JP2009020783A - Authentication system and authentication method using noncontact ic and personal digital assistant - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication method which can be used irrespective of a receiving status of an electric wave of a personal digital assistant and can perform authentication a plurality of times in a short time. <P>SOLUTION: This authentication system comprises: an information terminal equipped with an online service server and a noncontact IC chip reader/writer; and a personal digital assistant which is equipped with an authentication server, a noncontact IC chip and an authentication client and generates authentication information. This system is provided with: a means wherein an information terminal performs need determination of a terminal user authentication and determines whether the authentication is needed or not, performs authentication of terminal user by executing a terminal user authentication means, generates when the determination is success, authentication information based on the information read from the noncontact IC chip, writes generated authentication information in the noncontact IC chip, and ends an authentication client; and a means wherein the information terminal transmits the authentication information to the online service server, while reading authentication information from the noncontact IC chip through the noncontact IC reader/writer. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an authentication system and an authentication method in various online service systems.

Conventionally, authentication using an ID and a fixed password has been widely used for online service authentication. However, authentication with a fixed password means that if an ID and password are stolen and used by a third party, it cannot be checked for access by an unauthorized user, and the user can easily be impersonated. There's a problem.
Also, with fixed password authentication, brute force attacks are prevented by periodically changing the password used for authentication, but such frequent password changes place a heavy burden on users. There is.

Therefore, as a method for enhancing the security of authentication and reducing the burden on the user's password management, a technique using a portable information terminal owned by the user has been proposed.
For example, in Patent Document 1, in an arrangement in which an online service server, an information terminal, a portable information terminal, and a portable information terminal company mail server are connected via the Internet, an online service server responds to an authentication request from the information terminal. Generate a one-time password that can be used only once for a specified time in response to an authentication request, create an email with the generated one-time password, and send the email to the user's By sending the one-time password written in the email received by the user to the mobile information terminal and entering the information terminal instead of the conventional fixed password, the information terminal sends the one-time password to the online service server, A technique for performing authentication is disclosed.

  Patent Document 2 discloses an authentication request from an information terminal in a configuration in which an online service server and an information terminal are connected via the Internet, and the online service server is connected to a portable information terminal via a public telephone line. On the other hand, the online service server calls the portable information terminal, and the user receives the call at the portable information terminal, inputs personal identification information such as a personal identification number into the portable information terminal, and the portable information terminal A technique is disclosed in which authentication is performed by transmitting input identity verification information to an online service server via a public telephone line.

According to these conventional technologies, it is possible to construct a mechanism in which only a user who owns a portable information terminal in which an e-mail address or a telephone number is registered in advance can be authenticated. Security can be strengthened.
Furthermore, the user of the authentication system can use the authentication system without having to remember the password or change it periodically.

JP 2005-209083 JP 2006-33780 Sumitomo Mitsui Banking Corporation Help for changing the Internet banking password (http://www.smbc.co.jp/kojin/direct/ib/help/help_anshouhenko.html#02)

However, the prior art has the following problems.
First, the authentication system cannot be used depending on the radio wave reception status of the portable information terminal. In the prior art, there is a possibility that the acquisition of authentication information at the mobile information terminal may be delayed or fail in places where radio waves of the mobile information terminal are difficult to reach, such as underground or in buildings.
Secondly, the operation burden on the user's terminal is large, and it is difficult to execute authentication multiple times in a short time. In the prior art, the user needs to operate the portable information terminal every time authentication is performed. For example, in the prior art described in Patent Document 1, it is necessary to read a received mail by operating a mailer of a portable information terminal every time authentication is performed. In the prior art described in Patent Document 2, a telephone call must be received every time authentication is performed. Furthermore, in the case of Patent Document 1, the user must input the one-time password by operating the information terminal while looking at the portable information terminal, which also increases the user's terminal operation burden.

In recent years, some of the online service sites that require advanced security, such as Internet banking, include the password used to log in to the online service site when providing important services such as account transfer and changing the maximum amount of money to be handled. In addition, there is one that requires password authentication for each transaction (see Non-Patent Document 1).
When strengthening the security of an online service site that requires authentication for each transaction, the prior art takes time to operate the terminal, and thus the convenience of the online service may be greatly impaired.

  An object of the present invention is to provide an authentication system and an authentication method that can be used regardless of the radio wave reception status of a portable information terminal and that can perform a plurality of authentications in a short time with a simple operation. .

In order to achieve the above object, an invention according to claim 1 is provided with an online service server that provides an online service and a non-contact IC chip reader / writer, and provides the online service by transmitting service request contents to the online service server. Receiving information terminal,
An authentication server that performs processing related to authentication of service request contents in the online service;
An authentication system comprising a portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, and generating authentication information used for authenticating the content of the service request. And
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Generate random number information and authentication client activation code, encrypt service request contents and random number information, generate MAC-added encryption information with MAC added, divide the encryption information with MAC, and split encrypted information with MAC A Generating encrypted information B with divided MAC, and transmitting the authentication client activation code, encrypted information A with divided MAC, and encrypted information B with divided MAC to the online service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Means for displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Means for writing the encrypted MAC-added encryption information A and transmitting the authentication client activation code including the divided MAC-added encryption information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combines information B to generate cryptographic information with MAC, performs MAC authentication and decryption of the cryptographic information with MAC, acquires service request contents and random number information, and authentication information based on the acquired service request contents and random number information A service request content confirmation screen including the service request content, receiving the operation of the user's portable information terminal, writing the generated authentication information to the non-contact IC chip, and terminating the authentication client; ,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and transmitting authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

The invention according to claim 2 is an online service server that provides an online service;
An information terminal comprising a non-contact IC chip reader / writer, transmitting service request contents to the online service server to receive provision of the online service, an authentication server performing processing relating to authentication of the service request contents in the online service, and the information terminal It is composed of a portable information terminal possessed by a user who receives an online service, having a non-contact IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authenticating service request contents Authentication system,
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Generate random number information and authentication client activation code, encrypt service request contents and random number information, generate MAC-added encryption information with MAC added, divide the encryption information with MAC, and split encrypted information with MAC A Generating encrypted information B with divided MAC, and transmitting the authentication client activation code, encrypted information A with divided MAC, and encrypted information B with divided MAC to the online service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Means for displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Means for writing the encrypted MAC-added encryption information A and transmitting the authentication client activation code including the divided MAC-added encryption information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with information B to generate encrypted information with MAC, perform MAC authentication and decryption of encrypted information with MAC, obtain service request contents and random number information, and use terminal using pre-stored identity verification information The terminal user authentication is performed by executing the user authentication means, and when the terminal user authentication is determined to be successful, authentication information is generated based on the acquired service request content and random number information, and the service request content Display the service request content confirmation screen including the received authentication information generated in response to the user's operation on the portable information terminal. Inclusive can, and the means to end the authentication client,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and transmitting authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

According to a third aspect of the present invention, there is provided an online service server for providing an online service, a non-contact IC chip reader / writer, an information terminal for transmitting the service request contents to the online service server and receiving the online service, An authentication server that performs processing related to the authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication system composed of a portable information terminal that generates authentication information used for content authentication,
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Random number information, authentication client activation code, and terminal user authentication determination information are generated, service request contents, random number information, and terminal user authentication determination information are encrypted to generate encrypted information with MAC to which MAC is added, and with the MAC The encryption information is divided to generate divided MAC-attached encryption information A and divided MAC-attached encryption information B, and the authentication service activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B are sent to the online service server. Means for transmitting to,
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Means for displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Means for writing the encrypted MAC-added encryption information A and transmitting the authentication client activation code including the divided MAC-added encryption information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with the information B, generates encrypted information with MAC, performs MAC authentication and decryption of the encrypted information with MAC, acquires service request contents, random number information, and terminal user authentication determination information, and acquires terminal user authentication determination information To determine the necessity of the terminal user authentication by executing the terminal user authentication necessity determining means, and when the necessity determination is determined to be unnecessary, and the necessity determination is necessary. The terminal user authentication is performed by executing the terminal user authentication means using the identity verification information that is determined and stored in advance, and the terminal user authentication is performed. Authentication information is generated based on the acquired service request content and random number information, a service request content confirmation screen including the service request content is displayed, and an operation of the user's portable information terminal is received. Means for writing the generated authentication information to the non-contact IC chip and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and transmitting authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

