JP2010250672A - Authentication server device, authentication method, and authentication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an authentication server device, an authentication method, and an authentication system which enable reliable authentication with only line identification information without essentially requiring user authentication with a password, an IC card, or the like. <P>SOLUTION: Line identification information which permits authentication is stored; and when data communication is performed from a terminal device via an NGN, line identification information is obtained from the NGN, and authentication is performed by determining whether the obtained line identification information is stored. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an authentication server device, an authentication method, and an authentication system, and more particularly to an authentication server device, an authentication method, and an authentication system using NGN (Next Generation Network).

  2. Description of the Related Art Conventionally, current IP networks represented by the Internet and intranets are constructed based on the IP (Internet Protocol) version 4 (IPv4) standard. Here, with an IPv4 address or a lower layer MAC (Media Access Control) address, there is a problem that a third party can easily rewrite the IPv4 address set in the terminal. Therefore, using the result of authenticating the sender based on the IPv4 address or the MAC address as user authentication at the time of providing the service is not usually performed because of a problem in reliability.

  Here, in the user authentication system described in Patent Document 1, when an information terminal capable of connecting to the Internet with a workstation transmits a user name to the workstation, the workstation transmits the user name to the authentication server and the user. Requesting authentication, the authentication server calls the information terminal corresponding to the user name, requests to send a random number, password, and location information, and the password received from the information terminal is unique to the user name. When it is confirmed that the random number received from the workstation matches the random number received from the information terminal, and the information terminal is located within a predetermined area including the position of the workstation based on the position information received from the information terminal. And authenticating access to the workstation by the user.

  In recent years, a new version of the protocol called IP version 6 (IPv6) has been put into practical use in response to the lack of IPv4 addresses. As a network using this IPv6 protocol, NGN (Next Generation Network: next generation network) has been developed (see Non-Patent Document 1), and international standardization organizations such as ITU-T (International Telecommunication Union-Telecommunication Standardization Sector). Towards the standardization of NGN, from 2004 to the present, Recommendations have been announced with recommendation numbers in the 2000s.

JP 2008-287321 A

Nikkei Business Publications, Inc. "Use of line authentication and QoS function in business", [online], published on July 1, 2007, NIKKEI COMMUNICATIONS, [April 6, 2009 search], Internet <URL: http: // coin. nikkeibp. co. jp / coin / 0115 / PDF0701 / PDF1. pdf>

  However, in the conventional authentication method in the IPv4 network represented by the Internet (Patent Document 1 and the like), when performing control to provide different services for each user, etc., authentication is performed using the address assigned to the source. Instead, it is necessary to perform user authentication using a password given to each user, an IC (Integrated Circuit) card distributed to each user, or the like.

  The present invention has been made in view of the above problems, and an authentication server device and an authentication method that enable reliable authentication using only line identification information without requiring user authentication using a password, an IC card, or the like. And it aims at providing an authentication system.

  In order to achieve such an object, the authentication server device of the present invention can communicate with a terminal device via NGN (Next Generation Network) that provides line identification information that uniquely identifies a line used during data communication. An authentication server device including at least a storage unit and a control unit, wherein the storage unit includes a permitted line identification information storage unit that stores the line identification information that permits authentication, and the control unit When performing the data communication from the terminal device via the NGN, the line identification information acquisition means for acquiring the line identification information from the NGN, and the line identification information acquired by the line identification information acquisition means Authentication means for performing authentication by determining whether or not is stored in the permitted line identification information storage means. Features.

  The authentication server device according to the present invention is the authentication server device described above, wherein the storage unit further includes a user information database that stores user information in association with the line identification information. Further comprises user information acquisition means for acquiring the user information corresponding to the line identification information acquired by the line identification information acquisition means from the user information database.

  Further, the authentication server device of the present invention is characterized in that, in the above-described authentication server device, the control unit further comprises a settlement means for performing a settlement process when authentication is permitted by the authentication means. To do.

  The authentication server device of the present invention is the authentication server device described above, wherein the terminal device is connected to an authentication device for inputting authentication information, and the authorized line identification information storage means performs the authentication. The authentication information of the authentication device is stored in association with the line identification information to be permitted, and the settlement means controls the terminal device to transmit the authentication information input from the authentication device, and the terminal When the authentication information is received from the apparatus via the NGN, the authentication information stored in the permission identification information storage unit corresponding to the acquired line identification information and the received authentication information are It is characterized by determining whether or not they match, and performing the settlement process when they match.

  The authentication server device of the present invention is characterized in that, in the authentication server device described above, the authentication information is a card ID, biometric information, device ID, user name, or password.

  The authentication server device according to the present invention is the authentication server device described above, wherein the terminal device includes a display unit and an input unit, and the settlement unit confirms that the settlement process is performed. Control information for controlling the display unit and the input unit is transmitted to the terminal device to allow the user to input information, and authentication is permitted by the authentication unit, and the confirmation is made from the terminal device. The payment processing is performed when information is received.

  The authentication server device according to the present invention is the authentication server device described above, wherein the terminal device includes a display unit and an input unit, and the payment unit uses a payment method for performing the payment process. Control information for controlling the display unit and the input unit to be selected by the terminal device, authentication is permitted by the authentication means, and selection information of the settlement method from the terminal device When the payment is received, the payment processing is performed according to the payment method based on the selection information.

  Moreover, the authentication server device of the present invention is the above-described authentication server device, wherein the storage unit stores the payment information associated with the line identification information and necessary for performing the payment processing. And means for performing the payment processing based on the payment information stored in the payment information storage means.

  Moreover, the authentication server device of the present invention is the above-described authentication server device, wherein the settlement means is a telephone number, a line owner name, or address information acquired as the user information by the user information acquisition means. Based on the above, the settlement processing is performed.

