JP2002207701A - Authentication system, method for user authentication, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an authentication system capable of conducting highly functional authentication easily without terminating an application layer, in the vicinity of a member. SOLUTION: This system has a member terminal 20 with a fingerprint reader 21, a member storage node 11 provided within a network connected to the member terminal, wherein a data link layer constituting a communication protocol in the network is terminated, and an authentication server 12 connected to the node 11 to authenticate a user. The member terminal 20 stores input fingerprint information in a frame of the protocol of the data link layer to transmit it onto the network, and the member storage node 11 reads out the fingerprint information transmitted onto the network to be transmitted to the authentication server 12. The server 12 collates the transmitted fingerprint information with preliminarily registered finger print information.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to an authentication system and a user authentication method in a network in which a subscriber uses services provided on the Internet, and a program for performing the authentication.

[0002]

2. Description of the Related Art As a configuration of a network in which a subscriber uses a service provided on the Internet, a Nortel homepage (URL (Uniform Resource Identif
ier) is "http://www.nortelnetworks.co.jp/solutions
/guide/vpn/radiussec.shtml "). An ASP (Applicatio) that provides services for companies described as "Enterprise" on the homepage
n ISP (Internet Service Provider)
vice provider), a network configuration is shown in FIG. 12A, and a protocol stack corresponding to the network configuration is shown in FIG. 12B. In addition, "ISP Private Networ"
k ”, the connection method is SOHO (Small Office,
Since it is not applied to general subscribers for enterprise users such as Home Office, the description is omitted here.

In the network configuration shown in FIG. 12A, a plurality of subscribers 100 are accommodated in a subscriber accommodation node 101, and the subscriber accommodation node 101 is a data link termination (PPP termination) 102 which is a centralized node. Is connected to The data link terminal 102 is connected to an authentication server (RADIUS (remote access dial-in user service) server) 108, and further accesses a first ISP (denoted as “ISP A” in FIG. 12). It is connected to the point 103. Here, “ISP A” is the IS with which the subscriber 100 has contracted.
P, and communication from the subscriber 100 to the access point 103 is communication on the network of the communication carrier.

[0004] The access point 103 uses the "ISP
A through the Internet backbone 105 from the network 104 of the "A", the second ISP (in FIG. 12,
(Described as “ISPB”), and connected to an application server 107 provided in a data center 200 operated and managed by an ASP that provides various content services on the Internet within the network 106. You. Here, "IS
“PB” is an ISP contracted by the ASP.

A communication protocol on the Internet is based on an OSI reference model (Open Systems Interconnection).
The protocol has a hierarchical structure conforming to the Basic Reference Model, and is generally known as a TCP / IP protocol. Here, the TCP is "Transmissi
on Control Protocol ”, IP stands for“ Internet Protocol ”
ol ". In the above network configuration,
As shown in FIG. 12B, the physical layer located at the lowest layer (“phy” in FIG. 12) and the data link layer located thereabove (“L2” and “PPP” in FIG.
PP is an abbreviation of (Point-to-Point Protocol), which is an upper Internet layer (“IP” in FIG. 12)
IP (abbreviation of Internet Protocol) has a hierarchical protocol structure including an application layer located at the highest level. The application layer has a network access function for applications and services. The Internet layer determines the communication protocol between the terminating system and the relay system and between the relay systems, and performs, for example, routing control between the carrier network and the network 104 and between the networks 104 to 106. The data link layer and the physical layer are network interface layers and have a function of physically transmitting and receiving packets (frames). In addition, although not shown,
Below the application layer is a transport layer that determines the communication protocol between the terminating and terminating systems.

In the protocol stack shown in FIG. 12B, communication is performed between the subscriber accommodation node 101, the subscriber 100, and the data link terminal 102 using the physical layer "phy". Further, between the carrier network and the network 104 owned by “ISP A”, between the network 104 and the Internet backbone 105, and between the network 104 and the Internet backbone 105.
5 and network 10 owned by “ISP B”
Communication between the network 106 and the application server 107 is performed using "IP" in the Internet layer.

[0007] First, the subscriber 100 starts with ISDN (Integrat).
ed Services Digital Network) line, etc., through a subscriber line 109 and a subscriber accommodating node 101 owned by the carrier, the "ISP"
The connection is made to the access point 103 of "A". "ISP
"A" has its own network 104 through which the subscriber's line is connected to the Internet backbone network 105 (line connection).

[0008] "ISP A" distributes a user ID number and a password to each subscriber in order to identify a subscriber who has subscribed to the service. When the line is connected, the user ID number and the password are added. Perform authentication work to request subscribers to confirm subscribers. At this time, the subscriber 100 and the access point 1 connected by the ISDN line, etc.
03, the data link layer protocol PP
Using P, information (user ID number, password) for authentication is transmitted between the subscriber and “ISP A”.

[0009] The PPP is terminated at the access point 103 via the data link terminal 102, and the information for authentication transmitted by the PPP is taken out by the access point 103 by "ISP A". “ISP A” identifies each subscriber by referring to the extracted information and the information of each subscriber stored in the authentication server 108 arranged in the own network 104. This identification result is passed to the ASP application server 107 and the subscriber 100.