According to a fourth aspect of the present invention, there is provided an online service server for providing an online service, a non-contact IC chip reader / writer, an information terminal for transmitting the service request content to the online service server and receiving the online service, An authentication server that performs processing related to the authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication system composed of a portable information terminal that generates authentication information used for content authentication,
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Random number information, authentication client activation code and terminal user authentication determination information are generated, and terminal user authentication necessity determination means is executed using the terminal user authentication determination information, thereby determining the necessity of terminal user authentication. To obtain the result of the necessity determination as a terminal user authentication request flag, encrypt the service request content, random number information, and the terminal user authentication request flag, and generate encrypted information with MAC to which the MAC is added, The encryption information with MAC is divided to generate the encryption information A with divided MAC and the encryption information B with divided MAC, and the authentication client activation code, the encryption information A with divided MAC, and the encryption information B with divided MAC are online. Means for sending to the service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Means for displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Means for writing the encrypted MAC-added encryption information A and transmitting the authentication client activation code including the divided MAC-added encryption information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with the information B, generates encrypted information with MAC, performs MAC authentication and decryption of the encrypted information with MAC, obtains service request contents, random number information, and a terminal user authentication request flag, and acquires a terminal user authentication request flag Is not necessary, and the terminal user authentication request flag read from the non-contact IC chip is necessary, and the terminal user authentication means is executed by using the pre-stored personal identification information. If the terminal user authentication is performed and the terminal user authentication is determined to be successful, the authentication information based on the acquired service request content and random number information And it generates and displays a service request content confirmation screen including the service request content, by receiving the operation of the user of the portable information terminal writes the generated authentication information to the contactless IC chip, and means for terminating the authentication client,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and transmitting authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

  According to a fifth aspect of the present invention, in the authentication system according to any one of the third and fourth aspects, the terminal user authentication determination information is a login included in a service request content transmitted together with the authentication request by the information terminal. The terminal user authentication necessity determining means is a determination flag, and the login determination flag acquired as the terminal user authentication determination information is a value indicating that a request other than login to the online service is requested as the service request content. In this case, it is determined that the execution result of the terminal user authentication necessity determination means is unnecessary, and the login determination flag acquired as the terminal user authentication determination information indicates that the login to the online service is requested as the service request content. In the case of the indicated value, the execution result of the terminal user authentication necessity determining means is determined to be necessary.

  According to a sixth aspect of the present invention, in the authentication system according to any one of the third and fourth aspects, the terminal user authentication determination information includes random number information used as an argument when generating authentication information. The time generated by the server, and the terminal user authentication necessity determination means generates a random number acquired as terminal user authentication determination information when the mobile information terminal generates the authentication information immediately before the authentication request being processed. The time difference between the time and the random number generation time acquired as the terminal user authentication determination information is calculated, and when the calculated time difference is less than the time difference predetermined in the authentication system, the terminal user authentication necessity determination means The execution result of the terminal user authentication necessity determination means is determined to be necessary when the calculated time difference is greater than or equal to the time difference predetermined in the authentication system. The features.

  The invention according to claim 7 is the authentication system according to any one of claims 3 and 4, wherein the terminal user authentication determination information is a transaction included in a service request content transmitted together with the authentication request by the information terminal. The terminal user authentication necessity determination means determines the terminal user authentication necessity when the transaction amount acquired as the terminal user authentication determination information is less than the amount predetermined in the authentication system. When the transaction amount acquired as the terminal user authentication determination information is greater than or equal to the amount determined in advance in the authentication system, the execution result of the terminal user authentication necessity determination unit is determined. It is determined that it is necessary.

  The invention according to claim 8 is the authentication system according to any one of claims 3 and 4, wherein the terminal user authentication determination information is a transaction included in a service request content transmitted by the information terminal together with the authentication request. Amount of money and customer information, and history information of service request contents executed by the user before the authentication request being processed, and the terminal user authentication necessity determination means is the transaction amount acquired as the terminal user authentication determination information Service request contents acquired as terminal user authentication determination information, if the customer information is higher or lower than the amount determined in advance in the authentication system, and the customer information acquired as terminal user authentication determination information The result of the terminal user authentication necessity determination means is made unnecessary or unnecessary by the combination of the condition determination that it is included or not included in the history information Characterized in that it constant.

The invention according to claim 9 is the authentication system according to any one of claims 2 to 8, wherein the terminal user authentication means executed by the authentication client prompts the user to input identification information and is input When the personal identification information matches the personal identification information stored in advance in the portable information terminal, the terminal user authentication is determined to be successful.
The invention described in claim 10 is the authentication system according to any one of claims 2-9, wherein the personal identification information is a personal identification number.
The invention described in claim 11 is the authentication system according to any one of claims 2-9, wherein the identity verification information is position information.
The invention described in claim 12 is the authentication system according to any one of claims 2-9, wherein the personal identification information is biometric information of a user.
The invention according to claim 13 is the authentication system according to any one of claims 1 to 12, wherein the authentication information is a one-time password.
The invention according to claim 14 is the authentication system according to any one of claims 1 to 12, wherein the authentication information is a digital signature.

The invention according to claim 15 is an online service server that provides an online service;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
Authentication in an authentication system comprised of a portable information terminal possessed by a user who receives an online service at the information terminal and comprising a non-contact IC chip and an authentication client, and generating authentication information used for authentication of service request contents A method,
The information terminal is
Transmitting service request content to the online service server together with an authentication request;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Generate random number information and authentication client activation code, encrypt service request contents and random number information, generate MAC-added encryption information with MAC added, divide the encryption information with MAC, and split encrypted information with MAC A Generating the encrypted MAC-added encryption information B, and transmitting the authentication client activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B to the online service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Writing the encrypted MAC-added cryptographic information A and transmitting the authentication client activation code including the divided MAC-added cryptographic information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combines information B to generate cryptographic information with MAC, performs MAC authentication and decryption of the cryptographic information with MAC, acquires service request contents and random number information, and authentication information based on the acquired service request contents and random number information Displaying a service request content confirmation screen including the service request content, receiving the operation of the user's portable information terminal, writing the generated authentication information to the non-contact IC chip, and terminating the authentication client; ,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the service request content received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; It is characterized by providing.

An invention according to claim 16 is an online service server that provides an online service;
An information terminal comprising a non-contact IC chip reader / writer, transmitting service request contents to the online service server and receiving provision of the online service, an authentication server performing processing related to authentication of the service request contents in the online service, and the information terminal It is composed of a portable information terminal possessed by a user who receives an online service, having a non-contact IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of service request contents An authentication method in an authentication system,
The information terminal is
Transmitting service request content to the online service server together with an authentication request;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Generate random number information and authentication client activation code, encrypt service request contents and random number information, generate MAC-added encryption information with MAC added, divide the encryption information with MAC, and split encrypted information with MAC A Generating the encrypted MAC-added encryption information B, and transmitting the authentication client activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B to the online service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Writing the encrypted MAC-added cryptographic information A and transmitting the authentication client activation code including the divided MAC-added cryptographic information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with information B to generate encrypted information with MAC, perform MAC authentication and decryption of encrypted information with MAC, obtain service request contents and random number information, and use terminal using pre-stored identity verification information The terminal user authentication is performed by executing the user authentication means, and when the terminal user authentication is determined to be successful, authentication information is generated based on the acquired service request content and random number information, and the service request content Display the service request content confirmation screen including the received authentication information generated in response to the user's operation on the portable information terminal. Inclusive can, and the step to end the authentication client,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the service request content received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; It is characterized by providing.

The invention described in claim 17 includes an online service server that provides online service, a non-contact IC chip reader / writer, an information terminal that transmits service request contents to the online service server and receives online service, An authentication server that performs processing related to the authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication method in an authentication system configured with a portable information terminal that generates authentication information used for content authentication,
The information terminal is
Transmitting service request content to the online service server together with an authentication request;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Random number information, authentication client activation code, and terminal user authentication determination information are generated, service request contents, random number information, and terminal user authentication determination information are encrypted to generate encrypted information with MAC to which MAC is added, and with the MAC The encryption information is divided to generate divided MAC-attached encryption information A and divided MAC-attached encryption information B, and the authentication service activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B are sent to the online service server. Sending to
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Writing the encrypted MAC-added cryptographic information A and transmitting the authentication client activation code including the divided MAC-added cryptographic information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with the information B, generates encrypted information with MAC, performs MAC authentication and decryption of the encrypted information with MAC, acquires service request contents, random number information, and terminal user authentication determination information, and acquires terminal user authentication determination information To determine the necessity of the terminal user authentication by executing the terminal user authentication necessity determining means, and when the necessity determination is determined to be unnecessary, and the necessity determination is necessary. The terminal user authentication is performed by executing the terminal user authentication means using the identity verification information that is determined and stored in advance, and the terminal user authentication is performed. Authentication information is generated based on the acquired service request content and random number information, a service request content confirmation screen including the service request content is displayed, and an operation of the user's portable information terminal is received. Writing the generated authentication information into the non-contact IC chip and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