  The present invention also relates to an authentication method, which is communicably connected to a terminal device via an NGN (Next Generation Network) that provides line identification information that uniquely identifies a line used during data communication. An authentication method executed in an authentication server device including at least a storage unit and a control unit, wherein the storage unit includes a permitted line identification information storage unit that stores the line identification information that permits authentication. The line identification information acquisition step for acquiring the line identification information from the NGN and the line identification information acquisition step when performing the data communication from the terminal device via the NGN, executed in the control unit. It is determined whether or not the line identification information acquired in this way is stored in the permitted line identification information storage means And an authentication step for performing authentication.

  The present invention also relates to an authentication system, and a terminal device including at least a control unit via NGN (Next Generation Network) that provides line identification information for uniquely identifying a line used during data communication; An authentication system configured to communicably connect a storage unit and an authentication server device including at least a control unit, wherein the storage unit of the authentication server device stores the line identification information that permits authentication A permitted line identification information storage means, wherein the control unit of the authentication server apparatus acquires the line identification information from the NGN when performing the data communication from the terminal apparatus via the NGN. Information acquisition means, and the line identification information acquired by the line identification information acquisition means is the permitted line identification information storage means. And authentication means for performing authentication by determining whether or not the information is stored in the memory.

  According to the present invention, there is an effect that it is possible to perform reliable authentication using only line identification information without requiring user authentication using a password, an IC card, or the like.

FIG. 1 is a flowchart showing the basic principle of the present invention. FIG. 2 is a block diagram showing an example of the configuration of the authentication system to which the present invention is applied. FIG. 3 is a diagram conceptually showing elements related to the present embodiment in the functional configuration of NGN 300. FIG. 4 is a diagram illustrating an example of the overall outline of the architecture of the NGN 300. FIG. 5 is a diagram showing an outline of the transport stratum 320. FIG. 6 is a diagram showing an outline of the service stratum 310. FIG. 7 is a conceptual diagram schematically showing an example of data communication via the current Internet. FIG. 8 is a conceptual diagram schematically showing an example of data communication in the authentication system via NGN. FIG. 9 is a diagram schematically illustrating an example of data communication via the current cloud type network. FIG. 10 is a diagram schematically illustrating an example of data communication in the authentication system via NGN. FIG. 11 is a conceptual diagram illustrating an example of authentication device virtualization processing of the authentication server device 100 according to the present embodiment. FIG. 12 is a screen transition diagram illustrating an example of transition of the payment screen. FIG. 13 is a flowchart illustrating an example of the payment process. FIG. 14 is a diagram illustrating an example of the configuration of the authentication system including a mobile network or a fixed network on the terminal side and a cloud network on the server side. FIG. 15 is a diagram illustrating an example in which data communication is performed from the terminal device 200 via the authentication server device 100 to a server device or the like on a cloud network. FIG. 16 is a screen transition diagram showing an example of the transition of the display screen when purchasing a product through NGN. FIG. 17 is a screen transition diagram illustrating an example of transition of the display screen when purchasing a product through NGN. FIG. 18 is a diagram showing an example in which authentication by the present authentication system is used for obtaining an electronic medical record.

  Embodiments of an authentication server device, an authentication method, an authentication system, and a program according to the present invention will be described below in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

[Outline of the present invention]
Hereinafter, the outline of the present invention will be described with reference to FIG. 1, and then the configuration and processing of the present invention will be described in detail. FIG. 1 is a flowchart showing the basic principle of the present invention.

  The present invention generally has the following basic features. That is, the authentication server device of the present invention is connected to a terminal device through an NGN (Next Generation Network) so as to be communicable, and includes at least a storage unit and a control unit. Here, “NGN” is a network using the IPv6 protocol, and has a function of providing line identification information for uniquely identifying a line used during data communication. For example, as NGN, Y.I. A network technology that has been recommended for standardization with a recommendation number in the 2000s or the like may be used.

  And the authentication server apparatus of this invention memorize | stores beforehand the line identification information which permits authentication in a memory | storage part.

  As shown in FIG. 1, the authentication server device of the present invention acquires line identification information from the NGN when a request for starting data communication via the NGN is received from the terminal device (step SA-1). (Step SA-2).

  Here, the “line identification information” is information for uniquely identifying the line used by the terminal device at the time of data communication via NGN. For example, an IPv6 address fixedly assigned on the communication network side for each subscriber line It is some identification information that can identify a subscriber line such as a telephone number.

  And the authentication server apparatus of this invention authenticates by determining whether the acquired line identification information is memorize | stored in the memory | storage part (step SA-3).

  Furthermore, the authentication server device of the present invention may perform a payment process when authentication is permitted as an authentication result. For example, the authentication server device of the present invention further stores authentication information (IC card information, password, biometric information, etc.) in the storage unit in association with the line identification information, and is input from an authentication device connected to the terminal device. When the terminal device is controlled to transmit the authentication information and the authentication information is received from the terminal device via the NGN, the received authentication information and the authentication information stored in the storage unit corresponding to the acquired line identification information However, it may be determined whether or not they match, and if they match, settlement processing may be performed. The authentication server device according to the present invention further stores user information (telephone number, line owner name, address, etc.) in the storage unit in association with the line identification information, and a user corresponding to the acquired line identification information. Information may be acquired from the storage unit.

  In addition, for example, control information for controlling the display unit and the input unit of the terminal device is transmitted to the terminal device so that the user inputs confirmation information for confirming that the payment processing is performed, and the confirmation information is received from the terminal device. In such a case, settlement processing may be performed. Here, the authentication server device according to the present invention transmits control information for controlling the display unit and the input unit of the terminal device to the terminal device so that the user selects a payment method for performing the payment process. When the payment method selection information is received from, payment processing may be performed according to the payment method based on the selection information. The above is the outline of the present invention.