When the authentication result is "rejection", the connection of the subscriber line to the backbone network 105 is rejected and the communication is terminated. When the authentication result is "authorization", the connection of the subscriber line to the backbone network 105 is performed. Connection is allowed. After the line connection, the signal transmitted by the protocol of the layer above PPP is transmitted to the network 1 of "ISP A".
04, receives an IP transfer, passes through the Internet backbone 105, and enters an ASP contract “IS
PB "enters the network 106. "ISP B"
An ASP application server 107 is connected to the network 106, and the application layer is terminated by this server. Thereby, the subscriber 100
Can transmit and receive information on various services provided by the application server 107, and can receive desired services.

In the above-described conventional network configuration, authentication performed in the network is authentication using a user ID number and a password. In order to perform more sophisticated authentication, for example, fingerprint authentication, an application layer protocol is required. Becomes A sophisticated authentication method is required in a network when an ASP that provides a unique service on the Internet adds electronic commerce to a menu. FIG. 13 shows a network configuration when a high-performance authentication method such as fingerprint authentication is adopted between a subscriber and an ASP.
FIG. 13A shows a protocol stack corresponding to this, and FIG.

The network configuration shown in FIG.
The ASP data center 200 is provided with an authentication server 112 for performing high-performance authentication in addition to the application server 107, and the subscriber 100 has a subscriber terminal 111 having a fingerprint reader 110.
Fingerprint information (information for advanced authentication) read from
Is substantially the same as the above-described network configuration shown in FIG. 12A except that is transmitted using the application layer. In FIG. 13A, the same components as those in FIG. 12A are denoted by the same reference numerals.

The fingerprint information (information for high-performance authentication) read from the fingerprint reader 110 is transmitted using a protocol of an application layer which is an upper layer. On the other hand, information for authentication using a user ID number and a password is transmitted using PPP as a lower layer, and terminated at an access point 103 of “ISP A” contracted by a subscriber. As shown in FIG.
The signal transmitted by the protocol of the layer above P is
It enters the network 104 of “ISP A” and receives the IP transfer while receiving the Internet backbone 10.
After that, the user enters the network 105 of “ISP B” contracted by ASP. An ASP application server 107 is connected to the network of “ISP B”, and the application layer is terminated by this server. The fingerprint information transmitted using the application layer is transmitted to the authentication server 112 in the ASP data center 200.
Passed to. The authentication server 112 collates the received fingerprint information with the fingerprint information of each subscriber registered in advance, and identifies each subscriber. The result of this identification is
It is transmitted to the subscriber 100 using the application layer. If the fingerprint collation result is “approved”, the subscriber 100 can receive the service related to the electronic commerce provided by the application server 107, and if “rejected”, the communication ends.

[0014]

As described above, in the conventional network configuration, when performing high-function authentication, high-function authentication is supported in addition to the service function originally provided to the ASP application server. If it is necessary to provide a function to perform the operation and the application server does not have enough capacity, as shown in FIG.
It is necessary to newly install a server for performing such high-performance authentication on the ASP side.

In the future, with the development of the Internet, the number of subscribers with the ISP will increase, and it is inevitable that the speed of the subscriber line will be increased. Therefore, the PPP termination and the authentication work at the access point of the ISP will become a heavy load. It is expected that. For this reason, a network configuration in which an authentication work is performed as close to the subscriber as possible (at a stage where the number of accommodated subscribers is small) is considered for the PPP termination point. The configuration that terminates is becoming widespread.

With the technical background as described above, most ASPs that provide services on the Internet are small in scale, and when an authentication function is added to an application server, maintenance of the application server is considered to be a burden. In addition, when providing services with high-level authentication to contracted subscribers, the ASP side will also be responsible for adding an authentication function to the subscriber's terminal. It is even more burdensome for the ASP.

As described above, in the conventional system, there is a problem that a load on the ASP side is large when performing high-performance authentication.

Further, in the future, with regard to basic functions such as authentication, it is considered that the network configuration performed by a carrier who manages the network in the vicinity of the subscriber will become widespread. A for functions
It is necessary to establish a business form in which carriers receive commissions from SPs. However, in the conventional system, as described above, the transmission of information for high-performance authentication is performed on the application layer. It is necessary to terminate to the upper layer application layer in addition to the termination of only the data link layer performed in the vicinity of. This complicates communication control.

An object of the present invention is to solve the above problems and provide an authentication system and a user authentication method which can easily perform high-function authentication near the subscriber without terminating an application layer. It is in. Another object of the present invention is to provide a program for performing such authentication.

[0020]

In order to achieve the above object, an authentication system according to the present invention comprises a subscriber terminal capable of inputting a plurality of different specific information for specifying a user, wherein the subscriber terminal is connected to the subscriber terminal. A data link layer terminating means provided in a network to be configured and terminating a data link layer constituting a communication protocol in the network; an authentication server connected to the data link layer terminating means for performing authentication of the user; The subscriber terminal, the plurality of different specific information input, each accommodated in a different independent frame of the protocol of the data link layer, and set a different protocol identification value respectively in these independent frames The data link layer termination means transmits the data from the subscriber terminal to the network. The plurality of different specific information is selected and extracted based on the protocol identification value, and transferred as different applications to the authentication server. The authentication server relates to the plurality of different specific information of the user registered in advance. The registration information is compared with a plurality of different specific information transferred from the data link layer terminating means.

