JP2001061012A - Method, device for personal identification, personal identification system and storage medium in which personal identification program is stored - Google Patents

Abstract

PROBLEM TO BE SOLVED: To simplify structure of a device and to easily generate a password by judging whether a symbol string converted by a conversion rule of a user which is stored in a storage means on the center side coincides with a symbol string given from the user and identifying the user. SOLUTION: The conversion rule is stored in a personal identification device and the storage means (S2), the personal identification device is distributed to the user (S3) and an optional symbol string is specified from the center to the user in the case of personal identification when a personal identification request is issued from the user (S4). And the specified symbol string is inputted, a password generation key of the personal identification device is depressed (S5) and the center is informed of the symbol string outputted on a picture by a push key or a dial of a telephone set by the user (S6). Upon such information, it is judged whether the symbol string converted by the conversion rule of the user which is stored in the storage means on the center coincides with the symbol string given from the user or not and the user is identified (S7).

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a personal authentication method and apparatus, a personal authentication system, and a storage medium storing a personal authentication program. Through an operator or an unattended answering machine,
The present invention relates to a personal authentication method and apparatus for confirming the identity of a user when using a service provided by a center, a personal authentication system, and a storage medium storing a personal authentication program.

[0002]

2. Description of the Related Art As a conventional personal authentication device, there is a one-time password generation device. FIG. 9 is a diagram for explaining a personal authentication method using a conventional one-time password generation device. The numbers in parentheses below are circled in the figure.
Shall correspond to the numbers in

(1) A password group consisting of a plurality of passwords is set to be unique for each user 10. (2) The same password group is stored in the one-time password generator 11 and the database 21 of the center 20 for each user 10. (3) The time information of the one-time password generation device 11 and the time information of the center 20 are synchronized.

(4) One-time password generator 1
1 is distributed to users. (5) At the time of personal authentication, when the center 20 is ready for authentication, the user is notified that the password is to be entered. (6) When requested for the password, the user 10 presses a button for requesting the issuance of the password.

(7) When a button of the password generation device 11 is pressed, one password is selected from a group of passwords based on the current time information and displayed. (8) When the password is displayed on the display portion of the one-time password, the user 10 displays the displayed content on the telephone 1
The center 20 is notified by inputting with the push button 2.

(9) When the center 20 notifies the user of the password, the center 20 registers the user 1 registered in the center.
It is determined from the password group of 0 and the current time information whether the input password is correct. Personal authentication is performed according to the above series of procedures. There is also a personal authentication method using a random number table.

FIG. 10 shows a procedure of a conventional personal authentication method using a random number table. The numbers in parentheses below correspond to the numbers in circles in FIG. (1) Random number table 1 to be unique for each user 10
Create 1. It is assumed that the random number table 11 records a random number sequence generated using random numbers different from one user to another.

(2) The contents of the random number table are registered in the database 21 of the center 20. (3) At the time of personal authentication, the position of the random number table and the vertical and horizontal directions are determined in order to determine the password, and the user is notified to request the input of the password. (4) At the time of personal authentication, the center 20 determines the position of the random number table for determining the password and the direction such as length and width, notifies the user, and requests the user to input the password.

(5) The user 10 notifies the center 20 of the password by inputting an n-digit number determined from the position and direction of the notified random number table by using the push button of the telephone or the dial of the telephone 12. . (6) The center 20 confirms that the notified n-digit number matches the n-digit number from the position and direction determined in (4) of the random number table registered in the database 21.

[0010] Personal authentication is performed according to the above series of procedures.

[0011]

However, in the conventional personal authentication method using the one-time password generator shown in FIG. 9, the time information is used when issuing a personal authentication password. Causes the following problems. (1) Before distributing the one-time password generator to the user, a procedure for synchronizing the time information between the one-time password generator and the center is required.

(2) It is necessary to embed a circuit for setting the time in the password generating device, and there is a problem that the device is complicated and the production cost is high. (3) In order to operate a circuit for measuring time, it is necessary to always supply power with a battery or the like. For this reason, when the battery runs out, the password generator must be sent to the center, the battery must be replaced, the time must be resynchronized, and then distributed to the user again.