[Configuration of authentication server and authentication system]
Next, the configuration of the authentication server device and the authentication system including this authentication server device will be described with reference to FIGS. FIG. 2 is a block diagram showing an example of the configuration of the authentication system to which the present invention is applied, and conceptually shows only the portion related to the present invention in the configuration. This authentication system is generally configured by connecting an authentication server device 100 and a terminal device 200 so as to be communicable via an NGN 300.

  In FIG. 2, an NGN 300 is a next generation network (Next Generation Network) that has a function of mutually connecting the authentication server device 100 and the terminal device 200 and uses the IPv6 protocol. Here, the functional configuration of the NGN 300 will be described with reference to FIGS. FIG. 3 is a diagram conceptually showing elements related to the present embodiment in the functional configuration of NGN 300.

  As shown in FIG. 3, in the NGN 300, the functional concept conceptually includes RACF (resource admission control functions) 322 that performs application level authentication and QoS (Quality of Service) control based on a user profile, and network level based on a line. NACF (network attachment control functions) 321 that performs authentication is installed as a QoS and security function, receives control from the NACF / RACF, performs transport control at the network boundary (UNI and NNI), security A function for executing QoS control is implemented in the edge router. Therefore, each line in the NGN 300 is associated with a unique number or a unique IP address (particularly an IPv6 address) and provided as line identification information. Here, FIG. 4 is a diagram illustrating an example of the overall outline of the architecture of the NGN 300.

  As shown in FIG. 4, the NGN 300 is generally composed of two hierarchies: a service stratum 310 that realizes a service-related function and a transport stratum 320 that realizes a transfer-related function. Further, at the network boundary of the NGN 300, there are three interfaces: ANI (application-network interface), NNI (network-network interface), and UNI (user-network interface). Here, NNI is an interface with another network such as a provider, UNI is an interface with the authentication server device 100, the terminal device 200, etc., and ANI is an interface for an application to use a function in the service stratum. . Here, FIG. 5 is a diagram showing an outline of the transport stratum 320.

  As shown in FIG. 5, the transport stratum 320 has a transport control function for performing authentication and bandwidth control and a transport function for performing data transmission in order to realize an IPv6 network capable of QoS control. Among the transport control functions, the NACF 321 performs authentication, user function initialization and automatic detection, access network address management (based on a transport user profile storing QoS request information, SLA (Service Level Agreement) information, etc.) It performs functions such as IPv6 address allocation). On the other hand, the RACF 322 performs functions such as resource reservation, QoS control, admission management, firewall, and address translation. Here, FIG. 6 is a diagram showing an outline of the service stratum 310.

  As shown in FIG. 6, the service stratum 310 is based on an application support function and a service support function that simplify complicated processing, and a service user file that stores a telephone number, contract contents, and the like. It has a service control function for performing control and presence management. The above is an example of the functional configuration of the NGN 300.

  Referring back to FIG. 2 again, the terminal device 200 is mutually connected to the authentication server device 100 via the NGN 300 by a communication control interface unit (not shown), and roughly shows a control unit 202, an authentication device 210, and an input unit. 212 and a display unit 214. Here, the hardware configuration of the terminal device 200 may be configured by an information processing device such as a commercially available workstation or personal computer and an accessory device thereof, and is configured as an information home appliance or a mobile phone. May be. The authentication device 210, the input unit 212, and the display unit 214 are controlled by an input / output control interface unit (not shown). Here, the authentication device 210 is any device for inputting authentication information such as a card ID, biometric information, and device ID. As an example, a USB card reader, a TV reader with a built-in card reader, a BCAS card with a built-in main body, and the like. And a mobile phone (a mobile phone with a FeliCa function, a mobile phone configured to output a mobile phone body ID, a SIM ID, etc.), an IC card reader, a biometric authentication device, and the like. As the display unit 214, a speaker (including a home TV), a speaker, or the like can be used. As the input unit 212, a keyboard, a mouse, a microphone, or the like can be used.

  In FIG. 2, the authentication server device 100 is generally configured to include a control unit 102, a communication control interface unit 104, and a storage unit 106. Here, the control unit 102 is a CPU or the like that comprehensively controls the entire authentication server device 100. The communication control interface unit 104 is an interface connected to a communication device (not shown) such as a router connected to a communication line or the like. The storage unit 106 is a device that stores various databases and tables. Each unit of the authentication server device 100 is connected to be communicable via an arbitrary communication path. Further, the authentication server device 100 is communicably connected to the NGN 300 via a communication device such as a router and a wired or wireless communication line such as a dedicated line.

  Various databases and tables (permitted line identification information file 106a to settlement information file 106c) stored in the storage unit 106 are storage means such as a fixed disk device. For example, the storage unit 106 stores various programs, tables, files, databases, web pages (including icon information), and the like used for various processes.

  Among the components of the storage unit 106, the permitted line identification information file 106a is a permitted line identification information storage unit that stores line identification information that permits authentication. Here, the permitted line identification information file 106a may store authentication information in association with the line identification information. The authentication information stored in the permitted line identification information file 106a is, for example, a card ID, biometric information, device ID, user name, password, and the like.

  The user information DB 106b is a user information database that stores user information in association with line identification information. The user information stored in the user information DB 106b is, for example, a telephone number, a user name (such as a line owner name), an address, or the like.

  The payment information file 106c is a payment information storage unit that stores payment information that is necessary for payment processing in association with the line identification information. The payment information stored in the payment information file 106c is, for example, a bank account number, a personal identification number, a credit number, a payment method, a fixed telephone number of a merchandise destination, and the like.

  In FIG. 2, the communication control interface unit 104 performs communication control between the authentication server device 100 and the NGN 300 (or a communication device such as a router). That is, the communication control interface unit 104 has a function of communicating data with other terminals via a communication line.