[0021] The user authentication method of the present invention is a user authentication method performed in a system in which a subscriber terminal capable of inputting a plurality of different specific information for specifying a user is connected to a predetermined network. The subscriber terminal is
The plurality of different specific information input, each accommodated in a different independent frame of the protocol of the data link layer constituting the communication protocol in the predetermined network, and set a different protocol identification value to each of these independent frames Transmitting to the predetermined network; terminating the data link layer on the subscriber terminal side in the predetermined network; and transmitting the data link layer from the subscriber terminal to the predetermined network at the data link layer termination unit. Selecting and extracting a plurality of different specific information based on the protocol identification value, and transferring the extracted specific information to an authentication server that authenticates the user, wherein the authentication server is registered in advance. Registration information on a plurality of different specific information of the user Characterized in that it comprises the step of matching the serial data link layer and a plurality of different specific information transferred from the terminal end, respectively.

According to the program of the present invention, when a plurality of different specific information for specifying a user is input, the input specific information is converted into a protocol of a data link layer constituting a communication protocol in a predetermined network. Causing the computer to execute a process of accommodating different independent frames, a process of setting predetermined different protocol identification values for the different independent frames, and a process of transmitting the different independent frames to the predetermined network. Features.

In any of the above-mentioned inventions, the plurality of different pieces of specific information are the first specific information of biometric information or ID card information capable of specifying a user, and the first specific information of ID number or password specifying a user. 2 may include the specific information.

The present invention configured as described above has the following operation.

Conventionally, in authentication (authentication) for confirming the identity of a subscriber who uses the Internet, information for highly functional authentication such as biometrics authentication is as follows. Provided at the application layer of the communication protocol. On the other hand, according to the present invention, a plurality of specific information can be accommodated and transmitted in independent frames having different data link layer protocols, respectively, so that the first specific information (biometric information or ID Card information, etc.) as well as the second specific information such as the user ID number and the password can be contained in the independent frame of the protocol of the data link layer. Therefore, the first specific information can be provided in the data link layer, and the first specific information can be taken out at the end of the data link layer. According to this configuration, it is possible for the communication carrier to centralize the authentication function in a network node owned by the communication carrier or a subscriber accommodating node secured by collocation by the ISP. The authentication can be performed at the subscriber accommodation node of the carrier. Therefore, it is not necessary for the ASP to perform an authentication operation, and it is not necessary for the ASP application server to double as the authentication server or to install a new authentication server. Further, according to the present invention, the fingerprint reader can be installed in the subscriber terminal on the carrier side, so that it is not necessary for the ASP to correspond to service contract subscribers widely distributed.

In the present invention, the first specific information (biometrics information and ID card information) and the second specific information (user ID number and password) are selected at the data link layer end based on the protocol identification value. It is possible to perform authentication at a required level for each application because it is possible to authenticate the application by extracting it to the authentication server as a different application. For example, in the case of using an e-commerce service, the second specific information (user ID number or password) and the first specific information (biometric information or I
(D card information), and in the case of simply using the information browsing service, it is possible to properly use such that only authentication based on the second specific information is performed.

[0027]

Next, embodiments of the present invention will be described with reference to the drawings.

The authentication system according to the present invention has a high-performance authentication method in a network configuration for connecting an ASP that provides a service requiring high-performance authentication such as electronic commerce and a subscriber using the ASP. Using biometric authentication, especially fingerprint authentication,
This fingerprint authentication can be performed near the subscriber.

(Embodiment 1) FIG. 1A is a schematic diagram showing a network configuration of an authentication system according to a first embodiment of the present invention, and FIG. 1B shows a protocol stack corresponding to the network configuration. It is a schematic diagram.

In the network configuration of the authentication system according to the present embodiment, a plurality of subscribers 10 are accommodated in a subscriber accommodation node 11, and this subscriber accommodation node 11 uses an authentication server (R).
ADIUS server) 12 and a first ISP (in FIG. 1,
Access point 1 of "ISP A")
3 to be connected. Here, “ISP A” is an ISP to which the subscriber 10 has subscribed, and communication from the subscriber 10 to the access point 13 is communication on the network of the communication carrier.

The access point 13 is "ISP A"
1 through an Internet backbone 15 from a second ISP ("ISP" in FIG. 1).
B) is connected to the network 16
Within this network 16, it is connected to an application server 17 provided in a data center 18 that is operated and managed by an ASP that provides various content services on the Internet. Here, “ISP B” is ASP
Is an ISP under contract.