(4) Since a password is generated from a password group and used once, the password is not reused. Therefore, if the password prepared in the password group is lost, the password cannot be used. In order to extend the expiration date, a procedure such as returning the password generation device from the user to the center, registering the password group and time synchronization again at the center, and redistributing the password to the user occurs.

(5) Since the one-time password generator has only a function of generating a password, there is a problem that it is not used except when authentication is required. In the conventional personal authentication method using a random number table shown in FIG.
The following problem arises because a procedure for confirming the number of the designated place from the random number table by human eyes is included.

(6) There is a problem that human error increases. (7) If the number of elements in the random number table is increased with respect to the size of the sheet on which the random number table is written, the characters become smaller, making it difficult to see. There is a problem that the number of password patterns is reduced and the security level is lowered.

SUMMARY OF THE INVENTION The present invention has been made in view of the above points, and provides a personal authentication method and a personal authentication system capable of simplifying the configuration of an apparatus and easily generating a password, a personal authentication system, and a storage medium storing a personal authentication program. The purpose is to provide.

[0017]

FIG. 1 is a diagram for explaining the principle of the present invention. The present invention (Claim 1) is for confirming that a user is himself / herself when a user uses a service provided by a center via an operator or an unattended answering device through a telephone line. In the personal authentication method, the center side inputs a symbol string,
A conversion rule that outputs a symbol string is determined for each user (step 1), and the conversion rule is stored in the personal authentication device and in a storage unit on the center side (step 2). To the user (Step 3), and at the time of personal authentication in which the user issues a personal authentication request, the center side specifies an arbitrary symbol string to the user (Step 4). The entered symbol string is input, and the password generation button of the personal authentication device is pressed (step 5), and the symbol string output on the screen is notified to the center by a push button or dial of the telephone (step 6). By determining whether the symbol string converted by the conversion rule of the corresponding user stored in the storage means on the center side matches the symbol string notified by the user, The authentication (step 7).

According to the present invention (claim 2), the conversion rule
An n × n random number table is used. FIG. 2 is a diagram illustrating the principle of the present invention. The present invention (Claim 3) is intended to confirm the identity of a user when the user uses a service provided by the center via an operator or an unattended answering device via a telephone line. An authentication device, a button 301 for inputting a symbol including a number, a calculating means 305 for performing calculation on the input calculation formula, a display means 304 for displaying the calculation result by the button and the calculating means, A password issue button 302 for requesting issuance, and a conversion rule holding unit 307 holding a function or a conversion rule (hereinafter, referred to as a conversion rule) that inputs / outputs a string composed of symbol strings (hereinafter, referred to as a symbol string). When the password issue button is pressed, the input symbol string is converted into another symbol string according to the conversion rule and displayed on the display means 304. 6.

The present invention (claim 4) further comprises communication means for notifying the center of the symbol string converted by the conversion means. The present invention (claim 5) uses an n × n random number table as the conversion rule. The present invention (claim 6)
When a user uses a service provided by the center via an operator or an unattended answering device through a telephone line, an identity authentication system for confirming that the user is an identity, including a symbol including a numeral A button for inputting, and calculation means for calculating the input calculation formula,
Display means for displaying the result of the calculation by the button and the calculation means; a password issue button for requesting the issuance of a password; (Hereinafter referred to as a conversion rule) and a conversion rule holding means for holding the password issue button, convert the input symbol string into another symbol string according to the conversion rule, and display the symbol string on the display means. And a communication unit for notifying the center of the symbol string converted by the conversion unit. The personal authentication device distributed to the user, and a conversion rule for each user for the personal authentication device. Is determined and stored in the conversion rule holding means, and the conversion rule determining means for storing the conversion rule in the storage means, and the symbol string converted by the conversion means of the personal authentication device distributed to the user. Acquired via the network, and the result of converting by the conversion rule stored in the storage means,
A center having authentication means for comparing the symbol strings acquired from the user and performing authentication based on whether they are the same or not.

According to the present invention (claim 7), the user can use an operator or an unattended answering device through a telephone line.
A storage medium storing an identity authentication program mounted on an identity authentication device for confirming the identity of a user when using a service provided by the center, and for requesting the issuance of a password. When the password issue button is pressed, the input symbol string is converted into another function according to a function or a conversion rule (hereinafter, referred to as a conversion rule) that inputs / outputs a string of symbol strings (hereinafter, referred to as a symbol string). A conversion process of converting into a symbol string and displaying on a display means;
And a notifying process for notifying the center of the converted symbol string.