  In FIG. 2, the control unit 102 has an internal memory for storing a control program such as an OS (Operating System), a program defining various processing procedures, and necessary data. And the control part 102 performs the information processing for performing various processes by these programs. The control unit 102 is functionally conceptually configured to include a line identification information acquisition unit 102a, an authentication unit 102b, a user information acquisition unit 102c, and a settlement unit 102d.

  Among these, the line identification information acquisition unit 102 a is a line identification information acquisition unit that acquires line identification information from the NGN 300 when performing data communication from the terminal device 200 via the NGN 300.

  The authentication unit 102b is an authentication unit that performs authentication by determining whether or not the line identification information acquired by the line identification information acquisition unit 102a is stored in the permitted line identification information file 106a. Here, the authentication unit 102b further controls the terminal device 200 to transmit the authentication information input from the authentication device 210, and when the authentication information is received from the terminal device 200 via the NGN 300, the acquired line Authentication may be performed by comparing the authentication information stored in the permitted line identification information file 106a corresponding to the identification information with the received authentication information and determining whether or not they match.

  The user information acquisition unit 102c is a user information acquisition unit that acquires user information corresponding to the line identification information acquired by the line identification information acquisition unit 102a from the user information DB 106b.

  The settlement unit 102d is a settlement unit that performs a settlement process when authentication is permitted by the authentication unit 102b. Here, the settlement unit 102d transmits control information for controlling the input unit 212 and the display unit 214 to the terminal device 200 so that the user inputs confirmation information for confirming that the settlement process is to be performed, and the authentication unit 102b. The payment processing may be performed when the authentication is permitted by and when the confirmation information is received from the terminal device 200. Further, the settlement unit 102d transmits control information for controlling the input unit 212 and the display unit 214 to the user so that the user can select a settlement method for performing the settlement process, and the authentication unit 102b allows the authentication. If the payment method selection information is received from the terminal device 200, the payment processing may be performed according to the payment method based on the selection information. Here, the settlement unit 102d may perform a settlement process based on the settlement information stored in the settlement information file 106c. The above is an example of the configuration of the authentication server device and the authentication system.

[Authentication system processing]
Next, an example of processing of the authentication system according to the present embodiment configured as described above will be described in detail with reference to FIGS.

[Data communication via NGN]
First, data communication of the authentication system via NGN will be described with reference to FIGS. 7 to 10 while comparing with data communication via a conventional network. Here, FIG. 7 is a conceptual diagram schematically illustrating an example of data communication via the current Internet, and FIG. 8 is a conceptual diagram schematically illustrating an example of data communication in the authentication system via NGN. It is.

  As shown in FIG. 7, the current Internet is configured as an open network that passes through about 20 to 30 servers in a bucket relay system. For example, the Internet is connected between routers (R) of devices such as terminal devices and payment institutions. While performing round-trip data communication, data communication is performed in a vast route of n × n × n × n... Via a plurality of routable lines.

  On the other hand, as shown in FIG. 8, the NGN 300 is configured as a closed network via a maximum of about three core routers and edge routers in a peer-to-peer system, and does not require many servers. For example, the terminal device 200 and the authentication server During one round-trip data communication between the access points (APs) of the apparatus 100, data communication is performed using a route that can be specified by the peer-to-peer method. Further, if the terminal device 200 is a fixed terminal, it can be managed by linking it with a telephone number whose address is fixed. For this reason, line identification information is assigned to each line as in the public telephone network (PSTN), so that impersonation of a third party can be prevented and the reliability of the data transmission source can be ensured. Here, FIG. 9 is a diagram schematically showing an example of data communication via the current cloud type network, and FIG. 10 is a schematic example of data communication in the authentication system via NGN. FIG.

  As shown in FIG. 9, the current cloud-type network passes through about 20 to 30 servers during data communication between a terminal device and a device such as a financial institution, for example. In addition, there is a problem that the cost is low and the speed is low when a part of the network is used via a dedicated line. In addition, since terminal devices and EC (electronic commerce) site providing devices are open networks such as impersonation and phishing, it is difficult to ensure security during communication. On the other hand, as shown in FIG. 10, since NGN is a closed network, it is secure in the first place, and spoofing and phishing can be eliminated. The above is the outline of the data communication via the NGN according to the present embodiment.

[Basic processing of this authentication system]
Next, basic processing in the authentication system via the NGN 300 as described above will be described with reference to FIG. 1 again.

  First, as shown in FIG. 1, when the terminal device 200 controls the communication control interface unit and starts data communication with the authentication server device 100 via the NGN 300 (step SA-1), the authentication server device 100 Through the processing of the identification information acquisition unit 102a, line identification information for uniquely identifying the line used during the data communication is acquired from the NGN 300 (step SA-2).

  Then, the authentication server device 100 determines whether or not the line identification information acquired by the line identification information acquisition unit 102a is registered in the permitted line identification information file 106a by the processing of the authentication unit 102b. If it is not registered, authentication is rejected (step SA-3). This completes the basic processing in the authentication system.

[Authentication device virtualization processing]
Next, details of authentication device virtualization processing in the authentication server device 100 of the authentication system will be described with reference to FIG. FIG. 11 is a conceptual diagram illustrating an example of authentication device virtualization processing of the authentication server device 100 according to the present embodiment.

  As illustrated in FIG. 11, the terminal device 200 controls the display unit 214 to display the settlement icon MA-11, and when the user clicks on the settlement icon MA-11 via the input unit 212, the settlement icon Payment processing request information is transmitted via NGN 300 to the address of the authentication server device associated with MA-11.

  When the authentication server apparatus 100 receives the payment process request information, the authentication server apparatus 100 performs line identification information acquisition processing and authentication processing by the basic processing described above by the line identification information acquisition unit 102a and the authentication unit 102b.