The subscriber 10 has a subscriber terminal 20 provided with a fingerprint reader 21, and this subscriber terminal 20
It is connected to the subscriber accommodation node 11 via a subscriber line 19 such as N. The fingerprint reader 21 is a known fingerprint reader. The subscriber terminal 20 is a known information processing device such as a personal computer, and has a user ID
The fingerprint information of the subscriber input by the fingerprint reader 21 together with the authentication information of the number and the password can be transmitted using the protocol of the data link layer. The subscriber accommodating node 11 is terminated with a data link layer protocol compatible with PPP, can extract the user ID number and password authentication information sent from the subscriber terminal 20, and supports the PPP. The fingerprint information for the fingerprint authentication which has been impossible can be taken out. Authentication server 12, networks 14-16,
Since the application server 17 is substantially the same as that shown in FIGS. 12A and 13A,
Here, the detailed description is omitted.

When using the Internet service with fingerprint authentication (for example, electronic commerce), the subscriber 10
On the subscriber terminal 20 provided with the fingerprint reader 21, the user's fingerprint data is input together with the user ID number and the password. These authentication information are transmitted using a data link layer protocol.

The authentication information transmitted from the subscriber terminal 20 is transmitted to the subscriber accommodation node 11 of the communication carrier through the subscriber line 19 owned by the communication carrier, and is extracted from the subscriber accommodation node 11 respectively. Each piece of authentication information extracted by the subscriber accommodation node 11 is a transport layer protocol, UDP (User
It is sent to the authentication server 12 located in the carrier's network using Datagram Protocol). The authentication server 12 collates the received authentication information with authentication information of individual subscribers stored in advance. By this comparison, the authentication server 12 authenticates each subscriber, and notifies the subscriber accommodation node 11 of the result. When the authentication is established, the subscriber accommodating node 11 transmits a signal from the subscriber 10 to the access point 13 of the contracted party “ISP A” using the IP of the network layer protocol.

In the case of “ISP A”, when the ASP application server specified by the subscriber 10 is connected to the company network 14, the ASP application server is connected to the subscriber 10. When the application server of the ASP specified by the subscriber 10 is connected to the network 16 of the other company “ISP A”, the communication path of the subscriber 10 once passes through the Internet backbone 15 to the “ISP B”. It is connected to a network 16 and further connected to an application server 17 within the network 16.

The service provided by the ASP application server 17 is usually Java (Sun Microsystem).
s, Inc. (registered trademark).
By launching an Internet browser (browsing software) compatible with ava and connecting to an ASP access server, the provided service can be executed. Most of the personal computers currently on the market are already equipped with an Internet browser compatible with Java, and as long as such a personal computer is used as a subscriber terminal, a new service is required to receive the service provided by the ASP. There is no need to implement an Internet browser.

FIG. 2A is a schematic diagram showing a protocol format of a data link layer in the authentication system shown in FIG. 1, and FIG. 2B is a schematic diagram showing a PPP format. Since the protocol of the data link layer shown in FIG. 2A is based on the PPP format, the format of the PPP will be described first.
"P" section.

As shown in FIG. 2B, the section between the flags (7Eh) is recognized as one frame in the PPP data link frame. The inside of a PPP data link frame is roughly divided into a part for storing a protocol datagram and a part for storing control information. The protocol accommodated in the part accommodating the datagram of the protocol can be roughly divided into three types: a network layer protocol, a network control protocol, and a data link layer control protocol. A protocol field is provided in the control information to display a value for identifying a contained protocol. For example, in a datagram, CHAP (Chal
When the information of the Length Handshake Authentication Protocol is accommodated, the protocol identification value is set to “C223”. CHAP is a data link control protocol and is used for authentication using a user ID number and a password. The information transmitted by the CHAP is stored in the authentication server 1 after the PPP is terminated in the subscriber accommodation node 11.
2

In the case of an IP datagram which is a protocol of the network layer, the protocol identification value is “002”.
1 ". After the PPP is terminated, the IP datagram is carried on the data link layer (L2) of the network and transferred in the network.

For the other control information areas, the addresses and controls are fixed values and can be omitted. FCS
Is a frame inspection sequence from the address to the portion containing the datagram, and normally uses "CRC-16".

In the authentication system of the present embodiment, FIG.
The information for fingerprint authentication is transmitted as a datagram using the same format as the data link frame of PPP shown in (b). At this time, as for the identification value of the protocol, an unused value “C001” is assigned as a value when transmitting information for fingerprint authentication in PPP.

FIG. 3 is a block diagram showing a schematic configuration of the subscriber accommodation node and the subscriber terminal shown in FIG. This subscriber accommodation node 11 has a node modem 11a connected to a subscriber modem 20a of a subscriber terminal 20 via a subscriber line 19, and a data link layer termination circuit 11b provided with a protocol identification value recognition circuit 11c. . The subscriber terminal 20 includes a CPU 20b. Under the control of the CPU 20b, input of fingerprint data from the fingerprint reader 21 and transmission / reception of data via the subscriber modem 20a are performed.

The subscriber 10 captures his / her own fingerprint with the fingerprint reader 21. The captured fingerprint information is transmitted from the fingerprint reader 21 to the subscriber terminal 20. In the subscriber terminal 20, the CPU 20b accommodates the fingerprint information in the frame of the protocol of the data link layer, and joins in the same manner as the information (CHAP information) for authentication by the user ID number and the password or the frame in which the IP datagram is accommodated. To the modem 20a. The CHAP information, the information for fingerprint authentication, and the IP datagram are contained in independent frames. The frame containing the CHAP information has a protocol identification value “C223”, and the frame containing the information for fingerprint authentication has a Protocol identification value "C
001 "and a protocol identification value" 0021 "are set in the frame containing the IP datagram.

