CN100454325C - Safety system, identifying server, identifying method and program - Google Patents

Safety system, identifying server, identifying method and program


Publication number
CN100454325C
Authority
CN
China
Prior art keywords
authentication
information
identification information
machine
unit
Application number
CN 200510072190
Other languages
Chinese (zh)
Other versions
CN1776704A (en
Inventor
中本与一
泽村伸一
牧元喜宣
Original Assignee
株式会社日立制作所
Priority to JP2004-335731
Priority to JP2004335731A (patent JP4574335B2)
Application filed by 株式会社日立制作所
Publication of CN1776704A
Application granted
Publication of CN100454325C


Abstract

In a system that performs personal authentication, the burden of authentication processing on the user is reduced while a prescribed authentication level is ensured. In a system having an authentication device (120) and an authentication server (100), the authentication device (120) includes a unit that, when a user is to be authenticated, requests from the authentication server (100) an authentication parameter representing the precision of the authentication processing and obtains the authentication parameter that the authentication server (100) sends in response to the request, and a unit that performs authentication processing using the obtained authentication parameter. The authentication server (100) includes a unit that calculates the authentication parameter and a unit that sends the calculated parameter to the authentication device (120). On a request from the authentication device (120), the calculating unit computes the authentication parameter from the authentication level associated with the place where the authentication device (120) is installed or the place to which the authentication device (120) grants entry, the authentication level associated with the date and time period, and the authentication history of the user.

Description

Security system, authentication server, authentication method and program

Technical Field

The present invention relates to security system technology, and in particular to technology for personal authentication performed when entering or leaving offices, hospitals, multi-unit housing and the like, or when using services provided by a computer.

Background Art

Computer-based personal authentication is used for a wide variety of purposes. For example, it is used for access control in office buildings, apartment buildings and the like, and for user authentication when using services through a personal computer (PC).

In office buildings, apartment buildings and the like, access is controlled with authentication devices installed at the entrances of the building or of individual rooms. For access control with an authentication device, authentication information for authenticating users is stored in the authentication device in advance. The authentication device accepts authentication information entered by the user and authenticates the user by comparing the accepted information with the authentication information it holds. The authentication methods used here include passwords, IC cards and biometric authentication.

For authentication when using a service through a personal computer (PC), authentication information set for each service is registered in the PC or in the server that provides the service. The PC or the server authenticates the user by comparing the authentication information set for the service with the information entered by the user. The authentication methods used here are a user name and password pair, or an IC card or biometric authentication using a peripheral device connected to the PC.

In addition, with the recent development of network technology, these authentication devices can be interconnected over a network and managed centrally. With central management, the authentication history of each authentication device can be retained, so that irregularities can be found afterwards.

A technique is already known in which a plurality of authentication units are provided in one authentication device and authentication is performed with the authentication unit selected by the user (for example, Japanese Laid-Open Patent Publication No. 2003-132023). In Japanese Laid-Open Patent Publication No. 2003-132023 (hereinafter "Patent Document 1"), it is determined whether the result of authentication by the authentication unit selected by the user satisfies a prescribed authentication accuracy, and the user is accepted if it does.

A technique is also known in which the authentication accuracy is changed according to the service provided to the user (for example, Japanese Laid-Open Patent Publication No. 2003-248661 (hereinafter "Patent Document 2")). In Patent Document 2, the authentication accuracy is set to a high value for access to highly confidential information or for the purchase of high-priced goods, and to a low value for access to information of low confidentiality or for the purchase of low-priced goods.

However, in facilities such as office buildings or factories, many people may arrive at an entrance at the same time, depending on the time of day. A user's authentication may also fail, and the user may retry and repeat the authentication. In such cases, ensuring the prescribed security level means that authentication processing takes a certain amount of time, so that people waiting to be authenticated can back up near the entrance (a door or the like), which harms convenience. A facility such as an office building or factory may contain several areas (rooms or places) that must be kept secure. In such a facility, authentication devices for personal authentication may be installed not only at the entrances of the building but also at the entrance of each area. Even when one facility contains several areas that must be kept secure, the required security level usually differs with the area or the time period in which authentication is performed.

In multi-unit housing such as apartment buildings, providing an entrance on each floor is also considered as a way of ensuring security. In that case, security is further strengthened if authentication devices for personal authentication are installed not only at the entrance of the building but also at other places (for example, at the entrance provided on each floor). On the other hand, installing several authentication devices in an apartment building to ensure the prescribed security level increases the burden of authentication processing on the residents.

Patent Document 1 performs authentication with an authentication unit selected by the user; Patent Document 2 determines the precision of authentication processing for each service provided. However, neither of the techniques described in Patent Document 1 and Patent Document 2 gives particular consideration to reducing the burden of authentication processing on the user, nor to the problem of ensuring a prescribed authentication level. Patent Document 1 offers the user a plurality of authentication units, but its authentication level is fixed; Patent Document 2 sets the authentication level for each service provided. Furthermore, neither technique gives particular consideration to shortening the authentication time when authentication processing is performed at several places.

Summary of the Invention

Accordingly, an object of the present invention is, in a system that performs personal authentication, to reduce the burden of authentication processing on the user while ensuring a prescribed authentication level.

To solve the above problem, one aspect of the present invention applies to a security system having a plurality of authentication devices and an authentication server connected to the authentication devices via a network.

The authentication device has an authentication information accepting unit, an identifying unit, a sending unit, a receiving unit and an authentication unit. The authentication information accepting unit stores in advance personal information, in which each piece of authentication information used to authenticate a user is associated with personal identification information identifying that user, together with machine identification information identifying the device itself, and accepts authentication information entered by a user. The identifying unit uses the stored personal information to determine the personal identification information corresponding to the accepted authentication information. The sending unit sends the determined personal identification information and the stored machine identification information to the authentication server. The receiving unit receives the authentication criterion, representing the precision of the authentication processing, that the authentication server sends in response to the personal identification information and machine identification information. The authentication unit performs authentication processing for the user using the accepted authentication information, the personal information and the received authentication criterion.

The authentication server has a storage unit, a receiving unit, a calculating unit and a sending unit. The storage unit stores: machine information, which associates each piece of machine identification information with location information indicating the area in which the authentication device identified by that machine identification information is installed, or the area to which that authentication device admits users; authentication information, which associates each piece of location information with the authentication processing precision defined for the area it indicates; calendar information, which associates each date and time period with an authentication processing precision; and authentication history information, which associates each piece of personal identification information with the results of past authentication processing for the user it identifies. The receiving unit receives the personal identification information and machine identification information sent from the authentication device. The calculating unit calculates the authentication criterion from the stored machine information, authentication information, calendar information and authentication history information. The sending unit sends the calculated authentication criterion to the authentication device that sent the personal identification information and machine identification information.
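The server-side calculation described above, sketched as an added example (not code from the patent). The table contents, the 1 to 5 level scale and the combining rule (the stricter of the area level and the calendar level, then adjusted by the user's recent history) are assumptions, because the text here names the inputs but not the formula.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

MIN_LEVEL, MAX_LEVEL = 1, 5  # assumed scale: higher means stricter matching

# Machine information: machine id -> area it guards (constructed sample data)
MACHINES = {"door-lobby": "lobby", "door-lab": "lab"}

# Authentication information: area -> precision required for that area
AREA_LEVEL = {"lobby": 2, "lab": 4}

# Calendar information: (weekdays, start, end, level); first match wins
CALENDAR = [
    (range(0, 5), time(8, 0), time(9, 30), 1),   # weekday rush hour
    (range(0, 5), time(9, 30), time(18, 0), 2),  # weekday office hours
]
OFF_HOURS_LEVEL = 4  # nights and weekends (assumed)


@dataclass(frozen=True)
class HistoryEntry:
    """One row of the authentication history: who, where, when, result."""
    user_id: str
    machine_id: str
    when: datetime
    success: bool


def calendar_level(now):
    """Precision associated with the current date and time period."""
    for days, start, end, level in CALENDAR:
        if now.weekday() in days and start <= now.time() < end:
            return level
    return OFF_HOURS_LEVEL


def history_adjustment(history, user_id, now, window=timedelta(minutes=10)):
    """Assumed rule: recent failures tighten the criterion (up to +2);
    otherwise a recent success elsewhere relaxes it by one step."""
    recent = [h for h in history
              if h.user_id == user_id
              and timedelta(0) <= now - h.when <= window]
    failures = sum(1 for h in recent if not h.success)
    if failures:
        return min(failures, 2)
    if any(h.success for h in recent):
        return -1
    return 0


def authentication_criterion(machine_id, user_id, now, history):
    """Criterion the server returns to the requesting authentication device."""
    area = MACHINES.get(machine_id)
    if area is None or area not in AREA_LEVEL:
        # Unknown device or unconfigured area: fail closed, strictest level.
        return MAX_LEVEL
    base = max(AREA_LEVEL[area], calendar_level(now))
    level = base + history_adjustment(history, user_id, now)
    return max(MIN_LEVEL, min(MAX_LEVEL, level))


if __name__ == "__main__":
    monday_rush = datetime(2024, 3, 4, 8, 30)  # constructed timestamp
    log = [HistoryEntry("u1", "door-lobby",
                        monday_rush - timedelta(minutes=5), True)]
    for door in ("door-lobby", "door-lab", "door-unknown"):
        print(door, authentication_criterion(door, "u1", monday_rush, log))
```

The unknown-device branch matters in practice: a request carrying a machine identifier the server has no record of gets the strictest criterion rather than a default.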

According to the present invention, when authentication processing is performed, the authentication criterion representing the precision of the authentication processing is obtained from the authentication processing precision associated with the area where authentication takes place, the authentication processing precision associated with the date and time period, and the user's authentication history. That is, the invention can raise or lower the precision of the authentication criterion according to the date, time, area and authentication history. Authentication processing can therefore be matched to business or living conditions, and the burden of authentication processing can be reduced for a user who has already been authenticated once. Where a user must pass authentication processing at several authentication devices before reaching a destination, authentication can still be performed reliably in the end even if the user takes a wrong turn on the way.

Brief Description of the Drawings

Fig. 1 is a functional block diagram of a security system according to an embodiment to which the present invention is applied.
Fig. 2 is a block diagram of the hardware configuration of the security system of the embodiment.
Fig. 3 is a diagram outlining the authentication processing performed by the security system of the embodiment.
Fig. 4 schematically shows the data structure of the place table 1100 of the embodiment.
Fig. 5 schematically shows the data structure of the machine table 1200 of the embodiment.
Fig. 6 schematically shows the data structure of the terminal table 1300 of the embodiment.
Fig. 7 schematically shows the data structure of the authentication table 1400 of the embodiment.
Fig. 8 schematically shows the data structure of the deployment table 1500 of the embodiment.
Fig. 9 schematically shows the data structure of the personal authentication information table 1600 of the embodiment.
Fig. 10 schematically shows the data structure of the personal deployment information table 1700 of the embodiment.
Fig. 11 schematically shows the data structure of the business calendar table 1800 of the embodiment.
Fig. 12 schematically shows the data structure of the authentication history table 1900 of the embodiment.
Fig. 13 is a flowchart of the authentication processing performed by the security system of the embodiment.
Fig. 14 is a flowchart of a modification of the authentication processing performed by the security system of the embodiment.
Fig. 15 is a flowchart of the processing by which the authentication management unit 106 of the authentication server 100 of the embodiment determines the authentication level corresponding to the user and the authentication machine.
Fig. 16 is a flowchart of the user authentication processing performed by the authentication operation unit 121 of the authentication device of the embodiment.
Fig. 17 is a flowchart of the authentication result determination processing performed by the authentication operation unit 121 of the embodiment.
Fig. 18 is a flowchart of the processing of the authentication unit 122 when the authentication device 120 of the embodiment performs card authentication.
Fig. 19 is a flowchart of the processing of the authentication unit 122 when the authentication device 120 of the embodiment performs biometric authentication.

Detailed Description of the Embodiments

An embodiment to which the present invention is applied is described below with reference to the drawings, for room entry and exit management of users and …. In the following description, the case where the security system of this embodiment is applied to offices in a building is taken as an example, but the embodiment is not particularly limited to this. For example, it can also be used for room entry and exit management in facilities such as apartment buildings or hospitals. Fig. 1 is a functional block diagram of a security system according to an embodiment to which the present invention is applied.

As shown in the figure, the security system has an authentication server 100 and authentication devices 120-a and 120-b. The authentication server 100 and the authentication devices 120-a to 120-b are connected to one another via a network 110. The illustrated description uses two authentication devices 120-a and 120-b (hereinafter also called "authentication device 120") as an example, but this is only an example, and the number of authentication devices 120 is not particularly limited in this embodiment.

The authentication server 100 manages the information necessary for personal authentication. The authentication server 100 accepts a request from an authentication device 120 to send the "information necessary for personal authentication" and sends the requested information to the requesting authentication device 120. The authentication server 100 also receives and stores the authentication results sent by the authentication device 120.

The authentication device 120 accepts input of authentication information such as a password and authenticates the user. Specifically, the authentication device 120 obtains the "information necessary for personal authentication" from the authentication server and performs personal authentication processing using that information and the entered "authentication information". The authentication device 120 sends the authentication result to the authentication server 100.

The network 110 is a network installed within a facility such as a building (or apartment building) or office; Ethernet, for example, can be used for the network 110. The network 110 need not be a network closed within the facility; the connection may instead be made via a network outside the facility, such as the Internet.

Next, the functional configuration of the authentication server 100 and the authentication device 120 is described. The authentication server 100 has a personal management database (hereinafter "personal management DB") 101, a device management database (hereinafter "device management DB") 102, an authentication management database (hereinafter "authentication management DB") 103, a database management unit (DB management unit) 105, a registration unit 107 and an authentication management unit 106.

The personal management DB 101 stores the information about users described later. It holds the personal authentication information table 1600 (Fig. 9) and the personal deployment information table 1700 (Fig. 10), and the information about users is kept in these two tables. The data structures of the personal authentication information table 1600 and the personal deployment information table 1700 are described in detail later.

The device management DB 102 stores the information about equipment described later, such as the address of the authentication device 120 that performs authentication and the place where authentication is performed. It holds the place table 1100 (Fig. 4), the machine table 1200 (Fig. 5) and the terminal table 1300 (Fig. 6), and the information about equipment is kept in these three tables. The data structures of the place table 1100, the machine table 1200 and the terminal table 1300 are described in detail later.

The authentication management DB 103 stores the information about authentication described later and the authentication history. It holds the authentication table 1400 (Fig. 7), the deployment table 1500 (Fig. 8), the business calendar table 1800 (Fig. 11) and the authentication history table 1900 (Fig. 12). The information about authentication is kept in the authentication table 1400, the deployment table 1500 and the business calendar table 1800. The authentication history is kept in the authentication history table 1900. The data structures of the authentication table 1400, the deployment table 1500, the business calendar table 1800 and the authentication history table 1900 are described in detail later.

In this embodiment, the tables above (personal authentication information table 1600, personal deployment information table 1700, place table 1100, machine table 1200, terminal table 1300, authentication table 1400, deployment table 1500, business calendar table 1800 and authentication history table 1900) are divided among three databases, the personal management DB 101, the device management DB 102 and the authentication management DB 103, but the embodiment is not limited to this. For example, all of the tables may be stored in a single database. In practice the tables may be stored in any database, and the number of databases is not limited to three.

The DB management unit 105 controls the input and output of the data stored in the personal management DB 101, the device management DB 102 and the authentication management DB 103. Specifically, the DB management unit 105 issues SQL queries and, through them, retrieves the data held by each database or updates each database. The SQL queries may be issued over the network or through the function API that each database provides. These databases may be installed on the authentication server 100 or on other servers.

The authentication management unit 106 communicates with the authentication device 120 and interprets, processes and responds to the content of those communications. As needed, the authentication management unit 106 asks the DB management unit 105 to retrieve or register information. The authentication management unit 106 may also issue queries directly to each database without using the DB management unit 105.

The registration unit 107 provides the user interface through which a user updates the databases (personal management DB 101, device management DB 102 and authentication management DB 103). Through this interface the user enters update data when, for example, a new machine is installed, users are added, or the machine configuration within the building is changed. The registration unit 107 accepts the update data entered by the user and uses it to update each database through the DB management unit 105.

Next, the functional configuration of the authentication device 120 is described. The authentication device 120 has an authentication operation unit 121 and an authentication unit 122. The authentication operation unit 121 manages the authentication unit 122 and handles communication with the authentication server 100. The authentication unit 122 accepts the information entered by the user and performs authentication processing for that user. A plurality of authentication devices (for example, biometric authentication devices) are connected to the authentication unit 122, and the user is authenticated using each of them.

Next, the hardware configuration of this embodiment is described.

Fig. 2 is a block diagram of the hardware configuration of the security system of this embodiment.

First, the hardware configuration of the authentication device 120 is described.

The authentication device 120 has an EPROM 201, a CPU 202, a main memory 203, a bus 204, a peripheral control device 205, a non-volatile memory 206, a LAN interface (hereinafter "LAN I/F") 207, a card reader interface (hereinafter "card reader I/F") 208, a biometric authentication interface (hereinafter "biometric authentication I/F") 209, an electronic lock interface (hereinafter "electronic lock I/F") 210, a card reader 211, a biometric authentication device 212, an electronic lock 213 and a real-time clock (hereinafter "RTC") 214.

The RTC 214 is used when the authentication device 120 obtains the current time. The LAN I/F 207 controls the sending and receiving of data over the network 110 (for example, data exchanged with the authentication server 100). The EPROM 201, CPU 202, main memory 203 and peripheral control device 205 are connected to one another via the bus 204. The non-volatile memory 206, LAN I/F 207, card reader I/F 208, biometric authentication I/F 209, electronic lock I/F 210 and RTC 214 are each connected to the peripheral control device 205. The non-volatile memory 206 consists of a magnetic disk device, flash ROM or the like.

The card reader 211, the biometric authentication device 212 and the electronic lock 213 are connected to the card reader I/F 208, the biometric authentication I/F 209 and the electronic lock I/F 210, respectively.

The EPROM 201 holds a boot program. The non-volatile memory 206 holds the program (authentication program) that implements the functions of the authentication operation unit 121 and the authentication unit 122 described above. When the authentication device 120 starts, the CPU 202 operates according to the boot program: through the boot program it loads the authentication program from the non-volatile memory 206 into the main memory 203 and starts it. By executing the authentication program, the CPU 202 exchanges signals with the card reader I/F 208, the biometric authentication I/F 209 and the electronic lock I/F 210 via the peripheral control device 205, and controls the card reader 211, the biometric authentication device 212 and the electronic lock 213. The CPU 202 also performs the authentication processing described later by executing the authentication program.

Here, fingerprint authentication devices, vein authentication devices, iris authentication devices and the like serve as the biometric authentication device, but the biometric authentication device is not limited to these. Three interfaces are described, the card reader I/F 208, the biometric authentication I/F 209 and the electronic lock I/F 210, but the number of interfaces is not limited to these and can be increased or decreased according to the number of authentication devices or controlled devices.

Next, the hardware configuration of the authentication server 100 is described.

A computer having an EPROM 220, a CPU 230, a main memory 240, a bus 250, a peripheral control device 260, a non-volatile memory 280 and a LAN interface (hereinafter "LAN I/F") 270 can be used as the authentication server 100.

The EPROM 220, the CPU 230, the main memory 240 and the peripheral control device 260 are connected to one another via the bus 250. The nonvolatile memory 280 and the LAN I/F 270 are each connected to the peripheral control device 260. The nonvolatile memory 280 consists of a magnetic disk device, a flash ROM or the like. The LAN I/F 270 controls the sending and receiving of data over the network 110 (for example, data exchanged with the authentication apparatus 120).

The boot program is stored in the EPROM 220. The nonvolatile memory 280 stores the programs (the DB management program, the authentication management program and the registration program) that implement the functions of the DB management unit 105, the authentication management unit 106 and the registration unit 107 described above. When the authentication server 100 starts up, the CPU 230 operates according to the boot program, which loads these programs from the nonvolatile memory 280 into the main memory 240. By executing the programs loaded in the main memory 240, the CPU 230 implements the functions of the DB management unit 105, the authentication management unit 106 and the registration unit 107. The personal management DB 101, the device management DB 102 and the authentication management DB 103 described above are stored in the main memory 240 and the nonvolatile memory 280.

Next, an overview of the authentication processing performed by the security system of this embodiment is given with reference to FIG. 3. FIG. 3 is a schematic diagram of the authentication processing performed by the security system of this embodiment. It shows the relationships among the DBs and units of the security system and the users. Reference numerals 301 and 302 denote users.

When the DB management unit 105 issues SQL queries (A3001 to A3003), the personal management DB 101, the device management DB 102 and the authentication management DB 103 process them, and each returns its processing result (A3011 to A3013) to the DB management unit 105.

Using a protocol such as HTTP over TCP/IP, the DB management unit 105 accepts from the authentication management unit 106 data acquisition requests keyed by machine ID or personal ID (A3021) and authentication result registration requests (A3022). The DB management unit 105 also accepts DB update requests (A3023) from the registration unit 107.

On accepting a request (A3021 to A3023), the DB management unit 105 converts it into an SQL query and issues the query to the relevant DB (A3001 to A3003). On receiving a response from a DB (A3011 to A3013), the DB management unit 105 converts the data format of the response and returns it to the authentication management unit 106 or the registration unit 107.

The authentication management unit 106 manages the authentication level of the authentication apparatus 120. The authentication level is a value representing authentication strength: the higher the level, the stricter the authentication. On receiving a personal ID and a machine ID (A3031) from the authentication operation unit 121 of an authentication apparatus 120, the authentication management unit 106 accesses each DB via the DB management unit 105, acquires the information needed to determine the authentication level for that individual at that machine, determines the authentication level, and returns it (A3032) to the authentication operation unit 121. On receiving an authentication result (A3033) from the authentication operation unit 121, the authentication management unit 106 registers the result in the authentication management DB 103 via the DB management unit 105. When update data is entered through an operation by the user 302, the registration unit 107 updates the DB via the DB management unit 105.

The authentication operation unit 121 of each of the authentication apparatuses 120-a and 120-b sets authentication parameters (A3042) in the authentication unit 122. Authentication parameters are parameters set according to the authentication level. An authentication parameter is, for example, a value that determines authentication precision, such as the number of feature points that must match in fingerprint authentication, or a template parameter for authentication against which the fingerprint information the user inputs to the fingerprint authentication device is compared.

The authentication operation unit 121 also receives authentication data or an authentication result from the authentication unit 122 (A3040 to A3041). Authentication data is the value the user inputs to the authentication device. For example, when the authentication device is a card reader, the card ID recorded in the card is the authentication data. The authentication result is the result of the authentication performed by the authentication unit 122. The authentication operation unit 121 sends the authentication result received from the authentication unit 122 to the authentication management unit 106 (A3033). The authentication operation unit 121 also sends the received authentication result to the authentication operation unit 131 of another authentication apparatus (A3050).

The authentication unit 122 accepts authentication data input by the user 301 and processes it according to the authentication parameters set by the authentication operation unit 121. When it can perform the authentication processing, the authentication unit 122 sends the authentication result to the authentication operation unit 121. When it cannot, it sends the authentication data entered by the user to the authentication operation unit 121, and in that case the authentication operation unit 121 performs the authentication processing.

Next, the data structures of the tables stored in the DBs of the authentication server of this embodiment are described with reference to FIGS. 4 to 12.

FIG. 4 is a schematic diagram of the data structure of the place table 1100 of this embodiment.

As shown, the place table 1100 has a field 1101 for registering a "place ID", a field 1102 for a "place name", a field 1103 for an "authentication level" and a field 1104 for "adjacent places", which together form one record. The "place ID" is a value that uniquely identifies each place (area), such as a room or corridor in an office or apartment building. The "place name" is the name of the place. The "authentication level" is a value expressing the authentication strength at the place. "Adjacent places" holds the place IDs of the places adjacent to this one across a door or an authentication apparatus.

FIG. 5 is a schematic diagram of the data structure of the machine table 1200 of this embodiment. The machine table 1200 registers information such as the installation place and address of each authentication apparatus 120 of this embodiment.

As shown, the machine table 1200 has a field 1201 for registering a "machine ID", a field 1202 for a "machine name", a field 1203 for an "authentication type", a field 1204 for an "installation place", a field 1205 for an "adjacent destination" and a field 1206 for an "address", which together form one record. The "machine ID" is a value that uniquely identifies each authentication apparatus installed in the office or apartment building. The "machine name" is the name of the authentication apparatus. The "authentication type" is the authentication ID identifying the authentication means of the authentication unit 220 provided in each authentication apparatus 120. The "installation place" is the place ID of the place where the authentication apparatus is installed. The "adjacent destination" is the place ID of the place to which the authentication apparatus permits entry. The "address" is the IP address of the authentication apparatus.

FIG. 6 is a schematic diagram of the data structure of the terminal table 1300 of this embodiment. The terminal referred to here (not shown) is a terminal such as a computer (PC) that the user 301 uses for work, and is distinct from the authentication apparatus 120. The terminal is connected to the network 110 and has the authentication operation unit 121 and the authentication unit 122 that the authentication apparatus 120 has.

As shown, the terminal table 1300 has a field 1301 for registering a "terminal ID", a field 1302 for a "terminal name", a field 1303 for a "place", a field 1304 for an "authentication type" and a field 1305 for an "address", which together form one record.

The "terminal ID" is a value uniquely assigned to each terminal. The "terminal name" is the name of the terminal. The "place" is the place ID of the place where the terminal is located. The "authentication type" is the authentication ID identifying the authentication means of the authentication unit 122 provided in the terminal. The "address" is the IP address of the terminal. The tables are kept separate here to make the distinction between terminals and authentication apparatuses clear, but the machine table 1200 and the terminal table 1300 may be combined into one table. In that case the terminal ID is replaced with a machine ID, and the values must not be duplicated.

FIG. 7 is a schematic diagram of the data structure of the authentication table 1400 of this embodiment. As shown, the authentication table 1400 has a field 1401 for registering an "authentication ID", a field 1402 for an "authentication name" and a field 1403 for a "reliability", which together form one record. The "authentication ID" is a value that uniquely identifies each authentication unit 220. The "authentication name" is the name of the authentication unit 220. The "reliability" is a value indicating which authentication-level value a successful authentication by that authentication unit 220 corresponds to.

FIG. 8 is a schematic diagram of the data structure of the department table 1500 of this embodiment. As shown, the department table 1500 has a field 1501 for registering a "department ID", a field 1502 for a "department name" and a field 1503 for "places used", which together form one record. The "department ID" is a value that uniquely identifies a department in the office. When this embodiment is applied to an apartment building, the unit of a department corresponds to a dwelling unit. The "department name" is the name of the department. "Places used" holds the place IDs identifying the places each department may use.

FIG. 9 is a schematic diagram of the data structure of the personal authentication information table 1600 of this embodiment. As shown, the personal authentication information table 1600 has a field 1601 for registering a "personal ID", a field 1602 for a "card ID", a field 1603 for a "user name", a field 1604 for a "key", a field 1605 for "fingerprint information", a field 1606 for "vein information" and a field 1607 for "face information", which together form one record. The "personal ID" is a value uniquely assigned to each user in order to identify the user 301. The "card ID" is the unique number of the card issued to the user. The "user name" is the login name used when the user uses a terminal. The "key" is the password used when the user uses a terminal. "Fingerprint information", "vein information" and "face information" each hold the user's biometric information. Three kinds of biometric information are listed here, but when authentication means are added, the corresponding biometric authentication information can be added. Each biometric information column is shown holding a character string, but in practice it may hold binary data, the name of a file containing the authentication information, or an address for accessing the authentication information.

FIG. 10 is a schematic diagram of the data structure of the personal department information table 1700 of this embodiment. As shown, the personal department information table 1700 has a field 1701 for registering a "personal ID", a field 1702 for a "department", a field 1703 for "terminals used" and a field 1704 for "places used", which together form one record. The "personal ID" is the same as the personal ID of the personal authentication information table 1600 described above. The "department" is the department ID identifying the department the user belongs to. "Terminals used" holds the terminal IDs of the terminals the user uses. "Places used" holds the place IDs of the places where the user may use terminals. "Places used" registers not only the places used by the department the user belongs to but also the places of related departments. The purpose is to make it easy for the user to come and go to other departments.

FIG. 11 is a schematic diagram of the data structure of the business calendar table 1800 of this embodiment. A business calendar table 1800 is provided for each office, building or apartment building.

As shown, the business calendar table 1800 has a field 1801 for registering a "date", a field 1802 for a "time period", a field 1803 for a "status" and a field 1804 for an "authentication mode", which together form one record.

The "date" is the date to which the "status" and "authentication mode" below apply. The "time period" gives the start time and end time between which the "status" and "authentication mode" below apply. The "status" is the business status of the office or building. When this embodiment is not applied to an apartment building, the field 1803 may in some cases be absent. The "authentication mode" is the mode used when authenticating (the strength grade of the authentication processing). In this embodiment four authentication modes are provided: "normal", "alert", "strict" and "open". The security system of this embodiment raises or lowers the authentication level used in authentication processing according to the "authentication mode" registered in the business calendar table 1800. For example, when the authentication mode is "strict", the authentication level is always the maximum; when it is "alert", the authentication level is made higher than in normal mode by a fixed value. When it is "normal", the authentication level is the one determined as the default. When it is "open", the authentication level is made lower than in normal mode by a fixed value. Raising and lowering the authentication level by date and time makes it possible to set an authentication level that matches business conditions or living conditions.

FIG. 12 is a schematic diagram of the data structure of the authentication history table 1900 of this embodiment.

As shown, the authentication history table 1900 has a field 1901 for registering a "personal ID", a field 1902 for an "authenticating machine (authentication apparatus 120 and terminal)", a field 1903 for an "authentication time", a field 1904 for an "authentication result" and a field 1905 for a "place judgment", which together form one record. The "personal ID" is the personal ID of the user who was the subject of authentication. The "authenticating machine" is the machine ID or terminal ID of the machine that performed the authentication. The "authentication time" is the time at which the authentication was performed. The "authentication result" holds information indicating whether the authentication succeeded or failed, together with the authentication level at the time of authentication. The "place judgment" is the result of judging whether there was anything improper in the route information at the time of authentication (route information is described later).

Next, the flow of the authentication processing performed by the security system of this embodiment is described. The description below takes as an example a security system with a plurality of authentication apparatuses 120-a and 120-b. The authentication apparatuses 120-a and 120-b are installed at different places in the same facility. After the authentication apparatus 120-a has performed authentication processing for a user, the authentication apparatus 120-b then performs authentication processing for the same user.

FIG. 13 is a flowchart of the authentication processing performed by the security system of this embodiment. First, the authentication apparatus 120-a accepts authentication information input by the user 301 (S4000). Specifically, the user 301 inputs authentication information to the authentication apparatus 120-a either by touching an IC card to the card reader 211 or bringing it close, or by placing a finger on a biometric authentication device 212 such as a fingerprint authentication device or a vein authentication device. The authentication apparatus 120-a receives the authentication information via the card reader 211 or the biometric authentication device 212. It is assumed here that the user 301 brings an IC card storing a card ID close to the card reader 211, and the card reader 211 reads the card ID.

Next, on receiving the card ID, the authentication apparatus 120-a determines the personal ID from it (S4001). A table associating personal IDs with authentication information such as card IDs (hereinafter the "personal ID table") is registered in the authentication apparatuses 120-a and 120-b, as described later. The authentication apparatus 120-a refers to the personal ID table to determine the personal ID corresponding to the received card ID. It then sends the determined personal ID and the machine ID preset in each authentication apparatus 120 to the authentication management unit 106 of the authentication server 100 (S4002).

On receiving the personal ID and the machine ID, the authentication management unit 106 accesses the databases using them as keys and acquires information (S4003 to S4004). The information acquired is: the "installation place" and "adjacent destination" corresponding to the machine ID in the machine table 1200 (FIG. 5); the "authentication level" corresponding to the installation place in the place table 1100 (FIG. 4); the entries associated with the personal ID in the authentication history table 1900 (FIG. 12) (hereinafter "history information"); and the entries associated with the date and time period in the business calendar table 1800 (FIG. 11) (hereinafter "calendar information").

More specifically, the authentication management unit 106 searches the records registered in the machine table 1200 (FIG. 5) for the record whose field 1201 holds the received "machine ID", and acquires from it the place ID of the "installation place" and the place ID of the "adjacent destination". It then searches the records registered in the place table 1100 (FIG. 4) for the record whose field 1101 holds the acquired place ID, and acquires that record's "authentication level". It also searches the records registered in the authentication history table 1900 (FIG. 12) for the records holding the "personal ID" received in S4002, and acquires them. Further, the authentication management unit 106 acquires the date and time period from the RTC 214, searches the records registered in the business calendar table 1800 (FIG. 11) for the record holding that date and time period, and acquires it.

Next, the authentication management unit 106 calculates the authentication level from the acquired information (S4005). The specific method of calculating the authentication level is described later. Once the authentication level has been determined, the authentication management unit 106 sends it to the authentication apparatus 120-a (S4006).

On receiving the authentication level, the authentication apparatus 120-a performs authentication processing according to that level and grants the user permission, such as opening the door (S4007 to S4008). The authentication processing is described in detail later. After authenticating the user, the authentication apparatus 120-a sends authentication result information to the authentication management unit 106 of the authentication server 100 (S4009). The authentication result information contains the authentication result (the pair of authentication success or failure and the resulting authentication level), the time at which authentication was performed, the personal ID and the machine ID.

On receiving the authentication result information, the authentication management unit 106 sends its content to the DB management unit 105, and the authentication history table 1900 in the DB is updated (S4010).

Then, after being authenticated by the authentication apparatus 120-a, the user moves on and is authenticated by the next authentication apparatus 120-b. The authentication steps performed by the authentication apparatus 120-b are the same as those performed by the authentication apparatus 120-a. That is, the authentication apparatus 120-b performs the same processing as S4001 to S4002 above: after accepting authentication information (a card ID) from the user, it determines the personal ID, and sends the determined personal ID and the machine ID registered in advance in the authentication apparatus 120-b to the authentication server 100 (S4100 to S4102). As in S4003 to S4006 above, the authentication server 100 determines the authentication level and sends the determined level to the authentication apparatus 120-b (S4102 to S4106). The authentication apparatus 120-b then performs the same authentication processing as S4007 to S4010 above (S4107 to S4110).

However, when the processing of S4100 to S4109 is performed, the result of the authentication by the authentication apparatus 120-a is already registered in the authentication history table 1900 of the authentication server 100. In addition, because the authentication apparatus 120-b is installed in a different place from the authentication apparatus 120-a, the value of the authentication level also differs from when the authentication apparatus 120-a performed authentication. For example, if authentication at the authentication apparatus 120-a failed, the authentication level is raised; if it succeeded, the authentication level is lowered. Authentication by the authentication apparatus 120-b after a failed authentication at the authentication apparatus 120-a can arise as follows. Suppose the user's own authentication at the authentication apparatus 120-a fails. The history of the failed authentication processing is then registered in the authentication server 100. The user may nevertheless be brought along into the area where the authentication apparatus 120-b is installed when another user whose authentication succeeded enters.

Thus, in this embodiment the authentication level is changed according to the user's past authentication results, so that even if the user strayed from the proper route on the way to the destination, authentication can still be performed reliably at the end. In addition, because the authentication level is changed according to the user's past authentication results, the burden of authentication processing on the user can be reduced by lowering the authentication level, for example when a user who has successfully authenticated in the administration department's area then enters the development department's area.

In this embodiment, the authentication level is determined according to the place where the authentication apparatus 120 is installed, and is changed according to the date and time. That is, according to this embodiment, the security level can be set according to the place where the authentication apparatus 120 is installed and the date and time. For example, for an authentication apparatus 120 installed at an entrance, the authentication level can be lowered during weekday commuting hours and raised outside commuting hours, which reduces congestion during commuting hours. On days off, when few people pass through, raising the authentication level strengthens security.
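
The lookup of S4003 to S4005, the calendar modes of table 1800, the history-based raise and lower rule, and the result registration of S4009 to S4010 can be put together as follows. This is an added Python example, not part of the patent text: the level range 1 to 5, the step sizes, the column names, the rule of using only the user's most recent result, and all table rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime

# Assumptions for this example (the page gives no concrete values):
MAX_LEVEL = 5      # levels run from 1 (weakest) to 5 (strictest)
MODE_STEP = 1      # the "fixed value" applied by the alert and open modes
HISTORY_STEP = 1   # raise/lower applied for the user's most recent result
MODE_DELTA = {"normal": 0, "alert": MODE_STEP, "open": -MODE_STEP}


def build_db():
    """In-memory stand-ins for tables 1100, 1200, 1800, 1900 (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE place(place_id INTEGER PRIMARY KEY, place_name TEXT,
                           auth_level INTEGER);
        CREATE TABLE machine(machine_id INTEGER PRIMARY KEY, machine_name TEXT,
                             install_place INTEGER, adjacent_dest INTEGER);
        CREATE TABLE calendar(day TEXT, t_start TEXT, t_end TEXT,
                              status TEXT, auth_mode TEXT);
        CREATE TABLE history(personal_id INTEGER, machine_id INTEGER,
                             auth_time TEXT, success INTEGER, level INTEGER);
    """)
    db.executemany("INSERT INTO place VALUES (?,?,?)", [
        (1, "entrance hall", 2), (2, "development office", 3),
        (3, "server room", 4)])
    db.executemany("INSERT INTO machine VALUES (?,?,?,?)", [
        (10, "apparatus 120-a", 1, 2), (11, "apparatus 120-b", 2, 3)])
    db.executemany("INSERT INTO calendar VALUES (?,?,?,?,?)", [
        ("2005-05-16", "08:00", "10:00", "commuting", "open"),
        ("2005-05-16", "10:00", "18:00", "business", "normal"),
        ("2005-05-21", "00:00", "24:00", "holiday", "alert"),
        ("2005-05-22", "00:00", "24:00", "closed", "strict")])
    return db


def record_result(db, personal_id, machine_id, when, success, level):
    """S4009-S4010: register the apparatus's result in the history table."""
    db.execute("INSERT INTO history VALUES (?,?,?,?,?)",
               (personal_id, machine_id, when.isoformat(), int(success), level))


def compute_level(db, personal_id, machine_id, now):
    """S4003-S4005: look up place, calendar and history, then derive the level."""
    row = db.execute(
        "SELECT p.auth_level FROM machine m JOIN place p "
        "ON p.place_id = m.install_place WHERE m.machine_id = ?",
        (machine_id,)).fetchone()
    if row is None:
        raise LookupError(f"unknown machine ID {machine_id}")
    base = row[0]                       # level of the installation place

    hhmm = now.strftime("%H:%M")
    cal = db.execute(
        "SELECT auth_mode FROM calendar "
        "WHERE day = ? AND t_start <= ? AND ? < t_end",
        (now.strftime("%Y-%m-%d"), hhmm, hhmm)).fetchone()
    mode = cal[0] if cal else "normal"  # no calendar row: default level
    if mode == "strict":
        return MAX_LEVEL                # strict: always the maximum
    if mode not in MODE_DELTA:
        raise ValueError(f"unknown authentication mode {mode!r}")
    level = base + MODE_DELTA[mode]

    last = db.execute(
        "SELECT success FROM history WHERE personal_id = ? "
        "ORDER BY auth_time DESC, rowid DESC LIMIT 1",
        (personal_id,)).fetchone()
    if last is not None:                # failure raises, success lowers
        level += -HISTORY_STEP if last[0] else HISTORY_STEP
    return max(1, min(MAX_LEVEL, level))


if __name__ == "__main__":
    db = build_db()
    t = datetime(2005, 5, 16, 11, 0)
    print("120-b, no history:", compute_level(db, 102, 11, t))
    record_result(db, 102, 10, datetime(2005, 5, 16, 10, 55), False, 2)
    print("120-b, after failure at 120-a:", compute_level(db, 102, 11, t))
```

All queries are parameterized, so the personal ID and machine ID received from an apparatus are never spliced into the SQL text.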

Next, a variation of the authentication processing of this embodiment described with FIG. 13 is explained with reference to FIG. 14. As above, in this variation the authentication apparatus 120-b performs authentication processing for a user 301 after the authentication apparatus 120-a has performed authentication processing for the same user 301.

Fig. 14 is a flowchart of a modification of the authentication processing performed by the security system of this embodiment. In this embodiment, when performing authentication processing the authentication device 120-a obtains from the authentication server 100 path information about the authentication devices 120 located on the paths along which the user 301 may pass authentication. The authentication device 120-a sends its own authentication result and the path information to the authentication devices 120 contained in the path information (in the example below, the authentication device 120-b). The authentication device 120-b receives the authentication result and path information sent to it and uses them to calculate the authentication level. With this configuration, the authentication device 120-b does not access the authentication management unit 106 of the authentication server 100 every time it needs an authentication level, so the amount of communication data can be reduced. Moreover, because the authentication level is calculated by the authentication device 120 rather than by the authentication management unit 106 of the authentication server, the computational load can be distributed. The flow of this processing is described below.

First, the authentication device 120-a performs the same processing as S4000 to S4001 described with Fig. 13: it obtains authentication data from the user 301 and determines the personal ID from the obtained authentication data (S5000 to S5001).

The authentication device 120-a then determines whether it holds path information (described later) associated with the determined personal ID (S5200). Path information is data that associates the results of the user 301's previous authentications and the information needed for authentication with each piece of personal information. The example here is the case where the authentication device 120-a is the first to authenticate the user 301. That is, the authentication device 120-a holds no path information for the user 301 received in S5000. The authentication device 120-a therefore determines that no path information is held and proceeds to S5002.

In S5002, as in S4002 described with Fig. 13, the personal ID and the machine ID set in each authentication device 120 are sent to the authentication management unit 106 of the authentication server 100.

On receiving the personal ID and machine ID, the authentication management unit 106 obtains from the DB management unit 105 the same information as in S4003 to S4004 of Fig. 13 ("installation place", "adjacent destination", "authentication level", "history information" and "calendar information"). Because the processing for obtaining the "installation place", "adjacent destination", "authentication level", "history information" and "calendar information" is the same as S4003 to S4004, its description is omitted here. The authentication management unit 106 then uses the obtained "adjacent destination" to identify the records in the machine table 1200 whose "installation place" is that "adjacent destination", and obtains the machine ID of each identified record. It then obtains the "installation place", "adjacent destination", "address" and "authentication level" corresponding to the obtained "machine ID" (S5003 to S5004). Specifically, the authentication management unit 106 searches the records registered in the machine table 1200 (Fig. 5) for records whose field 1204 holds the place ID of the obtained "adjacent destination". If the search finds such a record, the authentication management unit 106 obtains the "installation place", "adjacent destination" and "address" of the retrieved record. The authentication management unit 106 also searches the records registered in the place table 1100 (Fig. 4) for the record whose field 1101 holds the obtained "adjacent destination". It then generates adjacent destination information that associates the obtained "machine ID", "installation place", "adjacent destination", "authentication level" and "address" with the received "personal ID". The authentication management unit 106 further repeats the same steps recursively, generating adjacent destination information again from the "adjacent destination" contained in the adjacent destination information just generated. It collects these pieces of adjacent destination information to create the path information.

In this way, by using the machine table 1200 to look up the "machine ID", "installation place", "adjacent destination", "authentication level" and "address" of the authentication devices 120 installed at adjacent destinations, information can be created on the authentication devices 120 that are installed at places the user may pass through and that the user may operate.

When recursively generating adjacent destination information, the authentication management unit 106 may also obtain the department corresponding to the personal ID from the personal department information table 1700, obtain the use places corresponding to that department from the department table 1500, and terminate the recursive generation of adjacent destination information when no adjacent destination lies within the use places. Generation of adjacent destination information may also end when an adjacent destination has already been registered in the path information. The number of times adjacent destination information is generated may also be set to a fixed number. Alternatively, the end condition for generating adjacent destination information may be that a use place corresponding to the personal ID in the personal department information table 1700 matches the adjacent destination.

The determination of the use places corresponding to the personal ID may also be applied only when the user 301 has once completed authentication at a terminal. With this configuration, the user can enter other departments only after having entered the department to which the user belongs.
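The recursive generation of path information described above, together with its end conditions, as an added Python sketch; it is not code from the patent. The table rows, the addresses, the dictionary keys, the breadth-first order and the `next_hop_addresses` helper (a simplified reading of the lookup in S5011) are assumptions.

```python
from collections import deque

# Constructed sample of machine table 1200: each authentication device has an
# installation place and an adjacent destination (the place it admits users to).
MACHINE_TABLE = [
    {"machine_id": "120-a", "place": "outside", "adjacent": "lobby", "address": "192.0.2.10"},
    {"machine_id": "120-b", "place": "lobby", "adjacent": "admin", "address": "192.0.2.11"},
    {"machine_id": "120-c", "place": "lobby", "adjacent": "server-room", "address": "192.0.2.12"},
    {"machine_id": "120-d", "place": "admin", "adjacent": "dev", "address": "192.0.2.13"},
    {"machine_id": "120-e", "place": "dev", "adjacent": "lobby", "address": "192.0.2.14"},
]
# Constructed sample of place table 1100: place ID -> authentication level.
PLACE_LEVEL = {"lobby": 1, "admin": 2, "dev": 3, "server-room": 4}


def build_path_info(personal_id, start_machine_id, use_places, max_hops=3):
    """Collect adjacent destination information for the devices the user may reach next."""
    start = next(r for r in MACHINE_TABLE if r["machine_id"] == start_machine_id)
    queue = deque([(start["adjacent"], 1)])
    expanded = set()      # adjacent destinations already registered in the path information
    path_info = []
    while queue:
        place, hop = queue.popleft()
        # End conditions: destination already registered, or fixed repetition count reached.
        if place in expanded or hop > max_hops:
            continue
        expanded.add(place)
        for row in MACHINE_TABLE:
            if row["place"] != place:
                continue  # device is not installed at this adjacent destination
            if row["adjacent"] not in use_places:
                continue  # end condition: destination is outside the user's use places
            path_info.append({
                "personal_id": personal_id,
                "machine_id": row["machine_id"],
                "place": row["place"],
                "adjacent": row["adjacent"],
                "auth_level": PLACE_LEVEL[row["adjacent"]],
                "address": row["address"],
            })
            queue.append((row["adjacent"], hop + 1))
    return path_info


def next_hop_addresses(path_info, own_adjacent):
    """Addresses of the devices installed at this device's adjacent destination."""
    return [e["address"] for e in path_info if e["place"] == own_adjacent]


if __name__ == "__main__":
    info = build_path_info("u301", "120-a", {"lobby", "admin", "dev"})
    for entry in info:
        print(entry)
    print(next_hop_addresses(info, "lobby"))
```
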

The authentication management unit 106 calculates the authentication level from this information (S5005). Details of the calculation method are described later. Once the authentication level has been determined, the authentication management unit 106 sends the authentication level and the path information to the authentication device 120-a (S5006).

As in S4007 of Fig. 13, on receiving the authentication level and path information the authentication device 120-a performs the authentication processing corresponding to that authentication level (S5007) and grants the user 301 door-open standby permission (S5008). Details of the authentication processing are described later. After authenticating the user, the authentication device 120 sends the authentication result to the authentication management unit 106 (S5009). The authentication result contains whether authentication succeeded, the time of authentication, the personal ID, the machine ID and the result of the path judgment.

On receiving the authentication result, the authentication management unit 106 sends its content to the DB management unit 105, and the authentication history table 1900 in the DB is updated (S5010).

After sending the authentication result to the authentication management unit 106, the authentication device 120-a identifies the authentication devices 120 installed at the adjacent destination from the adjacent destination information corresponding to its own machine ID in the path information received in S5006. Here, the authentication device 120-b is identified as the device installed at the adjacent destination. The authentication device 120-a sends the authentication result and path information to the address of the authentication device 120-b (S5011). On obtaining the authentication result and path information, the authentication device 120-b stores them itself. After the authentication device 120-a has authenticated the user 301, the user 301 moves on and is next authenticated by the authentication device 120-b. The authentication processing performed by the authentication device 120-b is described below.

As in S5000 to S5001 above, the authentication device 120-b obtains authentication data from the user 301 and determines the personal ID from that data (S5100 to S5101). As above, the authentication device 120-b then determines whether it holds path information (described later) associated with the determined personal ID (S5200). Here, because it holds path information, the authentication device 120-b calculates the authentication level from that path information (S5201). Specifically, the authentication device 120-b obtains from the held path information the adjacent destination information corresponding to the personal ID determined in S5101 and to the machine ID of the authentication device 120-b. It then calculates the authentication level from the adjacent destination and the authentication result information corresponding to the personal ID.

The authentication device 120-b authenticates the user 301 according to the authentication level calculated in S5201 (S5107). It then sends the authentication result to the authentication management unit 106. The authentication device 120-b also sends the path information and authentication result to the adjacent authentication devices 120. The adjacent authentication devices 120 are determined by the same procedure as for the authentication device 120-a.

Next, the processing performed by each part of the security system of this embodiment is described in detail.

First, the processing by which the authentication management unit 106 of the authentication server 100 determines the authentication level according to the user and the authenticating machine is described using Fig. 15.

Fig. 15 is a flowchart of the processing by which the authentication management unit 106 of the authentication server 100 determines the authentication level corresponding to the user and the authenticating machine.

First, the authentication management unit 106 receives the pair of "personal ID" and "machine ID" output by an authentication device 120, or the pair of "personal ID" and "machine ID" output by a terminal (S601), and then proceeds to S602.

In S602, the authentication management unit 106 obtains the "place ID". Specifically, when a "machine ID" was received in S601, it identifies the record in the machine table 1200 (Fig. 5) that has the received "machine ID" and obtains the "place ID" registered in field 1204 of that record. When a "terminal ID" was received in S601, it identifies the record in the terminal table 1300 (Fig. 6) that has the received "terminal ID" and obtains the "place ID" registered in field 1303 of that record. After obtaining the "place ID", the authentication management unit 106 proceeds to S603.

In S603, the authentication management unit 106 uses the "personal ID" received in S601 to obtain the corresponding authentication history from the authentication history table 1900. Specifically, it obtains from the authentication history table 1900 the record that has the "personal ID" received in S601. When there are several authentication history records for the "personal ID", it obtains the record whose "authentication time" registered in field 1903 is the most recent.

Then, in S604, when a "machine ID" was received in S601, the authentication management unit 106 obtains from the machine table 1200 the "place ID" representing the "adjacent destination" (the place to which that authentication device 120 grants admission). Specifically, from the records registered in the machine table 1200, it obtains the "place ID" from field 1205, which registers the "adjacent destination" corresponding to the "place ID" obtained in S602. When the authentication management unit 106 received a terminal ID in S601, it uses the "place ID" obtained in S602 as the "place ID" of the "adjacent destination". This is because a terminal is not a device that decides whether to admit a user. That is, a terminal has no place corresponding to an "adjacent destination" (a place to which admission is granted). The terminal table 1300 therefore has no field for registering an "adjacent destination".

Furthermore, in this step the authentication management unit 106 may also perform the following processing (not shown) to prevent a user from entering a place for which the user has no authorization. Specifically, the authentication management unit 106 obtains from the personal department information table 1700 the use places corresponding to the "personal ID" obtained in S601. When the "use places" obtained from the personal department information table 1700 do not contain the "place ID" obtained in S602, the authentication management unit 106 sets the authentication level to "-1". It then sends that authentication level to the authentication operation unit 121 of the authentication device 120 (or terminal) that sent the information in step S601, and ends the authentication level calculation. This prevents the user from entering a place the user is not allowed to use. On the other hand, when the "use places" obtained from the personal department information table 1700 contain the "place ID" obtained in S602, the authentication management unit 106 proceeds to S605.

In S605, the authentication management unit 106 obtains from the place table 1100 (Fig. 4) the authentication level corresponding to the "place ID" obtained in S604. Specifically, it refers to the place table 1100, identifies the record that has the "place ID" obtained in S604, and obtains the "authentication level" value registered in field 1103 of that record. It then obtains from the business calendar table 1800 the authentication mode corresponding to the current time, and calculates the authentication level from the obtained "authentication level" and the authentication mode. More specifically, when the authentication mode is "open", the authentication management unit 106 lowers the obtained "authentication level". When the authentication mode is "alert", it raises the obtained "authentication level". When the authentication mode is "strict", it raises the "authentication level" to the maximum value.

In S606 to S614 that follow, the authentication management unit 106 corrects the authentication level calculated above using the user's path, the authentication history and so on.

In S606, the authentication management unit 106 checks the user's path. Specifically, it takes the machine ID of the authenticating machine from the authentication history obtained in S603 and obtains from the machine table 1200 the place ID of the adjacent destination corresponding to that machine ID. If the "place ID" obtained here matches the "place ID" obtained in S602, the path is judged correct; if they do not match, the path is judged incorrect. When the path is judged correct, the authentication management unit 106 proceeds to S609. When the path is judged incorrect, it proceeds to S607.

In S607, reached when the path is judged incorrect, the authentication management unit 106 performs error handling. Error handling sends a warning to the system administrator or saves an entry to the log. It also attempts to correct cases where something in the database is wrong. For example, when a "terminal ID" was received in S601 and a "place ID" was obtained in S602, the obtained "place ID" may be a value that does not exist in the place table 1100. In that case, the authentication management unit 106 confirms that field 1905 of the authentication history obtained in S603 is "OK", judges that the path up to that point was correct, and obtains the "machine ID" from field 1902. It identifies the record corresponding to that "machine ID" in the machine table 1200 and obtains the "place ID" of the adjacent destination from field 1205 of that record; this adjacent-destination "place ID" represents the place where the terminal is located. The authentication management unit 106 identifies the record in the terminal table 1300 that has the "terminal ID" received in S601, and updates the value of field 1303 of that record with the adjacent-destination "place ID".

In this way, once a user has registered an invalid value in field 1301 of the terminal table 1300 through the registration unit 107, the terminal's place is set automatically when a user uses the terminal. After finishing error handling, the authentication management unit 106 proceeds to S608.

In S608, the authentication management unit 106 raises the "authentication level" calculated in S605 by a fixed value. The value of the increase may be a specific value, or a value retrieved from a value stored in another table. In that case, the table consists of sets of judgment conditions, such as the path judgment or the authentication time judgment, together with the authentication place, authenticating machine, authentication device and so on.

Next, the processing that proceeds to S609 when the path is judged correct in S606 is described.

In S609, the authentication management unit 106 checks the authentication time using the current time and the authentication history obtained in S603. It compares the current time with the authentication time; when a fixed time or more has elapsed, it judges the user's behavior to be incorrect and proceeds to S610. When less than the fixed time has elapsed, it judges the user's behavior to be correct and proceeds to S612. This checks whether the user 301 has stayed at a place along the path for longer than necessary.

In S610, the authentication management unit 106 performs error handling and then proceeds to S611. The content of the error handling is the same as in S607 above. In S611, the authentication management unit 106 raises the authentication level; the value of the increase is determined by the same procedure as in S610.

Next, the processing that proceeds to S612 after the user's behavior is judged correct in S609 is described. In S612, the authentication management unit 106 checks the previous authentication result. It obtains the "authentication result" and "place judgment" registered in fields 1904 and 1905 of the authentication history record obtained in S603. When the "authentication result" is "OK" and the "place judgment" is "OK", the authentication management unit 106 proceeds to S614. In S614, it lowers the authentication level and then proceeds to S615.

On the other hand, when in S612 the "authentication result" and "place judgment" are both NG, the authentication management unit 106 proceeds to S613. In S613, it raises the authentication level according to the state of the "authentication result" and "place judgment".

After the authentication level has been determined as above, in S615 the authentication management unit 106 sends the authentication level to the authentication device 120 (or terminal). When the path information shown in Fig. 14 is used, it sends the path information together with the authentication level. After sending the authentication level and path information, the authentication management unit 106 registers the result of the path judgment (the judgment of S606) in the authentication history table 1900 as the personal ID, machine ID and place judgment; at this point the authentication result item is left blank and is filled in after authentication ends.
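The level calculation of Fig. 15 (S602 to S614) as an added Python sketch; it is not code from the patent. The table contents, the step size of 1, the 1 to 5 range, the 30-minute dwell limit, the "normal" mode name, skipping the corrections when no history exists, and the rule that S613 adds one step per NG item are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample tables; their roles follow the description, the values are assumptions.
PLACE_LEVEL = {"lobby": 1, "admin": 2, "dev": 3}      # place table 1100
MACHINE = {                                           # machine table 1200:
    "m-entrance": ("outside", "lobby"),               #   machine ID -> (installation place,
    "m-admin": ("lobby", "admin"),                    #                  adjacent destination)
    "m-dev": ("admin", "dev"),
}
USE_PLACES = {                                        # use places per personal ID
    "u301": {"outside", "lobby", "admin"},
    "u302": {"outside", "lobby"},
}
MIN_LEVEL, MAX_LEVEL, STEP = 1, 5, 1                  # assumed range and increment
MAX_DWELL = timedelta(minutes=30)                     # assumed "fixed time" of S609


@dataclass
class HistoryRecord:
    """Latest row of authentication history table 1900 for one personal ID."""
    machine_id: str
    auth_time: datetime
    auth_result: str       # "OK" or "NG"
    place_judgment: str    # "OK" or "NG"


def authentication_level(personal_id: str, machine_id: str, mode: str,
                         now: datetime, last: Optional[HistoryRecord] = None) -> int:
    install_place, destination = MACHINE[machine_id]            # S602 and S604
    # Optional check in S604: the place is not among the user's use places.
    if install_place not in USE_PLACES.get(personal_id, set()):
        return -1
    level = PLACE_LEVEL[destination]                            # S605: base level
    if mode == "open":
        level -= STEP
    elif mode == "alert":
        level += STEP
    elif mode == "strict":
        level = MAX_LEVEL
    if last is not None:
        previous_destination = MACHINE[last.machine_id][1]
        if previous_destination != install_place:               # S606: path incorrect
            level += STEP                                       # S607, S608
        elif now - last.auth_time >= MAX_DWELL:                 # S609: stayed too long
            level += STEP                                       # S610, S611
        elif last.auth_result == "OK" and last.place_judgment == "OK":
            level -= STEP                                       # S612 -> S614
        else:                                                   # S612 -> S613
            ng_items = [last.auth_result, last.place_judgment].count("NG")
            level += STEP * ng_items
    return max(MIN_LEVEL, min(MAX_LEVEL, level))                # level sent in S615


if __name__ == "__main__":
    t0 = datetime(2024, 1, 8, 9, 0)
    ok = HistoryRecord("m-entrance", t0, "OK", "OK")
    print(authentication_level("u301", "m-admin", "normal", t0 + timedelta(minutes=5), ok))
    print(authentication_level("u301", "m-dev", "normal", t0 + timedelta(minutes=5), ok))
```
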

Next, the processing performed when the authentication operation unit 121 of the authentication device 120 authenticates a user is described using Fig. 16.

Fig. 16 is a flowchart of the user authentication processing performed by the authentication device and the authentication operation unit 121 of this embodiment.

First, the authentication operation unit 121 obtains the authentication unit list. The authentication unit list is a list of the authentication units 122 available to the authentication device 120 and is registered in the authentication device 120 in advance. It is stored, for example, in a predetermined area of the nonvolatile memory 206 (see Fig. 2) of the authentication device 120. The authentication unit list consists of an "authentication ID" identifying each authentication unit and an "interface" for using the library functions of the authentication unit. The "interface" is a pointer to a function, that is, a function name. The "authentication ID" corresponds to the authentication ID in the authentication table, and the number of authentication units in the list corresponds to the authentication type in the machine table 1200. After obtaining the authentication unit list, the authentication operation unit 121 sets the authentication result to "0".

Then, in the loop shown as S702 to S711, the authentication operation unit 121 performs authentication processing for each authentication unit in the authentication unit list obtained in S701.

In S703, the authentication operation unit 121 determines whether the personal ID of the user 301 is set in the authentication device 120. Specifically, a personal ID table that maps authentication information one-to-one to users' "personal IDs" is stored in a predetermined area of the nonvolatile memory 206 of the authentication device 120, and the authentication operation unit 121 searches the personal ID table for the personal ID corresponding to the authentication information accepted from the user (for example, a card ID). When a personal ID corresponding to the accepted authentication information is found, the authentication operation unit 121 judges that a "personal ID" is registered. When no corresponding personal ID is found, it judges that no "personal ID" is registered. When it judges that the personal ID of the user 301 is not set, the authentication operation unit 121 proceeds to S705; when it judges that the personal ID of the user 301 is set, it proceeds to S704.

In S705, the authentication operation unit 121 sets the default authentication level and then proceeds to S707. The default authentication level is an authentication level registered in the authentication device 120 in advance. The registered level corresponds to the authentication level of the installation place of the authentication device 120 as registered in the machine table 1200 and the place table 1100. The default authentication level may be set in advance when the authentication device 120 is installed, or may be set by the authentication management unit 106 when the authentication device 120 is connected to the network. When the place table 1100 or the machine table 1200 changes, the authentication management unit 106 changes this value.

Next, when it is determined in S703 that the user's personal ID is set, processing proceeds to S704.

In S704, the authentication operation unit 121 determines whether the authentication level has already been obtained. If it has, processing proceeds to S707. If it has not yet been obtained, processing proceeds to S706.

In S706, the authentication operation unit 121 obtains the authentication level. The processing by which the authentication operation unit 121 obtains the authentication level differs between the case shown in Fig. 13, where route information is not used, and the case shown in Fig. 14, where route information is used.

When route information is not used, the authentication operation unit 121 performs the same processing as S4002 and S4006 of Fig. 13 and obtains the authentication level from the authentication management unit 106 of the authentication server 100. Specifically, the authentication operation unit 121 sends the pair consisting of the set personal ID and its own machine ID (or terminal ID) to the authentication management unit 106. The authentication management unit 106 calculates the authentication level and sends it to the authentication operation unit 121. The authentication operation unit 121 receives the authentication level sent by the authentication management unit 106.

In the example that uses route information, the authentication operation unit 121 checks whether it holds route information (S5200 of Fig. 14). If it does not hold route information, it performs the same processing as S5002 and S5006 of Fig. 14 and obtains the authentication level from the authentication management unit 106 of the authentication server 100.

On the other hand, when it holds route information, the authentication operation unit 121 performs the same processing as S5001 of Fig. 14 and calculates the authentication level. Specifically, when it holds route information, the authentication operation unit 121 uses the authentication result for the set personal ID received from another authentication device 120, and obtains from the route information the adjacent-destination information corresponding to its own machine ID and the personal ID, and the authentication result corresponding to the personal ID. From the adjacent-destination information the authentication operation unit 121 obtains the adjacent destination and the authentication level; from the authentication result it obtains the authentication time, the authentication result and the location judgment. As in S606 to S614 shown in Fig. 14, the authentication operation unit 121 uses this information to calculate and set the authentication level. If the authentication level is "-1", authentication is regarded as failed and processing moves to S710.

When no authentication result for the above personal ID has been received from another authentication device 120, the authentication operation unit 121 performs the same processing as S5002 and S5006 of Fig. 14 and obtains the authentication level from the authentication management unit 106 of the authentication server 100.

In S707, the authentication operation unit 121 performs authentication using an authentication unit 122 indicated in the authentication unit list. Here the machine authentication result is set; the machine authentication result level expresses the grade of the authentication result as a number and corresponds to the numerical value of the authentication level. The details of the authentication processing are described later.

In S708, the authentication operation unit 121 judges the authentication result and, when the judgment has been made, sets the authentication result. The content of this processing is described later with reference to Fig. 17.

In S709, the authentication operation unit 121 checks whether an authentication result has been set. If one has been set, the authentication operation unit 121 judges that the authentication unit 122 authenticated the user correctly and proceeds to S710. If none has been set, it judges that the user was not authenticated by the authentication unit 122 and proceeds to S711.

In S710, the authentication operation unit 121 performs authentication completion processing. When completion processing is performed, authentication may end without using all of the authentication units 122 in the authentication list obtained in S701. In that case the unused authentication units 122 do not need to obtain the necessary authentication information from the authentication management DB 1003 of the authentication server 100, so communication traffic can be reduced.

For example, when the authentication device 120 is attached to a door, the authentication completion processing of S710 is opening the door. When the authentication device 120 is installed as a stand-alone unit, there is nothing special to do. Such a machine only performs authentication, and its authentication result is reflected in the authentication level applied when the user later authenticates with another authentication device 120. In this way it can perform authentication in place of a machine that lacks the function of the authentication unit 122. When the authenticating machine is a terminal, appropriate services such as log-on to the terminal or access to a specific server are provided to the user.

In S711, the authentication operation unit 121 determines whether the authentication processing of all authentication units 122 in the authentication unit list obtained in S701 has finished. If an authentication unit 122 that has not yet performed authentication processing remains, processing returns to S702 and that authentication unit 122 performs authentication processing. If the authentication processing of all authentication units 122 in the list obtained in S701 has finished (that is, all authentication units 122 have run and the user has not been authenticated), processing proceeds to S712.

In S712, the authentication operation unit 121 sends the authentication result information of S710 or S711 to the authentication management unit 106. When route information exists, it obtains from the route information the adjacent-destination information corresponding to its own machine ID and sends the route information and the authentication result information to that adjacent destination. On receiving the authentication result information, the authentication management unit 106 checks, in the authentication history table 1900, the field corresponding to the personal ID and to the machine ID of the authenticating-machine item, and updates the field if the authentication result is blank.

Next, the processing of S708 performed by the authentication operation unit 121 is described with reference to Fig. 17. Fig. 17 is a flowchart of the authentication result determination processing performed by the authentication operation unit 121 of this embodiment.

First, the authentication operation unit 121 obtains the machine authentication setting level set by the authentication unit 122 (S801) and proceeds to S802. In S802, the authentication operation unit 121 obtains the stored authentication result level and proceeds to S803.

In S803, the authentication operation unit 121 calculates a new authentication result level from the machine authentication setting level and the authentication result level obtained in S801 and S802. The calculation procedure for the new authentication result level is not particularly limited. Here, the reliability level corresponding to the authentication ID of the authentication unit 122 is multiplied by the authentication result level obtained in S802, and the product is added to the authentication result level obtained in S802.

The reliability level is the value of the field corresponding to the machine ID in the authentication table 1400. This value may be set in advance when the authentication device 120 is installed, or may be set by the authentication management unit 106 when the authentication device 120 is connected to the network. When the authentication table 1400 changes, the authentication management unit 106 changes the value.

In S804, the authentication operation unit 121 saves the authentication result calculated in S803 in the authentication device 120 (stored in a prescribed area of the main memory 203 and the nonvolatile memory 206) and then proceeds to S805.

In S805, the authentication operation unit 121 determines whether the authentication result level saved in S804 is greater than the authentication level set in S705 (Fig. 16) or S706. If the authentication result level saved in S804 is greater than the authentication level set in S705 or in S706, authentication is judged successful and processing proceeds to S806. If the saved authentication result level is less than the authentication level set in S705 or in S706, authentication is judged to have failed and processing ends.

When authentication is judged successful, processing proceeds to S806 and the authentication operation unit 121 sets the authentication result.

In S805, even when authentication is judged to have failed, the authentication operation unit 121 also sets the authentication result as long as the difference between the authentication result level saved in S804 and the authentication level set in S705 or S706 is within a fixed value. In this case "NG" is entered in the authentication result field, but the authentication operation unit 121 performs the authentication completion processing. The authentication level is then raised for the next authentication. However, when authentication is processed at a terminal, or when the system is applied to an apartment building and the adjacent destination of the authentication device 120 is inside a dwelling unit, this processing is not performed. The reason is that, under this kind of authentication, no authentication device is installed at the destination, so the substitute authentication cannot be carried out afterwards.

Next, the authentication processing performed by the authentication device 120 of this embodiment is described, taking card authentication and biometric authentication as examples.

First, an example of card authentication is described with reference to Fig. 18.

Fig. 18 is a flowchart of the processing of the authentication unit 122 when the authentication device 120 of this embodiment performs card authentication. Here, the authentication unit 122 is connected to a card reader 211 (see Fig. 2) that reads information stored in a card (for example, an IC card). The card stores a card ID uniquely assigned to identify the card. In this embodiment the specific configuration of the card reader 211 is not particularly limited; for example, the card reader 211 may be a contactless reader or a contact reader.

First, the authentication unit 122 waits for a card to be brought near the card reader 211 or inserted into it (S901). Once a card is brought near the card reader 211 or inserted, the authentication unit 122 reads the card ID stored in the card through the card reader 211 (S902). Specifically, the card reader 211 reads the card ID stored in the card and sends it to the authentication unit 122. The authentication unit 122 receives the card ID sent by the card reader 211.

Next, the authentication unit 122 determines whether the reading of the card ID in S902 succeeded. If reading failed, the authentication unit 122 proceeds to S907; if reading succeeded, it proceeds to the processing of S904 (S903).

In S907, the authentication unit 122 sets the machine authentication result level to "0.3" and then ends the processing.

Here, the machine authentication result level is assumed, as an example, to take values in the range "0" to "1". The authentication unit 122 multiplies this machine authentication result level by the "reliability level" preset in the authentication unit 122 and thereby determines which authentication level it corresponds to. Although a specific value is set for the machine authentication result level here, it may instead be obtained from a table of such values. The authentication management unit 106 of the authentication server 100 can rewrite that table, so that the machine authentication result level can be changed later.

Next, the processing of S904, reached when reading of the card ID succeeded in S903, is described. In S904, the authentication unit 122 searches for the personal ID corresponding to the read card ID. Specifically, the authentication unit 122 searches the personal ID table described above for the entry corresponding to the read card ID. If the search finds no entry for the read card ID, the authentication unit 122 sends the pair of the card ID and its own authentication ID to the authentication management unit 106 to query the personal ID. On receiving the query from the authentication unit 122, the authentication management unit 106 obtains the authentication name corresponding to the authentication ID from the authentication table 1400 (Fig. 7). The authentication management unit 106 identifies, among the records registered in the personal authentication information table 1600 (Fig. 9), the record that has the received card ID, and obtains the information of that record corresponding to the authentication name and the personal ID. For example, when the obtained authentication name is "password", the authentication unit 122 obtains the personal ID of the identified record and the information representing the password. The authentication management unit 106 sends the information of the identified record corresponding to the authentication name and the personal ID to the authentication unit 122.

On obtaining the personal ID, the authentication unit 122 saves the pair of personal ID and card ID in the personal ID table in the nonvolatile memory 206 of the authentication device 120. When the information corresponding to the authentication name and the personal ID cannot be retrieved from the card ID and authentication ID that were sent, the authentication management unit 106 notifies the authentication unit 122 to that effect.

In S905, the authentication unit 122 determines whether a personal ID has been obtained. If none was found, the machine authentication result level is set to "0.6" in S908. If a personal ID was found, the personal ID is set in the authentication device 120 and the authentication result level is set to "1.0".

Thus, in this embodiment, when reading data from the card (IC card) fails, or when authentication with the card ID read from the card does not succeed, the attempt is not judged a failure at this stage; a prescribed authentication result is given instead (S907, S908). Therefore, even when "reading the card ID" fails or "no personal ID is found", the user may still be authenticated depending on the location (area) where the authentication device is installed, the time at which authentication was performed, and so on. When many people perform authentication processing at the same time, as during commuting hours, this reduces the congestion caused by failed authentication processing. Even so, for authentication processing for admission to a location (area) that requires a high security level, setting the authentication level high still ensures the prescribed security level.

Next, an example of biometric authentication is described with reference to Fig. 19.

Fig. 19 is a flowchart of the processing of the authentication unit 122 when the authentication device 120 of this embodiment performs biometric authentication. Here, the authentication unit 122 is connected to the biometric authentication device 212.

First, the authentication unit 122 performs processing to set the authentication parameter (S1001). Starting from the value of the fractional part of the authentication level set in S705 or S706 shown in Fig. 16, it converts the authentication parameter into a form that matches the authentication unit 122.

In S1002, the authentication unit 122 determines whether a personal ID is set. If a personal ID is already set, the authentication unit 122 performs the processing from S1003 onward, in which it carries out authentication processing based on the authentication information corresponding to the personal ID. If no personal ID is set, the authentication unit 122 performs the processing from S1011 onward, in which it carries out authentication processing using the authentication information stored in the authentication device 120. The processing from S1003 onward and the processing from S1011 onward are described separately below.

In the processing from S1003 onward, the authentication unit 122 first, in S1003, searches for the template, that is, the authentication information used for biometric authentication. The search is first made in the table, stored in the authentication device 120, that maps personal IDs to templates. If the template is not present in the authentication device 120, the authentication unit 122 sends the pair of the personal ID and its own authentication ID to the authentication management unit 106 to request the template. On receiving the query from the authentication unit 122, the authentication management unit 106 obtains the authentication name corresponding to the authentication ID from the authentication table 1400. Using the received personal ID and the obtained authentication name, the authentication management unit 106 obtains the information corresponding to the authentication name and the personal ID from the personal authentication information table 1600. Specifically, the authentication management unit 106 identifies, among the records registered in the personal authentication information table 1600 (Fig. 9), the record having the received "personal ID", and obtains the "authentication name" information of that record. For example, when the obtained authentication name is "fingerprint", the authentication management unit 106 obtains the template representing the fingerprint information of the identified record. The authentication management unit 106 returns the information of the identified record corresponding to the authentication name and the personal ID to the authentication unit 122.

The authentication unit 122 receives the information (template) corresponding to the authentication name and the personal ID, and saves the pair of personal ID and template in the authentication device 120, for example in a prescribed area of the main memory 203 and the nonvolatile memory 206 of the authentication device 120.

In S1004, the authentication unit 122 determines whether a template was found. If no template was found, the authentication unit 122 proceeds to S1007. In S1007, it sets the machine authentication result level to "0.2" and then ends the processing. If a template was found, the authentication unit 122 proceeds to S1005.

In S1005, the authentication unit 122 matches the information obtained from the user 301 against the template; the authentication parameter set in S1001 is applied in this matching.

In S1006, the authentication unit 122 determines whether the matching succeeded. If the matching is judged to have failed, the authentication unit 122 proceeds to S1008. If it is judged to have succeeded, processing proceeds to S1009.

In S1008, the authentication unit 122 sets the machine authentication result level to "0.8" and then ends the processing. In S1009, reached when the matching is judged successful, the authentication unit 122 sets the machine authentication result level to "1.0" and then ends the processing.

Next, the processing from S1011 onward, reached when S1002 determines that no personal ID has been set yet, is described.

In S1011, the authentication unit 122 obtains the templates stored in the authentication device 120 and makes a list of them. Then, in S1012, the authentication unit 122 changes the authentication parameter so as to raise the authentication level. This is to reduce the probability, present when the authentication level is low, of matching another person's template.

Next, the authentication unit 122 performs the loop processing shown in S1013 to S1015 and S1018 on each template in the list.

In S1014, the information obtained from the user is matched against the template; the authentication parameter set in S1012 is applied in this matching. Then, in S1015, it is determined whether the matching succeeded. If it succeeded, the machine authentication result level is set to "0.8" in S1016. If it failed, the loop processing shown in S1013 to S1015 and S1018 continues. If the matching still has not succeeded by the time the loop of S1013 ends, the machine authentication result level is set to "0.4" in S1017.

In the case of password authentication at a terminal, the authentication unit 122 receives the "user name" and "password" that the user enters through an input device such as a keyboard. When the received pair of "user name" and "password" matches the user name and password obtained from the personal authentication table 1600 via the authentication management unit 106, or matches a user name and password pair stored in the authentication unit 122, the authentication unit 122 judges authentication successful and sets the machine authentication result level to "1.0". On failure, it sets the authentication result level to "0.0".

The above describes the processing for card authentication, biometric authentication and password authentication; the same processing is also performed for other authentication methods such as face authentication and iris authentication.
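The level arithmetic of Figs. 16 to 19, as an added Python example that is not part of the patent text. It assumes S803 means the stored result level plus reliability level times the machine authentication result level (the reading that matches the card-authentication paragraph); the reliability levels, required levels, the 0.2 margin, the IDs and all function names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Machine authentication result levels quoted in the description.
CARD_READ_FAILED, CARD_ID_UNKNOWN, CARD_OK = 0.3, 0.6, 1.0    # S907, S908, ID found
BIO_NO_TEMPLATE, BIO_MISMATCH, BIO_MATCH = 0.2, 0.8, 1.0      # S1007, S1008, S1009


def card_level(card_id: Optional[str],
               personal_ids: Dict[str, str]) -> Tuple[float, Optional[str]]:
    """Fig. 18: a bad card read is graded, not rejected outright."""
    if card_id is None:                        # S903: reading the card ID failed
        return CARD_READ_FAILED, None
    personal_id = personal_ids.get(card_id)    # S904 (server query omitted)
    if personal_id is None:                    # S905 -> S908
        return CARD_ID_UNKNOWN, None
    return CARD_OK, personal_id


def fingerprint_level(sample: str, template: Optional[str]) -> float:
    """Fig. 19, S1004-S1009; matching is reduced to string equality here."""
    if template is None:
        return BIO_NO_TEMPLATE
    return BIO_MATCH if sample == template else BIO_MISMATCH


@dataclass
class Outcome:
    result: Optional[str]     # "OK", "NG" (completed inside the margin) or None
    level: float              # accumulated authentication result level
    units_used: int           # authentication units actually run
    raise_next_level: bool    # stricter level at the user's next authentication


def judge(level: float, required: float, margin: float,
          margin_allowed: bool) -> Optional[str]:
    """S805/S806: compare the accumulated level with the required level."""
    if level > required:
        return "OK"
    # Not greater (the description leaves level == required unspecified; it is
    # treated as not greater here). Authentication still completes, recorded
    # as "NG", when the shortfall is within a fixed value. The description
    # disables this for terminals and for doors leading into a dwelling unit.
    if margin_allowed and required - level <= margin:
        return "NG"
    return None


def authenticate(required: float,
                 units: List[Tuple[float, Callable[[], float]]],
                 margin: float = 0.2,          # constructed value
                 margin_allowed: bool = True) -> Outcome:
    """Fig. 16 S702-S711 with the Fig. 17 judgment inside the loop.

    units: (reliability level, function returning the machine level).
    """
    level = 0.0
    for used, (reliability, run_unit) in enumerate(units, start=1):
        # S803, assumed reading: stored level + reliability * machine level.
        level += reliability * run_unit()
        result = judge(level, required, margin, margin_allowed)
        if result is not None:                 # S709 -> S710, later units skipped
            return Outcome(result, level, used, result == "NG")
    return Outcome(None, level, len(units), False)   # S711 -> S712


if __name__ == "__main__":
    ids = {"CARD-0001": "P-17"}                # constructed personal ID table
    card = lambda cid: (1.0, lambda: card_level(cid, ids)[0])
    finger = lambda s: (1.0, lambda: fingerprint_level(s, "tmpl-P-17"))
    for name, required, units in [
        ("lobby, unreadable card", 0.2, [card(None)]),
        ("office, good card", 1.1, [card("CARD-0001"), finger("tmpl-P-17")]),
        ("server room, good card + finger", 1.5,
         [card("CARD-0001"), finger("tmpl-P-17")]),
        ("server room, unknown card + wrong finger", 1.5,
         [card("CARD-9999"), finger("other")]),
    ]:
        print(name, authenticate(required, units))
```

Because failed reads and failed matches still contribute 0.2 to 0.8, the required level and the margin are the only controls: in the last constructed case an unknown card plus a non-matching fingerprint reaches 1.4 and completes as "NG" against a required level of 1.5 unless the margin is disabled for that door.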

The present invention is not limited to the embodiment described above, and various modifications are possible within the scope of its gist. For example, when user authentication is judged to have failed, the authentication device 120 may still permit the user to enter and set a strict authentication level for when that user authenticates with another authentication device 120 inside the facility. With this configuration, congestion caused by users repeating authentication processing can be eased at places such as a facility entrance (main gate) where users concentrate temporarily, as during commuting hours. Because the user's next authentication processing is performed at the strict authentication level, security can be ensured.

Some authentication devices 120 are installed at doors that cannot be reached unless another authentication device 120 has first permitted entry. When an authentication device 120 is installed at such a door, the user's authentication history is checked when the authentication level is set, and if there is no authentication history, the authentication level may be set to a high value.

Claims (12)

1. A security system comprising a plurality of authentication devices and an authentication server connected to the authentication devices via a network, characterized in that:
the authentication device stores in advance personal information in which, for each piece of authentication information that authenticates a user, personal identification information identifying that user is associated, and machine identification information identifying the device itself;
the authentication device comprises:
an authentication information accepting unit that accepts input of authentication information from a user;
a unit that uses the stored personal information to determine the personal identification information corresponding to the accepted authentication information;
a sending unit that sends the determined personal identification information and the stored machine identification information to the authentication server;
a unit that receives an authentication criterion, indicating the precision of authentication processing, sent by the authentication server in response to the sent personal identification information and machine identification information; and
an authentication unit that performs authentication processing of the user using the accepted authentication information, the personal information and the received authentication criterion;
the authentication server comprises:
a unit that stores machine information in which each piece of machine identification information is associated with location information indicating the area where the authentication device indicated by that machine identification information is installed or the area to which the authentication device permits users to enter, authentication information in which each piece of location information is associated with the authentication processing precision determined for the area indicated by that location information, calendar information in which each date and time period is associated with an authentication processing precision, and authentication history information in which each piece of personal identification information is associated with the authentication results of past authentication processing for the user indicated by that personal identification information;
a receiving unit that receives the personal identification information and machine identification information sent from the authentication device;
a calculation unit that calculates the authentication criterion, using the received personal identification information and machine identification information, the stored machine information, the authentication information, the calendar information and the authentication history information; and
a sending unit that sends the calculated authentication criterion to the authentication device that sent the personal identification information and machine identification information.
2. The security system according to claim 1, characterized in that the calculation unit: uses the machine information to determine the location information corresponding to the received machine identification information; uses the authentication information to determine the authentication processing precision set for the area indicated by the determined location information; uses the calendar information to determine the authentication processing precision corresponding to the current date and time period; obtains the authentication criterion from the authentication processing precision determined for the area indicated by the location information and the authentication processing precision corresponding to the date and time period; and, when an authentication result corresponding to the received personal identification information exists in the stored authentication history, corrects the value of the obtained authentication criterion using that authentication result.
3. The security system according to claim 2, characterized in that the authentication result contains information indicating whether the authentication processing succeeded; and the calculation unit makes a correction that decreases the value of the obtained authentication criterion when the authentication result contains information indicating that the authentication processing succeeded, and makes a correction that increases the value of the obtained authentication criterion when it contains information indicating that the authentication processing failed.
4. The security system according to claim 2, characterized in that the authentication result contains information indicating the date and time at which the authentication processing was performed; and the calculation unit obtains the time difference between the date and time of the authentication processing contained in the authentication result and the current date and time and, when that time difference is greater than a prescribed time, makes a correction that increases the value of the obtained authentication criterion.
5. The security system according to any one of claims 1 to 4, characterized in that the authentication device has a transmitting unit that transmits to the authentication server an authentication history in which the authentication result of the authentication processing performed by the authentication unit is associated with the determined personal identification information; and the authentication server has an updating unit that receives the authentication history sent by the authentication device and updates the stored authentication history information with the received authentication history.
6. The security system according to claim 4, characterized in that:
the authentication device has a transmitting unit that transmits to the authentication server an authentication history in which the authentication result of the authentication processing performed by the authentication unit is associated with the determined personal identification information;
the authentication server has an updating unit that receives the authentication history sent by the authentication device and updates the stored authentication history information with the received authentication history;
the authentication unit of the authentication device judges whether the authentication information accepting unit succeeded in accepting the authentication information;
when the acceptance of the authentication information is judged to have failed, it sets a first value as the value for judging the success or failure of the authentication processing;
when the acceptance of the authentication information is judged to have succeeded, it further judges whether personal identification information corresponding to the accepted authentication information exists in the personal information;
when the result of that judgment is that no personal identification information corresponding to the accepted authentication information exists, it sets a second value, higher than the first value, as the value for judging the success or failure of the authentication processing;
when the personal identification information exists, it sets a third value, higher than the second value, as the value for judging the success or failure of the authentication processing; and
it compares the received authentication criterion with the value set for judging the success or failure of the authentication processing to judge whether the authentication processing succeeded.
7. A security system having a plurality of authentication devices and an authentication server connected to the authentication devices via a network, characterized in that:
each authentication device stores in advance personal information, in which the authentication information of each user to be authenticated is associated with personal identification information identifying that user, and machine identification information identifying the device itself;
the authentication device comprises:
a unit that accepts input of authentication information from a user;
a unit that uses the stored personal information to determine the personal identification information corresponding to the accepted authentication information;
a transmitting unit that transmits the determined personal identification information and the stored machine identification information to the authentication server;
a receiving unit that receives an authentication criterion, representing the precision of authentication processing, which the authentication server sends in response to the transmitted personal identification information and machine identification information; and
an authentication unit that performs authentication processing judging whether to permit the user to enter a prescribed area, using the accepted authentication information, the stored personal information and the received authentication criterion;
the authentication server comprises:
a receiving unit that receives the personal identification information and machine identification information sent from the authentication device;
a unit that stores machine information, in which each item of machine identification information is associated with installation location information indicating the area where the authentication device indicated by that machine identification information is installed, and with location information indicating an area to which that authentication device permits users admission and which adjoins the area where the authentication device is installed;
a unit that stores authentication information, in which each item of location information is associated with the authentication processing precision determined for the area indicated by that location information;
a unit that stores calendar information, in which each date and time period is associated with an authentication processing precision;
a unit that stores authentication history information, in which each item of personal identification information is associated with the authentication results of past authentication processing for the user indicated by that personal identification information;
a calculation unit that calculates the authentication criterion using the received personal identification information and machine identification information, the stored machine information, the authentication information, the calendar information and the authentication history information; and
a unit that transmits the calculated authentication criterion to the authentication device that sent the personal identification information and machine identification information;
the authentication result contains the machine identification information of the authentication device that performed the authentication processing;
the calculation unit comprises:
a unit that uses the machine information to determine the location information, indicating the adjoining area, that corresponds to the received machine identification information, uses the authentication information to determine the authentication processing precision set for the area indicated by the determined location information, uses the calendar information to determine the authentication processing precision corresponding to the current date and time period, and calculates the authentication criterion from the authentication processing precision determined for the area indicated by the location information and the authentication processing precision corresponding to the date and time period;
a unit that, when an authentication result corresponding to the received personal identification information exists in the stored authentication history, judges whether the user has passed along the correct path, using the machine identification information contained in the authentication result, the received machine identification information and the stored machine information; and
a unit that, when the judgment is that the user has not passed along the correct path, makes a correction that increases the value of the calculated authentication criterion.
8. The security system according to claim 7, characterized in that the unit that judges whether the user has passed along the correct path obtains from the stored machine information the location information corresponding to the machine identification information contained in the authentication result and the installation location information corresponding to the received machine identification information, judges that the user is passing along the correct path when the obtained location information and installation location information indicate the same area, and judges that the user has not passed along the correct path when they do not indicate the same area.
9. The security system according to claim 7, characterized in that:
the machine information associates each item of machine identification information with the network address, on the network, of the authentication device indicated by that machine identification information;
the authentication server uses the received machine identification information and the stored machine information to select the machine identification information, installation location information, location information and network address of the authentication devices installed in an area through which the user may pass; uses the authentication information to determine the authentication processing precision set for the area indicated by the determined location information; and includes a unit that calculates path information in which each selected item of machine identification information is associated with the installation location information, location information, network address, authentication precision and personal identification information;
the unit that transmits the authentication criterion transmits the calculated path information to the authentication device together with the authentication criterion;
the authentication device comprises:
a unit that receives and stores the path information sent by the authentication server;
a unit that transmits the authentication result produced by the authentication unit and the path information to the authentication devices at the network addresses contained in the path information;
a unit that receives and stores the authentication results and path information sent by other authentication devices;
a unit that, when the personal identification information has been determined, judges whether the stored path information and authentication results both contain the determined personal identification information; and
a unit that performs authentication processing, which, when the judgment is that neither the path information nor the authentication result contains the determined personal identification information, transmits the personal identification information and the machine identification information to the authentication server via the transmitting unit, and, when they contain the determined personal identification information, calculates an authentication criterion from the stored machine identification information, the path information and the authentication result and causes the authentication unit to perform authentication processing with the calculated authentication criterion.
10. An authentication server connected to a plurality of authentication devices via a network, characterized in that:
each authentication device transmits machine identification information identifying itself and personal identification information identifying a user to the authentication server, receives an authentication criterion, representing the precision of authentication processing, which the authentication server sends in response to the transmitted personal identification information and machine identification information, and performs authentication processing of that user using the received authentication criterion;
the authentication server comprises:
a unit that stores machine information, in which each item of machine identification information is associated with location information indicating the area where the authentication device indicated by that machine identification information is installed or the area to which that authentication device permits users admission; authentication information, in which each item of location information is associated with the authentication processing precision determined for the area indicated by that location information; calendar information, in which each date and time period is associated with an authentication processing precision; and authentication history information, in which each item of personal identification information is associated with the authentication results of past authentication processing for the user indicated by that personal identification information;
a unit that receives the personal identification information and machine identification information sent from the authentication device;
a calculation unit that calculates the authentication criterion using the received personal identification information and machine identification information, the stored machine information, the authentication information, the calendar information and the authentication history information; and
a unit that transmits the calculated authentication criterion to the authentication device that sent the personal identification information and machine identification information.
11. An authentication method performed by an authentication server connected to a plurality of authentication devices via a network, characterized in that:
each authentication device transmits machine identification information identifying itself and personal identification information identifying a user to the authentication server, receives an authentication criterion, representing the precision of authentication processing, which the authentication server sends in response to the transmitted personal identification information and machine identification information, and performs authentication processing of that user using the received authentication criterion;
the authentication server includes a storage unit that stores machine information, in which each item of machine identification information is associated with location information indicating the area where the authentication device indicated by that machine identification information is installed or the area to which that authentication device permits users admission; authentication information, in which each item of location information is associated with the authentication processing precision determined for the area indicated by that location information; calendar information, in which each date and time period is associated with an authentication processing precision; and authentication history information, in which each item of personal identification information is associated with the authentication results of past authentication processing for the user indicated by that personal identification information;
the authentication method performs the steps of:
receiving the personal identification information and machine identification information sent from the authentication device;
calculating the authentication criterion using the received personal identification information and machine identification information, the stored machine information, the authentication information, the calendar information and the authentication history information; and
transmitting the calculated authentication criterion to the authentication device that sent the personal identification information and machine identification information.
12. A user authentication method performed by a security system having a plurality of authentication devices and an authentication server connected via a network, characterized in that:
the authentication device performs the steps of:
accepting input of authentication information from a user;
determining the personal identification information corresponding to the accepted authentication information, using personal identification information stored in advance in association with authentication information;
transmitting the determined personal identification information and the machine identification information, stored in advance, that identifies the device itself to the authentication server;
receiving an authentication criterion, representing the precision of authentication processing, which the authentication server sends in response to the transmitted personal identification information and machine identification information;
performing authentication that judges whether to permit the user to enter a prescribed area, using the accepted authentication information, the stored personal information and the received authentication criterion; and
transmitting to the authentication server an authentication history in which the result of the authentication processing is associated with the determined personal identification information and the machine identification information identifying the device itself;
the authentication server comprises a unit that stores machine information, in which each item of machine identification information is associated with installation location information indicating the area where the authentication device indicated by that machine identification information is installed, and with location information indicating an area to which that authentication device permits users admission and which adjoins the area where the authentication device is installed; authentication information, in which each item of location information is associated with the authentication processing precision determined for the area indicated by that location information; calendar information, in which each date and time period is associated with an authentication processing precision; and authentication history information, in which each item of personal identification information is associated with the authentication results of past authentication processing for the user indicated by that personal identification information;
the authentication method further performs:
a step of receiving the personal identification information and machine identification information sent by the authentication device;
a calculation step of calculating the authentication criterion using the received personal identification information and machine identification information, the stored machine information, the authentication information, the calendar information and the authentication history information;
a step of transmitting the calculated authentication criterion to the authentication device that sent the personal identification information and machine identification information; and
a step of receiving the authentication history sent by the authentication device and updating the stored authentication history information with the received authentication history;
the calculation step has the steps of:
using the machine information to determine the location information, indicating the adjoining area, that corresponds to the received machine identification information, using the authentication information to determine the authentication processing precision set for the area indicated by the determined location information, using the calendar information to determine the authentication processing precision corresponding to the current date and time period, and calculating the authentication criterion from the authentication processing precision determined for the area indicated by the location information and the authentication processing precision corresponding to the date and time period;
when a result of authentication processing corresponding to the received personal identification information exists in the stored authentication history, judging whether the user is passing along the correct path, using the machine identification information contained in the authentication result, the received machine identification information and the stored machine information; and
when the judgment is that the user has not passed along the correct path, correcting the calculated authentication criterion.
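The server-side calculation described in claims 2 to 4, 7 and 8, as an added Python example (not code from the patent). The table contents, the integer precision scale, taking the stricter of the area and calendar levels, the step size, the eight-hour window, and withholding the success reduction whenever a penalty applies are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Everything below is constructed sample data, not values from the patent.
# Precision levels are integers; a higher number means a stricter check (assumption).


@dataclass(frozen=True)
class Machine:
    install_area: str  # area where the authentication device is installed
    admit_area: str    # adjoining area the device admits users into


@dataclass(frozen=True)
class AuthResult:
    machine_id: str    # device that performed the previous authentication
    succeeded: bool
    at: datetime


# Machine information: machine identification -> installation / admitted area.
MACHINE_INFO = {
    "door-lobby": Machine("street", "lobby"),
    "door-office": Machine("lobby", "office"),
    "door-server": Machine("office", "server-room"),
}
# Authentication information: area -> precision required for that area.
AREA_PRECISION = {"lobby": 1, "office": 2, "server-room": 4}

STALE_AFTER = timedelta(hours=8)  # the "prescribed time" of claim 4 (assumed value)
STEP = 1                          # size of one correction (assumed value)
MIN_LEVEL, MAX_LEVEL = 1, 6       # bounds of the scale (assumed values)


def calendar_precision(now):
    """Calendar information: precision for the current date and time period."""
    if now.weekday() >= 5:   # Saturday or Sunday
        return 3
    if 8 <= now.hour < 19:   # weekday working hours
        return 1
    return 3                 # weekday night


def on_correct_path(previous_machine_id, current_machine_id):
    """Claim 8: the area admitted by the previous device must be the area
    in which the current device is installed."""
    previous = MACHINE_INFO.get(previous_machine_id)
    current = MACHINE_INFO[current_machine_id]
    return previous is not None and previous.admit_area == current.install_area


def authentication_criterion(person_id, machine_id, history, now):
    """Return the criterion the server sends back to the requesting device.

    history maps personal identification -> most recent AuthResult.
    """
    machine = MACHINE_INFO.get(machine_id)
    if machine is None:
        # Fail closed: no criterion is issued to an unregistered device.
        raise ValueError(f"unregistered authentication device: {machine_id!r}")

    # Claims 2 and 7: start from the area level and the calendar level.
    # Taking the stricter of the two is this example's choice.
    base = max(AREA_PRECISION[machine.admit_area], calendar_precision(now))

    last = history.get(person_id)
    if last is None:
        return base  # no history for this person: no correction

    penalty = 0
    if not last.succeeded:                                   # claim 3, failure
        penalty += STEP
    if now - last.at > STALE_AFTER:                          # claim 4, old result
        penalty += STEP
    if not on_correct_path(last.machine_id, machine_id):     # claims 7 and 8
        penalty += STEP

    # Claim 3, success: relax the criterion, but only when nothing above
    # raised a concern (design choice of this example).
    level = base - STEP if penalty == 0 else base + penalty
    return max(MIN_LEVEL, min(MAX_LEVEL, level))
```

A request at `door-server` from someone whose last recorded authentication was at `door-lobby` is raised rather than relaxed, because no record shows that person passing `door-office` on the way.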
CN 200510072190 2004-11-19 2005-05-23 Safety system, identifying server, identifying method and program CN100454325C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2004-335731 2004-11-19
JP2004335731A JP4574335B2 (en) 2004-11-19 2004-11-19 Security system, authentication server, authentication method, and program

Publications (2)

Publication Number Publication Date
CN1776704A CN1776704A (en) 2006-05-24
CN100454325C true CN100454325C (en) 2009-01-21

Family

ID=36625611

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200510072190 CN100454325C (en) 2004-11-19 2005-05-23 Safety system, identifying server, identifying method and program

Country Status (2)

Country Link
JP (1) JP4574335B2 (en)
CN (1) CN100454325C (en)

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4956096B2 (en) 2006-08-30 2012-06-20 東芝ソリューション株式会社 Authentication system and apparatus
JP2008171027A (en) 2007-01-05 2008-07-24 Toshiba Corp Authentication system, device and system
JP5045128B2 (en) * 2007-02-01 2012-10-10 オムロン株式会社 Face recognition device
JP4709181B2 (en) * 2007-06-08 2011-06-22 東芝テック株式会社 Information access management device
JP5078660B2 (en) * 2008-02-20 2012-11-21 株式会社リコー Authentication control apparatus, authentication control method, and program
JP5547378B2 (en) 2008-03-31 2014-07-09 アズビル株式会社 Data management apparatus and data management method
KR101475644B1 (en) * 2011-02-18 2014-12-22 미쓰비시덴키 가부시키가이샤 Room entry/exit management device and room entry/exit management system using same
JP2013126108A (en) * 2011-12-14 2013-06-24 Mitsubishi Electric Information Systems Corp Mobile information terminal communicable with ic chip
JP5748003B2 (en) * 2011-12-26 2015-07-15 三菱電機株式会社 Entrance / exit management system
JP2013206292A (en) * 2012-03-29 2013-10-07 Japan Research Institute Ltd Customer terminal for performing authentication processing, authentication method and program for authentication
JP6122657B2 (en) * 2013-02-22 2017-04-26 株式会社Synchro Authentication system and biometric information providing apparatus using cellular phone
JP5761241B2 (en) * 2013-03-25 2015-08-12 コニカミノルタ株式会社 Authentication system, information processing apparatus, authentication method, and program
US9542783B2 (en) * 2013-11-15 2017-01-10 Google Technology Holdings LLC Method and apparatus for authenticating access to a multi-level secure environment of an electronic device
JP6252246B2 (en) * 2014-02-27 2017-12-27 株式会社デンソー Navigation message receiver
US9992207B2 (en) * 2014-09-23 2018-06-05 Qualcomm Incorporated Scalable authentication process selection based upon sensor inputs
JP6516467B2 (en) * 2014-12-19 2019-05-22 国立大学法人 鹿児島大学 Authentication processing apparatus and authentication processing method, authentication information registration apparatus and authentication information registration method
JP2016012370A (en) * 2015-10-06 2016-01-21 株式会社日本総合研究所 Customer terminal for performing authentication processing, authentication method, and program for authentication
CN107316356A (en) * 2016-04-26 2017-11-03 北大方正集团有限公司 Control locking method and central lock system
CN107978034A (en) * 2016-10-25 2018-05-01 杭州海康威视数字技术股份有限公司 A kind of entrance guard controlling method and system, controller and terminal
CN108022335A (en) * 2016-10-31 2018-05-11 杭州海康威视数字技术股份有限公司 A kind of access control method, device and access control system
CN107958517B (en) * 2017-12-18 2019-10-18 中国地质大学(武汉) Unlocking method based on smart lock security level
KR20190114593A (en) * 2018-03-30 2019-10-10 주식회사 플랫폼베이스 Method and system for authentication of electronic lock based on usage pattern

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1269032A (en) 1997-07-30 2000-10-04 维斯托公司 System and method for globally and securely accessing unified information in a computer network
CN1352429A (en) 2001-11-29 2002-06-05 上海复旦光华信息科技股份有限公司 Centralized domain user authorization and management system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4082028B2 (en) * 2001-12-28 2008-04-30 ソニー株式会社 Information processing apparatus, information processing method, and program

Also Published As

Publication number Publication date
JP4574335B2 (en) 2010-11-04
JP2006145835A (en) 2006-06-08
CN1776704A (en) 2006-05-24

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted
C41 Transfer of the right of patent application or the patent right
ASS Succession or assignment of patent right

Owner name: HITACHI INDUSTRIAL CONTROL INFORMATION SYSTEM CO.,

Free format text: FORMER OWNER: HITACHI,LTD.

Effective date: 20141229

C56 Change in the name or address of the patentee

Owner name: HITACHI INDUSTRIAL CONTROL SOLUTIONS LTD.

Free format text: FORMER NAME: HITACHI INDUSTRIAL CONTROL INFORMATION SYSTEM CO., LTD.