JP2005339308A - Privacy management system in cooperation with biometrics, and authentication server therefor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To limit the use of the disclosed personal information of a user within an intended purpose consented by a user to receive a service provision via a network. <P>SOLUTION: An authentication server connected to a user terminal via a network is provided with a means for managing biometrics template information for personal identification and personal information for use in a service business, in independent databases and for allowing only the biometrics template information to be accessed at service provision. The authentication server is provided with a means for setting a privacy policy for each user, and a means for limiting the service for utilizing the biometrics template information and the personal information depending on the privacy policy of the user. A means is provided for accepting utilization application according to the privacy policy of the user, for the utilization other than the intended purpose. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to protection of personal information when performing personal identification and service business in a service business that collects personal information for the purpose of providing a specific service.

  The following are related arts related to the present invention.

  Patent Document 1 assumes that biometric information that is personal information of a user is encrypted, and that the encrypted biometric information is transferred to the authentication server designated by the user in a state where the network can be decrypted. The privacy of individual users is protected in a way that reflects the user's intention. In addition, an authentication log is taken by the authentication server to prevent reuse of unauthorized information. Furthermore, it is proposed that the authentication request side can confirm whether or not the authentication server has authenticated the system so that the security of the system is kept high.

JP 2000-92046 A

  However, in Patent Document 1, only security for transferring biometric information for collation used for biometric authentication via a network is maintained, and it is not intended for biometric information or personal information that is already a reference for collation. The protection against the use of is not considered, and it is not necessarily sufficient.

  In the system of the present invention, the following solution is provided for this problem so that higher security can be maintained.

  In the privacy management system linked with biometric authentication of the present invention, the identity of a user when providing a service via a network is performed by an authentication server connected to the user terminal via the network. At this time, the authentication server manages biometric authentication template information for authenticating the person by biometric authentication and personal information used for service work in an independent database, and at the time of providing the service, the biometric authentication template information Restrict access to only. Here, the independent database may be composed of, for example, a plurality of hard disks that are physically separated and can be managed by separating access, or may be composed of one hard disk that can be managed by separating the areas. Also good.

  The authentication server of the present invention has means for setting a privacy policy for each user, and limits services that use biometric template information and personal information according to the user's privacy policy. In addition, by setting a privacy policy for each user, services that are used for purposes other than the intended purpose are limited according to the privacy policy of the user. Furthermore, by setting a privacy policy for each user, the device security level of the device to be connected is authenticated according to the user's privacy policy, the purpose of use is authenticated, and authentication using biometric authentication template information and personal information I will provide a.

  In the present invention, personal information and biometric authentication template information are individually managed by an independent DB, so that only the biometric authentication template information DB for authentication and only the personal information DB for business conform to the privacy policy of each user. In addition, the registered biometric template information and personal information are not directly linked, and the individual is not identified by only the biometric template information, and privacy can be maintained.

Embodiments of the present invention will be described in the following order.
(1) System configuration
(2) Processing flow,
(3) database,
(4) Functional configuration of authentication server,
(5) Service server functional configuration,
(6) Another system configuration, and (7) Processing flow when issuing a temporary identification number.

(1) System Configuration FIG. 1 is a block diagram showing the configuration of the privacy management system of the present invention.

  This system includes an authentication server 110, a plurality of service servers 120a, ---, a plurality of user terminals 130a, ---, and a plurality of service terminals 140a, one of the service providing devices, on the network 100. A plurality of service business terminals 150a, one of other service providing devices, are connected to each other.

  The authentication server 110 has a personal information database (hereinafter referred to as DB) 111 for each user, a privacy policy DB 112 for each user, and a biometric template information DB 113, and is added to each authentication process. 114 and a server device 116 having a personal information provision log 115 to be added each time personal information is presented.

  The service servers 120a, --- are configured by a server authority 126 having a service authority DB 121 that defines the services that each user can receive and a service log 122 that is added each time a service is provided to each user. .