  Then, when authentication is permitted by the authentication unit 102b, the authentication server device 100 controls the terminal device 200 to control the terminal device 200 to transmit the authentication information by the processing of the settlement unit 102d according to the acquired line identification information. 200.

  Then, the terminal device 200 controls the authentication device 210, the display unit 214, and the like so that the user inputs the authentication information via the authentication device 210 according to the received control information, and the authentication input via the authentication device 210 is performed. Information is transmitted to the authentication server device 100.

  Then, the authentication server device 100 determines whether or not the received authentication information matches the authentication information corresponding to the line identification information stored in the permitted line identification information file 106a. Settlement processing based on the above.

  In this way, the authentication device 210 is connected to the terminal device 200, and settlement processing is performed by a POS application or the like ahead of the NGN 300. That is, a payment program such as a POS application exists not on the terminal side but on the server side ahead of the NGN 300, and performs a payment process by virtualizing the authentication device on the server side. As a result, if the terminal device can be connected to the authentication device, the terminal does not need the POS application function. That is, conventionally, a POS application is required on the terminal side such as a CAT (Credit Authorization Terminal) terminal. However, according to the present embodiment, the terminal device 200 may be configured with only a simple information processing device, Act as a CAT terminal. In the present embodiment, the authentication information is input from the authentication device. However, on NGN, line identification information can be used as an authentication key as in the case of the current dial-up. Ultimately, there is no need for an authentication device 210 including a reader for authentication on the terminal side, and only a certain terminal connected to the NGN needs to exist.

  As an application example, it can be used for broadcasting shopping programs and the like by radio waves to a TV terminal (terminal device 200) for terrestrial digital broadcasting. At this time, payment icon information is also transmitted and displayed on the screen. Then, at the time of shopping, the connected terrestrial digital broadcasting TV terminal (terminal device 200) is connected to the NGN network via the authentication device 210 represented by a USB card reader or the like, and the settlement ahead of the NGN network. You may perform the above-mentioned payment process with an application. In addition, if a screen is created on the terminal device 200 side using Flash (flw) or the like, it can be applied to not only a digital TV but also a mobile phone or a game console. Further, instead of terrestrial digital broadcasting, content such as a shopping program may be distributed to the terminal device 200 via the Internet, and content such as a shopping program may be transmitted from the authentication server device 100 or the content server via the NGN 300. You may distribute.

[Payment processing]
Next, details of the settlement process by the process of the settlement unit 102d will be described with reference to FIGS. FIG. 12 is a screen transition diagram illustrating an example of transition of the payment screen. FIG. 13 is a flowchart showing an example of the settlement process. Note that the payment screen information displayed on the display unit 214 of the terminal device 200 shown below is transferred from the authentication server device 100 to the terminal device 200 by the processing of the payment unit 102d of the authentication server device 100 as described above. Information.

  As shown in FIG. 12, first, the terminal device 200 controls the display unit 214 to display a payment screen MA-1 including a payment icon MA-11, and as shown in FIG. When the payment icon MA-11 is clicked via 212 (step SB-1), the payment processing request information is transmitted via the NGN 300 to the address of the authentication server device associated with the payment icon MA-11. The basic processing described above is executed by the authentication server device 100 and authentication is performed (step SB-2). For example, only authentication may be performed in some form such as a USB card reader, an IC card, or biometric authentication.

  Then, the terminal device 200 receives control information for controlling the user to select a payment method for performing payment processing from the authentication server device 100, and in accordance with the control information, selects the card selection button MA-21 and the net bank selection. A settlement method selection screen MA-2 including the button MA-22 is displayed on the display unit 214 (step SB-3).

  When the net bank selection button MA-22 is clicked by the user via the input unit 212 (step SB-4), the terminal device 200 displays a payment confirmation screen on the display unit 214 according to the control information (step SB). -5). When the user clicks the OK button via the input unit 212 (step SB-6), the terminal device 200 transmits the confirmed information to the authentication server device 100 to complete the payment process and complete the payment. The screen is displayed on the display unit 214 (step SB-7). On the other hand, when the user clicks the NO button via the input unit 212 (step SB-8), the terminal device 200 transmits the cancel information to the authentication server device 100 to cancel the payment process (step SB-). 9).

  When the card selection button MA-21 is clicked by the user via the input unit 212 (step SB-10), the terminal device 200 displays an OK (Yes) button MA-31 as shown in FIG. 12 according to the control information. And the payment confirmation screen MA-3 including the NO (No) button MA-32 is displayed on the display unit 214 (step SB-11). Here, as the payment information such as credit card information, the information registered in the payment information file 106c in advance is used, so the user does not need to input at the time of payment.

  If the user clicks the OK (Yes) button MA-31 via the input unit 212 (step SB-12), the terminal device 200 transmits the confirmed information to the authentication server device 100 to perform payment processing. And the settlement completion screen MA-4 is displayed on the display unit 214 (step SB-13). That is, payment processing based on payment information such as credit card information is processed by the payment unit 102 d of the authentication server device 100. At the time of settlement, authentication processing by the authentication unit 102b is also executed based on the line identification information. On the other hand, when the user clicks the NO (no) button MA-32 via the input unit 212 (step SB-14), the terminal device 200 transmits the cancellation information to the authentication server device 100 and performs the payment process. Cancel (step SB-15).

  The above is an example of the settlement process. In this way, the payment screen appears on the display screen of the operating terminal device 200, but in reality, the payment application screen in the authentication server device 100 ahead of the NGN is transferred. In addition, since any authentication device 210 represented by a USB card reader is used, personal authentication operations such as card information input are eliminated.

[Connection between NGN and existing network]
In the above-described embodiment, the present authentication system has been described as a configuration through only NGN. However, the present invention is not limited to this, and includes a mobile network, a fixed network (a fixed telephone network, etc.), and a cloud network. It may be done. Here, FIG. 14 is a diagram showing an example of the configuration of the authentication system including a mobile network or a fixed network on the terminal side and a cloud network on the server side.