[0021] According to the present invention (claim 8), the user can use an operator or an unattended answering device through a telephone line.
A storage medium storing an identity authentication program installed in a center that performs authentication based on data from an identity authentication device for confirming that a user who uses a service provided by the center is an identity. A conversion rule is determined for each user, stored in the personal authentication device and stored in the storage means, and a conversion rule determination process for storing the conversion rule in the storage means. An authentication process of obtaining a symbol string and converting the result of conversion according to the conversion rule stored in the storage unit with the symbol string obtained from the user, and performing authentication based on whether or not they are the same.

As described above, according to the present invention, when performing authentication, the center side distributes the personal authentication device in which the conversion rules are stored in advance to the user, and requests the password.
There is no need for time information, and there is no need to embed a circuit for measuring time in the password generator. Therefore, there is no need for a procedure for synchronizing time information between the center and the user before distributing the one-time password generation device to the user, and there is no need to constantly supply power.

In addition, the password can be issued in a short time by pressing the password issuing button of the personal authentication device distributed from the center only once, so that the password can be issued in a short time, and the procedure for searching the random number table does not occur. From human errors can be reduced. In addition, since the password issuance processing function is provided inside the personal authentication device, when issuing a password, the amount of data used can be larger than the random number table seen by the user. Become.

Further, when a password is issued by a conversion device based on an arbitrary symbol string, the number of password patterns is sufficient, so that the password can be used semi-permanently.

[0025]

FIG. 3 shows the configuration of the personal identification device of the present invention. The personal authentication device shown in FIG.
01, a password issue button 302, a management unit 303, a display unit 304, a calculation unit 305, a password issue unit 306,
It comprises a change rule storage unit 307 and a communication unit 308.

The input button 301 is pressed by a user to input numbers, symbols, and the like. The password issue button 302 is pressed by the user to request issuance of a password. The management unit 303 manages input / output and processing of the entire apparatus.

The display unit 304 displays an input result and an output result,
Displays the password conversion result, etc. The calculation unit 305 performs calculation on a mathematical expression input by the user. The password issuing unit 305 converts the input symbol string into another symbol string using the conversion rule stored in the conversion rule storage unit 307 when the user presses the password issue button 302.

The conversion rule storage unit 307 holds a conversion rule for converting a symbol string set for each user into another symbol string. The communication unit 308 is connected to another device and performs communication and data exchange with another device, such as taking in a conversion rule for converting an arbitrary symbol string into another symbol string.
FIG. 4 is a diagram for explaining the authentication method of the present invention.

Step 401) The center 200 determines a conversion rule for inputting / outputting a symbol string for each user. Step 402) The determined conversion rule is stored in the database 210 on the center side. Step 403) The determined conversion rule is applied to the personal authentication device 1
Hold at 10.

Step 404) The personal authentication device 110 storing the conversion rules is distributed to the user. Step 405) At the time of authentication, the center side 200 requests a user to input a password by designating a symbol string. Step 406) The user is the user authentication device 110
Then, the designated symbol string is input, and the password issue button 302 is pressed.

Step 407) In the password issuing unit 306 of the personal authentication device, the input symbol string is converted into another symbol string according to the conversion rule stored in the conversion rule storage unit 307, and displayed on the display unit 304. . Step 408) Press the push button of the telephone 120 or turn the dial according to the symbol string to notify the center 200.

Step 409) It is determined whether or not the symbol string converted by the conversion rule stored in the database 210 of the center 200 matches the symbol string notified by the user.

[0033]

Embodiments of the present invention will be described below with reference to the drawings. [First Embodiment] FIG. 5 shows the configuration of a personal authentication apparatus according to a first embodiment of the present invention. The figure shows the configuration of the outside of the housing 501 to 405 of the personal authentication apparatus and the inside of the housing 505 to 508.
It is shown.

