AU2004254771B2 - User authentication system - Google Patents

User authentication system

Info

Publication number
AU2004254771B2
Authority
AU
Australia
Prior art keywords
server
authentication
client
biometric
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
AU2004254771A
Other versions
AU2004254771A1 (en)
Inventor
Shinji Hirata
Yoshiaki Isobe
Yoichi Seto
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Ltd
Original Assignee
Hitachi Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Ltd
Publication of AU2004254771A1
Application granted
Publication of AU2004254771B2
Anticipated expiration
Ceased (current legal status)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Description

VERIFICATION OF TRANSLATION National Stage in Australia Patent Application of PCT/JP2004/002411 I, Sekizo HAYASHI, a citizen of Japan, c/o Asamura Patent Office of 331-340, New Ohtemachi Building, 2-1, Ohtemachi-2-chome, Chiyoda-ku, Tokyo, Japan do hereby solemnly and sincerely declare: 1. THAT I am well acquainted with the Japanese language and English language, and 2. THAT the attached is a full, true and faithful translation into the English language made by me of the PCT Application No. PCT/JP2004/002411 and Amendment made under PCT Article 34.
AND I, Sekizo HAYASHI, certify and state that the facts set forth above are true.
DATED this 15th day of November, 2005 Signature of translator Registered Attorney W2723 39/9 1
DESCRIPTION

USER AUTHENTICATION SYSTEM

TECHNICAL FIELD

The present invention relates to a user authentication protocol between a server device providing services over a telecommunication network and a client device receiving those information services.
BACKGROUND ART

With the development and spread of broadband systems and cellular phones, there is an increasing need for secure authentication conducted over telecommunication networks. To meet this need, authentication systems have been proposed which use the biometric authentication techniques conventionally adopted to control entry into and exit from high-security areas.
The conventional techniques regarding the situation above are as follows.
For user authentication by conventional biometric authentication, a business-card-sized unit includes a capacitive fingerprint sensor, a fingerprint registration function, a fingerprint comparison function, and a function conforming to a Public Key Cryptography Standard (PKCS). A private key held in the unit is activated according to the result of comparing the captured fingerprint against fingerprint information registered in the unit beforehand. Using the activated private key, user authentication and signing are achieved through a Public Key Infrastructure (PKI) (see, for example, the apparatus described in "Bio-Keys Sony FIU-710", PC Magazine, Vol. 20, No. 11, p. 174 (2001/7/12), referred to as non-patent article 1 hereinbelow).

Additionally, an authentication server may be installed to collate a plurality of biometric registration data items in a centralized manner. The server includes a function to set, for each electronic settlement in the business operations of an ERP application to which authentication is provided, a policy combining authentication schemes with AND and/or OR. For terminal authentication, the template required for the authentication is downloaded via terminal software, and the terminal conducts the user authentication. The terminal software also operates in cooperation with separately installed PKI terminal software to conduct user authentication and signing (see, for example, the system described in Mandy Andress, "Centralized security key Authentication Suite 4.0 means managing multiple authentication schemes is easy and cheap", InfoWorld, Aug. 13, 2001, Vol. 23, No. 33, p. 44, referred to as non-patent article 2 hereinbelow).

Also, for biometric authentication associated with PKI, a user authentication system has been proposed which holds information relating biometric registration data to a PKI certificate.
Using the biometric registration data and the PKI certificate information, biometric authentication is conducted to confirm the identity of the user (see, for example, JP-A-2000-215280, referred to as patent article 1 hereinbelow).
Furthermore, a PKI certificate format has been proposed in which a field for biometric template data is placed in an X.509 extension area so that biometric data can be stored in the certificate (see Santesson et al., "Internet X.509 Public Key Infrastructure Qualified Certificates Profile", RFC 3039, page 11 (2001/1), referred to as non-patent article 3 hereinbelow).
The conventional techniques are attended with the following problems.
In the technique of non-patent article 1, once the fingerprint comparison has produced a result, user authentication with the server is conducted using PKI. However, the server cannot tell how the subject of the private key was authenticated on the client side, and therefore cannot determine whether the security policy required by the application is satisfied.
In addition, since the method of authenticating the subject of the private key is limited to the single biometric modality built into the token, a problem peculiar to biometric authentication arises when the technique is expanded to a mass user base: there will be cases with which that single modality cannot cope.
The technique of non-patent article 2 is a system for an in-house network in which the biometric authentication function is provided to the network application server only for the biometric methods installed beforehand by the organization. If biometric authentication is to be used by an unspecified number of members of the general public over a public network such as the internet, user authentication therefore cannot be implemented for each user's request. Also, since the biometric information, which is the user's private information, must be transferred over the network, there is a problem of privacy protection. Moreover, the authentication policy is managed by the server providing the authentication service, so the policy of the application providing the service cannot be controlled dynamically.
The technique of patent article 1 is a system that authenticates biometrics in the client and hence does not accommodate systems based on other biometric authentication models.
Non-patent article 3 only defines a field in the certificate; it does not define at all how to conduct user authentication associated with biometrics, which has various unique problems (such as aging of the biometric feature and failure to enroll).
Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is solely for the purpose of providing a context for the present invention. It is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention as it existed before the priority date of each claim of this application.
Throughout this specification the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated element, integer or step, or group of elements, integers or steps, but not the exclusion of any other element, integer or step, or group of elements, integers or steps.
DISCLOSURE OF THE INVENTION

The present invention provides a user authentication system in which both a server and a client manage, as functions, the user authentication methods (including biometric authentication) that each of them possesses. Through a session between the server and the client, the user authentication methods possessed by each side are exchanged so as to select a user authentication method matching both the server's application policy and the user's preference.
According to a first aspect of the invention, there is provided a user authentication system operating between a server providing information services and a client receiving the information services, wherein: the server has a security policy which defines, for each service ID of the information service, an authentication model required by the information service, a safety level of the client required by the information service, a false acceptance rate required by the information service, and whether validation of the validity of a template is necessary; the server, when the information service requested by the client requires user authentication, sends the client a user authentication request which includes a specification of the authentication model corresponding to the information service and a list of the biometric authentication methods feasible for the server; the client selects, from the list of biometric authentication methods feasible for the server, those which are feasible for the client and notifies the server of them; the server determines, from the list of biometric authentication methods feasible for the client thus selected and notified, a biometric authentication method which conforms to the security policy, and notifies the client of that method; the client sends to the server biometric information conforming to the biometric authentication method thus determined; the server conducts biometric comparison using the biometric information thus sent, thereby conducting user authentication; and the server determines whether the information service can be provided to the client by checking whether the result of the biometric comparison satisfies the false acceptance rate and whether the template used for the biometric comparison is valid.
According to a second aspect of the invention, there is provided a user authentication system operating between a server providing information services and a client receiving the information services, wherein: the server has a security policy which defines, for each service ID of the information service, an authentication model required by the information service, a safety level of the client required by the information service, a false acceptance rate required by the information service, and whether validation of the validity of a template is necessary; the server, when the information service requested by the client requires user authentication, sends the client a user authentication request which includes a specification of the authentication model corresponding to the information service and a list of the biometric authentication methods feasible for the server; the client selects, from the list of biometric authentication methods feasible for the server, those which are feasible for the client, and returns them to the server; the server determines, from the selected and notified list of biometric authentication methods feasible for the client, a biometric authentication method which conforms to the security policy, and notifies the client of that method together with a challenge code; the client sends to the server biometric information conforming to the biometric authentication method thus determined, together with the result of encrypting the server's challenge code with the user's private key of a public key cipher; the server decrypts the encrypted data with the user's public key of the public key cipher to verify the challenge code; the server conducts biometric comparison using the biometric information, thereby conducting user authentication; and the server determines whether the information service can be provided to the client by checking whether the result of the biometric comparison satisfies the false acceptance rate and whether the template used for the biometric comparison is valid.
According to a third aspect of the invention, there is provided a user authentication system operating between a server providing an information service and a client receiving the information service, wherein: the server has a security policy which defines, for each service ID of the information service, an authentication model required by the information service, a safety level of the client required by the information service, a false acceptance rate required by the information service, and whether validation of the validity of a template is necessary; the server, when the information service requested by the client requires user authentication, sends the client a user authentication request which includes a specification of the authentication model corresponding to the information service and a list of the biometric authentication methods feasible for the server; the client selects, from the list of biometric authentication methods feasible for the server, a list of those which are feasible for the client, and notifies the server of the list; the server determines, by referring to the security policy, a biometric authentication method which satisfies the safety level and the false acceptance rate from the selected and notified list of biometric authentication methods feasible for the client, and notifies the client of that method; the client collects biometric information conforming to the biometric authentication method thus determined; either the server or the client conducts biometric comparison using the biometric information, according to the category of the authentication model thus specified, thereby performing user authentication; and the server determines whether the information service can be provided to the client by checking whether the result of the biometric comparison satisfies the false acceptance rate and whether the template used for the biometric comparison is valid.
In addition, when the server's policy also allows a user authentication method in which the biometric comparison is conducted in the client, that user authentication method may be selectively added.
Furthermore, to protect privacy, request information restricting a range of use of biometric information may be attached to the information sent from the client to the server.
Additionally, when a method in which the biometric comparison is conducted in the client is selected, the result of the comparison and the registered information used as the reference for the comparison may be notified to the server.
Also, when the server entrusts biometric authentication to another server which has a user authentication server function and which is trusted by the server, information on the trusted server may be added as a biometric authentication method.
BRIEF DESCRIPTION OF DRAWINGS

A preferred embodiment of the invention will hereinafter be described, by way of example only, with reference to the drawings, in which:

FIG. 1 is a configuration diagram of the entire system in an embodiment;
FIG. 2 is a configuration diagram of a client in the embodiment;
FIG. 3 is an explanatory diagram of a first biometric authentication model, in which biometric comparison is conducted on the client side;
FIG. 4 is an explanatory diagram of a second biometric authentication model, in which biometric comparison is conducted on the server side;
FIG. 5 is a block diagram showing the functional configuration of a user's client 110;
FIG. 6 is a table controlling the user authentication algorithms possessed by the user client 110;
FIG. 7 is a table of setting items of the user client 110;
FIG. 8 is a control table of the user templates possessed by the user client 110;
FIG. 9 is a block diagram showing the functional configuration of an AP server 140;
FIG. 10 is a table controlling the user authentication algorithms possessed by the AP server 140;
FIG. 11 is a table setting policies regarding a safety level for each user authentication method of the AP server 140;
FIG. 12 is a table setting a safety level for each policy of the AP server 140;
FIG. 13 is a first overall processing flow of user authentication conducted between the client and the AP server 140;
FIG. 14 is a second overall processing flow of user authentication conducted between the client and the AP server 140, for the case in which the templates are stored somewhere other than the device which executes the comparison;
FIG. 15 is a table of the items of the messages by which the AP server 140 requests the client to conduct user authentication;
FIG. 16 is a table of the items of the client's response messages to the messages of FIG. 15;
FIG. 17 is a table of the items of the messages to the client, each including a response and a challenge code, replying to the messages of FIG. 16;
FIG. 18 is a table of the items of the response messages to the server replying to the messages of FIG. 17;
FIG. 19 is a table of the items of the notification messages including the client's user authentication results, replying to the messages of FIG. 18;
FIG. 20 is a third overall processing flow of user authentication conducted between the client and the AP server 140, for the case in which the authentication server executes the biometric authentication processing of an application by proxy;
FIG. 21 is a table of the items of the messages by which the AP server 140 sends authentication information to the authentication server when the authentication server executes biometric authentication processing by proxy;
FIG. 22 is a table of the items of the notification messages by which the authentication server sends a comparison result to the AP server 140 when the authentication server executes biometric authentication processing by proxy;
FIG. 23 is an example of a setting screen set by the user of the client 110;
FIG. 24 is an example of a setting screen of a security policy in the server for each application; and
FIG. 25 is an example of a setting screen of a security policy for each authentication method in the server.
BEST MODE FOR CARRYING OUT THE INVENTION

Description will be given of an embodiment of the present invention in the following order.

1. System configuration
2. User authentication model
3. Biometric authentication protocol
4. Client functional configuration
5. Server functional configuration
6. Authentication server functional configuration
7. Examples of various information setting screens

1. System configuration

FIG. 1 shows the overall system configuration of the embodiment.
The system of the embodiment is desirably built on a public key infrastructure. Each client device and each server device is connected to a communication network such as the internet (referred to as the internet hereinbelow), and they communicate with each other using the Internet Protocol (IP).
Each user connects to the internet 120 from a terminal (referred to as a client hereinbelow) 110 possessed by the user and requests a service from a server device (referred to as an AP server hereinbelow) 140. Also connected to the internet 120 are a Certificate Authority (abbreviated CA hereinbelow) 150 which certifies public keys, a Biometric Certificate Authority (abbreviated BCA hereinbelow) 160 which certifies the registered information (referred to as a template hereinbelow) used for biometric authentication, and an authentication server device (referred to as an authentication server hereinbelow) 170 which conducts biometric comparison by proxy in response to requests from the AP server 140.
The biometric authentication functions of the client 110 fall into the following three cases, depending on the method used:
The client 110 possesses an authentication information acquisition function 111 and an individual information storage function 112.
The client 110 possesses only the authentication information acquisition function 111.
The client 110 possesses the authentication information acquisition function 111, a comparison function 113, and the individual information storage function 112.
Each AP server 140 provides services to users and includes a function to manage a user authentication policy for each service, so as to conduct user authentication according to the information presented by the client 110.
The CA 150 certifies the public keys of the user, the client 110, the AP server 140, the BCA 160, and the authentication server 170, and issues a certificate for each.
The BCA 160 certifies a user's template for biometric authentication and issues a certificate for it.
The authentication server 170 prepares various biometric authentication functions in place of the AP server 140 and provides a biometric authentication result to the AP server 140.
The embodiment provides, in consideration of such variety of biometric authentication methods, a protocol to relate electronic authentication by a public key to biometric authentication to confirm whether or not a user issuing a request for a service to the AP server 140 is a person possessing an appropriate privilege.
FIG. 2 shows the functional configuration of each device shown in FIG. 1. The device includes an information input unit 240, a display 220, a storage 250, and a communication device 230, all connected to a processing unit (CPU) 210. A processing procedure (program) is stored in the storage 250. The processing unit 210 loads and executes the program to issue operation requests to the user through the display 220, to receive input from the user through the information input unit 240, to exchange information with external devices via the communication device 230, and to implement the other functions of each device.
The program may be stored in the storage 250 in advance or may be stored in the storage 250 via a portable storage medium or a communication medium (a communication network or a carrier propagating through the communication network) from another device.
2. User authentication model

2-1. User authentication model of PKI

Description will be given of a user authentication model between the client 110 and the AP server 140 using a public key infrastructure.
The user beforehand creates a private key paired with a public key and requests certification from the CA 150, receiving a public key certificate issued by the CA 150. The user's client 110 keeps the private key paired with the certified public key.
In the user authentication, the AP server 140, having received a request from the client 110, sends the client 110 a challenge code created by a random number generation function. The client 110 uses its signature function to encrypt the challenge code with the private key, that is, to produce a digital signature over it, and returns the digital signature to the AP server 140. The AP server 140 checks whether the data obtained by decrypting the signature with the public key of the certificate matches the challenge code, and thereby confirms whether the party which issued the service request is the person named in the certificate.
This user authentication relies on the property that only the user possesses the private key.
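The challenge-response exchange just described, written out as an added example (editor's code, not part of the patent and not a Hitachi implementation). The specification speaks of encrypting the challenge with the private key and decrypting it with the public key; the equivalent used here is an RSA PKCS#1 v1.5 signature over a SHA-256 hash of the challenge, verified with the user's public key. The CA 150 and the certificate are omitted, so the server is simply handed the public key at key generation; the names NewPair, NewChallenge, Sign and Verify are assumed. The check a practitioner wants is in Verify: each challenge is discarded after one verification attempt, so a captured signature cannot be replayed and every request needs a fresh challenge.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Editor's example; the patent names no message formats or functions, so
// every identifier here is assumed.

// Client keeps the user's private key (client 110 in the text); only the
// holder of this key can answer the server's challenge.
type Client struct{ priv *rsa.PrivateKey }

// Server (AP server 140) holds the user's public key, which in the full
// system comes from the CA-issued certificate, and at most one outstanding
// challenge for the session.
type Server struct {
	pub       *rsa.PublicKey
	challenge []byte
}

// NewPair generates a user key pair and hands the public half to the
// server; this stands in for enrolment with the CA 150.
func NewPair() (*Client, *Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, &Server{pub: &priv.PublicKey}, nil
}

// NewChallenge is the server's random number generation function: a fresh
// 32-byte challenge code, remembered until it has been used once.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenge = c
	return c, nil
}

// Sign is the client's signature function: SHA-256 of the challenge, signed
// with the private key (the specification's "encrypt with the private key").
func (c *Client) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, h[:])
}

// Verify is the server's check that the signature opens, under the public
// key of the certificate, to the challenge it issued. The challenge is
// forgotten whatever the outcome, so the same signature cannot be replayed.
func (s *Server) Verify(sig []byte) error {
	if s.challenge == nil {
		return errors.New("no outstanding challenge")
	}
	h := sha256.Sum256(s.challenge)
	s.challenge = nil
	return rsa.VerifyPKCS1v15(s.pub, crypto.SHA256, h[:], sig)
}

func main() {
	client, server, err := NewPair()
	if err != nil {
		panic(err)
	}
	ch, _ := server.NewChallenge()
	sig, _ := client.Sign(ch)
	fmt.Println("genuine response accepted:", server.Verify(sig) == nil)
	fmt.Println("replayed response rejected:", server.Verify(sig) != nil)
}
```

Run with go run; the second line shows the replay being refused because the challenge was consumed by the first verification. Binding the challenge to the session as well (for instance by also signing the service ID) is the natural extension when the same key is used towards several AP servers.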
2-2. Biometric authentication model of client comparison type

FIG. 3 shows a model of processing in which the comparison processing of biometric authentication is executed on the side of the client 110. The model is classified into two types according to the biometric authentication template control method, as below.
Client's control method: templates are controlled on the client 110 side.
Server's control method: the templates of each user are controlled centrally on the server side (including control by the BCA 160).

In the client's control method, a template certified by the BCA 160 is installed in the client 110 in advance. The comparison function 113 compares the template 15 with the biometric information collected by the authentication information acquisition function 111 and sends the result of the user authentication to the AP server 140.
In the server's control method, the template certified by the BCA 160 is instead sent to the client 110 at authentication time. The comparison function 113 then likewise compares the template 15 with the biometric information collected by the authentication information acquisition function 111 and sends the result of the user authentication to the AP server 140.
2-3. Biometric authentication model of server comparison type

FIG. 4 shows a model of processing in which biometric authentication is executed on the (application) server side. The model is classified into two types according to the biometric authentication template control method, as below.
Server's control method: the templates of each user are controlled centrally on the server side (including control by the BCA).
Client's control method: templates are controlled on the client 110 side.

In the server's control method, the authentication information acquisition function 111 of the client 110 sends the collected biometric information and the user's ID to the AP server 140. In the AP server 140, the comparison function compares the template 15 retrieved by the user ID with the biometric information, thereby conducting the user authentication.
In the client's control method, the authentication information acquisition function 111 of the client 110 sends the collected biometric information together with the template to the AP server 140. The AP server 140 compares the transmitted template 15 with the biometric information, thereby conducting the user authentication.
In this operation it is assumed that the template has been certified beforehand by the BCA 160.
Problems

If the PKI user authentication described in (2-1) is simply combined with the biometric authentication described in (2-2) and (2-3), the following problems exist.
It is not guaranteed that the person to whom an ID is assigned by the biometric authentication and the person to whom an ID is assigned by the PKI user authentication are the same person.
As described in (2-2) and (2-3), although various biometric authentication methods have been proposed, there is no platform (protocol) for selecting a biometric authentication method at the time user authentication is conducted.
In the model in which biometric authentication is completed on the client 110 side, the side providing the application has no platform (protocol) for determining how the user authentication was conducted to identify the user.
To cope with these problems, the embodiment defines a protocol which negotiates the functions possessed by the client side and the server side in order to determine the biometric authentication function used for user authentication, and provides a negotiation function for this purpose. The correspondence between the IDs assigned by the biometric authentication and by the PKI user authentication is guaranteed, for example, by the BCA's digital signature described in patent article 1.
4. Client functional configuration

FIG. 5 shows the functional configuration of the client 110.
The client 110 includes a communication function 201, an encryption function 202, a certificate and private key control function 203, an authentication method negotiation function 204, an authentication method setting function 205, an authentication method control function 206, and authentication functions 2100, 2200, 2300, and 2400 possessed by the client 110.
The authentication functions possessed by the client 110 are classified into four types as below.
Authentication function 2100, which includes a template storage function 212, a comparison function 213, and an authentication information acquisition function 211, and which conducts comparison in the client.
Authentication function 2200 which includes a template storage function 222 and an authentication information acquisition function 221 and which conducts comparison in the server.
Authentication function 2300 which includes an authentication information acquisition function 231 and which conducts comparison in the server.
Authentication function 2400 which includes a comparison function 243 and an authentication information acquisition function 241 and which conducts comparison in the client using a template transferred from the server.
Since different clients 110 may include overlapping sets of authentication functions, or a client 110 may lack an authentication function required by a given configuration, the embodiment makes it possible to achieve user authentication between the server and the client regardless of the client's configuration, by selecting an authentication function according to the state of the server.
FIG. 6 shows a control table of authentication functions possessed by the client 110.
The control table includes an ID to uniquely identify an authentication function of each vendor and an authentication model type. The authentication models are classified into four types as below.
Type S: Type in which the server side controls templates and the server conducts comparison.
Type C: Type in which the client controls templates and the client conducts comparison.
Type D: Type in which the server side controls templates and the client conducts comparison.
Type A: Type in which the client controls templates and the server conducts comparison.
The discrimination is made according to which authentication function conducts the user authentication under which of these models.
FIG. 7 shows setting items which the user of the client 110 sets for the authentication function.
The user sets five setting items of the authentication function as follows.
User information: an ID uniquely identifying the user and the user's certificate information (issuing CA name and serial number)
Template information: the templates possessed by the user and their number
Priority template: the template the user most desires to use for comparison
Privacy mode: designation of whether secret communication is used for the biometric information
Use range limit declaration: designation of whether a declaration is issued to the application limiting the use of the biometric information to the user authentication, for applications that require a biometric information use range

FIG. 8 shows the control table of the template information possessed by the client 110, as described above. The table includes an ID uniquely identifying a template (the template-issuing organization, i.e. the BCA, and its serial number), the user ID of the person to whom the template belongs, and an ID uniquely identifying the authentication function which collates the template.
Server function configuration
FIG. 9 shows a functional configuration of the AP server 140. The AP server 140 includes a communication function 301, an encryption function 302, a certificate and private key control function 303, an authentication method negotiation function 304, an authentication method setting function 305, an authentication method control function 306, authentication functions 310, 320, and 330 possessed by the AP server 140, and an authentication function result determination function 307. Three kinds of authentication functions are available in the AP server 140.
First authentication function which includes a template control function 312 and a comparison function 313 and which conducts comparison in the server.
Second authentication function which includes only a template control function 322 and which conducts comparison in the client 110.
Third authentication function which includes only a comparison function 330 and which compares a template sent from the client with biometric information in the server.
When the client 110 controls the templates for comparison, it is not required for the AP server 140 to possess the associated authentication function.
As with the client 110, the embodiment is independent of the server's functional configuration: user authentication is achieved between the server and the client by selecting an authentication function according to the state of the client.
In this connection, the authentication server 170 has a configuration similar to that of the AP server 140.
FIG. 10 shows a table to control authentication methods (algorithms) possessed by the AP server 140. The control table includes an ID uniquely identifying a method algorithm and a template control type. Three template control types exist as below.
Type S: Type in which the AP server 140 controls a template
Type C: Type in which the client controls a template
Type 0: Type in which another server such as the BCA controls a template
FIG. 11 shows a table to set safety levels for the user authentication methods of the AP server 140. The table includes an algorithm ID, a comparison type, and a safety level of a comparison algorithm.
Using the table, a safety level can be selected for an authentication method according to an application policy provided by the AP server 140. The safety levels are, for example, as follows.
Assigning levels according to discrimination performance (such as a false acceptance rate) of comparison software
Safety evaluation level of the client 110 in which comparison software is installed (EAL of ISO15408)
Assigning levels according to authentication models of comparison software
In consideration of the conditions above, a safety level of each comparison software is set according to the policy of each AP server 140.
FIG. 12 shows a table to set the policy of the AP server 140. The table is constructed as below.
Service ID: Code identifying a service provided by the AP server 140
Required authentication model: Authentication model required by the service
Required safety level: Safety level (EAL of ISO15408) required by the service
Required FAR: FAR required by the service
Validity verification flag: Processing content of validity verification in the service
Moreover, an item "Quality level of biometric information such as an inputted image: policy taking the picture quality level into account" may be added to these items.
To satisfy the security policy of the AP server described above, each biometric authentication algorithm has functions as below.
Function to output, as an S/N ratio, the noise level of the picture quality of an input image. Compared with the noise level in ordinary use, this makes it possible to reject an input image showing remarkable variation.
Function to output the quantity of variation in successively collected images. Compared with the quantity of variation in an ordinary case, this makes it possible, if no variation appears, to reject the input image as a forgery such as a photograph.
Function to output information indicating that input features are excessive or insufficient. In the case of face comparison, evaluating whether or not the face structure is appropriately inputted can be expected to increase the certainty of comparison.
Authentication protocol
FIG. 13 shows an authentication flow of the embodiment.
First, the client 110 sends a service request 811 to the AP server 140.
The AP server 140 in which the protocol of the embodiment is installed makes a check to determine whether the requested service is a service requiring user authentication (821). If the service requires the user authentication, the AP server 140 sends to the client 110 a user authentication request 831 including a list of authentication methods possessed by the AP server 140.
The client 110 selects from the authentication method list an authentication method which can be handled by the authentication information acquisition function under control of the client 110.
In addition, a comparison function controlled by the client 110 is added to the selected list (801). In the created list, if there exists an authentication method using a template which is desired to be used with highest priority, the method is rearranged to an uppermost position in the list. The client 110 returns the user authentication specification 812 created as above to the AP server 140.
The AP server 140 determines, using the policy control table, the authentication method most suitable for the requested service. When several authentication methods satisfy the safety level and the FAR and one of them is the method desired by the user (the authentication method at the uppermost position), the AP server 140 selects the desired authentication method (822). If the safety level of an authentication method added by the client 110 is not known, information such as the FAR of the authentication method, the vendor that developed it, and the BCA certifying its performance is obtained online to determine whether or not the safety level is satisfied.
The AP server 140 notifies the client 110 of the user authentication method thus determined and a challenge code created by the application. If no authentication method conforming to the policy exists, the AP server 140 notifies the end of the session (832).
The client 110 collects authentication information according to the determined authentication method (802).
In the case of an authentication method in which the client 110 controls and compares the template, the authentication information collected in step 802 is compared (803).
For the challenge code and the authentication information collected in step 802, the client 110 creates a signature by a private key of a user of the template (804).
The client 110 returns the collected authentication information and the user signature 813 to the application.
The server 140 verifies integrity of the certificate, the user signature 813, and integrity of the template through signature verification processing (823).
Additionally, the AP server 140 verifies integrity of the certificate and the template using information of the certification authority, BCA (824).
When the AP server 140 controls and compares the template, the template and the delivered authentication information are compared (825).
Based on the comparison result and the verification results of steps 823 and 824, the AP server 140 confirms whether there is a comparison score satisfying the FAR and whether the verification was conducted using valid information, to determine whether or not the service can be provided (826).
The AP server 140 notifies a result of the authentication to the client 110. If it is determined in step 826 that the service can be provided, the AP server 140 provides the service (833).
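The negotiation and decision steps above (801, 821, 822 and 826), modelled as an added example that is not part of the patent: the policy table of FIG. 12 drives method selection and the outcome is reported with the result codes of FIG. 19. Every method ID, service ID, safety level and FAR value is constructed, as is the BCA registry standing in for the online lookup of an unknown method.

```python
"""Added worked model of the negotiation (steps 821, 801, 822) and the
service decision (step 826) of FIG. 13, driven by the policy table of
FIG. 12 and reporting the result codes of FIG. 19. Every method ID,
service ID and numeric value below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Authentication model types of FIG. 6: who holds the template, who compares.
#   S: server holds, server compares    C: client holds, client compares
#   D: server holds, client compares    A: client holds, server compares
CLIENT_COMPARES = {"C", "D"}


@dataclass(frozen=True)
class Method:
    method_id: str               # ID uniquely designating the algorithm (FIG. 10)
    model: str                   # authentication model type, one of S/C/D/A
    safety_level: Optional[int]  # safety level of FIG. 11; None = unknown to the server
    far: Optional[float]         # false acceptance rate; None = unknown to the server


@dataclass(frozen=True)
class Policy:
    service_id: str              # service ID of FIG. 12
    required_models: frozenset   # authentication models accepted by the service
    required_safety: int         # minimum safety level of the client / algorithm
    required_far: float          # maximum FAR accepted by the service
    verify_template: bool        # validity verification flag


# Constructed server-side method list (sent in request 831) and policy table.
SERVER_METHODS = [
    Method("FP-VENDOR-1", "S", 4, 1e-4),
    Method("FACE-VENDOR-2", "S", 3, 1e-3),
    Method("FP-VENDOR-3", "D", 4, 1e-5),
]
POLICY = {
    "payment": Policy("payment", frozenset({"S", "A"}), 4, 1e-4, True),
    "portal": Policy("portal", frozenset({"S", "C", "D", "A"}), 3, 1e-3, False),
}
# Constructed stand-in for the online BCA lookup the server performs when a
# client-added method has no known safety level (step 822).
BCA_REGISTRY = {"IRIS-CLIENT-9": (4, 1e-6)}


def client_response(offered, acquirable_ids, client_own, priority_method_id):
    """Step 801: keep the offered methods the client can acquire data for, append
    the client's own comparison methods, and move the method bound to the user's
    priority template to the top (the list order is the user's preference)."""
    chosen = [m for m in offered if m.method_id in acquirable_ids]
    chosen += [m for m in client_own if m.model in CLIENT_COMPARES]
    # Stable sort: only the priority method (key False) moves to the front.
    chosen.sort(key=lambda m: m.method_id != priority_method_id)
    return chosen


def resolve_unknown(method):
    """Fill in an unknown safety level / FAR from the (constructed) BCA registry."""
    if method.safety_level is not None and method.far is not None:
        return method
    level, far = BCA_REGISTRY.get(method.method_id, (None, None))
    return Method(method.method_id, method.model, level, far)


def select_method(policy, proposed):
    """Step 822: among the proposed methods that conform to the policy, prefer the
    client's top entry. Returns None when nothing conforms (session ends, 832)."""
    def conforms(m):
        m = resolve_unknown(m)
        return (m.model in policy.required_models
                and m.safety_level is not None and m.safety_level >= policy.required_safety
                and m.far is not None and m.far <= policy.required_far)
    conforming = [m for m in proposed if conforms(m)]
    return conforming[0] if conforming else None


# Result codes of FIG. 19.
RESULT_OK, RESULT_PKI_FAILED, RESULT_TEMPLATE_FAILED, RESULT_COMPARISON_FAILED = 0, 1, 2, 3


def decide_service(policy, signature_ok, template_valid, score_far):
    """Step 826: the service is provided only if the challenge signature verified
    (823), the template is valid where the policy demands it (824), and the
    comparison score meets the FAR. score_far is the FAR at the achieved score."""
    if not signature_ok:
        return RESULT_PKI_FAILED
    if policy.verify_template and not template_valid:
        return RESULT_TEMPLATE_FAILED
    if score_far > policy.required_far:
        return RESULT_COMPARISON_FAILED
    return RESULT_OK


if __name__ == "__main__":
    own = [Method("IRIS-CLIENT-9", "C", None, None)]
    spec = client_response(SERVER_METHODS, {"FP-VENDOR-1", "FACE-VENDOR-2"}, own, "IRIS-CLIENT-9")
    print([m.method_id for m in spec])
    print(select_method(POLICY["payment"], spec).method_id)  # client-side iris not admitted
    print(select_method(POLICY["portal"], spec).method_id)   # user's preferred iris wins
    print(decide_service(POLICY["payment"], True, True, 1e-5))
```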
FIG. 14 shows a case in which templates are controlled by other than the AP server 140 and the client 110. FIG. 14 differs from FIG. 13 in that step 805 is added and step 827 is executed in place of step 824. The other steps assigned with the same reference numbers as those of FIG. 13 are duplicated, and hence description thereof will be avoided.
After step 802, if an authentication method is used in which the client 110 conducts comparison but does not control templates, the client 110 issues a template request to, for example, the BCA controlling templates so that a template is sent therefrom (805). Thereafter, the client 110 compares the authentication information collected in step 802 (803).
After step 823, when a template is received from the client 110, the server 140 verifies, according to template integrity information controlled by the BCA, integrity of the template (824).
After step 823, in a case in which the AP server 140 conducts comparison and templates are controlled by other servers such as the BCA, the AP server 140 issues a template request to the BCA so that a template is sent therefrom (827). Thereafter, control goes to comparison (825) of the authentication information sent from the client 110.
FIG. 15 shows communication data 831 from the AP server 140 to request user authentication. The communication data 831 requesting the user authentication includes data items as follows.
Data identification code: Code to identify the communication data requesting user authentication
Service request information: Session information of the service requested by the user
Requested user authentication model: Information designating a user authentication model requested by the AP server 140. For example, there are designated 0: execute only PKI authentication, 1: execute biometric comparison by client 110, 2: execute biometric comparison by AP server 140, 3: execute biometric comparison by either one of client 110 and AP server 140.
Number of lists of authentication methods: Number of authentication methods possessed by AP server 140
List of authentication methods: List of the above authentication methods. For example, there are described an ID uniquely designating an authentication method and a flag of its comparison model.
FIG. 16 shows response data 812 to the user authentication request from the client 110, the data reflecting a function of the client 110. The response data 812 to the user authentication request includes the following data items.
Data identification code: Code to identify the response data to the user authentication request
Service request information: Session information of the service requested by the user
Number of lists of authentication methods: Number obtained by adding the number of authentication methods which can be used by the client 110 to collect biometric information for comparison (when the AP server 140 allows authentication models for client comparison) to the number of authentication methods which are taken from the authentication methods of the AP server 140 and which can be used by the client 110 to collect biometric information
List of authentication methods: List of the above authentication methods. For example, there are described an ID uniquely designating an authentication method and a flag of its comparison model.
FIG. 17 shows determination notification data 832 of the user authentication method from the AP server 140. The determination notification data 832 of the user authentication method includes data items as below.
Data identification code: Code to identify the determination notification data of the user authentication method
Service request information: Session information of the service requested by the user
Determined authentication method: Authentication method for comparison in the session
Challenge code: Random number generated by the AP server 140 for the user authentication by PKI
FIG. 18 shows communication data 813 including a user signature and authentication information from the client 110. The communication data 813 includes data items as below.
Data identification code: Code to identify the communication data from the client 110
Service request information: Session information of the service requested by the user
Determined authentication method: Authentication method for comparison in the session
Authentication information: The authentication information is classified into the following three cases.
1) Biometric information collected by the client 110, in the case of a model in which the AP server 140 controls templates and conducts comparison
2) The comparison result and the template used for the comparison by the client 110, in the case of a model in which the client 110 conducts comparison
3) Biometric information and the template collected by the client 110, in the case of a model in which the client 110 controls templates and the AP server 140 conducts comparison
User signature: Signature generated by encrypting the challenge code using a private key of the user. The signature may be attached to the data and the challenge code constituting the above communication data.
FIG. 19 shows notification data 833 of the user authentication result from the AP server 140. The result notification data includes data items as below.
Data identification code: Code to identify the notification data of the user authentication result
Service request information: Session information of the service requested by the user
Employed authentication method: Authentication method employed by the session
Result: Authentication result of the session. For example, 0: user authentication succeeded, 1: PKI authentication failed, 2: biometric template failed, 3: biometric comparison failed
Signature of AP server 140: Signature by a private key of the AP server 140 in response to the above result
Authentication protocol in a case when an authentication server is used
When many users employ biometric authentication, relying on a single biometric authentication method raises the concern that the biometric authentication may be insufficient for some users, and hence usability deteriorates.
Therefore, it is desirable that the AP server 140 prepares a plurality of authentication methods.
However, when the AP server 140 possesses various authentication methods, a high configuration cost is required. Therefore, it is also possible to entrust comparison processing to an authentication server which has prepared various authentication methods.
Moreover, since a long time is required when the comparison processing is entirely entrusted to the authentication server, it is also possible to entrust only part of the processing to the authentication server.
Protocols to entrust biometric comparison to the authentication server are as follows.
The AP server 140 must establish a trust relationship with the authentication server beforehand. The embodiment assumes that the AP server 140 trusts the comparison result from the authentication server.
The AP server 140 acquires beforehand information regarding the authentication methods possessed by the authentication server to determine a security policy for those methods.
It is also conceivable that the client 110 proposes an authentication method obtained via an authentication server with which the AP server has not established a trust relationship. In this case, a check is first made by a PKI authentication mechanism to determine whether the proposed authentication server can be trusted, before the comparison is entrusted to it. In this situation, the authentication server and the client 110 may also collude to impersonate a legitimate authentication server ("purporting").
Therefore, the condition for trust is that the authentication server has been authenticated (by PKI) by a reliable organization.
The AP server 140 must set a policy for such trust beforehand. In addition, it is necessary to verify whether an authentication by an unknown authentication server matches the security policy of the application. Therefore, whether or not the requirement of FAR (False Acceptance Rate) is satisfied is determined according to a reliable evaluation result. This determination can be implemented according to the authentication method disclosed in Japanese Patent Application No. 2002-50884 filed by the present applicant.
FIG. 20 shows a processing flow when biometric comparison is entrusted to an authentication server. The processing flow differs from that shown in FIG. 13 as below.
Description will be given of operation to entrust comparison step 825 to the authentication server. In this connection, the user authentication request 831 includes an authentication method possessed by the AP server 140 and a list of authentication methods possessed by the authentication server.
After step 824, to conduct the comparison by the authentication server, a template and the transmitted authentication information are sent to the authentication server (952).
The authentication server compares the template with the authentication information received therefrom (941), returns a result thereof to the AP server 140 (962), and then goes to step 826.
Examples of various information setting screens
Description will be given of an example of a setting screen for various information items.
FIG. 23 shows an example of a setting screen for each user in the client 110.
As individual information, certificate information of a PKI public key is displayed in addition to a name and an address identifying the individual. Since certificates may be issued by a plurality of organizations, the setting screen can be switched for each certificate on the display.
As template information, all templates issued for the IDs of the displayed individual can be shown by switching the screen. In addition, the templates are displayed in the order of priority desired by the user, and the priority is changed by pressing a priority increase button or a priority decrease button after designating a template.
As security information, the secret communication and the use range limit declaration can be designated using check boxes.
FIG. 24 shows an example of a screen to set security policies of applications in the AP server 140.
For each application of the AP server 140, it is possible to set a safety level (such as an EAL guarantee level) required for the client 110, an FAR required for authentication, an authentication model, and necessity of integrity verification of a template.
FIG. 25 shows an example of a screen to set security policies of authentication methods in the AP server 140. For an authentication method granted by the AP server 140, it is possible to set FAR, a comparison type, and a safety level according to a policy of a server owner (service provider).
In accordance with the user authentication system of each of the above embodiments, there can be obtained remarkable advantages as below.
First, the AP server 140 and the client 110 receiving the provided services each control their own authentication methods, so that before a service-providing session it is possible to select a user authentication method according to the policy of the AP server 140 and the desire of the user.
Also, when the policy of the AP server 140 admits a user authentication method in which the client 110 conducts biometric comparison, the method can be added as an option.
Furthermore, to protect privacy, request information to limit the biometric information use range to the authentication processing for the use of the service can be attached to the information sent from the client 110 to the AP server 140.
In addition, when a method in which the client conducts the biometric comparison is selected, a result of the comparison and a template as the reference of the comparison can be notified to the server.
Moreover, when a first server entrusts biometric authentication to a second server which has a user authentication function and which is trusted by the first server, information of the second server can be added as the biometric authentication method of the first server.
INDUSTRIAL APPLICABILITY
As above, in the communication of information services on a network in which an unspecified number of the general public participate, user authentication can be implemented according to a server policy irrespective of the respective system configurations of the client and the server.

Claims (7)

2. A user authentication system operating between a server providing information services and a client receiving the information services, wherein: the server has a security policy which defines an authentication model required by the information service, a safety level of a client required by the information service, a false acceptance rate required by the information service, and a necessity of a validation for a validity of a template, in each service ID of the information service; the server, when the information service requested from the client is a service which requires a user authentication, notifies a user authentication request which includes a specification of an authentication model which corresponds to the information service and a list of biometric authentication methods which are feasible for the server to the client; the client selects biometric authentication methods which are feasible for the client, from the list of biometric authentication methods which are feasible for the server, and returns the methods to the server; the server determines a biometric authentication method which adapts to the security policy, from the selected and notified list of biometric authentication methods which are feasible for the client, and notifies the biometric authentication method and a challenge code to the client; the client sends to the server biometric information conforming to the biometric authentication method thus determined and a result obtained by encrypting the challenge code from the server using a user private key in a public key cipher; the server deciphers data resultant from the encryption using a user public key in a public key cipher to verify the challenge code; the server conducts biometric comparison using the biometric information to thereby conduct user authentication; and the server determines whether the information service can be provided to the client by checking whether a result of the biometric comparison satisfies the false acceptance rate and whether a template which is used for the biometric comparison is valid.

3. The user authentication system according to claim 2, wherein the client adds, when it is notified that biometric authentication in the client is included as a biometric authentication method feasible for the server, a biometric authentication method possessed by the client to the selection result and returns the selection result.

4. The user authentication system according to claim 2, wherein the client attaches request information limiting a use range of biometric information regarding a user of the client in the biometric comparison and sends the request information to the server.

The user authentication system according to claim 2, wherein when a method in which biometric comparison is conducted in the client is selected and the user is confirmed through the biometric comparison in the client, the client encrypts the challenge code from the server using a user private key in a public key cipher and sends registered information as a reference of the comparison together with the result of the biometric comparison to the server, and the server confirms validity of the registered information of the user.

6. The user authentication system according to claim 2, wherein the server adds information of a biometric authentication method of an authentication server to the information notifying the biometric authentication methods of the server.

7. The user authentication system according to claim 2, wherein safety as a result of evaluation according to quality of information inputted for user authentication is employed as a criterion of determining the security policy of the server.

8. A user authentication system operating between a server providing an information service and a client receiving the information service, wherein: the server has a security policy which defines an authentication model required by the information service, a safety level of a client required by the information service, a false acceptance rate required by the information service, and a necessity of a validation for a validity of a template, in each service ID of the information service; the server, when the information service required from the client is a service which requires the user authentication, notifies a user authentication request which includes a specification of an authentication model which corresponds to the information service and a list of biometric authentication methods which are feasible for the server to the client; the client selects a list of biometric authentication methods which are feasible for the client from the list of biometric authentication methods which are feasible for the server, and notifies the list to the server; the server determines a biometric authentication method which satisfies the safety level and the false acceptance rate from the selected and notified list of biometric authentication methods which are feasible for the client by referring to the security policy, and notifies the biometric authentication method to the client; the client collects biometric information conforming to the biometric authentication method thus determined; either one of the server and the client conducts biometric comparison to perform user authentication by use of the biometric information and according to the category of the authentication model thus specified; and the server determines whether the information service can be provided to the client by checking whether a result of the biometric comparison satisfies the false acceptance rate and whether a template which is used for the biometric comparison is valid.

9. The user authentication system according to claim 8, wherein: the authentication model includes a user authentication model of PKI, a biometric authentication model of a client comparison type and a biometric authentication model of a server comparison type; the biometric authentication model of the client comparison type further includes an authentication model which controls a template at a client and an authentication model which controls a template at a server; and the biometric authentication model of the server comparison type further includes an authentication model which controls a template at a client and an authentication model which controls a template at a server.

The user authentication system according to claim 8, wherein: the security policy further defines a quality level of an image inputted from a user for a user authentication.

11. A user authentication system substantially as hereinbefore described with reference to the accompanying drawings.

DATED this 28th day of February 2008. Hitachi, Ltd. Patent Attorneys for the Applicant: F B RICE CO

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2003142838A JP4374904B2 (en) 2003-05-21 2003-05-21 Identification system
JP2003-142838 2003-05-21
PCT/JP2004/002411 WO2005003985A1 (en) 2003-05-21 2004-02-27 User authentication system

Publications (2)

Publication Number Publication Date
AU2004254771A1 AU2004254771A1 (en) 2005-01-13
AU2004254771B2 true AU2004254771B2 (en) 2008-03-20

Family

ID=33530788

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2004254771A Ceased AU2004254771B2 (en) 2003-05-21 2004-02-27 User authentication system

Country Status (3)

Country Link
JP (1) JP4374904B2 (en)
AU (1) AU2004254771B2 (en)
WO (1) WO2005003985A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8352743B2 (en) 2007-02-07 2013-01-08 Nippon Telegraph And Telephone Corporation Client device, key device, service providing apparatus, user authentication system, user authentication method, program, and recording medium
US11971973B2 (en) 2019-06-25 2024-04-30 Bitkey Inc. Uilization control system, use permit issuance device, uilization control method, and computer-readable program

Families Citing this family (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006128761A (en) * 2004-10-26 2006-05-18 Sony Corp Communication method and communication system employing encryption technology, and biological information verification apparatus
JP2006268411A (en) * 2005-03-24 2006-10-05 Nomura Research Institute Ltd Method and system for authenticating remote accessing user by using living body data and user device
JP2006293473A (en) * 2005-04-06 2006-10-26 Sony Corp Authentication system and authentication method, terminal device, and authentication device
WO2007020942A1 (en) * 2005-08-18 2007-02-22 Nec Corporation User authentication system, terminal used for it, authentication verification device, and program
EP1960936A1 (en) * 2005-12-13 2008-08-27 International Business Machines Corporation A method and system for transaction validation
JP4819542B2 (en) * 2006-03-24 2011-11-24 株式会社日立製作所 Biometric authentication system and method with vulnerability verification
CN100365974C (en) * 2006-03-31 2008-01-30 北京飞天诚信科技有限公司 Device and method for controlling computer access
JP2007299153A (en) * 2006-04-28 2007-11-15 Hitachi Software Eng Co Ltd Biometrics system and biometrics method
JP4820342B2 (en) * 2007-08-09 2011-11-24 日本電信電話株式会社 User authentication method, user authentication apparatus, program, and recording medium
JP5132222B2 (en) * 2007-08-13 2013-01-30 株式会社東芝 Client device, server device, and program
JP4979127B2 (en) * 2007-08-22 2012-07-18 株式会社日立ソリューションズ Account information leak prevention service system
US8572397B2 (en) * 2008-06-20 2013-10-29 Koninklijke Philips N.V. Biometric authentication and identification
JP5344040B2 (en) 2009-09-18 2013-11-20 富士通株式会社 Biometric authentication system and control method
AU2013243768B2 (en) * 2012-04-01 2017-12-21 Payfone, Inc. Secure authentication in a multi-party system
CN102769531A (en) * 2012-08-13 2012-11-07 鹤山世达光电科技有限公司 Identity authentication device and method thereof
US9306754B2 (en) 2012-12-28 2016-04-05 Nok Nok Labs, Inc. System and method for implementing transaction signing within an authentication framework
EP2939166B1 (en) * 2012-12-28 2020-11-11 Nok Nok Labs, Inc. Query system and method to determine authentication capabilities
US9172687B2 (en) 2012-12-28 2015-10-27 Nok Nok Labs, Inc. Query system and method to determine authentication capabilities
US9887983B2 (en) 2013-10-29 2018-02-06 Nok Nok Labs, Inc. Apparatus and method for implementing composite authenticators
US10270748B2 (en) 2013-03-22 2019-04-23 Nok Nok Labs, Inc. Advanced authentication techniques and applications
US9305298B2 (en) 2013-03-22 2016-04-05 Nok Nok Labs, Inc. System and method for location-based authentication
US9961077B2 (en) 2013-05-30 2018-05-01 Nok Nok Labs, Inc. System and method for biometric authentication with device attestation
US20150242605A1 (en) * 2014-02-23 2015-08-27 Qualcomm Incorporated Continuous authentication with a mobile device
US10032008B2 (en) * 2014-02-23 2018-07-24 Qualcomm Incorporated Trust broker authentication method for mobile devices
US9654469B1 (en) 2014-05-02 2017-05-16 Nok Nok Labs, Inc. Web-based user authentication techniques and applications
US20170109751A1 (en) * 2014-05-02 2017-04-20 Nok Nok Labs, Inc. System and method for carrying strong authentication events over different channels
US9577999B1 (en) 2014-05-02 2017-02-21 Nok Nok Labs, Inc. Enhanced security for registration of authentication devices
US9749131B2 (en) 2014-07-31 2017-08-29 Nok Nok Labs, Inc. System and method for implementing a one-time-password using asymmetric cryptography
US10148630B2 (en) 2014-07-31 2018-12-04 Nok Nok Labs, Inc. System and method for implementing a hosted authentication service
US9875347B2 (en) 2014-07-31 2018-01-23 Nok Nok Labs, Inc. System and method for performing authentication using data analytics
US9736154B2 (en) 2014-09-16 2017-08-15 Nok Nok Labs, Inc. System and method for integrating an authentication service within a network architecture
JP5977846B2 (en) * 2015-02-13 2016-08-24 エヌ・ティ・ティ・インターネット株式会社 Biometric authentication platform system, biometric authentication information management apparatus, biometric authentication information management method, and biometric authentication information management program
JP6555983B2 (en) * 2015-08-27 2019-08-07 Kddi株式会社 Apparatus, method, and program for determining authentication method
CN106549919B (en) 2015-09-21 2021-01-22 创新先进技术有限公司 Information registration and authentication method and device
US10637853B2 (en) 2016-08-05 2020-04-28 Nok Nok Labs, Inc. Authentication techniques including speech and/or lip movement analysis
US10769635B2 (en) 2016-08-05 2020-09-08 Nok Nok Labs, Inc. Authentication techniques including speech and/or lip movement analysis
CN106899567B (en) * 2016-08-24 2019-12-13 阿里巴巴集团控股有限公司 User body checking method, device and system
US10091195B2 (en) 2016-12-31 2018-10-02 Nok Nok Labs, Inc. System and method for bootstrapping a user binding
US10237070B2 (en) 2016-12-31 2019-03-19 Nok Nok Labs, Inc. System and method for sharing keys across authenticators
US11868995B2 (en) 2017-11-27 2024-01-09 Nok Nok Labs, Inc. Extending a secure key storage for transaction confirmation and cryptocurrency
US11831409B2 (en) 2018-01-12 2023-11-28 Nok Nok Labs, Inc. System and method for binding verifiable claims
KR101936941B1 (en) * 2018-02-22 2019-01-11 스티븐 상근 오 Electronic approval system, method, and program using biometric authentication
JP7115167B2 (en) 2018-09-11 2022-08-09 富士フイルムビジネスイノベーション株式会社 Information processing device and program
US11792024B2 (en) 2019-03-29 2023-10-17 Nok Nok Labs, Inc. System and method for efficient challenge-response authentication
JP2021005870A (en) * 2020-07-21 2021-01-14 株式会社ビットキー Use control system, use permit issuance device, use control method, and computer-readable program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000092046A (en) * 1998-09-11 2000-03-31 Mitsubishi Electric Corp Remote authentication system
JP2002366527A (en) * 2001-06-11 2002-12-20 Ntt Advanced Technology Corp Personal identification method
JP2003030154A (en) * 2001-04-17 2003-01-31 Matsushita Electric Ind Co Ltd Personal authentication method and device
JP2003050783A (en) * 2001-05-30 2003-02-21 Fujitsu Ltd Composite authentication system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000122975A (en) * 1998-10-14 2000-04-28 Toshiba Corp User confirmation system by means of biometrics and storage medium
JP2001344212A (en) * 2000-05-31 2001-12-14 Base Technology Inc Method for limiting application of computer file by biometrics information, method for logging in to computer system, and recording medium
JP4695310B2 (en) * 2001-09-18 2011-06-08 ナイルス株式会社 Lever switch for vehicle

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8352743B2 (en) 2007-02-07 2013-01-08 Nippon Telegraph And Telephone Corporation Client device, key device, service providing apparatus, user authentication system, user authentication method, program, and recording medium
US11971973B2 (en) 2019-06-25 2024-04-30 Bitkey Inc. Utilization control system, use permit issuance device, utilization control method, and computer-readable program

Also Published As

Publication number Publication date
AU2004254771A1 (en) 2005-01-13
JP2004348308A (en) 2004-12-09
WO2005003985A1 (en) 2005-01-13
JP4374904B2 (en) 2009-12-02

Similar Documents

Publication Publication Date Title
AU2004254771B2 (en) User authentication system
US9300649B2 (en) Context sensitive dynamic authentication in a cryptographic system
RU2434340C2 (en) Infrastructure for verifying biometric account data
CA2341784C (en) Method to deploy a pki transaction in a web browser
US9189777B1 (en) Electronic commerce with cryptographic authentication
US9544297B2 (en) Method for secured data processing
US7577621B2 (en) Cryptographic server with provisions for interoperability between cryptographic systems
JP4508331B2 (en) Authentication agent device, authentication agent method, authentication agent service system, and computer-readable recording medium
US20040059924A1 (en) Biometric private key infrastructure
US20010034836A1 (en) System for secure certification of network
JP2003143136A (en) Identification system and apparatus
KR20030074483A (en) Service providing system in which services are provided from service provider apparatus to service user apparatus via network
KR20150052261A (en) Method and system for verifying an access request
US20050021954A1 (en) Personal authentication device and system and method thereof
JP2007058455A (en) Access management system and access management method
KR20220006234A (en) Method for creating decentralized identity able to manage user authority and system for managing user authority using the same
EP1959607B1 (en) A method and system for authenticating the identity
JP4794939B2 (en) Ticket type member authentication apparatus and method
AU2003253777B2 (en) Biometric private key infrastructure

Legal Events

Date Code Title Description
FGA Letters patent sealed or granted (standard patent)
MK14 Patent ceased section 143(a) (annual fees not paid) or expired