  Each user receives a service via a user terminal 130a connected to the authentication server 110, the service server 120a, --- by the network 100, or a service terminal 140a, --- dedicated to a specific service. . In the present invention, prior to using the system, it is necessary to register the purpose of use of biometric authentication in the privacy policy DB 112 of the authentication server 110 via the user terminal 130a. As a result, when it is desired to receive a service in accordance with the purpose of use of biometric authentication, the user terminal 130a, --- or the service terminal 140a --- dedicated to a specific service, which is one of the service providing devices, The authentication server 110 can receive a service after authenticating the user.

  The service business terminal 150a, which is one of the other service providing devices, is a terminal that performs a business necessary for providing a service business. For example, it is a terminal that performs business processing such as charging a user for a certain service. For example, if the service business terminal 150a, --- is a business that charges the user for the service price, it obtains an unprocessed log from the service log 122 of the service server 120a, --- The personal information of the user's identification number is requested to the authentication server 110, and under the approval of the authentication server 110, such information is received and business (for example, billing) is performed. The authentication server 110 checks whether or not the service business terminal that requested the personal information matches the privacy policy of the user, and provides the necessary personal information only if it matches.

  In this way, since the authentication server 110 individually manages personal information and biometric authentication template information using independent DBs, only the biometric authentication template information DB 113 is used for authentication, and only the personal information DB 111 is used for each user during business. Therefore, the registered biometric template information and personal information are not directly linked, and the individual is not identified by only the biometric template information, and privacy can be maintained.

  The authentication server 110, the plurality of service servers 120a, ---, the plurality of user terminals 130a, ---, the plurality of service terminals 140a, --- and the plurality of service business terminals 150a, --- A more detailed configuration and a program to be held by a computer will be described later with reference to FIGS. 11A and 11B, which is representative of the authentication server 110.

(2) Processing Flow A processing flow in the privacy management system of the present invention will be described. Here, an authentication service providing flow when providing a service after confirming with an authorized user will be described first, and then a business flow using personal information in a regular purpose job of the service will be described.

  FIG. 2 is a diagram showing a sequence flow when providing an authentication service.

  When a user requests a service from the service terminal 140a to the service server 120a (step 201), if the requested service is a service that requires identity verification, the service server 120a requests an authentication from the service terminal 140a (step 202). . The service terminal 140a sends the service ID to be used and the user ID to the authentication server 110 (step 205). The authentication server 110 determines whether the service for which the authentication request is made in step 201 is a use service within the purpose set in the privacy policy DB 112 of the user whose ID is the authentication target of the authentication request, or uses the service ID. (Step 206). If device authentication is required with the service terminal according to the privacy policy, device authentication is performed (step 207). It is determined whether the privacy policy is met (step 208). If they match, the process proceeds to Step 210, and if they do not match, the process proceeds to Step 209, NG information is notified to the service terminal, and the process ends.

  In step 210, the authentication server requests verification information from the service terminal. The service terminal collects verification information (step 211) and transmits the verification information to the authentication server. In the authentication server, the biometric authentication template information of the corresponding ID is checked and it is determined whether or not the threshold value is exceeded (step 215). If the evaluation result is equal to or greater than the threshold value, go to step 221; if the evaluation result is less than the threshold value, increment the contents of the counter (the number of trials) that were continuously less than the threshold value by 1 (step 216). The process proceeds to step 217. In step 217, if the counter content is within the set number of times, that is, if the number of times (the number of trials) that was continuously less than the threshold value for this service request is within the set number of times, the process proceeds to step 218. If the set number of times is exceeded, the process proceeds to step 219. In step 218, the authentication server 110 makes a re-authentication request to the service terminal 140a, and the process returns to step 211. In step 219, the authentication process (step 216) records an NG authentication log, notifies the service terminal 140a of the authentication process NG (step 220), and ends.

  In step 221, an authentication log is recorded, and although the illustration is omitted, the content of the trial number counter is cleared to zero, the process proceeds to step 222, and the verification result and the user ID in step 215 are sent from the authentication server 110 to the service. It is sent to the service server 120a to be provided. In the service server 120a, it is confirmed whether the user of the ID has service authority (step 230). If there is authority, the process proceeds to step 234. If there is no authority, the authority NG is notified to the service terminal 140a (step 233), and the process ends. In step 234, the requested service is provided to the service terminal 140a that requested the service. At the same time, a service provision log is recorded (step 235), and the process is terminated.

