DE69832145T2 - Remote authentication system - Google Patents

Remote authentication system

Info

Publication number
DE69832145T2
Authority
DE
Germany
Prior art keywords
authentication
user
information
id
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
DE69832145T
Other languages
German (de)
Other versions
DE69832145D1 (en)
Inventor
Yoshimasa Chiyoda-ku Baba
Teruko Chiyoda-ku Fujii
Hiroshi Chiyoda-ku Nakamura
Tetsuo Chiyoda-ku Sadakane
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mitsubishi Electric Corp
Original Assignee
Mitsubishi Electric Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to JP2422598
Priority to JP10024225A (JPH11224236A)
Application filed by Mitsubishi Electric Corp
Application granted
Publication of DE69832145D1
Publication of DE69832145T2
Anticipated expiration
Application status: Expired - Fee Related

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual entry or exit registers
    • G07C9/00007 Access-control involving the use of a pass
    • G07C9/00031 Access-control involving the use of a pass in combination with an identity-check of the pass-holder
    • G07C9/00071 Access-control involving the use of a pass in combination with an identity-check of the pass-holder by means of personal physical data, e.g. characteristic facial curves, hand geometry, voice spectrum, fingerprints
    • G07C9/00087 Access-control involving the use of a pass in combination with an identity-check of the pass-holder by means of personal physical data, e.g. characteristic facial curves, hand geometry, voice spectrum, fingerprints, electronically

Description

  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • The present invention relates to a remote authentication system in which the identification of an individual by biometric characteristics, and the decision on whether that individual has a right of access to information and applications, are carried out centrally through a single authentication terminal.
  • 2. Description of the Related Art
  • Conventionally, security in a network-connected information processing system requires a process of identifying an individual in order to decide whether to permit or deny access by that individual, i.e. authentication. Likewise, an automatic teller machine of a bank or the like generally performs authentication to identify an individual and to give access to the individual's transaction information, such as a bank statement. Authentication of an individual is also performed on arrival at or departure from a high-security research site, or at a members' club.
  • Authentication, i.e. the identification of an individual and the verification of his or her entitlement, is carried out using a magnetic card or IC card with the same function as an ID card, something memorized by the individual such as a password, or a combination of these. However, a password can be forgotten, and a magnetic card or IC card may be unable to authenticate because it has been lost or damaged. Another individual may be authenticated as the person in question because the card has been stolen or the password has been passed on. To maintain a high level of security, the person in question must be reliably authenticated as who he or she is. Where a memorized means such as a password or a one-time password (OTP) is relied on, memorization becomes correspondingly difficult, or the authentication process itself becomes complicated. Furthermore, if authentication by memorized means is performed over a wide area (several branches of a bank), the authentication information must be managed centrally.
  • On the other hand, authentication by biometric information, i.e. information about properties of an individual's living body such as a fingerprint, handprint, handwriting or retina, removes this complication and also makes impersonation difficult. If authentication by biometric information is required over a wide area, centralized management and authentication are needed for the same reason, as is protection of privacy. When authentication by biometric information is performed centrally, it is important to select a suitable authentication procedure according to the security level of the thing, place or system requiring authentication, and to require the corresponding authentication information from each user.
  • Now, the RADIUS server (Remote Authentication Dial In User Service, hereinafter RADIUS; RFC 2138, a revision of the preceding RFC 2058) described in an RFC (Request For Comments) registered with the IETF (Internet Engineering Task Force) performs the authentication process centrally in response to a request from a RADIUS client and returns the result of the authentication. In this case the authentication means and the authentication information are defined per user. Because of this, the authentication means and the authentication information cannot be changed dynamically according to the environment in which the biometric information is acquired.
  • One example of such prior art is the "authentication method for a network" disclosed in JP-A-9-815: 18. In this method, when a user host accesses an application server, the application server requests an authentication server to authenticate the user using fixed authentication means and authentication information, and receives the result of the authentication.
  • Biometric information is effective for distinguishing an individual from other persons. However, it raises the problems of privacy protection and of hygiene, e.g. when the device for acquiring the biometric features is itself dirty and causes discomfort.
  • US-A-4 993 068 discloses a forgery-proof personal identification system for identifying users at remote access control locations. The system generates encrypted one-way versions of physically fixed identification features (face photograph, retinal scan, speech and fingerprints). These features are stored in a portable storage device. At a remote access control location, the user presents the portable storage device and the encrypted identification features are read. The user then physically submits his or her physical identification properties at the remote access control location. A comparison is made between the features obtained from the storage device and the physical identity of the user to determine whether access to the remote location is allowed or denied. The features may be used individually or in combination for comparison with the physical identity of the user. Furthermore, attribute or franchise information may be added to the features and coupled to the immutable physical features.
  • Such data can include medical information about the user, special privileges held by the user such as organizational affiliation, security clearance level, passport and visa information, or financial information.
  • SUMMARY OF THE INVENTION
  • The present invention has been made to solve the problem described above, and aims to provide a remote authentication system and a remote authentication method that can securely identify an individual and decide on the presence or absence of an access right when the individual is authenticated using biometric information, and that also facilitate use.
  • This object is achieved by a remote authentication system having the features of claim 1.
  • The present invention provides a remote authentication system having a network connected to an authentication server, an authentication client and a user terminal for accessing data of the authentication client, in which authentication of the user accessing the authentication client through the user terminal is performed. Several types of devices for acquiring biometric features are associated with the user terminal, and several authentication information acquisition software items are stored in the authentication server according to the user terminal and/or the user. On operation, an authentication information acquisition software item mandated for the user terminal is downloaded from the authentication server at authentication, and the biometric information obtained from one or more types of biometric feature acquisition device and/or the entered user identification information is used, selected according to the secrecy level of the data to be accessed.
  • SUMMARY OF THE DRAWINGS
  • Fig. 1 is a block diagram of the first embodiment of a network system to which the remote authentication system according to the present invention is applied.
  • Fig. 2 is a timing chart for explaining the authentication processing in the network system of Fig. 1.
  • Fig. 3 is a diagram for explaining a first example of an authentication information database in the authentication server terminal of Fig. 1.
  • Fig. 4 is a diagram for explaining a first example of an authentication information acquisition S/W pool in the authentication server terminal of Fig. 1.
  • Fig. 5 is a diagram for explaining a second example of an authentication information database in the authentication server terminal of Fig. 1.
  • Fig. 6 is a diagram for explaining a third example of an authentication information database in the authentication server terminal of Fig. 1.
  • Fig. 7 is a diagram for explaining a third example of an authentication information database in the authentication server terminal of Fig. 1.
  • Fig. 8 is a timing chart for explaining the authentication processing of the third example in the network system of Fig. 1.
  • Fig. 9 is a block diagram of the second embodiment of the network system to which a remote authentication system according to the present invention is applied.
  • Fig. 10 is a timing chart for explaining the authentication processing in the network system of Fig. 9.
  • Fig. 11 is a timing chart for explaining the case in which a rejection is made, as the third embodiment of the network system of Fig. 1.
  • Fig. 12 is a schematic view of the fourth embodiment of the network system of Fig. 1.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Exemplary embodiments of the present invention will now be explained with reference to the drawings.
  • Embodiment 1
  • Fig. 1 shows the first embodiment, in which the present invention is applied to a network system. A network 2 is connected to an authentication server terminal 3, an authentication client terminal 4 (a network server terminal in this embodiment), a user terminal 5, etc. In such a network system 1, when a user accesses the network server terminal 4 via the user terminal 5, the network server terminal 4 requests individual authentication of the user from the authentication server terminal 3 and provides a service to the user based on the result.
  • The authentication server terminal 3 is a computing device such as a personal computer or workstation (which may include a CPU, a memory, a disk, a communication control unit, etc.) that holds an authentication control unit 3A, an authentication information database 3B and an authentication information acquisition software pool 3C (software is hereafter abbreviated S/W). The network server terminal 4 is a computing device such as a personal computer or workstation in which a network server database 4A, an authentication request unit 4B and a network server S/W 4C that requires user authentication operate.
  • The user terminal 5 consists of a browser 5A for displaying information from the network server terminal 4 and a computing device, such as a personal computer or workstation, in which an authentication information acquisition S/W 5B runs. The user terminal 5 is connected to a device 6 for acquiring biometric features. The device 6 contains a fingerprint acquisition device 7 and a handprint acquisition device 8, which acquire a fingerprint and a handprint of a living body as biometric information by image processing, a character recognition board 9 for acquiring handwriting written by the user as biometric information, and a retina information acquisition device 10 for acquiring retinal information of a living body as biometric information by scanning the ocular fundus.
  • A processing procedure for authentication in such a network system is shown in Fig. 2. First, consider the case in which a user, using the browser 5A (an application running in the user terminal 5), accesses high-security information in the network server database 4A of the network server terminal 4, which is the authentication client (SP1). The network server S/W 4C, an application that performs access control for the high-security information, must authenticate the user to decide whether the user has an access right (SP10).
  • That is, the network server S/W 4C in the network server terminal 4 informs the authentication request unit 4B of the need for user authentication, together with a client ID (identifier of the authentication request unit), an application ID (identifier of the network server S/W 4C, the application requiring authentication) and an access data class (secrecy level of the data accessed by the user) (SP11). The authentication request unit 4B transmits the user's authentication request, including this information, to the authentication server terminal 3.
  • The authentication control unit 3A in the authentication server terminal 3, having received the authentication request, selects an authentication information acquisition S/W 11 based on the authentication client ID, the application ID and the access data class (SP20). The authentication information acquisition S/W 11 acquires a predetermined item ("word") of authentication information; it may acquire several words. The authentication control unit 3A transmits the selected authentication information acquisition S/W 11 to the network server terminal 4, the authentication client (SP21).
  • The authentication request unit 4B in the network server terminal 4 passes the transmitted authentication information acquisition S/W 11 to the network server S/W 4C and instructs it to acquire the authentication information from the user. On this instruction, the network server S/W 4C transfers the authentication information acquisition S/W 11 to the user terminal 5 (SP12).
  • The browser 5A in the user terminal 5 receives the transmitted authentication information acquisition S/W 11 and executes it as the authentication information acquisition S/W 5B (SP2). The authentication information acquisition S/W 5B acquires a user ID (name, company, membership number, address, affiliation, telephone number, or an ID assigned to the individual by the system), biometric information such as fingerprint, handprint, handwriting or retina information, and authentication information of the kind normally used in a conventional computer system, such as a password or one-time password. In doing so it may work together with other S/W, such as a driver, to acquire the authentication information. The authentication information acquisition S/W 5B transmits the acquired user ID and authentication information via the browser 5A to the network server terminal 4.
  • The authentication request unit 4B in the network server terminal 4 transmits the user ID and the authentication information acquired from the user through the network server S/W 4C to the authentication server terminal 3 (SP13). The authentication control unit 3A in the authentication server terminal 3 authenticates the user using the transmitted user ID and authentication information (SP22). The transmitted authentication information, such as biometric information, is checked against the individual's information stored beforehand in the authentication information database 3B of the authentication server terminal 3. When checking all words of the transmitted authentication information leads to the decision that the user is the genuine person, this result is reported to the network server terminal, which is the authentication client. If at least one of the check results is incorrect, it is decided that the user is not the genuine person, and this is reported to the network server terminal (SP23).
  • The authentication request unit 4B in the network server terminal 4, the authentication client, having received the result of the authentication, informs the network server S/W 4C of it. Based on the result of the authentication, the network server S/W 4C decides whether to permit or refuse the user's access to the high-security information in the network server database 4A (SP14). On permission, for example, the user's access operation, such as display of the secret information, is performed.
  • In addition, encryption between the user terminal 5 (authentication information acquisition S/W 5B) and the network server terminal 4, and between the network server terminal 4 and the authentication server terminal 3 (authentication control unit 3A), hides the authentication information and reduces the risk of one person impersonating another. Likewise, encryption directly between the user terminal 5 (authentication information acquisition S/W 5B) and the authentication server terminal 3 (authentication control unit 3A), rather than between the adjacent terminals, also reduces the risk of impersonation.
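The exchange of steps SP1 to SP23 described above, as an added example that is not code from the patent or from Mitsubishi Electric: an in-process model with one class per terminal. The party classes, record layouts, request token and sample biometric "words" are constructed here; only the message order and the acceptance rule (every transmitted word must match, a single mismatch rejects) follow the text. The model also checks that the answer contains exactly the words the selected S/W was meant to acquire, since an "all words match" rule applied to an empty or partial answer would otherwise accept it.

```python
"""Added example (not from the patent): toy model of the Embodiment 1 exchange."""
import hmac
import secrets

# Authentication server data (constructed).  Fig. 3-style: user ID -> stored words.
USER_DB = {
    "user-1": {"fingerprint": "fp-template-0001",
               "retina": "rt-template-0001",
               "password": "correct horse"},
}
# Fig. 4-style pool (constructed): (client ID, application ID, data class) ->
# the words the downloaded acquisition S/W 11 must collect from the user.
SW_POOL = {(15, 25, 17): ("fingerprint", "retina")}


class AuthServer:
    """Authentication server terminal 3 (authentication control unit 3A)."""

    def __init__(self):
        self.pending = {}   # token -> words the issued S/W is expected to return

    def select_acquisition_sw(self, client_id, app_id, data_class):   # SP20 / SP21
        words = SW_POOL[(client_id, app_id, data_class)]
        token = secrets.token_hex(8)   # binds the later answer to this request
        self.pending[token] = words
        return token, words

    def authenticate(self, token, user_id, words):                     # SP22 / SP23
        required = self.pending.pop(token, None)   # one answer per issued request
        stored = USER_DB.get(user_id)
        if required is None or stored is None:
            return False
        # The answer must carry exactly the words the selected S/W acquires.
        if set(words) != set(required):
            return False
        # Every word is checked; one mismatch rejects the user.
        return all(hmac.compare_digest(stored.get(w, ""), words[w]) for w in required)


class UserTerminal:
    """User terminal 5: runs the downloaded acquisition S/W 5B (SP2)."""

    def __init__(self, user_id, samples):
        self.user_id = user_id
        self.samples = samples   # constructed output of devices 7..10 / keyboard

    def run_acquisition_sw(self, words):
        acquired = {w: self.samples[w] for w in words if w in self.samples}
        return self.user_id, acquired


class NetworkServer:
    """Network server terminal 4: the authentication client (SP10 to SP14)."""
    CLIENT_ID, APP_ID = 15, 25   # the values used in the patent's Example 1

    def __init__(self, auth_server):
        self.auth = auth_server

    def access(self, terminal, data_class):
        # SP11: request; SP21: S/W selected and returned together with a token
        token, words = self.auth.select_acquisition_sw(self.CLIENT_ID, self.APP_ID, data_class)
        # SP12 / SP2: S/W handed to the user terminal, which acquires the words
        user_id, acquired = terminal.run_acquisition_sw(words)
        # SP13 / SP22-SP23: forwarded to the server; the result decides access (SP14)
        return self.auth.authenticate(token, user_id, acquired)


def genuine_user():
    """Fingerprint and retina both match the stored record -> accepted."""
    server = NetworkServer(AuthServer())
    term = UserTerminal("user-1", {"fingerprint": "fp-template-0001",
                                   "retina": "rt-template-0001"})
    return server.access(term, data_class=17)


def wrong_retina():
    """One word wrong -> rejected, even though the fingerprint matched."""
    server = NetworkServer(AuthServer())
    term = UserTerminal("user-1", {"fingerprint": "fp-template-0001",
                                   "retina": "rt-template-9999"})
    return server.access(term, data_class=17)


def missing_word():
    """Terminal returns only the fingerprint -> rejected as a partial answer."""
    server = NetworkServer(AuthServer())
    term = UserTerminal("user-1", {"fingerprint": "fp-template-0001"})
    return server.access(term, data_class=17)


if __name__ == "__main__":
    print(genuine_user(), wrong_retina(), missing_word())   # True False False
```

In this toy the acquired words pass through the network server in the clear, which is precisely the exposure the encryption remark above addresses: in a real deployment the words would be protected between the user terminal and the authentication server so that the authentication client never sees them.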
  • example 1
  • Referring to Figs. 3 and 4, a simple example of the database structure and of the selection of the authentication information acquisition S/W 5B is explained. The authentication information database 3B in Fig. 3 contains, as information associated with each user, a user ID, a user level and authentication information. The user ID includes a name, company, membership number, address, affiliation, telephone number, or any identifier assigned to the individual by the system. The user level represents the access level to secret information. The authentication information consists of biometric information such as fingerprint, handprint, handwriting and retina information, and authentication information such as a password or one-time password.
  • As Fig. 4 shows, the authentication information acquisition S/W pool 3C stores authentication information acquisition S/W 11 for acquiring, for example, both fingerprint and retina information, fingerprint information from two fingers, etc. The pool 3C specifies the selectable authentication information acquisition S/W 11 according to secrecy level and data class.
  • As an example, the mechanism by which the authentication server terminal 3 selects the authentication information acquisition S/W 11 is explained for the case in which a user accesses information of data class 17 in the network server database 4A. Here the authentication client ID, the identifier of the authentication request unit 4B, is set to 15, and the application ID, the identifier of the network server S/W 4C, is set to 25. When access to data class 17 takes place, the network server S/W 4C informs the authentication request unit 4B of the need for user authentication. The authentication request unit 4B transmits the user's authentication request, including the information words data class 17, authentication client ID 15 and application ID 25, to the authentication server terminal 3, which receives the request with these information words.
  • The authentication control unit 3A in the authentication server terminal 3 determines from the database in the authentication information acquisition S/W pool 3C of Fig. 4 that the data class given in the authentication request has level 2, and takes as selectable candidates the authentication information acquisition S/W 11 whose level is not lower than 2.
  • Example 2
  • Referring to Figs. 5 and 6, another embodiment of part of the authentication information database shown in Fig. 3 is explained. These figures specify the selectable authentication information acquisition S/W 11 for each authentication client ID and each application ID. The authentication control unit 3A in the authentication server terminal 3 determines the authentication information acquisition S/W candidates 11 selectable from the authentication client ID and the application ID. Thus, based on the data class, A, B, C, D, E and F are candidates; based on the authentication client ID, C, D and E are candidates; and based on the application ID, A, D, E and E are candidates. Finally, either D or E is selected.
  • From the candidates of selectable authentication information acquisition S/W, the authentication server terminal 3 selects one S/W either arbitrarily or by a fixed rule, for example by random selection or sequential selection. In this embodiment the authentication means and the authentication information can be selected flexibly according to the environment, such as the data class representing the accessed information, the authentication request unit 4B operating in the device that is the authentication client, and the network server S/W 4C, the application in use. Thus the identification of an individual and the decision on the presence or absence of the individual's access right can be made securely according to the environment.
  • Example 3
  • The case is explained in which a user ID is included in the authentication request and the authentication information database of Fig. 3 is set in detail as shown in Fig. 7. The processing flow of this embodiment is shown in Fig. 8, in which the same reference numerals denote the same parts as in Fig. 2. First, the network server terminal 4 acquires a user ID (name, company, membership number, address, affiliation, telephone number, or an ID assigned to the individual by the system) and requests the authentication request unit 4B to authenticate the user with the acquired user ID, the client ID (identifier of the authentication request unit 4B), the application ID (identifier of the network server S/W 4C, the application requiring authentication) and the access data class (secrecy level of the data accessed by the user).
  • The authentication information database shown in Fig. 7 contains, in addition to the information of Fig. 3, information assigned to the individual such as a user type (data manager or general user), usable authentication client IDs, usable application IDs, application control information delivered to the application when the user is authenticated as the genuine person, check logs (the past authentication information acquisition S/W selection state up to a prescribed number of authentications, and check scores), the total number of authentications, a selection condition, etc.
  • If the authentication request includes the user ID, the authentication information acquisition S/W is selected according to the selection condition for that user. For example, if the user ID is 1 and the other conditions are as in the previous example (data class = 17, authentication client ID = 15 and application ID = 25), the authentication request unit 4B transmits the user's authentication request, including user ID = 1, data class = 17, authentication client ID = 15 and application ID = 25, to the authentication server terminal 3.
  • The authentication server terminal 3 receives the authentication request including this information. As in the previous example, A, B, C, D, E and F are candidates based on the data class; C, D and E are candidates based on the authentication client ID; and A, D, E and E are candidates based on the application ID. Finally, either D or E is selected. Furthermore, since the user ID is 1, the authentication control unit 3A makes the selection based on the total number of authentications. The selection condition is that the first selection is D, the second E, the third E, the fourth E, and so on. Since the total number of authentications for user ID = 1 is 20, this one is the 21st, and therefore D is selected as the authentication information acquisition S/W 11.
  • Other examples
  • Furthermore, when, as shown in Fig. 7, the authentication client IDs and application IDs usable by each user are designated in the authentication information database 3B, access control is possible such that the authentication information acquisition S/W 11 is transmitted to the user only when the designated authentication client ID and application ID are used. Here, since the usable client IDs contain 15 and the usable application IDs contain 25, transmission of the authentication information acquisition S/W 11 is authorized.
  • Authorization or blocking of the authentication information acquisition S/W 11 can also be based on the user type shown in Fig. 7. Also, when a secrecy level is assigned to the authentication client and to the application, as it is to the user, the authentication server terminal 3 can select the authentication information acquisition S/W 11 based on the levels of the authentication client, the application and the access data class. For example, selection of the authentication information acquisition S/W having the highest level may be controlled across these three or more levels.
  • The processing after sending the authentication information acquisition S/W 11 differs from the example described above in that only the authentication information is sent, since the user ID has already been acquired. Furthermore, the network server terminal 4 can realize different access control by using key = 1, the control information of Fig. 7 that is supplied to the application when the user is authenticated as the genuine person.
  • In the above example, the total number of authentications in Fig. 7 was used as the selection condition.
  • Instead, if the check score is used as the selection condition, the authentication information acquisition S/W 11 of level 2 or higher that had the highest check score in the past is looked up in the user's check logs and selected. Here E, which most recently had the highest check score, is selected.
  • There is also an example in which transmission of the authentication information acquisition S/W from the authentication server terminal 3 to the authentication client is omitted. That is, when the authentication information acquisition S/W is fixed by the network server terminal 4, the authentication client in the network system 1 described above, the authentication information acquisition S/W 11 previously acquired by the network server terminal 4 from the authentication server terminal 3 is used, without the authentication server terminal 3 transmitting an authentication information acquisition S/W to the network server terminal 4.
  • As described above, when authentication is performed using biometric information in the network system 1, the authentication information acquisition S/W that dynamically acquires the information required for authentication is selected according to the environment (the user who made the access, the data class of the accessed information, the authentication request unit 4B operating in the network server terminal 4 that is the authentication client, the network server S/W 4C that is the application in use, etc.) and the authentication history (i.e. the state at the time of authentication). In this way, the identification of an individual and the decision on the presence or absence of the individual's access right can be carried out securely according to the environment.
  • Embodiment 2
  • The second embodiment of the present invention is a simplification of the first. In Fig. 9, in which the same reference numerals denote the same parts as in Fig. 1, the user terminal that acquires the biometric information is also the terminal of the authentication client. An example of an application requiring authentication is a database retrieval application 5E. The user terminal 5 contains a local database 5C used by the database retrieval application 5E, an authentication request unit 5D, and a computer (personal computer or workstation) in which the database retrieval application 5E and the authentication information acquisition S/W 11 operate. The device 6 for acquiring biometric features is connected to the user terminal 5 and has the same overall configuration as in the first embodiment. The authentication server terminal 3 likewise has the same overall configuration as in the first embodiment.
  • The operation of the remote authentication system according to the second embodiment is explained. In Fig. 10, in which the same reference numerals denote the same parts as in Figs. 2 and 8, when the database retrieval application 5E first accesses secret information in the local database 5C (SP5), it acquires a user ID (name, company, membership number, address, affiliation, telephone number, or an ID assigned to the individual by the system) (SP6) and requests the authentication request unit 5D to authenticate the user with the acquired user ID, the client ID (identifier of the authentication request unit 5D), the application ID (identifier of the database retrieval application 5E, the application requiring authentication) and the access data class (secrecy level of the data accessed by the user) (SP7).
  • The authentication server terminal 3 performs the same authentication operation as in the first embodiment. The authentication request unit 5D of the user terminal 5, having received the result of the authentication, informs the database retrieval application 5E of it. Based on the result, the database retrieval application 5E decides whether to permit or deny the user's access to the secret information in the local database 5C (SP8). In that case, for example, the user's access operation, such as display of the secret information, is performed. In such a configuration, in which the user terminal 5 issues the authentication request, the same effect as in the first embodiment is obtained.
  • Embodiment 3
  • In Fig. 11, the same reference numbers refer to the same parts as in Figs. 2 and 8. For example, a process (SP2B, SP12A) is provided in which the user rejects the authentication information acquisition S/W when the individual authentication information to be obtained by the authentication information acquisition S/W 11 transmitted by the authentication server 3 does not match the user's intent (SP2B, SP12). The authentication server terminal 3, having received the rejection of the acquisition, selects another authentication information acquisition S/W (SP20A). However, this is limited to the case where there is another authentication information acquisition S/W that can be selected, as described in connection with Fig. 4.
  • When biometric features are used as an individual's authentication information, the user must be able to reject a particular device 6 for acquiring biometric features that is contaminated and causes discomfort. Although biometric features are effective for distinguishing an individual from other individuals, there are the problems of privacy and hygiene described above. For this reason, the user must be able to reject or change the acquisition of biometric features. If the safety of the device 6 for acquiring biometric features is not guaranteed, the user may prefer to provide information other than biometric features, that is, an alternative means such as a one-time password (OTP), even if this is more cumbersome. In such a case, according to the user's intention to reject or change, the authentication information acquisition S/W that dynamically acquires the information for authentication can be selected so that the individual is identified and the presence or absence of the individual's access right is reliably decided according to the environment.
  • Embodiment 4
  • This embodiment provides, as a means of obtaining the same effect as in the third embodiment, a mechanism for selecting the authentication information to be acquired within the authentication information acquisition S/W itself, following the first and second embodiments. In the first embodiment, for example, the authentication information acquisition S/W itself may allow a choice between authentication D by both fingerprint and handwriting and authentication E by fingerprint only. In this case, the authentication server transmits an authentication information acquisition S/W that is able to acquire the information required for both D and E.
  • The configuration and the operation procedure in the network system 1 are the same as in the first and second embodiments. The image displayed by the authentication information acquisition S/W on the user's side is shown in Fig. 12. The user selects either D or E to acquire the authentication information for himself. When he presses the selection key 12A or 12B, the authentication information acquisition S/W is operated to acquire the authentication information actually selected. The authentication server terminal 3 can determine the type of authentication information received and whether authentication can be performed using the set of received information. Thus the same effect as in the third embodiment can be obtained.
  • In the first to fourth embodiments, the authentication information to be acquired has been determined by the authentication information acquisition S/W. Instead, however, the authentication information to be acquired may merely be displayed on a screen. For example, in the case of the number of authentications in the detailed database of the first embodiment, the transmission of the fingerprint information and the handwriting information is displayed on the screen. The user then operates the software for acquiring the authentication information himself in accordance with the displayed content, and transmits the authentication information thus acquired to the authentication server terminal 3.
  • The transmission need not be presented concretely; instead, a previous transmission of the authentication information can be displayed. In this case the user operates the software for acquiring the authentication information himself, acquires all the previously noted information items from a manager according to the user's memory, and transmits the acquired authentication information to the authentication server. In this way the same effect as in the first embodiment can be realized. In the above case, the previous transmission of the authentication information, which is not presented concretely, becomes the means for acquiring the authentication information in the manner of a password. Therefore security in acquiring the authentication information is remarkably improved.
  • In the first to fourth embodiments, authentication of a user's identity has been performed by the network server terminal 4. However, the present invention is not limited thereto and can be widely applied to a general control device which requires identification of a user, such as an entry/exit terminal device connected to a network.
  • As described above, according to the present invention, when authentication is performed using biometric information, the authentication server allows the user to freely select the device for acquiring biometric features and the authentication information according to the acquisition environment for the biometric information, and acquires it. Thus a remote authentication system able to identify a user and to decide on the presence or absence of the user's access right can be realized safely.
  • If the designated authentication information is not satisfactory to the user, he can change the authentication information to be acquired or reject its acquisition. Even if the device for acquiring biometric features is itself dirty and causes discomfort, or the device for acquiring the biometric information is not reliable, the identification of the user and the decision on the presence or absence of the user's access right can be made by alternative means.
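The request-and-selection flow of the second to fourth embodiments, modelled as a small server-side program. This is an added example and not the patent's own code: the request fields (user ID, client ID, application ID, access data class) follow step SP7 above, the options D and E follow the page's labels, and the policy table, the registered templates, the user names and the function names are all constructed assumptions. It goes slightly beyond the text by also showing the server denying a received set that is sufficient for a lower secrecy level but not for the one requested, and by failing closed for unknown users and unknown levels.

```python
"""
Added example (not the patent's code): a model of the authentication-request
flow in embodiments 2 to 4. The user terminal sends a request carrying the
user ID, client ID, application ID and access data class (secrecy level); the
server picks an acquisition method for that level, the user may reject it
(embodiment 3), the server offers the next one if any remains, and finally the
server checks that the received information is both sufficient for the level
and matches what was registered (embodiment 4). All values are constructed.
"""
import hmac
from dataclasses import dataclass

# Page labels: D = fingerprint + handwriting, E = fingerprint only.
# OTP is the alternative means named in embodiment 3.
OPTION_D = frozenset({"fingerprint", "handwriting"})
OPTION_E = frozenset({"fingerprint"})
OPTION_OTP = frozenset({"otp"})

# Constructed policy: for each secrecy level, the acceptable sets of
# authentication information, in the order the server offers them.
POLICY = {
    1: [OPTION_E, OPTION_OTP],                              # E, or OTP if the reader is rejected
    2: [OPTION_D, frozenset({"otp", "handwriting"})],       # D, or OTP plus handwriting
}

# Constructed registration data (server-side template store).
REGISTERED = {
    "alice": {"fingerprint": "fp-template-A1",
              "handwriting": "hw-template-A1",
              "otp": "482913"},
}


@dataclass(frozen=True)
class AuthRequest:
    """Contents of the request issued at step SP7."""
    user_id: str
    client_id: str
    app_id: str
    access_data_class: int   # secrecy level of the data to be accessed


def select_acquisition(req, rejected=frozenset()):
    """Server side of selection (SP20/SP20A): return the first acceptable
    information set the user has not rejected, or None when none is left,
    which is the limit the page places on re-selection."""
    for option in POLICY.get(req.access_data_class, []):
        if option not in rejected:
            return option
    return None


def negotiate(req, user_accepts):
    """Embodiment 3 loop: offer options until the user accepts one.
    user_accepts(option) models the accept/reject decision at SP2B."""
    rejected = set()
    while (option := select_acquisition(req, rejected)) is not None:
        if user_accepts(option):
            return option
        rejected.add(option)
    return None


def authenticate(req, received):
    """Server-side check on the received information: the set of information
    types must be one the policy accepts for the requested secrecy level, and
    every value must match the registered template. Unknown users, unknown
    levels and partial sets are denied (fail closed)."""
    templates = REGISTERED.get(req.user_id)
    if templates is None:
        return False
    if frozenset(received) not in POLICY.get(req.access_data_class, []):
        return False
    return all(
        kind in templates
        and hmac.compare_digest(templates[kind].encode(), str(value).encode())
        for kind, value in received.items()
    )


if __name__ == "__main__":
    # Constructed session: alice's terminal (request unit 5D, application 5E)
    # asks for level-2 data and she rejects any option involving the reader.
    req = AuthRequest("alice", "5D", "5E", 2)
    chosen = negotiate(req, lambda opt: "fingerprint" not in opt)
    print("acquire:", sorted(chosen))                              # ['handwriting', 'otp']
    print(authenticate(req, {"otp": "482913", "handwriting": "hw-template-A1"}))  # True
    print(authenticate(req, {"fingerprint": "fp-template-A1"}))                   # False
```

The policy check compares the whole set of received information types, not individual items, so a terminal that sends only a fingerprint for level-2 data is refused even though the fingerprint itself is valid; that is the check embodiment 4 leaves to the authentication server terminal 3.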

Claims (1)

  1. Remote authentication system with a network (2) using an authentication server (3), an authentication client (4) and a user terminal (5) for accessing data from the authentication client (4), in which an authentication of the user to the authentication client (4) is performed by the user terminal (5), which system comprises: several types of devices (7-10) for obtaining biometric features, which are connected to the user terminal (5); and a plurality of pieces of authentication information acquisition software, which are stored in the authentication server (3) according to the user terminal (5) and/or a user; wherein, in operation, a prescribed authentication information acquisition software corresponding to the user terminal (5) used is downloaded from the authentication server (3) at the time of authentication, and biometric information obtained from one or more types of biometric acquisition device and/or input user discrimination information is used, characterized in that the biometric information and/or user discrimination information is selected depending on the secrecy level of the data to be accessed.
DE69832145T 1998-02-05 1998-12-14 Remote authentication system Expired - Fee Related DE69832145T2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2422598 1998-02-05
JP10024225A JPH11224236A (en) 1998-02-05 1998-02-05 Remote authentication system

Publications (2)

Publication Number Publication Date
DE69832145D1 DE69832145D1 (en) 2005-12-08
DE69832145T2 true DE69832145T2 (en) 2006-07-20

Family

ID=12132338

Family Applications (1)

Application Number Title Priority Date Filing Date
DE69832145T Expired - Fee Related DE69832145T2 (en) 1998-02-05 1998-12-14 Remote authentication system

Country Status (3)

Country Link
EP (1) EP0935221B1 (en)
JP (1) JPH11224236A (en)
DE (1) DE69832145T2 (en)

Families Citing this family (56)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7290288B2 (en) 1997-06-11 2007-10-30 Prism Technologies, L.L.C. Method and system for controlling access, by an authentication server, to protected computer resources provided via an internet protocol network
EP1276054A4 (en) * 2000-02-09 2006-07-19 Nobuyoshi Ochiai Personal authentication system
WO2001009806A1 (en) * 1999-08-02 2001-02-08 E-Mark Systems Inc. Electronic settlement system, settlement device, and terminal
US7249093B1 (en) 1999-09-07 2007-07-24 Rysix Holdings, Llc Method of and system for making purchases over a computer network
JP3679953B2 (en) 1999-09-14 2005-08-03 富士通株式会社 Personal authentication system using biometrics information
US6505193B1 (en) * 1999-12-01 2003-01-07 Iridian Technologies, Inc. System and method of fast biometric database searching using digital certificates
JP2001245342A (en) 2000-02-28 2001-09-07 Nec Corp Mobile communication system and method for operating the mobile communication system
JP2003528407A (en) * 2000-03-21 2003-09-24 ウィドコム,インコーポレイティド User identification system and method for secure use of a Bluetooth enabled transceiver biometric sensor mounted on handheld computers
JP4950384B2 (en) * 2000-03-28 2012-06-13 株式会社東芝 Medical diagnostic imaging apparatus and security management method thereof
US7409543B1 (en) 2000-03-30 2008-08-05 Digitalpersona, Inc. Method and apparatus for using a third party authentication server
US7698565B1 (en) 2000-03-30 2010-04-13 Digitalpersona, Inc. Crypto-proxy server and method of using the same
US7827115B2 (en) 2000-04-24 2010-11-02 Visa International Service Association Online payer authentication service
WO2001082190A1 (en) * 2000-04-26 2001-11-01 Global Transaction Company Multi-tiered identity verification authority for e-commerce
WO2001088782A1 (en) * 2000-05-19 2001-11-22 E-Mark Systems Inc. Electronic settlement system, settlement device and terminal
US7523067B1 (en) 2000-08-02 2009-04-21 Softbankbb Corporation Electronic settlement system, settlement apparatus, and terminal
DE10051461A1 (en) * 2000-10-17 2002-04-25 Siemens Ag Method and system for identifying a user
CA2394215A1 (en) 2000-11-10 2002-05-16 Ntt Docomo, Inc. Authentication system, authentication undertaking apparatus, and terminal apparatus
JP2002236667A (en) * 2001-02-09 2002-08-23 Sony Corp Authentication method, authentication system, authentication device, and module for authentication
EP1239629B1 (en) * 2001-03-05 2011-01-12 TELEFONAKTIEBOLAGET LM ERICSSON (publ) Method for the safe use and transmission of biometric data for authentication purposes
JP2003162339A (en) * 2001-09-14 2003-06-06 Sony Computer Entertainment Inc Authentication program, storage medium with the authentication program recorded thereon, authentication server machine, client terminal device, authentication system and authentication method
US20030152231A1 (en) 2002-02-07 2003-08-14 Minolta Co., Ltd. Verification system, server, and electronic instrument
KR100989487B1 (en) * 2002-05-24 2010-10-22 텔레폰악티에볼라겟엘엠에릭슨(펍) Method for authenticating a user to a service of a service provider
GB0218706D0 (en) * 2002-08-12 2002-09-18 Domain Dynamics Ltd Method of voice authentication
AU2003255785A1 (en) * 2002-08-12 2004-02-25 Domain Dynamics Limited Method of authentication
CN1757188A (en) * 2002-11-06 2006-04-05 国际商业机器公司 Confidential data sharing and anonymous entity resolution
JP4531374B2 (en) * 2003-01-10 2010-08-25 富士フイルム株式会社 Information holding device
JP4639033B2 (en) 2003-01-29 2011-02-23 キヤノン株式会社 Authentication apparatus, authentication method, and authentication program
JP2004246715A (en) 2003-02-14 2004-09-02 Fujitsu Ltd Authentication information processing method
US7962757B2 (en) 2003-03-24 2011-06-14 International Business Machines Corporation Secure coordinate identification method, system and program
JP2005165808A (en) * 2003-12-04 2005-06-23 Fuji Xerox Co Ltd Authentication device, authentication method, and program thereof
DE102005003208B4 (en) * 2005-01-24 2015-11-12 Giesecke & Devrient Gmbh Authentication of a user
US7810143B2 (en) * 2005-04-22 2010-10-05 Microsoft Corporation Credential interface
JP4802670B2 (en) * 2005-11-10 2011-10-26 日本電気株式会社 Cardless authentication system, cardless authentication method used in the system, and cardless authentication program
KR100759813B1 (en) 2005-12-12 2007-09-20 한국전자통신연구원 Method for authenticating user using biometrics information
JP2007305140A (en) * 2007-06-01 2007-11-22 Fujitsu Ltd User terminal authentication program
KR100915589B1 (en) 2007-07-12 2009-09-07 엔에이치엔비즈니스플랫폼 주식회사 Security authentication system and method
JP4777951B2 (en) * 2007-09-10 2011-09-21 株式会社富士通エフサス Data authentication method
JP2008047140A (en) * 2007-09-10 2008-02-28 Fujitsu Fsas Inc Data authentication method
JP4583428B2 (en) * 2007-09-25 2010-11-17 東芝ソリューション株式会社 Management server device and program
JP5145003B2 (en) * 2007-10-03 2013-02-13 京セラドキュメントソリューションズ株式会社 Electronic device, authentication processing method thereof, and authentication processing program
JP5387414B2 (en) * 2007-12-11 2014-01-15 日本電気株式会社 Authentication device, authentication system, authentication method and program
JP5317596B2 (en) * 2008-09-10 2013-10-16 情報技術開発株式会社 User authentication server and user authentication method
JP5302665B2 (en) * 2008-12-25 2013-10-02 日本電信電話株式会社 Authentication server presentation method, service providing system, service providing apparatus, and service providing program
JP5344040B2 (en) * 2009-09-18 2013-11-20 富士通株式会社 Biometric authentication system and control method
CN102111271B (en) * 2009-12-25 2015-07-29 卡巴斯克 Network security authentication method and apparatus
JP2011181063A (en) * 2010-02-02 2011-09-15 Ricoh Co Ltd Image forming apparatus, input control method, input control program, and storage medium
JP5345585B2 (en) * 2010-04-23 2013-11-20 日本電信電話株式会社 Authentication system, authentication method and program
CN102800138B (en) * 2011-05-26 2016-01-13 中兴通讯股份有限公司 A method for implementing access control means and
CN102385766A (en) * 2011-06-23 2012-03-21 哈尔滨工业大学深圳研究生院 Palmprint-based authentication unlocking method, terminal and system
JP6160401B2 (en) * 2013-09-25 2017-07-12 大日本印刷株式会社 Entrance / exit management device, entrance / exit management method, and program
CN104881667B (en) 2014-02-28 2019-08-09 阿里巴巴集团控股有限公司 A kind of extracting method and device of characteristic information
CN104951940B (en) * 2015-06-05 2018-07-03 西安理工大学 A kind of mobile payment verification method based on personal recognition
JP6122924B2 (en) * 2015-09-11 2017-04-26 ヤフー株式会社 Providing device, terminal device, providing method, providing program, and authentication processing system
JP6159840B1 (en) * 2016-03-16 2017-07-05 株式会社三井住友銀行 Payment authentication system, method, and program
GB201612038D0 (en) * 2016-07-11 2016-08-24 Lookiimedia (Uk) Ltd Providing access to structured stored data
JP6240349B2 (en) * 2017-01-26 2017-11-29 ヤフー株式会社 Providing device, providing method, providing program, and authentication processing system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2204971A (en) * 1987-05-19 1988-11-23 Gen Electric Co Plc Transportable security system
JPH08329010A (en) * 1995-03-27 1996-12-13 Toshiba Corp Computer network system, its access administrating method, and individual authorization device used for same
JP3361661B2 (en) 1995-09-08 2003-01-07 株式会社キャディックス Authentication method on the network
EP0762261A3 (en) * 1995-09-08 1999-12-22 Cadix Inc. A verification server and authentication method for use in authentication on networks
DE69611099D1 (en) * 1995-10-16 2001-01-04 British Telecomm System and method for remote data visualization
US6292782B1 (en) * 1996-09-09 2001-09-18 Philips Electronics North America Corp. Speech recognition and verification system enabling authorized data transmission over networked computer systems
US5930804A (en) * 1997-06-09 1999-07-27 Philips Electronics North America Corporation Web-based biometric authentication system and method

Also Published As

Publication number Publication date
EP0935221A2 (en) 1999-08-11
EP0935221B1 (en) 2005-11-02
EP0935221A3 (en) 2000-02-02
JPH11224236A (en) 1999-08-17
DE69832145D1 (en) 2005-12-08

Legal Events

Date Code Title Description
8364 No opposition during term of opposition
8339 Ceased/non-payment of the annual fee