital certificate application key pair, so as to generate a certificate application file and its message authentication code, then transmits the certificate application number, the certificate application file, and the message authentication code to the financial certificate registration center to apply for the financial certificate, and receives and installs the certificate file provided by the registration center;

a mobile communication network provider, which provides the mobile communication service of the mobile communication device and which, while the mobile communication device transmits the financial certificate application data to the mobile financial certificate management system over the mobile communication network, obtains the communication user identification code of the mobile communication device and provides it to the mobile financial certificate management system;

a mobile financial certificate management system, which (1) receives financial certificate application data transmitted by a mobile communication device over the mobile communication network and receives the communication user identification code of that mobile communication device from the mobile communication network provider, (2) transmits the financial certificate application data and the communication user identification code to a telecommunication system and a financial system respectively for data verification and, after making a determination based on the verification results returned by the two systems, returns a unique certificate application number and the data verification result to the mobile communication device over the mobile communication network and synchronizes data with a financial certificate registration center to provide it with the certificate application number and the communication user identification code, and (3) receives the certificate registration result and the certificate application number from the financial certificate registration center and, according to that registration result, enables the user certificate service function corresponding to the certificate application number;

a telecommunication system, which receives and verifies the telecom identity data, namely the identity identification data of the financial certificate application data and the communication user identification code, transmitted by the mobile financial certificate management system, and returns the verification result;

a financial system, which (1) receives and verifies the financial identity data, namely the identity identification data and the financial data of the financial certificate application data, transmitted by the mobile financial certificate management system, and returns the verification result, and (2) receives the certificate application file transmitted by a financial certificate registration center and returns the certificate application result;

a financial certificate registration center, which (1) receives the certificate application number and communication user identification code provided by the mobile financial certificate management system and, after receiving the certificate application number, certificate application file, and message authentication code transmitted by a mobile communication device, verifies the correctness of the certificate application file and the message authentication code, (2) transmits the financial data and basic user data of the certificate application file to a financial system to verify the account identity of the certificate applicant, decides according to the verification result returned by the financial system whether to transmit the certificate application file to a financial certificate management center, and receives a certificate issuance result and a certificate file from the management center, and (3) according to the certificate issuance result, returns the certificate application number and the certificate registration result to the mobile financial certificate management system and provides the certificate file to the mobile communication device; and

a financial certificate management center, which receives the certificate application file transmitted by the financial certificate registration center, issues a certificate file, and returns the certificate file and a certificate issuance result to the registration center.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the identity identification data transmitted by the mobile communication device is an identity card number.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the financial data transmitted by the mobile communication device is a personal financial account number or an electronic wallet account number.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the communication user identification code provided by the mobile communication network provider is an international mobile subscriber identity or a mobile phone number.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the basic user data that the mobile communication device receives from outside meets the basic data requirements of a financial certificate application.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the certificate application file transmitted by the mobile communication device comprises at least financial data, basic user data, and the public key of a digital certificate application key pair.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the certificate management module of the mobile communication device may, according to financial transaction security requirements, use as the certificate usage password: the user personal identification number and the certificate application number; the user personal identification number and the communication user identification code of the user identity module; the user personal identification number and the card number of the user identity module; or a permutation or combination of the user personal identification number, the certificate application number, the international mobile subscriber identity of the user identity module, the card number of the user identity module, and the international mobile equipment identity of the mobile communication device, so as to improve the security of certificate use.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the mobile communication device is a mobile communication device having a near-field communication chip module, and the mobile communication device uses the combination of the user personal identification number and the unique identification code in the near-field communication chip module as the certificate usage password, so as to improve the security of certificate use.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the key that the mobile communication device uses to generate the message authentication code is the communication user identification code of the mobile communication device.

The system for applying for a financial certificate using a mobile communication device according to claim 29, wherein the registration center uses the certificate application number received from the mobile communication device to look up, in the certificate application number and communication user identification code data provided by the mobile financial certificate management system, the communication user identification code corresponding to that certificate application number, and uses it as the key to verify the correctness of the message authentication code.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the key that the mobile communication device uses to generate the message authentication code is a one-time password.

The system for applying for a financial certificate using a mobile communication device according to claim 21, wherein the registration center sends the one-time password directly to the mobile communication device to which the communication user identification code provided by the mobile financial certificate management system belongs.

A method for applying for a financial certificate using a mobile communication device, comprising the steps of:

Step a. A mobile communication device receives, as user input, financial certificate application data comprising at least identity identification data, financial data, and basic user data;

Step b. The mobile communication device transmits the financial certificate application data over the mobile communication network to a mobile financial certificate management system for verification, and during this transmission the mobile financial certificate management system can obtain the communication user identification code of the mobile communication device from the mobile communication network provider of the mobile communication device;

Step c. The mobile financial certificate management system transmits the financial certificate application data and the communication user identification code to the telecommunication system and the financial system respectively for authentication, receives and evaluates the authentication results of the telecommunication system and the financial system, returns a certificate application number and a data verification result to the mobile communication device to which the communication user identification code belongs, and synchronizes data to provide the certificate application number and the communication user identification code to the financial certificate registration center;

Step d. The mobile communication device transmits to a financial certificate registration center the certificate application number, a certificate application file (which comprises at least the financial data, the basic user data, and the public key of a digital certificate application key pair), and a message authentication code of the certificate application file;

Step e. After verifying the correctness of the message authentication code transmitted by the mobile communication device, the financial certificate registration center transmits the financial data and basic user data of the certificate application file to a financial system for data verification, and uses the verification result returned by the financial system to decide whether to transmit the certificate application file to a financial certificate management center;

Step f. After receiving the certificate application file, the financial certificate management center issues a certificate file according to the certificate issuance procedure and returns it to the financial certificate registration center; and

Step g. After receiving the certificate file, the financial certificate registration center notifies the mobile financial certificate management system that the certificate application for that certificate application number succeeded, and provides the certificate to the mobile communication device.

The method for applying for a financial certificate using a mobile communication device according to claim 33, wherein the identity identification data is an identity card number.

The method for applying for a financial certificate using a mobile communication device according to claim 33, wherein the financial data is a personal financial account number or an electronic wallet account number.

The method for applying for a financial certificate using a mobile communication device according to claim 33, wherein the basic user data meets the basic data requirements of a financial certificate application.

The method for applying for a financial certificate using a mobile communication device according to claim 33, wherein the communication user identification code obtained from the mobile network provider may be an international mobile subscriber identity or a mobile phone number.

The method for applying for a financial certificate using a mobile communication device according to claim 33, wherein the digital certificate application key pair is encrypted using a user personal identification number entered by the user as the certificate usage password.

The method for applying for a financial certificate using a mobile communication device according to claim 33, wherein the digital certificate application key pair is encrypted using, as the certificate usage password: the user personal identification number entered by the user combined with the international mobile subscriber identity of the user identity module of the mobile communication device; the user personal identification number entered by the user combined with the card number of the user identity module of the mobile communication device; the user personal identification number entered by the user combined with the IMEI of the mobile communication device; the user personal identification number entered by the user combined with the certificate application number; or a permutation or combination of the user personal identification number entered by the user, the certificate application number, the international mobile subscriber identity of the user identity module of the mobile communication device, the card number of the user identity module of the mobile communication device, and the international mobile equipment identity of the mobile communication device, so as to improve the security of certificate use.

The method for applying for a financial certificate using a mobile communication device according to claim 33, wherein, when the mobile communication device is a mobile communication device having a near-field communication chip module, the digital certificate application key pair is encrypted using, as the certificate usage password, the combination of the user personal identification number entered by the user and the unique identification code in the near-field communication chip module, so as to improve the security of certificate use.

The method for applying for a financial certificate using a mobile communication device according to claim 33, wherein the key of the message authentication code is the communication user identification code of the mobile communication device.

The method for applying for a financial certificate using a mobile communication device according to claim 41, wherein the communication user identification code is instead converted by an algorithm into a substitute identification code.

The method for applying for a financial certificate using a mobile communication device according to claim 41, wherein the communication user identification code is instead replaced by a substitute identification code with a limited verification validity period, produced by an algorithm computing over the communication user identification code and the system time of the mobile communication device.
如申請專利範圍第33項之使用行動通訊裝置申請金融憑證之方法,其中該金融憑證註冊中心係從手機金融憑證管理系統提供之憑證申請編號和通訊用戶識別碼資料中,查詢該憑證申請編號所對應的通訊用戶識別碼並以該通訊用戶識別碼作為驗證訊息認證碼之密鑰。 For example, the method for applying for a financial certificate by using a mobile communication device according to claim 33, wherein the financial certificate registration center queries the voucher application number and the communication user identification code data provided by the mobile phone financial voucher management system, and queries the voucher application number Corresponding communication user identification code and using the communication user identification code as the key of the verification message authentication code. 如申請專利範圍第33項之使用行動通訊裝置申請金融憑 證之方法,其中由該註冊中心直接傳送一次性密碼至通訊用戶識別碼之所屬行動通訊裝置。 If you use the mobile communication device to apply for a financial The method of the invention, wherein the one-time password is directly transmitted by the registration center to the mobile communication device to which the communication user identification code belongs. 如申請專利範圍第44項之使用行動通訊裝置申請金融憑證之方法,其中該金融憑證註冊中心係從憑證申請編號來查詢,該金融憑證註冊中心所配給該憑證申請編號的一次性密碼作為驗證訊息認證碼之密鑰。The method for applying for a financial certificate by using a mobile communication device according to claim 44, wherein the financial certificate registration center queries the voucher application number, and the one-time password assigned to the voucher application number by the financial voucher registration center is used as a verification message. The key of the authentication code.
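
The registration-center check described in the claims above (look up the communication user identification code by voucher application number, then verify the message authentication code keyed with a time-limited identification substitute code), shown as an added example that is not part of the patent. HMAC-SHA256, the 300-second window, the length-prefixed field encoding, the sample values and all function names are assumptions; the claims name no algorithm.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 300  # assumption: validity period of the substitute code

# Constructed sample of the data the management system synchronizes to the
# registration center: voucher application number -> communication user ID.
SYNCED_APPLICATIONS = {"APP-0001": "001010123456789"}  # constructed test IMSI


def substitute_code(user_id: str, window: int) -> bytes:
    """Time-limited identification substitute code (assumed HMAC-SHA256)."""
    return hmac.new(user_id.encode(), struct.pack(">Q", window),
                    hashlib.sha256).digest()


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix every field so bytes cannot move between fields."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def make_mac(user_id, app_no, financial, basic, public_key, now):
    """Device side: MAC over the voucher application file fields."""
    key = substitute_code(user_id, int(now) // WINDOW_SECONDS)
    msg = encode_fields(app_no.encode(), financial, basic, public_key)
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_application(app_no, financial, basic, public_key, mac, now):
    """Registration center side: look up the user ID, then check the MAC."""
    user_id = SYNCED_APPLICATIONS.get(app_no)
    if user_id is None:
        return False  # unknown application number: nothing to verify against
    msg = encode_fields(app_no.encode(), financial, basic, public_key)
    current = int(now) // WINDOW_SECONDS
    for window in (current, current - 1):  # tolerate one window of clock skew
        key = substitute_code(user_id, window)
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if hmac.compare_digest(expected, mac):  # constant-time comparison
            return True
    return False
```

An IMSI or phone number is an identifier rather than a secret, so a key derived only from it and the clock is only as strong as the secrecy of that identifier; the one-time-password variant in the last claim replaces it with a value issued per application.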

TW101100424A 2012-01-05 2012-01-05 System and method for applying financial certificate using a mobile telecommunication device TWI578253B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW101100424A TWI578253B (en) 2012-01-05 2012-01-05 System and method for applying financial certificate using a mobile telecommunication device
CN201210575295.6A CN103077461B (en) 2012-01-05 2012-12-24 System and method for applying for financial document using mobile communication device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW101100424A TWI578253B (en) 2012-01-05 2012-01-05 System and method for applying financial certificate using a mobile telecommunication device

Publications (2)

Publication Number Publication Date
TW201303780A TW201303780A (en) 2013-01-16
TWI578253B true TWI578253B (en) 2017-04-11

Family

ID=48138126

Family Applications (1)

Application Number Title Priority Date Filing Date
TW101100424A TWI578253B (en) 2012-01-05 2012-01-05 System and method for applying financial certificate using a mobile telecommunication device

Country Status (2)

Country Link
CN (1) CN103077461B (en)
TW (1) TWI578253B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI767113B (en) * 2019-03-19 2022-06-11 彰化商業銀行股份有限公司 System for using certificate stored in carrier to conduct online transactions and method thereof
TWI769378B (en) * 2019-05-03 2022-07-01 鯨動智能科技股份有限公司 Accounting firm auditing cloud confirmation system
TWI818703B (en) * 2022-08-31 2023-10-11 中華資安國際股份有限公司 Method for requesting and signing certificate, certificate system and computer-readable medium thereof
TWI860076B (en) * 2023-09-01 2024-10-21 合作金庫商業銀行股份有限公司 Coded credit card information security and verification system and method using the same

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106997530B (en) 2016-01-25 2022-10-14 创新先进技术有限公司 Credit payment method and device based on mobile terminal card simulation
CN106997527A (en) 2016-01-25 2017-08-01 阿里巴巴集团控股有限公司 Credit payment method and device based on mobile terminal P2P
CN105764051B (en) * 2016-02-05 2019-06-18 中金金融认证中心有限公司 Authentication method, authentication device, mobile device and server
CN107094079B (en) * 2016-02-17 2020-10-30 阿里巴巴集团控股有限公司 Method, device and equipment for opening terminal function

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030055792A1 (en) * 2001-07-23 2003-03-20 Masaki Kinoshita Electronic payment method, system, and devices
US20080288351A1 (en) * 2001-12-04 2008-11-20 Conceptm Company Limited System and Method for Facilitating Electronic Financial Transactions Using a Mobile Telecommunication Device
WO2009095864A1 (en) * 2008-01-28 2009-08-06 Johan Izak Jacobus Venter A method, device and system for conducting a financial transaction
US20100299220A1 (en) * 2009-05-19 2010-11-25 Boku, Inc. Systems and Methods to Confirm Transactions via Mobile Devices
US20110197061A1 (en) * 2009-08-12 2011-08-11 General Instrument Corporation Configurable online public key infrastructure (pki) management framework
TWM418352U (en) * 2011-07-11 2011-12-11 zheng-dao Wu Security mechanism system for network transaction

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2424037C (en) * 2000-09-28 2015-11-24 Euronet Services, Inc. System and method for purchasing goods and services through financial data network access points
TWI307235B (en) * 2005-12-30 2009-03-01 Ind Tech Res Inst Method for applying certificate
TW200818044A (en) * 2006-10-05 2008-04-16 Chunghwa Telecom Co Ltd Method of authenticating the barcode of mobile communication device
TWI340925B (en) * 2006-12-01 2011-04-21 Telepaq Technology Inc Electronic trading certification system and method
CN101986336A (en) * 2010-10-21 2011-03-16 陈祁麟 Electronic check payment system and electronic check payment method

Also Published As

Publication number Publication date
TW201303780A (en) 2013-01-16
CN103077461B (en) 2016-06-29
CN103077461A (en) 2013-05-01

Legal Events

Date Code Title Description
2022-01-11 MM4A Annulment or lapse of patent due to non-payment of fees