  Next, processing when using personal information in a service operation will be described. FIG. 3 is a diagram showing a processing flow when using personal information in a service business. Here, the service work includes, for example, a charge for service provision to the user.

  First, the service provider requests an unprocessed log from the service business terminal 150a to the service server 120a (step 301). The service server 120a presents an unprocessed log to the service business terminal 150a (step 302) and takes a presentation record of the unprocessed log (step 303). The service business terminal 150a requests the authentication server 110 for necessary personal information corresponding to the ID of the service provision log (step 304). At this time, the service ID of the service business terminal is also notified.

  The authentication server 110 uses the user ID and service ID to confirm the user's privacy policy (step 310). If the privacy policy requires device authentication of the business terminal, authentication of the purpose of the program, and authentication of the operator of the business terminal, the respective authentication processes are performed (step 311). The authentication server 110 confirms whether or not the charge conforms to the privacy policy set by the ID user (step 312), and if it matches, proceeds to step 314 to provide personal information to the service business terminal and An information provision log is recorded (step 315). If they do not match, NG is notified to the service business terminal 150a (step 313), and the process ends.

  The service business terminal 150a performs business processing using the provided personal information (step 320). Thereafter, the service business terminal 150a notifies the service server 120a that the log ID processing has been completed (step 321). In response to this, the service terminal records in the log that the process has ended (step 322), and ends the process.

  As described above, in each process, the authentication server 110 receives only the biometric template information associated with the user identification information and its authority when receiving service provision, and performs the service business. By separating only the necessary personal information, it is possible to prevent the biometric authentication template information and the personal information from being combined, and to protect the privacy of the biometric authentication template information.

Next, a case where the user uses biometric authentication template information for an unintended use will be described. Here, the following use etc. can be considered as an example of non-purpose use.
(I) Accuracy evaluation for the purpose of confirming the security level,
(Ii) tuning authentication algorithm;
(Iii) Investigation / analysis of biometric template information of a specific ID that can be a security hole, and
(Iv) Crime investigation (especially in the case of fingerprint authentication).

  Further, similarly to biometric authentication template information, use of personal information for other purposes such as new service use or temporary use purpose is also conceivable. In the privacy management system of the present invention, the following processing flow is taken similarly to biometric authentication template information.

  Here, a flow for applying for unintended use in the privacy management system of the present invention will be described first, and then a processing flow for permit / deny for an application for unintended use will be described.

  FIG. 4 is a diagram showing an application process flow for non-purpose use in the privacy management system of the present invention.

  The authentication server 110 receives a use application from an unintended terminal (for example, the service business terminal 150a) (step 401). This is, for example, an authentication request for biometric template information or a personal information request. In this case, as a matter of course, an unintended terminal makes a use application by presenting information such as a requested user ID, a purpose of use, a type of requested information, a person in charge of managing information, and the like. The authentication server 110 confirms the privacy policy of the requested user ID (step 411). If device authentication of the requesting terminal is required according to the privacy policy, the security level of the terminal that received the request or the program of the terminal is authenticated (step 412). The security policy of the requesting terminal is verified (step 413), and if it matches, the process proceeds to step 415. If they do not match, the personal information presentation NG is notified to an unintended terminal, and the process is terminated (step 414).

  If the security policy of the requesting terminal matches, the authentication server 110 notifies the user whose ID has been applied for use (step 415). This notification is to notify the application contents of the unintended use by e-mail or the like (step 416). Notify level etc. Following this, it is registered in the processing waiting item list of the user (step 417) and the processing is terminated.

  FIG. 5 is a diagram showing a processing flow of permission / rejection by a user for an unintended use application.