The subscriber modem 20a communicates with the node modem 11a using the communication protocol of the subscriber line 19,
Information for fingerprint authentication transmitted from the subscriber terminal 20, CH
AP information, IP datagram, etc.
Send to The node modem 11a demodulates a signal according to the communication protocol of the subscriber line 19, and inputs the demodulated signal to a protocol identification value recognition circuit 11c inside the data link layer terminating circuit 11b.

The protocol identification value recognition circuit 11c reads the protocol identification value set in the format of the data link layer, and selects and outputs information for fingerprint authentication, CHAP information, IP datagram, and the like. Among these, the IP datagram is transferred in the carrier network toward the designated ISP access point, and the CHAP information and the information for fingerprint authentication are UDP.
Authentication server 1 as a separate application using
2 is sent.

The authentication server 12 performs a first authentication operation using the user ID number and the password included in the CHAP information, and further performs a second authentication operation using the information for fingerprint authentication. Only when the subscriber is authenticated by the operation, it is recognized as the principal.

When CHAP is used for authentication of a user ID number and a password as in this example, the authentication operation is performed periodically during communication. In this example, the information contained in the frame of the protocol of the data link layer is:
Although three types of CHAP information, information for fingerprint authentication, and IP datagram have been described as examples, other information necessary for configuring a network is also accommodated in a frame in which a protocol identification value assigned by RFC 1700 is set. You.

The accommodation of the data link layer protocol such as the CHAP information, the information for fingerprint authentication, and the IP datagram in the frame is performed by the CPU 20b according to a program prepared in advance.
It may be stored in a storage device built in the subscriber terminal 20, or may be provided via the Internet. Furthermore, as shown in FIG. 4, this program may be provided by being stored in a recording medium 50. Here, the recording medium 50 may be a magnetic disk, a semiconductor memory, or another recording medium. In any case, by reading the provided program, the CPU 20b reads the input user ID number and password information and the fingerprint information (other biometric information may be used) according to the protocol of the data link layer. , A process of setting different specific protocol identification values to these different independent frames, and a process of sending these independent frames to the network. If the user ID number and password information are not required, the CPU 20
b, processing for accommodating the input biometric information in the independent frame of the protocol of the data link layer, processing for setting a specific protocol identification value in the independent frame, and processing for transmitting the independent frame on the network. Execute

In the authentication system of the present embodiment described above, the authentication using the user ID number and the password and the fingerprint authentication are performed in the common authentication server 12, but the authentication server for performing each authentication is connected to the network. May be arranged at different positions.

Although fingerprint authentication is used as a highly functional authentication method, biometrics authentication of other voiceprints, retinas, and the like, as well as authentication using a user ID card and authentication using handwriting such as a signature are performed. Is also good. In the case of a user ID card, specific information stored in the ID card is taken into the subscriber terminal, and the specific information is used for user authentication.

Further, an information reading device such as a fingerprint reader for high-performance authentication may be incorporated in the subscriber terminal.

Further, a value other than "C001" may be used as the protocol identification value when accommodating information for high-performance authentication as long as it does not overlap with other protocol identification values.

In the present embodiment, the end of the data link layer is the subscriber accommodation node. However, it may be located at other places, for example, immediately before the access aggregator, edge router, or ISP access point.

(Embodiment 2) FIG. 5A is a schematic diagram showing a network configuration of an authentication system according to a second embodiment of the present invention, and FIG. 5B shows a protocol stack corresponding to the network configuration. It is a schematic diagram.

The network configuration of the authentication system according to the present embodiment is such that the ISP provides a high-performance authentication service to an ASP or the like.
The configuration is almost the same as the network configuration shown in FIG. 1A except that the configuration is different from that of FIG. “ISP A”, which intends to provide a sophisticated authentication service, collocates network equipment in the subscriber accommodation node 11 of the communication carrier and accommodates subscriber signals in its own network 14. Here, the colocation is also referred to as a housing service, and is a service in which a communication carrier having a facility equipped with line facilities allows a customer such as an ISP to install a communication device in a company's own facility.

In the authentication system of this embodiment, as in the case of the first embodiment, the subscriber terminal 10
, The information for fingerprint authentication, the IP datagram, etc. are accommodated in the frame of the protocol of the data link layer, and a unique protocol identification value is set and transmitted to the subscriber accommodation node 11.

The subscriber accommodating node 11 is owned by the communication carrier.
A communication device of “ISP A” is installed, and a signal transmitted by a subscriber from a subscriber line of a communication carrier is transmitted to “ISP A”.
A "can be received. The data link layer protocol is terminated in the communication device owned by “ISP A”, and the CHAP information and the information for fingerprint authentication are “I
The information is sent to the authentication server 12 owned by “ISP A” in the network 14 of “SP A”, and the authentication server 12 performs an authentication operation.