An invention according to claim 18 is provided with an online service server that provides online services, a non-contact IC chip reader / writer, an information terminal that transmits service request contents to the online service server and receives provision of online services, An authentication server that performs processing related to the authentication of service request contents in a service, and a user who receives an online service at the information terminal, includes a contactless IC chip and an authentication client, stores personal identification information in advance, An authentication method in an authentication system configured with a portable information terminal that generates authentication information used for content authentication,
The information terminal is
Transmitting service request content to the online service server together with an authentication request;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Random number information, authentication client activation code and terminal user authentication determination information are generated, and terminal user authentication necessity determination means is executed using the terminal user authentication determination information, thereby determining the necessity of terminal user authentication. To obtain the result of the necessity determination as a terminal user authentication request flag, encrypt the service request content, random number information, and the terminal user authentication request flag, and generate encrypted information with MAC to which the MAC is added, The encryption information with MAC is divided to generate the encryption information A with divided MAC and the encryption information B with divided MAC, and the authentication client activation code, the encryption information A with divided MAC, and the encryption information B with divided MAC are online. Sending to the service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Writing the encrypted MAC-added cryptographic information A and transmitting the authentication client activation code including the divided MAC-added cryptographic information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with the information B, generates encrypted information with MAC, performs MAC authentication and decryption of the encrypted information with MAC, obtains service request contents, random number information, and a terminal user authentication request flag, and acquires a terminal user authentication request flag Is not necessary, and the terminal user authentication request flag read from the non-contact IC chip is necessary, and the terminal user authentication means is executed by using the pre-stored personal identification information. If the terminal user authentication is performed and the terminal user authentication is determined to be successful, the authentication information based on the acquired service request content and random number information And it generates the steps of displaying a service request content confirmation screen including the service request content, by receiving the operation of the user of the portable information terminal writes the generated authentication information to the contactless IC chip, and ends the authentication client,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. Features.

  According to a nineteenth aspect of the present invention, in the authentication method according to any one of the seventeenth and eighteenth aspects, the terminal user authentication determination information is a login included in a service request content transmitted together with the authentication request by the information terminal. The terminal user authentication necessity determining means is a determination flag, and the login determination flag acquired as the terminal user authentication determination information is a value indicating that a request other than login to the online service is requested as the service request content. In this case, it is determined that the execution result of the terminal user authentication necessity determination means is unnecessary, and the login determination flag acquired as the terminal user authentication determination information indicates that the login to the online service is requested as the service request content. In the case of the indicated value, the execution result of the terminal user authentication necessity determining means is determined to be necessary.

  According to a twentieth aspect of the present invention, in the authentication method according to any one of the seventeenth and eighteenth aspects, the terminal user authentication determination information includes random number information used as an argument when generating authentication information. The time generated by the server, and the terminal user authentication necessity determination means generates a random number acquired as terminal user authentication determination information when the mobile information terminal generates the authentication information immediately before the authentication request being processed. The time difference between the time and the random number generation time acquired as the terminal user authentication determination information is calculated, and when the calculated time difference is less than the time difference predetermined in the authentication system, the terminal user authentication necessity determination means The execution result of the terminal user authentication necessity determination means is determined to be necessary when the calculated time difference is greater than or equal to the time difference predetermined in the authentication system. And wherein the door.

  The invention according to claim 21 is the authentication method according to any one of claims 17 and 18, wherein the terminal user authentication determination information is a transaction included in a service request content transmitted by the information terminal together with the authentication request. The terminal user authentication necessity determination means determines the terminal user authentication necessity when the transaction amount acquired as the terminal user authentication determination information is less than the amount predetermined in the authentication system. When the transaction amount acquired as the terminal user authentication determination information is greater than or equal to the amount determined in advance in the authentication system, the execution result of the terminal user authentication necessity determination unit is determined. It is determined that it is necessary.

  According to a twenty-second aspect of the present invention, in the authentication method according to the seventeenth and eighteenth aspects, the terminal user authentication determination information is a transaction included in a service request content transmitted together with the authentication request by the information terminal. Amount of money and customer information, and history information of service request contents executed by the user before the authentication request being processed, and the terminal user authentication necessity determination means is the transaction amount acquired as the terminal user authentication determination information Service request contents acquired as terminal user authentication determination information, if the customer information is higher or lower than the amount determined in advance in the authentication system, and the customer information acquired as terminal user authentication determination information The result of the terminal user authentication necessity determination means is necessary or unnecessary depending on the combination of the condition determination that it is included or not included in the history information And judging.

According to the present invention, the user can use the authentication system regardless of the radio wave reception status of the portable information terminal.
Also, as long as the user places the portable information terminal within a distance that can be read and written by the non-contact IC reader / writer, the user can operate the information terminal without operating the portable information terminal. An authentication system capable of starting an authentication client necessary for generating information and inputting the generated authentication information to an information terminal can be provided. As a result, the user can authenticate a plurality of times in a short time with a simpler operation than the prior art.
In addition, by introducing a mechanism for determining the necessity of terminal user authentication for portable information terminals, the risk of unauthorized use of the authentication system by a third party who is not a regular user is minimized. This can be prevented simply by requesting an operation burden.

Hereinafter, an authentication system and an authentication method according to an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is an overall configuration diagram of an authentication system according to an embodiment of the present invention.
First, the configuration of the authentication system will be described below.
The authentication system of the present embodiment has a configuration in which an information terminal 101, an online service server 103, and an authentication server 104 are connected via a communication network 105 such as the Internet.
Further, the information terminal 101 is connected to a non-contact IC chip reader / writer 106 (shown in the figure and hereinafter referred to as non-contact ICR / W). The contactless ICR / W 106 is an information device that performs contactless communication with the portable information terminal 102.
The information terminal 101 includes at least an online service client 107.
The information terminal 101 is, for example, a personal computer (PC) owned by a user of an online service.
The portable information terminal 102 includes at least a non-contact IC chip 108 and an authentication client 109. The mobile information terminal 102 is, for example, a mobile phone owned by an online service user.

FIG. 2 is a functional block diagram showing the configuration of the information terminal 101.
The online service client 209 in this figure is the same as the online service client 107 shown in FIG.
The information terminal 101 includes a CPU 201 that executes and executes a program, an input unit 202 that inputs commands and data, an output unit 203 that outputs a system state, a memory 204 that loads programs and data, A non-contact ICR / W connection unit 205 that connects the contact ICR / W, a communication processing unit 206 that establishes a connection with another communication device, an online service client 209, and a non-contact ICR / W control program 210 are stored. A storage unit 207 is connected by a bus 208.

The non-contact ICR / W connection unit 205 is a connection port for connecting the non-contact ICR / W 106 to the information terminal 101. For example, when the non-contact ICR / W is provided as an external connection device of the information terminal, the USB In the case where the non-contact ICR / W is provided as a function built in the information terminal in advance, the connection port is mounted on an electronic board such as a motherboard.
The online service client 209 has a function of transmitting information input by the user through the input unit 202 to the online service server 103 and a function of presenting information received from the online service server 103 to the user through the output unit 203. Software.
The online service client 209 is, for example, a browser.
The non-contact ICR / W control program 210 is a program that realizes a function of transmitting information read / write requests to the non-contact IC chip 108 and an authentication client activation code for activating the authentication client 109 to the portable information terminal 102.
Here, the authentication client activation code is information including the address of the authentication client 109 in the storage unit of the portable information terminal 102, a secret code necessary for activation, and an activation parameter which is an argument referred to by the authentication client after activation.
The non-contact ICR / W control program 210 is a plug-in that extends the function of the online service client or a program provided as one of the functions of the online service client.

FIG. 3 is a functional block diagram showing the configuration of the portable information terminal 102.
In addition, the non-contact IC chip 305 and the authentication client 310 in this figure are the same as the non-contact IC chip 108 and the authentication client 109 shown in FIG. 1, respectively.
The portable information terminal 102 includes a CPU 301 that executes a program and an operation, an input unit 302 that inputs a command and data, an output unit 303 that outputs a system state and the like, a memory 304 that loads a program and data, Authentication client 310 including non-contact IC chip 305 that stores divided MAC-added encryption information A308 and authentication information 309, terminal user authentication necessity determination program 313, and terminal user authentication program 314, and non-contact The IC chip control program 311 and the storage unit 306 that stores the personal identification information 312 are connected via a bus 307.
The input unit 302 is a keyboard, camera, microphone, position information acquisition means such as GPS, and a biometric information input device such as a fingerprint, an iris, a retina pattern, and a vein pattern.
The non-contact IC chip 305 is an IC chip that supports non-contact communication. In addition to reading / writing information from an external information device via the non-contact ICR / W 106, reading / writing information from software installed in the portable information terminal 102 It is also possible IC chip.
The non-contact IC chip 305 is, for example, a FeliCa (registered trademark) chip.