  When the user confirms the notification of unintended use by the notification in step 416 of the authentication server 110 described above in the user terminal 130a (step 501), the permission ID for the use of unintended use is started and the use of the case ID waiting for the unintended process and the use The user ID is notified to the authentication server 110 (step 502).

  Upon receiving the notification in step 502, the authentication server 110 confirms the privacy policy for unintended use of the user ID (step 510). If device authentication is required in the privacy policy, the authentication server authenticates the user's terminal (step 511). It is determined whether or not the terminal matches the policy (step 512). If the terminal matches, the process proceeds to step 514. If not matched, NG is returned to the user terminal as step 513, and the process is terminated.

  In step 514, the authentication server 110 reads the user's case from the list of cases waiting to be processed, and transmits the case information for the user to confirm (step 515).

  The user terminal 130a displays the content of the transmitted item information on the display device of the terminal and shows it to the user (step 516). The user inputs permission / rejection information for unintended use with respect to the case information displayed on the display device of the user terminal 130a, using the input device of the user terminal 130a. Furthermore, the user terminal 130a collects verification information for identity verification (step 517). The user terminal 130a sends to the authentication server 110 information on whether to permit or reject the use of the collected collation information and personal information or biometric authentication template information for a purpose other than the purpose input by the user (step). 518).

  The authentication server 110 performs user (biometric) authentication based on the collation information obtained in step 518 in order to confirm whether or not the user who sent the permission / rejection information is the person himself / herself (step 519). If the authentication in step 519 is OK, the information for permitting / rejecting the disclosure of personal information or biometric template information to the non-target terminal that has applied for the use is determined according to the permission or non-permission of the user. Notification is made together with the service ID (step 520). If the authentication in step 519 is NG, NG is notified to the user terminal 130a, and the process is terminated (step 521). Further, it is determined whether or not the authentication in step 519 permits the use for the purpose (step 522). If the authentication is permitted, the use of the service ID is added to the policy (step 523). finish. If it is not permitted, do nothing and end the process.

  Here, the permission information includes (1) permission, (2) permission for a certain period, and (3) permission for a certain number of times. Correspondingly, the policy information for the permitted service is set at the same time (see the item numbers 1024-1035 of the policy database 112 shown in FIG. 8).

  As can be seen from this flow, it becomes a system that can flexibly respond to unintended use by requesting permission from each user, and by complying with the procedure, users can feel secure. Can be given. Further, since the data manager can also confirm the user authentication, the personal information can be managed appropriately. Further, the modification of the policy database can be restricted only when there is user authentication.

(3) Database The authentication server 110 of the privacy management system of the present invention manages setting information of the user personal information DB 111, biometric authentication template information DB 113, and privacy policy DB 112. The contents of these data will be described.

  FIG. 6 is a diagram illustrating a configuration example of data in the personal information DB 111. Here, each user has a user identification number 601, a user name 602, a user address 603, a user telephone number 604, a user mail address 605, and the like. These pieces of information are encrypted and managed, and are decrypted and provided as needed for intended use requests. As a result, personal information can be managed more safely.

  FIG. 7 is a diagram illustrating a configuration example of the biometric authentication template information DB 113. Here, it has the identification number 701 of the user, biometric authentication template information 702 of the user, and the like. In some cases, biometric authentication template information of a plurality of pieces of biometric information may be included.

  FIG. 8 is a diagram illustrating a configuration example of the privacy policy DB 112. The management data of the privacy policy setting information will be described with reference to FIG.

As privacy policy setting information, the identification number of each user is set from the following three viewpoints.
(I) Settings related to authentication using biometric authentication template information;
(Ii) settings for each service and service server;
(Iii) Settings related to the business terminal of each service.

First, the following information is set for each user identification number (1001) as a setting for authentication using biometric authentication template information:
Encryption of biometric template information (1011): yes, no, etc.
Encryption key management (1012): The user manages the encryption key of 1011, manages with an authentication server, or deposits with a third party, etc.
Number of trials of biometric authentication (1013): up to n times, etc.
Biometric authentication service (1014): Service A, Service B, etc.
Restriction of terminal for collecting biometric information for biometric authentication (1015): only user terminal, service terminal OK for use, arbitrary terminal OK, etc.
Restriction of device for performing biometric authentication (1016): Only authentication server, acceptable for each user terminal, acceptable for service server, etc.