  As shown in FIG. 14, data communication from the terminal device 200 to the NGN 300 can be connected via an RAS (Remote Access Service) from an existing network such as a mobile network or a fixed network. Further, two types of connection from the NGN 300 to the cloud type network, a screen transfer type and a data processing type, can be assumed. That is, in the screen transfer type, the connection is made via a gateway (GW) between the NGN 300 and the cloud type network. On the other hand, in the data processing type, it is connected via a gateway (GW) between a server device or the like of the card company or financial institution on the NGN 300 and a server device or the like of the card company or financial institution on the cloud type network. The Here, FIG. 15 is a diagram illustrating an example in which data communication is performed from the terminal device 200 via the authentication server device 100 to a server device or the like on the cloud network.

  As illustrated in FIG. 15, when data communication is performed from the terminal device 200 to the authentication server device 100 via the RAS according to the connection type authentication method, authentication processing or the like in the authentication server device 100 is executed, and the authentication server The device 100 transmits information such as an authentication result to a server device on the cloud network via a gateway (GW). That is, the processing in the closed network is performed on the NGN, and the cloud network can be connected via the gateway (GW).

[Application examples using digital TV broadcast shopping programs]
An example of purchasing a product through NGN in a digital TV broadcast shopping program will be described below with reference to FIG. FIG. 16 is a screen transition diagram showing an example of the transition of the display screen when purchasing a product through NGN. The information on the display screen displayed on the display unit 214 of the terminal device 200 shown below is transferred from the authentication server device 100 to the terminal device 200 by the processing of the settlement unit 102d of the authentication server device 100 as described above. Information.

  As shown in FIG. 16, first, as a digital TV terminal device, when receiving a digital TV broadcast, the terminal device 200 controls the display unit 214 to display a mail order program screen MB-1 including a settlement icon MB-11. Display.

  When the user clicks on the payment icon MB-11 via the input unit 212 such as a TV remote controller, the terminal device 200 sets the address of the authentication server device 100 associated with the payment icon MB-11 to the address of the authentication server device 100. The terminal apparatus 200 transmits the request information for the payment process via the NGN 300, and the terminal apparatus 200 receives the card selection button MB according to the control information for controlling the user to select the payment method for performing the payment process received from the authentication server apparatus 100. -21 and the settlement method selection screen MB-2 including the net bank selection button MB-22 are displayed on the display unit 214.

  For example, when the card selection button MB-21 is clicked by the user via the input unit 212, the terminal apparatus 200 follows the control information including the payment information received from the authentication server apparatus 100 according to the control information including the “Yes” button MB-31. The payment confirmation screen MB-3 including the “No” button MB-32 is displayed on the display unit 214. Here, as the payment information such as credit card information, the information registered in the payment information file 106c in advance is used, so the user does not need to input at the time of payment.

  When the user clicks the “Yes” button MB-31 via the input unit 212, the terminal device 200 follows the control information received from the authentication server device 100 with the “Yes” button MB-41 and “No”. "Delivery address confirmation screen MA-4 including" MB "button MB-42 is displayed on display 214.

  When the user clicks the “Yes” button MB-41 via the input unit 212, the terminal device 200 transmits the confirmed information to the authentication server device 100, and the authentication server device 100 receives the user information acquisition unit. Through the process of 102c, the user information (telephone number, address, etc.) stored in the user information DB 106b corresponding to the line identification information is acquired as the destination information, and the settlement process is executed by the process of the settlement unit 102d. The payment processing completion information is transmitted to the terminal device 200, and the terminal device 200 controls the display unit 214 to display the payment completion screen MB-5.

  On the other hand, when the “No” button MB-42 is clicked by the user via the input unit 212, the terminal device 200 displays the telephone number input screen MB-61, “Yes” button MB-62, and “ The telephone number designation screen MB-6 including the “No” button MB-63 is displayed. When the user inputs a telephone number to the telephone number input screen MB-61 via the input unit 212 and clicks the “Yes” button MB-62, the terminal device 200 transmits information such as the telephone number to the authentication server device. 100, the authentication server device 100 searches the user information DB 106b for the address associated with the received telephone number and sets it as a destination by the processing of the user information acquisition unit 102c. A settlement process is executed by the process. The payment processing completion information is transmitted to the terminal device 200, and the terminal device 200 controls the display unit 214 to display the payment completion screen MB-7. The above is an example of processing when purchasing a product through NGN. As described above, the payment is made with the payment information registered in the payment information file 106c in advance, and the delivery destination is also sent to the address registered in the user information DB 106b, and is an NGN connected to the fixed network. Therefore, since everything is authenticated by the telephone number, the operation is easy and secure.

[Another application using a digital TV broadcast shopping program (2-click version)]
Another example of purchasing a product through NGN in a digital TV broadcast shopping program will be described below with reference to FIG. FIG. 17 is a screen transition diagram illustrating an example of transition of the display screen when purchasing a product through NGN. The information on the display screen displayed on the display unit 214 of the terminal device 200 shown below is transferred from the authentication server device 100 to the terminal device 200 by the processing of the settlement unit 102d of the authentication server device 100 as described above. Control information and the like.

  As shown in FIG. 17, first, as a digital TV terminal device, when receiving a digital TV broadcast, the terminal device 200 controls the display unit 214 to display a mail order program screen MC-1 including a settlement icon MC-11. Display.