The encrypted MAC-added encryption information A308 is a piece of encryption information with MAC generated by the authentication server encrypting service request contents, terminal user authentication determination information, and random number information, and adding MAC (Message Authentication Code) thereto. Part. The authentication server divides the byte string of the encrypted information with MAC into two to generate divided encrypted information with MAC A and encrypted information B with divided MAC.
Here, the service request content is the operation content such as login to the online service requested by the user, the transaction content such as merchandise sales and bank transfer, etc., and when the authentication with this authentication system is successful, This is information regarding the content of the service provided by the online service server 103. In addition, the service request content includes a login determination flag for determining whether the service content requested by the user is a login to the online service site or a service other than login such as merchandise sales or bank transfer. Shall.
The terminal user authentication determination information is information used as an argument of the terminal user authentication necessity determination program 313.
The random number information is information used as one of arguments when generating the authentication information 309 in the processing of the authentication client 310, and is a random byte string generated by, for example, a pseudo random number program.

  Note that the encrypted information with divided MAC A is transmitted from the information terminal to the portable information terminal by writing to the non-contact IC chip, but the encrypted information with divided MAC B is an activation parameter included in the authentication client activation code, It is transmitted from the information terminal to the portable information terminal. The divided MAC-attached encryption information A written in the non-contact IC chip can be referred to regardless of whether the authentication client is activated, while the divided MAC-attached encryption information B sent by the authentication client activation code is: Reference is possible only while the authentication client is running. In other words, when the execution of the authentication client is finished, it is impossible to read the decrypted MAC-attached encryption information from the portable information terminal. With this mechanism, in this authentication system, when the user loses the portable information terminal, the risk of leakage of the user's personal information and authentication information from the lost terminal is reduced.

The authentication information 309 is information that is generated in the authentication client 310 based on random number information, service request contents, and key information described later, and is information used for authentication processing in the authentication server 104.
The authentication information 309 is, for example, a one-time password or a digital signature.
The authentication client 310 is portable information terminal software distributed by a provider that provides an online service or a provider that operates an authentication server.
The non-contact IC chip control program 311 receives a read / write request from the non-contact ICR / W 106 to the non-contact IC chip 305 and reads / writes information in the non-contact IC chip, or an authentication client from the non-contact ICR / W 106 A program having a function of receiving an activation code and activating the authentication client 310.
The non-contact IC chip control program 311 is a program distributed together with an authentication client by an operator that provides an online service or an operator that operates an authentication server, or provided as one of the functions of the authentication client.
The identity verification information 312 is information used as an argument of the terminal user authentication program 314.
The personal identification information 312 is, for example, secret information such as a personal identification number and position information that only the owner of the portable information terminal knows, and biometric information of the owner of the portable information terminal such as a fingerprint, an iris, a retina pattern, and a vein pattern. It is.

Hereinafter, the operation of the authentication system according to the present embodiment will be described with reference to FIGS.
Note that the present embodiment described below exemplifies processing from when a user logs in to online banking and completing the account transfer procedure. The user receives authentication using this system at the time of login and at the time of account transfer execution. In this embodiment, terminal user authentication is performed when the service request content requested by the user is login, and terminal user authentication is omitted when the procedure is other than login, such as transfer. Explains.
The operation of the authentication system according to the present embodiment is roughly divided into three operations: an authentication information generation preparation process, an authentication information generation process, and an authentication process.

FIG. 4 is a diagram showing an operation flow of the authentication information generation preparation process.
The authentication information generation preparation process is executed with the transmission of the authentication request from the online service client 107.
FIG. 5 is a diagram showing an operation flow of the authentication information generation process of the authentication system.
The authentication information generation process is executed when the user presses an authentication information generation button displayed on the online service client 107 by executing the authentication information generation preparation process.
FIG. 6 is a diagram showing an operation flow of the authentication process of the authentication system.
The authentication process includes the authentication information displayed on the online service client 107 by executing the authentication information generation preparation process after the user presses the service request content confirmation button displayed on the authentication client 109 by executing the authentication information generating process. This is executed when the user presses the send button.

First, the initial state of the authentication system will be described below.
The portable information terminal owned by the user of the online service stores the data listed below in the storage unit 306.
・ Common key K
・ Secret key SK
The authentication server 104 stores data listed below for each online service user.
・ User ID
・ Common key K
・ Public key PK
However, the secret key SK and the public key PK are information necessary only when a digital signature is used as the authentication information 309, and are not necessary when a one-time password is used as the authentication information.

The common key K is key information generated and issued by the authentication server for each user of the online service. The generation of the encryption information with MAC in the authentication server 104 and the MAC of the encryption information with MAC in the authentication client 109 Key information used for authentication and decryption.
The secret key SK and the public key PK are a pair of key information based on public key cryptography generated and issued by the authentication server 104 for each user of the online service, and the secret key SK is a digital signature at the authentication client. The public key PK is key information used for verification of the digital signature in the authentication server 104.

As an example of a procedure for configuring the initial state described above, an initial setting procedure of the authentication client 109 will be described below.
A business provider that provides an online service or a business that operates an authentication server distributes a user ID and a fixed password together when distributing the authentication client 109 to a user of the online service.
The user accesses the initial setting site prepared in the authentication server 104 from the online service client 107, logs in with the user ID and the fixed password, and transmits an initial setting request for the authentication client 109 to the authentication server 104. .

In response to the initial setting request, the authentication server 104 generates a common key K, a secret key SK, and a public key PK, and transmits the common key K and the secret key SK to the online service client 107. At this time, the authentication server 104 stores the common key K and the public key PK in association with the user ID.
The online service client 107 transmits the common key K and the secret key SK to the portable information terminal 102 using contactless communication.

The portable information terminal 102 stores the received common key K and secret key SK in the storage unit 306.
The initial setting procedure has been described above.
In the above procedure, when the portable information terminal 102 can be connected to the communication network 105 and can access the initial setting site, an initial setting request is transmitted from the portable information terminal to the initial setting site. The mobile information terminal may receive the common key K and the secret key SK without going through.
In addition, after completing the initial setting procedure, the user ends the execution of the authentication client, if necessary, after displaying personal identification information such as a personal identification number, location information, or biometric information, or a service request content confirmation screen described later. The time until is input and stored in the storage unit 306.

First, the operation flow of the authentication information generation preparation process of the authentication system will be described with reference to FIG.
In FIG. 4, the online service client 107 transmits an authentication request including the user ID and the service request content to the online service server 103 in accordance with the operation of the information terminal by the user (step 401).
The online service server 103 transmits the received authentication request to the authentication server 104 (step 402).

When the authentication server 104 receives the authentication request including the user ID and the service request content, the authentication server 104 generates random number information (step 403).
The authentication server 104 acquires the login determination flag of the service request content received in step 403 as terminal user authentication determination information (step 404).
First, the authentication server 104 refers to the user ID acquired in step 403 and acquires the common key K associated with the user ID and stored in the authentication server.
Then, the service request content, the terminal user authentication determination information, and the random number information are encrypted with the common key K, and further the MAC is added to generate the encryption information with the MAC (step 405).

The authentication server 104 divides the byte string of the encryption information with MAC generated in Step 405 into two, and generates divided MAC-added encryption information A308 and divided MAC-added encryption information B (Step 406). Note that the division algorithm is shared in advance by the authentication server and the authentication client.
The authentication server 104 first generates an authentication client activation code using the encrypted information B with the divided MAC as an activation parameter. Then, the authentication client activation code, the encrypted MAC-added encryption information A, and the service request content are transmitted to the online service server 103 (step 407).

When the online service server 103 receives the authentication client activation code including the divided MAC-attached encryption information B, the divided MAC-attached encryption information A, and the service request content, the contactless IC chip executed by the contactless ICR / W control program 210 An authentication client operation screen display code incorporating the reader / writer control code is generated and transmitted to the online service client 107 (step 408).
Here, the authentication client operation screen display code is, for example, an HTML code incorporating a non-contact IC chip reader / writer control code.
The non-contact IC chip reader / writer control code includes an authentication client activation code, a request to write the encrypted MAC-added encrypted information A to the non-contact IC chip, and a request to read the authentication information 309 from the non-contact IC chip. This is a code for realizing the function of transmitting to the portable information terminal 102.

When receiving the authentication client operation screen display code, the online service client 107 displays the authentication client operation screen shown in FIG. Here, the authentication client operation screen 801 shown in FIG. 8 is an example of a screen displayed when the service request content is login to online banking. An authentication client operation screen 1101 shown in FIG. 11 is an example of a screen displayed when the service request content is an account transfer procedure (step 408).
Each of the authentication client operation screens 801 and 1101 includes at least a service request content display unit 802 or 1102, an authentication information generation button 803 or 1103, and an authentication information transmission button 804 or 1104.