Next, the following information is set for each user identification number as a setting for each service and each service server that provides the service:
Service service identification number (1021) of the service server,
Biometric template information disclosure (1022): OK, NG, etc.
Authentication level (1023) for the service: threshold setting, others acceptance rate (error rate) setting, server default, etc.
Service server expiration date or number of times the service is valid (1024): 2005 or k times, etc.

Furthermore, the following information is set for each user identification number as a setting for the business terminal of each service:
Service business identification number of the business terminal (1031).

Business terminal security level (1032): m or higher, etc.
Scope of personal information to be disclosed for the service (1033): name | address | TEL | e-address | credit number | bank account |
Authentication of operator operating business terminal (1034): yes, no, etc.
Service server expiration date or number of times the service is valid (1035): 2005 or k times, etc.

In addition, the following information is set for each user identification number as settings related to unintended use:
Non-purpose use terminal (1042): accept application, do not accept, etc.
Security level (1041) of the terminal / server that applied for unintended use: n or higher.

  As is apparent from FIG. 1, the authentication server 110 manages an authentication history log 114 and a personal information provision log 115 in addition to the information described above.

  FIG. 9 is a diagram illustrating a configuration example of data in the service authority DB 121 of the service server 120a. In the service authority DB 121, a user identification number 801 and service authority information 801 for the user identification number are managed for each identification number.

  FIG. 10 is a diagram illustrating a data configuration example of the service provision log 122 of the service server 120a. The service provision log 122 has a provision date and time 901, a user identification number 902, and a service content 903 that has been provided.

(4) Functional Configuration of Authentication Server 110 FIG. 11A shows a functional configuration block of the authentication server of the privacy management system of the present invention. The authentication server 110 includes a personal information management program 1121 that manages the personal information DB 111, a privacy policy management program 1122 that manages the privacy policy DB 112, a biometric template information management program 1123 that manages the biometric authentication template information DB 113, and communication of the authentication server 110. A program for controlling processing and hardware for connecting to the network 100, the user terminal 130a, ---, service server 120a, ---, service terminal 140a, ---, and service business terminal 150a via the network 100 In response to the authentication process between the communication interface 1131 that communicates with the user terminal 130a, and the user terminal 130a, the authentication request process management program 1132 that manages the authentication process, the biometric authentication template information management program With authentication log management program 1134 for managing the biometric authentication program 1133, the authentication log 114 which records the authentication result to the biometric authentication undergo more biometric template information. In addition, a personal information provision log for managing a personal information request processing management program 1141 for managing processing of personal information requests between the service business terminals 150a and ---, and a personal information provision log 115 for recording access relating to provision of personal information. The management program 1142, the user terminal 130a, ---, the service terminal 140a, ---, the service business terminal 150a, ---, and the service server 120a, --- have a terminal authentication program 1143 that performs device authentication.

The authentication server 110 described with reference to FIG. 11A is configured by an electronic computer. FIG. 11B is a block diagram displaying the functional blocks of the authentication server 110 described in FIG. 11A as the configuration of the electronic computer. Reference numeral 20 denotes a system bus. A keyboard 21 ₁ and a mouse 21 ₂ are connected to the system bus 20 as input means, and a printing means 21 ₃ and a display means 21 ₄ are connected as output means. Further, a central processing unit (CPU) 22, a memory work area 23, and a memory storage area 24 are connected to the system bus 20. Further, the network 100 is connected via the communication interface 1131, and the network 100 is connected to the authentication server 110, service server 120 a, ---, user terminal 130 a, ---, service terminal 140 a, ---, and service business. Terminals 150a and --- are connected.

  The various processes described above with reference to the flowchart are executed by the central processing unit (CPU) 22 by reading the necessary program and data held in the storage area 24 into the work area 23. The storage area 24 holds not only the program described with reference to FIG. 11A but also a program necessary for the operation of the electronic computer.