  When the user clicks on the payment icon MC-11 via the input unit 212 such as a TV remote controller, the terminal device 200 sets the address of the authentication server device 100 associated with the payment icon MC-11 to the address of the authentication server device 100. Request information for payment processing is transmitted via the NGN 300, and the authentication server device 100 acquires payment information (credit card information, destination information, etc.) registered in the payment information file 106c in advance and uses the terminal device as control information. 200. The terminal device 200 causes the display unit 214 to display the confirmation screen MC-2 including the “Yes” button MC-21 and the “Change” button MC-22 according to the control information received from the authentication server device 100.

  When the user clicks the “Yes” button MC-21 via the input unit 212, the terminal device 200 transmits the confirmed information to the authentication server device 100, and the authentication server device 100 performs the processing of the settlement unit 102d. Thus, the payment process is executed based on the payment information. The payment processing completion information is transmitted to the terminal device 200, and the terminal device 200 controls the display unit 214 to display the payment completion screen MC-3.

  On the other hand, when the “change” button MC-22 is clicked by the user via the input unit 212, the terminal device 200 displays the card selection button MC-401, the card selection tab MC-402, the card according to the received control information. Number input screen MC-403, expiration date input screen MC-404, card name input screen MC-405, net bank settlement button MC-406, bank selection button MC-407, registered address selection button MC-409, registered address change button Payment information change screen MC-4 including MC-410, telephone number input screen MC-411, “Yes” button MC-412 and “No” button MC-413 is displayed.

  When there is an input via the input unit 212 for an item to be changed from the payment information registered by the user, the terminal device 200 selects whether or not to register the changed item in the payment information file 106c. Therefore, a registration confirmation screen MC-5 including a “Yes” button MC-51 and a “No” button MC-52 is displayed. Then, the terminal device 200 transmits the information on the change item of the payment information and the registration permission information to the authentication server device 100, and the authentication server device 100 performs the payment processing based on the payment information by the processing of the payment unit 102d. Execute. The payment processing completion information is transmitted to the terminal device 200, and the authentication server device 100 controls the display unit 214 to display the payment completion screen MC-3.

  In this way, in the digital TV broadcast shopping program, the present authentication system is configured to be able to purchase a product via NGN. In addition, the settlement is performed with the settlement information registered in advance in the user information DB 106b, and the delivery destination is also sent to the address registered in the user information DB 106b associated with the telephone number. Since it is an NGN connected to a fixed network, everything is authenticated by a telephone number (line recognition number), so that the operation is easy and secure. The number of clicks can be completed only two times except when processing different from normal processing is performed, that is, when the registered payment information is not changed. In the above example, the example in which the authentication is performed only with the line identification information has been described. However, the present invention is not limited to this. For example, when there are a plurality of persons using the same line, for example, wrong purchase at home, etc. In order to prevent this, some kind of authentication information may be requested by some kind of authentication device 210 represented by a USB card reader.

[Usage example of electronic medical records]
According to the present authentication system, authentication is performed by using an NGN telephone number (line recognition number) and some authentication information (not essential), so one authentication is also used when using multiple SaaS (Software as a Service). It can be used securely only by the method (single sign-on). In this case, since authentication is performed using a telephone number (line recognition number), the authentication information may be anything such as IC card information or a password. Furthermore, since authentication is performed using the line identification number, even if the line is not shared among a plurality of people, such as living alone, even an authentication key (authentication information) such as a card is not required. Here, FIG. 18 is a diagram illustrating an example in which the authentication by the authentication system is used for obtaining an electronic medical record.

  As shown in FIG. 18, authentication for obtaining electronic medical records and the like from a home or a hospital can be performed with a single authentication method using the NGN 300 telephone number (line recognition number) and authentication information such as an IC card. . In other words, in addition to hospital A during hospital visits, it is possible to obtain electronic medical records at other hospitals B such as during travel, and it can also be applied to services that require strong security, such as acquisition of electronic medical records. .

[Other embodiments]
Although the embodiments of the present invention have been described so far, the present invention is not limited to the above-described embodiments, but can be applied to various different embodiments within the scope of the technical idea described in the claims. It may be implemented.

  For example, the case where the authentication server device 100 performs processing in a stand-alone form has been described as an example. However, processing is performed in response to a request from a client terminal configured in a separate housing from the authentication server device 100, and the processing You may comprise so that a result may be returned to the said client terminal.

  In addition, among the processes described in the embodiment, all or part of the processes described as being automatically performed can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method.

  In addition, unless otherwise specified, the processing procedures, control procedures, specific names, information including registration data for each processing, parameters such as search conditions, screen examples, and database configurations shown in the above documents and drawings Can be changed arbitrarily.

  Moreover, regarding the authentication server device 100, each illustrated component is functionally conceptual and does not necessarily need to be physically configured as illustrated.

  For example, all or some of the processing functions provided in each device of the authentication server device 100, particularly the processing functions performed by the control unit 102, are interpreted and executed by a CPU (Central Processing Unit) and the CPU. It may be realized by a program to be executed, or may be realized as hardware by wired logic. The program is recorded on a recording medium to be described later, and is mechanically read by the authentication server device 100 as necessary. In other words, the storage unit 106 such as ROM or HD stores a computer program for performing various processes by giving instructions to the CPU in cooperation with an OS (Operating System). This computer program is executed by being loaded into the RAM, and constitutes a control unit in cooperation with the CPU.

  The computer program may be stored in an application program server connected to the authentication server device 100 via an arbitrary network (such as NGN 300), and all or part of the computer program is downloaded as necessary. It is also possible.

  The program according to the present invention can also be stored in a computer-readable recording medium. Here, the “recording medium” refers to any “portable physical medium” such as a flexible disk, a magneto-optical disk, a ROM, an EPROM, an EEPROM, a CD-ROM, an MO, and a DVD, or a LAN, WAN, or Internet. It includes a “communication medium” that holds the program in a short period of time, such as a communication line or a carrier wave when the program is transmitted via a network represented by

  The “program” is a data processing method described in an arbitrary language or description method, and may be in any format such as source code or binary code. The “program” is not necessarily limited to a single configuration, but is distributed in the form of a plurality of modules and libraries, or in cooperation with a separate program represented by an OS (Operating System). Including those that achieve the function. Note that a well-known configuration and procedure can be used for a specific configuration for reading a recording medium, a reading procedure, an installation procedure after reading, and the like in each device described in the embodiment.