When the authentication information generation button is pressed, the non-contact IC chip reader / writer control code incorporated in step 408 is executed, the authentication client activation code including the encrypted information B with the divided MAC, and the encrypted information with the divided MAC A button for transmitting a write request to the non-contact IC chip 305 of A to the portable information terminal 102.
When the authentication information transmission button is pressed, the non-contact IC chip reader / writer control code incorporated in step 408 is executed, the authentication information 309 is read from the non-contact IC chip 305, and the read authentication information is displayed online. This is a button for transmitting to the service server 103.

Next, the operation flow of the authentication information generation process will be described with reference to FIG.
After confirming the authentication client operation screen displayed on the information terminal 101 in the authentication information generation preparation process, the user places the portable information terminal 102 within the communicable range of the non-contact ICR / W 106 and presses the authentication information generation button.
When the authentication information generation button is pressed, the online service client 107 writes the divided MAC-added encrypted information A308 to the non-contact IC chip 305, and further uses the divided MAC-added encrypted information B as an activation parameter. The authentication client 310 is activated. (Step 501).

Details of the processing in step 501 are shown below.
When the authentication information generation button 803 is pressed, the online service client sends a request to write the encrypted information with divided MAC A and an authentication client activation code with the encrypted information B with divided MAC as an activation parameter to the portable information terminal. To the non-contact IC chip control program 311.
When the non-contact IC chip control program 311 receives the write request for the encrypted information A with divided MAC, the non-contact IC chip control program 311 writes the encrypted information A with divided MAC to the non-contact IC chip. Further, when the authentication client activation code is received, the authentication client is activated, and the encrypted MAC-added information B with the divided MAC is passed to the authentication client as an activation parameter.

The authentication client 109 reads the encrypted MAC-attached encryption information A308 from the non-contact IC chip and acquires it in the memory. The encrypted MAC-added encryption information B is read from the activation parameter of the authentication client activation code and acquired in the memory. (Step 502).
The authentication client 109 combines the divided MAC-attached encryption information A and the divided MAC-attached encryption information B acquired in step 502 to generate the encryption information with MAC. The encryption information with MAC generated here is the same as the encryption information with MAC generated by the authentication server in step 405 (step 503).

The authentication client 109 first reads the common key K stored in the storage unit 306 and acquires it in the memory. Then, using the common key K, MAC authentication and decryption of the encryption information with MAC are performed. If either MAC authentication or decryption fails, a message indicating the failure is displayed and the execution of the authentication client is immediately terminated.
If the MAC authentication and decryption are successful, the service request contents, terminal user authentication determination information, and random number information are acquired in the memory, and the process proceeds to step 505 (step 504).
The authentication client 109 executes the terminal user authentication necessity determination program 313 using the terminal user authentication determination information as an argument, and acquires a terminal user authentication request flag as an execution result (step 505).
If the value of the terminal user authentication request flag is “unnecessary”, the authentication client 109 proceeds to step 508. If the value of the terminal user authentication request flag is “necessary”, the terminal user authentication program 314 is executed, the terminal user authentication result is acquired as the execution result, and the process proceeds to step 507 (step 506).

Here, the operation of the terminal user authentication program 314 will be described with reference to FIG.
The terminal user authentication program 314 displays a terminal user authentication screen 901 illustrated in FIG. 9, asks for input of identity verification information from the input unit 302 of the portable information terminal 102, and the entered identity verification information is stored in advance. This is a program for determining whether or not it matches the personal identification information 312 stored in the storage unit 306.
If the identity verification information matches, the terminal user authentication is determined to be successful, and “success” is determined as the terminal user authentication result. If the identity verification information does not match, the terminal user authentication is determined to be unsuccessful. Return “No” as the terminal user authentication result.
Here, FIG. 9 shows an example in which the personal identification information is a personal identification number, but when the portable information terminal 102 has an input unit for position information and biological information in the input unit 302, the personal identification information is used instead of the personal identification number. Position information or biometric information may be used as confirmation information, and input of position information or biometric information may be requested when the terminal user authentication program is executed.

If the terminal user authentication result is “No”, the authentication client 109 interrupts the authentication process and immediately ends the execution of the authentication client 109.
If the terminal user authentication result is “success”, the process proceeds to step 508 (step 507).
The authentication client 109 generates authentication information based on the service request content, random number information, and key information, and displays the service request content confirmation screen 1001 or 1201 shown in FIG. 10 or FIG. Here, a service request content confirmation screen 1001 shown in FIG. 10 is an example of a screen displayed when the service request content is a login to online banking. 12 is an example of a screen displayed when the service request content is an account transfer procedure (step 508).

Details of processing for generating authentication information in step 508 will be described below.
When a one-time password is used as authentication information, the authentication client 109 first reads the common key K stored in the storage unit 306 and acquires it in the memory.
Next, a secure hash function is executed using a byte string obtained by concatenating the common key K, service request contents, and random number information as an argument, and a hash value is acquired as an execution result.
Then, a part or all of the hash value is set as a one-time password.
When a digital signature is used as authentication information, the authentication client 109 first reads the secret key SK stored in the storage unit 306 and acquires it in the memory.
Next, a secure hash function is executed using a byte string obtained by concatenating service request contents and random number information as an argument, and a hash value is acquired as an execution result.
Then, the hash value is encrypted with the secret key SK, and the acquired byte string is used as a digital signature.

Here, the service request content confirmation screens 1001 and 1201 will be described with reference to FIGS. 10 and 12.
The service request content confirmation screens 1001 and 1201 include an authentication client service request content display unit 1002 or 1202 for displaying the service request content, a service request content confirmation button 1003 or 1203, and an authentication interruption button 1004 or 1204.
Further, on the service request content confirmation screen shown in FIGS. 10 and 12, in consideration of the convenience of the user, a message notifying the user that the generation of the authentication information has been completed, and the authentication client 109 in the subsequent step 510. A message is displayed to notify the user of the remaining time until the process is terminated.

When the user presses the service request content confirmation button, the authentication information generated in step 508 is written in the non-contact IC chip 305, and the execution of the authentication client is terminated.
The authentication interrupt button is a button that, when pressed by the user, immediately terminates the execution of the authentication client without writing the authentication information to the contactless IC chip.

When the user presses the service request content confirmation button within a predetermined time from the display of the service request content confirmation screen in step 508, the authentication client 109 writes the authentication information to the non-contact IC chip, and executes it after the writing is completed. finish. In this case, the user then proceeds to an authentication process whose operation flow is shown in FIG.
On the other hand, if the service request content confirmation button is not pressed within a certain time from step 508, or if the user presses the authentication interruption button, the authentication client 109 does not write the authentication information to the non-contact IC chip. Then, a message indicating that the authentication process has been interrupted is displayed and the execution is terminated (step 509).

If the authentication client is terminated without writing the authentication information in the non-contact IC chip, even if the user continues to execute the authentication process shown in FIG. 6, the authentication will not succeed. In order to succeed in the authentication, the user needs to re-execute the authentication information generation process from step 501.
The time from when the service request content confirmation screen is displayed until the execution of the authentication client is completed is stored in the storage unit 306 of the portable information terminal by a method in which the user inputs the authentication client 109 in advance. It shall be.

Next, the operation flow of the authentication process will be described with reference to FIG.
After the user presses the service request content confirmation button displayed on the portable information terminal 102 in the authentication information generation process, the user places the portable information terminal 102 within the communicable range of the non-contact ICR / W 106, and sends the authentication information transmission button 804. Press.
When the authentication information transmission button 804 is pressed, the online service client 107 reads the authentication information 309 from the non-contact IC chip 305 and acquires it in the memory, and further transmits the acquired authentication information to the online service server 103 (step) 601).
The online service server 103 transmits the received authentication information to the authentication server 104 (step 602).

Upon receiving the authentication information, the authentication server 104 executes an authentication process and acquires an authentication result (step 603).
Details of the authentication processing in step 603 will be described below.
When a one-time password is used as authentication information, the authentication server 104 first refers to the user ID acquired in step 402 and uses the common key K stored in the authentication server in association with the user ID. get.
Next, the secure hash function is executed with the byte string obtained by concatenating the common key K, the service request content acquired in step 402 and the random number information acquired in step 403 as an argument, and a hash value is acquired as an execution result. .
Then, the hash value is compared with the one-time password received from the online service server in step 603.
If they match, it is determined that the authentication has succeeded and “success” is returned as the authentication result. If they do not match, it is determined that the authentication has failed and “no” is returned as the authentication result.

When using a digital signature as authentication information, the authentication server 104 first refers to the user ID acquired in step 402 and acquires the public key PK associated with the user ID and stored in the authentication server. To do.
Next, the secure hash function is executed using the byte string obtained by concatenating the service request content acquired in step 402 and the random number information acquired in step 403 as an argument, and a hash value is acquired as an execution result.
Then, the hash value is compared with the value obtained by decrypting the digital signature received from the online service server with the public key PK in step 603.
If they match, it is determined that the authentication has succeeded and “success” is returned as the authentication result. If they do not match, it is determined that the authentication has failed and “no” is returned as the authentication result.
The authentication server 104 transmits the authentication result to the online service server 103 (step 604).