The input button 501 on the outside of the housing is a button for inputting a numeral such as 10 from 0 to 9 and symbols such as four arithmetic symbols and equal symbols. Display window 50
2 displays the input result sequentially by the user pressing the input button or displays the calculation result. The connection terminal 503 is a terminal for connection with another device, and serves as an interface for data exchange with another device.

The password issue button 504 is a button for requesting the issuance of a password. The calculation unit 505 inside the housing in FIG. 5 performs calculation according to a calculation formula including symbols input from the input buttons 501 and symbols such as four arithmetic operations. The result calculated by the calculation unit 501 is displayed on the display window 502. The memory 506 is a storage device for storing the conversion rules, and is realized by a nonvolatile storage element or a storage device so that the storage state can be maintained even when power is not always supplied.

The battery 507 supplies power required to operate the personal identification device. Also,
The dry battery 507 may be any solar battery or any other device that can supply electric power. Password issuing unit 50
8 converts an arbitrary symbol string input according to the conversion rule stored in the memory 508 into another symbol string when the password issuance button is pressed. Password issuing unit 5
08 is displayed on the display window 502.

[Second Embodiment] In this embodiment, a system in which the personal identification device of the present invention is applied to a bank teller service will be described. FIG. 6 shows an example in which the personal identification device is applied to a bank teller service according to the second embodiment of the present invention.

In the figure, the user equipment 601 is an environment in which the user receives a service, such as a home or a company. The user-side equipment 601 includes a telephone 602 and an authentication device 603. The center-side equipment 604 is an environment on the center side, such as a call center or a system center. The center-side equipment 604 includes a line accommodation device 605.
, A database 606, and a center-side authentication device 607.

The telephone 6 in the user equipment 601
02 is a line accommodating device 605 in the center-side facility 604.
And a telephone network 608. Further, the center-side authentication device 607 has a function of determining a conversion rule,
A function of connecting to the personal authentication device 603 and storing the conversion rules in the authentication device 603; and a function of connecting to the database 606 and storing the conversion rules for each user.
6 has a function of acquiring a conversion rule for each user and a function of converting an arbitrary symbol string according to the conversion rule.

Next, the operation of the above configuration will be described. FIG. 7 is a diagram for explaining the operation of the second embodiment of the present invention. Step 701) First, when receiving the authentication service, the user A 601 registers in the center 604 in advance. Step 702) In the center 604, the user A 601
When the registration is performed, the conversion rule F using the center side authentication device 607 to input and output a symbol string to the user A 601 is used.
Determine A.

Step 703) The determined conversion rule FA
The authentication device 607 of the center side 604 and the personal authentication device RA
603 is connected and held in the personal authentication device RA603. Step 704) The conversion rule FA determined at the same time is registered in the database 606 of the center 604. Step 705) The user A is connected to the personal authentication device RA603.
601.

Step 706) Here, at the time of authentication,
The user A 601 makes a service request to the center side 604. Step 707) The center side 604 arbitrarily determines a symbol string x. Step 708) The user A 601 is urged to input the symbol string x into the personal authentication device RA 603 and to input the symbol string output as a result of pressing the password issue button using the push button or the dial of the telephone 602.

Step 709) The user A 601 inputs the symbol string x and presses the password issue button using the personal authentication device RA603 at hand, and instructs the conversion result y by the push button of the telephone 602 or the dial as instructed. input. Step 710) The conversion result y is sent from the user A to the center side 603. Step 711) On the center side 603, the conversion rule FA
To convert the symbol string x and hold the conversion result y ′.

Step 712) On the center side 603,
Conversion result y obtained from user A 601 and step 7
The conversion result y 'in step 11 is compared with the result, and if it is confirmed that they are the same, it is determined that the authentication is successful, and the service is continued.
Next, the conversion rules used above will be described. As the conversion rule, for example, a function used in a common key cryptosystem or the like can be used.

As a conversion rule, an n × n random number table can be used. FIG. 8 is a diagram showing a tenth embodiment of the present invention.
It is an example of a random number table of × 10. The random number table shown in the figure is a series of numerical values stored in an electronic storage medium or printed on paper, and when printed on paper, it is read by a scanner or the like, and the personal authentication device is used. The random number table TA is stored in the RA 603 and the database 606 on the center side 604 side.
It is assumed that this data is retained.