  Various databases and the like (permitted line identification information file 106a to settlement information file 106c) stored in the storage unit 106 are storage means such as a memory device such as RAM and ROM, a fixed disk device such as a hard disk, a flexible disk, and an optical disk. Yes, it stores various programs, tables, databases, web page files, etc. used for various processes and website provision.

  Further, the authentication server device 100 is connected to an information processing device such as a known personal computer or workstation, and software (including a program, data, etc.) for realizing the method of the present invention is installed in the information processing device. It may be realized.

  Furthermore, the specific form of distribution / integration of the devices is not limited to that shown in the figure, and all or a part of them may be functional or physical in arbitrary units according to various additions or according to functional loads. Can be distributed and integrated.

  As described above in detail, according to the present invention, an authentication server device and an authentication method that enable reliable authentication using only line identification information without requiring user authentication using a password, an IC card, or the like. Since the authentication system can be provided, it is extremely useful in the information security field and the information processing field.

DESCRIPTION OF SYMBOLS 100 Authentication server apparatus 102 Control part 102a Line identification information acquisition part 102b Authentication part 102c User information acquisition part 102d Settlement part 104 Communication control interface part 106 Storage part 106a Permitted line identification information file 106b User information DB (database)
106c Settlement information file 200 Terminal device 202 Control unit 210 Authentication device 212 Input unit 214 Display unit 300 NGN (Next Generation Network)

Claims (11)

An authentication server device having at least a storage unit and a control unit, which is communicably connected to a terminal device via an NGN (Next Generation Network) that provides line identification information for uniquely identifying a line used during data communication Because
The storage unit
Permitted line identification information storage means for storing the line identification information for permitting authentication;
With
The controller is
Line identification information acquisition means for acquiring the line identification information from the NGN when performing the data communication from the terminal device via the NGN;
Authentication means for performing authentication by determining whether or not the line identification information acquired by the line identification information acquisition means is stored in the permitted line identification information storage means;
An authentication server device comprising: The authentication server device according to claim 1,
The storage unit
A user information database for storing user information in association with the line identification information;
Further comprising
The controller is
User information acquisition means for acquiring the user information corresponding to the line identification information acquired by the line identification information acquisition means from the user information database;
An authentication server device further comprising: In the authentication server device according to claim 1 or 2,
The controller is
Payment means for performing a payment process when authentication is permitted by the authentication means;
An authentication server device further comprising: The authentication server device according to claim 3,
The terminal device
Connected to an authentication device for entering authentication information,
The permitted line identification information storage means includes:
In association with the line identification information permitting the authentication, the authentication information of the authentication device is stored,
The settlement means is
When the terminal device is controlled to transmit the authentication information input from the authentication device, and the authentication information is received from the terminal device via the NGN, it corresponds to the acquired line identification information Determining whether or not the authentication information stored in the permission identification information storage unit matches the received authentication information, and performing the payment processing if they match,
An authentication server device. The authentication server device according to claim 4,
The authentication information is:
Be a card ID, biometric information, device ID, user name, or password,
An authentication server device. The authentication server device according to claim 5,
The terminal device
It has a display part and an input part,
The settlement means is
When control information for controlling the display unit and the input unit is transmitted to the terminal device so that the user inputs confirmation information for confirming that the settlement process is performed, and authentication is permitted by the authentication unit And when the confirmation information is received from the terminal device, performing the payment process,
An authentication server device. The authentication server device according to claim 5,
The terminal device
It has a display part and an input part,
The settlement means is
The control information for controlling the display unit and the input unit is transmitted to the terminal device to allow the user to select a payment method for performing the payment process, and authentication is permitted by the authentication unit. And, when receiving the payment method selection information from the terminal device, performing the payment processing according to the payment method based on the selection information,
An authentication server device. The authentication server device according to any one of claims 5 to 7,
The storage unit
Payment information storage means for storing payment information necessary for performing the payment processing in association with the line identification information;
In addition,
The payment means performs the payment processing based on the payment information stored in the payment information storage means;
An authentication server device. The authentication server device according to any one of claims 5 to 7,
The settlement means performs the settlement processing based on the telephone number, the line owner name, or the address information acquired as the user information by the user information acquisition means;
An authentication server device. An authentication server device having at least a storage unit and a control unit, which is communicably connected to a terminal device via an NGN (Next Generation Network) that provides line identification information for uniquely identifying a line used during data communication An authentication method performed in
The storage unit
Permitted line identification information storage means for storing the line identification information for permitting authentication;
With
Executed in the control unit,
A line identification information acquisition step of acquiring the line identification information from the NGN when performing the data communication from the terminal device via the NGN;
An authentication step for performing authentication by determining whether or not the line identification information acquired in the line identification information acquisition step is stored in the permitted line identification information storage unit;
An authentication method comprising: A terminal device including at least a control unit, and an authentication server device including at least a storage unit and a control unit via NGN (Next Generation Network) that provides line identification information for uniquely identifying a line used during data communication And an authentication system configured to be communicably connected,
The storage unit of the authentication server device is
Permitted line identification information storage means for storing the line identification information for permitting authentication;
With
The control unit of the authentication server device includes:
Line identification information acquisition means for acquiring the line identification information from the NGN when performing the data communication from the terminal device via the NGN;
Authentication means for performing authentication by determining whether or not the line identification information acquired by the line identification information acquisition means is stored in the permitted line identification information storage means;
An authentication system characterized by comprising:

Images