The signal of the subscriber who has been authenticated by the authentication server 12 is sent to the network 1 of "ISP A".
4 and forwarded to the specified destination. If the designated destination is subscribed to another “ISP B”, the subscriber signal is transferred to the “ISP B” network 16 via the Internet backbone 15.

Next, the specific configuration and operation of the subscriber accommodation node shown in FIG. 5A will be described.

FIG. 6 is a block diagram showing a configuration example of the subscriber accommodation node shown in FIG. In FIG. 6, the subscriber accommodation node 11 is an MDF (Main Distribut).
ion Frame: Main switchboard 30, POI (Point of Interf)
ace) 31, a subscriber line concentrator circuit 32, and a data link layer terminating circuit 33. The connection mode in the subscriber accommodation node 11 is a form called an MDF connection, and the MDF 30 in the subscriber accommodation node 11 returns the subscriber line to connect to the subscriber line concentrator circuit 32 owned by “ISP A”. Has become. The signal from the subscriber 10 is input to the data link layer terminating circuit 33 connected to the network 14 after being collected by the subscriber concentrator circuit 32.
CHAP information (user ID number and password) and information for fingerprint authentication are transferred from the data link layer terminating circuit 33 to the authentication server 12 arranged in the network 14, and the IP datagram is transferred to the data link layer terminating circuit 3.
3 to the network 14. In this example, the POI 31 which is a connection point between the communication carrier and “ISP A” is used.
Are located between the MDF 30 and the subscriber line concentrator circuit 32.

FIG. 7 is a block diagram showing another configuration example of the subscriber accommodation node shown in FIG. In FIG. 7, the subscriber accommodation node 11 is the same as that shown in FIG.
It comprises an MDF 30, a POI 31, a subscriber line concentrator circuit 32, and a data link layer termination circuit 33. The communication carrier has the subscriber line concentrator circuit 32, and "ISP A" has the data link layer termination circuit 33. In this case, PO
I31 is placed between the subscriber line concentrator circuit 32 and the data link layer termination circuit 33.

In the case of this example, similarly to the case shown in FIG.
The signal from the subscriber 10 is input to the data link layer terminating circuit 33 connected to the network 14 after being collected by the subscriber concentrator circuit 32. CHAP information (User I
D number and password) and information for fingerprint authentication
The IP datagram is transferred from the data link layer terminating circuit 33 to the authentication server 12 located in the network 14, and the IP datagram is transmitted from the data link layer terminating circuit 33 to the network 14
Transferred to within.

In the present embodiment described above, similarly to the case of the first embodiment, the common authentication server 1 is used.
In step 2, the authentication of the user ID number and the password and the authentication of the fingerprint are performed, but the authentication servers for performing the respective authentications may be arranged at different positions on the network.

Although the fingerprint authentication is used as a highly functional authentication method, the configuration of the present embodiment is also effective when other biometric authentication such as voiceprint and retina, authentication using a user ID card, and the like are used.

An information reading device for high-performance authentication such as a fingerprint reader may be incorporated in the subscriber terminal.

A protocol identification value other than "C001" when accommodating information for highly functional authentication may be used as long as it does not overlap with other protocol identification values.

Further, in this embodiment, the ISP collocates with the subscriber accommodating node to terminate the data link layer. However, other locations, for example, the access aggregator, the edge router, the collocation immediately before the ISP access point, Even in the case of the configuration described above, the configuration of this embodiment is effective.

Next, a specific use (operation) form of the authentication system of the present invention described above will be described.

FIG. 8 is a block diagram showing an example of an electronic settlement system to which the authentication system of the present invention is applied. This electronic payment system is a payment service relating to a subscriber 40, a communication carrier 41, an ISP 42 and an ASP 43, which are connected to each other on a network, and a fee for use when the subscriber 40 uses an e-commerce service provided by the ASP 43. (Collection of a fee).

Subscriber 40, communication carrier 41, ISP4
2 and the ASP 43 are connected on the network,
The authentication system as described in the above-described first embodiment is provided so that signals necessary for the service provided by the ASP 43 can be transmitted and high-performance authentication such as fingerprint authentication can be performed. That is, the subscriber terminal owned by the subscriber 40 accommodates the fingerprint information in the frame of the protocol of the data link layer and accommodates the information (CHAP information) for authentication by the user ID number and the password or the IP datagram. The communication carrier 41 is configured to transmit to the communication carrier 41 using the data link layer protocol in the same manner as the frame. Authentication servers that perform highly-functional authentication according to.

In the electronic payment system of this example, the subscriber 40
The ASP 43 has previously made a contract with the common card company 44 for payment of a fee, and the ASP 43 can collect a fee from the subscriber 40 through the card company 44 when electronic commerce is established. The card company 44 uses a high-performance authentication method such as fingerprint authentication as an authentication method at the time of collecting the fee. Only receive. According to this system, the communication carrier 41 provides high-performance authentication to the card company 44, so that the burden on the authentication to the card company 44 is reduced.