It is assumed that the random number table TA shown in FIG. 8 is used for the user A 601 and the data of the random number table TA is held in the personal authentication device RA 603 and the database 606 on the center side 604 side. It is assumed that a string of four numbers “abcd” is adopted as a designated symbol string. As a conversion rule for the numeric string “abcd”,
Using the random number table TA, a is the horizontal position of the horizontal random number table TA, b
Is a vertical position, and if c + d is odd, it is taken from top to bottom; if it is even, it is taken from left to right, so that, for example, (a, b, c, d) = (5, 7, 3, 9 ), From the random number table, a = 5, b = 7, c + d = 12, so that the fifth character in the horizontal direction and the seventh character in the vertical direction take four digits from top to bottom, and so on. Can decide.

As the basis of the random number seed, for example, personal information such as an account number, a telephone number, a date of birth, etc. can be used. If there is no or very rare communication between the user and the center,
Even if the personal information does not differ for every user, the random number seed may differ at least for each region (for example, the same random number table for Mr. A in Osaka and Mr. B in Tokyo).

Although the above embodiment has been described based on the configurations shown in FIGS. 3, 4, 5, and 6, the personal authentication device used on the user side and the center authentication device are used. The present invention can be easily realized by constructing the above operation as a program and installing it in a computer used as a personal authentication device and a center-side authentication device. It should be noted that the present invention is not limited to the above-described embodiment, but can be variously modified and applied within the scope of the claims.

[0049]

As described above, according to the present invention, time information is not required at the time of authentication, so that it is not necessary to embed a time measuring circuit in a password generating device as in the prior art. Therefore, there is no need for a procedure for synchronizing time information between the center and the user before distributing the one-time password generator to the user, and there is no need to constantly supply power. As a result, a simple device configuration becomes possible.

Further, since the password is generated only by pressing the button once, the password can be issued in a short time, and the procedure for searching from the random number table does not occur, thereby reducing human errors. Further, since the password issuance processing is performed inside the apparatus, the amount of data used when issuing the password can be made larger than the random number table seen by the user.

Since a password is issued by a conversion operation based on an arbitrary symbol string, the number of password patterns is sufficient and can be used semipermanently. Furthermore, by incorporating the calculation function and the authentication function into one device, the use frequency of the device itself can be increased while suppressing the production cost by sharing the buttons and the display unit.

[Brief description of the drawings]

FIG. 1 is a diagram for explaining the principle of the present invention.

FIG. 2 is a principle configuration diagram of the present invention.

FIG. 3 is a configuration diagram of a personal authentication device of the present invention.

FIG. 4 is a diagram for explaining an authentication method of the present invention.

FIG. 5 is a configuration diagram of the personal authentication device according to the first embodiment of the present invention.

FIG. 6 is an example in which a personal identification device is applied to a bank teller service according to a second embodiment of the present invention.

FIG. 7 is a diagram for explaining the operation of the second embodiment of the present invention.

FIG. 8 is an example of a 10 × 10 random number table according to an embodiment of the present invention.

FIG. 9 is a diagram showing a procedure of a conventional personal authentication method using a random number table.

FIG. 10 is a diagram for explaining a personal authentication method using a conventional one-time password generation device.

[Explanation of symbols]

 301, 501 button, input button 302, 504 password issue button 303 management unit 304 display unit, display unit 305, 505 calculation unit 306, 508 conversion unit, password issue unit 307 conversion rule holding unit, conversion rule storage unit 308 communication unit 100 User 110 Identity authentication device 120 Telephone 200 Center 210 Database 502 Display window 503 Connection terminal 506 Memory 507 Dry cell 601 User equipment 602 Telephone 603 Identity authentication device 604 Center equipment 605 Line accommodating device 606 Database 607 Center authentication device

Continuing on the front page (72) Inventor Toshio Chisaki 2-3-1 Otemachi, Chiyoda-ku, Tokyo Nippon Telegraph and Telephone Corporation (72) Inventor Yoichi Okamoto 2-3-1 Otemachi, Chiyoda-ku, Tokyo Date F-Term (in reference) 5B085 AE03 AE09 AE23 5K015 AA06 AB00 AF00 AF06 AF07

Claims (8)