(5) Functional Configuration of Service Server 120a Although detailed description of the service server 120a, ---- is omitted, as with the authentication server 110, a service authority DB 121 that defines services that each user can receive, A service log 122 to be added each time a service is provided to a user and a service program for executing the flow illustrated in FIG. 3 is composed of a memory and a server device 126 having a central processing unit that can access the memory. In addition, a service program and a central processing unit for executing the flows illustrated in FIGS. 2 and 3 are included. The central processing unit performs necessary processing based on the data of the service authority DB 121 and the service log 122 according to the service program.

(6) Another System Configuration FIG. 12A shows a second system configuration of the privacy management system of the present invention. The system configuration is essentially the same as that shown in FIG. 1, and the same reference numerals are assigned to the same functions or equivalent functions.

  The system configuration shown in FIG. 12A divides the network 100 into a WAN 1240 to which the user terminals 130a and --- are connected and a LAN 1250 to which the service terminals 140a and-and the service business terminals 150a and-are connected. The first gateway GW 1230 and the second gateway GW 1230 are connected in series between them. Further, the authentication server 110 is divided into a first authentication server 110-1 and a second authentication server 110-2, and the first authentication server 110-1 is connected to a connection point between the first gateway GW 1230 and the second gateway GW 1230. The second authentication server 110-2 is connected to the LAN 1250. The service servers 120a and --- are connected to the LAN 1250.

  The separated first authentication server 110-1 manages only biometric authentication biometric template information and a privacy policy related to authentication, and the separated second authentication server 110-2 functions as a personal information server. Therefore, the privacy policy DB 112 is also divided into a policy 1 DB 112-1 and a policy 2 DB 112-2, a privacy policy related to authentication is stored in the policy 1 DB 112-1, and a privacy policy related to personal information is stored in the policy 2DB 112-2. The biometric authentication template information DB 113 and the authentication log 114 are provided in the first authentication server 110-1. Similarly, the personal information DB 111 and the personal information provision log 115 are provided in the second authentication server 110-2.

  The first gateway GW 1230 is set so that the signal flow from the WAN 1240 to the LAN 1250 is limited only to the user terminal 130a, --- to the authentication server 110-1. Further, the signal flow from the LAN 1250 to the WAN 1240 is set so as to be limited only to the service terminal 120a, --- to the user terminal 130a, ---. The second gateway GW 1230 is set so that the signal flow from the WAN 1240 to the LAN 1250 is limited to only the service from the authentication server 110-1 to the service server 120a. Further, the signal flow from the LAN 1250 to the WAN 1240 is set so as to be limited only to the service terminal 120a, --- to the user terminal 130a, ---. The flow of these signals is indicated by bold lines in the figure.

  Thus, by separately managing personal information and biometric authentication template information and controlling the flow of information by the gateway, access to the biometric authentication template information from the service business terminal can be restricted. In addition, it is possible to reduce the threat of access from WAN for personal information.

  FIGS. 12B and 12C show specific configuration examples of the first authentication server 110-1 and the second authentication server 110-2 in the system configuration of FIG. 12A in the same manner as FIG. 11B. Elements having the same or equivalent functions as those in FIGS. 12A and 11B are denoted by the same reference numerals. As is clear from comparison with FIG. 12A, the information DB and the processing program are divided and arranged according to the purpose of each server. Details of the operation are the same as those in FIG.

(7) Processing Flow for Issuing Temporary Identification Number In the privacy management system linked with the biometric authentication of the present invention, the user ID is not required when the service server does not confirm the authority. In such a case, there is no problem even if the user ID provided from the authentication server to the service server is presented as a temporary ID. At this time, the temporary ID and the user ID are recorded in the authentication log of the authentication server, and the authentication server confirms the authentication log for the temporary ID for which the personal information is requested by the service business terminal. The personal information of ID can be provided to the service business terminal.

  By using such a temporary ID, it is not possible to trace the usage status based on the ID, and there is an effect that an operation with more privacy can be performed.