If the received authentication result is “success”, the online service server 103 provides the user with an online service according to the service request content requested by the user.
If the received authentication result is “No”, the online service is not provided, and a message is sent to the online service client 107 to inform the user that the authentication has failed (step 605).

Next, the operation flow of the terminal user authentication necessity determination program 313 in the present embodiment will be described with reference to FIG.
The operation of the terminal user authentication necessity determination program described below is performed when the content of the service request requested by the user is login to the online service site in the operation of the authentication information generation process of the authentication system. This program implements a mechanism for performing terminal user authentication and omitting terminal user authentication when the service is other than login.

First, a login determination flag is acquired as terminal user authentication determination information from an argument (step 701).
If the login determination flag is true, the process proceeds to step 703. If the login determination flag is false, the process proceeds to step 704 (step 702).

“Necessary” is returned as the value of the terminal user authentication request flag, and the process ends (step 703).
“Unnecessary” is returned as the value of the terminal user authentication request flag, and the process ends (step 704).
The flow of operations of the terminal user authentication necessity determination program in the present embodiment has been described above.

Note that the terminal user authentication necessity determination program described above is an example, and the following may be considered. The operation of the terminal user authentication necessity determination program is preferably determined in consideration of the balance of the terminal operation required for the user and the security strength required for the authentication system.
For example, no matter what terminal user authentication determination information is acquired, the operation is to always return “necessary” as the terminal user authentication request flag. In this case, the authentication system requests terminal user authentication from the user every time the authentication client is activated.
Further, as the terminal user authentication determination information, the time when the authentication server generates the random number information in step 403 is taken, and the time difference from the previous authentication information generation time is calculated based on the time, and the calculated time difference is determined in advance by the authentication system. If the time difference is less than the time difference set in (1), “Unnecessary” is returned as the terminal user authentication request flag, and if the calculated time difference is greater than or equal to the time difference previously set in the authentication system, the terminal user authentication request is returned. This is an operation of returning “necessary” as a flag. In this case, the authentication system requests terminal user authentication from the user when a predetermined time or more has elapsed since the last generation of authentication information.
Further, as the terminal user authentication determination information, the transaction amount included in the service request content received in step 403 is taken, and the transaction amount acquired as the terminal user authentication determination information is less than the amount predetermined in the authentication system. If the transaction amount acquired as the terminal user authentication determination information is greater than or equal to the amount set in advance in the authentication system, the terminal user authentication request is returned. This is an operation of returning “necessary” as a flag. In this case, the authentication system requests terminal user authentication from the user when the transaction requested by the user is a transaction that handles a certain amount of money.
Further, as the terminal user authentication determination information, the transaction amount and customer information included in the service request content received in step 403, and the history information of the service request content executed by the user before the authentication request being processed, The transaction amount acquired as the terminal user authentication determination information is higher or lower than the amount determined in advance in the authentication system, and the supplier information acquired as the terminal user authentication determination information is the terminal An operation that returns “required” or “unnecessary” as the terminal user authentication request flag depending on the combination of the condition determinations whether it is included or not included in the history information of the service request content acquired as user authentication determination information It is. In this case, for example, the authentication system deals with a transaction requested by a user for a business partner to whom the user has never performed a transaction, and handles a certain amount of money. When it is a transaction, the terminal user authentication is requested to the user.

The embodiment of the authentication system of the present invention has been described above.
In the embodiment of the authentication system of the present invention, the terminal user authentication necessity determination program 313 is one of the functions of the authentication client 310 and is executed by the portable information terminal 102.
However, the present invention can also be implemented as a mode in which the terminal user authentication necessity determination program is one of the functions of the authentication server 104 and is executed by the authentication server.

Regarding the flow of operations when the terminal user authentication necessity determination program is executed by the authentication server, the operation changes will be described below.
First, after step 404 and before step 405, the authentication server 104 executes a terminal user authentication necessity determination program using the terminal user authentication determination information as an argument, and requests a terminal user authentication request as an execution result. Get the flag.
In step 405, the authentication server 104 uses the terminal user authentication request flag instead of the terminal user authentication determination information to generate cryptographic information with MAC.
In step 504, the authentication client 109 acquires the terminal user authentication request flag in the memory instead of the terminal user authentication determination information, and after the acquisition, skips step 505 and proceeds to step 506.
In step 506, the authentication client 109 performs processing based on the terminal user authentication request flag acquired in step 503.

In the embodiment of the present invention, the terminal user authentication program 314 inputs the identity confirmation information from the input unit 302 of the portable information terminal. However, even if the identity verification information is input from the input unit 202 of the information terminal, the present invention can be implemented.
The operation changes in the case where the identity verification information is input from the input unit 202 of the information terminal will be described below.

In step 408, a description for transmitting a request for writing personal identification information to the non-contact IC chip 305 is newly added to the non-contact IC chip reader / writer control code generated by the online service server.
In step 409, a new entry field for identification information (for example, a text box for accepting an input of a personal identification number) is added to the authentication client operation screen. Furthermore, a function for transmitting a request for writing the personal identification information to the non-contact IC chip 305 to the portable information terminal 102 is newly added to the function of the authentication information generation button.
In step 501, when the authentication information generation button is pressed, the online service client 107 writes the personal identification information to the non-contact IC chip 305 in addition to the encryption information with MAC.
This change is realized by adding a description to the non-contact IC chip reader / writer control code in step 407.

In step 502, it is assumed that the online service client 107 reads the personal identification information from the non-contact IC chip in addition to the divided encrypted MAC-added encryption information A308 and acquires it in the memory.
In step 506, the terminal user authentication program 314 executes processing using the personal identification information acquired in step 502, and acquires a terminal user authentication result as an execution result.

In the embodiment of the present invention, if the terminal user authentication result is “No” in step 507, the authentication process is interrupted and the execution of the authentication client is immediately terminated. However, this process may be replaced with the process described below.
The authentication client 109 records the number of authentication failures in which the terminal user authentication result is “No” in the storage unit 306 before ending the processing.
When the number of authentication failures exceeds a certain number, the authentication client 109 deletes the common key K and the secret key SK stored in the storage unit and executes the authentication client initial setting procedure again. To the user.
The number of authentication failures that require the user to make initial settings again is determined according to the security strength required by the operator providing the online service for this authentication system, and is incorporated in the authentication client program in advance, or the user Shall be entered in the initial setting of the authentication client.
If such a mechanism is introduced, the security strength of the authentication system can be further improved as necessary.

  In the embodiment of the present invention, the authentication client writes the authentication information in the non-contact IC chip when the user presses the service request content confirmation button in step 509. However, the condition for the authentication client to write the authentication information in the contactless IC chip may be another operation as long as the user can operate the portable information terminal that can be detected by the authentication client. For example, an operation of placing the portable information terminal once outside the communication range of the non-contact ICR / W 106 and placing it again within the communication range can be mentioned. If the operation is changed to an operation that can be performed in a short time without any burden on the user, the effect that the authentication can be performed a plurality of times in a short time can be further improved.

  In FIG. 1, the online service server 103 and the authentication server 104 may be configured to be integrated in the same server.

1 is an overall configuration diagram showing an embodiment of an authentication system according to the present invention. It is a functional block diagram which shows the structure of an information terminal. It is a functional block diagram which shows the structure of a portable information terminal. It is a flowchart which shows the flow of operation | movement of an authentication information generation preparation process. It is a flowchart which shows the flow of operation | movement of an authentication information generation process. It is a flowchart which shows the flow of operation | movement of an authentication process. It is a flowchart which shows the flow of a process of a terminal user authentication necessity determination program. It is a figure which shows the example of an authentication client operation screen in case a service request content is login. It is a figure which shows the example of a terminal user authentication screen. It is a figure which shows the example of a service request content confirmation screen in case a service request content is login. It is a figure which shows the example of an authentication client operation screen in case a service request content is transactions other than login. It is a figure which shows the example of the service request content confirmation screen in case a service request content is transactions other than login.