[Claims] When a user uses a service provided by a center via an operator or an unattended answering device via a telephone line, an identity authentication method for confirming that the user is an identity is provided. On the center side, a conversion rule that inputs a symbol string and outputs a symbol string is determined for each user, and the conversion rule is stored in the personal authentication device and in a storage unit on the center side, The authentication device is distributed to the user, and at the time of personal authentication in which an authentication request is issued from the user, the center side specifies an arbitrary symbol string to the user, and in the personal authentication device, the user specifies The entered symbol string is input, the password generation button of the personal authentication device is pressed, and the symbol string output on the screen is notified to the center by a push button or a dial of a telephone. By determining whether or not the symbol string converted by the conversion rule of the corresponding user held in the storage means on the center side matches the symbol string notified by the user, the user is determined. A personal authentication method characterized by authentication. 2. The personal authentication method according to claim 1, wherein an n × n random number table is used as the conversion rule. 3. An identity authentication device for confirming that a user is who he or she is when a user uses a service provided by a center via a telephone line or an operator or an unattended answering device. A button for inputting a symbol including a number, a calculating means for performing a calculation on the input calculation formula, a display means for displaying the calculation result by the button and the calculating means, and a request for issuing a password. A password issuance button, a conversion rule holding unit for holding a function or a conversion rule (hereinafter, referred to as a conversion rule) that inputs / outputs a sequence of symbol strings (hereinafter, referred to as a symbol string), and presses the password issuance button. And converting means for converting the input symbol string into another symbol string according to the conversion rule and displaying the symbol string on the display means. Personal authentication device. 4. The personal authentication apparatus according to claim 3, further comprising communication means for notifying the center of the symbol string converted by the conversion means. 5. The personal authentication apparatus according to claim 3, wherein an n × n random number table is used as the conversion rule. 6. An identity authentication system for confirming the identity of a user when the user uses a service provided by a center via an operator or an unattended answering device via a telephone line. A button for inputting a symbol including a number, calculation means for performing calculation on the input calculation formula, display means for displaying the calculation result by the button and the calculation means, and a password for requesting the issuance of a password An issuance button, a conversion rule holding unit for holding a function or a conversion rule (hereinafter, referred to as a conversion rule) that inputs / outputs a string composed of symbol strings (hereinafter, referred to as a symbol string), and presses the password issue button. As a trigger, a conversion unit that converts the input symbol string into another symbol string according to the conversion rule and displays the symbol string on the display unit;
A communication unit for notifying the center of the symbol string converted by the conversion unit, and a personal authentication device distributed to the user; and a conversion of the personal authentication device for each user. A conversion rule determining unit that determines a rule and stores the conversion rule in a conversion rule holding unit and stores the conversion rule in a storage unit; and a symbol string converted by the conversion unit of the personal authentication device distributed to the user. Is obtained through a network, and the result of conversion according to the conversion rule stored in the storage means is compared with the symbol string obtained from the user, and authentication means for performing authentication based on whether or not they are the same is used. A personal identification system, comprising: 7. When a user uses a service provided by the center via an operator or an unattended answering device via a telephone line, the user is equipped with an identity authentication device for confirming the identity of the user. Is a storage medium storing a personal authentication program, and the input symbol string is converted into a string of symbol strings (hereinafter, referred to as a symbol string) when a password issue button for requesting the issuance of a password is pressed. According to a function or a conversion rule (hereinafter, referred to as a conversion rule) which inputs / outputs a character string, a conversion process of converting to another symbol string and displaying it on a display means, and a notification process of notifying the center of the converted symbol string. A storage medium storing a personal authentication program characterized by having a personal identification program. 8. A system in which a user uses a service provided by a center via a telephone line or an operator or an unattended answering device based on data from a personal authentication device for confirming that the user is a user. A storage medium storing a personal authentication program mounted on an authentication center, wherein a conversion rule is determined for each user, stored in the personal authentication device, and stored in a storage unit. A rule determination process, from the personal authentication device, via a network, a symbol string converted by the personal authentication device, and a result of conversion by the conversion rule stored in the storage means; An authentication process of comparing the acquired symbol strings and performing authentication based on whether they are the same or not, wherein a personal authentication program is stored.