  INDUSTRIAL APPLICABILITY The present invention can be used when confirming the identity of a user in a system that provides a service via a network.

It is a block diagram of the whole system explaining the Example of this invention. It is an example of the processing flow of user authentication at the time of the service utilization in the Example of this invention. It is an example of the processing flow of the personal information request | requirement in the service service within the objective in the Example of this invention. It is an example of the processing flow at the time of applying for utilization of personal information and biometrics template information other than the objective in the Example of this invention. It is an example of the processing flow at the time of performing use permission / denial of a user regarding unintended use in the Example of this invention. It is an example of the data structure of the database of the personal information managed with the authentication server in the Example of this invention. It is an example of the data structure of the biometrics template information database managed with the authentication server in the Example of this invention. It is an example of the data structure of the setting database of the privacy policy managed by the authentication server in the Example of this invention. It is a figure which shows the structural example of the data of the service authority DB121 which the service server 120a has. It is an example of the data structure of the service provision log managed by the service server in the Example of this invention. It is a figure which shows the functional block of the authentication server in the Example of this invention. It is the block diagram which displayed the functional block of the authentication server 110 demonstrated in FIG. 11A as a structure of an electronic computer. It is a figure which shows the 2nd system configuration | structure of the privacy management system of this invention. It is a figure which shows the specific structural example of the 1st authentication server 110-1 in the system configuration | structure of FIG. 12A. It is a figure which shows the specific structural example of the 2nd authentication server 110-2 in the system configuration | structure of FIG. 12A.

Explanation of symbols

20 ... system bus 21 ... keyboard ₂₁ 1, 21 2 _... mouse, 21 3 _... printing means, 21 4 _... display unit, 22 ... central processing unit (CPU), 23 ... work area of memory, 24 ... storage area of the memory 24, 100 ... Network, 110 ... Authentication server, 120a ... Service server, 130a ... User terminal, 140a ... Service terminal, 150a ... Service business terminal, 111 ... Personal information database, 112 ... Privacy policy setting database, 113 ... Biometric authentication Template information database, 114 ... authentication log, 115 ... personal information provision log, 116, 126 ... server device, 121 ... authority database, 122 ... service log, 1311, ... communication interface.

Claims (18)