FIG. 9 is a block diagram showing another example of an electronic settlement system to which the authentication system of the present invention is applied. In this electronic payment system, similarly to the electronic payment system shown in FIG. 8, when the ASP 43 provides an electronic commerce service, the payment business is performed by interposing a card company 44 with the subscriber 40 who uses the service. Do. The difference from the electronic settlement system shown in FIG. 8 is that an authentication function providing company 45 that performs an authentication operation in place of the communication carrier 41 is provided. This authentication function providing company 45 is a card company 44
Was established jointly with the telecommunications carrier 41, and A
The authentication operation when the subscriber 40 uses the electronic commerce service provided by the SP 43 is performed. Card company 4
4 invests in the authentication function providing company 45 and outsources the authentication function and pays for it. On the other hand, the communication carrier 41
Invests in the authentication function providing company 45, and also obtains the revenue by providing the installation location of the device necessary for the authentication. Therefore,
As a whole, the cash flow associated with the authentication providing service is from the card company 44 to the communication carrier 41 through the authentication function providing company 45.

In the electronic payment system of this example, the subscriber transmits personal information required for biometrics authentication to the communication carrier 4.
For example, if the user feels uncomfortable with registering at No. 1, registration with a subsidiary of the card company can be performed with a relatively low resistance method.

FIG. 10 is a block diagram showing another example of the configuration of the electronic payment system to which the authentication system of the present invention is applied. In this electronic payment system, similarly to the electronic payment system shown in FIG. 8, when the ASP 43 provides an electronic commerce service, the payment business is performed by interposing a card company 44 with the subscriber 40 who uses the service. Do. The difference from the electronic settlement system shown in FIG.
1 is that the ISP 42 performs an authentication operation in place of 1. Therefore, in this example, the authentication system as described in the above-described second embodiment is provided so that the ISP 42 can perform high-performance authentication such as fingerprint authentication. That is, ISP
Reference numeral 42 includes a data link layer terminating circuit in its own network, and an authentication server for performing authentication using a user ID number and a password and performing high-function authentication using a fingerprint.

In the electronic payment system of this example, the card company 44 uses a sophisticated authentication method such as fingerprint authentication as an authentication method at the time of toll collection, but the authentication function itself and devices required for authentication are sent to the ISP 42. Source ISP4
2 only receives the authentication result. According to this system, the ISP 42 provides the card company 44 with high-performance authentication, so that the burden on the card company 44 regarding authentication is reduced.

FIG. 11 is a block diagram showing another example of the electronic payment system to which the authentication system of the present invention is applied.
In this electronic payment system, similarly to the electronic payment system shown in FIG. 10, when the ASP 43 provides an electronic commerce service, the payment business is performed by interposing a card company 44 with the subscriber 40 who uses the service. Do. The difference from the electronic settlement system shown in FIG. 10 is that an authentication function providing company 45 that performs an authentication operation in place of the ISP 42 is provided. This authentication function providing company 45 is a card company 44
Was co-founded with ISP42 and ASP4
Subscriber 4 to the e-commerce service provided by 3
0 performs an authentication operation at the time of use. The card company 44 invests in the authentication function providing company 45, and outsources the authentication function to pay the price. On the other hand, the ISP 42 invests in the authentication function providing company 45 and provides an installation place of the device necessary for the authentication to obtain an income. Therefore, as a whole, the cash flow associated with the authentication providing service is transferred from the card company 44 through the authentication function providing company 45 to the communication carrier 4.
It becomes a direction toward 1.

The electronic payment system of this example has a relatively low resistance of registering with a card company subsidiary when a subscriber feels reluctant to register personal information necessary for biometrics authentication in the ISP 42. There is an advantage that the method can be taken.

As described above, according to the present invention, the format of the protocol of the data link layer is compatible with PPP used by many communication carriers, and uses only a protocol identification value that is unique. Therefore, operators that provide high-performance authentication services, such as telecommunications carriers, ISPs or subsidiaries jointly invested with card companies, only need to match already installed PPP termination circuits or ready-made PPP termination circuits with the above eigenvalues. , The end of the data link layer is possible. In addition, since communication between the subscriber accommodation node and the authentication server uses UDP in the transport layer as in the case of the RADIUS server used for authentication using a user ID number and a password, both the subscriber node and the authentication server perform fingerprint authentication. Support an application layer protocol for As described above, a business providing a high-performance authentication service is expected to increase the service menu of the authentication method by only slightly improving the existing equipment, thereby increasing the profit.

In the electronic payment system shown in FIGS. 9 and 11, the authentication function providing company 45 is jointly invested by a card company and a communication carrier or an ISP. It can also be configured to be performed by the equipment vendor.

[0080]

As described above, according to the present invention,
High-functional authentication information (biometrics information and user ID card information) can be provided at the data link layer, so high-performance authentication can be easily performed near the subscriber without terminating the application layer. This can greatly reduce the burden of high-functional authentication on a provider of various content services on the Internet such as an ASP.

[Brief description of the drawings]

FIG. 1A is a schematic diagram illustrating a network configuration of an authentication system according to a first embodiment of the present invention, and FIG.
FIG. 3 is a schematic diagram showing a protocol stack corresponding to the network configuration shown in FIG.

2A is a schematic diagram showing a protocol format of a data link layer in the authentication system shown in FIG. 1, and FIG. 2B is a schematic diagram showing a PPP format.