Explanation of symbols

101 information terminal 102 portable information terminal 103 online service server 104 authentication server 105 communication network 106 contactless ICR / W
107 Online service client 108 Contactless IC chip 109 Authentication client

Claims (22)

An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving the provision of an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
An authentication system comprising a non-contact IC chip and an authentication client possessed by a user who receives an online service at the information terminal, and comprising a portable information terminal that generates authentication information used for authentication of service request contents. And
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Generate random number information and authentication client activation code, encrypt service request contents and random number information and generate MAC-attached encryption information with MAC added, and divide MAC-attached encryption information into divided MAC-attached encryption information A And generating the encrypted MAC-added encryption information B, and transmitting the authentication client activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B to the online service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with divided MAC and the encrypted information B with divided MAC, and incorporates the non-contact IC chip reader / writer control code Means for displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Means for writing the encrypted MAC-added encryption information A and transmitting the authentication client activation code including the divided MAC-added encryption information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the divided encryption information with MAC B as a parameter is received from the information terminal, the authentication client is activated, and the divided MAC encryption information A and the divided MAC encryption read from the non-contact IC chip Combines information B to generate cryptographic information with MAC, performs MAC authentication and decryption of the cryptographic information with MAC, acquires service request contents and random number information, and authentication information based on the acquired service request contents and random number information A service request content confirmation screen including the service request content, receiving the operation of the user's portable information terminal, writing the generated authentication information into the non-contact IC chip, and terminating the authentication client; ,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and transmitting authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A featured authentication system. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving the provision of an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of service request contents; An authentication system comprising:
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Generate random number information and authentication client activation code, encrypt service request contents and random number information and generate MAC-attached encryption information with MAC added, and divide MAC-attached encryption information into divided MAC-attached encryption information A And generating the encrypted MAC-added encryption information B, and transmitting the authentication client activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B to the online service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with divided MAC and the encrypted information B with divided MAC, and incorporates the non-contact IC chip reader / writer control code Means for displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Means for writing the encrypted MAC-added encryption information A and transmitting the authentication client activation code including the divided MAC-added encryption information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the divided encryption information with MAC B as a parameter is received from the information terminal, the authentication client is activated, and the divided MAC encryption information A and the divided MAC encryption read from the non-contact IC chip Combines information B to generate encrypted information with MAC, performs MAC authentication and decryption of encrypted information with MAC, obtains service request contents and random number information, and uses terminal using personal identification information stored in advance The terminal user authentication is performed by executing the user authentication means, and when the terminal user authentication is determined to be successful, authentication information is generated based on the acquired service request content and random number information, and the service request content Display the service request content confirmation screen including the received authentication information generated in response to the user's operation on the portable information terminal. Inclusive can, and the means to end the authentication client,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and transmitting authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A featured authentication system. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of the service request content; An authentication system comprising:
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Random number information, authentication client activation code, and terminal user authentication determination information are generated, service request contents, random number information, and terminal user authentication determination information are encrypted to generate encrypted information with MAC to which MAC is added, and with the MAC The encryption information is divided to generate divided MAC-attached encryption information A and divided MAC-attached encryption information B, and the authentication service activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B are sent to the online service server. Means for transmitting to,
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Means for displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Means for writing the encrypted MAC-added encryption information A and transmitting the authentication client activation code including the divided MAC-added encryption information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with the information B, generates encrypted information with MAC, performs MAC authentication and decryption of the encrypted information with MAC, acquires service request contents, random number information, and terminal user authentication determination information, and acquires terminal user authentication determination information To determine the necessity of the terminal user authentication by executing the terminal user authentication necessity determining means, and when the necessity determination is determined to be unnecessary, and the necessity determination is necessary. The terminal user authentication is performed by executing the terminal user authentication means using the identity verification information that is determined and stored in advance, and the terminal user authentication is performed. Authentication information is generated based on the acquired service request content and random number information, a service request content confirmation screen including the service request content is displayed, and an operation of the user's portable information terminal is received. Means for writing the generated authentication information to the non-contact IC chip and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and transmitting authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A featured authentication system. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of the service request content; An authentication system comprising:
The information terminal is
Means for transmitting a service request content to the online service server together with an authentication request;
The online service server is
Means for transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Random number information, authentication client activation code and terminal user authentication determination information are generated, and terminal user authentication necessity determination means is executed using the terminal user authentication determination information, thereby determining the necessity of terminal user authentication. To obtain the result of the necessity determination as a terminal user authentication request flag, encrypt the service request content, random number information, and the terminal user authentication request flag, and generate encrypted information with MAC to which the MAC is added, The encryption information with MAC is divided to generate the encryption information A with divided MAC and the encryption information B with divided MAC, and the authentication client activation code, the encryption information A with divided MAC, and the encryption information B with divided MAC are online. Means for sending to the service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Means for displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Means for writing the encrypted MAC-added encryption information A and transmitting the authentication client activation code including the divided MAC-added encryption information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with the information B, generates encrypted information with MAC, performs MAC authentication and decryption of the encrypted information with MAC, obtains service request contents, random number information, and a terminal user authentication request flag, and acquires a terminal user authentication request flag Is not necessary, and the terminal user authentication request flag read from the non-contact IC chip is necessary, and the terminal user authentication means is executed by using the pre-stored personal identification information. If the terminal user authentication is performed and the terminal user authentication is determined to be successful, the authentication information based on the acquired service request content and random number information And it generates and displays a service request content confirmation screen including the service request content, by receiving the operation of the user of the portable information terminal writes the generated authentication information to the contactless IC chip, and means for terminating the authentication client,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Means for reading and transmitting authentication information to the online service server;
The online service server is
Means for transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A featured authentication system. In the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information is a login determination flag included in a service request content transmitted by the information terminal together with an authentication request,
If the login determination flag acquired as the terminal user authentication determination information is a value indicating that a request other than login to the online service is requested as the service request content, the terminal user authentication necessity determination means When the execution result of the user authentication necessity determination means is determined to be unnecessary, and the login determination flag acquired as terminal user authentication determination information is a value indicating that login to the online service is requested as the service request content An authentication system characterized in that the execution result of the terminal user authentication necessity determining means is determined to be necessary. In the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information is a time when the authentication server generates random number information to be used as an argument when generating authentication information,
The terminal user authentication necessity determining means includes a random number generation time acquired as terminal user authentication determination information when the portable information terminal generates authentication information immediately before an authentication request being processed, and a terminal user authentication determination The time difference from the random number generation time acquired as information is calculated, and when the calculated time difference is less than the time difference determined in advance in the authentication system, the execution result of the terminal user authentication necessity determination means is determined to be unnecessary. An authentication system characterized in that, when the calculated time difference is equal to or greater than a time difference determined in advance in the authentication system, the execution result of the terminal user authentication necessity determination means is determined to be necessary. In the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information is a transaction amount included in the service request content transmitted by the information terminal together with the authentication request,
The terminal user authentication necessity determination means is the execution result of the terminal user authentication necessity determination means when the transaction amount acquired as the terminal user authentication determination information is less than an amount determined in advance in the authentication system. If the transaction amount acquired as the terminal user authentication determination information is greater than or equal to the amount determined in advance in the authentication system, the execution result of the terminal user authentication necessity determination unit is determined to be necessary. An authentication system characterized by that. In the authentication system according to any one of claims 3 and 4,
The terminal user authentication determination information includes the transaction amount and customer information included in the service request content transmitted by the information terminal together with the authentication request, and history information of the service request content executed by the user before the authentication request being processed. And
The terminal user authentication necessity determining means is configured to determine whether the transaction amount acquired as the terminal user authentication determination information is higher or lower than the amount determined in advance in the authentication system, and the terminal user authentication Necessity of terminal user authentication based on a combination of condition judgments on whether customer information acquired as determination information is included or not included in the history information of service request contents acquired as terminal user authentication determination information An authentication system characterized in that the execution result of the determination means is determined as necessary or unnecessary. In the authentication system according to any one of claims 2 to 8,
The terminal user authentication means executed by the authentication client prompts the user to input identity verification information, and if the entered identity verification information matches the identity verification information stored in advance in the portable information terminal, the terminal use Authentication system characterized in that person authentication is determined to be successful. The authentication system according to any one of claims 2 to 9,
The authentication system, wherein the personal identification information is a personal identification number. The authentication system according to any one of claims 2 to 9,
The authentication system characterized in that the identity verification information is position information. The authentication system according to any one of claims 2 to 9,
The authentication system characterized in that the identity verification information is biometric information of a user. In the authentication system according to any one of claims 1 to 12,
The authentication system, wherein the authentication information is a one-time password. In the authentication system according to any one of claims 1 to 12,
The authentication system, wherein the authentication information is a digital signature. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