An authentication server connected to a service providing device that executes a predetermined service and a user terminal via a network,
A personal information database of users,
The personal information database is a user biometric authentication template database that is accessed independently;
Managed by a user ID for each user and having a user privacy policy database storing the purpose of use of the biometric template database;
Based on the service ID specifying the service content issued by the service providing device and the user ID transmitted from the user terminal, it is confirmed whether the set of the service ID and the user ID is registered in the privacy policy. And an authentication server that is capable of accessing the personal information database or the privacy policy database when registered.   The authentication server according to claim 1, wherein the privacy policy data of the user can be set according to an identification number for each user in response to a request from the user terminal.   3. The authentication server according to claim 2, wherein in the setting of the privacy policy data of the user, the personal information is encrypted according to the privacy policy of the user, and is decrypted and provided only for the purpose set by the user.   The authentication server according to claim 2, wherein an authentication function is provided only for an intended service in accordance with a user's privacy policy in setting the user's privacy policy data.   Accepting an application for disclosure of the personal information of another user for use outside the purpose of the user's privacy policy, and if the user who is the policy setter approves, The authentication server according to claim 4 which provides information.   6. The purpose of the privacy policy corresponding to the disclosure application is added to the privacy policy data when the user who is the policy setter approves the disclosure application of personal information for the use other than the purpose. Authentication server.   When the user's privacy policy data is a request for device authentication at a security level of a service business terminal that is one of the service providing devices that request personal information, the device authentication at the security level is executed. The authentication server according to claim 1, which provides personal information after confirming that the security level is at a predetermined level.   The authentication server according to claim 1, wherein the privacy policy data of the user has items that limit a user terminal that permits a request for identity verification and a request for identity verification. A privacy management system that can be applied to a system that includes an authentication server, a service server, a user terminal, and a service providing device connected to a network and that can transmit and receive data between the server and the terminal.
The authentication server comprises a user personal information database, a user biometric template database, an authentication log, a personal information provision log, a user privacy policy database, an authentication request processing management program, and a personal information request processing management program. A computer comprising a memory and a central processing unit capable of accessing the memory;
The service server has a service authority database that defines services that each user can receive, a service log that is added each time a service is provided to each user, a memory that includes a service program for the service, and an access to the memory. A computer with a central processing unit,
The authentication server manages the user's personal information data, the user's biometric authentication template data, and the user's privacy policy data with an identification number for each user, and uses the user's personal information database and the user's personal information database. It is assumed that the central processing unit accesses the person's biometric authentication template database independently of the person's biometric authentication template database. The central processing unit uses the biometric template data at the time of service use and personal information data at the time of service work. A privacy management system that performs processing for personal information requests used after confirming the purpose set in the privacy policy.   The authentication server presents the user ID provided to the service server as an ID to be temporarily used when the service server does not confirm the authority for the service requested by the user. The ID and the user ID are recorded in the authentication log of the authentication server, and the user ID is confirmed by checking the authentication log against the temporary ID for which personal information is requested by the service business terminal which is one of the service providing devices. The privacy management system according to claim 9, wherein the personal information is provided to a service business terminal.   The privacy management system according to claim 9, wherein the user privacy policy data can be set according to an identification number for each user by the central processing unit upon receiving a request from a user terminal.   12. The privacy management system according to claim 11, wherein in the setting of the user's privacy policy data, the personal information is encrypted according to the user's privacy policy, and is decrypted and provided only for the purpose set by the user.   10. The privacy management system according to claim 9, wherein an authentication function is provided only for an intended service in accordance with a user's privacy policy in setting the user's privacy policy data.   Accepting an application for disclosure of the personal information of another user for use outside the purpose of the user's privacy policy, and if the user who is the policy setter approves, 14. The privacy management system according to claim 13, which provides information.   15. The purpose of the privacy policy corresponding to the disclosure application is added to the privacy policy data when a user who is a policy setter approves the disclosure application of personal information for the use other than the purpose. Privacy management system.   When the user's privacy policy data is a request for device authentication at a security level of a service business terminal that is one of the service providing devices that request personal information, the central processing unit is a device at a security level. 10. The privacy management system according to claim 9, wherein personal information is provided after executing authentication to confirm that the security level is at a predetermined level.   The privacy management system according to claim 9, wherein the user privacy policy data includes a user terminal that permits a request for identity verification and an item that restricts the request for identity verification. A user terminal connected to the first network, a service server, a personal information server, and a service providing device connected to the second network, and the first and second connected in series between the networks. A privacy management system in which an authentication server is connected to a connection point of the first and second gateways while being connected by a gateway,
The authentication server includes a user biometric template database and authentication log, a privacy policy database related to the user biometric template data, a memory including an authentication request processing management program, and a central processing unit that can access the memory. A calculator,
The personal information server includes: a user personal information database; a personal information provision log; a privacy policy database related to user personal information data; a memory including a personal information request processing management program; and a central processing unit capable of accessing the memory. Equipped with a calculator,
The service server has a service authority database that defines services that each user can receive, a service log that is added each time a service is provided to each user, a memory that includes a service program for the service, and an access to the memory. A computer with a central processing unit,
The authentication server manages the biometric authentication template data of the user and the privacy policy data related to the biometric authentication template data of the user with an identification number for each user, and the central processing unit performs biometric authentication when using the service. Execute identity verification processing using template data after confirming the purpose set in the privacy policy,
The personal information server manages the user's personal information data and privacy policy data related to the user's personal information data with an identification number for each user, and the central processing unit manages the user's personal information when using the service. Execute the information confirmation process after confirming the purpose set in the privacy policy,
The first gateway only allows a signal flow from the first network to which the user terminal is connected to the authentication server, and the second gateway allows a signal flow from the authentication server to the service server. The first gateway and the second gateway connected in series allow only a signal flow from the service server to the user terminal,
A privacy management system characterized by this.

Images