TWI835652B - Authorized signing system for electronic file, method and computer readable medium thereof - Google Patents


Publication number
TWI835652B
Authority
TW
Taiwan
Prior art keywords
signing
server
signed
document
hash
Application number
TW112118351A
Other languages
Chinese (zh)
Other versions
TW202447459A (en)
Inventor
劉秋宗
張家棟
陳秋玉
薛仲佑
郭芷辰
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW112118351A
Application granted
Publication of TWI835652B
Publication of TW202447459A


Abstract

The present invention is an authorized signing system for electronic files using Fast Identity Online (FIDO), and a method thereof. A client mobile device submits a file signing service request, so that a file process management server generates a first hash to be signed and a time to be signed according to the file to be signed. According to the first hash to be signed, the client mobile device is requested to convey FIDO certification information to a FIDO server. After the FIDO certification is performed, the file process management server generates a second hash to be signed according to the file to be signed and the time to be signed. A cloud confidential device signing server compares the first and second hashes to be signed to generate a signing result. The file process management server synthesizes the file to be signed and the signing result to form a signed file, so that the purpose of providing documents can be achieved. The present invention also provides a computer-readable medium for executing the method of the present invention.

Description

Translated from Chinese
Electronic document authorization signing system, method, and computer-readable medium thereof

The present invention relates to electronic document signing technology, and in particular to an electronic document authorization signing system, method, and computer-readable medium thereof that provide Fast Identity Online (FIDO) authentication and an authentication function relayed through a third party.

In the digital age, after editing an electronic document, a user usually has to digitally sign it so that the identity of the user corresponding to the document, and its authenticity, can be established. In current digital signing technology, most signing providers sign the electronic document directly and do not offer signing through third-party relay. Moreover, providers usually lack the ability to synthesize electronic documents, so that work must be entrusted to others, which is inconvenient and raises security concerns.

In view of the above problems, how to provide an electronic document signing technology that, in addition to offering fast authentication for identity confirmation, is also able to synthesize documents, thereby improving convenience and security, has become a goal eagerly pursued by those skilled in the art.

To solve the above problems of the prior art, the present invention discloses an electronic document authorization signing system combined with FIDO authentication, comprising: a client mobile device for submitting a document signing service request; a document process management server which, on receiving the document signing service request, generates a first hash to be signed and a time to be signed based on the document to be signed; a cloud security device signing server for receiving the first hash to be signed and user information from the document process management server; and a Fast Identity Online (FIDO) server which receives the first hash to be signed via the cloud security device signing server, generates FIDO activation information from it, and verifies the FIDO authentication information produced after the client mobile device confirms the FIDO activation information. After verification by the FIDO server, the document process management server generates a second hash to be signed based on the document to be signed and the time to be signed; the cloud security device signing server compares the first hash to be signed with the second hash to be signed to produce a signing result; and the document process management server synthesizes the document to be signed and the signing result to form a signed document.

In one embodiment, the cloud security device signing server includes an authorization authentication module that interfaces with the FIDO server, so that after verification by the FIDO server the authorization authentication module binds the first hash to be signed to the user information and gives the document process management server a corresponding authentication token.

In another embodiment, the document process management server includes a document process service server-side module for receiving the document signing service request and a third-party signing service client module for generating the first hash to be signed.

In another embodiment, the present invention further includes a third-party signing server having a third-party signing server-side module for receiving the authentication token and the second hash to be signed from the third-party signing service client module, and the cloud security device signing server further includes a cloud signing module for receiving the authentication token and the second hash to be signed from the third-party signing server-side module. After the cloud security device signing server confirms the validity of the authentication token through the cloud signing module, it compares the first hash to be signed with the second hash to be signed and, after the comparison, returns the signing result to the document process management server.

In another embodiment, the client mobile device includes a document process management client module through which the user submits the document signing service request and which parses the FIDO activation information to obtain the first hash to be signed for confirmation.

In another embodiment, the client mobile device and the FIDO server perform user authentication and key pairing in advance, with the private key stored on the client mobile device and the public key stored on the FIDO server.

In another embodiment, the client mobile device further includes a FIDO client module that uses the private key to encrypt the confirmation result of the FIDO activation information to generate the FIDO authentication information.

In yet another embodiment, the FIDO server verifies the FIDO authentication information by comparing the private key and the public key.

The present invention further discloses an electronic document authorization signing method combined with FIDO authentication, executed on a computer or server, comprising the following steps: a client mobile device submits a document signing service request to a document process management server, causing the document process management server to generate a first hash to be signed and a time to be signed based on the document to be signed and to transmit it to a cloud security device signing server; the cloud security device signing server stores the first hash to be signed and the user information from the document process management server and transmits them to a Fast Identity Online (FIDO) server, so that the FIDO server generates FIDO activation information based on the first hash to be signed and transmits it to the client mobile device; after the client mobile device confirms the FIDO activation information, FIDO authentication information is generated, and the FIDO server verifies the FIDO authentication information; after verification by the FIDO server, the document process management server generates a second hash to be signed based on the document to be signed and the time to be signed and transmits it to the cloud security device signing server, which compares the first hash to be signed with the second hash to be signed and, when the comparison result is a match, generates a signing result and transmits it to the document process management server; and the document process management server synthesizes the document to be signed and the signing result to form a signed document.

In one embodiment, after the FIDO server verifies the FIDO authentication information, the authorization authentication module within the cloud security device signing server, which interfaces with the FIDO server, binds the first hash to be signed to the user information and gives the document process management server a corresponding authentication token.

In another embodiment, the document process management server includes a document process service server-side module for receiving the document signing service request and a third-party signing service client module for generating the first hash to be signed.

In another embodiment, after the cloud security device signing server gives the document process management server the corresponding authentication token, the method further includes the following steps: the document process management server transmits the authentication token and the second hash to be signed to a third-party signing server, wherein the third-party signing server receives the authentication token and the second hash to be signed from the third-party signing service client module through a third-party signing server-side module; and the cloud security device signing server receives the authentication token and the second hash to be signed from the third-party signing service client module, wherein, after the cloud security device signing server confirms the validity of the authentication token through a cloud signing module, it compares the first hash to be signed with the second hash to be signed and returns the signing result to the document process management server.

In another embodiment, the client mobile device includes a document process management client module through which the user submits the document signing service request and which parses the FIDO activation information to obtain the first hash to be signed for confirmation.

In another embodiment, before the document signing service request is submitted, the method further includes having the client mobile device and the FIDO server perform user authentication and key pairing in advance, with the private key stored on the client mobile device and the public key stored on the FIDO server.

In another embodiment, the client mobile device further includes a FIDO client module that uses the private key to encrypt the confirmation result of the FIDO activation information to generate the FIDO authentication information.

In yet another embodiment, the FIDO server verifies the FIDO authentication information by comparing the private key and the public key.

The present invention further discloses a computer-readable medium, for use in a computing device or computer, that stores instructions for executing the aforementioned electronic document authorization signing method combined with FIDO authentication.

As can be seen from the above, the electronic document authorization signing system, method, and computer-readable medium combined with FIDO authentication of the present invention provide FIDO authentication during the signing of an electronic document, and the third-party signing server provides third-party relayed signing. The third-party signing module subsequently uses the authentication token it obtained to have the information to be signed signed by the cloud security device signing server, then integrates the long-term information and imports it into the document process management server. Throughout the process the cloud security device signing server never needs to touch the document to be signed, yet the purpose of confirming the user's intent to sign is achieved; and compared with a centralized signing service, it also has the effect of reducing the load-balancing burden.

1: Electronic document authorization signing system

11: Client mobile device

111: Document process management client module

112: FIDO client module

12: Document process management server

121: Document process service server-side module

122: Third-party signing service client module

13: Cloud security device signing server

131: Authorization authentication module

132: Cloud signing module

14: FIDO server

141: FIDO verification module

15: Third-party signing server

151: Third-party signing server-side module

S200~S250: Steps

401~411: Process flow

Figure 1 is a system architecture diagram of the electronic document authorization signing system combined with FIDO authentication according to the present invention.

Figure 2 is a step diagram of the electronic document authorization signing method combined with FIDO authentication according to the present invention.

Figure 3 is a step diagram of the signing procedure of the present invention.

Figure 4 is a flow chart of the actual operation of the electronic document authorization signing method combined with FIDO authentication according to the present invention.

The technical content of the present invention is described below through specific embodiments; those skilled in the art can readily understand the advantages and effects of the invention from the content disclosed in this specification. The invention can, however, also be implemented or applied through other, different embodiments.

Figure 1 is a system architecture diagram of the electronic document authorization signing system combined with Fast Identity Online (FIDO) authentication according to the present invention. As shown in the figure, the electronic document authorization signing system 1 includes a client mobile device 11, a document process management server 12, a cloud security device signing server 13, and a FIDO server 14. The details of the invention are described below.

Before the electronic document authorization signing system 1 signs a document to be signed, user authentication and key pairing are performed in advance between the client mobile device 11 and the FIDO server 14. Specifically, the user first connects to the document process management server 12 through the client mobile device 11 and performs user authentication and key pairing via the FIDO server 14; once authentication is complete, the private key is stored on the client mobile device 11 and the public key is stored on or published by the FIDO server 14, for use in confirming subsequent user authentication.

The client mobile device 11 lets a user who needs to sign an electronic document submit a document signing service request. It subsequently receives the FIDO activation information sent by the FIDO server 14 and replies with FIDO authentication information accordingly. Specifically, the client mobile device 11 includes a document process management client module 111 and a FIDO client module 112. The document process management client module 111 lets the user submit the document signing service request and, on receiving the FIDO activation information, parses it to obtain the corresponding data; after the user confirms that data, the FIDO client module 112 uses the private key to encrypt the confirmation result of the FIDO activation information to generate the FIDO authentication information.

The document process management server 12 lets the user edit the document to be signed and, on receiving the document signing service request from the client mobile device 11, generates a first hash to be signed and a time to be signed based on the document to be signed. The document process management server 12 includes a document process service server-side module 121 and a third-party signing service client module 122. The document process management server 12 receives the document signing service request from the client mobile device 11 through the document process service server-side module 121 and has the third-party signing service client module 122 generate the first hash to be signed and the time to be signed for the text of the document to be signed. The document process management server 12 then encrypts the first hash to be signed and the user information and passes them to the cloud security device signing server 13, so that the cloud security device signing server 13 can confirm the binding of the first hash to be signed and the user information.

The cloud security device signing server 13 receives the first hash to be signed and the user information from the document process management server 12 and stores them. Based on the user information, it asks the FIDO server 14 to produce FIDO activation information and transmits the first hash to be signed and the user information to the FIDO server 14. Specifically, the cloud security device signing server 13 includes an authorization authentication module 131 and a cloud signing module 132. The authorization authentication module 131 interfaces with the FIDO server 14: based on the user information it asks the FIDO server 14 to produce the FIDO activation information from the first hash to be signed, and it retains the first hash to be signed and the user information.

The FIDO server 14 accepts the request from the cloud security device signing server 13 to produce the FIDO activation information, receives the first hash to be signed from the cloud security device signing server 13, generates the corresponding FIDO activation information, and returns it to the cloud security device signing server 13. Once the cloud security device signing server 13 has the FIDO activation information, it sends it to the client mobile device 11 via the document process management server 12. The user can then parse the FIDO activation information through the document process management service client module 111 to obtain the first hash to be signed, and after the user confirms the data of the first hash to be signed, the FIDO authentication process starts.

In the FIDO authentication process, the FIDO client module 112 of the client mobile device 11 signs the first hash to be signed to form the FIDO authentication information, which is sent via the document process management server 12 to the cloud security device signing server 13; the cloud security device signing server 13 verifies the FIDO authentication information through the FIDO server 14. In one embodiment, the FIDO server 14 has a FIDO verification module 141 that receives the FIDO authentication information for verification; that is, the FIDO server 14 verifies the FIDO authentication information produced after the client mobile device 11 confirms the FIDO activation information. In one embodiment, the FIDO client module 112 encrypts the FIDO authentication information with the private key, so that when the FIDO server 14 receives the FIDO authentication information, it verifies it by comparing the private key and the public key through the FIDO verification module 141.

After verification succeeds, the cloud security device signing server 13 binds the first hash to be signed to the user information and at the same time forms an authentication token that is given to the document process management server 12. In other words, after the FIDO authentication information passes verification by the FIDO server 14, the authorization authentication module 131 of the cloud security device signing server 13 binds the first hash to be signed to the user information and gives the document process management server 12 a corresponding authentication token. The document process management server 12 then, through the third-party signing service client module 122, generates a second hash to be signed using the document to be signed and the time to be signed as parameters, and passes the second hash to be signed and the authentication token to the cloud security device signing server 13, which confirms the validity of the authentication token. Once the token is confirmed to be correct, the first hash to be signed that is bound to the token is retrieved and compared with the second hash to be signed to check whether they match; when the cloud security device signing server 13 finds that the first hash to be signed and the second hash to be signed match, it generates a signing result.
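
The binding and comparison step described above can be modelled as follows. This is an added example, not code from the patent or its assignee. SHA-256 over the document bytes plus the time to be signed, the single-use token with a time limit, the HMAC standing in for the security device's signature, and all class and function names are assumptions; FIDO verification is reduced to a boolean verdict from the FIDO server.

```python
import hashlib
import hmac
import secrets
import time


def hash_to_be_signed(document: bytes, signing_time: str) -> str:
    """Digest over the document and the time to be signed.

    Assumption: SHA-256 with a length prefix; the page names no algorithm.
    Both the first and the second hash use this function so they can match.
    """
    h = hashlib.sha256()
    h.update(len(document).to_bytes(8, "big"))  # unambiguous field boundary
    h.update(document)
    h.update(signing_time.encode("utf-8"))
    return h.hexdigest()


class CloudSigningServer:
    """Hypothetical model of the authorization module and signing module."""

    def __init__(self, token_ttl: float = 120.0, clock=time.monotonic):
        self._pending = {}  # user -> first hash, stored before FIDO runs
        self._tokens = {}   # token -> (user, first hash, expiry)
        self._ttl = token_ttl
        self._clock = clock
        self._device_key = secrets.token_bytes(32)  # stand-in for the device key

    def store_first_hash(self, user: str, first_hash: str) -> None:
        self._pending[user] = first_hash

    def issue_token(self, user: str, fido_verified: bool):
        """Bind the stored first hash to the user once FIDO has verified."""
        first_hash = self._pending.pop(user, None)
        if not fido_verified or first_hash is None:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, first_hash, self._clock() + self._ttl)
        return token

    def sign(self, token: str, second_hash: str) -> dict:
        """Check the token, compare the hashes, and sign only on a match."""
        entry = self._tokens.pop(token, None)  # single use (assumption)
        if entry is None:
            return {"ok": False, "reason": "unknown-or-used-token"}
        user, first_hash, expiry = entry
        if self._clock() > expiry:
            return {"ok": False, "reason": "expired-token"}
        # Constant-time comparison of the approved hash and the submitted one.
        if not hmac.compare_digest(first_hash.encode(), second_hash.encode()):
            return {"ok": False, "reason": "hash-mismatch"}
        # HMAC stands in for the security device's signature over the hash.
        sig = hmac.new(self._device_key, second_hash.encode(), hashlib.sha256)
        return {"ok": True, "user": user, "signature": sig.hexdigest()}


def run_demo() -> dict:
    """Walk the flow with constructed sample data and collect the outcomes."""
    doc = b"Constructed sample contract: pay 100 units to Alice."
    when = "2023-05-17T10:00:00Z"  # constructed time to be signed
    srv = CloudSigningServer()
    results = {}

    # Approved document is unchanged: the hashes match and a result is issued.
    srv.store_first_hash("user-1", hash_to_be_signed(doc, when))
    token = srv.issue_token("user-1", fido_verified=True)
    results["match"] = srv.sign(token, hash_to_be_signed(doc, when))["ok"]
    # The same token presented again is rejected.
    results["replay"] = srv.sign(token, hash_to_be_signed(doc, when))["reason"]

    # Document changed after the user approved the first hash.
    srv.store_first_hash("user-1", hash_to_be_signed(doc, when))
    token = srv.issue_token("user-1", fido_verified=True)
    altered = doc.replace(b"100", b"900")
    results["tampered"] = srv.sign(token, hash_to_be_signed(altered, when))["reason"]

    # FIDO verification failed: no binding and no token.
    srv.store_first_hash("user-1", hash_to_be_signed(doc, when))
    results["no_fido"] = srv.issue_token("user-1", fido_verified=False)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The server in this model only ever sees hashes, which matches the page's point that the signing server does not need to touch the document itself.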

In one embodiment, the second hash to be signed and the authentication token can be relayed through a third-party signing server 15, so the electronic document authorization signing system 1 of the present invention can further include a third-party signing server 15. Specifically, the third-party signing server 15 includes a third-party signing server-side module 151 for receiving the authentication token and the second hash to be signed from the third-party signing service client module 122, and the cloud security device signing server 13 correspondingly further includes a cloud signing module 132. Through the cloud signing module 132, the cloud security device signing server 13 receives the authentication token and the second hash to be signed from the third-party signing server-side module 151; after confirming the validity of the authentication token, it retrieves the first hash to be signed corresponding to the token and compares it with the second hash to be signed. After the comparison, the cloud security device signing server 13 returns the signing result to the document process management server 12 via the third-party signing server 15.

After the FIDO authentication process is complete, the document process management server 12 synthesizes the document to be signed and the signing result to form a signed document. Specifically, the third-party signing service client module 122 synthesizes the document to be signed and the signing result according to the requirements of the document process management server 12, forming the signed document, which is presented on the document process management server 12 to complete the signing of the electronic document.

Figure 2 is a step diagram of the electronic document authorization signing method combined with FIDO authentication according to the present invention. As shown in the figure, the method can be executed in the electronic document authorization signing system described above; for the system architecture, see the description above, which is not repeated here. The electronic document authorization signing method includes the following steps:

In step S200, FIDO registration is performed. In this step, the client mobile device registers the user with the FIDO server in advance to provide user authentication and key pairing. That is, the user first registers with the FIDO server through the client mobile device to complete user authentication and perform key pairing; after key pairing, the private key is stored on the client mobile device and the public key is stored on the FIDO server for use in subsequent FIDO authentication.

In step S210, a document signing service request is submitted. In this step, when the user needs to digitally sign an electronic document, a document signing service request is submitted to the document process management server through the client mobile device; the document process management client module of the client mobile device then initiates the document cloud signing service with the document process management server. In one embodiment, the client mobile device lets the user submit the document signing service request through the document process management client module. On receiving the request, the document process management server generates the first hash to be signed from the document to be signed that the user edited and at the same time produces the time to be signed. It then passes the first hash to be signed, the user information, and server authentication information to the cloud security device signing server, so that a relationship between the user information and the first hash to be signed can be established in the subsequent procedure.

In step S220, the FIDO activation procedure is executed. In this step, the cloud confidential device signing server stores the first hash to be signed and the user information received from the document process management server and transmits them to the FIDO server, so that the FIDO server generates FIDO activation information based on the first hash to be signed. On obtaining the FIDO activation information, the cloud confidential device signing server sends it to the client mobile device via the document process management server.

In step S230, the FIDO activation and verification procedure is executed. In this step, after the client mobile device confirms the FIDO activation information, it generates FIDO authentication information. In one embodiment, the client mobile device parses the FIDO activation information through the document process management client module to obtain the first hash to be signed, so that the user can confirm it; the FIDO verification procedure then starts. Specifically, the client mobile device, through the FIDO client module, uses the private key to encrypt the confirmation result of the FIDO activation information to generate the FIDO authentication information. That is, the FIDO client module uses the private key to encrypt the confirmed first hash to be signed, producing the FIDO authentication information, and sends it to the document process management server. The document process management server then uses the document process service server-side module to pass the FIDO authentication information, the user information and the server authentication information to the authorization authentication module of the cloud confidential device signing server. The authorization authentication module interfaces with the FIDO server, which verifies the FIDO authentication information. In one embodiment, the FIDO server verifies the FIDO authentication information by comparing the private key and the public key; once verification passes, the authorization authentication module binds the first hash to be signed to the user information and gives the document process management server a corresponding authentication token.

In step S240, the signing procedure is executed. In this step, after verification by the FIDO server, the document process management server obtains the authentication token and then, with the document to be signed, the time to be signed and the authentication token, asks the third-party signing service client module to sign the document to be signed. That is, the document process management server, through the third-party signing service client module, generates the second hash to be signed from the document to be signed and the time to be signed, then sends the second hash to be signed, the authentication token and the third-party signing server authentication information to the third-party signing server, which forwards them to the cloud confidential device signing server. The cloud confidential device signing server compares the first hash to be signed with the second hash to be signed and, when they match, generates a signing result and sends it to the document process management server.

Further, FIG. 3 is a step diagram of the signing procedure of the present invention. As shown in the figure, the signing procedure includes the following steps:

In step S241, the authentication token and the second hash to be signed are passed on. In this step, after the document process management server obtains the authentication token, it first sends the authentication token and the second hash to be signed to the third-party signing server. Specifically, the third-party signing server receives the authentication token and the second hash to be signed through the third-party signing server-side module.

In step S242, the signing result is obtained. In this step, the third-party signing server, through the third-party signing server-side module, passes the authentication token, the second hash to be signed and the cloud confidential device authentication information to the cloud signing module of the cloud confidential device signing server. After the cloud signing module confirms that the authentication token is valid, it retrieves the to-be-signed information bound to the token, namely the first hash to be signed, and checks whether the second hash to be signed matches it. When they match, signing is completed and the signing result is returned, via the third-party signing server-side module, to the third-party signing service client module of the document process management server.

Returning to FIG. 2, in step S250 the signed document is composed. In this step, after the document process management server obtains the signing result, the third-party signing service client module combines the document to be signed with the signing result to form the signed document, thereby achieving the purpose of signing a document to be signed such as an electronic document. The third-party signing service client module then returns the signed document to the document process service server-side module for retention, and the document process service server-side module notifies the document process management client module of the client mobile device, letting the user know that the document to be signed has been signed successfully and has become the signed document.

FIG. 4 is a flow chart of the actual operation of the electronic document authorization signing method combined with FIDO authentication of the present invention. As shown in the figure, the method includes the following processes:

In process 401, a document signing service request is made. In this process, after viewing the document to be signed on the client mobile device, the user sends the document process management server a document signing service request for that document. The document process management server, through the third-party signing service client module, produces the first hash to be signed and the time to be signed for the document to be signed.

In process 402, the FIDO activation procedure runs. In this process, the document process management server passes the first hash to be signed and the user information to the FIDO server through the cloud confidential device signing server and asks the FIDO server to generate FIDO activation information using the first hash to be signed as the basis for verification. The cloud confidential device signing server then retains the association between the first hash to be signed and the user and returns the FIDO activation information to the document process management server.

In process 403, the FIDO verification procedure is executed. In this process, the document process management server passes the FIDO activation information to the client mobile device, and the user parses the FIDO activation information through the client mobile device. After confirming that the first hash to be signed is the information to be signed, the first hash to be signed together with the result of signing it with the private key of the client mobile device is used as the FIDO verification information, which is passed through the document process management server to the cloud confidential device signing server.

In process 404, it is confirmed whether FIDO verification is passed. Specifically, after the FIDO server verifies the FIDO verification information, if it matches the registered user, process 405 is executed: the first hash to be signed is bound to the user and an authentication token is formed, which completes the binding of the first hash to be signed to the user, and the authentication token is returned to the document process management server. If it does not match, process 406 is executed to notify the client mobile device: an error message is returned to the document process management server, the process ends, and the client mobile device is notified.

In processes 407 to 408, the document process management server, through the third-party signing service client module, computes the second hash to be signed from the first hash to be signed and the time to be signed. The document process management server then passes the authentication token, the second hash to be signed and the user authentication information to the cloud confidential device signing server through the third-party signing server.

In processes 409 to 411, it is confirmed whether the authentication token and the hash to be signed pass verification and comparison. Specifically, in process 409, the cloud confidential device signing server confirms that the authentication token is still within its validity period and checks whether the retained first hash to be signed matches the second hash to be signed. If they match, process 410 is entered: the cloud confidential device signs the hash with the private key, the third-party signing server composes the signing result, and the third-party signing service client module composes the document. On completion, the document is returned to the document process service server-side module and the client mobile device is notified that the document signing process is complete, that is, the document to be signed has been signed. If they do not match, process 411 is entered and an error message is returned to the third-party signing server.
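The checks of processes 409 to 411 (and step S242), as an added Python example that is not taken from the patent: the cloud confidential device signing server keeps the first hash to be signed bound to a token and accepts a second hash only if the token is unexpired and the two hashes match. The class and function names, the 120-second token lifetime, single-use tokens, the SHA-256 construction over time to be signed plus document, and HMAC standing in for the private-key signature are all assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed token lifetime; the page gives no value


def hash_to_sign(document: bytes, time_to_sign: str) -> str:
    """Assumed construction: SHA-256 over the time to be signed and the document.

    The same function yields the first and the second hash, so an unchanged
    document and signing time always reproduce the same digest.
    """
    ts = time_to_sign.encode()
    # The length prefix keeps the (time, document) boundary unambiguous.
    return hashlib.sha256(len(ts).to_bytes(4, "big") + ts + document).hexdigest()


class CloudSigningServer:
    """Hypothetical model of the binding and comparison checks."""

    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key   # stand-in for the protected signing private key
        self._clock = clock
        self._bindings = {}       # token -> (user, first_hash, expiry)

    def bind_after_fido(self, user: str, first_hash: str) -> str:
        """Process 405: call only after the FIDO server accepted the user's response."""
        token = secrets.token_urlsafe(32)
        expiry = self._clock() + TOKEN_TTL_SECONDS
        self._bindings[token] = (user, first_hash, expiry)
        return token

    def sign(self, token: str, second_hash: str):
        """Processes 409-411: returns (ok, signature_or_error_message)."""
        # Assumption: a token is consumed on its first use, pass or fail.
        binding = self._bindings.pop(token, None)
        if binding is None:
            return False, "unknown or already used token"
        _user, first_hash, expiry = binding
        if self._clock() > expiry:
            return False, "token expired"
        # Constant-time comparison of the retained and the submitted hash.
        if not hmac.compare_digest(first_hash, second_hash):
            return False, "hash mismatch"
        # HMAC is a stand-in for the private-key signature over the hash.
        sig = hmac.new(self._key, second_hash.encode(), hashlib.sha256).hexdigest()
        return True, sig


def demo():
    """Runs four constructed cases and returns their outcomes."""
    now = [1_700_000_000.0]  # constructed clock so expiry is testable offline
    server = CloudSigningServer(b"constructed-demo-key", clock=lambda: now[0])
    doc = b"Constructed contract text v1"
    t = "2023-05-17T10:00:00Z"  # constructed time to be signed
    first = hash_to_sign(doc, t)
    results = {}

    token = server.bind_after_fido("alice", first)
    results["match"] = server.sign(token, hash_to_sign(doc, t))
    results["replay"] = server.sign(token, hash_to_sign(doc, t))

    # The document changed after the user confirmed the first hash.
    token = server.bind_after_fido("alice", first)
    swapped = hash_to_sign(b"Constructed contract text v2", t)
    results["swapped_doc"] = server.sign(token, swapped)

    token = server.bind_after_fido("alice", first)
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = server.sign(token, hash_to_sign(doc, t))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The signing server never receives the document itself, only the two digests, which matches the page's statement that it signs without touching the document to be signed.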

In addition, the present invention discloses a computer-readable medium that is used in a computing device or computer having a processor (for example, a CPU or GPU) and/or memory and that stores instructions. The computing device or computer executes the computer-readable medium through the processor and/or memory, and in doing so performs the methods, steps and processes described above.

The modules, units and devices of the present invention include a microprocessor and memory. Algorithms, data and programs are stored in the memory or on a chip, and the microprocessor can load data, algorithms or programs from memory to perform processing such as data analysis or calculation, which is not described further here. In other words, the electronic document authorization signing system and method combined with FIDO authentication of the present invention can run on electronic equipment such as an ordinary computer, tablet or server, which performs data analysis and computation after receiving data. The procedures carried out by the system and method can therefore be designed in software and built on electronic equipment having a processor, memory and other components, so as to run on all kinds of electronic equipment. In addition, each module or unit in the resource standardized provisioning system may be composed of independent components, for example designed as a calculator, memory, storage or firmware with a processing unit, any of which can be used to implement the present invention. That is, the present invention may be presented as a software program, hardware or a firmware architecture.

Accordingly, the present invention mainly proposes a third-party hash signing service process. FIDO authentication is bound between the client mobile device and the FIDO server, so that when an electronic document is to be signed, the client mobile device interfaces with the third-party signing service module, the first hash to be signed is produced from the electronic document to be signed, and through the FIDO activation process the information of the first hash to be signed is presented in the document process management client module for the user to confirm. Then, through the FIDO authentication process, the cloud confidential device signing server binds the first hash to be signed to the user information and an authentication token is obtained at the same time. In the signing procedure, the third-party signing service module has the authentication token and the second hash to be signed authenticated and signed at the cloud confidential device signing server, composes the signing result into the document to be signed, and returns the signed document to the document process management server to complete the document signing procedure.

In summary, the electronic document authorization signing system and method combined with FIDO authentication, and the computer-readable medium thereof, use the fast verification characteristic of FIDO together with the third-party signing service module to bind the document to be signed, which is managed by the document process management server, to the cloud confidential device signing server. During signing, this lets the document process management server concentrate on chaining the document process and lets the cloud confidential device signing server concentrate on the signing service. In addition, the present invention uses the third-party signing module together with the FIDO process to bind the hash to be signed of the document to the cloud confidential device signing server and obtain an authentication token. The third-party signing module then uses the authentication token to have the to-be-signed information signed by the cloud confidential device signing server, after which it is integrated with the long-term information and imported into the document process management server. Throughout the process the cloud confidential device signing server does not need to touch the document to be signed, yet the user's intention to sign can still be confirmed, and compared with a centralized signing service, the present invention has the effect of reducing the degree of load balancing.

The above embodiments are illustrative only and are not intended to limit the present invention. Anyone skilled in the art may modify and change the above embodiments without departing from the spirit and scope of the invention. The scope of protection of the present invention is therefore defined by the appended claims, and anything that does not affect the effect and purpose of the invention should be covered by the technical content disclosed here.

1: Electronic document authorization signing system

11: Client mobile device

111: Document process management client module

112: FIDO client module

12: Document process management server

121: Document process service server-side module

122: Third-party signing service client module

13: Cloud confidential device signing server

131: Authorization authentication module

132: Cloud signing module

14: FIDO server

141: FIDO verification module

15: Third-party signing server

151: Third-party signing server-side module

Claims (17)

1. An electronic document authorization signing system, comprising:
a client mobile device for making a document signing service request;
a document process management server which, on receiving the document signing service request, generates a first hash to be signed and a time to be signed based on a document to be signed;
a cloud confidential device signing server for receiving the first hash to be signed and user information from the document process management server; and
a Fast Identity Online (FIDO) server which receives the first hash to be signed via the cloud confidential device signing server and generates FIDO activation information from it, so as to verify the FIDO authentication information produced after the client mobile device confirms the FIDO activation information,
wherein, after verification by the FIDO server, the document process management server generates a second hash to be signed based on the document to be signed and the time to be signed, for the cloud confidential device signing server to compare the first hash to be signed with the second hash to be signed to generate a signing result, so that the document process management server combines the document to be signed and the signing result to form a signed document.

2. The electronic document authorization signing system of claim 1, wherein the cloud confidential device signing server includes an authorization authentication module for interfacing with the FIDO server, so that after verification by the FIDO server, the authorization authentication module binds the first hash to be signed to the user information and gives the document process management server a corresponding authentication token.

3. The electronic document authorization signing system of claim 2, wherein the document process management server includes a document process service server-side module for receiving the document signing service request and a third-party signing service client module for generating the first hash to be signed.

4. The electronic document authorization signing system of claim 3, further comprising a third-party signing server having a third-party signing server-side module for receiving the authentication token and the second hash to be signed from the third-party signing service client module, the cloud confidential device signing server further including a cloud signing module for receiving the authentication token and the second hash to be signed from the third-party signing server-side module, wherein after the cloud confidential device signing server confirms the validity of the authentication token through the cloud signing module, it compares the first hash to be signed with the second hash to be signed and, after the comparison, returns the signing result to the document process management server.

5. The electronic document authorization signing system of claim 1, wherein the client mobile device includes a document process management client module for the user to make the document signing service request and for parsing the FIDO activation information to obtain the first hash to be signed for confirmation.

6. The electronic document authorization signing system of claim 5, wherein the client mobile device and the FIDO server perform user authentication and key pairing in advance, the private key being stored on the client mobile device and the public key being stored on the FIDO server.

7. The electronic document authorization signing system of claim 6, wherein the client mobile device further includes a FIDO client module that uses the private key to encrypt the confirmation result of the FIDO activation information to generate the FIDO authentication information.

8. The electronic document authorization signing system of claim 7, wherein the FIDO server verifies the FIDO authentication information by comparing the private key and the public key.

9. An electronic document authorization signing method, comprising the following steps:
a client mobile device makes a document signing service request to a document process management server, causing the document process management server to generate a first hash to be signed and a time to be signed based on a document to be signed and to transmit them to a cloud confidential device signing server;
the cloud confidential device signing server stores the first hash to be signed and user information from the document process management server and transmits them to a Fast Identity Online (FIDO) server, so that the FIDO server generates FIDO activation information based on the first hash to be signed and transmits it to the client mobile device;
after the client mobile device confirms the FIDO activation information, FIDO authentication information is generated, and the FIDO server verifies the FIDO authentication information;
after verification by the FIDO server, the document process management server generates a second hash to be signed based on the document to be signed and the time to be signed and transmits it to the cloud confidential device signing server, which compares the first hash to be signed with the second hash to be signed and, when the comparison result is a match, generates a signing result and transmits it to the document process management server; and
the document process management server combines the document to be signed and the signing result to form a signed document.

10. The electronic document authorization signing method of claim 9, wherein after the FIDO server verifies the FIDO authentication information, an authorization authentication module in the cloud confidential device signing server that interfaces with the FIDO server binds the first hash to be signed to the user information and gives the document process management server a corresponding authentication token.

11. The electronic document authorization signing method of claim 10, wherein the document process management server includes a document process service server-side module for receiving the document signing service request and a third-party signing service client module for generating the first hash to be signed.

12. The electronic document authorization signing method of claim 11, further comprising the following steps after the cloud confidential device signing server gives the document process management server the corresponding authentication token:
the document process management server transmits the authentication token and the second hash to be signed to a third-party signing server, wherein the third-party signing server receives the authentication token and the second hash to be signed from the third-party signing service client module through a third-party signing server-side module; and
the cloud confidential device signing server receives the authentication token and the second hash to be signed from the third-party signing service client module, wherein after the cloud confidential device signing server confirms the validity of the authentication token through a cloud signing module, it compares the first hash to be signed with the second hash to be signed, so as to return the signing result to the document process management server.

13. The electronic document authorization signing method of claim 9, wherein the client mobile device includes a document process management client module for the user to make the document signing service request and for parsing the FIDO activation information to obtain the first hash to be signed for confirmation.

14. The electronic document authorization signing method of claim 13, further comprising, before the document signing service request is made, causing the client mobile device and the FIDO server to perform user authentication and key pairing in advance, the private key being stored on the client mobile device and the public key being stored on the FIDO server.

15. The electronic document authorization signing method of claim 14, wherein the client mobile device further includes a FIDO client module that uses the private key to encrypt the confirmation result of the FIDO activation information to generate the FIDO authentication information.

16. The electronic document authorization signing method of claim 15, wherein the FIDO server verifies the FIDO authentication information by comparing the private key and the public key.

17. A computer-readable medium, used in a computing device or computer, storing instructions for executing the electronic document authorization signing method of any one of claims 9 to 16.
Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
TW112118351A | TWI835652B (en) | 2023-05-17 | 2023-05-17 | Authorized signing system for electronic file, method and computer readable medium thereof


Publications (2)

Publication Number | Publication Date
TWI835652B (en) | 2024-03-11
TW202447459A (en) | 2024-12-01

Family ID: 91269664
Family Applications (1)

Application NumberTitlePriority DateFiling Date
TW112118351ATWI835652B (en)2023-05-172023-05-17Authorized signing system for electronic file, method and computer readable medium thereof

Country Status (1)

| Country | Link |
| --- | --- |
| TW (1) | TWI835652B (en) |

Citations (4)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
| --- | --- | --- | --- | --- |
| TW202213132A (en) * | 2020-09-26 | 2022-04-01 | 臺灣網路認證股份有限公司 | System and method for using a device of fast identity online to certified and signed |
| TW202234318A (en) * | 2021-01-08 | 2022-09-01 | 美商亞邱勒斯控股有限責任公司 | Devices, systems, and methods for public/private key authentication |
| US20220407721A1 (en) * | 2016-09-13 | 2022-12-22 | Queralt, Inc. | Bridging Digital Identity Validation And Verification With The FIDO Authentication Framework |
| CN115664867A (en) * | 2022-12-27 | 2023-01-31 | 成都天府通数字科技有限公司 | Electronic contract signing device and method based on third party authentication |

Also Published As

| Publication number | Publication date |
| --- | --- |
| TW202447459A (en) | 2024-12-01 |

Similar Documents

| Publication | Publication Date | Title |
| --- | --- | --- |
| US9992189B2 (en) | | Generation and validation of derived credentials |
| KR102197218B1 (en) | | System and method for providing distributed id and fido based block chain identification |
| CN113743921B (en) | | Digital asset processing method, device, equipment and storage medium |
| RU2434340C2 (en) | | Infrastructure for verifying biometric account data |
| CN104378206B (en) | | A USB-Key-based virtual desktop security authentication method and system |
| WO2022121461A1 (en) | | Method, apparatus and device for constructing token for cloud platform resource access control |
| CN112989309B (en) | | Login method, authentication method and system based on multi-party authorization and computing equipment |
| US20230117628A1 (en) | | Secure signing method, device and system |
| CN102170354B (en) | | Account number cipher certification is concentrated to generate system |
| US11652647B2 (en) | | Authentication system and computer readable medium |
| JP2010505286A5 (en) | | |
| WO2020173019A1 (en) | | Access certificate verification method and device, computer equipment and storage medium |
| TWM595792U (en) | | Authorization system for cross-platform authorizing access to resources |
| EP2262165B1 (en) | | User generated content registering method, apparatus and system |
| US11522849B2 (en) | | Authentication system and computer readable medium |
| CN116545681A (en) | | Level2FIDO verifier based on trusted execution environment |
| JPH1125045A (en) | | Access control method, its device, attribute certificate issuing device, and machine-readable recording medium |
| WO2022243708A1 (en) | | Custody service for authorising transactions |
| CN103701612B (en) | | Method for obtaining and issuing identity private key |
| CN117641352B (en) | | Secure access method and device, cloud terminal device and storage medium |
| TWI835652B (en) | | Authorized signing system for electronic file, method and computer readable medium thereof |
| CN118333577A (en) | | Electronic seal making method and electronic seal making system |
| KR102816097B1 (en) | | Authentication system of zero trust network using a blockchain based token process and authentication method thereof |
| WO2016165662A1 (en) | | Mobile phone quasi-digital certificate subsystem, and system and method thereof |
| TWI807979B (en) | | A fido certification and auditing system, method base on timestamp signature and computer-readable medium thereof |