Authentication in an authentication system comprised of a portable information terminal possessed by a user who receives an online service at the information terminal and comprising a non-contact IC chip and an authentication client, and generating authentication information used for authentication of service request contents A method,
The information terminal is
Transmitting service request content to the online service server together with an authentication request;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Generate random number information and authentication client activation code, encrypt service request contents and random number information, generate MAC-added encryption information with MAC added, divide the encryption information with MAC, and split encrypted information with MAC A Generating the encrypted MAC-added encryption information B, and transmitting the authentication client activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B to the online service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Writing the encrypted MAC-added cryptographic information A and transmitting the authentication client activation code including the divided MAC-added cryptographic information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combines information B to generate cryptographic information with MAC, performs MAC authentication and decryption of the cryptographic information with MAC, acquires service request contents and random number information, and authentication information based on the acquired service request contents and random number information Displaying a service request content confirmation screen including the service request content, receiving the operation of the user's portable information terminal, writing the generated authentication information to the non-contact IC chip, and terminating the authentication client; ,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the content of the service request received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; An authentication method characterized by comprising: An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of the service request content; An authentication method in an authentication system comprising:
The information terminal is
Transmitting service request content to the online service server together with an authentication request;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Generate random number information and authentication client activation code, encrypt service request contents and random number information, generate MAC-added encryption information with MAC added, divide the encryption information with MAC, and split encrypted information with MAC A Generating the encrypted MAC-added encryption information B, and transmitting the authentication client activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B to the online service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Writing the encrypted MAC-added cryptographic information A and transmitting the authentication client activation code including the divided MAC-added cryptographic information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with information B to generate encrypted information with MAC, perform MAC authentication and decryption of encrypted information with MAC, obtain service request contents and random number information, and use terminal using pre-stored identity verification information The terminal user authentication is performed by executing the user authentication means, and when the terminal user authentication is determined to be successful, authentication information is generated based on the acquired service request content and random number information, and the service request content Display the service request content confirmation screen including the received authentication information generated in response to the user's operation on the portable information terminal. Inclusive can, and the step to end the authentication client,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating the authentication information received from the online service server based on the random number information generated by itself and the content of the service request received from the information terminal together with the authentication request, and transmitting an authentication result to the online service server; An authentication method characterized by comprising: An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of the service request content; An authentication method in an authentication system comprising:
The information terminal is
Transmitting service request content to the online service server together with an authentication request;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Random number information, authentication client activation code, and terminal user authentication determination information are generated, service request contents, random number information, and terminal user authentication determination information are encrypted to generate encrypted information with MAC to which MAC is added, and with the MAC The encryption information is divided to generate divided MAC-attached encryption information A and divided MAC-attached encryption information B, and the authentication service activation code, the divided MAC-attached encryption information A, and the divided MAC-attached encryption information B are sent to the online service server. Sending to
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Writing the encrypted MAC-added cryptographic information A and transmitting the authentication client activation code including the divided MAC-added cryptographic information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with the information B, generates encrypted information with MAC, performs MAC authentication and decryption of the encrypted information with MAC, acquires service request contents, random number information, and terminal user authentication determination information, and acquires terminal user authentication determination information To determine the necessity of the terminal user authentication by executing the terminal user authentication necessity determining means, and when the necessity determination is determined to be unnecessary, and the necessity determination is necessary. The terminal user authentication is performed by executing the terminal user authentication means using the identity verification information that is determined and stored in advance, and the terminal user authentication is performed. Authentication information is generated based on the acquired service request content and random number information, a service request content confirmation screen including the service request content is displayed, and an operation of the user's portable information terminal is received. Writing the generated authentication information into the non-contact IC chip and terminating the authentication client;
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A characteristic authentication method. An online service server providing online services;
An information terminal comprising a non-contact IC chip reader / writer, and receiving an online service by transmitting a service request content to the online service server;
An authentication server that performs processing related to authentication of service request contents in the online service;
A portable information terminal possessed by a user who receives an online service at the information terminal, comprising a contactless IC chip and an authentication client, storing personal identification information in advance, and generating authentication information used for authentication of the service request content; An authentication method in an authentication system comprising:
The information terminal is
Transmitting service request content to the online service server together with an authentication request;
The online service server is
Transmitting the service request content received from the information terminal to the authentication server;
The authentication server is
Random number information, authentication client activation code and terminal user authentication determination information are generated, and terminal user authentication necessity determination means is executed using the terminal user authentication determination information, thereby determining the necessity of terminal user authentication. To obtain the result of the necessity determination as a terminal user authentication request flag, encrypt the service request content, random number information, and the terminal user authentication request flag, and generate encrypted information with MAC to which the MAC is added, The encryption information with MAC is divided to generate the encryption information A with divided MAC and the encryption information B with divided MAC, and the authentication client activation code, the encryption information A with divided MAC, and the encryption information B with divided MAC are online. Sending to the service server;
The online service server is
Authentication client operation that generates a non-contact IC chip reader / writer control code including the authentication client activation code, the encrypted information A with the divided MAC and the encrypted information B with the divided MAC, and incorporates the non-contact IC chip reader / writer control code Displaying a screen on the information terminal;
The information terminal is
When the user operates the authentication client operation screen, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed and divided into non-contact IC chips via the non-contact IC chip reader / writer. Writing the encrypted MAC-added cryptographic information A and transmitting the authentication client activation code including the divided MAC-added cryptographic information B as a parameter to the portable information terminal;
The portable information terminal is
The authentication client activation code including the encrypted MAC-encrypted information B as a parameter is received from the information terminal, the authentication client is activated, and the encrypted MAC-encrypted information A read from the non-contact IC chip and the encrypted encrypted MAC Combined with the information B, generates encrypted information with MAC, performs MAC authentication and decryption of the encrypted information with MAC, obtains service request contents, random number information, and a terminal user authentication request flag, and acquires a terminal user authentication request flag Is not necessary, and the terminal user authentication request flag read from the non-contact IC chip is necessary, and the terminal user authentication means is executed by using the pre-stored personal identification information. If the terminal user authentication is performed and the terminal user authentication is determined to be successful, the authentication information based on the acquired service request content and random number information And it generates the steps of displaying a service request content confirmation screen including the service request content, by receiving the operation of the user of the portable information terminal writes the generated authentication information to the contactless IC chip, and ends the authentication client,
The information terminal is
In response to the operation of the authentication client operation screen by the user, the non-contact IC chip reader / writer control code embedded in the authentication client operation screen is executed, and the authentication information is received from the non-contact IC chip via the non-contact IC reader / writer. Reading and sending authentication information to the online service server;
The online service server is
Transmitting authentication information received from the information terminal to the authentication server;
The authentication server is
Authenticating authentication information received from the online service server based on random number information generated by itself and a service request content received from the information terminal together with an authentication request, and transmitting an authentication result to the online service server. A characteristic authentication method. The authentication method according to any one of claims 17 and 18,
The terminal user authentication determination information is a login determination flag included in a service request content transmitted by the information terminal together with an authentication request,
If the login determination flag acquired as the terminal user authentication determination information is a value indicating that a request other than login to the online service is requested as the service request content, the terminal user authentication necessity determination means When the execution result of the user authentication necessity determination means is determined to be unnecessary, and the login determination flag acquired as terminal user authentication determination information is a value indicating that login to the online service is requested as the service request content The authentication method characterized in that the execution result of the terminal user authentication necessity determining means is determined to be necessary. The authentication method according to any one of claims 17 and 18,
The terminal user authentication determination information is a time when the authentication server generates random number information to be used as an argument when generating authentication information,
The terminal user authentication necessity determination means includes a random number generation time acquired as terminal user authentication determination information when the portable information terminal generates authentication information immediately before an authentication request being processed, and a terminal user authentication determination The time difference from the random number generation time acquired as information is calculated, and when the calculated time difference is less than the time difference determined in advance in the authentication system, the execution result of the terminal user authentication necessity determination means is determined to be unnecessary. An authentication method characterized in that when the calculated time difference is equal to or greater than a time difference predetermined in the authentication system, the execution result of the terminal user authentication necessity determination means is determined to be necessary. The authentication method according to any one of claims 17 and 18,
The terminal user authentication determination information is a transaction amount included in the service request content transmitted by the information terminal together with the authentication request,
The terminal user authentication necessity determination means is the execution result of the terminal user authentication necessity determination means when the transaction amount acquired as the terminal user authentication determination information is less than an amount determined in advance in the authentication system. If the transaction amount acquired as the terminal user authentication determination information is greater than or equal to the amount determined in advance in the authentication system, the execution result of the terminal user authentication necessity determination unit is determined to be necessary. An authentication method characterized by that. The authentication method according to any one of claims 17 and 18,
The terminal user authentication determination information includes the transaction amount and customer information included in the service request content transmitted by the information terminal together with the authentication request, and history information of the service request content executed by the user before the authentication request being processed. And
The terminal user authentication necessity determining means is configured such that the transaction amount acquired as the terminal user authentication determination information is higher or lower than the amount determined in advance in the authentication system, and the terminal user authentication Necessity of terminal user authentication based on a combination of condition judgments whether the customer information obtained as judgment information is included or not included in the history information of the service request content obtained as terminal user authentication judgment information An authentication method characterized in that the execution result of the determination means is determined as necessary or unnecessary.

Images