FIG. 3 is a block diagram showing a schematic configuration of a subscriber accommodation node and a subscriber terminal shown in FIG. 1;

FIG. 4 is a diagram for explaining a recording medium applicable to the subscriber accommodation node shown in FIG.

FIG. 5A is a schematic diagram illustrating a network configuration of an authentication system according to a second embodiment of the present invention, and FIG.
FIG. 3 is a schematic diagram showing a protocol stack corresponding to the network configuration shown in FIG.

FIG. 6 is a block diagram illustrating a configuration example of a subscriber accommodation node illustrated in FIG.

FIG. 7 is a block diagram showing another configuration example of the subscriber accommodation node shown in FIG.

FIG. 8 is a block diagram showing an example of an electronic payment system to which the authentication system of the present invention is applied.

FIG. 9 is a block diagram showing another example of the electronic payment system to which the authentication system of the present invention is applied.

FIG. 10 is a block diagram showing another example of the electronic payment system to which the authentication system of the present invention is applied.

FIG. 11 is a block diagram showing another example of the electronic payment system to which the authentication system of the present invention is applied.

12A is a schematic diagram illustrating a configuration of a general network that provides an Internet service, and FIG. 12B is a schematic diagram illustrating a protocol stack corresponding to the network configuration illustrated in FIG.

13A is a schematic diagram illustrating a conventional network configuration capable of performing fingerprint authentication, and FIG. 13B is a schematic diagram illustrating a protocol stack corresponding to the network configuration illustrated in FIG.

[Explanation of symbols]

 10, 40 subscriber 11 subscriber accommodating node 11a node modem 11b, 33 data link layer terminating circuit 11c protocol identification value recognition circuit 12 authentication server 13 access point 14, 16 network 15 internet backbone 17 application server 18 data center 19 subscriber line Reference Signs List 20 subscriber terminal 20a subscriber modem 20b CPU 21 fingerprint reader 30 MDF 31 POI 32 subscriber line concentrator circuit 41 communication carrier 42 ISP 43 ASP 44 card company 45 authentication function providing company 50 recording medium

Claims (11)

[Claims] 1. A subscriber terminal capable of inputting a plurality of different specific information for specifying a user, and a data link provided in a network to which the subscriber terminal is connected and constituting a communication protocol in the network A data link layer terminating means having a layer terminated, and an authentication server connected to the data link layer terminating means for performing authentication of the user, wherein the subscriber terminal receives the plurality of different identifications The information is accommodated in different independent frames of the protocol of the data link layer, respectively, different protocol identification values are set in the independent frames, and the information is transmitted over the network. Selection of a plurality of different pieces of specific information transmitted from the terminal onto the network based on the protocol identification value The authentication server transfers the registration information as a different application to the authentication server, the registration information relating to a plurality of different specific information of the user registered in advance, and a plurality of different An authentication system characterized by collating with specific information. 2. The authentication system according to claim 1, wherein the network includes a network owned by a carrier, and the data link layer terminating means and the authentication server are arranged in the network. 3. The authentication system according to claim 1, wherein the network includes a network owned by an Internet service provider, and the data link layer terminating means and the authentication server are arranged in the network. 4. The authentication system according to claim 2, wherein the data link layer terminating means is a subscriber accommodation node accommodating a subscriber terminal. 5. The authentication system according to claim 3, wherein an application server that provides a predetermined service is connected to a network owned by the Internet service provider. 6. The plurality of different specific information includes first specific information of biometric information or ID card information capable of specifying a user, and second specific information of an ID number or password for specifying a user. The authentication system according to claim 1, wherein: 7. A user authentication method performed in a system in which a subscriber terminal capable of inputting a plurality of different specific information for specifying a user is connected to a predetermined network, the subscriber terminal comprising: The plurality of different specific information is accommodated in different independent frames of a protocol of a data link layer constituting a communication protocol in the predetermined network, and different protocol identification values are respectively set in these independent frames. Sending to a predetermined network; terminating the data link layer at the subscriber terminal side in the predetermined network, and transmitting the data link layer from the subscriber terminal to the predetermined network at the data link layer termination unit. A plurality of different pieces of specific information are sorted and taken out based on the protocol identification value. Transferring the extracted specific information to an authentication server that authenticates the user, wherein the authentication server registers registration information on a plurality of different specific information of the user registered in advance and the data link. Collating each with a plurality of different pieces of specific information transferred from the layer terminating unit. 8. The user authentication method according to claim 7, wherein the data link layer terminating unit is a subscriber accommodation node accommodating a subscriber terminal. 9. The plurality of different specific information includes first specific information of biometric information or ID card information capable of specifying a user, and second specific information of an ID number or a password specifying a user. The user authentication method according to claim 7, wherein: 10. When a plurality of different specific information for specifying a user is input, the input specific information is converted into different independent frames of a data link layer protocol constituting a communication protocol in a predetermined network. A program for causing a computer to execute: a process of storing a different protocol identification value for each of the different independent frames; and a process of transmitting the different independent frame to the predetermined network. 11. The plurality of different specific information includes first specific information of biometric information or ID card information capable of specifying a user, and second specific information of an ID number or a password specifying a user. The program according to claim 10.